Locked out? Good luck

Let’s build and configure a minimal SSH bastion host (jump box) from scratch, using Ubuntu 20.04 LTS.

Source: DIY SSH Bastion Host

This is all well and good except for the bit where the author is clearly invested in using the cloud (i.e. other people’s computers) to run your own infrastructure.

What happens when google locks you out? Or when amazon decides to do the same. Same concern goes for Azure, or any other cloud provider.

Good luck fixing any of that without having to tear down a lot of your own work just to be able to be useful again. I get it, from a developer point of view setting it like this means it’s easy to plug into projects, but from a sysadmin point of view it means you’re going to shoot yourself in the foot sooner rather than later, specially if you missed a little onfiguration detail that lets your server wide open for takeover.

Smurf aesthetic

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:
Smurf aesthetic

Refugio

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:
Refugio

Thinking Tools: July 2020

It’s been a long while since that last post I did and my setup has changed a lot:

Web services

  • This site, which I’m trying to update more often with links and blog posts I find interesting. It’s going much better after I installed the WP Editor.md plugin to enhance the plain editor. The gutenberg editor sucks ass.
  • Nextcloud. I’m running my own instance to replace Dropbox, which I didn’t like the last time. Got the desktop client installed and it’s working quite nicely.
  • Twitter is still my social media network of choice. I’m using tweetdeck on the desktop
  • Feedly is still my RSS reader of choice but I’m looking around for a replacement that works across all my devices and it’s pretty to look at. Now that people are starting to move away from centralized social networks again there should be some movement in this space.
  • I’m running my own wiki using Wiki.js, which I’ve blogged about. This will probably merit another couple blog posts of their own specially now that I found vimwiki which could potentially run inside my Nextcloud instance.

Actual applications installed on my desktops and laptops

  • For messaging I’m now using Ferdi, a fork of Franz, to run most of my instant messaging needs. The great exceptions are Slack, Discord, and Signal; I discovered I work better when they have their own app instances running but when Signal offers a web interface I’ll probably fold it into Franz.
  • Spotify. Thinking of replacing it with a self-hosted option. I miss my graded playlists.
  • KeePass is still my password manager of choice.
  • Firefox. Mozilla keeps trying its best to kill all low-level functionality. This is easily the program I fuck around with the most, going from extensions to custom userChrome files.
  • Windows Subsystem for Linux. Much less of a pain in the ass than running a VirtualBox VM depending on what you’re doing. Using wsltty as its terminal.

There are some single-purpose utilities I’ve discovered in the interim that are extremely useful for working in Windows 10.

Mobile applications (Android)

  • The usual instant messaging slash social networking suspects minus TikTok, which is spyware.
  • Firefox mobile. Firefox needs to do better at syncing preferences into it.
  • Fenix twitter client. Twitter Co keeps fucking around with their API and preventing third party clients from achieving the excellence they used to have years ago.
  • Nextcloud mobile client for my Nextcloud instance. Needs a lot of work to compare with Dropbox, but it does its job well.
  • Moon+ Reader for ebooks. This one took me a long while to find, most ebook readers have utterly crazy skeuomorphic defaults.
  • Photoshop Express. This one was annoying but you’d be surprised how many image editors are missing features you’d consider basic (like cropping and image resizing), opting instead to overload with photo filters you’ll never use. This one has all the filters but at least lets you crop and resize. It replaced Snapseed. I’ve still to wade through open source editors but my hopes are dim on that front.

There are some things that underpin all of these applications but I think I’ll leave it as-is. It’s pretty fun to see how my workflow changes over time.

Cognitive Dissonance 30 minutes out of downtown

The suburbs run on federal subsidies. Without them, America’s suburbs would have to become more financially productive. They would need to get greater returns per foot on public infrastructure investment. That would mean repealing repressive zoning regulations, allowing the market to respond to supply and demand signals for housing. It would also mean allowing the “little downtowns” Kurtz fears to form where demand for them exists. Isn’t that what is supposed to happen with self-government and local control?

Source: It’s Time to Abolish Single-Family Zoning | The American Conservative

To have a conservative person say this is quite strange. Few suburbs in all of the US actively try to compete with the cities they’re attached to, mostly because they only want to attract wealthier millennials who can afford the down payment on a house by way of the parents paying for it.

And a special version of Flash for games only?

Are we ready to revisit some of the ideas of the early web again? There are trends that suggest we might just have come full circle – and I like it.

Source: The Return of the 90s Web | Max Böck

The only sites that won’t have an RSS feed are those of corporate entities that explicitly depend on keeping people on their sites, like fb.

Hopefully some enterprising engineer at google has found the Google Reader source code and are bringing it back to life…

Tie yourself together

Over and over again, I’ve seen people fix some wireless-related problem and go “wow, I had no idea how much better this could be!” • Wireless protocols often silently operate in an extremely degraded state that makes them substantially worse than wired equivalents.

Source: Wireless is a trap | benkuhn.net

I live in an apartment building that is located within the city core of my city. When I scan for WiFi networks I can see at least 25 from my main workstation. On my laptop, standing in the middle of the front courtyard, you can see at least 40 networks. Mind you, this is only WiFi networks; I’m not including everything else that might be using the 2.4 GHz spectrum, like Bluetooth or other kinds of wireless devices.

I switched to wired devices a long, long time ago precisely of unreliable connections, network lag, and the fact that WiFi optimization is more of an art than any sort of science, and that’s before you bring in newer WiFi versions. I just recently rewired my apartment to have Ethernet all over and be able to throw around 4K media with abandon.

Now if only the USB Implementers Forum would get its shit together, that’d be awesome

TikTok Security: An Opinionated Explainer

There is a post on reddit was written by someone who claims they reverse-engineered the app that is, they set about deconstructing the app to see how its internal components function and interact with each other, with the rest of the phone, and with the servers that conform the service itself.

The app

These are the main points made by analysis of the app itself.

Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

The app will try to learn everything it can about the phone hardware itself, going from the big things like if it’s running on a phone or a tablet, who the manufacturer is, make and model; to the small, like how many megapixels the front camera is.

What you can do about it: Nothing. This is a function done by the app on its own.

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

The app will check what else is installed on the device regardless whether it’s a competing social media app or not. This also applies to the clipboard (the function to copy and paste), as TikTok was caught red-handed accessing its contents. As users we use this function to copy/paste everything, from emojis to phone numbers to credit card numbers to social security numbers.

What you can do about it: Nothing. This is a function done by the app on its own.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

The app will log:

  • The MAC addresses of all network interfaces on the device (cellular, wifi, bluetooth, nfc, etc). A MAC address is a unique hardware identifier for network hardware.
  • Whether those interfaces are connected to anything. If they are, the name and of the cellular network, wifi network, and MAC addresses of that hardware.
  • Then, if they are connected, the IP address used for that connection at both Local Area Network (LAN) and Wide Area Network (WAN).

Taken all together, TikTok will find out what kind of network the device lives in, what other devices are on it, how it moves within the LAN. This also means the WAN IP address revealed, allowing them to use GeoIP databases to try and determine the geographical location of a device.

What you can do about it: Nothing. This is a function done by the app on its own. You could limit the app’s network access but this requires deep expertise in networking and the operating system being used at the time.

Whether or not you’re rooted/jailbroken

Jailbreaking refers to “breaking out” of the limitations placed by Apple on iPhones and iPads to enable additional functions that were not available in either the hardware or the software. The same action in Android is referred to as [rooting](https://en.wikipedia.org/wiki/Rooting_(Android). Either one means you can do anything on the device and is a common goal of spyware/malware so they can operate with unfettered access and without the user knowing.

A common example in the past it was used to enable tethering when it was disabled by cellular carriers trying to force you to pay an extra charge to enable the function.

What you can do about it: You could limit what the app sees if you’re jailbroken/rooted, but requires deep expertise in the operating system.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

As most smartphones and tables now have GPS, TikTok will check for the current GPS data as often as it can, enabling them to follow a device as it moves through a geographical area. Coupling this with the network data, they can determine with lots of accuracy where a device is. Both Google and Apple have this information but keep in mind they are the entities making the operating systems themselves. TikTok is just an app.

What you can do about it: Both Google and Apple let you limit if an app has access to GPS. Be aware TikTok will limit its own functionality if it cannot access GPS, though.

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

TikTok sets up a special kind of server to help with converting videos from one format to another (transcoding) with a minimum of configuration on the part of the app developers or the users. The problem is that it doesn’t check whether anything connecting to that server is actually allowed to both connect and use the server (i.e. it doesn’t ask for a username or a password); this means other apps could potentially connect to that server and use or abuse its resources.

What you can do about it: Nothing. This is very much one of the core functions of the app itself since most device manufacturers have their own ways of saving video on a device and the app needs to be able to deal with all of them.

Potential for remote configurations

The scariest part of all of this is that much of the logging they’re doing is remotely configurable

Every time the app downloads an update they can change what information is logged, how often, where to send it, etc, and you as an user have no way to stop it.

What you can do about it: Nothing. This is a function done by the app on its own.

The people coding the app consciously obfuscate how the code works and what specific functions and tasks it performs.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

TikTok developers are purposely hiding how the app itself operates. You can determine this if you have the know-how and the experience to do it but you will not like the experience of it.

What you can do about it: Nothing.

The app will monitor its environment and change its behavior if it detects someone is trying to analyze it.

They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

TikTok will monitor the device and if it detects any attempt to analyze any of its internal functions and configuration it will try to change its own behavior to prevent that. Failing that it will try to present behavior that is deemed more acceptable to the person doing this work.

This is how the Volkswagen emissions scandal came to be:

  1. Cars were programmed at the factory to detect whether they were being tested for emissions at a laboratory or government facility.
  2. If they were, they would enable emissions control in order to be able to pass those tests.
  3. At any time they were not being tested, emissions control was reduced or disabled entirely, leading the vehicle to emit far more than the allowed legal limit of greenhouse gases.

TikTok is doing essentially the same but it’s all in software.

What you can do about it: Nothing. This is a function done by the app on its own.

File downloads without user interaction.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

TikTok can download a file, extract its contents, then run its contents without needing user interaction or without having to be updated from the App Store or the Play Store. Both Apple and Google forbid this kind of functionality in any app.

What you can do about it: Nothing. This is a function done by the app on its own.

Lax security standards

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

This is something that has been reported about TikTok in the past:

Basically, the TikTok devs won’t implement basic security standards to protect the user, the account, or any of the media the app stores and transmits. This allows intelligence agencies, corporations, anyone who cares to look, to surveil and hack users of the service.

What you can do about it: Nothing.

The Company

All of the previous points point to the one overarching theme of the app: it sucks up as much information as possible, then sends it to the servers that actually run the service (aka “the backend”). There are a of of shady practices on that side of things and the only people who know what’s going on are the people working for TikTok itself. Here are but a few examples:

The company is performing data collection on a level that far surpasses what Facebook, Twitter, Instagram, Snapchat, or most other social media companies have done so far. Only the Big Four (Microsoft, Apple, Google, Amazon) could obtain so much information but that’s because they control both the platforms their operating systems work with; if governments even thought they were doing what TikTok is doing they would face major fines, lawsuits, and antitrust enforcement.

The Combination of Both

When you add what the app does (again, suck up as much information about the user and their devices) with what the company is doing (actively avoiding answering questions of its practices) it all means one thing:

TikTok is combination spyware/malware with the backing of a corporation valued in billions of US dollars.

Most entities that write malware and spyware are:

  • A single person with technical knowledge, like the person who created the ILOVEYOU virus.
  • Nation-states and their various intelligence agencies using software vulnerabilities like BlueKeep or creating their own malware like Stuxnet
  • Organized crime, like the creators of the Conficker worm.

Having a corporation create this kind of software and for users to willingly install that software is something new. I am also leaving out all the advertising practices of the company, as that is how TikTok entices companies to buy into the platform.

What is there to do, then?

It amounts to

  • If you have not installed the app, do not install the app on any device you own.
  • If you have installed the app, remove it immediately from any and all devices you own.
  • Don’t let friends and family use the app, and push for them to remove it if they have used it.

Such drama

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:
Such drama

You’re a Graph Point

These terms distinguish operating systems by the problems they solve for the user. However, a disturbing trend is emerging in which the user is not the party whose problems are being solved, and perhaps this calls for a new term. I propose “vendor-purpose operating system”.

Source: General-purpose OS, special-purpose OS, and now: vendor-purpose OS | Drew DeVault’s Blog

In this instance, you’re not even the vendor’s _user_, that title goes to whomever the vendor is selling to, i.e. the client who is using the OS at scale.

You’re now a byproduct. You’re just something for the vendor to brag about on quarterly meetings with Wall Street.

Nice

Pretty sure this is the longest I’ve been able to keep a server alive without having to reboot for whatever reason.

FTP now has a new meaning.

Black Lives Matter

Organize, provide mutual aid, help out with street cleanup.

Abolish the police.

In their current form, they’re a tool of oppression.

Defund the police.

Don’t want to go the full mile? I’ll meet you at the 900 yard marker. Them pigs do not need hand-me-down military weaponry.

Fuck The Police

Tmux Alt/Meta + Arrow keys don’t work on Windows Terminal

Putting this up ‘cos I will forget how to do this at some point in the future.

Say you’re using the following keybindings on tmux:

# switch panes using Alt-arrow without prefix
bind -n M-Left  select-pane -L
bind -n M-Right select-pane -R
bind -n M-Up    select-pane -U
bind -n M-Down  select-pane -D

And they work okay on Windows Bash but they don’t work on Windows Terminal. This is the cause, and this is the solution:

// Add any keybinding overrides to this array.
// To unbind a default keybinding, set the command to "unbound"
"keybindings": [
    { "command": "unbound", "keys": "alt+down" }, 
                  { "command": "unbound", "keys": "alt+left" }, 
                  { "command": "unbound", "keys": "alt+right" }, 
                  { "command": "unbound", "keys": "alt+up" }
]

This will unbind all uses of the Alt key on the terminal itself and pass them on to tmux.

After the sunrise

        <a href="https://www.flickr.com/people/nullrend/">nullrend</a> posted a photo:
After the sunrise

Wiki.js 2 with Nginx Installation

For the past few months I’ve been using Tiddlywiki as a memory dump but been having some issues. First started with the dreaded XMLHttpRequest error:

Error retrieving skinny tiddler list: XMLHttpRequest error code: 404

Which the available documentation offers no help with and the developers just shrug at. Then it just ate a fucken shotgun shell deep down its throat:

Internal JavaScript Error: TypeError: etag is null

We en’t here for that shit so on we went looking for an alternative that treats markdown as a first-class white citizen in apartheid america. Found wiki.js, which seems to have that, and here we are.

What follows is a guide written after a week of bashing our head against multiple desks because devlopers are morons who don’t know how to write documentation, if they even bother writing any. What is available for wiki.js is fucken laughable or only applies to the 1.x series. Real developers are extinct, by the way.


This is what worked for us on Debian 9. You will have to adapt this for your own OS and hosting configuration. We’re not at fault if the results eat your pet, fuck your significant other, and make your mom call them daddy.

Ingredients

This assumes DNS is already routing properly, outgoing mail works, and you’ve already dealt with your firewall. This setup gets you a wiki.js installation with nginx as a reverse proxy running security.

All commands are executed as root.

Installation

Install what you need

# aptitude install nginx-extras postgresql postgresql-contrib pgcli nodejs certbot python-3-certbot-nginx

Download and extract wiki.js (assuming we’re at /var/www) like the documentation says:

# wget https://github.com/Requarks/wiki/releases/download/2.3.81/wiki-js.tar.gz
# mkdir wiki
# tar xzf wiki-js.tar.gz -C ./wiki
# cd ./wiki
# mv config.sample.yml config.yml

Configuration

Nginx

Edit your configuration file for nginx so it passes everything to the wiki cleanly through nginx. The original configuration was generated by nginxconfig.io and incorporates stuff from the official documentation

As of right now (2020-05-16_14-28) they are valid and working server blocks

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name wiki.domain.invalid;

    # SSL
    ssl_certificate /etc/letsencrypt/live/wiki.domain.invalid/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wiki.domain.invalid/privkey.pem; #managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/wiki.domain.invalid/chain.pem;

    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    #add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=0" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }

    # logging
    access_log /var/log/nginx/wiki.domain.invalid.access.log;
    error_log /var/log/nginx/wiki.domain.invalid.error.log warn;

    # reverse proxy
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version                  1.1;
        #proxy_cache_bypass                  http_upgrade;
        proxy_set_header Upgradehttp_upgrade;
        proxy_set_header Connection         "upgrade";
        proxy_set_header Host               http_host;
        proxy_set_header X-Real-IPremote_addr;
        #proxy_set_header X-Forwarded-For    proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Protoscheme;
        #proxy_set_header X-Forwarded-Host   host;
        #proxy_set_header X-Forwarded-Portserver_port;
                proxy_next_upstream error timeout http_502 http_503 http_504;
    }

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}

    # HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name wiki.domain.invalid;

    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/_letsencrypt;
    }

    location / {
        return 301 https://wiki.domain.invalid$request_uri;
    }

 }

SSL

Using Let’s Encrypt SSL certificates:

# certbot

Go through the wizard and it will automatically fix the SSL entries on your server blocks. You could also do this if you know what you’re doing and don’t want certbot to mess around with your files:

# certbot certonly --webroot -d wiki.domain.invalid --email mail@domain.invalid -w /var/www/_letsencrypt -n --agree-to-tos

Nginx Testing

Test and reload your configuration:

# nginx -t
# service nginx reload

Watch out for any errors, as usual. At this point Nginx will be serving files but as wiki.js isn’t setup yet you’ll get HTTP 502 errors if you try to visit the site on a browser. This configuration plays well with other sites being hosted on the same server.

Postgres

Secure your Postgres installation:

# sudo su postgres
$ passwd

Then setup your database. pgcli has smart completions turned on by default and looks pretty.

$ pgcli

> create DATABASE wikijs;
> create USER wikijs_user with ENCRYPTED PASSWORD 'Strong password';
> grant ALL PRIVILEGES on DATABASE wikijs to wikijs_user;
> \c wikijs
> CREATE EXTENSION pg_trgm;
> exit

$ exit

Wiki.js

Edit config.yml and make the appropriate changes:

  • Port should match what was configured in the nginx https server block (3000)
  • In db section, enter your database credentials
  • Do not enable SSL unless you are not to run this behind a proxy. This might work on a developer workstation but on the public internet you’re asking to get it up the ass, no lube.

Once this is done, start the application and watch for any errors

# node server

At this point you can visit your site and go through the installation wizard.

Configuration

There are a bunch of things the official wiki.js documentation only mentions offhandedly, or that you’ll only find out if you go rooting around in the issues tracker.

Home Page

You can name it anything you want but if you make the path anything other than /home wiki.js will freak out on you and send you on a loop.

File Storage

By default wiki.js will keep all its shit on the DB, which is a fucken stupid bad decision. We like making good decisions so we need to tell wiki.js to keep its shit in the filesystem:

  1. Go to Administration > Storage
  2. Enter the desired absolute path for your stuff, like /var/www/wiki.domain.invalid/wiki-content
  3. Enable the target
  4. Apply the changes

We’re unsure if this means wiki.js will actually use file storage to begin with, but at least you’ll be able to create quick backups of all your stuff. You have backups and you test them, right?

Search Engine

The default search is slow AF, so we’re going to use something better

  1. Go to Administration > Search Engine
  2. Select Database – PostgreSQL
  3. Apply the changes

Finishing thoughts

This thing has potential but it’s got a long way to go before it can look up to MediaWiki. If you find issues with this holler at me on the twitters.

It’s a deep, deep, rabbit hole

In this case the old West Indian world, of which Tennessee lay at the northern fringe. It’s the shatter-zone of the slave diaspora. Circulating currents. We gave Jamaica blues. Jamaica gave us ska. Jamaica gave us dub, we gave back hip-hop. It’s been happening for four hundred years.

Source: That Chop on the Upbeat

More than you thought you’d want to learn about the origins of ska.

Dell Wireless 1703 on Windows Server 2019

Recently at work I had to install this OS (with the Desktop Experience feature set) on a Dell XPS 8700. Windows was able to recognize everything properly and all components but the network adapter would show up in Device Manager. Tried the usual things to fix this:

  • Installing the driver from Dell; it would install but Windows would fail to make use of it.
  • Updating the driver using “Search automatically for updated driver software”. This would fail with Windows complaining about an issue with the INF.
  • Manually pick a driver from the filesystem. It would also fail with an error about the INF.

Looked at the INF file but there wasn’t anything in it that would make Windows Server just up and refuse to install the thing, and given there isn’t that much difference between Windows 10 and Windows Server the issue had to lie elsewhere.

There is one thing that Windows 10 does, however, and that’s automatically start WLAN services, since usually you’d see Windows Server be installed on enterprise hardware or have it connected to the network via Ethernet. Turns out Windows Server does not even install this feature on its own.

To install it:

  1. Click Start button.
  2. Type “Turn features on or off”.
  3. Click Next 4 times (Before you Begin, Installation Type, Server Selection (which defaults to the local server), and Features.
  4. On the Features selection list, scroll down to Wireless LAN Service and select it.
  5. Click Install and wait for the OS to do its thing.
  6. Reboot system. This is required for it all to work.

After the system comes back up the network adapter should be installed and enabled in Device Manager.

Ah, right… in addition to this it turns out the “Dell Update Application” totally does not work under this OS so you have to manually download and install all device drivers; this took me a couple of hours, so mind your clock.