ALL POSTS:

DMT/Linux Blog

By - dmt 21 Jan, 2017
EDIT: The original article recommended xsel, but a couple of users reported that it disabled their sound. This wasn't a problem for me, but I found another way (using xclip ) to achieve the same goal that should sidestep the issue. The article has been updated to reflect the switch to xclip.

The ability to copy/paste around your OS is essential. Whether you're writing code or comedy, these two functions are central to working with text on a computer. When you copy text, it goes into the memory-residing clipboard. Unless you install a clipboard manager that can hold multiple entries, the clipboard by default holds one copy event, and the moment you copy something else, the entry before it vanishes. In the standard Linux setup, the clipboard contents are stored in the memory of the program controlling it (most often Xorg).

The clipboard should be hobbled because any program can read its contents, and if left alone, it doesn't forget what it knows. Furthermore, modern browsers enable multiple ways for malicious websites to read from (and write to) your clipboard.

Although never the default, browsers have settings to disallow clipboard access. Add-ons for both browser and OS are available to manage your clipboard, as well, but it's easier and more reliable to fix the problem at the top of the chain and secure the clipboard system-wide. There are plenty of reasons to have a functional clipboard, but not one good reason contents should linger there for more than a minute or two.

Password managers have become popular lately, and if you use one, you've seen how they copy your password to the clipboard so you can paste it over in your browser and log into your accounts. Then what? Your password stays on the clipboard till another copy event or a reboot is what.

Even if you use a separate browser for things like banking, if you copy your password, you bring it back to your other browsers via the clipboard and expose it to web-based clipboard harvesting techniques.

My fix handles the problem for you in the background, clearing the clipboard contents automatically every minute. It does this with the xclip command line tool, a tiny script and cron . The one minute cron interval gives you enough time to get your copied passwords pasted, then it empties the clipboard. This repeats every minute, providing worry-free copying.

We need the xclip utility to clear the clipboard in the terminal. In apt-based distros, enter:

sudo apt-get install xclip

Lets test the utility in the terminal.  First copy some text from anywhere, paste it somewhere else, then enter these two commands:

touch blank
xclip -selection clipboard blank


then try pasting the text again - it should be gone. Now let's put the commands into a script. Create a script by entering (replacing leafpad with your text editor):

leafpad nukeclipboard.sh

and enter the following into the new file:

#!/bin/sh
touch blank && xclip -selection clipboard blank


Save and close the file, then make it executable with:

chmod +x nukeclipboard.sh

Now to make the job run itself every minute. First beware, cron options differ from distro to distro. The following settings are for Ubuntu(based) distros and the process might be different in your distro, so rtm .

To setup the cron job, go to the terminal and enter:

crontab -e

Scroll down past the #commented-out lines and enter the following line (replacing /home/user/ with the location of your script):

* * * * * export DISPLAY=:0 && /home/user/nukeclipboard.sh

Now hit ctrl-o to bring up the save function, then hit enter to save your crontab. Finally, hit ctrl-x to exit the program. From now on your clipboard has a life-span of one minute.

About the cron entry above... cron has limitations regarding environment variables and when it fails, you can spend all day trying a hundred ways to fix it that don't work. After finding this easy fix advising to set the DISPLAY, there's been no more trouble. Thanks Mike Q for this gem.

Now, you might go to paste something you've copied the very moment the clipboard's being emptied and find nothing there, but it's is a small price to pay for the security bump it gives you. If it's a problem, you can configure cron to run the job at any interval that works for you. Instructions for Ubuntu and kin are on this page.

I hope this tutorial helps you get your clipboard locked down - comment below if you got the script working or have an even better way to do this.

dmt
By - dmt 19 Jan, 2017
Through the glazed-over eyes of friends and family, past that painful look of well-intended but feigned interest, I can clearly see a fundamental lack of understanding about this free software I’m constantly going on about. I’ve always been the frugal type, so I think they just assume I choose it for the price. Ironically, I would happily pay for the free software programs I use daily, they just happen to come at no cost. And anyway, I DO pay.. just not to ACME Software Company for the yearly subscription. I go straight to the donation links of developers who write awesome code and pay them directly. It makes someone’s day, feels way better than hitting “BUY” at the neighborhood app store, and costs only what I feel it’s worth. Some days that’s a little, other days it’s more.

Returning to the reason for this essay, I decided to fix this disconnect and explain to those around me where the passion for using and sharing free software comes from. That decision turned into an open letter, which turned into this post. It was surprisingly difficult to distill the essence of a passion that has so many sides, and a winding road brought me to the conclusions herein. As with any other discipline, programming has endless details abound that only interest the initiated (hence blogs), and I only wanted to talk about why I think it’s so important for other people to use free software, so I had to triple-distill my logic. I’ll provide a bit of background first, then explain what I mean.

Free vs Free - Most people get “free”. If I say, “go download Firefox, it’s free”, you understand that you won’t have to run your credit card to get the download. However, in software licensing there’s another kind of free that’s more difficult to grasp at first. The romance languages have different words for each type of free , “gratis” for free as in you got something of value without paying for it, and “libre” for free as in liberty or the opposite of being locked up. This is reflected in the naming of open source programs like LibreOffice and many others. In the software world, when you hear “free as in beer”, it means gratis. When you hear “free as in speech” or “free as in freedom”, it means libre. This distinction is important to understand because a computer program can be free to download, but not free at all in terms of studying its code or recycling it into another program (a good example being the freeware application Adobe Reader).

We are unable to study the workings of many major computer programs because the code is copyrighted and kept secret like the baked bean recipe only that dog knows (will he reveal it?). This kind of proprietary licensing scheme grants the user the right to use the program (through the ubiquitous EULA ), but not the right to see the code or even own the program - ownership stays with the developer while you just use it. Conversely, for each open source computer program written and published, software developers choose a license that covers what can and cannot be done with the code. There are several dozen free and open source licenses to choose from, each defining a different set of rules (or complete lack of rules) regarding how that code can be re-used. Some restrict the re-use of the software, while others don’t. Incidentally, software can also be dedicated to the Public domain in lieu of being licensed at all.

In the late 1980s, the first open source licenses started to appear. The one that broke ground and led to the abundant collection of high-quality, open source programs available today is the Gnu General Public License ( GPL ). What made this licensing approach revolutionary at the time is that it granted users of a computer program the rights laid out in the Free Software Definition (the ability to use, study, change and redistribute the software) while requiring derivative works to be licensed under the same terms. This is known as a copyleft license and is considered “protective” because it preserves the rights in derivative works. This license ensures that a developer’s code won’t get locked up in someone else’s alternatively re-licensed release of the original code. Using this license let’s the developer share her code without worry that it will be used against her wishes down the road. The freedom to code without this worry started a software development rush that continues to this day. The results of this rush are a testament to the skill and tenacity of open source developers, and their fruits are proof that the open development model is a superior one.

Known as "permissive", there are also open sources licenses that don’t have such restrictions. The BSD license is a prime example of a permissive license. These licenses grant the user the right re-use the code in any program, even a proprietary one. For this reason, large companies will target code released under BSD-style licenses for re-use in proprietary software they have no intention of opening up. In recent years, legal challenges have been successfully leveled against companies for re-using software in violation of the GPL. This has resulted in a renewed and long-deserved respect for the terms of the GPL, and nowadays more companies are complying out of the gate when releasing new software (or just using BSD-licensed code).

So Why Use Free Software? - Returning again to the point here (and aware that opinions differ), I strongly believe that developing and releasing code into the open for peer review results in software of a higher quality, that runs faster, more safely and securely, with less problems, getting quicker bug fixes and providing more respect for user privacy than anything in the proprietary world. Indeed, both Apple and Google, who can easily afford their own in-house software development, instead chose to build their respective mobile platforms on top of existing open source operating systems: Linux for Android and the BSD-derived Darwin for iOS. If it’s good enough for them, I think we can make it work on your desktop to read email, play music, video chat with friends, push office docs around, use the web with all the popular plugins, edit images, shop, bank, etc, etc.
By - dmt 17 Jan, 2017
There are many helpful lists maintained online with constantly-updated hosts files that contain the domains of various Internet crap peddlers. Copying these lists into your hosts file can easily block a large number of domains that your system would be better off unable to connect to. This method works without installing a browser plug-in and will handle blocking for any browser (and any other program) on the system.

In this tutorial, I'll show you how to get Steven Black's Unified Hosts script up and running in Linux. The script will keep your computer's hosts file updated (from multiple sources) with the latest known ad servers, phishing sites and other web scum, all while providing a nice, clean way to manage your own black/whitelists separately from the lists the script manages.

There are two caveats to note before putting 30,000 domains into your hosts file. First off, these huge lists contain servers that you might need unblocked in order to make an online purchase or for some other temporary situation. You'll know you have a problem when something on the web is broken since you messed with your hosts file. To remedy this, I'm going to show you how to make a handy on/off switch so you can quickly disable your blocklist to buy that Himalayan salt lamp (it's the ions). I still consider it a feature of these lists that all manner of things get blocked (it was only annoying until I thought of making that off switch). If you have a repeat problem with a blocked server that you need often, just add it to your whitelist file and you're all set.

The second problem is a slight performance hit because the system has to check the entire list each time a domain is called up. Maybe there's a small hit, but not big enough for me to ditch the list and let every connection through. However, consider yourself warned.

Hosts files block a server by directing requests to that server to either 127.0.0.1 or 0.0.0.0 - in other words, nowhere. Some say using zero's is a faster, less problematic way to accomplish the blocking. You can configure the script to use any blocking ip you want by executing it with the --ip option like "--ip nnn.nnn.nnn.nnn", but the default is 0.0.0.0 and that's where I'm leaving it.

I used to do what Steven's script does by hand every once in a while, going to each site, copy/pasting their lists into my hosts file, doing a find-replace to change the one-twenty-seven's to zeros, etc. I knew the whole thing could be automated and there were tons of dupes, but I never took the time to address the problems. Since finding this script, that's now a forgotten chore.

Let's start by getting a fresh copy of Mr. Black's code downloaded (~150MB) so we can push some electrons around. You'll need git installed, so if it's not, go to the terminal and enter:

sudo apt-get install git

After it's done installing, enter:

mkdir unifiedhosts
cd unifiedhosts
git clone https://github.com/StevenBlack/hosts.git
cd hosts

While your cursor blinks at Steven's script, let's talk about choices. The script has a few options and extensions that I wont cover here, but I figure if you got this far and you're interested, the readme.md file can tell you all you need to know.

You need python installed to run the script, and which version you have matters. To find the version of Python you have, enter:

python --version

If you don't have python installed:

sudo apt-get install python

For Python 2.7, execute the script by entering "python" as I do below. For Python 3, replace "python" in the command with "python3". Upon execution, the script makes sure it has the most recent version of each list and if not, grabs a new copy. It then writes a new hosts file, including anything in your black/whitelists. Let's give it a try using the -r option to replace our active hosts file and the -a option so the script wont ask any questions. Back to the terminal, and:

python updateHostsFile.py -r -a

The command will ask for your password so it can write to /etc/. For the newly updated list to be active, some systems require a good flush of the DNS cache. On the same hardware, I've observed different operating systems express very different behavior regarding the length of time it takes for a server to become reachable/unreachable after updating the hosts file without a flush. I've seen everything from instantaneously (Slackware) to never/reboot (Windows). There are commands to flush the DNS cache, but they're different on each OS and even each distro, so just reboot if the changes don't take.

Now it's as simple as adding your personal exceptions to the black/whitelist files and running the script whenever you want to update the hosts file. The script will adjust the resultant hosts file according to your specs, appending the file with your additions automatically each time you run it.

Finally, let's create the on/off switches. We need a script for each function, so go back to the terminal to create the OFF switch by entering (replacing leafpad with your text editor):

leafpad hosts-off.sh

and enter the following into the new file:

#!/bin/sh
sudo mv /etc/hosts /etc/hostsDISABLED

And then make it executable with:

chmod +x hosts-off.sh

Similarly, for the ON switch:

leafpad hosts-on.sh

and enter the following into the new file:

#!/bin/sh
sudo mv /etc/hostsDISABLED /etc/hosts

And finally make it executable with:

chmod +x hosts-on.sh

All you need to do is create a shortcut somewhere for each script, labeling them HOSTS-ON and HOSTS-OFF and there you have it.

dmt
By - dmt 16 Jan, 2017
I share the hope with many people that we will soon have access to modern, capable devices powered by both open source hardware ( OSH ) and software.

Open hardware is that which is fully documented and free to use, study, modify and reproduce for your own needs. Everything from the schematics to the PCB layout is all published, including the software that drives the hardware. There have been advancements in recent years and more hardware is being opened up, but the microprocessors in our pc's and other devices are stuck running one of the dominant, closed Instruction Set Architectures ( ISA's ) in the form of x86 on the desktop or an ARM variant in smartphones/tablets. Both of these ISA'a are closed source and are not candidates for an open device. Also, the many widely-used implementations of ARM like the A9 or Snapdragon add further proprietary layers to these already proprietary ISA's.

RISC-V is different. Introduced in 2010 by the researchers at UC Berkeley, RISC-V (pronounced risk-five) is built according to the same original RISC (Reduced Instruction Set Computing) CPU design that underlies other familiar ISA's such as ARM, MIPS, PowerPC and SPARC, but with the intention of being open and unencumbered by patents (Note: as of right now, the RISC-V specs are only free for private or educational use, with full openness planned for the future). The RISC design strategy is in opposition to the Complex Instruction Set Computing (CISC) design of the x86 family.

While RISC-V is not the only open ISA in existence, it's the only one poised to advance in a hurry. The RISC-V Foundation, which directs the development and adoption of the ISA, has some pretty big donors like Oracle, Western Digital, HP, Google, IBM, and Nvidia. I can think of a couple prominent chip manufacturers missing from that list. It seems that the big players have figured out that as with software, hardware will develop faster and better out in the open. Oh and also, you won't have to pay anyone to use it. A project like this hasn't been conquered any sooner because of the difficulty and cost involved in development. Now that an open result is actually what the big companies are after, the development money is rolling in.

RISC-V also has plenty of backing in the academic world. From its incubation at Berkeley to the over 35 University projects worldwide aiding in its development, there's no shortage of brilliant minds working on the project.

There's already progress happening in the background. On the software side, people are porting programs over to RISC-V and getting things booting up. Fedora has ported thousands of programs already - here's Fedora/RISC-V booting up in QEMU:
By - dmt 15 Jan, 2017
As far as people are concerned, there are essentially two types of passwords: the ones we can remember and the ones that are too complex for us to recall. We've learned the latter type is more secure, but it requires us to store impossible-to-memorize-password lists, creating a whole new set of problems. There are some clever tricks to help our brains out a bit, but for most of us the limit of our memory is regrettable.

Not suffering from such memory limits, computers only see one kind of password - guessable. Regarding how long it takes a computer to crack a password, the major variables are: how much time the computer has to spend guessing, how many guesses per second it can try, and the complexity of the password. There are other factors, but strong passwords can exponentially increase the time it takes a computer to break through the gate, so naturally we want passwords to be complicated - just manageable.

When writing down or carrying around passwords is not desirable, yet you still want one that's more difficult than you can remember, there are options. By using a little imagination, you can open up endless ways to surreptitiously store complex, perfect-style passwords out in the open or glean them from the Internet at will.

This post is not intended to teach any one specific method (I only devised the one in the example below for training purposes to get people thinking outside their boxen), instead it aims to inspire different thinking regarding where to get reproducible data that can be leveraged for use in passwords. The way I see it, if we can't replace the feeble password altogether then we should at least teach it a few new tricks. The trick here lies in remembering a routine instead of an actual password, enabling you to pseudo-remember impossibly difficult strings like a savant.

For the example below, we'll use an image from Wikimedia Commons. You can save the image locally for when you need it or just go back to the web and get it each time - the Wikimedia images seem to sit in place forever, so we'll use it knowing we can easily find the exact same file again. You can use your own file in place of my example, it just has to be fixed and unchanging.

The file we'll grab is called "IBM Personal Computer XT front.jpg" which sits at this page. Save the jpg using the Original file link, then drop to a terminal in the directory where you saved it and enter:

sha256sum IBM_Personal_Computer_XT_front.jpg | rev

This command outputs the sha256 hash of the downloaded jpg in reverse, further obfuscating it. Your terminal should be displaying the following:

gpj.tnorf_TX_retupmoC_lanosreP_MBI  f00059a089c6bb2f58620dfbf3104b29279947ead17f0650f3216013c0d05970

This gives us a high entropy, reproducible, 64 character hexadecimal string that can be called up at will anywhere there's Internet and used as a password, without hardly remembering a thing. Useful? Maybe. Lazy? Definitely.

In my example, you only need to remember the image location and the single command that gets the password out of it. In order for methods like these to be secure, you need to come up with something original, so my illustration should be adapted. There are countless other hash functions to choose from. You could instead use the sha384sum command which outputs a 96 digit hexadecimal string, for example. The possibilities are endless. Make it your own.

Finally, delete the jpg and enter one last command:

history -c

This clears the previous command from the terminal memory so when you close it, it wont be written to the .bash_history file.

dmt

EDIT: A reader from LXer.com chimed in and wrapped this routine up in a handy script, so I'm posting it here. The image can easily be replaced and the script cleans up on its way out. Nice. Thanks to dotmatrix.

mkdir ~/.some
cd ~/.some
wget https://s26.postimg.org/kh6n63t5l/pic1.png
sha256sum pic1.png |rev
cd ~
rm -r ~/.some


By - dmt 11 Jan, 2017
When graphics need to be produced billboard-size, you need nice, crisp vector versions of any logos or illustrations to be printed or else you'll get a pixelated effect like the image above (photos are another story altogether). These days, you can find most common graphics and the logos of large companies in vector format at sites like Seek Logo .

But sometimes, a logo or other graphic is too complex for anyone in the volunteer community to have traced and shared with the public - or the company is not well known enough to have been noticed, so their logo can't easily be found and downloaded. This is where this PDF trick can make you a hero, seemingly pulling the artwork your team desperately needs out of thin air.

We start, as always, at Google. We'll search out the coke logo for this example. Note the colon and lack of spaces between "filetype" and "pdf" in the search query below:

coca cola filetype:pdf

That search brings us these results. At the time of writing, the top result is their Sustainability Report . Great. Right-click, save link as, and download the PDF somewhere.

Now we need the great Inkscape vector graphics program to get to the artwork so if you don't have it, in Ubuntu/Mint, go to the terminal and enter:

sudo apt-get install inkscape

Next step: open Inkscape, click File, Open, choose the PDF you just downloaded, hit Open and you'll get this window:
By - dmt 10 Jan, 2017
It's now obvious that no system is completely immune to unauthorized access. The lowly password keeps failing and failing, yet we still haven't agreed on an alternative. Biometric authentication is promising, but so far has only bloomed in certain walled gardens. The best you can do right now is add layers of complexity to your login routines making your accounts harder to get to.

The problem with adding complexity is that it gets too complex and nobody wants to bother. The best solution for this is 2FA ( Two Factor Authentication ). You've seen 2FA at work when receiving a text from Google with a code that enables a login or gets you through an account setup. Securing logins with text messages no doubt increases security, but there are problems with relying on SMS for authentication. SMS fails to qualify as true two-factor, which is described as using a combination of something you know (a password) with something you have (supposedly your phone) to prove you are you. Since your phone number can be hijacked from the cellular company and your texts re-routed (or worse, cc'd) to another device, the phone doesn't fully qualify as something you (and only you) "have".

The answer to this is to dismiss SMS and rely instead on an app or desktop program that employs the Time-based One-time Password Algorithm (TOTP) to generate a code that will get you logged in and keep others out. This code is entered along with your regular password, exponentially increasing the odds that you're the only one logging into your account. It's interesting to note that the software generating the code need not run on a system or phone that's connected to the Internet to output a good code - the system must only have the correct time (within 30 seconds or so) for it to work.

I'm going to describe the typical 2FA setup routine using an authenticator app, then I'll explain how to start generating codes in your Linux terminal using oathtool. Finally, I'll describe how to get nice menu shortcuts on your Linux machine that will open a terminal, display your auth code for you, then disappear after 30 seconds.

First let's get the app working. Since the software to generate these one-time passwords is open source and freely available, there are tons of apps that will do the job. I only recommend one: FreeOTP. It's open source, written by the Red Hat folks, and has a real no BS interface - and I like that a lot. Get it for iOS here and Android here .

After you get the app running, head over to the great Two Factor Auth website and find a service you use that has implemented 2FA. They even break it down by what type of 2FA is offered by each site - to meet our goals in this tutorial, we're looking for a service that offers the Software Token method. Go login to that service and look around in the account settings till you find their 2FA setup. Every one is different, so there's no point in describing any details. Just get to the point where it shows you a QR code and tells you to scan it - but before you do anything, right-click the QR code image in your browser and save it for later in case you need to decode your key from it. Most services will also display the key under the QR code as a string of letters and numbers (like JBSWY3DPS3YK3PXP). If your service does display the key, copy it and save it for later. Just remember to treat the QR code and plaintext key like passwords and store them safely.
By - dmt 09 Jan, 2017
This is a little trick to shave a few seconds off your daily distrohopping efforts. Every time you download an ISO file, you verify it using a hashing algorithm like md5, or more often these days, sha256. So for instance, if you download ubuntu-16.04-desktop-amd64.iso and run it through sha256 at the terminal like so:

sha256sum ubuntu-16.04-desktop-amd64.iso

...the response you get is:

4bcec83ef856c50c6866f3b0f3942e011104b5ecc6d955d1e7061faff86070d4   ubuntu-16.04-desktop-amd64.iso

Now the lazy part. Simply copy the resulting hash and paste it into a search engine like so . Without even clicking on a link, you can typically determine just from the results that you have a good file.

dmt
Share by: