Obfuscated encryption fails again… No Shit, Sherlock!

This is obfuscation, rather than encryption, for all purposes.

Major hardware vendors are involved, and «the issue is worse on Windows». No surprises, then… Glad I don’t use that poor excuse for an operating system… 🙂

It seems a few popular devices with hardware-controlled self-encryption aren’t really doing it well, having master passwords (truly a #WTF) and faulty standards implementations.

«SSDs from Micron (Crucial) and Samsung are affected. These are SSDs that support hardware-level encryption via a local built-in chip, separate from the main CPU. Some of these devices have a factory-set master password that bypasses the user-set password, while other SSDs store the encryption key on the hard drive, from where it can be retrieved. The issue is worse on Windows, where BitLocker defers software-level encryption to hardware encryption-capable SSDs, meaning user data is vulnerable to attacks without the user’s knowledge»

There’s a paper with all the gory details for the hard-core guys, and a report on ZDNet for the rest.

I love learning new stuff

Really! Learning new stuff is always good for improving yourself, even when it’s something as boring as accounting (well, this one I need to help myself believe).

This is definitely not news for many people, but I always wondered how fail2ban was blocking an ip.ad.dre.ss when I couldn’t find any of the banned IPs with iptables-save | grep ip.ad.dre.ss

I always left it for another time, and boy, did that time pass, with other, more important things in the way.

But no more! This past weekend I finally learned how fail2ban manages IP block lists with Firewalld: it uses ipset and then creates iptables multiport matches on that defined ipset!
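As an added example (not from the original post), here is a small POSIX shell helper that answers exactly that question: given an IP, which ipset holds it, and which iptables rule references that set. It parses the output of ipset list and iptables-save. The set names, addresses and rules below are constructed sample output (using fail2ban’s f2b-<jail> naming and documentation address ranges) so the script runs without root; on a real host, pipe the live command output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original post): find which ipset holds a
# banned IP and which iptables rules reference that set, by parsing the
# output of "ipset list" and "iptables-save".

# Constructed sample of "ipset list" output (fail2ban's firewalld/ipset
# actions name their sets f2b-<jail>); addresses are documentation ranges.
SAMPLE_IPSET_LIST='Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 344
References: 1
Number of entries: 2
Members:
192.0.2.10 timeout 512
198.51.100.7 timeout 77

Name: f2b-postfix
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 200
References: 1
Number of entries: 1
Members:
203.0.113.42 timeout 300'

# Constructed sample of the matching "iptables-save" lines: a multiport
# match combined with a set match, which is why grepping iptables-save
# for the bare IP finds nothing.
SAMPLE_IPTABLES_SAVE='-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 25,465,587 -m set --match-set f2b-postfix src -j REJECT --reject-with icmp-port-unreachable'

# Read an "ipset list" dump on stdin and print the name of every set whose
# Members block contains $1 exactly; exit 1 when no set holds it.
find_ip_in_sets() {
    awk -v ip="$1" '
        /^Name: /   { set = $2; in_members = 0; next }
        /^Members:/ { in_members = 1; next }
        /^$/        { in_members = 0; next }
        in_members && $1 == ip { print set; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Read an "iptables-save" dump on stdin and print the rules matching set $1.
rules_for_set() {
    grep -- "--match-set $1 "
}

# Convenience wrappers over the constructed samples. On a real host use:
#   ipset list | find_ip_in_sets 192.0.2.10
#   iptables-save | rules_for_set f2b-sshd
sets_banning() {
    printf '%s\n' "$SAMPLE_IPSET_LIST" | find_ip_in_sets "$1"
}

rule_count_for_set() {
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | rules_for_set "$1" | grep -c .
}

# Stand-alone run: resolve one IP to its set and show the rule behind it.
if [ "${1:-}" ]; then
    for s in $(sets_banning "$1"); do
        printf '%s is in set %s via:\n' "$1" "$s"
        printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | rules_for_set "$s"
    done
fi
```

Run it as `sh find-ban.sh 192.0.2.10` to see the set and the multiport rule that actually drops the traffic; the same two functions work unchanged on the real command output.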

Boy, was I happy… May come in useful in the future, and in the past it was definitely very useful at times, rather than other workarounds.

Still… nice. I must strive to make time to learn new stuff at least every weekend.

That god-awful upcoming european copyright directive revision…

So the European Commission and Parliament want to give more power to the copyright maximalism extremists, sorry… to revise the European copyright directive…

Among other issues they want to:

  • tax links to news sources (article 11)
  • censor before publication anything citizens want to publish online under the excuse of “protecting” against copyright infringement (article 13)

Article 11

The first one is moronic, and I will do my best to bring about the death of the news publishers who support this.

No more sharing of articles, no more links.

I may personally not be liable BUT any social network I participate in is, and if they deem my website as commercial in any way or form even I may be liable because of what users publish as comments.

This is absurd, links drive potential customers to you, guys. Wanting to cash-in because a link and a short excerpt points to your page is a very misguided idea driven by avarice.

This is what you deserve: a very slow death by nobody using your services because nobody knows of links to you.

I will do my best with this regard. If you can die slowly and painfully (as a business, not as persons), I will watch with a smile on my face.

Ear to ear grin, guys. Not a slight Amazon-like smirk. Ear to ear…

Article 13

Guys… this is censorship at the full extent of the meaning of the word. Government mandated rules that prevent publishing for some specific reason.

If you believe that software can properly detect copyright infringement, then I have a good piece of land on the moon to sell you really cheap. I promise to provide a good deed as proof of ownership! Really!

And if you needed any proof, here it goes… a most recent and obnoxious case where Sony claims copyright over Bach’s works on Facebook. Seriously?

Do not even dream for a second that it will get refined and work in the future.

It won’t. Artificial Intelligence will sooner take over our society and replace it with repetitive robotic work than do this properly.

And this leads to a slippery slope of censorship where other rules will be added to the censorship machines… and in fact… really… they’re already doing it… now they’re adding the “rules against terrorism”; I wonder how many steps until you can’t say anything against the European authorities…

On changing (or not) the clocks… Bring on Spring/Autumn time

It seems the European Commission is giving member states until April of next year to indicate which time they intend to keep: summer or winter.

Note: I would have had a link here to the articles in O Público about this, but following the more than likely approval of the European directive that legitimises charging fees for links, I no longer intend to link to any traditional news outlet.

I think it is praiseworthy that, for once, the European Commission listens to citizens on some topic; one would expect it to have the same attitude regarding the revision of the European copyright directive, so for now I only fear… “what’s the catch”…

That 79% of the Portuguese prefer summer time doesn’t surprise me at all; as a country that, because of tourism, only stands to gain from more daylight hours, especially in summer, it would be very much the preferred option.

On the other hand, there are those who say this also has other harmful effects.

That is, whichever option is taken, there are advantages and disadvantages.

Which way to go?

I personally think the whole EU could adjust by just half an hour and stay somewhere in the middle, with no more clock changes from then on.

This middle ground seems more viable to me and something that balances the arguments for and against each side. Let’s call it Spring-Autumn time…

Marine Le Pen is un-“invited” from Web Summit 2018. Good!

I’m a fierce free speech promoter, but allowing anyone to speak their voice is quite different from giving them a pulpit and paying them to do so.

Marine Le Pen, like most speakers at big events like the Web Summit 2018 where she was supposed to speak at, would be paid to do so.

That means that an event sponsored by a state that rejects fascist association in its constitution (articles 46 and 160) was about to have sponsored (by both central and local governments in Portugal) the leader of the Front National, the French extreme right wing party, promoters of xenophobia and fascism.

Yes, they can speak their ideals and I defend that right, go to the streets if you want to, but I cannot accept that some of my money (via taxes) can finance their activities.

Screw you, fascists.

Now if only Web Summit did the same with the other kinds of extremists they have on their agenda…

Indeed I don’t know you, Marinho e Pinto… #linktax #censorshipmachines #ep #juri #portugal #copyright #directive #voteno

Marinho e Pinto is the only Portuguese MEP on the JURI committee (which deals with legal affairs) and made some revelations to Exame Informática in an interview by my esteemed Hugo Séneca.

Hugo, sorry, but I won’t be posting the link. I don’t want Article 11 of the proposed directive on copyright in the digital market to get me into trouble, and this interview leaves me afraid…

In the interview Marinho e Pinto says outright, regarding being an MEP in whom people placed their hope that he could stop the directive:

The people who had that expectation don’t know me.

Indeed I don’t know you, Marinho e Pinto, because I thought a lot of positive things about you and, as it turns out, I was completely wrong.

I thought you read the proposed directives, but apparently you don’t. The most controversial articles are not “11 and 14” but rather 11, #linktax, and 13, #censorshipmachines.

I thought you understood that the #linktax is not against Google, it is against the way the Internet works, and I, on my blog, which is mine and not some other platform’s, may be affected too.

I thought you understood that upload filters are automatic and act at the moment of upload. It is not about preventing piracy but about censoring whatever an algorithm deems a positive.

I thought you understood the concept of a false positive, and in this kind of technology the problem is not the positives but the false positives.

And there are many false positives; that is why humans are still much better than machines at identifying things (and will remain so for a long time, in my not-at-all-lay opinion on the matter).

I thought you understood that the disparity of laws means these “positives” differ according to the observer’s geographic area.

I thought you understood that once prior-censorship machines are in place, extending their control to content deemed subversive against an authoritarian regime would be trivial; it would just take the right keywords.

I thought you would defend freedom of expression, which is seriously threatened.

I thought you would defend the interests of citizens.

I thought you would defend the interests of authors, who cross, mix and remix, point to information and much more.

I thought you would be impervious to strong lobbies from corporatist collective-management entities that represent only a small fraction of authors.

I thought you wouldn’t divert attention to ghosts that are debunked by study after study.

Anyway, I thought you were a balanced person, rather than a copyright-maximalist extremist.

But indeed… I don’t know you, Marinho e Pinto.

Pre-announcing my musings on GDPR

I’ve only very recently really had to face some of the GDPR “niceties” as a member of the board of a Portuguese association (ANSOL).

From the brief discussion we had, even though I’m a staunch supporter of privacy rights, I had this gut feeling quite reinforced:

GDPR looks like another stone in the Roman road (of Good Intentions) to Tartarus.

You can quote me on that if you want. I already am quite convinced that other stone (The Right to be Forgotten) was a huge mistake prone to abuse by miscreants unwilling to have egg on their online faces…

Now I have to read it, I bet I will find lots of issues…

#Keto Recipe: the best roquefort cheese hot scrambled eggs

Today I’m going to share with you a powerful fat bomb meal, very friendly to people living a healthy keto diet: a scrambled eggs recipe I’ve been having from time to time that just takes me to heaven.

I know you have to like some of these ingredients, especially roquefort cheese, which is not legally available in the USA because of unhinged law makers, although you may be able to find it at some place under the counter (if you wink-wink, nudge-nudge the right way, of course). Sorry guys, try other replacements, it may still be good for you!

Here it goes, first the ingredients (remember to get the most from so-called organic, grass fed, free range, or whatever… sources that are less likely to have the sweet poison of sugar or other potentially dangerous chemical additives):

  • 3 eggs per person (or for two if you eat less, or for many if you share as an appetizer)
  • emmental cheese
  • roquefort cheese
  • hot sauce (make your own, preferably), I like it quite hot
  • a pinch of salt
  • coconut oil (cold extraction)
  • salted butter
  • and optionally, bacon (in this case I had to finish three slices of bacon before they went bad, but the meal is quite awesome without it too)

Start by preparing a good amount of diced emmental cheese:

Then, cut a good slice of roquefort cheese…

… and dice it into small pieces:

Then, open your eggs into a cup (one by one in a helper glass, checking their smell) and add a pinch of salt and as much hot sauce as you want (I used two teaspoons of my own):

Give them a good vigorous whisk until it’s all very well mixed together:

Finally, put a decent amount of butter, between 20 g and 30 g (a good butter to buy in Portugal is Milhafre dos Açores), and a tablespoon of coconut oil in a frying pan:

Now that you have everything ready…

… it’s time to put the frying pan on a strong fire and let it melt, mix, and get quite hot:

At this point, I added my slices of bacon, let them fry a bit and then set them on a plate aside:

Then I poured in the eggs and let it solidify just a bit:

It’s now time to lower the fire, break these eggs and spread the emmental cheese:

Now spread the roquefort cheese over (if you had mixed the roquefort cheese along with the eggs, you’d get green eggs, maybe not very appetizing):

Let the cheeses melt a bit (you can probably cover the pan in order to let them melt better than in these photos) and serve on a dish, preferably with the eggs still a bit runny, either on top of (easier) or under (looks nicer) the bacon slices we saved earlier:

It’s now ready for eating straight away and while it’s still hot.

Enjoy the yumminess!

Using Let’s Encrypt with getssl and minimal root usage #letsencrypt

Let's Encrypt is an amazing initiative for getting X.509 certificates for your website, or even your email servers, but most instructions just tell you to run (some more, some less) complicated programs as root in order to run the periodic certificate renewal workflow, and that is sub-optimal, as it substantially increases the number of attack vectors your already-exposed system is susceptible to.

This article is just a way to enjoy the benefits of Let’s Encrypt while minimizing the need for root privileges on your system, and thus keeping it reasonably secure; this example does it with getssl (don’t be scared that it hasn’t changed much for some time, they’re working on the new APIv2 support).

It takes into account a typical CentOS/Red Hat 7 server; your mileage might vary with other systems, but it should mostly be the same.

You can start setting up your environment by adding a non-privileged user, let’s say… acme… who will run the renewal workflow:

# useradd acme

Then you can proceed to installing getssl and setting up directories for your files:

# curl https://raw.githubusercontent.com/srvrco/getssl/master/getssl > /usr/local/bin/getssl
# chmod 0755 /usr/local/bin/getssl
# mkdir -p /etc/letsencrypt/acme/ssl.{crt,key,pem}
# chown -R acme:acme /etc/letsencrypt/acme
# chmod -R 0755 /etc/letsencrypt
# chmod 0750 /etc/letsencrypt/acme/ssl.{key,pem}
# mkdir -p /var/www/html/letsencrypt/.well-known/acme-challenge
# chown acme:acme /var/www/html/letsencrypt/.well-known/acme-challenge
# echo 'acme yourhostname=NOPASSWD: /usr/bin/systemctl restart httpd' >> /etc/sudoers.d/letsencrypt

That last line, adding a sudo rule for the acme user, is part of the magic and the single root command that is executed. You can also make it restart Postfix, Dovecot, or any other service that uses a certificate and needs restarting in order to pick up the new one.

In order to let you read it all from this article, I’ll borrow the examples from getssl’s GitHub page and then add in my own suggestions.

Now you want to prepare the environment (as the user acme) for your domain:

getssl -c yourdomain.com

This will create a ~/.getssl/yourdomain.com directory. The main files you want are called getssl.cfg: there’s a global file at ~/.getssl/getssl.cfg and then more specific files per domain, at ~/.getssl/yourdomain.com/getssl.cfg

In the main file, ~/.getssl/getssl.cfg, you’ll need to set up the values according to your needs (I won’t dive into how to get an account), but for this setup you’ll want to change the following:

RELOAD_CMD="/usr/bin/sudo systemctl restart httpd"
ACL=('/var/www/html/letsencrypt/.well-known/acme-challenge')
CA_CERT_LOCATION="/etc/letsencrypt/acme/ssl.crt/lets-encrypt-x3-cross-signed.pem"
RENEW_ALLOW="30"

And that RELOAD_CMD right there is part of the magic…

Now edit ~/.getssl/yourdomain.com/getssl.cfg and change the following:

DOMAIN_CERT_LOCATION="/etc/letsencrypt/acme/ssl.crt/yourdomain.com.crt"
DOMAIN_KEY_LOCATION="/etc/letsencrypt/acme/ssl.key/yourdomain.com.key"

Now all you need is to set up a cron job (in the acme user’s crontab, so the renewal never runs as root):

45 6 * * * /usr/local/bin/getssl -u -a -q

And finally you configure Apache httpd to use the file paths for the CERTificate and its KEY:

(...)
SSLCertificateFile /etc/letsencrypt/acme/ssl.crt/blog.1407.org.crt
SSLCertificateKeyFile /etc/letsencrypt/acme/ssl.key/blog.1407.org.key
SSLCertificateChainFile /etc/letsencrypt/acme/ssl.crt/lets-encrypt-x3-cross-signed.pem
Alias /.well-known/acme-challenge /var/www/html/letsencrypt/.well-known/acme-challenge
(...)

And you’re done: the cron job will run every day, and when you reach the 30 days to renew threshold your certificate will be renewed with minimal root usage.
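As an added example (not from the article and not part of getssl), the following POSIX shell script checks that the two least-privilege properties the setup above relies on actually hold: the private key directory is never readable by “other”, and the sudo rule grants the renewal user exactly one absolute command. It rebuilds the /etc/letsencrypt/acme layout under a temporary directory with a placeholder (non-secret) key file, so it runs as a normal user; on a server, point the functions at the real paths and at the line in /etc/sudoers.d/letsencrypt instead.

```shell
#!/bin/sh
# Added example (not from the article, not part of getssl): verify the
# least-privilege properties of the setup, using a temporary copy of the
# directory layout so no root access is needed.

# Recreate the directory tree from the article under a temp dir, with a
# placeholder (non-secret) key file where getssl would write the real one.
build_layout() {
    root=$(mktemp -d)
    base="$root/etc/letsencrypt/acme"
    mkdir -p "$base/ssl.crt" "$base/ssl.key" "$base/ssl.pem"
    chmod -R 0755 "$root/etc/letsencrypt"
    chmod 0750 "$base/ssl.key" "$base/ssl.pem"
    printf 'PLACEHOLDER, NOT A REAL KEY\n' > "$base/ssl.key/yourdomain.com.key"
    chmod 0600 "$base/ssl.key/yourdomain.com.key"
    printf '%s\n' "$root"
}

# Succeeds only when nothing at or below $1 has the other-read bit set
# (-perm -004 is the portable octal form). Re-running the article's
# "chmod -R 0755 /etc/letsencrypt" after keys exist, or a key written
# with a loose umask, makes this fail.
key_dir_is_private() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -perm -004 -print)" ]
}

# Succeeds only when a sudoers line carries the NOPASSWD: tag (cron cannot
# type a password) and grants a single absolute command: no ALL, no
# wildcard, no comma-separated command list. That single command is the
# only thing the renewal user may ever run as root.
sudoers_rule_is_minimal() {
    cmd=${1#*NOPASSWD:}
    [ "$cmd" != "$1" ] || return 1          # no NOPASSWD: tag at all
    cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//')
    case "$cmd" in
        ''|ALL|*'*'*|*,*) return 1 ;;
        /*)               return 0 ;;
        *)                return 1 ;;
    esac
}

# Stand-alone run over the temporary layout and the article's sudo rule.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_layout)
    key_dir_is_private "$root/etc/letsencrypt/acme/ssl.key" && echo "key dir: ok"
    sudoers_rule_is_minimal 'acme yourhostname=NOPASSWD: /usr/bin/systemctl restart httpd' && echo "sudo rule: ok"
    rm -rf "$root"
fi
```

Run `sh check-acme.sh --demo` to exercise it against the temporary tree; on the real server, `key_dir_is_private /etc/letsencrypt/acme/ssl.key` is a sensible line to add to whatever periodic audit you already run, since a single careless recursive chmod is all it takes to expose the key.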