Written on February 9, 2022
Recently, I needed a way to upload files to Microsoft SharePoint on a regular/ongoing basis. Below are my notes of how I used Microsoft’s OAuth 2.0 authorization code flow and the Microsoft Graph API to do this. Ideally, I’d have a service account for this and use the client credentials grant flow, but sometimes it’s just easier to work with the access the Azure admin gave you than it is to go back-and-forth. In this case, I’ve delegated permission to the app to perform the uploads under my identity. Which means, since this isn’t using a service account, this will stop working when my account is decommissioned. On the positive side, given that the refresh token’s max inactive time is 90 days, there shouldn’t be a need to regularly get a new auth code.
Written on December 26, 2021
Following up on my previous post which had the example of homoglyphic attacks on ENS (Ethereum Name Service) names, I wanted to see if this sort of attack scenario existed in the wild. To generate lots of homoglyphs for a given name, I turned to dnstwist.
Written on November 10, 2021
There has been a fair bit written about homoglyphic attacks targeting domain names. A homoglyph is a character from one character set that looks like a character in a different character set, and has a different underlying value. The common defense for this attack targeting domain names was to display the domain name as Punycode. I wanted to take a look at a potential use case for this attack as it relates to query parameters and rendered HTML text. Specifically, ENS names used as parameters in links and rendered HTML text.
Written on June 24, 2021
Preempt (now owned by CrowdStrike) is an IAM security product that sits in front of AD and inspects & analyzes traffic. Part of what it does is generate a risk score for each user, which is based on their activity, access levels, etc. This value is exposed via a GraphQL API which allows it to be tied into other systems. One such use case is having conditional MFA based on each user’s risk score.
Written on October 29, 2019
Copperhead, the security-focused Android project that I posted about previously, imploded in Summer 2018 after a falling out between the tech and the sales guy. The tech Daniel Micay has continued his privacy and security work as GrapheneOS. Copperhead had a business model selling and supporting the Copperhead phones. Graphene appears to rely largely on donations. Due to the shift in funding, it is not necessary to build GrapheneOS from source if you want to try it out - the project provides signed images for recent Pixel models.
Written on January 20, 2018
Notes for building Copperhead OS for the Pixel XL. (gist here: https://gist.github.com/ramann/62abe0b266bb8c3e8483c7c7ca60fdb8)
This was done on Ubuntu 14.04.5 LTS, using GNU Make 3.81 (3.81-8.2ubuntu3) and Python 2.7.6 (2.7.6-8ubuntu0.2), as recommended on https://source.android.com/setup/requirements#software-requirements.
All below instructions are specific to the Pixel XL (marlin) and come from https://copperhead.co/android/docs/building.
Written on January 2, 2018
I wanted to get some hands-on experience with Docker and Spring Boot, so I built a Spring Boot webapp, and have put together Docker images to tie it together with Bitcoin Core, strongSwan, and a database. Oh, also, it is absolutely no fun trying to choose a VPN service. I’m not aware of any VPN providers that offer certificate-based authentication for IKEv2/IPsec. Given the current transaction fees and confirmation delays with Bitcoin, it would make sense to go with a different cryptocurrency. You can clone the most up-to-date instance of this project here.
Written on November 11, 2017
We use F5’s Application Security Module (ASM) as our WAF at work, and it sucks!
Written on April 18, 2017
I recently obtained a GnuPG card (v2.1) from kernelconcepts.de. Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the below steps should be done on an offline computer such as an Ubuntu livecd (still calling them CDs?).
Written on February 23, 2017
Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t get automatically directed in the clear through my ISP. Currently I am using DigitalOcean but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume the worst), I will likely end up choosing a provider based in Europe.
Written on November 17, 2016
A script to grab the cert for a given domain, and print the date & reason for revocation.
Written on November 6, 2016
The Gentoo documentation has a tutorial on setting up a simple sandbox. The simplest of all sandboxing methods uses discretionary access controls - on a Linux machine, these are user/group ownership and permissions. No seccomp, no user namespaces, no SELinux.
Written on September 4, 2016
This walk-through was forked from ageis’ gist on building a grsec-patched kernel for Debian 8 and DigitalOcean.
Written on June 25, 2016
Recently I was generating two 4096-bit RSA keys for PGP encryption & signing… and it took nearly 6 minutes for me. I can’t wait that long! GPG uses /dev/random as the RNG when generating a new key pair and there is no way to use /dev/urandom without modifying the GPG code.
Written on May 8, 2016
IPsec is (as far as most people know) a secure (you aren’t using a PSK, I hope) - yet complex - way to secure IP traffic. It supports IP traffic confidentiality and integrity and can be used to build a VPN. strongSwan is an IPsec implementation available for Linux that I’ve been using for over a year now.
Written on April 2, 2016
pfSense is a FreeBSD-based firewall/security-focused distribution. It can act as a firewall, router, DHCP server, DNS server. It also has a package manager with some security related packages. I’ve been playing around with it for the past couple of weeks.
Written on March 27, 2016
I first got into Bitcoin back in 2013, before a media frenzy caused the price to skyrocket over $1000. Though it has its problems, I think the blockchain concept is awesome.
Written on February 28, 2016
Written on February 7, 2016
Details on setting up a de-sensorized (desensitized?) Android phone for use with strongSwan (and USB tethering!). (Other files: https://github.com/ramann/android-tether-vpn )
Written on December 19, 2015
Since I have a “PKI”-branded smartcard, I decided to see how I could use it with a PKI. I went through a basic PKI tutorial (http://pki-tutorial.readthedocs.io/en/latest/simple/), but wasn’t sure how I would interface with the smartcard…
Written on October 25, 2015
Remember that scene at the end of The Conversation where Gene Hackman’s character is seen digging up the floor of his apartment looking for the surreptitious microphone?
Written on September 27, 2015
Eight or nine years ago, when I was first getting into Linux, I played around with a few distributions and ultimately ended up settling on Ubuntu. It was simple to install, easy to use, and had good driver support for the laptop I was using at the time.
Written on September 6, 2015
It turns out smartcards are cool. It also turns out there is no up to date documentation on using one to unlock an encrypted /root partition during boot. Frustrated by this, I got a hold of a smartcard and dug in to figure out things myself. After all, how many 35+ character passwords am I supposed to remember?
Written on August 25, 2015
One of the IT security efforts that the GOVERNMENT OF THE UNITED STATES ;) has been really pushing recently is the use of smartcards. I had to go to an office and get my picture taken and the entire surface of both hands printed when I got my PIV Card (basically a smartcard with some identity objects: http://csrc.nist.gov/groups/SNS/piv/standards.html).
Written on August 24, 2015
One project that I’ve just started fooling around with involves airplane transponder transmissions. It turns out that with a software-defined radio USB dongle (<$30 on Amazon or <$10 on Ebay from Hong Kong) you can grab the transponder signals from planes (which (generally) have data elements such as ICAO code, altitude, speed, lat, long, etc.).
Written on July 5, 2015
Recently I mentioned to an acquaintance that I was setting up a mail server so that I could move away from Gmail. He asked me if I was using Mail-in-a-Box. I had no idea what that was - I was going through some instructions from Ars that I had used previously.