Linux: How to force an application to use a given VPN tunnel

I’ve changed my approach and am now using a simple docker setup to achieve the same result Somehow I have to use VPN services throughout the day: when pen-testing from abroads I really need to login to my company’s network first. Otherwise my provider is kinda grumpy when I’m doing fast non-cloaked scans against large companies. also when pen-testing I like to use some cloaking VPNs to test the client’s detection capabilities if I would ever use bit-torrent I’d really like to make sure that the torrent program can only communicate through a private proxy (as pia). The easy solution would be to connect the openvpn tunnels on startup and just route all the traffic through the tunnels. Alas this is way to slow for daily use – and somehow error prone: if a tunnel dies and some pen-test is currently under progress traffic might escape into ‘unsecured’ public networks. The same would be true for torrents. ...

October 20, 2013 · 4 min · 845 words · Andreas Happe

Git with transparent encryption

This is part three of a series about encrypted file storage/archive systems. My plan is to try out duplicity, git using transparent encryption, s3-based storage systems, git-annex and encfs+sshfs as alternatives to Dropbox/Wuala/Spideroak. The conclusion will be a blog post containing a comparison a.k.a. “executive summary” of my findings. Stay tuned. git was originally written by Linus Torvalds as SCM tool for the Linux Kernel. It’s decentralized approach fits well into online OSS projects, it slowly got the decentralized OSS of choice for many. Various dedicated hosted storage services as github or bitbucket arose. In this post I’ll look into using git as replacement for Dropbox for data sharing. As Dropbox has a devastating security history (link needed) I’ll look into ways of transparently encrypting remote git repositories. ...

October 10, 2013 · 5 min · 883 words · Andreas Happe

Encrypted S3 storage filesystems

This is part two of a series about encrypted file storage/archive systems. My plan is to try out duplicity, git using transparent encryption, s3-based storage systems, git-annex and encfs+sshfs as alternatives to Dropbox/Wuala/Spideroak. The conclusion will be a blog post containing a comparison a.k.a. “executive summary” of my findings. Stay tuned. This post tries some filesystems that directly access S3. I’ll focus on Amazon’s S3 offering, but there should be many alternatives, i.e. OpenStack. Amazon S3 has the advantage of unlimited storage (even if infinite storage would come with infinite costs..). S3 itself has become a de-facto standard for providing object-based file storage. ...

June 27, 2013 · 7 min · 1335 words · Andreas Happe

Secure Online Data Backup using Duplicity

This is part two of a series about encrypted file storage/archive systems. My plan is to try out duplicity, git using transparent encryption, s3-based storage systems, git-annex and encfs+sshfs as alternatives to Dropbox/Wuala/Spideroak. The conclusion will be a blog post containing a comparison a.k.a. “executive summary” of my findings. Stay tuned. Duplicity is a command-line tool similar to rsync: you give it two locations and it synchronizes the first location to the second. Duplicity adds additional features over rsync, especially interesting for me are incremental encrypted backups to remote locations. This form of storage would prevent any hoster of gaining any information about my stored data or its metadata (like filenames, etc.). ...

June 27, 2013 · 4 min · 719 words · Andreas Happe

Avoiding Internet/Network Surveillance

Last week’s World Conference on International Telecommunications (WCIT) brought internet surveillance into public news: one outcome of the conference was standardization of DPI technology. This infrastructure standard will make it easier for governments to implement large-scale surveillance and/or filtering. Funny thing is that governments are already having those capabilities, they only want to standardize it. The public outrage came too late. So let’s protect you from governments at home or abroad, the RIAA, MPAA, random eavesdroppers and anyone else that want to listen in on your secrets while you’re surfing the Internet. The initial steps are easy and cheap (or free), so there’s no reason let your security down. They might not be perfect but making the government’s job more expensive seems to be a good road to take. ...

December 10, 2012 · 7 min · 1360 words · Andreas Happe

Linux: How to forward port 3000 to port 80

Another small tip: to locally forward port 80 to port 3000 use the following Linux iptables command: $ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000 You can use this command to allow customers to connect to your locally run Ruby on Rails setup (as long as you have some port forwarding set up on your local router). I am using this to develop facebook open graph apps as the application URL (that is configured within facebook’s app controll page) cannot include a custom port (like 3000). ...

November 18, 2012 · 1 min · 93 words · Andreas Happe

Postgres: Howto change owner for all tables

Just a small tip for today: when moving an RoR-application between servers the database user often changes. While it is easy to dump and restore database dums using pg_dump and pg_restore this might lead to invalid table ownerships on the new host. I’m using the following bash snippet for fixing this problem ...

November 11, 2012 · 1 min · 169 words · Andreas Happe

Moving OctoPress to Amazon S3 and CloudFront

OctoPress is embraced for its simplicity: write blog posts, save them, generate HTML pages and move those upon a web server. As no code is executed server-side every page can be cached and security risks are low. So far I’m hosting my blog on a rented hetzner root-server in Germany. While there’s no server-side security problem I’m still using a full blown server which imposes maintenance overhead on me. No peace of mind. An alternative would be moving to the cloud (Amazon’s S3 storage in my case), but is it worth it? ...

November 3, 2012 · 5 min · 994 words · Andreas Happe

A full-powered shoebox-sized Desktop

After three or four years it became time to replce my Desktop Computer with newer technology. I’ve got a first generation Intel Core i7-920 Octo-core processor: it still packs more than enough power but sadly gets too hot and thus the cooling system got too loud for my taste. So time for a new Desktop! I decided to go the miniITX route. The main idea was to pack as much power-efficient technology in an as-small-as-possible case. This post describes my hardware experiences.. ...

October 28, 2012 · 7 min · 1286 words · Andreas Happe

Generating PDFs with wicked_pdf

Ruby on Rails is perfect for creating web applications but sometimes you just need to create some documents which can be stored or send through email. While printing is no problem with CSS not all users are able to “save/print page as pdf”. The ubiquitous Adobe PDF file format seems to be a perfect solution for this problem. The common solution for this is Prawn (also see the RailsCast about it). Alas prawn uses a custom DSL for defining and styling the document and I would rather prefer to reuse existing view partials. princeXML seems to solve this: it transforms existing HTML/CSS into pdf. This allows to reuse existing views and partials but comes with a hefty price-tag of $3500+. ...

May 1, 2012 · 4 min · 670 words · Andreas Happe