Tech

Sometimes I want to work on client assignments (penetration-tests) from home, if I do that I am using my company VPN so that all traffic is routed thorugh their public IP address (which is white-listed by the client). I do not want for traffic to ever leave that VPN as that would look like as if I’d be performing cyber attacks from my private home IP address. The same requirements arise for different use-cases, e.g., when downloading bittorrent files or forcing traffic through the tor network if whistle-blowing. ...

So I held a lecture on “Web Application Security” for the FH/Technikum Wien last spring and wrote a small booklet for my students (partially because I wanted to avoid discussions during the final exam). I did volunteer for a anonymous feedback round which turned out very positive for me, the booklet was repeatatly mentioned positively. So I distilled and refined it, tried to improve its focus. As I will do the same lecture next year, I am in dire need of feedback so that I can improve it, so I went to dark places and published it on reddit. I was suprised by the kindness of strangers, also got some suggestions from them. I offer the book for free under a creative commons license on my website, but also created a kindle version of the book. If you’re into web security and have read the book, I’d be very happy if you leave a (hopefully positive) review of the book on Amazon. This blog post describes, how I’ve created both the PDF-Version as well as the Kindle-Version of the book. ...

I spent some time playing around with various LTE-options for my Raspberry Pi Access Point/Router setup. My Huawei E3372 USB LTE modem works find but only implements a fake network card. This means that a virtual network card is emulated, all traffic is NATted over a virtual router located behind that virtual network card. This happens in addition to the network translation (NAT) that my Raspberry Pi access point already does. Also, I think that my Raspberry with the external USB LTE modem looks a bit unprofessional: ...

Most of you (and there are a couple of thousands of you) come for my tech-posts, but it seems that some of you get lost reading my non-techie posts too. Time to add on of those, it’s been a while.. I breathe books, they give my brain constant input to thrive on. Recently I went through my goodreads list of reread-good-books to check what influences me and started to reread some of them. Result: I removed some of the books as I had no clue why they were on there. In a flash of practical minimalism I started to think about those books that move(d) me, the result is this list: ...

In one of my last experiments I replaced my crappy T-Mobile (now Magenta) 4G modem/access point with an OpenWRT-based cheap travel router and a 4G USB LTE modem. That doubled my speed over the wireless (WLAN) network but the setup was limited by the outdated and under-powered travel rooter. So I got myself a cheap Raspberry Pi 3b+ and created a minimal Linux-based 4G router/access-point. My basic goal was to create the minimal feasible configuration so that I have a good starting point for future IoT/VPN/SmartHome experiments. I think I succeeded. ...

Recently I upgraded from my “old” Motorola/Lenovo G6 plus to a Xiaomi Mi Mix 2s. Why the new phone? Main reasons for that upgrade were: The old phone started to look like a banana. Seriously, I carry my phone in my back pockets and after a year that.. let to a more-than-slightly bent phone. This might have let to another problem: random vibra-call activation. Originally I thought that I was just imagining them, but recently my phone started to vibrate while it was in my hand — while no notification or interaction at all was happening. Both the USB-C as well as the audio jack were already broken; cables tended to loose connection.. it was annoying to find out that the phone wasn’t charged up after a night because the connection was not stable. Size: the phone was just too big to carry around comfortably. Recently Lenovo’s software upgrade policy turned to the worse: while the phone was recently upgraded to Android 9, 6 months went by without any of the monthly Android security upgrades. As those included fixes for critical remote exploitable vulnerabilities, not having access to upgrades was a no-go for me (I do work in security after all). Mandatory apps; there were both Google’s (Keep, etc.) as well as Lenovo’s mandatory apps (LinkedIn, Outlook, etc.) installed on the old phone; as an user you are not able to remove them. This disturbed my sense of minimalism. No notification LED: this seems small, but a notification LED is something that I highly value. Periodically activating my phone just to check for new notifications is playing havoc with my concentration, so this feature is very dear to me. So I looked out for an Android One or LinageOS phone, that was smaller than my current one and offered dual-SIM functionality (as I want to keep my old private phone number — this one is used by Signal/WhatApp and I’d like to avoid notifying all my contacts). ...

My LTE internet connection (70 Mbit downstream, 15 MBit upstream) came with a combined Huawei B315s LTE modem/access point. As I was using it for the last two to three years a couple of problems did arise: the internet connection was often shaky, oftentimes the uplink connection got lost and I had to power-cycle the modem/access point. Subjectively this got improved with the last system upgrade. while the internet down speed on the wired connection was good, the speed achieved through the wireless connection was atrocious (see measurements later in this blog post) the power supply is badly built and takes the space of two power outlets. I am not trusting proprietary hardware and software too much. Some research showed that I should be able to replace the existing hardware with an OpenWRT-based access point and a single USB LTE-modem. I wasn’t sure if the drivers would work out and what the resulting internet performance would be but there’s only a single way to find that out: build it. ...

Wireguard is recently making a splash as human-configurable low-overhead alternative to OpenVPN and IPSec. As some privacy-centric VPN providers are planning to support it (e.g., PIA) or already have a beta running (e.g., IVPN, as tested by Ars Technica) it was time for me to look into it. The Setup To get a better feeling about the used technology I directly connected my laptop to my desktop (gigabit Ethernet with no switch/router in between) and setup OpenVPN with a minimalist configuration as well as with a more realistic TLS-configuration. I took some bandwidth/latency measurements with iperf and qperf and compared those to a minimal Wireguard setup. ...

I have a quite simple setup: Fedora 23 on my Desktop, Ubuntu 16.04 on my Notebook and a YubiKey thrown into the mix. I do have my normal GnuPG key DD436203 that I’m using. There’s also an old and revoked key 3F5D00B6 with which I was testing my YubiKey with (note to myself: don’t use an YubiKey-crested private key as you cannot backup it). My main key offers an ElGamal 2048bit subkey – which does not work with the Yubikey (as that only supports 2048bit RSA). So I ’ve added a new subkey on my laptop. ...

Update 2017: Sadly I found out (thanks due to the comments on this blog post) that using port-share does not encapsulates subsequent traffic in normal TLS. So using this method will not fool Deep-Package Inspection Firewalls. If you need to mask all your traffic, this is not an option – you might need to investigate stunnel, information can be found here, here or here. I assume, that the higher success rate of this method could be related to some firewalls checking the target of the initial https request. This would yield a normal website with this setup and might be enough to fool some websites. ...