Eubolist's Blog

about IT, Linux, the web and much more

Archive for the ‘Security’ Category

Spirit – the jailbreak for the iPad

leave a comment »

Today the Dev-Team has released their latest stroke of genius: Spirit is the name of the latest untethered jailbreak for iPad, iPhone and iPod Touch. Before you jailbreak your device you should take two steps:

  1. Save the SHSH blob of your device. To do so you either have to download the necessary tool for Windows or Mac or edit your hosts file (/etc/hosts) to point “gs.apple.com” to “74.208.10.249” (Saurik’s server)
  2. Perform a full backup with iTunes! Especially if you’re trying to jailbreak your iPad – the whole procedure as well as Cydia on iPad is still considered beta.

Then go to http://spiritjb.com/ and download the jailbreak application for Mac or Windows. The jailbreak itself is as easy as one single click.

Written by eubolist

2010/05/03 at 15:46

Howto: Ubuntu Lucid Lynx Beta 1 Encrypt System Partition using Live CD

with 5 comments

In case the alternate installation doesn’t work for you (there have been some bugs reported in the current Beta 1 version) or you only downloaded the Desktop CD and now suddenly decided to install Ubuntu on an encrypted partition, this is the right guide for you. If you just like pretty GUIs that’s okay too, but be aware that for this tutorial you should be comfortable working from the terminal. (though most of this tutorial you can just copy – paste into a terminal window).

Let’s start by installing lvm2 on your live system (the desktop cd doesn’t have that by default), open a terminal and type:

sudo su

aptitude update && aptitude install lvm2

If that fails check your network connection. You need a working internet connection to download the package. Now you need to set up (at least) two partitions:

  • /dev/sda1: an unencrypted /boot partition (around 250 MB) and
  • /dev/sda2: one encrypted LVM volume for your / filesystem and swap.

In your system it may be /dev/sdb or whatever you choose: Adjust the following commands to your system configuration:

cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda2

When choosing a password take a long, safe password which is not prone to dictionary or brute force attacks. But also make sure you won’t forget it – if you forget your password all your files and settings will be lost.

cryptsetup luksOpen /dev/sda2 lvm

pvcreate /dev/mapper/lvm

vgcreate ubuntu /dev/mapper/lvm

lvcreate -L 1300M -n swap ubuntu

You can change the size of the swap partition, usually a value 1.3-1.5x your RAM size is fine.

lvcreate -l 100%FREE -n root ubuntu

If you want more than one partition (eg. a seperate /home partition) don’t use 100%FREE but the value you wish and define the additional partitions using the above scheme before proceeding to the next step.

mkswap /dev/mapper/ubuntu-swap

mkfs.ext4 /dev/mapper/ubuntu-root

Now start the installation process (don’t close the terminal yet, we’ll need it later). In the partitioning step choose /dev/mapper/ubuntu-root -> Mount point: / and reformat the partition with ext4. Choose /dev/sda1 -> Mount point: /boot and also reformat the partition.

Then continue your installation. On my system it wasn’t able to install the bootloader – don’t worry, we’ll fix that later, just continue with the installation. Once it’s finished don’t restart the system: Close the window and go to the terminal again.

mount /dev/mapper/ubuntu-root /mnt
mount /dev/sdX1 /mnt/boot
mount -o rbind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
chroot /mnt

Now you’re chrooted in your new installation and able to modify it in order to boot into the encrypted partition. Install the necessary software:

aptitude install cryptsetup lvm2

Then you need to write the UUID of the encrypted partition into /etc/crypttab

echo “lvm UUID=VOLUME_ID none luks” >> /etc/crypttab

You can find out the volume id by typing blkid /dev/sda2 in your terminal. Lastly you need to update the initramfs with

update-initramfs -u -k all

If you were able to install the bootloader grub during the installation process you’re done now, you can exit the terminal and reboot. If not there are three more commands you need to run before exiting:

aptitude install grub2

grub-install /dev/sda

update-grub

If all went well you have a 10.04 installation with an encrypted system drive now. Congratulations!

NOTE: The last part of this tutorial (chrooting plus installing grub) may also serve as a workaround if you encounter any problems or bugs setting up grub during the regular installation process.

Written by eubolist

2010/04/05 at 18:51

A guide to make safe passwords

with 2 comments

There are a lot of informations out there on how to make secure passwords, most of which are about passwords for cryptographic purposes, written by security experts. Of course the most secure password form is a true random password consisting of upper/lowercase letters, numbers and special characters. There are a lot of web services out there to generate such strings, take this one for example: http://clsc.net/tools/random-string-generator.php

Now it occurred to me, that some security enthusiasts – and some folks at Microsoft – also advise people to choose random passwords for their accounts (computer, mail, social networking …) as well – to make it safe, of course. This is idiotic because the average user certainly does not want to memorize multiple random strings and this policy would encourage users to use one password for all their accounts. Using the same password for multiple accounts is a very bad idea – if one account gets compromised (the programmers at your dating site didn’t do a great job in securing their server) all your other accounts (PayPal, eBay, …) will be in danger, too. And even if you can memorize the random password there is a good chance that you will forget it once you haven’t used it in a while. Which is quite probable to happen since most people are too lazy to always type the password and decide to store it in Firefox, the keyring or whatever password manager they’re using. So don’t use random passwords as long as you’re not an autistic savant genious with a superhuman memory.

Now, since I’ve condemned the really safe option of random passwords let’s have a look at the two possibilities an attacker has to crack your password. The first method would be a dictionary attack: The attacker uses a dictionary file with lots and lots of words in it as possible passwords. This attack is the reason why it’s a bad idea to use simple words without modification as passwords. The second method is a bit simpler, it’s called brute force attack.  Similar to the dictionary attack the attacker tries to guess your password, this time – as the name suggests – every possible password is tried, starting with a and ending with ZZZZZZZZ… Brute force is a lot slower than a dictionary attack because obviously many more passwords have to be guessed until the right one is found. But the big advantage is that the password doesn’t have to be a word, so a password such as “123++” doesn’t offer a lot of protection against brute force attacks, despite being quite strong against a dictionary attack (always depending on the dictionary used, of course).

So what properties does a password need to be safe?

  • It should be long. The longer the better. Why not use a short sentence for example? A short sentence consisting of a few words is very easy to remember and contains a lot of characters, making it hard to break. In case spaces are not allowed you can just leave them out or substitute them with a dash or a certain number.
  • It should contain upper and lowercase letters, numbers and special characters. Adding a number and a special character after your usual password vastly increases the security of your password. Let me show an example: if “monday” is your usual password, it consists of 10 lowercase letters. So a brute force attacker has to try a maximum of 246 possible passwords until he eventually will guess the right one. Given he can try 5000 passwords per second he will crack your password in about 10 hours (he would even be a lot faster if he used a dictionary attack in this example). Now we add a number and a special character to your password and capitalize the first letter: “#0nd4y” A brute forcer would have to try the full ASCII set to crack your password: 1286 which would, at the same speed, take the attacker almost 140 thousand years!
  • It shouldn’t be a plain (or simple variation of a) dictionary word. Even if the above sample may seem secure against brute force attacks, it may not be against a dictionary attack where the dictionary has been added variations of the words (a huge list like that can be easily and quickly generated with an automated script). Use words from foreign languages you know, they are not likely to be in a dictionary (since the largest dictionary files are English, and who would guess eg. a french password on a Spanish user and website?)
  • As I already mentioned: One password per account! Don’t use the same password for multiple accounts. Just don’t.
  • Finally, the last and maybe most important point: It should be easy to memorize! How can one achieve that regarding my other points above? Even passwords containing special characters or numbers are easy to memorize if you create yourself a pattern. There an infinity of patterns you could use to generate safe, easy-to-memorize passwords. Here are a few ideas: Always add the same number (e.g. your birthdate) plus one special character after or before the word you use: puppy –> 1351976?puppy / 1351976=puppy / 1351976@puppy / … Or play around with a whole sentence: puppy –> i have a cute puppy 9877+*$ / i-have-a-cute-puppy9877 / ihaveacutepuppy+*$ / i9have8a7cute7puppy!!! / …

This way even if you don’t use a password for a long time you, and only you, will still be able to guess the right one amongst the most likely variations that you have in mind. And even though I certainly do not consider myself a security expert, I think this is one of the safest, most reliable ways to choose your passwords for everyday users.

Written by eubolist

2010/02/19 at 17:12