Yubikey 4 for SSH with physical presence proof

2016-01-28, Categories: security

This is another post in the series of how to protect SSH keys with hardware, making them impossible to steal.

This means that you know that your piece of hardware (e.g. Yubikey or TPM inside your laptop) was actively involved in the transaction, and not, say, turned off and disconnected from the Internet at the time (like in a safe or on an airplane).

What’s new this time is that we can now have a physical presence test on every use of the key. That means that even if someone hacks your workstation completely and installs a keylogger to get your PIN, unless they also break into your home they can’t use the key even while the machine is on and connected. Evil hackers in another country are out of luck.

Read the rest of this entry »

How I made my custom keyboard layout on Linux and Windows

2015-11-29, Categories: unix, keyboards

This post explains how to set up a keyboard layout the way I like it. It may not fit you at all, but it may give you ideas that would work for you.

In short: I remap Caps Lock to add some extra keys.

Read the rest of this entry »

Building pov-ray on raspberry pi

2015-11-28, Categories: unix

This is just notes in case I need to do this again. It’s for my QPov project.

sudo apt-get install autoconf libboost-all-dev libjpeg-dev libtiff-dev libpng-dev
git clone https://github.com/POV-Ray/povray.git
cd povray
git checkout --track -b 3.7-stable origin/3.7-stable
cd unix
./prebuild.sh
cd ..
./configure --prefix=$HOME/opt/povray COMPILED_BY="My_Name on RPi"
make
make install

Read the rest of this entry »

Scraping data from a BT home hub 5

2015-03-28, Categories: network

If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.

Read the rest of this entry »

How to boot an encrypted system safely

2015-03-27, Categories: security, tpm

These are my notes on how to set up a system securely, in a way that would prevent attackers from being capable of performing an “evil maid attack”.

Read the rest of this entry »

Raytracing Quake demos

2015-03-22, Categories: coding

I decided to combine these two problems into one solution:

My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.

Update: New better screenshot:

Quake scene rendered in POV-Ray

Read the rest of this entry »

My mechanical keyboard

2015-03-21, Categories: hardware, keyboards

You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.

Read the rest of this entry »

Secure browser-to-proxy communication - again

2014-09-20, Categories: security, network

I've previously blogged about a secure connection between browser and proxy. Unfortunately that doesn't work on Android yet, since except if you use Google for Work (an enterprise offering) you can't set Proxy Auto-Config.

This post shows you how to get that working for Android. Also it skips the stunnel hop since it doesn't add value and only makes Squid not know your real address. I'm here also using username and password to authenticate to the proxy instead of client certificates, to make it easier to set up.

Read the rest of this entry »

Colour calibration in Linux

2014-09-18, Categories: unix

This is just a quick note on how to create .icc colour profiles in Linux. You need a colour calibrator (piece of hardware) for this to be useful to you.

#!/bin/sh
NAME=$1
COLOR=$2
DESC="Some random machine"
QUALITY=h   # or l for low, m for medium
set -e

dispcal -m -H -q $QUALITY -y l -F -t $COLOR -g 2.2 $NAME
targen -v -d 3 -G -e 4 -s 5 -g 17 -f 64 $NAME
dispread -v -H -N -y l -F -k $NAME.cal $NAME
colprof -v -D $DESC -q m -a G -Z p -n c $NAME
dispwin -I $NAME.icc

Read the rest of this entry »

Another way to protect your SSH keys

2014-06-17, Categories: security, network, unix

Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use it to protect your SSH keys. There's still hope! Here's a way to make it possible to use a key without having access to it. Meaning if you get hacked the key can't be stolen.

Read the rest of this entry »
Older posts