DigitalReplica

AWS Multi-Account SSO Setup Guide

2021-03-17T00:00:00-04:00

You need multiple AWS accounts for hacking. This guide will show you how, using AWS Organizations and SSO.

Why?

Hacking requires a lot of tools, and experimentation. Having several AWS accounts lets you keep a “stable” account with working tools, and a playground account that let’s you try new things. And let’s face it, some of the tools out there aren’t quite trustworthy, and keeping those in a separate account reduces your risk. If one account gets compromised, nuke it and spin up a new one.

Larger AWS-based organizations use multiple AWS accounts to separate their envionments, with at least separate development and production accounts. Understanding how they use them will make you a more successful hacker.

Design

This approach uses Amazon’s own management tools for a simple, easy-to use system. The key tools are:

AWS Organizations: Centralized management management and billing for multiple AWS accounts.

AWS Single Sign-On: Centralized administrator accounts.

Using Organizations, you create a hierarchy of accounts, such as

Management
- Tools
- Playground

Let’s start

The cleanest way to start is with a new AWS account, but this can certainly be used with an existing account as well. You will need two different email addresses:

Management account root user
Normal user account

Management account

The management account controls all the others, and is the first one to set up. This account should only be used for creating other accounts, without any other users, tools, or configuration.

Instructions for setting up a new AWS account are at New AWS account. The important things to note are:

Email address: This should be an email that’s never been used to sign up for any AWS account, and different than the account you’d like to log in every day with.
Account name: Name this account something like “management”.
Phone: You’ll need a phone number that can receive SMS.

This creates a new account with a special root user login. Protect this at all costs, by:

Setting a long, random password. Save this in your favorite password app
Configuring MFA for the account.
And once Single Sign-On is configured, use that for normal login. Save the root user for emergencies only.

AWS Organizations

Next, turn on AWS Organizations, and set this account as the management account. Use the instructions at Creating an organization

Once complete, the AWS Console should show a single account with a star next to it, indicating that this is the management account.

AWS Single Sign-On

Now, turn on Single Sign-On, using the Getting started guide. The basic steps are:

Enable AWS SSO
Use AWS SSO to manage your users

To give yourself access to your accounts, you need to:

Create an Admins group
Create a user in the Admins group
Create a permission set with the AdministratorAccess IAM role
Assign accounts

Create Group Add group

Create a group called Administrators

Create User This is the user you’ll normally use to log into AWS with. Add Users

Create a user with your normal email address.
Add it to the Administrators group

Create Permission Set create a permission set.

Name: AdministratorAccess (or similar)
Use the “Attach managed policies” button to add the “AdministratorAccess” IAM policy. This gives you full admin access over accounts.

Assign Users and Permissions Single sign-on access

Select all your AWS accounts and click the “Add Users” button.
Click the Groups tab and select the Administrators group
Click the “Permission sets” button and select the AdministratorAccess permission set
Click Finish

Find Portal Url Single Sign-On creates a portal used to log in and access all your AWS accounts. Be sure to save this url. It will be in the email sent when you created your user, but if you need to find it again.

Click Dashboard in the menu and look for “User portal URL” at the bottom

Log out of the AWS console with your root user. Use the email to log into the user portal with your Single Sign-On user. If everything is successful, you should see an “AWS Account” box, that you can open to access your different accounts.

All of the hard setup stuff is done. Hurray!

Adding a new AWS account

Now you can use AWS Organizations to create new AWS accounts, then configure Single Sign-On to give yourself access.

Follow Creating an AWS account to create a new AWS account managed by this account.
Follow the same steps again in Single sign-on access to select the new account, and add the Administrators group with AdministratorAccess over the new account.
Refresh your User Portal page. The new account should appear.

Start with a playground or sandbox account. Use this to try different tools and get them working. Once you’re happy, create a second account to move stable and tested tools into.

Finale

Congratulations. You can now take advantage of multiple AWS accounts to hack from. Have fun!

Can gunshot detection technology contain gun violence?

2019-08-10T00:00:00-04:00

Photo by Ed Rojas on Unsplash

With more recent mass shootings, we ask once again, “How do we solve gun violence?” Then everyone gets on their soapbox again to blather the same crap about gun control.

What if a better question is “Can we contain gun violence?”

A gunshot detection device can be built today for under $100 with 99% accuracy. Reducing police reaction time could potentially save eight lives on every incident. Why don’t we have them everywhere? Why don’t we have our schools bristling with them?

A high school girl can do it

A Novel Approach to Gunshot Detection using Internet of Things IoT and Machine Learning

She built a system using hobby-level electronics that detects gunshots with 99.4% accuracy. It can also determine if the shot came from a handgun or rifle. Read more about her work at A Novel Approach to Gunshot Detection using Internet of Things (IoT) and Machine Learning - Young Innovators To Watch.

Technology is simply that good now. The sensors, circuits, and computers are absurdly cheap (Arduino and Raspberry Pi). New, readily-available, machine learning algorithms can easily take the data and give probabilities for a handgun fired, a rifle fired, and nothing-happening-here-right-now.

The Dream

Imagine a school. In every classroom and hallway, there’s a gunshot detector installed. An incident occurs. Police and school officials know in real-time that a shot has been fired, where it occurred, and what type of weapon. They can track events as they happen: more shots fired, if it moves, if multiple weapons are involved.

Police reaction time is drastically reduced. Evacuation procedures are simplified.

And perhaps this alone would deter someone from going through it.

But it’s more complicated than that

A group at the Pacific Northwest National Laboratory designed a low-cost gunshot detection system. Their system goes a little further, and can determine the calibre of weapon used. Their estimated cost is less than $100 per device. But they admit that this is just the sensor. There is much more needed to turn this into a viable technology.

What does it connect to?

If a school installed these, would they connect it to the school alarm system? Would it instantly notify law enforcement? If the goal is to reduce reaction time, then it absolutely has to do both.

It’s a bit more complicated than “Call 911”. Sending data feeds to law enforcement is a work in progress. We have Enhanced 911, but this is a new type of data sent over new channels that would have to be developed and standardized.

False alarms

They will happen. Swatting is a very real problem, where someone prank calls the police to send a SWAT team out to an innocent person’s house. Someone will assuredly try to do the same with this. How can we determine when this occurs? What’s the penalty if someone does it?

And then there’s simply faulty equipment to deal with?

Certification and maintenance

Can anyone build one of these? Or does it need to go through some sort of certification process?

What does it take to maintain and test these? Is it like a smoke alarm, where someone has to go press a button once a week? There are commercial fire alarm tests that could easily be adapted to cover these types of devices.

None of this is hard. We know how to do this stuff.

Why don’t we have these already?

Good question!

We do. Kinda, maybe, not really.

ShotSpotter is one example of a commercially available system trying to bring gunshot detection to police already. But such systems appear to be outdoors only. The accuracy sucks.

From Gunshot detection system once green-lighted for Richmond isn’t happening:

An 8News investigation in 2017 did find Shotspotter is not a perfect system. Police using it in other cities were unable to find evidence of gunshots 30% to 70% of the time.

Perhaps the many red light camera and licence plate recognition debacles have made me leery of any company selling technology directly to law enforcement.

Privacy considerations

I have serious issues with companies streaming our audio and video out to their systems, where they can use (abuse) it in any way they wish. Amazon, Google, even Apple have plastered the news with their use of your data.

How about a device like this ?

It depends. The first article shows that a $35 Raspberry Pi has enough processing power to perform all analysis on the device itself. No internet connection or streaming of audio needed. It only needs to send an alert when an event happens, with the relevant data.

I’m totally OK with this. Make the data formats open and auditable, respect people’s privacy, and no security researcher will have issues with this.

The ability to auto record audio, even video, would be a nice feature to have, on the device only. Dashcams are a great example of this. Have an accident and the footage is available to show the police right then and there.

Livestreaming the data out? Well, let’s talk.

On my iPhone too?

A Google search finds exactly nothing. Is it possible for Apple to do this? Absolutely!

Apple has extensive experience melding hardware and software to solve similar problems. IOS Photos face detection identifies your friends by leveraging the power of Apple’s custom-built CPUs and GPUs with deep learning models. Saying “Hey Siri” is processed on-device without sending data to Apple. All the pieces are already there, and if not, Apple can easily add to next year’s model.

Imagine another shooting, this time with dozens of phones detecting and reporting the event. Using location and intensity reading across all of them, the shooter could be pinpointed to within a square foot. Video recording could turn on automatically to gather evidence. The police could see and hear within a second, monitor the situation on-route, and provide real-time instructions to anyone nearby.

Even as a security-nut, I’d probably turn this feature on. If it existed.

So I asked

I went to Apple’s Product Feedback site to add a feature request to iPhone.

Please consider adding the ability to iPhones / Siri to detect gunshots, to help protect all Apple users in an active-shooter situation.

As a security-focused consumer, I would like:

all processing on-device

an option to automatically notify law enforcement

an option to automatically turn on video recording

a way to disable it at a gun range

Thank you,

Danny

Whether Apple will consider this, who knows. If enough people ask, I think they would.

What can you do?

Make some noise. Ask for these types of devices.

Submit a Feature Request to Apple iPhone
Submit a Feature Request for Google Android
Submit a Feature Request for Amazon Echo
Ask schools if they would consider implementing this technology
Contact your elected officials
Use your own expertise to solve some of the implementation problems
Just say that you want it

Conclusion

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

Bruce Schneier - Wikiquote

I started with a title using “solve gun violence”. This won’t.

But can it be used as an effective tool to help contain it? I think it can. Please help.

Solving CloudFlare and Let’s Encrypt Issues on a new Ghost Blog

2019-08-04T00:00:00-04:00

I wanted to consolidate two websites into a single, new Ghost platform. Re-using one of the existing URLs, and having the site behind the CloudFlare CDN caused issues with the install and LetsEncrypt SSL setup. Here’s what I did to get everything working.

I wanted to consolidate two websites into a single, new Ghost blog platform. Re-using one of the existing URLs, and having the site behind the CloudFlare CDN caused issues with the install and LetsEncrypt SSL setup. Here’s how I got everything working.

The starting point

One site was hosted on GitHub pages behind CloudFlare to provide a custom DNS name and SSL. The other was a WordPress site.

I debated mightily between Medium, WordPress, SquareSpace, Wordpress, and Ghost. Then should it be hosted vs running it myself. I decided I wanted to control everything, so chose Ghost, and hosting it myself. There’s plenty or articles on all of that, but here are two I found helpful in the basic setup of a cheap DigitalOcean droplet.

How to deploy a Ghost blogging platform to Digital Ocean
Step by Step: Setting up Ghost with a Digital Ocean Droplet

Setup

Since I was re-using a URL, and I didn’t want to take that offline until everything was ready, I setup Ghost with the IP address as the URL. That meant HTTP only, because Ghost doesn’t setup even a self-signed SSL certificate that way.

Ghost over http

Hint: Make your site private while doing the initial setup. Go to General Settings, scroll to the bottom and enable “Make this site private”. It will give you a password, so only you can see any content.

Ghost: Make this site private

If you want additional security, enable a DigitalOcean (or other) firewall and restrict SSH and HTTP to your IP address only.

DigitalOcean droplet firewall example

Migrating data

The first website used Jekyll on Github Pages. There’s a converter and migration guide at GitHub - mekomlusa/Jekyll-to-Ghost. That worked, but the second step of converting at How to Migrate to Ghost from other platforms - Docs (to convert to MobileDoc) totally failed for me. As I didn’t have many articles, so it was easier to recreate them. Ghost’s markdown conversion is awesome. I essentially pasted the article, then uploaded and fixed the image links.

The second website was Wordpress. Even easier to copy and paste. Though the Wordpress plugin is there to make that easier.

Redirecting URLs

To keep Google and other search results from being lost, I followed Google’s Site Move Guide.

The article URL format changed from /year/month/article-name/ to just /article-name/. I created a redirects JSON file with all articles by going to Settings, Labs, downloading the current redirect file, editing and re-uploading. The guide is in Ghost Tutorials, but it was simply filling out one line for each article, like below.

[
  {"from":"/2014/10/pocket-internet-privacy-shield/","to":"/pocket-internet-privacy-shield/","permanent":true},
  {"from":"/2016/12/privacy-from-corporations/","to":"/privacy-from-corporate-data-gathering/","permanent":true}
]

I made a list of all the old urls, did a search/replace for the Ghost IP urls, and tested each one.

Then I tinkered with themes, tags and other bits until I was ready to switch over.

Moving DNS and setting up SSL through CloudFlare

Now it got tricky. I needed to:

Change CloudFlare DNS to point to the new Ghost IP address.
Change the Ghost URL, and enable SSL.
Purge the CloudFlare cache

Change CloudFlare DNS

Changing CloudFlare DNS was straightforward. Delete the old records. Create new ones. To make the site use the domain name (without www) by default, I created an A record for the domain, and a CNAME for www. Like:

A	@	1.1.1.1	Automatic TTL

CloudFlare DNS setup

CloudFlare DNS setup screenshot

Note the proxy status. I had it enabled, which caused problems and a few extra steps. For anyone else trying this, I would do the next steps with proxy status disabled for the A record (so the icon is gray), then re-enable it once SSL is set up.

Change Ghost URL and enable SSL

Ghost uses LetsEncrypt to setup SSL. LetsEncrypt validates that your server is actually on the DNS domain name before it issues a certificate. Since CloudFlare is in the middle of this, I followed their LetsEncrypt support page to enable the webroot option. Log into the Ghost system using SSH, then run

nano /etc/letsencrypt/cli.ini

At the bottom of the file, add the line

authenticator = webroot

Next I went through the steps to change the Ghost site URL via How do I change my configured site URL? It failed, with the error message from LetsEncrypt of:

✖ Setting up SSL
One or more errors occurred.

1) ProcessError

I tried rerunning “ghost setup nginx ssl”, which did nothing. I tried running the LetsEncrypt command manually, which seemed to complete, but the site still had no SSL.

The fix

First, I disabled the CloudFlare proxy status for the A record (from orange to gray). Then on the Ghost server, I ran the commands below:

[email protected]:/var/www/ghost $ sudo -i -u ghost-mgr
[email protected]:/var/www/ghost $ cd /var/www/ghost
[email protected]:/var/www/ghost $ ghost setup ssl
? Enter your email (For SSL Certificate)
...
✔ Creating ssl config file
...
✔ Setting up SSL

I verified with the netstat command and saw that nginx was finally listening on port 443.

[email protected]:/var/www/ghost $ netstat -n --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State
tcp        0      0 0.0.0.0:80          0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:443         0.0.0.0:*         LISTEN

Opening a web browser, my site loaded using HTTPS. Hurray!

Purging CloudFlare cache and re-enabling proxy status

CloudFlare still had the old site cached, so I went to the Caching tab and clicked the “Purge Everything” button. Then I went back to the DNS tab, and re-enabled the proxy status (turning it orange again). Refreshed the browser.

It works!

Note: Changing anything in CloudFlare DNS takes about 5 minutes to propagate. You have to wait for the DNS time-to-live to expire before trying. Check often using the dig command (Mac OS or Linux). The timeout is the second column, in seconds. Or just wait 5 minutes before trying.

$ dig digitalreplica.org A

;; ANSWER SECTION:
digitalreplica.org.	300	IN	A	104.18.40.96
digitalreplica.org.	300	IN	A	104.18.41.96

Verifying CloudFlare status in the browser

You can verify in the browser whether you’re hitting the site directly, or going through CloudFlare. This varies by browser, but in Firefox, click the lock icon in the URL bar, click the arrow for details. If it says “Verified by: CODOMO CA Limited”, you’re going through CloudFlare. If it says “Verified by: Let’s Encrypt”, you’re hitting the server directly without going through CloudFlare.

Verifying SSL Certificate in Firefox

That’s it. Everything is working after that. I was super happy.

Summary

So far, Ghost appears to be a great blogging platform. Hope this helps others in creating theirs.

LastPass Identities + Browser profiles = Awesomeness

2018-04-08T00:00:00-04:00

Using LastPass Identities with browser profiles (either Chrome People or Firefox profiles) can help keep online identities separate, and possibly safer in the event of a web attack.

It’s a security best practice to keep passwords in a password vault, so passwords can be long and (hopefully) uncrackable. Many of mine are in LastPass for its sheer convenience.

But I like to keep online identities separate, using a different browser profile for each part of my life. Each has a different set of passwords that I’d like to keep up with. For example:

Personal
Professional
Financial
Gaming
Untrusted

Using LastPass Identities, I can. It’s mostly seamless, with a few annoying bits, but awesome anyway. I haven’t found another article describing this, so am throwing it out there to encourage everyone to try something similar.

I’m showing this using Chrome People, cause I tend to use Chrome. But it works with Firefox profiles, or even using different browsers for different identities.

What are Chrome People?

It’s a way to have separate browser profiles, typically so two or more people can share a computer. Each has it’s own set of cookies, history, browser extensions, etc. Chrome browser security isolates these people, so even going to bad or insecure web pages should prevent a computer hack from spreading beyond that person. (Disclaimer: Chrome security is amazingly good, but not perfect.)

Share Chrome with others - Google Chrome Help

What are LastPass Identities?

A way for LastPass to store separate sets of passwords under one account. It’s nice if you want to pay for LastPass once and use it for multiple things.

LastPass - Using Folders for Organization

LastPass with Chrome People

Here are the instructions to use for each person. You can use the Chrome and LastPass links beside each step to get additional details.

Create a new Chrome person / profile. Google Chrome Help
Install LastPass for that person. Download LastPass
Create a LastPass identity. LastPass Identities
Move any passwords over. LastPass Identities
Switch your identity from All to the newly created one. LastPass Identities

Here’s what it looks like after you’re set up. The Chrome person matches the LastPass identity.

LastPass vault using personal identity

Helpful Hints

I’ve made folders in LassPass for each identity, then subfolders for organization. Moving passwords between identities has an awkward interface, and this helps.

Once you’re using an identity, creating a new password automatically goes in that identity (Yay!). If you’re just starting with LastPass, create identities first, then add passwords.

Making one more profile that’s logged into all LastPass identities may be useful to help keep things organized.

The Rough Bits

You’ll have to login to Lastpass once for each person. With mutifactor turned on, trusting the computer, this means once every 30 days.

There’s no way to look at a password in LastPass and tell which identities it’s in. You have to go into each identity and move things around. Grouping the passwords in folders first helps.

FAQs

Can I use Firefox profiles?

I love Firefox profiles, even though it’s rather a pain to use in practice

Use the Profile Manager to create and remove Firefox profiles

What about Firefox Multi-Account Containers

Looks interesting. Cookies are separated into “containers” but other things like addons aren’t. Haven’t tried it with LastPass yet.

Firefox Multi-Account Containers

Links

Crossposted to [LastPass Identities + Browser profiles = Awesomeness

LinkedIn](https://www.linkedin.com/pulse/lastpass-identities-browser-profiles-awesomeness-danny-rappleyea/)

First Pitch Retrospective

2018-02-13T00:00:00-05:00

So having survived my first book pitch, I wanted to share some of what I learned. I pitched to Laura Zats, who was brilliantly brutal, amazing, and I learned so much. Mostly about setting up the pitch, so an agent would have the right mental image when I start talking about the book itself.

Nail the genre and pitch tone

I thought I had it easy with science fiction. But…she wasn’t sure whether my book was hard science fiction, or more of a techno-thriller. And those are pitched in different ways, so the tone of the pitch has to match the genre. Getting genre and pitch tone correct and matching is absolutely critical.

This came up again (and again, and again) later, during a panel, reading first pages to agents. The genres given were vague, or contradictory, or didn’t match how the first page read.

Find better comps

I needed better comparable books. She instantly pulled out a better something to compare to, of a “why didn’t I think of that?” variety. I still want to see if I can tweak that slightly better for next time. More research!

Be receptive

The best thing I did was go to learn how to pitch, more than trying to get the book sold on the the first try. So while the nervousness was there, it helped me be open to what she was saying, and talk about what might make it better.

Take a written copy

I had a copy of my pitch written, and took it with me. I’d practiced from it. Then, at the last minute, I went through and highlighted a few words from each paragraph. That helped SO MUCH. Just enough to keep my mind on track, and make sure I didn’t miss key points. But it also let me adapt on the fly.

It’s all about marketing

I’d heard, but it really hit home how pitching is all about marketing. That’s a hard thing for an introvert, but hopefully something that can be learned and practiced. (And I’m just assuming there’s no introverted marketing people.)

Go try it again

On this side of it, I’m looking forward to taking everything I learned and applying it to my pitch. Then I know at some point, I’ll go try it all again.

Privacy From Corporate Data Gathering

2016-12-05T00:00:00-05:00

Corporate data gathering of consumers private information has exploded over the last few years. The new normal seems to require registration to use any website, device or app. The company almost always wants your name and email, and some require address, phone number and credit card as well. After you provide that information your usage is tracked and data mined for corporate profits. Online privacy is becoming scarce (if not non-existent).

This article offers a practical guide to opt out of this pervasive data gathering by setting up an alternate online identity. Companies get something to track. You get to use their awesome service and you get to preserve at least some of your privacy.

Goal

This guide will show options to set up an alternate online identity, using commonly available and legitimate services. It will specifically cover setting up an alternate

name
email address
phone number
credit card
address

The order in which these are set up will vary a bit depending on the services used. I’ll note dependencies where possible.

Disclaimers

This is US centric since that’s (mostly) what I know.
I am not a lawyer. While I’ve looked at some of the legal aspects of doing this, I will not be giving any legal advice today. If you have questions, please consult legal advice for your jurisdiction.
This may help avoid some US government mass surveillance, but that is not the purpose of this article. Any US agency (or state and local law enforcement) could easily defeat some or all of these techniques.
And there are many other ways to accomplish these same goals. These methods are ones I know from personal or friends’ experiences. Do your own research and find what works for you.

Name

You can make up whatever name you feel like. But if you want help, try the Fake Name Generator. They have lots of options for coming up with something suitable. Copy and paste this name somewhere to save it since it will be the “new you”.

Email Address

There seem to be about a million different email providers. I’ll list a few here for you to review.

I would seriously consider using a non-US provider for email. European privacy laws are far stricter than in the US. This will certainly keep email out of (easy) reach of the US government. Setting up the email address as .ch or .de may also suggest to other companies to treat your data under European and not US procedures (but results will likely vary wildly). The Tutanota and ProtonMail services described below topped every article I reviewed on best email providers for security or privacy.

For more information on European privacy laws, look at The new transatlantic data Privacy Shield. The Privacy Shield agreement between the European Union and US is a new attempt to replace the older “Safe Harbor” agreement which crashed and burned after the Snowden revelations.

Gmail

Everyone knows and loves/hates gmail. But the last time I tried to set up (yet another) gmail account, it required a phone number for verification (and they were quite good at detecting attempts to use free phone number services.) You can wait until you get a different phone number (see below), but the phone online account setup requires an email. Catch-22. Agggh!

Tutanota

Tutanota is a free encrypted email service based in Germany. Their website states (slightly paraphrased):

“The Tutanota servers are located in secure data centers in Germany. All saved data are subject to the strict German privacy protection laws. Independent of that all data is end-to-end encrypted and cannot be read by the provider or by any third party.”

ProtonMail

ProtonMail is a free encrypted email service based in Switzerland. Their website states (slightly paraphrased):

“ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws. All emails are secured automatically with end-to-end encryption”

Phone number

There are quite a few options for no-contract cellular plans. I specifically looked for low cost, pre-paid plans on an “alternative” carrier. Known as MVNO or “Mobile Virtual Network Operator”, these carriers rent space on the larger carriers (AT&T/Sprint/Verizon) networks in bulk, so can give better rates or different types of plans than the big carriers do. Articles on attractive providers include:

For most pre-paid cellular plans, the phone has to be purchased outright. Carriers only support limited types of phones. Some carriers only allow you to buy the phone from them. Others allow any “compatible” phone. This raises the initial cost, but generally leads to a lower monthly cost. If you have an older, unused phone, look for services that will let you use it.

I found two that looked promising: Red Pocket and Page Plus Cellular. In addition to monthly plans, they both offer refillable plans where you can buy a certain number of minutes usable over the course of a year. I tried Page Plus cellular because they have local dealers near me. But there are certainly other options out there, so don’t limit your options to just these two.

The store was tucked away in a strip mall. They offered phones and plans from several carriers. They had maybe a dozen types of phones for the Page Plus service. Maybe one looked new. The rest appeared to be used phones. After fending off the $400 phones, I settled on a used, cheap (but probably overpriced) iPhone 4. It is well out of Apple support, so I can’t upgrade to the latest IOS. That absolutely will make the phone less secure. But for basic phone calls and text messages, it’s still decent. Store selection will be random, so others may have better or worse luck.

They couldn’t directly activate the phone under the Page Plus “Pay-as-you-go” plan. I had to activate it under a monthly plan. When the month runs out, I can contact Page Plus and switch to the Pay-as-you-go plan. Then I can buy their $80 card, good for 1000 minutes and lasts up to a year. Phone calls, texts and cellular data all deduct from the balance. It doesn’t give a lot of usage, but I doubt even that much is really needed.

They asked for a name to activate the phone under. I paid in cash. It took about 10 minutes to activate the phone and have it ready to go.

The very first thing I did was charge the phone a bit and do a “Erase All Content and Settings”. See the Apple article on What to do before selling or giving away your iPhone, iPad, or iPod touch. After going through the Welcome screens, the phone successfully re-registered itself on the cellular network. If you are using a non-Apple phone, you’ll still want to erase all content and settings. Google the phone name/model/manufacturer to find instructions for the particular phone you ended up with.

The online options will likely provide more selection of phones at a cheaper price. I’m guessing a shipping address, credit card, and possibly email address will be needed to make a purchase.

Address

Consider a mailbox from The UPS Store. This gives you a mailbox for mail and packages. It has a street address, so no package delivery issues like PO boxes have. I have been told I can add additional names for delivery, and mail and packaged are delivered to the address, not the name. So getting stuff for my alternate identity should not be an issue.

You must use your real name and address and give two forms of ID to set up the box. This is because the US Postal Service requires PS Form 1583, Application for Delivery of Mail Through Agent in order for The UPS Store to receive mail on your behalf.

Alternate Names for the mail system

For mail, the use of alternate names seems to be a gray area at best. In general, the postal service seems to deliver mail to addresses, not people. But searching the issue, some people (particularly PO boxes) have mail denied unless it is specifically for them.

The most authoritative source I’ve found is USPS guidelines for addressing which states the addressee must be “Addressee name or other identifier and/or firm name where applicable”.

I researched if this would be mail fraud. But the court system test is a person using the mail system to steal money/property/etc from other people. So definitely don’t do that (or apparently try to mail lottery tickets)!

Credit Card

Credit cards are a little more difficult, since the US government really likes to keep track of money going places. But there are still many options. I discuss two options: one more anonymous, and the other with your alternate name on the card.

Anonymous gift cards

Visa gift cards make getting anonymous credit cards absurdly easy to get. They are sold about everywhere, but drug stores seem to always have the best selection. They have a giant rack filled with restaurant, iTunes, Amazon and every other imaginable gift card.

For this article, I picked up a plain (i.e. ‘Vanilla’) Visa gift card. You can select the amount on the card at the time of purchase, anywhere from $20-$500. There is a one-time $5.95 activation fee, so a higher-value card is better than several low-value ones. I took it to the checkout, paid cash and walked out.

To use the card to make online purchases, most gift cards allow setting the shipping zip code. For mine, I used the website on the card to “log in” using the card number, expiration and CVV code. There was a tab on the page for “Assign ZIP Code”. Set. Go.

Reloadable cards

Reloadable cards may give lower fees and more personalization. But many of them require ID checks to comply with US money laundering laws. I wanted one that was low cost and allowed name personalization. The types of reloadable cards I looked for were ones that parents get for their teenage children. Some good articles to look at include:

I tried the American Express Serve card. At $1/month, it was the lowest cost option that I found. Setting it up required giving over all of my real information to make the US government happy. This sets up the “master” account that you load money into.

With the master account, “subaccounts” can be set up. From the American Express website, these are “Perfect for paying allowance or the babysitter. Each one comes with its own Serve Prepaid Card”. They require a name, phone number, email address and password, but no other verification. Best of all, the subaccount name is embossed on the card. Other than a small “prepaid” logo on the back, it looks like any other credit card.

The master account can then transfer money to/from subaccounts.

Final words

I hope this will be useful for people. Please use comments to ask questions, or provide information on other useful services.

Purism Librem 13 Laptop Review

2016-06-15T00:00:00-04:00

As a security and privacy advocate wanting a new laptop, much time and research was needed to settle on what I wanted. I bought a Purism Librem 13 running Qubes OS. While this is definitely not the setup for everyone, it is worth considering if you’re worried about privacy and have any kind of Linux experience.

So this is a review of the Librem 13 running Qubes with a bundle of setup notes and impressions.

For those not familiar with Qubes, it is the only operating system that is modern, secure and usable. By secure, I mean a machine I trust to log into my financial sites (bank, credit card, etc) and also browse untrusted websites (which given recent website hacks is pretty much everything).

Goals

Store my files and access my stuff securely.
Survive untrusted networks.
Be super portable so I can carry it more places.

Ordering

I ordered at the absolutely worst time, right in the middle of Chinese New Year. I think the lead time was about 2 months. It showed up at random in 4-5 weeks. Not instant gratification, but was happy with the ordering process.

Taking it apart and upgrading things

The upgrade options while buying the Librem 13 are expensive. Better, cheaper options are available at Newegg or Amazon. I would recommend getting the base model with the hardware kill switches, then upgrading as needed.

Taking it apart

The bottom is attached with 12 small phillips head screws, arranged in three rows of four. The two center screws are the longest. The lower right corner (assuming the keyboard is closest to you) is slightly longer.

Upgrading

Ram

Note there is only one RAM slot. I assumed and bought an upgrade that had two memory modules. Oops, had to return and reorder. Past that, is easy to upgrade to 16GB of RAM. I went with a Crucial 16GB Single DDR3L 1600 Sodimm.

Hard Drive

I went with the cheapest hard drive, planning to replace it with an M2 SSD drive. This still turned out cheaper than ordering it with an M2 drive. You can replace the drive with either a 2.5mm SSD or an M2 SSD.

The stock hard drive is a Seagate 500GB Thin drive. This is a 2.5”, 7mm drive, so be careful that replacement hard drives are that height. Removing it meant I had to untape and disconnect a small ribbon cable to get to the screws. That was fairly simple, but I was still careful with the cable. Once the hard drive is removed, the bracket can’t go back in, so a baggie for storage is needed. Putting the M2 drive was easy, except there’s no screw provided. I had to steal one of the hard drive screws.

I later added another 2.5mm SATA SSD to get even more storage. So main OS on the M2 drive and extra storage on the SATA drive. The setup is super quiet, fast and minimal battery drain.

Power

I already had an Anker 20000mAh battery pack, big enough to power a laptop. All I needed was a cable, so got a 2.5 x 5.5mm Male-to-Male Plug An extra power adapter is also helpful. I ordered the Toshiba 19V 4.74A 90W Replacement AC Adapter. Works great.

Qubes on the Librem 13

I set up the preloaded Qubes just long enough to test the hardware. My essential tests worked: it connected to the wireless network and sleep worked. Awesome. That’s when I replaced the hard drive with the M2 SSD and installed a new Qubes from USB.

Installing Qubes was quick and easy. Everything just worked. I restored VM’s from a different machine. I was up and running in 2-3 hours. It would have been faster if I had stayed with the preloaded Qubes.

Observations using it:

All of the special keys work. This includes brightness, sound, changing monitor configuration, sleep, etc.
Unplugging and re-plugging external monitors just works. After adjusting the configuration (external monitor only, or both internal/external), the system remembers the settings. Windows resize nicely. The only slightly quirky part is a large windows on an external monitor. When you disconnect, it shrinks to fit the internal display. When reconnecting the external monitor, it’s maximized on it (when it wasn’t originally). That’s mostly not a big deal.
The HDMI port does support a 4K monitor at full resolution at 30Hz. Nice.
I have no hard numbers for battery life. With my setup, it seems I can get about 4 hours on battery doing whatever I want with wifi on and screen dimmed a bit.

What I Like

Hardware Switches

Love them. I verified that when turning the switch off, the device is removed from the Linux kernel. I mostly keep wireless on and camera off. But it’s nice to know that I can switch around as needed.

Open Hardware

All hardware has support built into the Linux kernel. It just works. Awesome!

Overall Design

It’s small, light. Seems solid and well-made. No issues after throwing it in my bag every day for a while.

What I Dislike

Trackpad

The default Qubes driver for it sucks badly. You get the basics like moving, clicking, right-clicking. No other multi-touch gestures work. What’s worse is typing. When I’m in a typing groove, some part of my hand hits the trackpad. The cursor jumps all over the place, focus switches to other windows or spaces. It’s so bad, I generally use the hotkey to disable the trackpad (yay that you can!) and use a usb mouse. I read that a better driver is in the works. I can’t wait.

What I really wish were different

Ram

For Qubes, 16GB of ram is the minimum I would consider. I wish the Librem 13 would support 32GB (or more!) I can keep all of my common VMs and some other VM’s open. But not everything, so at times I have to close a few to open a few more. It mostly works, but sometimes annoying. PLEASE MORE RAM!

External Video Connector

The video connector is HDMI. It will drive a 4K monitor at 30Hz. I slightly wish for a DisplayPort, just to get 4K at a full 60Hz.

Extra Screw for M2 Drive

Please include one extra screw for the M2 slot.

Closing Thoughts

Would I recommend it? Absolutely. A 32GB version would be pretty close to perfect for a Qubes setup, but this one does very nicely.

OpenLDAP for LDAP Plain Text Password Capture

2015-10-22T00:00:00-04:00

I recently tested an application using LDAP to connect to Active Directory to perform queries. The app had valid AD credentials and I wanted to steal them. I couldn’t grab the credentials directly, but I could change some of the app configuration, including the IP address of the LDAP server to connect to. That led to “Let’s set up a malicious LDAP server to capture credentials!”

There is no metasploit capture ldap module :-( and I didn’t have the time to write one. OpenLDAP does support unencrypted, plaintext authentication, but the instructions for setting that up are non-existent. So I documented as I went to make this post.

All testing was done using Kali Linux, so it’s easy to add to a pentest setup.

Usage

In researching this, I found client LDAP devices to be more common than I thought. One example is printers querying user information from Active Directory. Printers aren’t very secure, mostly have default creds to get into them, and they might have an AD username and password. LDAP server IP is usually easy to change. And printers are generally stupid enough to do things like plaintext auth. A few minutes of work for a valid login? One that probably has access to a file share with lots of sensitive documents. Score!

Rant about OpenLDAP configuration madness

(skip if desired)

I’m sure there’s a reason why OpenLDAP changed from a normal readable configuration file to using ldap queries to update a semi-database-like structure. But from a noob perspective, configuration settings make absolutely no sense. The documentation is lacking and there’s no examples of common configurations. Instead, you left to wade through pages of Google results, all of which are exactly not what you’re trying to do or use the old .conf system.

What I’m trying to do is not in the OpenLDAP administration guide. I finally found the options I needed through forums and digging into the man pages. Authentication options in particular are poorly documented and confusing. I basically had to try all of them (and combinations of them) to get this working. Trying to actually secure the settings will be equally as difficult.

Authentication

There are three different authentication methods that can be configured.

Anonymous: no auth needed
Simple: plaintext username and password
SASL: a pluggable authentication system supporting many other
methods, including a PLAIN method of plaintext username and
password.

I have simple auth working here, and pretty sure I have SASL PLAIN
working. (I can’t actually authenticate with SASL PLAIN, but it
negotiates the method with the client and I can capture the creds). Good
enough.

Installation

The best guide for basic installation that I’ve found is Install and
Configure an OpenLDAP Server with SSL on Debian Wheezy. For more configuration than I have here (like SSL/TLS), look at that one. Here’s the essentials.

apt-get install slapd ldap-utils
dpkg-reconfigure -p low slapd

Omit OpenLDAP server configuration? No
DNS domain name: {target AD domain name}
Organization name: {target AD domain name}
Administrator password: {password} (Doesn’t matter, it won’t be used)
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? Yes (Support for less secure protocols…oh yeah!)

If you do the dpkg-reconfigure more than once, you may have to do:

rm -rf /var/backups/unknown-2.4.31-2+deb7u1.ldapdb

Start the service

service slapd start

OpenLDAP by default is non-SSL on port 389. Yay, no encryption to worry about.

Testing what authentication methods are allowed

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

Example

# ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM

By default, DIGEST-MD5, CRAM-MD5 and NTLM methods are supported. Let’s remove those and add in PLAIN.

Reconfiguring using ldapmodify

The “proper” way to configure is to save the changes you want to make into an LDIF-formatted file (whatever that is), and use the ldapmodify command to commit those changes into the actual configuration.

# cat >olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

Here is the ldapmodify command. This uses the internal (loopback-like) ldapi:// interface, which can have different authentication (ala no auth) than the external ldap:// interface.

ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif

Example output from same.

# ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Restart slapd

# service slapd restart
[ ok ] Stopping OpenLDAP: slapd.
[ ok ] Starting OpenLDAP: slapd.

See what authentication is supported now.

# ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

Manual configuration

The main configuration file is /etc/ldap/slapd.d/cn=config.ldif. It says it shouldn’t be manually edited. I did and it worked fine.

Testing Simple Authentication

The ldapsearch command is good for testing authentication. My test domain was evil.ninja (wish I had actually bought that one!). Change it to whatever you configure. And change the host and the password too, unless your password is also “foo”.

# ldapsearch -h 10.0.2.5 -p 389 -D "cn=admin,dc=evil,dc=ninja" -w foo -b '' -s base -LLL
dn:
objectClass: top
objectClass: OpenLDAProotDSE

Testing SASL PLAIN Authentication

Done from a different system. The auth failed, but the credentials were captured in wireshark.

$ ldapsearch -h 10.0.2.5 -p 389 -U "cn=admin,dc=evil,dc=ninja" -I -Y PLAIN -O none -LLL -b '' -s base
SASL/PLAIN authentication started
SASL Interaction
Please enter your authorization name: admin
Default: cn=admin,dc=evil,dc=ninja
Please enter your authentication name: admin
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-13): user not found: Password verification failed

Capturing plaintext credentials

At the end of this, my app didn’t support plain text authentication (good for them!) But for those that do, capturing is just opening wireshark on 389/tcp. In the wireshark Capture Options, disable promiscuous mode and set a capture filter of tcp port 389. (See image below, except actually uncheck promiscuous mode.)

wireshark capture options

Once you capture an authentication in wireshark, it looks like this. This is the simple authentication type. The password is “foo”.

wireshark capturing LDAP auth-simple authentication

Here’s the same same user authenticating with SASL-PLAIN auth.

wireshark capturing LDAP auth-sasl-plain authentication

Capturing DIGEST-MD5 credentials

If plaintext credentials don’t work, DIGEST-MD5 credentials can be tried. It looks like this is a MD5 of the password with a server-side nonce (salt) added and a client-side nonce (salt) added. With a good GPU, stupid or short passwords (ala 8 characters or less) should be crackable. The default configuration supports this method, and it appears to be the first method tried. If needed, do a dpkg-reconfigure -p low slapd to get settings back to defaults.

Capturing NTLM credentials

I found no way to configure OpenLDAP to support just NTLM authentication, but I have a dirty workaround that works. I didn’t have any way to test this one to see what the wireshark capture looks like.

This uses the same default configuration as DIGEST-MD5, but deletes the libraries for the methods not wanted.

mv /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so .
mv /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so .
service slapd restart

References

Using the Pocket Internet Privacy Shield

2014-10-19T00:00:00-04:00

In my previous post, I described how to install a Pocket Internet Privacy Shield. It uses a cheap TP-Link pocket router, OpenWRT and a privacy VPN to protect your privacy on untrusted networks like hotels and coffee shops.

I had no idea the post would be as long as it was. I didn’t want people to have to scroll to the bottom just to read how to use the thing. So here’s the post on how to use the thing.

About the Device

Here’s the basics of the device. It has:

A LAN/WAN wired network jack that can be connected to an untrusted wired network
A LAN wired network jack that you can plug your computer into
An untrusted wireless network that can be connected to untrusted wireless networks, like a hotel or coffee shop
A trusted internal wireless network that you can connect your devices to securely
A LED that blinks in different patterns to show the state of the device
A tiny reset button re-purposed to connect and disconnect the VPN

So you can use any combination of wired or wireless networking on both the untrusted network and your internal trusted networks. So you’ll have to pick out the scenario you’d like to use.

Conventions

During the install, look for this type of formatting in text.

Italics: Something you look for on the screen or device

Bold: Something you type, click or select

Using an Untrusted Wired Network

This is the easiest to use and is preferred when it’s available.

Connect the untrusted wired network into the LAN/WAN network jack
Connect your device to either:
- The LAN network jack for a wired connection
- The internal wireless network set up during the install
Plug the device into a power outlet
The device should blink while it’s loading, then go into its’ slow
blink mode, once every 5 seconds or so.

At this point, you are protected by the firewall but your communications aren’t private yet. Go down to the Connect to the VPN section. If you know that you don’t have to deal with a captive portal, you can connect to the vpn before you connect your devices for a bit more privacy.

Using an Untrusted Wireless Network

You’re using the device to connect to the untrusted wireless network, so your devices don’t have to. This requires going into the device’s management webpage.

If you’ve connected to this untrusted wireless before, the device will remember the settings and automatically connect again. You can skip these instructions and just connect your laptop or other devices.

If you’re connecting your laptop or other device to the wired
connection, plug the cable into the LAN network jack.
Plug the device into a power outlet
The device should blink while it’s loading, then go into its’ slow
blink mode, once every 5 seconds or so
If you’re connecting your laptop or other device to the wireless
network, go ahead and connect
Open a browser and navigate to http://192.168.1.1/
From the web management menu , select Network -> Wifi
Beside Generic MAC80211 802.11bgn (radio0), click the Scan button
Find the network you want to connect to and click the Join Network button
- UNCHECK the Replace wireless configuration box
- Enter a password if needed to connect
- Make sure the Name of the new network is wwan
- Make sure the Create / Assign firewall-zone is wan
- Click the Submit button
- In the next Wireless Network page, click the Save & Apply button

Wireless overview page

Selecting wireless network

Join network: settings page

Wireless configuration settings

At this point, you are protected by the firewall but your communications aren’t private yet. Go down to the Connect to the VPN section.

Connect to the VPN

By default, the vpn does not start automatically, so you’re communications aren’t private. Hotels typically use a captive portal that you have to browse to in your web browser so you can login and/or agree to whatever lousy policies they have. Only then do you get full Internet access.

At this point, the device should be doing a slow blink, once every 5 seconds or so.

Open a web browser and see you need to click through a captive
portal. Make sure basic Internet works (it redirects you to some new
page, etc).
Find a paperclip
Find the Reset button. It’s between the LAN/WAN port and the USB port
Push the Reset button (for less than a second). You should hear/feel it click.
After a couple of seconds, the LED should start a fast blink cycle (about once a second)
To test, open an web browser and go to a geolocation website like
http://www.iplocation.net/ . It should show a location different
than the one you’re at.

At this point you are protected by the firewall and all communications are encrypted by the VPN. People on the untrusted network should not be able to see where you’re going or what you’re doing.

Disconnecting from the VPN

If you need to disconnect from the VPN, it’s pretty simple.

Find a paperclip
Find the Reset button. It’s between the LAN/WAN port and the USB port
Push the Reset button for about 3 seconds. You should hear/feel it click.
The LED should immediately go into slow blink mode, about once every 5 seconds

At this point, you are protected by the firewall but your communications aren’t private.

Turning the Device Off

Unplug it. Enough said.

Resetting the Device

If you want to reset the device in a nicer way than unplugging it, here
how.

Find a paperclip
Find the Reset button. It’s between the LAN/WAN port and the USB port
Push the Reset button for between 10 and 20 seconds. You should hear/feel it click.
The device should start blinking as it’s loading, then go into the slow blink mode.

Wiping the Device

If you every need to erase all your settings (before selling or getting rid of the device), this will wipe all configuration and reset the device back to a default OpenWRT install.

Find a paperclip
Find the Reset button. It’s between the LAN/WAN port and the USB port
Push the Reset button for longer than 20 seconds. You should hear/feel it click.
The LED start blinking as it’s loading

At this point, the device is not configured in any way.

Pocket Internet Privacy Shield

2014-10-10T00:00:00-04:00

When I travel, the thought of using the Internet in hotels and such leaves me feeling gross and paranoid that someone can see what I’m doing. As a penetration tester who hacks people this way, and seeing how awful some hotel Internet setups are, I feel pretty justified in my paranoia.

So I wanted to make a hardware-based device that was cheap, easy to use and effective at protecting my privacy in not-quite-trustworthy networks. Here’s what I made with step-by-step instructions on making your own.

Goals

Allow my computers and devices to use untrusted network in a safe way. (Or at least safer than the alternatives)
Block all incoming connections (a hardware firewall)
Encrypt all traffic so people on the untrusted network can’t intercept it. This includes DNS traffic, which is sometimes tricky to deal with
Be able to handle stupid hotel captive portals
Based on cheap hardware
Be easy to use

You can do this sort of thing directly on your laptop and some devices. But if you have several, it gets to be a pain to deal with.

The Solution

Hardware

I purchased a TP-Link “Mini Pocket Router”. It’s roughly 3 inches square and an inch thick, so small enough to fit it a bag. It’s also very easy to re-purpose for other things like this. It has:

Two wired network jacks for an internal and external network
A wireless chip that can do simultaneous access point mode (so your devices can connect to it) and client mode (so it can connect to the crappy hotel wireless)

Cost: currently $26 at Amazon.
The exact model is a TP-Link TL-WR710N mini pocket router.

Software

The device can do some of the things out of the box. But I don’t trust the software to be that secure, and want it to do more anyway. So instead, we’re using OpenWrt. It is a popular Linux distribution for embedded devices and used as the basis for many home routers.

Cost: free

VPN

A useful tool for online privacy is a paid VPN (virtual private network) service geared towards privacy. The better ones support open standards, can’t tie traffic from a given IP address back to a specific user, don’t keep logs of your traffic and make some statement of how they will deal with law enforcement requests. A good link to start with is:

http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/

I picked one with a good rep, and that supported OpenVPN, a popular open-source VPN software package.

Cost: typically $50-$100 per year

How to Survive this Install

Beer or wine certainly helps. The only scary part is replacing the software with OpenWrt. Once that’s done, if you mess up, it’s easy to reset the device and start over. There are some tricky bits to edit configuration files and copy them to the device, but otherwise everything else is done using a web browser

Assumptions

This can be done several different ways. But this install tries to do the easiest thing that anyone can follow. So I’m assuming:

You’ve purchased a TP-Link TL-WR710N and found a VPN provider that supports OpenVPN
Your computer is (or can be) using a wired network connection and it’s working correctly
Your computer gets its IP address through DHCP, which is default on most systems
You have a working Internet connection and web browser
You have (or can install) a couple of programs that can do SSH and SCP (more on that in a sec)
You have a paperclip or something similar. This is quite important.

For Windows systems, there’s nothing by default that supports SCP (for transferring files) or SSH (for logging in at a command line). The best and easiest are below. You will definitely need WinSCP, but only need PuTTY to troubleshoot if things don’t work correctly the first time.

PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/

WinSCP: http://winscp.net/eng/index.php

Linux and Mac have tools like this built in. So if you have those, I’m assuming you can follow along or Google equivalents.

Conventions

During the install, look for this type of formatting in text.

Italics: Something you look for on the screen or device

Bold: Something you type, click or select

Now to Actually Install Something

##3 Download OpenWrt

Download OpenWrt BarrierBreaker 14.07 from downloads.openwrt.org. You may also want to look for a newer version. If so, the device is an ar71xx-generic-tl-wr710n and you want the file with squashfs.factory.bin in it.

Connect to the TP-Link Device

Connect network cables to the TP-Link device and plug it in

Take the network cable from your computer and plug it into the LAN/WAN port
Plug another network cable from your computer to the LAN port
Plug in the device
The light will blink a couple of times and turn solid green

At this point, the device (and your network) are completely unsecure. Now is not the time to go out for a few hours or go to bed. So connect to the management webpage at the link http://tplinklogin.net .

Login with a username and password of admin. It will ask you to start the Quick Setup process. You don’t care, because it’s about to get blown away. Click the Exit button.

Install OpenWrt

In the management webpage, open the System Tools menu from the left sidebar
Select Firmware Upgrade from the menu
Click the Choose File button
Select the openwrt-ar71xx-generic-tl-wr710n-v1-squashfs-factory.bin file downloaded earlier
Click the Upgrade button
The page will say “Are you sure to upgrade the firmware?” Click OK
- The file uploads in a couple of seconds
- The Processing screen shows a progress bar
- The Software Upgraded Successfully! Restarting screen shows a progress bar
- When that screen shows Completed! in red, the upgrade is complete

Logging into the TP-Link Device

Choose firmware upgrade file

Firmware upgrade file chosen

Are you sure to upgrade the firmware

Firmware upgrading

Restarting system

Software upgraded successfully

Initial Configuration of OpenWRT

Your computer should have detected the device rebooting and reconnected to the network. Make sure you can still browse to the Internet. Once that’s working, you can start configuring.

Open a browser and navigate to http://192.168.1.1/
Click the Login button. This logs you in with the default root user with no password
Once the Status page loads, there is a message at the top saying “No password set!”. Click the Go to password configuration link below it
On the Router Password page, set a secure and memorable password. Click the Save & Apply button at the bottom of the page
On the same page in the SSH Access section, set the interface to LAN. Click the Save & Apply button

Log into openwrt

No password set

Set router password

Set ssh to lan only

Make It Blink

There’s only one LED to show any kind of status. We’re going to make it do a slow blink by default. Then when the VPN is connected, it will automatically change to a fast blink so you know the VPN is up.

From the web management menu, select System -> LED Configuration
Click the Add button

Option Name	Setting
Name	slowblink
LED Name	tp-link:blue:system
Default state	checked
Trigger	timer
On-State Delay	500
Off-State Delay	5000

Click the Save & Apply button

The LED should start blinking on and off roughly every 5 seconds.

LED configuration screen

LED configuration settings

Untrusted Internet Wireless Network

Any existing wireless network can be used to complete this section. It’s better to not use an untrusted one yet.

From the web management menu , select Network -> Wifi
Beside Generic MAC80211 802.11bgn (radio0), click the Scan button
Find the network you want to connect to and click the Join Network button
- UNCHECK the Replace wireless configuration box
- Enter a password if needed to connect
- Make sure the Name of the new network is wwan
- Make sure the Create / Assign firewall-zone is wan
- Click the Submit button
- In the next Wireless Network page, click the Save & Apply button

Network Wifi page

Join wireless screen

Join Network Settings

Wireless network settings

Internal Wireless Network

This is the secure wireless network that your devices can connect to. It should be encrypted with a good password.

From the menu, select Network -> Wifi
Click the Edit button beside the OpenWrt network
Change the wireless name (ESSID)

The wireless network name should be memorable, but without a way to tie it back to you. One good place to generate nonsense words is http://www.soybomb.com/tricks/words/

Make sure the mode is set to Access Point
Make sure the network is set to LAN
Click the Wireless Security tab
- Change Encryption to WPA2-PSK
- Change Cipher to Force CCMP (AES)
- Set the Key to the password you want to use
Click the Save & Apply button

Wireless general setup

Wireless security setup

Disable the Untrusted Wireless Network

Until we do the initial test, disable the untrusted wireless network

From the web management menu, select Network -> Wifi
Find your untrusted wireless network and click the Disable
button beside it

Firewall Configuration

From the web management menu , select Network -> Firewall
In the General Settings section
- Change Input to drop
- Change Forward to drop
In the Zones section for the wan zone
- Change Input to drop
- Change Forward to drop
Click the Save & Apply button
Select the Traffic Rules tab
Uncheck the Enable checkbox beside these Traffic Rules
- Allow-DHCPv6
- Allow-ICMPv6-Input
- Allow-ICMPv6-Forward
Click the Save & Apply button

Firewall zone settings

Firewall traffic rules

End of Act I

At this point, the device makes a nice hardware firewall. All traffic is allowed out but no traffic is allowed in. It’s completely usable at this point.

Now for OpenVPN

Add the interface for the VPN

From the web management menu, select Network -> Interfaces
Click the Add new interface button
- Name of the new interface: VPN
- Protocol of the new interface: select Unmanaged
- In Cover the following interface, select Custom Interface and enter tun0 into the box beside it.
- Click the Submit button
In the next “Interfaces - VPN” page
- Select the Firewall Settings tab
- Make sure unspecified or create is selected. Enter vpn in the box beside it
- Click the Save & Apply button
From the web management menu, select Network -> Firewall
Click the Edit button beside the vpn zone
In the Firewall - Zone Settings - Zone “vpn” page
- Enable Masquerading
- Enable MSS clamping
- In the _Inter-Zone Forwardin_g section
  - Allow forward to destination zones: select wan
  - Allow forward from source zones: select lan
- Click the Save & Apply button

Interfaces screen

Interface for vpn

Firewall zone settings

Installing OpenVPN

From the menu, select System -> Software
Click the Update lists button to refresh the list of available packages
In Download and install package enter openvpn-openssl and click OK

This may take a couple of minutes and could possibly give an error as it’s refreshing status. You may have to select System -> Software a couple more times until openvpn-openssl appears in the list of Installed packages

Installing openvpn package

Getting VPN Provider Configuration Files

This is where things may change, depending on your OpenVPN provider. Mine has a zip file with all of the configuration files needed to connect. Out of those, the certificate files ca.crt, client.crt, client.key and ta.key will need to be copied to the device in a moment.

Also in the file is a vpn.conf file with configuration options. In that file is the server name and port needed to configure the device.

Download the configuration file(s) from your VPN file and see if they contain the same files.

Getting My OpenVPN Configuration Files

To reduce some of the command line configuration, I’ve made a set of configuration files to get through this last bit. Download the file.

Extract openvpn_files_for_openwrt.zip
Edit the openvpn_files_for_openwrt\etc\openvpn\myvpn.pass file
- Put your vpn username on the first line
- Put your vpn password on the second line
- Save the file
Edit the openvpn_files_for_openwrt\etc\config\openvpn file. You may have to select Notepad if you double-click, or open Notepad and then open the file.
- On the last line with option remote ‘my.openvpn.server 1194’,
  replace my.openvpn.server with the server name or IP of your
  VPN server. Replace 1194 with your vpn port
- Save the file
Look through the rest of the files. They should be short and simple enough that they make sense and you can make sure they don’t have any hidden backdoors.

Copying Files to the Device

Next is copying the configuration files to the device. For people not familiar with Linux systems, SSH and SCP are ways to log in and copy files. Windows doesn’t have this by default, but Putty and WinSCP are great tools to use on Windows systems. We’re going to use WinSCP to copy the files over.

Also as a note, Windows displays folder paths as etc\config\openvpn. Linux displays them as etc/config/openvpn. We won’t restart the war over which one is better.

Open WinSCP. It should bring up a login screen
- Change the File protocol to SCP
- In Host name, enter 192.168.1.1
- In Username, enter root
- In Password, enter the password you set
- Click the Login button
The first time you connect to a system, it will give an unknown server warning. Click the Yes button

On the left half of the screen is your computer. On the right is the device. Each side shows the current folder for that system. You can drag and drop files from one to the other to copy them back and forth. In the toolbar on each side are buttons to navigate directories, go up one folder, etc. The Up button (with the hint Parent Directory) is the most useful here.

On the right side navigate to /etc/openvpn
- Use the dropdown or the up button to go up to the / (root) directory
- Double-click the etc folder
- Double-click the openvpn folder
On the left side, navigate to where you have your VPN Provider configuration files
Drag the ca.crt, client.crt, client.key and ta.key files to the right side to copy them
In the Upload dialog box, click OK
Copy your OpenVPN configuration files
- On the left side, navigate to where you have your OpenVPN configuration files
- On the left side, go into the etc\openvpn folder
- Copy the blink_led_fast.sh, blink_led_slow.sh, myvpn.pass, vpn.down and vpn.up files to the right side (in /etc/openvpn)
- Change Permissions
  - On the right side, select all the files and click the Properties button
  - In Octal, enter 0600. The permissions checkboxes should automatically change
  - Click OK.
  - On the right side, select the blink_led_fast.sh, blink_led_slow.sh, vpn.down and vpn.up files and click the Properties button
  - In Octal, enter 0700.
  - Click OK
- On both the left and right sides, navigate up one level (to etc) and open the config folder
- Copy the openvpn file to the right side (in /etc/config)
  - On the Overwrite File dialog screen, click the Yes button
- On both the left and right sides, navigate up one level (to etc) and open the rc.button folder
- Copy the reset file to the right side (in /etc/rc.button)
  - On the Overwrite File dialog screen, click the Yes button
Close WinSCP

WinSCP site

Accept server key

Navigate to files

Drag files to upload

Old permissions

New permissions

Reset the device

From the web management menu, select System -> Reboot
Click the Perform reboot link
The device LED will blink while it’s loading, then go into a very slow blink cycle (once every 5 seconds)

Reboot device

Push the Button

Now we get to test and see if it all works. The page that shows how to use the device is here, but we’ll go through the basics and make sure it works.

Find a paperclip
Find the Reset button. It’s between the LAN/WAN port and the USB port
Push the Reset button (for less than a second). You should hear/feel it click.
After a couple of seconds, the LED should start a fast blink cycle
To test, open an web browser and go to a geolocation website like http://www.iplocation.net/ . It should show a location different than yours.

That’s it. You’re done.

Troubleshooting

Hate to say it, but sometimes things go wrong. Here’s some general steps to start troubleshooting any issues.

If nothing happens when you press the button, check all of the
configuration files uploaded to the device and the permissions in
/etc/openvpn. These are the files that start the vpn when you press
the button and control the LED
For everything else, compare the web interface to the instructions
and make sure you didn’t miss a step.
It’s also entirely possible that I missed a step. Post a comment
here and I’ll take a look and comment/update as needed.

Hardcore Troubleshooting on the Command Line

When all else fails, time to break out some command line foo. For Windows system, this requires a SSH tool like Putty to be installed.

Run Putty. The PuTTY Configuration dialog should appear
In Host Name, enter 192.168.1.1
Click the Open button. The main window should open
For login as: enter root
For password:, enter the password you set
Type in the command
- /etc/init.d/openvpn start
See if the LEDs start the fast blink. If not, enter this command to stop the vpn
- /etc/init.d/openvpn stop
Enter this command below to start watching the VPN log
- tail -f /tmp/openvpn.log
Now press the Reset button to start the VPN. If nothing happens,
the /etc/rc.button/reset configuration may not be correct. If text
starts scrolling by, look for cannot connect to server or invalid
username/password type messages which may indicate that the VPN
provider configuration files or the /etc/openvpn/myvpn.pass file
may not be correct. You can fix these on your systems and use WinSCP
to re-upload the files

Putty configuration

Openwrt command line

DigitalReplica

AWS Multi-Account SSO Setup Guide

Why?

Design

Let’s start

Management account

AWS Organizations

AWS Single Sign-On

Sign in with normal user account

Adding a new AWS account

Finale

Can gunshot detection technology contain gun violence?

A high school girl can do it

The Dream

But it’s more complicated than that

What does it connect to?

False alarms

Certification and maintenance

Why don’t we have these already?

Privacy considerations

On my iPhone too?

So I asked

What can you do?

Conclusion

Solving CloudFlare and Let’s Encrypt Issues on a new Ghost Blog

The starting point

Setup

Migrating data

Redirecting URLs

Moving DNS and setting up SSL through CloudFlare

Change CloudFlare DNS

Change Ghost URL and enable SSL

The fix

Purging CloudFlare cache and re-enabling proxy status

Verifying CloudFlare status in the browser

Summary

LastPass Identities + Browser profiles = Awesomeness

What are Chrome People?

What are LastPass Identities?

LastPass with Chrome People

Helpful Hints

The Rough Bits

FAQs

Can I use Firefox profiles?

What about Firefox Multi-Account Containers

Links

First Pitch Retrospective

Nail the genre and pitch tone

Find better comps

Be receptive

Take a written copy

It’s all about marketing

Go try it again

Privacy From Corporate Data Gathering

Goal

Disclaimers

Name

Email Address

Gmail

Tutanota

ProtonMail

Phone number

Address

Alternate Names for the mail system

Credit Card

Anonymous gift cards

Reloadable cards

Final words

Purism Librem 13 Laptop Review

Goals

Ordering

Taking it apart and upgrading things

Taking it apart

Upgrading

Ram

Hard Drive

Power

Qubes on the Librem 13

Observations using it:

What I Like