Optimizing TCP slow start

2011-10-15, Categories: unix, network

The short version of the problem and solution I will describe is that while TCP gets up to speed fairly fast, and "fast enough" for many uses, it doesn't accelerate fast enough for short-lived connections such as web page requests. If I have a 10Mbps connection and the server has 10Mbps to spare, why doesn't a 17kB web page transfer at 10Mbps from first to last byte? (That is, when excluding TCP handshake, HTTP request and server-side page rendering.)

This is pretty Linux-focused, but I'll add pointers for other OSs if I see them.

TPM chip protecting SSH keys - properly

2013-11-27, Categories: security, hsm, tpm, unix

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need.

So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.

How TPM-protected SSH keys work

2013-12-01, Categories: security, unix, hsm

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.

Interesting Arping bug report

2012-10-05, Categories: unix, coding, network, arping

A few months ago I was strolling in the Debian bug tracking system and found a curious bug filed against Arping, a program I maintain.

It said that unlike Arping 2.09, in Arping 2.11 the ARP cache was not updated after a successful reply. I thought that was odd, since there's no code to touch the ARP cache, neither read nor write. Surely this behaviour hasn't changed?

Plug computer for always-on VPN

2013-02-09, Categories: security, network, unix

Last time I was at a hacker conference I for obvious reasons didn't want to connect to the local network. It's not just a matter of setting up some simple firewall rules, since the people around you are people who have invented, and are inventing, new and unusual attacks. Examples of this would be rogue IPv6 RA and NDs, and people who have actually generated their own signed root CAs. There's also the risk (or certainty) of having all your unencrypted traffic sniffed and altered.

For next time I've prepared a SheevaPlug computer I had lying around. I updated it to a modern Debian installation, added a USB network card, and set it up to provide always-on VPN. This could also be done using a Raspberry Pi, but I don't have one.

Clipboard sniffer

2010-01-26, Categories: security, coding, unix

Yes clipboard, not keyboard. I've made a clipboard sniffer for X called ClipSniff.

It periodically saves whatever is in the clipboard (both the "PRIMARY" and the "CLIPBOARD") into a sqlite database.

git clone http://github.com/ThomasHabets/clipsniff.git

TPM chip protecting SSH keys

2013-11-13, Categories: security, hsm, tpm, unix

STOP! There is a better way. This post explains a simpler and more secure way.

Update 2: I have something I think will be better up my sleeve for using the TPM chip with SSH. Stay tuned. In the meantime, the below works.

Finally, I found out how to use a TPM chip to protect SSH keys. Thanks to Perry Lorier. I'm just going to note down those same steps, but with my notes.

I've written about hardware protecting crypto keys and increasing SSH security before:

but this is what I've always been after. With this solution the SSH key cannot be stolen. If someone uses this SSH key that means that the machine with the TPM chip is involved right now. Right now it's not turned off, or disconnected from the network.

Update: you need to delete /var/lib/opencryptoki/tpm/your-username/*.pem, because otherwise your keys will be migratable. I'm looking into how to either never generate these files, or make them unusable by having the TPM chip reject them. Update to come.

Colour calibration in Linux

2014-09-19, Categories: unix

This is just a quick note on how to create .icc colour profiles in Linux. You need a colour calibrator (piece of hardware) for this to be useful to you.

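#!/bin/sh
# Create an .icc colour profile with the Argyll CMS tools.
NAME="$1"    # base name for the generated files
COLOR="$2"   # value passed to dispcal -t
DESC="Some random machine"
QUALITY=h   # or l for low, m for medium
set -e

# Calibrate the display.
dispcal -m -H -q "$QUALITY" -y l -F -t "$COLOR" -g 2.2 "$NAME"
# Generate the test patches.
targen -v -d 3 -G -e 4 -s 5 -g 17 -f 64 "$NAME"
# Measure the patches on the display.
dispread -v -H -N -y l -F -k "$NAME.cal" "$NAME"
# Build the profile; $DESC must be quoted because it contains spaces.
colprof -v -D "$DESC" -q m -a G -Z p -n c "$NAME"
# Install the profile.
dispwin -I "$NAME.icc"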

Buffering in pipes

2008-06-28, Categories: tty, unix, coding, ind

I'm trying to force a program not to buffer its output to stdout. Any program, all programs. It can't involve changing the source code or depending on weird or unportable stuff.

It should be possible. It seems like I'm missing something obvious, but I can't figure out what.

Solaris installation

2007-12-22, Categories: solaris, unix, bugs

In what top scientists are calling "pretty gay", Solaris can't handle disks that used to have non-Solaris stuff on them without being wiped first.

I thought only the Windows installer borked if the partition table looked weird, but no! The installer could not see the disk, and I was dropped into a dtterm where I had to do dd if=/dev/zero of=/dev/dsk/c0t0d0 bs=1048576 and reboot.

So... wipe the disk before trying to install Solaris.

Yubico is awesome

2011-07-17, Categories: security, coding, unix, hsm

Yubico and their products are awesome.

That pretty much sums up this blog post, but I'm going to go on anyway. If you're thinking of introducing two-factor authentication to your company, or you're using something that's fundamentally broken (like RSA SecurID), you simply must at least take Yubikeys into consideration.

Moving a process to another terminal

2009-03-21, Categories: unix, coding, tty

I've always wanted to be able to move a process from one terminal to another. For example, if I've started a long-running foreground process (such as irssi or scp) outside of a screen and I have to log out of my local terminal. I looked around and there doesn't seem to be any way to do this.

GPG and SSH with Yubikey NEO

2013-02-28, Categories: security, unix, hsm

I'm a big fan of hardware tokens for access. The three basic technologies where you have public key crypto are SSH, GPG and SSL. Here I will show how to use a Yubikey NEO to protect GPG and SSH keys so that they cannot be stolen or copied. (well, they can be physically stolen, of course).

OpenSSH certificates

2011-07-06, Categories: unix, security

The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) is, shall we say, a bit lacking. So I'm writing down the essentials of what they are and how to use them.

What they are NOT

They're not SSH PubkeyAuthentication

In other words if your .pub file doesn't end in -cert.pub and you haven't used ssh-keygen -s, then you aren't using certificates.

Another way to protect your SSH keys

2014-06-18, Categories: security, network, unix

Let's say you don't have a TPM chip, or you hate them, or for some other reason don't want to use it to protect your SSH keys. There's still hope! Here's a way to make it possible to use a key without having access to it. Meaning if you get hacked the key can't be stolen.

Shared libraries diamond problem

2012-05-19, Categories: unix, coding

If you split up code into different libraries you can get a diamond dependency problem. That is, you have two parts of your code that depend on different incompatible versions of the same library.

Normally you shouldn't get into this situation. Only someone who hates their users makes a non-backwards-compatible change to a library ABI. You don't hate your users, do you?

tlssh - a replacement for SSH

2010-08-05, Categories: security, unix, coding, network

I've started writing a replacement for SSH.

Why? Because SSH has some drawbacks that sometimes annoy me. I also wanted an authentication scheme that's more similar to SSL/TLS than what SSH does.

With tlssh you don't specify username or password, you simply connect to the server using a client-side certificate to log in as the user specified in the certificate. No interaction until you reach the shell prompt on the server.

Autotools is nice

2009-10-01, Categories: autotools, coding, unix

I was recently asked why autotools was so good. I thought I might as well post what I answered.
