zeitgeist.se

A Linux way to disable the Virtual CD on WD disks

Fri, 01 Sep 2017 19:32:58 +0000

According to Western Digital, there is no known way under Linux to disable (and hide) the “Virtual CD” (VCD) partition that can often be found on their external hard disks (such as the popular My Passport series).

No results with Google either, so I had to dig a little further. Please keep in mind that the following solution worked well for me, but that it could, potentially, brick your hard disk. You’ve been warned.

Mount an iPhone inside a KVM guest by disabling usbmuxd

Sun, 28 Jun 2015 21:03:43 +0000

Today I wanted to mount an iPhone inside a KVM-based VM. My host is Ubuntu 15.04, the guest is Windows XP. Well, it didn’t quite work at first because the host kept stealing back the phone’s USB connection. The culprit was usbmuxd, a “USB multiplexing daemon” that handles communications with iOS devices and Linux. To temporarily overwrite its behavior I added an empty udev rules file:

$ sudo touch /etc/udev/rules.d/39-usbmuxd.rules

This rule file (which does nothing) takes precedence over the original rules in /lib/udev/rules.d, with the result that it would no longer trigger the usbmuxd daemon whenever an iPhone is detected on the USB host.

Arial from Windows 10 doesn't play nice with Linux

Mon, 01 Jun 2015 19:11:28 +0000

I was fiddling with the fonts on my Linux notebook today, and I thought, why not upgrade all the Windows-based fonts with the latest fonts from Windows 10 (preview version)? Well, something definitely got changed and I don’t think I like it.

Google Domains invites up for grabs

Fri, 10 Oct 2014 10:35:17 +0000

I have five invites for Google Domains available. The first five users to reply to this post will get one (make sure to enter a valid e-mail or I won’t be able to send it to you).

Keep in mind Google Domains is currently only availble for users in the US; your location is determined by the billing address for the credit card you use with Google Wallet to purchase or transfer a domain.

Enabling ATA Security on a Self-Encrypting SSD

Sun, 07 Sep 2014 11:20:12 +0000

Recently I purchased a Samsung 840 Pro SSD for my frayed old notebook (a Thinkpad X200s). It’s a self-encrypting drive where data is always stored with AES-256 encryption. But first, to benefit from the encryption, I needed to encrypt the underlying encryption keys. One way of doing that is to set an ATA user password for the drive, which is supported by the BIOS of most notebooks.

But there is a problem.

Optimize AES and ChaCha20 usage with BoringSSL

Sat, 23 Aug 2014 11:49:02 +0000

BoringSSL is a Google fork of OpenSSL. It includes various interesting patches, including an implementation of the ChaCha20 cipher. In addition, BoringSSL allows you to group cipher suites of equal preference:

Equal preference cipher groups. This change implements equal-preference groups of cipher suites. This allows, for example, a server to prefer one of AES-GCM or ChaCha20 ciphers, but to allow the client to pick which one. When coupled with clients that will boost AES-GCM in their preferences when AES-NI is present, this allows us to use AES-GCM when the hardware exists and ChaCha20 otherwise.

Source

In this article I show you how you can tweak your nginx configuration to take advantage of this feature.

Debug Memcached with tcpdump

Sat, 03 May 2014 16:44:22 +0000

tcpdump -i lo -s 65535 -A -ttt port 11211| cut -c 9- | grep -i '^get\|set'

Google Cloud DNS: How-to Guide

Thu, 01 May 2014 18:38:08 +0000

In this article I will walk you through setting up a domain DNS zone using the Google Cloud DNS service.

Google Cloud DNS is a high performance, resilient, and global DNS service, which allows you to easily publish and manage DNS records.

To keep this short and sweet, I assume that you know the basics of DNS.

OpenSSL with ChaCha20-Poly1305 support

Sat, 26 Apr 2014 07:44:39 +0000

Update: Meanwhile you could also switch to the BoringSSL fork.

D. J. Bernstein’s ChaCha20-Poly1305 has not been merged into the OpenSSL master branch yet (ETA, anyone?). If you are curious to test it with nginx or any other application relying on the OpenSSL libraries with support for TLS 1.2, you can check it out via the 1.0.2-aead branch:

$ git clone https://github.com/openssl/openssl.git
$ cd openssl
$ git checkout 1.0.2-aead

Then follow the usual instruction from the INSTALL file on how to compile OpenSSL.

IPSec Fail: Perfect Forward Secrecy, Where Art Thou?

Fri, 18 Apr 2014 14:28:29 +0000

Perfect Forward Secrecy (PFS) has garnered widespread publicity in recent months thanks to Snowden and the NSA. As a result, an increasing number of websites and email service providers have been pushing for PFS to provide better security to their users.

PFS protects previous key exchanges even if the current one is compromised.

Unfortunately the same cannot be said about current popular IPSec VPN clients. Neither of the ones I tested - all of them from recent distributions including Windows and OS X - offered PFS out of the box, meaning previous IPSec key exchanges could be decrypted by an attacker if the current one is compromised.

Despite Heartbleed bug: certification revocation refused (Updated)

Sat, 12 Apr 2014 08:27:22 +0000

Note: [04/14/14] Today I was contacted by GlobalSign representative Gregory who stumbled over this blog post, and he was so kind to revoke the affected certs free of charge. He also added, in response to my summary below, that there is an option in the Chrome settings to enable revocation checking, and that beginning April 1, 2015, GlobalSign will restrict the maximum validity of then-issued certs to 39 months.

So the Heartbleed bug ( CVE-2014-0160) is out, and every administrator using SSL to protect his infrastructure has been wondering the same thing: should I absolutely, positively, without a doubt, replace all certificates and associates keys?

The only reasonable answer is: yes - if you used certificates on a vulnerable machine. Even those in disbelief were quickly proven wrong.

The first thing I did was to patch all impacted OpenSSL instances and restart the services that depend on the OpenSSL library (that includes not only HTTP but also MTA and IMAP, among others). That was the easy part.

What followed was a major pain with my certificate authority and one of its partners.

A list of helpful JavaScript resources (free)

Wed, 26 Mar 2014 09:03:23 +0000

Recently I’ve been refreshing my rudimentary JavaScript skills. Listening to a Mr. Crockford makes me all humble and sentimental. Did you know that he was somewhat involved in the development of Maniac Mansion - mainly in porting the Lucasfilm Games SCUMM engine for Nintendo?

Anyhow, here is my list of free online JavaScript resources that I’ve found extremely helpful. Not all of them are necessary for beginners, but I am sure the list contains something for everyone.

Reconnect VPN upon resume from sleep (Windows)

Wed, 11 Dec 2013 02:47:37 +0000

Windows doesn’t automatically reconnect VPN connections when you resume from standby mode. Sometimes this can be annoying - for instance when you are using someone else’s Internet and want to make sure that your connection is always secured through the VPN. To fix this, I created a task that automatically connects to a predefined VPN whenever you resume Windows.

120+ Live Webcams not requiring Flash

Thu, 05 Dec 2013 14:50:48 +0000

It’s raining outside. It has been cold and gloomy in the last couple days. Since I cannot afford going to a sunny, remote beach right now, the best I can do is load one of the below webcams and watch ocean waves crash onto the sand. Pathetic I know.

The following live streams are from the Earthcam Network. They are pretty well known, and there are quite a few other blogs listing at least some of these streams. With one big difference: All the lists I’ve seen link to them using the Real Time Messaging Protocol (RTMP) protocol. The biggest drawback is that RTMP only works in Flash. But who wants to do Flash these days? Fortunately, Earthcam streams are powered by the Wowza Media Server, which includes support for other protocols as well. So after some food for thought I was able to find the following links which all point to the AVC/H.264 streams using standard HTTP. This means they should be compatible with a wide range of popular video players (I am using MPlayer).

Privacy Policy

Wed, 04 Dec 2013 21:40:35 +0000

Your privacy is important to us. To better protect your privacy we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used.

Collection of Personal Information

When visiting zeitgeist.se, the IP address used to access the site will be logged along with the dates and times of access. This information is used to analyze trends, administer the site, track users movement and gather broad demographic information for internal use. Most importantly, any recorded IP addresses are not linked to personally identifiable information.

strongSwan 5 not autostarting on Debian

Wed, 27 Nov 2013 16:51:12 +0000

Did you follow the guide how to install strongSwan 5 on Debian Wheezy? You may have noticed that strongSwan doesn’t automatically start when you reboot the server (tested with 5.1.0-3~bpo70+1). The fix requires a small modification to /etc/init.d/ipsec.

Finding the optimal NAT Keepalive interval

Wed, 27 Nov 2013 15:59:12 +0000

udpnat is a useful tool to figure out the optimal interval for sending out UDP keepalive packets in a specific environment. From the description:

MTU woes in IPsec tunnels and how you can fix it

Tue, 26 Nov 2013 15:55:55 +0000

Today I ran into a problem with IPsec Xauth PSK and the built-in Android VPN client (Android 4.1.2), resulting in some sites (such as www.yahoo.com) not loading through the VPN tunnel. Turns out I was dealing with MTU issues. When the Android VPN is started, it sets the MTU to 1500 on the tun0 interface:

Contact

Fri, 22 Nov 2013 15:49:35 +0000

Hi there!

You can reach me at alexander@zeitgeist.se.

strongSwan 5: How to create your own private VPN

Fri, 22 Nov 2013 15:41:41 +0000

Update 04/20/2014: Adjusted to take into account the modular configuration layout introduced in strongSwan 5.1.2. Tweaked cipher settings to provide perfect forward secrecy if supported by the client.

This article is a step by step guide on how to prepare strongSwan 5 to run your own private VPN, allowing you to stop snoopers from spying on your online activities, to bypass geo-restrictions, and to circumvent overzealous firewalls.