Many of us live on the terminal. We use tools which allows us to do things faster and let us stay productive. Most of these tools are old. Sometimes we do pick up a few new generation command line tools. Here is a small list of tools I am using daily. All of these are written in Rust .

ripgrep

ripgrep was the first Rust tool I started using daily as a replacement for grep. It is easy to use. The output looks nice, and also works with my vim.

exa

exa is the replacement for ls. It includes many useful flags.

bat

bat is the one stop replacement for cat and less. It also provides syntax highlighting with nice colours. I do have an alias cat=/usr/bin/bat -p.

zoxide

zoxide allows to move around directories super fast.

starship

starship is the shell prompt you can see in all of the GIFs above. It allows a lot of customization.

All of these tools are packaged in Fedora 32 by the amazing fedora-rust SIG.

One of the major security features of the QubesOS is the file vaults, where access to specific files can only happen via user input in the GUI applet. Same goes to the split-ssh, where the user has to allow access to the ssh key (actually on a different VM).

I was hoping to have similar access control to important dotfiles with passwords, ssh private keys, and other similar files on my regular desktop system. I am introducing ManualBox which can provide similarly access control on normal Linux Desktops or even on Mac.

How to install?

Follow the installation guide on the Mac in the wiki. For Linux, we are yet to package the application, and you can directly run from the source (without installing).

git clone https://github.com/kushaldas/manualbox.git
cd manualbox

On Fedora

sudo dnf install python3-cryptography python3-qt5 python3-fusepy python3-psutil fuse -y

On Debian

sudo apt install python3-cryptography python3-pyqt5 python3-fusepy python3-psutil fuse

Usage guide

To start the application from source:

On Linux:

./devscripts/manualbox

On Mac:

Click on the App icon like any other application.

If you are running the tool for the first time, it will create a new manualbox and mount it in ~/secured directory, it will also give you the password, please store it somewhere securely, as you will need it to mount the filesystem from the next time.

After selecting (or you can directly type) the mount path (must be an empty directory), you should type in the password, and then click on the Mount button.

Now, if you try to access any file, the tool will show a system notification, and you can either Allow or Deny via the following dialog.

Every time you allow file access, it shows the notification message via the system tray icon.

To exit the application, first click on the Unmount, and right-click on the systray icon, and click on the Exit or close via window close button.

Usage examples (think about your important dotfiles with passwords/tokens)

Note: If you open the mounted directory path from a GUI file browser, you will get too many notifications, as these browsers will open the file many times separately. Better to have you GUI application/command line tool to use those files as required.

Thunderbird

You can store your thuderbird profile into this tool. That way, thunderbird needs your permission for access when you start the application.

ls -l ~/.thunderbird/
# now find your right profile (most people have only one)
mv ~/.thunderbird/xxxxxx.default/logins.json ~/secured/
ln -s ~/secured/logins.json ~/.thunderbird/xxxxxx.default/logins.json

SSH private key

mv ~/.ssh/id_rsa ~/secured/
ln -s ~/secured/id_rsa ~/.ssh/id_rsa

If you have any issues, please file issues or even better a PR along with the issue :)

Today marks 365 days of incarceration of Chelsea Manning, with around $256000 in fines. She has not been charged for any crime.

At home, Py (daughter) wanted to know why her Wonder Woman is still in the dungeon? We had to explain Grand jury subpoena to her in simple terms and explain that her Wonder Woman aunty is resisting it, even though that means she is in a dungeon (where most good people go when they fight for truth against the big powers of the world). Py now wants to go to USA and meet Chelsea. The other day, Py also declared that after growing up she will fight for others and go to dungeon just like Chelsea.

Chelsea spoke about her believes and principles again and again, and why did she feel that leaking the war crimes to the world was her duty. By the same principles, she is standing up to the secret hearings of grand juries now. Everyone knows that there is no good reason to put her back into the prison system, but the government still did that.

UN officials already accused the US government of using torture against Chelsea. The officials also mentioned to the US government:

believe that subjecting Chelsea to more punishment will change her mind, they are gravely mistaken.

After waking up today morning, I suddenly found she again tried to commit suicide and now recovering in the hospital. She had previously spent 7+years in prison including 11 months of solitary confinement, and these things in total causes a lot of mental health issues.

I hope for her speedy recovery and also hope someone in the US judicial system will see the injustice to her and release her soon. Meanwhile, we all can send her letters (on white paper, handwritten or drawn) to the following address:

Chelsea Elizabeth Manning
A0181426
William G. Truesdale Adult Detention Center
2001 Mill Road
Alexandria, VA 22314

You can also read her statement released on Aaron Swartz Day 2019.

Last year I published qubes-ansible project. This enables maintaining your Qubes OS system via Ansible. But, to do the same, you will have to take a few steps as Ansible is not in the default Qubes.

Qubes uses Salt to maintain the system. It also has helpful documentation to explain the idea. In this post and with a few more in the future, I am planning to write a series with basic examples of the same, so that you can maintain your Qubes laptop with the Salt itself.

Working in dom0

You can either directly the required files in dom0, or write them in your standard development VM, and then copy them over to dom0. The choice is yours.

I am directly writing them into dom0 using vim as my editor.

The outcome

I want to create the following:

• A new template called fancy-template based on debian-10
• Install a few packages into it.
• Create a new apt repo for VS Code in it.
• Install VS Code in it.
• Create an AppVM called fancy using the template with 3000MB RAM.

Creating .top and .sls files

The .top file will help us to link between any machine (VMs or dom0) and some state files (.sls).

To find the currently enabled top files use the following command:

qubesctl top.enabled

Now, we will create our own top file.

Create the following file as /srv/salt/learnqubes.top

base:
  dom0:
    - fancy-template

Here we are saying for the dom0 machine (VM) use the state file named fancy-template. The state files contain state and configuration of the machines (VMs).

Creating the first state file

Copy paste the following in /srv/salt/fancy-template.sls file.

create-fancy-template:
  qvm.vm:
    - name: fancy-template
    - clone:
      - source: debian-10
      - label: blue
    - tags:
      - add:
        - playground

create-fancy-vm:
  qvm.vm:
    - name: fancy
    - present:
      - template: fancy-template
      - label: red
      - mem: 3000
    - prefs:
      - template: fancy-template

First, we are using a unique name for that step, where we are asking for a qvm.vm (VM), saying that the name is fancy-template, and it is a clone of debian-10. We are also mentioning the label color and adding a tag to the template.

In the next step, we are creating the AppVM named fancy, from the template, red as the label, and 3000MB RAM.

Enabling the .top first

# qubesctl top.enable learnqubes

This command will enable our top file. You can recheck the list of enabled .top files after this.

Applying the state to dom0

# qubesctl --show-output state.highstate

This command will make sure that all the states from all of the enabled top files will be applied to dom0. After this command finished, you should be able to see our new template and the AppVM.

Enabling vscode repo and installing the packages

We will first write a new state file for the steps, write the following to /srv/salt/add-my-fancy-system.sls file.

install-packages:
  pkg.installed:
    - pkgs:
      - htop
      - sl
      - git
  - refresh: True

install-python-apt-for-repo-config:
  pkg.installed:
    - pkgs:
      - python-apt
   
configure-apt-test-apt-repo:
  pkgrepo.managed:
    - name: "deb [arch=amd64] https://packages.microsoft.com/repos/vscode stable main"
    - file: /etc/apt/sources.list.d/vscode.list
    - key_url: "salt://microsoft.asc"
    - clean_file: True # squash file to ensure there are no duplicates
    - require:
      - pkg: install-python-apt-for-repo-config

install-vscode:
  pkg.installed:
    - pkgs:
      - code

You can read all the details about pkg module, and here we are installing a few packages first. While installing the initial packages, we also make sure to refresh the database (think about apt update). To create the apt repository, we used pkgrepo salt module. You will find one interesting thing in that section, and we are mentioning a GPG public key for the repository.

We actually have to download it in a VM and move it to the dom0 in the same /srv/salt directory.

# qvm-run --pass-io devvm ‘cat /home/user/microsoft.asc’ > /srv/salt/microsoft.asc

Remember to replace devvm with the right AppVM in your system.

We will also update the top file so that it knows to use the make-my-fancy-system.sls file for our fancy-template.

The following is the updated top file.

base:
  dom0:
    - fancy-template

  fancy-template:
    - make-my-fancy-system

Then, we can ask Qubes to apply the state to only the fancy-template VM.

# qubesctl --show-output --skip-dom0 --targets fancy-template state.highstate

This command should create the right state in the fancy-template. Remember to shut down the template and the AppVM (if they are running), and then start the fancy AppVM again. You will find it has all the packages, including VS Code.

The title of the is post is misleading.

I actually want to ask you which version of Python3 are you running? Yes, it is a question I have to ask myself based on projects I am working on. I am sure there are many more people in the world who are also in the similar situation.

Just to see what all versions of Python(3) I am running in different places:

• Python 3.7.3
• Python 3.5.2
• Python 3.6.9
• Python 3.7.4
• Python 2.7.5
• Python 3.7.6

What about you?

Now we have official Tor RPM repositories for Fedora, CentOS/RHEL. The support documentation is already in place.

Using this repository, you can get the latest Tor build for your distribution from the upstream project itself. Tor already provides similar packages for Debian/Ubuntu systems.

How to enable the repository in your Fedora box?

Add the following to the /etc/yum.repos.d/tor.repo.

[tor]
name=Tor for Fedora $releasever - $basearch
baseurl=https://rpm.torproject.org/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/fedora/public_gpg.key
cost=100

Then you can install the package via regular dnf command.

$ sudo dnf install tor

You will have to import the new keys used for signing these packages.

Importing GPG key 0x3621CD35:
Userid : "Kushal Das (RPM Signing key) <kushal@torproject.org>"
Fingerprint: 999E C8E3 14BC 8D46 022D 6C7D E217 C30C 3621 CD35
From : https://rpm.torproject.org/fedora/public_gpg.key
Is this ok [y/N]: y

If you run a Tor relay (which you all should, one of the easiest ways to contribute to the project and help people worldwide) on CentOS/RHEL, you can use similar repository configuration.

One of the most common parts of writing any desktop tool and taking password input is about having a widget that can show/hide password text. In Qt, we can add a QAction to a QLineEdit to do the same. The only thing to remember, that the icons for the QAction, must be square in aspect ratio; otherwise, they look super bad.

The following code creates such a password input, and you can see it working at the GIF at the end of the blog post. I wrote this for the SecureDrop client project.

class PasswordEdit(QLineEdit):
    """
    A LineEdit with icons to show/hide password entries
    """
    CSS = '''QLineEdit {
        border-radius: 0px;
        height: 30px;
        margin: 0px 0px 0px 0px;
    }
    '''

    def __init__(self, parent):
        self.parent = parent
        super().__init__(self.parent)

        # Set styles
        self.setStyleSheet(self.CSS)

        self.visibleIcon = load_icon("eye_visible.svg")
        self.hiddenIcon = load_icon("eye_hidden.svg")

        self.setEchoMode(QLineEdit.Password)
        self.togglepasswordAction = self.addAction(self.visibleIcon, QLineEdit.TrailingPosition)
        self.togglepasswordAction.triggered.connect(self.on_toggle_password_Action)
        self.password_shown = False

    def on_toggle_password_Action(self):
        if not self.password_shown:
            self.setEchoMode(QLineEdit.Normal)
            self.password_shown = True
            self.togglepasswordAction.setIcon(self.hiddenIcon)
        else:
            self.setEchoMode(QLineEdit.Password)
            self.password_shown = False
            self.togglepasswordAction.setIcon(self.visibleIcon)

From 5th August 2019, Kashmir is under a communication shutdown. SMS service for a particular connection provider is now available for postpaid users, but Internet is still down for all Indian citizens of Kashmir.

This is above 155 days of Internet shutdown. If you are reading this blog post, it means you have an active Internet connection, and you can connect to the different servers/services that are essential to modern life. Now, think about all of those citizens of India staying in Kashmir. Think about the problem when they have to access a website for job/medical/banking/travel or any other necessary work.

The current fascist regime of India kept shouting about “Digital India” for the last few years, and at the same time, making sure to use the Internet shutdown as a tool of oppression. By using a proper communication shutdown and blocking reporters, they made sure only the false stories from the state can be reached to the readers/viewers of news across the world. But, a few brave outside journalists and too many brave local journalists from Kashmir made sure that they kept pushing the real news from the ground. They tried their best to record atrocities.

This story in the New Yorker by Dexter Filkins should be the one for everyone to read. Take your time to read how brave Rana Ayyub and the author managed to sneak into Kashmir, and did the report.

Internet shutdowns across India

Now, if you think that the Indian government is doing this only in Kashmir, then you are totally wrong. In the last few years, India saw the highest number of Internet shutdowns across the country. Govt did not care about the reason. Given any chance, they shut down the Internet. During the current protests against the regime, they shut down the Internet in parts of Delhi, the capital of India. BBC did another story on why India gets the greatest number of Internet shutdowns.

To find all the instances of the shutdown, have a look at this site from SFLC India team.

Latest attack on students and professors of JNU

Jawaharlal Nehru University (JNU) is India’s topmost university, a place where leaders of many different fields got their education, including Nobel laureates. Yesterday evening a bunch of goons from the student wing (ABVP) of the party in power (BJP), went inside of the campus (with the full support of Delhi Police, who waited outside), and started attacking students and professors with rods and other weapons. They turned off all the street lights, but, as they forgot to shut down the Internet in the area, students managed to send across SOS messages. Search #SOSJNU on Twitter to see the amount of atrocity. Now, think for a second, what if they would have managed to shut down the Internet before the attack, just like they are doing now in Kashmir and many other parts of India. Economist and Nobel laureate Abhijit Banerjee commented how this “Echoes of Germany moving towards Nazi rule”.

Why should this matter to you, the technologist?

All of the technologies we are enjoying today, the modern world, the Internet is one of the major bounding material of the same. Think about the pain and oppression the people has to go through as this basic necessity is cut down from their lives.

Most people do not have a voice to raise for themselves. If we don’t know, then the whole country will be lost. And, we know from history what happens next.

People still count India as a democracy, actually the largest in the world. But, unless we raise up, the so-called democracy will be crushed the fascist regime in no-time.

Quick point about different mesh-network and other solutions available at Internet shutdown time

We need more documentation and examples (also translated in local languages) of the different tools available, which can help the citizens when the regime is trying their best to shut down the Internet. India is also known for random blocking of sites, and this is where free software like the Tor Project becomes so essential.

A few days ago, I wrote about different IP addresses trying to break into my servers. Today, I looked into another server to find the frequently used user names used in the SSH attempts.

• admin 36228
• test 19249
• user 17164
• ubuntu 16233
• postgres 16217
• oracle 9738
• git 8118
• ftpuser 7028
• teamspea 6560
• mysql 5650
• nagios 5599
• pi 5239
• deploy 5167
• hadoop 5011
• guest 4798
• dev 4468
• ts3 4277
• minecraf 4145
• support 3940
• ubnt 3549
• debian 3515
• demo 3489
• tomcat 3435
• vagrant 3042
• zabbix 3033
• jenkins 3027
• develope 2941
• sinusbot 2914
• user1 2898
• administ 2747
• bot 2590
• testuser 2459
• ts 2403
• apache 2391
• www 2329
• default 2293
• odoo 2168
• test2 2161
• backup 2133
• steam 2129
• 1234 2026
• server 1890
• www-data 1853
• web 1850
• centos 1796
• vnc 1783
• csgoserv 1715
• prueba 1677
• test1 1648
• a 1581
• student 1568
• csgo 1524
• weblogic 1522
• ts3bot 1521
• mc 1434
• gpadmin 1427
• redhat 1378
• alex 1375
• system 1362
• manager 1359

I never knew that admin is such important user name for Linux servers, I thought I will see root there. Also, why alex? I can understand the reason behind pi. If you want to find out the similar details, you can use the following command.

last -f /var/log/btmp

I use podman on all of my production servers, and also inside of the Qubes system in Fedora VMs. A few days ago I saw this post and thought of trying out the steps on my Debian Buster system.

But, it seems it requires one more installation step, so I am adding the updated installation steps for Debian Buster here.

Install all build dependencies

sudo apt -y install \
  gcc \
  make \
  cmake \
  git \
  btrfs-progs \
  golang-go \
  go-md2man \
  iptables \
  libassuan-dev \
  libc6-dev \
  libdevmapper-dev \
  libglib2.0-dev \
  libgpgme-dev \
  libgpg-error-dev \
  libostree-dev \
  libprotobuf-dev \
  libprotobuf-c-dev \
  libseccomp-dev \
  libselinux1-dev \
  libsystemd-dev \
  pkg-config \
  runc \
  uidmap \
  libapparmor-dev \
  libglib2.0-dev \
  libcap-dev \
  libseccomp-dev

Install latest Golang

Download and install latest golang and also make sure that you have a proper $GOPATH variable. You can read more here.

Install conmon

conmon is the OCI container runtime monitor. Install it via the following steps:

git clone https://github.com/containers/conmon
cd conmon
make
sudo make podman
sudo cp /usr/local/libexec/podman/conmon  /usr/local/bin/

Install CNI plugins

git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins
cd $GOPATH/src/github.com/containernetworking/plugins
./build_linux.sh
sudo mkdir -p /usr/libexec/cni
sudo cp bin/* /usr/libexec/cni

Setup the bridge

sudo mkdir -p /etc/cni/net.d
curl -qsSL https://raw.githubusercontent.com/containers/libpod/master/cni/87-podman-bridge.conflist | sudo tee /etc/cni/net.d/99-loopback.conf

Create the configuration files

Next, we need configuration files for the registries and also the policy file.

sudo mkdir -p /etc/containers
sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora -o /etc/containers/registries.conf
sudo curl https://raw.githubusercontent.com/containers/skopeo/master/default-policy.json -o /etc/containers/policy.json

Installing slirp4netns

slirp4netns is used for user-mode networking for unprivileged network namespaces. At the time of the writing this blog post, the latest release is 0.4.2.

git clone https://github.com/rootless-containers/slirp4netns
cd slirp4netns
./autogen.sh
./configure --prefix=/usr
make
sudo make install

Installing podman

Finally we are going to install podman.

git clone https://github.com/containers/libpod/ $GOPATH/src/github.com/containers/libpod
cd $GOPATH/src/github.com/containers/libpod
make
sudo make install

Testing podman

Now you can test podman on your Debian system.

podman pull fedora:latest
podman run -it --rm /usr/bin/bash fedora:latest