Small secure Linux distributions

With the recent news stories about bank accounts being hacked and monies pilfered, we decided to investigate ways to protect our business.

Now the problem is twofold.

Online banking login details

The first is quite obvious, protecting the online banking username and password. It is fairly obvious when someone stands over your shoulder concentrating on memorising your account details. It is also very easy to protect yourself from this approach by, say, locking yourself in a tiny room.

More frightening is key logging software. We’ve on occasion identified key logging software running on a client’s machine in the logs of one of our products. Malware, trojans, virus (whatever the plural may be) and the like easily infect browsers and workstations. We even had articles this week about government spy software in RSA masquerading as a Firefox process collecting end user data. So this is where the problem lies: protecting the details from stealthy criminals thieving all your hard earned cash.

One time passwords

There is a fallacy regarding the cellphones we carry. Banks do not make us aware of this and place the onus on the phone owner to ensure their security. Our cellphone companies do not and have never indicated that SIM cards are secure and securely dished out. So when our banks added OTP SMS messages and claimed we’re all saved, it was a huge lie. A fake ID, a couple of bob, and 30 minutes later a crafty criminal is in possession of a new SIM card on your account. The OTP SMS messages arrive on the new SIM card (as the one in your phone was declared stolen) and Bob’s your uncle: new beneficiaries are created, money transferred, and wailing and gnashing of teeth for the now much poorer individual.

Solutions

The solution is not simple; however, one easy start is to use a small OS that stores no data, runs from RAM and loses all data when the workstation is rebooted.

Wikipedia lists a number of these small distributions: http://en.wikipedia.org/wiki/List_of_Linux_distributions_that_run_from_RAM. So now, when locked in a small windowless room, this ensures no software key loggers are able to steal bank account details. Note the word “software”, carefully placed in the previous sentence. Physical security is the only way to protect yourself from hardware key loggers, which are readily available for purchase on the internet.
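One way to check the "stores no data" property from inside a booted live system, as an added example that is not part of the original post: the script lists mounts that are both writable and backed by a /dev block device, reading input in /proc/mounts format. The function names and both sample mount tables are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Input format is /proc/mounts: device mountpoint fstype options dump pass

# Print "mountpoint device fstype" for each mount that is backed by a /dev
# block device AND mounted read-write, i.e. somewhere data could survive a
# reboot. Options are compared exactly, so "errors=remount-ro" is not
# mistaken for "ro". Network filesystems are out of scope here.
persistent_rw_mounts() {
    awk '
        $1 ~ /^\/dev\// {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") { print $2, $1, $3; break }
        }
    ' "${1:-/proc/mounts}"
}

# Succeeds (exit 0) when no writable block-device mount is present.
is_amnesic() {
    [ -z "$(persistent_rw_mounts "${1:-/proc/mounts}")" ]
}

# Constructed sample: a live system running from RAM off a read-only CD.
sample_live_mounts() {
    cat <<'EOF'
/dev/sr0 /lib/live/mount/medium iso9660 ro,noatime 0 0
/dev/loop0 /lib/live/mount/rootfs squashfs ro,noatime 0 0
tmpfs /lib/live/overlay tmpfs rw,relatime 0 0
overlay / overlay rw,noatime,lowerdir=/lib/live/mount/rootfs,upperdir=/lib/live/overlay/rw 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
EOF
}

# Constructed sample: an ordinary installed workstation.
sample_installed_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
/dev/sdb1 /media/backup ext4 ro,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
EOF
}

sample_live_mounts | is_amnesic - && echo "live sample: nothing persistent is writable"
sample_installed_mounts | persistent_rw_mounts -
```

On a real system, call is_amnesic with no argument to read /proc/mounts. It reports the current state only: root can still remount a read-only disk read-write later.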

We’re experimenting with Tails, a small distro employing the Tor network for anonymity. It’s not ideal, as it forces you to use the Tor network to access the internet securely, which makes the experience slow, and most banks will raise alarm if your bank activity jumps from country to country.

Another possibility is Lightweight Portable Security (LPS) which is a DoD initiative, if I can get it to work…

Synergy

A blast from the past. I just rediscovered the joys of Synergy. I used to use it over a decade ago while still a lecturer at University. I needed a tool, before I finally abandoned Windows for good, to enable me to effortlessly switch between my Linux workstation, Gentoo at the time, and the Windows workstation. I didn’t want an additional keyboard and mouse to confuse my already cluttered academic brain.

In comes Synergy. It allows multiple workstations to be controlled by a keyboard and mouse connected to one of the devices. The mouse will move from the edge of one monitor to the other. Focus follows mouse and the keyboard then inputs on the client. It’s still the same simple application that can run on Linux, Mac and Windows. There is even a client for Android in alpha dev stage, synergyandroid, so as I’m typing this my mouse can seamlessly move from Laptop, to workstation to Android tablet.

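# Every machine that shares the keyboard and mouse
section: screens
    Laptop:
    Desktop:
    AndroidTablet:
end

# Which screen lies beyond each edge; every direction is listed explicitly
section: links
    Desktop:
        left  = AndroidTablet
        right = Laptop

    Laptop:
        left = Desktop

    AndroidTablet:
        right = Desktop
end

# Alternative name under which the Desktop screen is known
section: aliases
    Desktop:
        paul-Desktop
end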

The config file, /etc/synergy.conf, is all too simple to configure for this basic setup. The workstation is the server, and the laptop and tablet are the clients. If one or more of the clients are not available, that edge of the window disappears seamlessly.

Android rom development

I purchased a Toshiba Thrive tablet on the 16th of April. It was rooted in under an hour as the stock Honeycomb is a disaster. Even the Toshiba update to ICS is apparently a disgrace as it’s unstable and little support is forthcoming.

On the Thrive forums, a gent with the nickname pio_masaki and some of his friends put together a fantastic Jellybean rom on Android 4.1.2, which is very stable and in daily use, and he is working on a CM10.1, version 4.2.1, rom which is almost usable as a daily driver.

After flashing a couple of his releases I decided to settle on the Baked black bean rom on 4.1.2. But, I became curious about custom rom development.

Google AOSP documents how to download and build roms for your device.

Above you can see my new workstation chugging away at compiling aosp. It took surprisingly little time.

After 45 minutes I could boot the rom in an emulator. This is obviously not usable on a phone or tablet, but it’s a start. Now the difficult part begins. I’ve asked the dev on Thrive forums if I can use his code as a starting place and hope to hear back from him soon. Figuring the device trees and other profiles out all by myself is a bit much to start off with.

I’ll keep this site up to date with my experimentation.

Byobu, another console window manager

We happened upon Byobu by accident while installing screen this afternoon. I quote from the project home.

It was originally designed to provide elegant enhancements to the otherwise functional, plain, practical GNU Screen, for the Ubuntu server distribution. Byobu now includes an enhanced profiles, convenient keybindings, configuration utilities, and toggle-able system status notifications for both the GNU Screen window manager and the more modern Tmux terminal multiplexer, and works on most Linux, BSD, and Mac distributions.

As with other window managers it is possible to create, destroy and move between windows.

What makes it rather unique is its use of the function keys. This might not seem like much, but it is actually very convenient to operate without obscure <CTRL> key combinations.

I’ve only been playing with it for a couple of minutes but it is a breeze to use. Notice also the time, very valuable and not usually considered in console, and some other system stats at the bottom right.

Back to dvtm

OK, so I’m back to DVTM. So far the only compelling reason I found to use TMUX instead of DVTM was the ability to copy and paste from the terminal, which DVTM didn’t allow. At least, so I thought.

To copy and paste, from an xterm or the console, press and hold SHIFT and block whatever needs to be copied. Once again, to paste, hold SHIFT and press the middle button. Voila!

There is absolutely nothing wrong with TMUX though. I suspect had I started off with it that’s where my preference would’ve stayed. DVTM is just too familiar now.

Another ncurses window manager

I know others have reviewed it as well, but I’m cautiously optimistic about this one.

TMUX provides much of the same functionality as dvtm shown earlier; however, it has a number of features that piqued my interest.

It sports the usual multiple panes, and they are adjustable. However, it allows me to block copy text which dvtm does not allow me (at least on my installation) to do. Below is a useful bar showing the active window.

For me being able to block copy is the most useful difference between the two. If someone knows how to enable that on dvtm please let me know. Other than that both window managers are excellent.

VoIP cheap and simple, sort of… (update)

Small update to my VoIP setup. I discovered a brilliant initiative by Voxbone. iNum offers an international phone number not linked to any geographic location, in essence, a telephone number that should follow you anywhere in the world. I quote from their web site

iNum is an initiative launched by Voxbone, supplier of local telephone numbers to communications services providers and businesses worldwide. Voxbone is a privately held company with offices in Brussels, Singapore and Los Angeles. The iNum.net website aims to inform about the iNum initiative and its members and will centralize the communication between iNum members.

Of course I jumped at the opportunity and got my free number from one of the participating VoIP providers. In my case it’s Localphone. They offer the usual cheap local calls to most international destinations, cheap incoming numbers and free iNums. As with some other providers they will assign you a free iNum without a purchase.

So now I have two phone numbers incoming, one from TelfreeSA for local incoming calls from friends and family, iNum for all international calls and one outgoing through Rynga.

I was very surprised, all the VoIP providers I tested are able to call my iNum, not that I tested that many. Predictably, traditional telcos here do not honour the +883 5100 numbers and fail.

So, my numbers +27 87 750 6002 (SA number so don’t call if you don’t have above mentioned or similar cheap international calling plan) and +883 5100 904 4687 iNum.

VoIP cheap and simple, sort of… (part 2)

Having struggled a bit with version 1 of my VoIP system I decided a new approach was in order. Keep in mind my requirements, somewhat expanded from the initial plan:

  1. I need to be available regardless of my location
  2. No roaming charges
  3. I would like my cellphone number in South-Africa to reach me wherever I might roam.
  4. Cheaper calls than the cell provider offers would be a bonus.
  5. Additional phones around the house would be great too.

The above meant version 1 would’ve been perfect if only I could get chan_mobile to reliably work for extended periods of time. Since I could not quickly stop at the office to restart the Bluetooth link, and disruption is not really acceptable, I abandoned that approach.

I spun up a droplet at DigitalOcean. It is a very cost effective virtual server apparently running on KVM offering 512 MB (I know it’s not a lot) and 20 GB SSD drive. Because it’s a VM in KVM, swap space is possible, making this virtual server very useful for small web hosting, and running an Asterisk server.

At the moment it is hosting this web site, my Asterisk and also has a couple of console apps making mail, gtalk and skype available from any workstation with an ssh client.

My requirements above are met the following way.

  1. To be available regardless of my location I acquired a free VoIP number from FreetelSA. This is the local option to South-Africa. Telfree offers a similar service to the rest of the world however, at the moment their web site seems to be down.
  2. Obviously, no roaming charges apply to VoIP. All I need is a cheap 3G sim card in the country I operate in. If not available there must be wifi available somewhere.
  3. Having my cellphone number reach me in another country on my VoIP turns out to be easier than I expected. I have a positive balance of almost R2k on my phone atm so to help me burn through those all I need to do is forward my cellphone number to the local VoIP number when the phone is not reachable on the MTN network.
  4. Now the cheaper calls are not really a big concern as my phone contract is much bigger than I really need. However, the contract period ends in April so I’d like to have everything in place to reduce my telco costs. I found Rynga offering 120 freedays for every 10 euros purchased. The freedays offer free calls to landlines in most countries and for all other calls local tariffs to most countries competing very favourably with anything MTN or any other local telco can provide. In addition, once my phone number with MTN was verified, calls through Rynga appear to come from my cellphone number.
  5. Additional phones around the house are a breeze with Asterisk as I can add as many sip accounts as I want. At the moment I have one analogue phone in my study, and one VoIP account for my cellphone. I can call between the phones and receive calls.

VoIP cheap and simple, sort of…

While I still enjoy playing with my X less system I also started to play with VoIP. I put together a VM with Asterisk earlier this year to replace the functionality that our VoIP provider was offering, mostly because it is way easier to manage ourselves than to keep asking for changes at the provider. And also, they charge per VoIP number and there really is no need for each and every one of our office phones to have its own number.

Having successfully completed this I decided I’d like VoIP for myself. Specifically, my wife and I are heading off to Europe for our 2nd anniversary in June and I would like to be able to stay in contact.

Asterisk is the obvious way to go. Version 1 of my VoIP server is illustrated below: