make;
make install;

some notes to myself


File uploading under Microsoft's OAuth 2.0 authz code flow

Written on February 9, 2022

Recently, I needed a way to upload files to Microsoft SharePoint on a regular/ongoing basis. Below are my notes on how I used Microsoft’s OAuth 2.0 authorization code flow and the Microsoft Graph API to do this. Ideally, I’d have a service account for this and use the client credentials grant flow, but sometimes it’s just easier to work with the access the Azure admin gave you than it is to go back-and-forth. In this case, I’ve delegated permission to the app to perform the uploads under my identity. Since this isn’t using a service account, it will stop working when my account is decommissioned. On the positive side, given that the refresh token’s max inactive time is 90 days, there shouldn’t be a need to regularly get a new auth code.


Homoglyphic Attack Potential in URL Query Strings and HTML text

Written on November 10, 2021

There has been a fair bit written about homoglyphic attacks targeting domain names. A homoglyph is a character from one character set that looks like a character in a different character set, and has a different underlying value. The common defense for this attack targeting domain names was to display the domain name as Punycode. I wanted to take a look at a potential use case for this attack as it relates to query parameters and rendered HTML text. Specifically, ENS names used as parameters in links and rendered HTML text.


Integrating Preempt's risk score into each user's Okta profile

Written on June 24, 2021

Preempt (now owned by CrowdStrike) is an IAM security product that sits in front of AD and inspects & analyzes traffic. Part of what it does is generate a risk score for each user, which is based on their activity, access levels, etc. This value is exposed via a GraphQL API which allows it to be tied into other systems. One such use case is having conditional MFA based on each user’s risk score.


GrapheneOS on the Pixel 3A

Written on October 29, 2019

Copperhead, the security-focused Android project that I posted about previously, imploded in Summer 2018 after a falling out between the tech and the sales guy. The tech, Daniel Micay, has continued his privacy and security work as GrapheneOS. Copperhead had a business model selling and supporting the Copperhead phones. Graphene appears to rely largely on donations. Due to the shift in funding, it is not necessary to build GrapheneOS from source if you want to try it out: the project provides signed images for recent Pixel models.


Building Copperhead OS for the Pixel XL

Written on January 20, 2018

Notes for building Copperhead OS for the Pixel XL. (gist here: https://gist.github.com/ramann/62abe0b266bb8c3e8483c7c7ca60fdb8) This was done on Ubuntu 14.04.5 LTS, using GNU Make 3.81 (3.81-8.2ubuntu3) and Python 2.7.6 (2.7.6-8ubuntu0.2), as recommended on https://source.android.com/setup/requirements#software-requirements. All below instructions are specific to the Pixel XL (marlin) and come from https://copperhead.co/android/docs/building.


Docker(strongSwan + MySQL + bitcoin + Spring Boot)

Written on January 2, 2018

I wanted to get some hands-on experience with Docker and Spring Boot, so I built a Spring Boot webapp, and have put together Docker images to tie it together with Bitcoin Core, strongSwan, and a database. Oh, also, it is absolutely no fun trying to choose a VPN service. I’m not aware of any VPN providers that offer certificate-based authentication for IKEv2/IPsec. Given the current transaction fees and confirmation delays with Bitcoin, it would make sense to go with a different cryptocurrency. You can clone the most up-to-date instance of this project here.


F5 WAF Suckage

Written on November 11, 2017

We use F5’s Application Security Module (ASM) as our WAF at work, and it sucks!


GnuPG card setup

Written on April 18, 2017

I recently obtained a GnuPG card (v2.1) from kernelconcepts.de. Below are instructions for setting it up. I generated a new primary key and subkeys on an offline computer, backed up the necessary files, and moved the subkeys to the GnuPG card. This was put together after reading GPG best practices, a dated FSF Europe tutorial, and a lengthy walkthrough for using GPG keys on a Yubikey. After installing the necessary packages, all of the below steps should be done on an offline computer such as an Ubuntu livecd (still calling them CDs?).


pfSense & Ubuntu/Strongswan for VPN

Written on February 23, 2017

Given the current political climate and the dim future for the FCC’s broadband privacy rules, I decided to set up my pfSense box so that internet traffic gets routed over an IPsec connection to a remote Ubuntu VM. This will help to conceal browsing information from my ISP. I also disabled the auto-generated outbound NAT rules so that if the VM goes down, traffic won’t get automatically directed in the clear through my ISP. Currently I am using DigitalOcean, but given that they could log traffic under the same laws as Comcast (I am definitely not a lawyer, but sometimes it’s best just to assume the worst), I will likely end up choosing a provider based in Europe.


Simple Sandbox

Written on November 6, 2016

The Gentoo documentation has a tutorial on setting up a simple sandbox. The simplest of all sandboxing methods uses discretionary access controls - on a Linux machine, these are user/group ownership and permissions. No seccomp, no user namespaces, no SELinux.


Feeding /dev/random

Written on June 25, 2016

Recently I was generating two 4096-bit RSA keys for PGP encryption & signing… and it took nearly 6 minutes for me. I can’t wait that long! GPG uses /dev/random as the RNG when generating a new key pair and there is no way to use /dev/urandom without modifying the GPG code.


IPsec server details

Written on May 8, 2016

IPsec is (as far as most people know) a secure (you aren’t using a PSK, I hope) - yet complex - way to secure IP traffic. It supports IP traffic confidentiality and integrity and can be used to build a VPN. strongSwan is an IPsec implementation available for Linux that I’ve been using for over a year now.


pfSense

Written on April 2, 2016

pfSense is a FreeBSD-based firewall/security-focused distribution. It can act as a firewall, router, DHCP server, DNS server. It also has a package manager with some security related packages. I’ve been playing around with it for the past couple of weeks.


Switching back to Ubuntu

Written on September 27, 2015

Eight or nine years ago, when I was first getting into Linux, I played around with a few distributions and ultimately ended up settling on Ubuntu. It was simple to install, easy to use, and had good driver support for the laptop I was using at the time.


Smartcard unlock encrypted /root

Written on September 6, 2015

It turns out smartcards are cool. It also turns out there is no up-to-date documentation on using one to unlock an encrypted /root partition during boot. Frustrated by this, I got hold of a smartcard and dug in to figure things out myself. After all, how many 35+ character passwords am I supposed to remember?


SDR and airplane transponders

Written on August 24, 2015

One project that I’ve just started fooling around with involves airplane transponder transmissions. It turns out that with a software-defined radio USB dongle (<$30 on Amazon or <$10 on Ebay from Hong Kong) you can grab the transponder signals from planes, which generally have data elements such as ICAO code, altitude, speed, lat, long, etc.


Moving away from Gmail

Written on July 5, 2015

Recently I mentioned to an acquaintance that I was setting up a mail server so that I could move away from Gmail. He asked me if I was using Mail-in-a-Box. I had no idea what that was - I was going through some instructions from Ars that I had used previously.
