Categories
Password Projects ProjectSuccess

Rolling My Own Password Manager (Part 2)

Continuing the review of how I implemented my own password manager, this is part two.  If you’d like to read part 1, you can do so here.  For somewhat obvious reasons I am not going to share the product name or the specific details about my implementation broadly here.  I would be glad to provide a bit more information: if you are so interested, leave a comment below and I can reply to your question directly.

I picked a product that fit the following desirables:

  • Standalone install on my own server – does not rely upon any third party
  • Open source and more than 10 years old.  Reasonably active developer community, penetration tested and uses proven encryption algorithms.
  • The installation was modular allowing me to customize the front- and back-ends I wanted to use.
  • The solution has logging in place so I can monitor log in attempts.

Stumbling Blocks

I mentioned in part 1 that I had two remaining control deficiencies, which I can share now as I have those patched up.  The first issue was a silly mistake.  I had uploaded into my password manager the username and password for the server that hosts the password manager itself.  The issue here is that if the password manager was ever breached and the data stolen, by including the credentials of the host server, a malicious actor could then delete the password manager itself, leaving me in a world of hurt.  I have since deleted those credentials.

The second issue I realized was that I never had a certificate attached to the server leaving me vulnerable to possible man-in-the-middle attacks.  Since one of the pleasures of using a password manager is that I can log in to copy/paste my credentials from my laptop or phone, the chance of using the password manager on a public access point is pretty high.  So I signed up for a free certificate from Let’s Encrypt to encrypt all the traffic.  My host made it extremely easy to apply the certificate.

Learnings

I had a few challenges in this project.  For one thing, I had a really difficult time forwarding all traffic to use https instead of http after I got my certificate installed.

I was finally able to get forwarding to work by adding the following lines to the .htaccess configuration file located at the root of the public directory.

# Redirect every request that arrived over plain HTTP to the same URL over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Second pair as posted: sends plain-HTTP requests for one directory to a fixed path.
# Because the rule above matches every path and carries [L,R=301], the redirect is
# issued before this block is evaluated, so it is not reached for such requests.
RewriteCond %{HTTPS} off
RewriteRule ^(<directory name>.*)$ https://www.domainname.com/sub-directory/sub-directory/sub-directory/etc.$1 [L,R=301]

This was particularly nasty because I had intended to use an .htpasswd configuration on the server to require “double credentialing” – one where you log into the directory containing the password manager and one where you log into the password manager itself.  The forwarding rules and the authentication rules for Apache kept stepping on each other and so I decided to abandon the directory authentication.  I definitely lost a lot of time and effort on this, but since directory level authentication in Apache isn’t really secure anyway, I decided to cut my losses.

Another less challenging but important learning was to turn off web crawling using a robots.txt file.  I realize this provides limited control utility, but why have search engines indexing my password manager?  That only creates more visibility and opportunity for malicious actors to find it and attempt exploits on it.  I know that malware crawlers can and do simply ignore robots.txt configurations, but I also know that utilities like amass use legitimate search engines that do respect robots.txt for intel.  Again, why make it easy?

Amass searches Internet data sources, performs brute force subdomain enumeration, searches web archives, and uses machine learning to generate additional subdomain name guesses.  I am going to do some experimentation with amass on my own servers to get more familiar.

Further Work

This has been a fun project.  I have learned a lot and vastly improved my web security and habits.  I have a few more ideas that I plan to work on related to the password manager:

  • I am going to minify the entire application by removing any reference to its name or any other identifiers in the source code.  It will still be possible for bots to fingerprint my use of the application, but it will take more work for any malicious actors because the basic search phrases and configurations won’t work on my instance.
  • I am still not pleased with the complexity of the passwords I used for the front and backends to communicate – so I’ll add more hardening there.  I am also in the process of turning two factor authentication on for all of my assets and need to finish up activating the last few.
  • I also need to come up with a backup plan for two factor authentication in the event that my phone is lost or broken.
  • I am going to experiment with John the Ripper to test the encryption and try to crack my own passwords.
  • I would like to set up a service to download my log file every few minutes, compare it, and send me a text message whenever there is new activity.  That way I am aware of any brute force login attempts that did not originate from me or any other approved user.
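The log-polling idea in the last item, worked through as an added Python example that is not code from the post or from the password-manager product (whose name the author withholds). It assumes the web server writes Apache combined-format access logs, that the login endpoint is POST /vault/login (an assumed path; the real one depends on the product), and that the owner's approved addresses are known; the sample log lines and the approved-address list are constructed for the example. The script remembers how far it read on the previous download, parses only the lines beyond that point, and builds the text-message summary for login attempts from addresses that are not on the approved list.

```python
import re

# Constructed sample lines in Apache "combined" log format; not taken from the post.
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Mar/2018:21:04:12 +0000] "POST /vault/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [10/Mar/2018:21:04:15 +0000] "POST /vault/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"\n'
    '198.51.100.4 - - [10/Mar/2018:21:05:01 +0000] "POST /vault/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [10/Mar/2018:21:05:40 +0000] "POST /vault/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"\n'
    '192.0.2.9 - - [10/Mar/2018:21:06:10 +0000] "GET /robots.txt HTTP/1.1" 200 20 "-" "bot"\n'
)

# Client address, timestamp, request line and status code of a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed values: the login path depends on the product in use, and the approved
# addresses are whatever the owner and other approved users connect from.
LOGIN_PATH = "/vault/login"
APPROVED_IPS = {"198.51.100.4"}


def parse_line(line):
    """Return the fields we care about, or None for a line that does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def new_entries(log_text, offset):
    """Compare the freshly downloaded log with where the previous run stopped.

    `offset` is the character position processed last time; only lines beyond it
    are parsed. The new offset is returned so the caller can store it. If the
    file is shorter than the stored offset it was rotated, so start over.
    """
    if offset > len(log_text):
        offset = 0
    chunk = log_text[offset:]
    entries = [e for e in (parse_line(l) for l in chunk.splitlines()) if e]
    return entries, len(log_text)


def login_attempts(entries, approved_ips=APPROVED_IPS, login_path=LOGIN_PATH):
    """Group login POSTs by source address, ignoring approved addresses.

    Assumption: a 2xx/3xx response to the login POST means the login succeeded;
    anything else counts as a failed attempt. Adjust to the product's behaviour.
    """
    summary = {}
    for e in entries:
        if e["method"] != "POST" or e["path"] != login_path or e["ip"] in approved_ips:
            continue
        stats = summary.setdefault(e["ip"], {"failed": 0, "succeeded": 0, "last_seen": e["ts"]})
        if 200 <= e["status"] < 400:
            stats["succeeded"] += 1
        else:
            stats["failed"] += 1
        stats["last_seen"] = e["ts"]
    return summary


def alert_text(summary):
    """Render the short message that would go out by SMS; empty when nothing new."""
    if not summary:
        return ""
    parts = [f"{ip}: {s['failed']} failed, {s['succeeded']} ok (last {s['last_seen']})"
             for ip, s in sorted(summary.items())]
    return "Password manager login activity: " + "; ".join(parts)


def check_once(log_text, offset, approved_ips=APPROVED_IPS):
    """One polling cycle: parse the new lines and return (message, new_offset)."""
    entries, new_offset = new_entries(log_text, offset)
    return alert_text(login_attempts(entries, approved_ips)), new_offset


if __name__ == "__main__":
    msg, pos = check_once(SAMPLE_LOG, 0)
    print(msg or "no new activity")
    msg, pos = check_once(SAMPLE_LOG, pos)   # same file downloaded again: nothing new
    print(msg or "no new activity")
```

In a real deployment the stored offset would live in a small state file between runs, the log would be fetched over SFTP rather than embedded, and the print call would be replaced by whatever SMS gateway is in use. Note that the summary is per address rather than per line, so a burst of failures from one address arrives as a single message instead of one text per attempt.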
Categories
Password Projects ProjectSuccess

Rolling My Own Proper Password Manager (Part 1)

On previous posts here I shared my poor hygiene when it comes to password management (reusing the same password and not having passwords complex enough). I’m really happy to say I’ve made some major improvements. I’ve been meaning to roll my own password manager and I had a few requirements in mind.

1.) I wanted to host the web application myself on my own server so I could access it from any device and share access with my spouse.

2.) I wanted a password management application that would make it easy to generate maximum complexity usernames and passwords that I could copy and paste.

3.) I wanted the password manager to be free standing and not rely on any cloud or external services outside the scope of one of my servers.

4.) I wanted an open source solution, relying on established encryption protocols.

The primary attack vector that I am guarding against is breaches at the various third party sites I use – take the recent breach at MyFitnessPal as an example. This impacted me personally due to too much password-reuse. I am on a quest to eliminate both password and username re-use as well as start enabling two factor authentication on my email and sites with my financial assets. I am not concerned, primarily, about the physical security of my devices – which means I use Chrome and allow the passwords to be saved and even allow Chrome to sync across devices.

Overall the solution has a pretty nice experience. I use my password manager to generate random usernames and passwords and then copy and paste them when I need to. Chrome then saves the username and password and I don’t have to worry about it again.

In this post I am not going to share which solution I picked, where I installed it, or what customization I made in this post. I still have two control gaps in the solution I have implemented. I will share more details once I have those patched up in the next couple of weeks.

Categories
Projects ProjectSuccess Terminal TurboTerm

TurboTerm: The (Re-)Birth of My First Open Source Project

A quick note to mention I authored my first open source project today.  Not only was it a great chance to breathe some life into an old project of mine, but a chance to officially get comfortable using Git and GitHub.  More work and learning to do, but I am very proud to have a working (on Linux, anyway) terminal configuration utility.  I have included a todo file to capture the enhancements I plan to make. Enjoy!

TurboTerm is a simple terminal configuration file that makes the terminal more user friendly and welcoming to novices.

TurboTerm on GitHub.

Categories
chromebook chrx Projects ProjectSuccess Ubuntu Uncategorized

Dual Boot GalliumOS on a Chromebook

I had some success running Ubuntu on my Chromebook through Crouton, but I started running into issues. My hypothesis is that since aspects of the Linux kernel are shared between ChromeOS through chroot with Crouton, I couldn’t get a clean installation of Apache to run. I assume this was due to permissions. So I set out on yet another Linux adventure to do a true installation of Linux on the Chromebook.

I found a nice utility called chrx that made the installation very straight forward.

Installing Linux via chrx onto a new (or freshly recovered) Chromebook is a two-phase process:

The first phase reserves space on your SSD or other storage device for the new operating system, and then reboots.

The second phase installs your chosen distribution, and configures the new system according to your selected options.

The installation proceeded smoothly by typing the following into the terminal to run chrx:

cd ; curl -Os https://chrx.org/go && sh go

Then follow the on-screen instructions to prepare your Chromebook for installation.

Stumbling blocks

I have a Bay Trail Chromebook. I should have paid more attention. I did not notice this the first time I installed, so even though the install went smoothly, when I pressed CTRL + L to launch into Ubuntu it was non-responsive and booted back into ChromeOS. The issue was that I needed to update my firmware. I found this nice firmware update script. I chose the first option, which installed the RW_LEGACY firmware with a newer/working/customized version of the SeaBIOS firmware payload, and then I was good to go: Ubuntu loaded nicely.

A second issue I ran into was that the full Ubuntu 16.04 install was just a bit too resource heavy for my now discontinued Acer Chromebook. Chrx comes with a variety of different distro installation options. I chose to go with GalliumOS. Gallium is built on Ubuntu and optimized for Chromebooks plus it has a very clean design.

My install of Apache, PHP, MySQL, and MongoDB all went smoothly so I have a nice and pretty responsive development environment. I have not really booted into ChromeOS since installing Gallium.

Thanks to reynhout for their work on chrx, MrChromeBox for the firmware script, and hugegreenbug the founder of the Gallium project. This is another example project demonstrating the remarkable power of open source software.

Categories
Books

Book Review: Divine Direction

A book as big as your head!
Divine Direction: 7 Decisions That Will Change Your Life written by Craig Groeschel broke down seven decisions you need to make: Stop, Start, Go, Stay, Serve, Connect, and Trust. The book interweaves well-known biblical stories to demonstrate aspects of the decision. Overall, this book was topical and a quick read, and a good tool to do some self reflection. The seven decisions, in general, are good things to keep in mind day-to-day.
Unfortunately, the book lacks depth and substance. I can’t recommend it.

Categories
Analog Open Source Truck Projects ProjectSuccess

The Open Source Truck

The open source equivalent in a truck.

I went offline for project number 3.  I drive a 1991 GMC C2500 pickup truck.  I’ve owned this beautiful gold truck for about four years.  In its own, non-Internet-y way, the truck itself follows our ground rules.  It was cheap and paid for in cash (Rule #2).  You can buy a laptop for more than I spent on this. Whenever possible I try to do the work on it myself (Rule #1).  In many ways the truck is similar to open source software – it invites you to tinker, learn, and make it better.  It was built in an era when, if you popped the hood, you could actually see all of the mechanics laid out in a (mostly) logical way and without plastic covering everything. Thanks to my father-in-law and Truck-Mentor, Jim, we have done a lot of work together to breathe new life into this truck:

  • Replaced the radiator
  • New tires
  • New battery
  • New brake lines
  • New Bluetooth radio
  • Had the engine rebuilt
  • Cleaned the distributor cap
  • And now, replaced the headlight switch.

This particular project started with my daughter helping me do a quick oil change.  As she says, easy-peasy lemon-squeezie, but we didn’t stop there.  I noticed when I drove home from work on Friday evening that all of my headlights were out.  In being honest with Rule #5, being Honest and Transparent (HAT), I will admit to never having changed a headlight before.  So I thought this would be a simple project to learn.  But, in the back of my mind I thought it was odd that all the headlights were out at once.  I justified this by thinking maybe all the lights burned out slowly over time and I never noticed until they were all out. I did make a mental note though, that the light bulbs might not be the true issue.

I picked up a wonderful and comprehensive Haynes manual for my truck a few weeks back.  I wish I had done this years ago.  It guided me seamlessly through opening up the headlights popping out the old bulbs and dropping new ones in.  After knocking this out, I fired up the lights and…nothing.  My mental note was affirmed.  This was going to be a multi-step project.

It was fun to open up the headlights and replace the bulbs, but it didn’t solve the problem.

At Truck-Mentor Jim’s advice, the next step was to check to see if I had a blown fuse.  I never even thought about cars having fuses, circuits, and circuit breakers, but just like a house, they do.  The fuse box is conveniently located to the immediate left of the steering wheel and the fuses are labeled.  In the Haynes manual it included photos of good and “blown” fuses.  With a pair of needle-nose pliers I visually inspected each fuse to confirm they were all working.

Nothing wrong here. All fuses in good working order.

The fact that all the fuses were in working order was a good sign.  It meant if the bulbs and the fuses were working, the physical switch on the dashboard used to turn off and on the headlights had, after years of wear, stopped working.

The back of the headlight wiring harness: Don’t blame me, I work just fine!

I unscrewed the dash cover and inspected the back of the headlight switch.  No sign of wear on the wiring or the harness.  I took a piece of soldering wire and bridged together the red and yellow wires to complete the circuit and the lights turned on!  This was a huge milestone which meant I could now drive my truck at night, even if I had to jerry-rig a bridge out of a paperclip or soldering wire while I pursued a permanent fix.  Confirmed: the physical dashboard switch had failed.

A quick call to Auto Zone and $13 later and we are good as new.  We are still abiding by Rule #2, as low cost as possible.  I was amazed that Auto Zone had a part that was over 25 years old on hand and in stock and in the right color.  I shared my amazement with the clerk at the store and he said, “We have over $600,000 of inventory in this store and more than $200,000 has never been sold in the six years I’ve worked here.”  A rush of thoughts entered in my mind that he probably should not be sharing the value of the inventory with a random customer, but I was also amazed at what a treasure trove of parts must be tucked away, never to see the light of day.  I also left wondering how Auto Zone makes a profit.

The old headlight switch. It was me, I’m the culprit!

I busted open the old headlight switch and found a gooey, sticky paste.  I’m not sure if someone else opened this up some time in the past and tried to patch it together or if after 25+ years this weird epoxy finally gave out causing the switch to fail.  I closed everything up and we’re back in business.  The truck has a fresh oil change, a couple of fresh light bulbs, confirmed the circuits are all working, and now it has a fresh headlight switch.

Learnings

I should have trusted my intuition when I first started the project.  All the headlights going out at once was a clear sign that something else was wrong.  I should have trusted my intuition and checked the fuses then the switch first.

The Haynes manual is a huge help.  This bad boy guided me through each phase of the project: opening the headlights, finding the fuse box and checking the fuses, and then opening up the dash and replacing the switch.

Stumbling Blocks

This project had a lot of them!  I am finishing up reading Zen and the Art of Motorcycle Maintenance.  I will write about the book in a future post, but it introduces these things called, Gumption Traps, which are so stinking relevant.

A gumption trap is an event or mindset that can cause a person to lose enthusiasm and become discouraged from starting or continuing a project. The word “gumption” denotes a combination of commonsense, shrewdness, and a sense of initiative.

I was challenged by the following gumption traps.  Just being aware of them helped me to move past them and not get frustrated.

  • It was cold in the garage.
  • Garage had too much stuff everywhere which I kept tripping over.
  • I didn’t have the parts so I had to run to the store.  Then I had to run back to the store.
  • One of the headlights had a stripped screw so it was impossible to open up.
  • Rapped my knuckle trying to get a headlight out.
  • As with all things auto repair, the job took more than twice as long as I thought it would.

I did a good job adhering to Rule #4, and not rushing the job.  At the end of the project I cleaned up the garage and put all the tools away.  A small thing I know, but something I have always been terrible at.  In so doing, I consciously avoided creating another gumption trap for my next project.

Categories
Chromium Crouton FileZilla FTP Projects ProjectSuccess Ubuntu

Run Ubuntu Linux on a Chromebook

Project number 2 is in the can! I am now running Ubuntu Linux on my Acer Chromebook in a dual boot environment thanks to Crouton.  Actually, it would be more accurate to say that I am running Ubuntu Linux concurrently and on top of the Chromium kernel. This 11 inch 64 bit Intel white workhorse met my needs for casual browsing since I first bought it in April of 2015.  Great battery life, to boot. But, I expect that in taking on this year of development and the many technical projects I have in mind I need more horsepower.  So, in honoring Rule #2, rather than buying a new laptop or spending any money, I wanted to breathe new life into hardware I already had. Call it the classical approach to technology.  Since Chromebooks are already written on top of the Linux kernel, it made getting going with Linux pleasantly simple.

I followed these instructions and was pleased that more than a year later they still worked without issue.  I chose to install Ubuntu with the Xfce desktop environment because it is fast and light on system resources.  It’s not much of a looker, but it is powerful.  Once I landed in the desktop I fired up the terminal and did a quick

sudo apt-get install filezilla

to install the powerful FileZilla FTP client, a much better experience than the SFTP client, which kept failing in Chrome.  Back in cPanel I created a new FTP user and I finished uploading WordPress.  Back in Ubuntu, I also grabbed Firefox

sudo apt-get install firefox

for a better browser experience and then I logged out.  On logout, Ubuntu closes and you’re brought right back to the session you left in Chrome.  I am loving having the simplicity of Chrome right alongside the power of Ubuntu.  Now whenever I want to launch Linux I hit CTRL+ALT+T to launch the terminal, then:

shell
sudo startxfce4

Learnings

This was my first encounter with Crouton and it was a great experience.  Admittedly, I was unfamiliar with chroot.  From the GitHub, here’s a nice concise explanation and a quick pro/con analysis.

Like virtualization, chroots provide the guest OS with their own, segregated file system to run in, allowing applications to run in a different binary environment from the host OS. Unlike virtualization, you are not booting a second OS; instead, the guest OS is running using the Chromium OS system. The benefit to this is that there is zero speed penalty since everything is run natively, and you aren’t wasting RAM to boot two OSes at the same time. The downside is that you must be running the correct chroot for your hardware, the software must be compatible with Chromium OS’s kernel, and machine resources are inextricably tied between the host Chromium OS and the guest OS. What this means is that while the chroot cannot directly access files outside of its view, it can access all of your hardware devices, including the entire contents of memory. A root exploit in your guest OS will essentially have unfettered access to the rest of Chromium OS.

Thanks to David Schneider and the other contributors for their generous and amazing work on Crouton.

Stumbling Blocks

A few things were challenging on this project.  I didn’t read the instructions carefully enough the first few times and I had a difficult time getting my Chromebook into developer mode.  The Chrome interface for developer mode was pretty intimidating and the BIOS made some of the scariest beeping sounds I’ve ever heard.  Besides that, this project was pretty straightforward and clean.

I did manage to build more horrible identity management habits by not using a password for my sudo account in Chrome, having a ridiculously guessable password in Ubuntu, and then reusing my same user ID and password for FTP, host, WordPress, and the WordPress database.  Keeping things easy for the hackers.  Just kidding, we are going to address password management in a future project.

Oh yeah, I also had to fight an acute, but strong desire to just buy a more powerful laptop.  Rule #2 grounded me.  I’m glad I fought that urge and enjoyed the classical challenge of giving this laptop a new future.

Categories
cPanel FileZilla FTP MySQL Projects ProjectSuccess WordPress

We landed here, on the internet, safely in one piece!

Our first project is in the can!  I call this project “Make a Website, Start Following Through on Your Development Plan.”

The first step was to find a domain name using Instant Domain Search.  I’ve been using this site for at least 5 years and it remains the fastest and simplest way to find a domain.

I then bought the cheapest hosting plan on Bluehost after hearing an advertisement on The Bill Simmons podcast.  Like Instant Domain Search, I have at least 5 years of experience with Bluehost.  I wanted a hosting plan that was basic, but would let me fully manage and run my own server, including giving me the ability to experiment with a variety of programming languages and databases.  I bought the bare minimum services, opting for just a domain name, some basic hosting, and, for 99 cents, a WHOIS proxy to keep my personal information safe.

The next step was to delete the default WordPress installation that Bluehost sets up, because of Rule #1 (we prefer to build our own), and then I uploaded my own version of WordPress.  I used cPanel to build a new database for the WordPress install.  For some reason, the user privileges on the default MySQL database on Bluehost were not working.  So I created a new database, then created a new database user, linked the two together, and completed the World Famous 5 Minute WordPress install.

After some customizing and minimal-izing, here we are.  Along the way I had an impossible time getting the FTP Client to work on my Chromebook so I upgraded my Chromebook to Ubuntu (more on that in a few days).  I also introduced some horrible password and identity management behavior by reusing a subset of the same username and password combination to try to work fast, a violation of Rule #4.  I plan to clean that up in a future post when I explore using a password manager.

According to Rule #2: we always keep our costs low.  I fared quite well in this area, walking away with a year’s worth of this website for $71.28.

On to project number two in a few days: detailing how I installed Ubuntu Linux on my Acer Chromebook.