We fetch any GPG public key from the keyservers using the GPG fingerprint (or parts of it). This step is still a problematic one for most of us. As the servers may not be responding, or the key is missing (not pushed) to the server. Also, if we only have the email address, there is no easy way to download the corresponding GPG key.

Web Key Directory to rescue

The Web Key Directory comes to the picture. We use WKD to enable others to get our GPG keys for email addresses very easily. In simple terms:

The Web Key Directory is the HTTPS directory from which keys can be fetched.

Let us first see this in action:

gpg --auto-key-locate clear,wkd --locate-key mail@kushaldas.in

The above will fetch you the key for the email address, and you can also assume the person who owns the key also has access to the https://kushaldas.in server.

There are many available email clients, which will do this for you. For example Thunderbird/Enigmail 2.0 or Kmail version 5.6 onwards.

Setting up WKD for your domain

I was going through the steps mentioned in the GNUPG wiki, while weasel pointed to me to a Makefile to keep things even more straightforward.

all: update install

update:
        rm -rfv openpgpkey
        mkdir -v openpgpkey
        echo 'A85FF376759C994A8A1168D8D8219C8C43F6C5E1 mail@kushaldas.in' | /usr/lib/gnupg/gpg-wks-client -v --install-key
        chmod -v 0711 openpgpkey/kushaldas.in
        chmod -v 0711 openpgpkey/kushaldas.in/hu
        chmod -v 0644 openpgpkey/kushaldas.in/hu/*
        touch openpgpkey/kushaldas.in/policy

        ln -s kushaldas.in/hu openpgpkey/
        ln -s kushaldas.in/policy openpgpkey/

install: update
        rsync -Pravz --delete ./openpgpkey root@kushaldas.in:/usr/local/www/kushaldas.in/.well-known/

.PHONY: all update install

The above Makefile is using gpg-wks-client executable and also pushing the changes to the right directory on the server.

Email providers like protonmail already allow users to publish similar information. I hope this small Makefile will help you to set up your domain.

python -c 'import pty;pty.spawn("/bin/bash")'

I think this is the highest used Python program in the land of Pentesting/Security, Almost every blog post or tutorial I read, they talk about the above-mentioned line to get a proper terminal after getting access to a minimal shell on a remote Linux server.

What does this code do?

We are calling the Python executable with -c and python statements inside of the double quote. -c executes the Python statements, and as we are running it as non-interactive mode, it parses the entire input before executing it.

The code we pass as the argument of the -c has two statements.

import pty
pty.spawn("/bin/bash")

pty is a Python module which defines operations related to the pseudo-terminal concept, it can create another process, and from the controlling terminal, it can read/write to the new process.

The pty.spawn function spawns a new process (/bin/bash in this case) and then connects IO of the new process to the parent/controlling process.

In most cases, even though you get access to bash using the way mentioned above, TAB completion is still not working. To enable it, press Ctrl+z to move the process to sleep, and then use the following command on your terminal.

stty raw -echo

stty changes terminal line settings and part of the GNU coreutils package. To read about all the options we set by using raw -echo, read the man page of stty.

Many years ago, I watched a documentary about Security firms showcasing offensive attacks, that was the first I saw them using Python scripts to send in the payload and exploit the remote systems. Now, I am using similar scripts in the lab to learn and having fun with Python. It is a new world for me, but, it also shows the diverse world we serve via Python.

Last week we started providing two new services for the dgplug members.

• https://toots.dgplug.org
• https://blogs.dgplug.org

Mastodon service at toots

Having our own instance was in the plan for time in my head. I had personal Mastodon account before, but, that instance went down and never tried to find a new home. This time, I think if a few of us (the sys-admins from the group) use this as a regular thing for ourselves, it will be much easier to maintain than depending on someone else.

Any regular dgplug member can get an invite link for the instance by joining the IRC channel and asking for the same.

Blogging platform

In our summer training, we spend much time talking about communication, a significant part is focused on blogging. We suggest https://wordpress.com as a starting place to the newcomers. At the same time, we found that some people had trouble as they were more focused on the themes or other options than writing regularly.

I looked at https://write.as before, but as I saw https://people.kernel.org is now running on WriteFreely, I thought of giving it a try. The UI is much more straightforward, and as it uses Markdown by default, that is a plus point for our use case. Though most of this year’s participants already have their own blogs, we don’t have many people at the beginning, which helps as not too many support requests to us.

Just like the Mastodon instance, if you need a home for your blogs, come over to our IRC channel #dgplug on Freenode server, and ask for an account.

backup of the systems

This is the biggest question in providing the services in my mind. We set up the very initial backup systems, and we will see in the coming weeks how it stands. Maybe, we will take down the services, and try to restore everything from backup, and see how it goes.

Btw, if you want to follow me over Mastodon, then I am available at https://toots.dgplug.org/@kushal

I don’t remember when I started using tmux, but, the move from screen to tmux was quick. I have it installed on all of my systems and VMs. Though I never bothered to have a proper configuration file, it also means that I never used any plugin or other particular configuration. I don’t prefer to use plugins for command line applications much (for example in Vim), as not all systems will have those plugins installed.

While working on OSCP labs, I wished for a way to keep my tmux sessions logged, as that helps to create the report or remember the process in the future. Later, I found IPPSec has a video on their usage of tmux, which includes a plugin to log tmux sessions. I decided to give it a go and created my tmux.conf based on the same.

$ cat ~/.tmux.conf

# Remap prefix to screens
set -g prefix C-a
bind C-a send-prefix
unbind C-b

# Other values
set -g history-limit 100000
set -g allow-rename off

# Join windows
bind-key j command-prompt -p "Join pane from:"  "join-pane -s '%%'"
bind-key s command-prompt -p "Send pane to:"  "join-pane -t '%%'"

# Search mode VI
set-window-option -g mode-keys vi
bind -T copy-mode-vi y send-keys -X copy-pipe-and-cancel 'xclip -in -selection clipboard'

# git clone https://github.com/tmux-plugins/tmux-logging
run-shell /opt/tmux-logging/logging.tmux

Following IPPSec, I have also converted the prefix key to Ctrl+a. This change helps to use another tmux in a remote system, where the default Ctrl+b works as the prefix key. I have also moved the default search to vi mode. You can start selecting text by pressing the spacebar, and then press y to copy text to the primary system clipboard, and helps to copy text easily to any other GUI application. This feature requires xclip tool from the system packages.

I have also cloned the tmux-logging repository under /opt.

On Twitter, Justin Garrison pointed me to his super amazing awesome-tmux repository, which contains many many useful resources on tmux. I spent a good part of reading The Tao of tmux.

Now, my tmux is working the way I want on my Linux systems and also on the FreeBSD laptop (where I am writing this blog post). Btw, if you search tmux cheatsheet on https://duckduckgo.com it provides a lovely view of the cheat sheet in the result page.

From the first-ever conference I attended, I started picking up many tools and habits from other participants, speakers, and friends. It is still the same with many new conferences I go to, by meeting new people and learning about new technologies, or sometimes about technologies which are not so new.

I use Linux as my primary operating system at home over 15 years now, getting a good Internet connection helped to make it happen. It was the same for my servers too. I do run different distributions, depending on the kind of work that needs to be done. When I go to many language-specific or general technical conferences, I do always find some discussions related to which distribution is good for what. However, whenever I met Trouble aka Philip Paeps, his lines are always amusing, but, also making questions about how FreeBSD differs from Linux in every possible way. I had FreeBSD running in few VMs at home, which is okay to have an understanding of the basics. To know more in details, I decided to move my primary site https://kushaldas.in over FreeBSD around a year ago. Till now it is running fine, and as a simple static website, there is not much to do anyway.

Last week during rootconf I again met trouble and a bunch of old friends (who all are regular in the FreeBSD world). They helped me to understand how to upgrade to the latest release, and showed a few more tricks. I wanted to use it more to become familiar with command line tools.

I got a X230 laptop with CoreBoot and installed FreeBSD 12 on it. The necessary installation went very smooth. Then, I decided to have KDE as a desktop environment on it. I followed the guide. However, I failed to get sddm working. Even though friends at #freebsd and #bsdin tried to help/debug, only in the evening, we figured out that I was missing some critical Xorg related packages.

# pkg install xf86-input-keyboard xf86-input-mouse xf86-input-synaptics xf86-input-libinput xauth

Also, remember to upgrade the system to the latest.

# freeebsd-update fetch
# freebsd-update install

I have installed the regular applications I use in my standard Linux boxes, including FocusWriter. Remember to install the hunspell package and corresponding dictionary for your language, if you want to have spell checking in FocusWriter.

I am writing this blog post in the same tool in the FreeBSD system. I completely forgot how good the old X series ThinkPad keyboards were feeling nice to type on this. I will keep using this system for learning purpose and hoping to write more in the coming days.

Last Friday late night, I suddenly started getting a lot of bounced emails from the dgplug mailing list. Within a few minutes, I received more than a thousand emails. A quick look inside of the bounce emails showed the following error:

Unauthenticated email from yahoo.in is not accepted due to     domain's 550-5.7.1 DMARC policy.

Gmail was blocking one person’s email via our list (he sent that using Yahoo and from his iPhone client), and caused more than 1700 gmail users in our list in the nomail block unless they check for the mailman’s email and click to reenable their membership.

I panicked for a couple of minutes and then started manually clicking on the mailman2 UI for each user to unblock them. However, that was too many clicks. Suddenly I remembered the suggestion from Saptak about using JavaScript to do this kind of work. Even though I tried to learn JavaScript 4 times and failed happily, I thought a bit searching on Duckduckgo and search/replace within example code can help me out.

$checkboxes = document.querySelectorAll("[name$=nomail]");
for (var i=0; i<$checkboxes.length; i++)  {
      $checkboxes[i].checked = false;
}

The above small script helped me to uncheck 50 email addresses at a time, and I managed to unblock the email addresses without spending too many hours clicking.

I have also modified the mailing list DMARC settings as suggested. Now, have to wait and see if this happens again.

Following the idea of Secure The News, I wanted to verify if the Indian news websites have proper certificates or can they be viewed over Tor network.

The major problem was to get the list of urls, and I managed to create that from the Wikipedia list of Indian news organizations. Next, I had to write a straightforward Python script to verify the sites over Tor.

I have 181 site URLs and out of those, 5 are down. Among the rest 176 sites, surprisingly all but 3 sites could not be open from Tor network. The following 3 sites are blocking the users from Tor, thus, compromising the privacy and security Tor Browser provides to their readers.

• http://www.dnaindia.com/
• http://www.financialexpress.com/
• http://www.jagran.com/

On the other hand, when it comes to enabling HTTPS by default and redirecting people to that, most of these sites failed miserably.

117 sites do not provide their sites over HTTPS. If you do not know why it is important to provide the same, please read this. If you don’t know how to enable HTTPS on your website, you can read this guide.

This is the list of the URLs who are only on HTTP.

Every participant of PyCon US 2019 received a CircuitPython Playground Express (cpx) in the swag bag from Digikey and Adafuit, which is one of the best swag in a conference. Only another thing which comes in my mind was Yubikeys sponsored by Yubico in a rootconf a few years ago.

I did not play around much with my cpx during PyCon, but, decided to go through the documents and examples in the last week. I used Mu editor (thank you @ntoll) to write a small game.

The goal is to guess a color for the next NeoPixel on the board and then press Button A to see if you guessed right or not. Py and I are continuously playing this for the last weeks.

The idea of CircuitPython, where we can connect the device to a computer and start editing code and see the changes live, is super fantastic and straightforward. It takes almost no time to start working on these, the documentation is also unambiguous and with many examples. Py (our 4 years old daughter) is so excited that now she wants to learn programming so that she can build her things with this board).

A couple of weeks back, I gave a talk at PyCon US 2019, "Building reproducible Python applications for secured environments".

The main idea behind the talk is about the different kind of threats in an application which has dependencies (with regular updates) coming from various upstream projects, and also the final deployable artifact (Debian package in this case) needs to audit-able, and reproducible.

Before my talk on Saturday, I went through the whole idea and different steps we are following, with many of the PyPA (Python Packaging Authority) and other security leads in various organizations.

You can view the talk on Youtube. Feel free to give any feedback over email or Twitter.

My phone has more friends than me. It talks to more peers (computers) than the number of human beings I talk on an average. In this age of smartphones and mobile apps for A-Z things, we are dependent on these technologies. However, at the same time, we don’t know much of what is going on in the computers equipped with powerful cameras, GPS device, microphone we are carrying all the time. All these apps are talking to their respective servers (or can we call them masters?), but, there is no easy way to track them.

These questions bothered me for a long time: I wanted to see the servers my phone is connecting to, and I want to block those connections as I wish. However, I never managed to work on this. A few weeks ago, I finally sat down to start working to build up a system by reusing already available open source projects and tools to create the system, which will allow me to track what my phone is doing. Maybe not in full details, but, at least shed some light on the network traffic from the phone.

Initial trial

I tried to create a wifi hotspot at home using a Raspberry Pi and then started capturing all the packets from the device using standard tools (dumpcap) and later reading through the logs using Wireshark. This procedure meant that I could only capture when I am connected to the network at home. What about when I am not at home?

Next round

This time I took a bit different approach. I chose algo to create a VPN server. Using WireGuard, it became straightforward to connect my iPhone to the VPN. This process also allows capturing all the traffic from the phone very easily on the VPN server. A few days in the experiment, Kashmir started posting her experiment named Life Without the Tech Giants, where she started blocking all the services from 5 big technology companies. With her help, I contacted Dhruv Mehrotra, who is a technologist behind the story. After talking to him, I felt that I am going in the right direction. He already posted details on how they did the blocking, and you can try that at home :)

Looking at the data after 1 week

After capturing the data for the first week, I moved the captured pcap files into my computer. Wrote some Python code to put the data into a SQLite database, enabling me to query the data much faster.

Domain Name System (DNS) data

The Domain Name System (DNS) is a decentralized system which helps to translate the human memory safe domain names (like kushaldas.in) into Internet Protocol (IP) addresses (like 192.168.1.1 ). Computers talk to each other using these IP addresses, we, don’t have to worry to remember so many names. When the developers develop their applications for the phone, they generally use those domain names to specify where the app should connect.

If I plot all the different domains (including any subdomain) which got queried at least 10 times in a week, we see the following graph.

The first thing to notice is how the phone is trying to find servers from Apple, which makes sense as this is an iPhone. I use the mobile Twitter app a lot, so we also see many queries related to Twitter. Lookout is a special mention there, it was suggested to me by my friends who understand these technologies and security better than me. The 3rd position is taken by Google, though sometimes I watch Youtube videos, but, the phone queried for many other Google domains.

There are also many queries to Akamai CDN service, and I could not find any easy way to identify those hosts, the same with Amazon AWS related hosts. If you know any better way, please drop me a note.

You can see a lot of data analytics related companies were also queried. dev.appboy.com is a major one, and thankfully algo already blocked that domain in the DNS level. I don’t know which app is trying to connect to which all servers, I found about a few of the apps in my phone by searching about the client list of the above-mentioned analytics companies. Next, in coming months, I will start blocking those hosts/domains one by one and see which all apps stop working.

Looking at data flow

The number of DNS queries is an easy start, but, next I wanted to learn more about the actual servers my phone is talking to. The paranoid part inside of me was pushing for discovering these servers.

If we put all of the major companies the phone is talking to, we get the following graph.

Apple is leading the chart by taking 44% of all the connections, and the number is 495225 times. Twitter is in the second place, and Edgecastcdn is in the third. My phone talked to Google servers 67344 number of times, which is like 7 times less than the number of times Apple itself.

In the next graph, I removed the big players (including Google and Amazon). Then, I can see that analytics companies like nflxso.net and mparticle.com have 31% of the connections, which is a lot. Most probably I will start with blocking these two first. The 3 other CDN companies, Akamai, Cloudfront, and Cloudflare has 8%, 7%, and 6% respectively. Do I know what all things are these companies tracking? Nope, and that is scary enough that one of my friend commented “It makes me think about throwing my phone in the garbage.”

What about encrypted vs unencrypted traffic? What all protocols are being used? I tried to find the answer for the first question, and the answer looks like the following graph. Maybe the number will come down if I try to refine the query and add other parameters, that is a future task.

What next?

As I said earlier, I am working on creating a set of tools, which then can be deployed on the VPN server, that will provide a user-friendly way to monitor, and block/unblock traffic from their phone. The major part of the work is to make sure that the whole thing is easy to deploy, and can be used by someone with less technical knowledge.

How can you help?

The biggest thing we need is the knowledge of “How to analyze the data we are capturing?”. It is one thing to make reports for personal user, but, trying to help others is an entirely different game altogether. We will, of course, need all sorts of contributions to the project. Before anything else, we will have to join the random code we have, into a proper project structure. Keep following this blog for more updates and details about the project.

Note to self

Do not try to read data after midnight, or else I will again think a local address as some random dynamic address in Bangkok and freak out (thank you reverse-dns).