Where did my PGP keys go?

Posted on May 21, 2015 by gawen

Today I noticed that one of my PGP private key just disappeared of GPG. The key did not appear when I did gpg --list-secret-keys. After a bit of investigation I discovered that the problem did not affect Linux hosts but only FreeBSD hosts. Weird…

The source of the problem was a migration from GnuPG v2.0 to v2.1. According to this page, GPG does not handle the private keys anymore and delegates all private keys operations to the gpg-agent. Therefore GPG v2.1 migrates the legacy secret keyring, secring.gpg, to the gpg-agent key store, private-keys-v1.d and then forgets about it.

Though, you see, my GPG keyrings were synchronized across all hosts. But the GnuPG package on Debian is still v2.0, while FreeBSD is v2.1. Get the picture?

I synced my keyring on FreeBSD hosts where GPG migrated my private keys to the gpg-agent key store. Then I generated a new key pair on a Debian host, which was added to the legacy keyring. Resynced, but the newer version of GPG didn’t care, they already migrated to the new key store.

Fortunately it was easy to fix, all you have to do is re-import your legacy keyring with one of the newer versions of GPG. The private keys are now also present in the new key store so you can sync to all other hosts.

gpg --import $HOME/.gnupg/secring.gpg
gpg --list-secret-keys

WeakDH

Posted on May 20, 2015 by gawen

Here we go again (The Logjam Attack):

“We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:

Logjam Attack against the TLS Protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. (…)
Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections. (…) We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. (…) A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

Traversons la singularité

Quote

Posted on May 10, 2015 by gawen

Un point singulier, une frontière.
Un autre monde, stérile, ou luxuriant.

Today’s game: Hotline Miami

Posted on May 7, 2015 by gawen

Do you like hurting other people?

A LSD-based brutal murder simulator.

Just letting the steam off, you think. You will quickly find yourself enjoying slaughtering people in the most gruesome way. Then it will be all sort of mechanical. And you’ll feel really bad about this.

But that’s what this game is all about, and it’s really good at it.

Why is there something rather than nothing?

Posted on March 17, 2015 by gawen

Why not?

IPs ban on Linux

Posted on January 26, 2015 by gawen

Who needs a quick ban?

Today we had a bruteforce attack on our nginx server. Well cannot say he was anywhere near successful though, the guy did POST /wp-login.php several times per second and all he got as an answer was 404. Fat chance…

But still, he had our access logs growing far larger than they usually do. So I tried to ban him. Unfortunately nginx does not use TCP wrappers by default (you can use ngx_tcpwrappers although it will have to be rebuilt from source).

So I made a little script, called ban-hammer to temporarily ban IPs using IPTables. There is also a cron.daily script to unban IPs each day. The script requires rpnc, but it is easy to adapt without it.

These scripts add and remove the IPs into a special IPT chain (which you can configure in the script). So you also have to configure your firewall to jump to the two chains and load banned IPs on boot:

echo "Bans"

load_bans() {
  ban_table=$1
  ban_chain=$2
  iptables=$3

  $iptables -N $ban_chain

  while read ban
  do
    ip=$(echo "$ban" | cut -d'=' -f 1)
    $iptables -A $ban_chain -s "$ip" -j DROP
  done < "$ban_table"

  $iptables -A INPUT -j $ban_chain
}

load_bans /etc/firewall/ip4.ban IP4BAN iptables
load_bans /etc/firewall/ip6.ban IP6BAN ip6tables

FP comparison in Shell

Posted on January 6, 2015 by gawen

People tend to not like Shell. But I do!
Here is a simple example, try this floating point comparison:

$ [ 0.1 -gt 0.01 ]
[: 0.1: bad number

The shell itself cannot use float.
But there are multiple workarounds. Here is the one I prefer:

if rpnc "$a" "$b" - | grep "^-" > /dev/null
then
  echo "a < b"
fi

Although you may not have the rpnc command, so here is another one:

if [ $(echo "$a < $b" | bc) -eq 1 ]
then
  echo "a < b"
fi

ISP y u no DNSSEC?

Posted on December 15, 2014 by gawen

Unbound is a secure, lightweight and high performance validating, recursive, and caching DNS resolver. It performs DNSSEC validation and it is also really easy to configure. Although it cannot act as a full fledged authoritative server, you may take a look at NSD, which is, on the contrary, authoritative only. For a nice tutorial about unbound configuration, see this post.

Today I discovered local_unbound on FreeBSD. This script generates a configuration suitable for running unbound as a forwarding resolver. It also uses resolveconf to update the list of forwarders. This means that it is automatically configured with the name servers provided by the DHCP offer.

By default, unbound is configured to withheld the reply from the client when the validation fails. Unfortunately most of the name servers provided by home routers and ISPs do not support DNSSEC. Even worse, some ISPs redirect all queries to their own name servers which of course do not support DNSSEC either. You can check if it is the case with this command:

dig @8.8.8.8 +short test.dnssec-or-not.net TXT

As Google public DNS support DNSSEC. If it does not show you anything, it is OK. If instead it says something like: “Nope! DO bit not set in your query” then your query has been forwarded to a server which is not DNSSEC capable.

Because of this, you often end up with a nice caching forwarding resolver which does not seem to resolve anything (at least on the client side) because of bogus validations.

You have two solutions to overcome this. First you can force your forwarders to DNSSEC capable servers such as Google public DNS (8.8.8.8 / 8.8.4.4). However, as mentioned above this does not work when your ISP redirect all queries to its own server. The second solution is to configure unbound into permissive mode (/etc/unbound/unbound.conf):

server:
    (...)
    val-permissive-mode: yes

In that case, replies to queries that did not pass validation are not longer withheld from the client but the Authenticated Data bit is not set in the reply.

Today’s movie: Interstellar

Posted on November 30, 2014 by gawen

We start this new series with Interstellar by Christopher Nolan. I did not expect to watch this movie. Actually you must know that I was somewhat apprehensive. To me this movie was a direct inspiration from The Songs of Distant Earth by Arthur C. Clarke. This book stirred me so hard. To the point it has partly shaped my vision of life, and of the place we have here. I felt that no movie could ever render this. And I (deeply) feared to see one of my favorite science fiction novel trampled on by yet another gargantuan sf blockbuster overflowing with CGI in every possible direction with a bunch of heroes saving the world (again) because you know that’s just what heroes are for anyway.

Well I must admit, this is what I just saw, yet I was agreeably surprised. And the emotional impact that built all along the movie far outreached my expectations. I found myself multiple times begging for the storyline not to slip into one direction or another, because I felt that all this tension would deflate grotesquely like a dismaying soufflé, only to find minutes later that it was still ok.

The movie itself is not without fails. It is extremely ambitious. And as someone would naturally expect, it misses the point from time to time. It sometimes drew itself too far into the drama to the point that the story was loosing its legitimacy. Some scenes deserved to be more explored, and the fast paced rhythm contrasted too much with the heavy atmosphere of interstellar travel through the vastness and solitude of space combined to the ultimate hope of humanity that the movie tried to convey. These two themes go very well together. But they must be treated with due respect and certainly not as a way to blow up things and acting as a show-off.

Best acting goes for Anne Hathaway (Brand). On the other hand Cooper, Matthew McConaughey’s personnage, sometimes lacks conviction that would benefit to some key parts of the movie. Dialogues are somewhat clunky, and that certainly didn’t help. There are multiple unassuming nods to other sf movies. 2001 being one of them though both movies are still far apart. I was also pleased to see another nod to Arthur C. Clarke, The Garden of Rama.

In conclusion, my impression is that this movie could have been something awfully good. But it is not bad either. I’d even go to say that it is good up to very good.

Gawen's blog

Enjoy life, one bit at a time.

Author Archives: gawen