Rogue Access Point and SSL Man-in-the-Middle the easy way

After I’ve tried setting up a rogue access point using squid and hostapd I’ve seen that KDE’s network-manager offers host access-point functionality. How easy is it to combine this with BURP for an SSL man-in-the-middle attack? Well some GUI clicking and 3 command line invocations.. The Hardware I bought two USB 802.11n wireless adaptorts on deal extrem, so far both of them work as an access point: a small whitish one for $5.

Read More

How-to setup a rogue access point with a transparent HTTP(s) proxy

I’m always reading about dangerous rogue access points but never actually have seen one in action. So what better than create a test setup.. Hardware for this test setup will be * my old linux notebook (a macbook pro) as fake access point * a small deal extreme network card (Ralink 5070 chipset). I’ve actually bought three differnet wireless cards for under $20 and am trying out the different chipsets.

Read More

Politics: there seems to be no middle anymore

Yesterday was this year’s “Akademikerball” in Vienna. This is a continuation of the former WKR ball – which is used for right-wing networking across Europe and organized by the Austrian Freedom Party. This party in turn is a right-wing party: populist, xenophobic, haven of people with a far-right history. Opposed to this party were protests mostly organized by the left-ish social party and the green-alternative party. Police forces were using this event as a show-of-strength.

Read More

Luxury is Slavery

It’s weakness. Well at least un-enjoyed luxury that has become an everyday event is. This has nothing to do with morals. Luxury costs money. Making money makes you dependant and consumes your free time, it reduces your financial freedom. So if you’re spending your life on luxury make sure that it counts and you’re enjoying it every moment.

Read More

Review and New Year's resolutions

Yeah, let’s make some new year’s resolutions so that I can feel bad breaking them. The big ones are: Stop smoking. And nail-biting. Both might be the same outlet of my nervousness, let’s see if I can get them under control. Start doing Yoga and/or Meditation again. To be honest, this will be needed to get resolution #1 to work. Continue climbing. Alas my left wrist joint seems to have suffered sometime last year – I’ll gonna go to the doctor, but might have to reduce my bouldering for a bit.

Read More

Cleaning Up

With the year’s end comes the time for reviews and cleanups. Reducing cruft allows your mind to be free, with it comes a sense of closure and empowerement. Otherwise all my possessions would drag me down. Stuff I really like to do at this time is: review existing bank accounts and service contracts (like phone/internet/power plans). Reduce them to maintain some sense of control. Books: I hoard them even if most of them are not exactly Pulitzer-price materiel.

Read More

How to use FakeS3 for S3 testing

I’m contributing to a secure cloud project (well, it’s not that secure yet, but getting there..). It’s backend storage options include S3 so I want to test the S3-functionality against a locally installed S3 server. I first tried to utilize OpenStack Object Storage (Swift) or Riak, but both solutions were rather heavy-weight and cumbersome to setup. Bear in mind, that I just wanted some fake S3 storage server which would be deployed within a local network (without any internet connection).

Read More

Indulgence Galore!

We’re living in a world of indulgence and seem not to cherish the small (or larger) daily treats anymore. As a cousin of mine once noted: we are able to go out for coffee and food daily without thinking to much of it’s costs. We’re the lucky few but somehow forgot about that. We’re privileged but we’ve got accustomed to it. Living in Austria our grand-parents and parents started with almost nothing after the second world war.

Read More

Linux: How to force an application to use a given VPN tunnel

I’ve changed my approach and am now using a simple docker setup to achieve the same result Somehow I have to use VPN services throughout the day: when pen-testing from abroads I really need to login to my company’s network first. Otherwise my provider is kinda grumpy when I’m doing fast non-cloaked scans against large companies. also when pen-testing I like to use some cloaking VPNs to test the client’s detection capabilities if I would ever use bit-torrent I’d really like to make sure that the torrent program can only communicate through a private proxy (as pia).

Read More

Git with transparent encryption

This is part three of a series about encrypted file storage/archive systems. My plan is to try out duplicity, git using transparent encryption, s3-based storage systems, git-annex and encfs+sshfs as alternatives to Dropbox/Wuala/Spideroak. The conclusion will be a blog post containing a comparison a.k.a. “executive summary” of my findings. Stay tuned. git was originally written by Linus Torvalds as SCM tool for the Linux Kernel. It’s decentralized approach fits well into online OSS projects, it slowly got the decentralized OSS of choice for many.

Read More