Recently, I needed a way to upload files to Microsoft SharePoint on a regular/ongoing basis. Below are my notes of how I used Microsoft’s OAuth 2.0 authorization code flow and the Microsoft Graph API to do this. Ideally, I’d have a service account for this and use the client credentials grant flow, but sometimes its just easier to work with the access the Azure admin gave you than it is to go back-and-forth. In this case, I’ve delegated permission to the app to perform the uploads under my identity. Which means, since this isn’t using a service account, this will stop working when my account is decommissioned. On the positive side, given that the refresh token’s max inactive time is 90 days, there shouldn’t be a need to regularly get a new auth code.

Following up on my previous post which had the example of homoglyphic attacks on ENS (Ethereum Name Service) names, I wanted to see if this sort of attack scenario existed in the wild. To generate lots of homoglyphs for a given name, I turned to dnstwist.

There has been a fair bit written about homoglyphic attacks targeting domain names. A homoglyph is a character from one character set that looks like a character in a different character set, and has a different underlying value. The common defense for this attack targeting domain names was to display the domain name as Punycode. I wanted to take a look at a potential use case for this attack as it relates to query parameters and rendered HTML text. Specifically, ENS names used as parameters in links and rendered HTML text.

Preempt (now owned by CrowdStrike) is an IAM security product that sits in front of AD and inspects & analyzes traffic. Part of what it does is generate a risk score for each user, which is based on their activity, access levels, etc. This value is exposed via a GraphQL API which allows it to be tied into other systems. One such use case is having conditional MFA based on each user’s risk score.

Copperhead, the security-focused Android project that I posted about previously, imploded in Summer 2018 after a falling out between the tech and the sales guy. The tech Daniel Micay has continued his privacy and security work as GrapheneOS. Copperhead had a business model selling and supporting the Copperhead phones. Graphene appears to rely largely on donations. Due to the shift in funding, it is not necessary to build GrapheneOS from source if you want to try it out - the project provides signed images for recent Pixel models.

Notes for building Copperhead OS for the Pixel XL. (gist here: https://gist.github.com/ramann/62abe0b266bb8c3e8483c7c7ca60fdb8) This was done on Ubuntu 14.04.5 LTS, using GNU Make 3.81 (3.81-8.2ubuntu3) and Python 2.7.6 (2.7.6-8ubuntu0.2), as recommended on https://source.android.com/setup/requirements#software-requirements. All below instructions are specific to the Pixel XL (marlin) and come from https://copperhead.co/android/docs/building.

I wanted to get some hands-on experience with Docker and Spring Boot, so I built a Spring Boot webapp, and have put together Docker images to tie it together with Bitcoin Core, strongSwan, and a database. Oh, also, it is absolutely no fun trying to choose a VPN service. I’m not aware of any VPN providers that offer certificate-based authentication for IKEv2/IPsec. Given the current transaction fees and confirmation delays with Bitcoin, it would make sense to go with a different cryptocurrency. You can clone the most up-to-date instance of this project here.

We use F5’s Application Security Module (ASM) as our WAF at work, and it sucks!

I recently obtained a GnuPG card (v2.1) from kernelconcepts.de. Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the below steps should be done on an offline computer such an Ubuntu livecd (still calling them CDs?).

Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t get automatically directed in the clear through my ISP. Currently I am using DigitalOcean but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume to the worst), I will likely end up choosing a provider based in Europe.

A script to grab the cert for a given domain, and print the date & reason for revocation.

The Gentoo documentation has a tutorial on setting up a simple sandbox. The simplest of all sandboxing methods uses discretionary access controls - on a Linux machine, these are user/group ownership and permissions. No seccomp, no user namespaces, no SELinux.

This walk-through was forked from ageis’ gist on building a grsec-patched kernel for Debian 8 and DigitalOcean.

Recently I was generating two 4096-bit RSA keys for PGP encryption & signing… and it took nearly 6 minutes for me. I can’t wait that long! GPG uses /dev/random as the RNG when generating a new key pair and there is no way to use /dev/urandom without modifying the GPG code.

IPsec is (as far as most people know) a secure (you aren’t using a PSK, I hope) - yet complex - way to secure IP traffic. It supports IP traffic confidentiality and integrity and can be used to build a VPN. strongSwan is an IPsec implementation available for Linux that I’ve been using for over a year now.

pfSense is a FreeBSD-based firewall/security-focused distribution. It can act as a firewall, router, DHCP server, DNS server. It also has a package manager with some security related packages. I’ve been playing around with it for the past couple of weeks.

I first got into Bitcoin back in 2013, before a media frenzy caused the price to skyrocket over $1000. Though it has its problems, I think the blockchain concept is awesome.

Yeah… no.

Details on setting up a de-sensorized (desensitized?) Android phone for use with strongSwan (and USB tethering!). (Other files: https://github.com/ramann/android-tether-vpn )

Since I have a “PKI”-branded smartcard, I decided to see how I could use it with a PKI. I went through a basic PKI tutorial, (http://pki-tutorial.readthedocs.io/en/latest/simple/) but wasn’t sure how I would interface with the smartcard…

Remember that scene at the end of The Conversation where Gene Hackman’s character is seen digging up the floor of his apartment looking for the surreptitious microphone?

Eight or nine years ago, when I was first getting into Linux, I played around with a few distributions and ultimately ended up settling on Ubuntu. It was simple to install, easy to use, and had good driver support for the laptop I was using at the time.

It turns out smartcards are cool. It also turns out there is no up to date documentation on using one to unlock an encrypted /root partition during boot. Frustrated by this, I got a hold of a smartcard and dug in to figure out things myself. After all, how many 35+ character passwords am I supposed to remember?

One of the IT security efforts that the GOVERNMENT OF THE UNITED STATES ;) has been really pushing recently is the use of smartcards. I had to go to an office and get my picture taken and the entire surface of both hands printed when I got my PIV Card (basically a smartcard with some identity objects: http://csrc.nist.gov/groups/SNS/piv/standards.html).

One project that I’ve just started fooling around with involves airplane transponder transmissions. It turns out that with a software-defined radio USB dongle (<$30 on Amazon or <$10 on Ebay from Hong Kong) you can grab the transponder signals from planes (which (generally) have data elements such as ICAO code, altitude, speed,lat, long, etc.).

Recently I mentioned to an acquaintance that I was setting up a mail server so that I could move away from Gmail. He asked me if I was using Mail-in-a-Box. I had no idea what that was - I was going through some instructions from Ars that I had used previously.