About Security¶

Readings¶

• 2013-06-09: My Perfect GnuPG / SSH Agent Setup
• 2015-04-27 !!!: Using GPG agent for SSH authentication
• 2015-04-27, Hauke Laging (de): Einführung in die Funktionsweise von OpenPGP / GnuPG (gpg) Ein GnuPG-Tutorial mit vielen Hintergrundinformationen.

Advice¶

• http://codahale.com/how-to-safely-store-a-password/

Password Managers¶

• The Best Password Managers, Compared, Lifehacker Faceoff, 2015-03-30

General¶

• Famous xkcd strip: http://xkcd.com/936/: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

Human Factors¶

• About “The Usability of Passwords”: http://www.baekdal.com/insights/password-security-usability

• Your Password is Too Damn Short CODING HORROR - programming and human factors, 2015-04-23

• How to use Aspell dictionaries to find words randomly for a passphrase: https://lists.zx2c4.com/pipermail/password-store/2016-April/002236.html

  aspell -d en dump master | grep -v "'s$" | grep -v "^[A-Z]"
  aspell -d de dump master >de.txt
  

  http://aspell.net/man-html/Working-With-Affix-Info-in-Word-Lists.html:

  ➜  echo abbestellen/BDIOXY  | aspell -l de expand
  
  abbestellen abbestellbarem abbestellbares abbestellbarer abbestellbaren
  abbestellbare abbestellbar abbestellendem abbestellendes abbestellender
  abbestellenden abbestellende abbestellend abbestellt abbestelle abbestelltem
  abbestellter abbestelltes abbestellst abbestellt abbestellten abbestelltet
  abbestelltest abbestellte
  

Password solutions¶

Generate a temporary password:

head -c 16 /dev/urandom | base64  # ➜ i+gjOJZ95yQJdJrYPAZ78g==

Randomness¶

• Card shuffling, probability: The Best Way to Shuffle and Randomize a Deck of Playing Cards

Entropy:

• haveged - A simple entropy daemon

• Intel RdRand Instruction

• Debian or Unbuntu package ‘rng-tools’:

  ➜  ~ dpkg --status rng-tools
  Package: rng-tools
  Status: install ok installed
  Priority: optional
  Section: utils
  Installed-Size: 135
  Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
  Architecture: amd64
  Version: 4-0ubuntu2.1
  Replaces: intel-rng-tools
  Provides: intel-rng-tools
  Depends: libc6 (>= 2.14), libgcrypt11 (>= 1.4.5), udev (>= 0.053) | makedev (>= 2.3.1-77)
  Conflicts: intel-rng-tools
  Conffiles:
   /etc/default/rng-tools 80e82742d3612fbcc5b2fe28d9be198e
   /etc/init.d/rng-tools 364c92343bbad3c2b6c7f080c0abe322
   /etc/logcheck/violations.ignore.d/rng-tools 7c9474cbf0b1317efd82ce1cce1c1648
   /etc/logcheck/ignore.d.server/rng-tools 7c9474cbf0b1317efd82ce1cce1c1648
  Description: Daemon to use a Hardware TRNG
   The rngd daemon acts as a bridge between a Hardware TRNG (true random number
   generator) such as the ones in some Intel/AMD/VIA chipsets, and the kernel's
   PRNG (pseudo-random number generator).
   .
   It tests the data received from the TRNG using the FIPS 140-2 (2002-10-10)
   tests to verify that it is indeed random, and feeds the random data to the
   kernel entropy pool.
   .
   This increases the bandwidth of the /dev/random device, from a source that
   does not depend on outside activity.  It may also improve the quality
   (entropy) of the randomness of /dev/random.
   .
   A TRNG kernel module such as hw_random, or some other source of true
   entropy that is accessible as a device or fifo, is required to use this
   package.
   .
   This is an unofficial version of rng-tools which has been extensively
   modified to add multithreading and a lot of new functionality.
  Original-Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
  

Story¶

• http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker !!!

Webshells¶

Keywords: web, shell

All kinds of good and evil webshells: https://github.com/tennc/webshell

Unix Tools¶

• [dmenu]: http://tools.suckless.org/dmenu/
• [maldetect]: https://www.startpage.com/do/dsearch?query=maldetect recommended scanner
• [pass]: http://www.zx2c4.com/projects/password-store/
• [xdotool]: http://www.semicomplete.com/projects/xdotool/

Passwordstore¶

• https://www.passwordstore.org/

• https://git.zx2c4.com/password-store/

• git-pass for passwordstore: https://gist.github.com/mpasternacki/e308be60eb2a67be080a

• Installation and update:

  git clone https://git.zx2c4.com/password-store ~/Repositories/git.zx2c4.com/password-store
  cd ~/Repositories/git.zx2c4.com/password-store
  git pull
  sudo make install
  

• Assuming Ubuntu Bionic Beaver 18.04:

  sudo apt update
  sudo apt install qrencode
  

• Untested, interesting: Replace the default Firefox and Thunderbird password manager with zx2c4’s pass (unmaintained)