Archive for the ‘en’ Category

Smartphones are total crap [en]

lundi, octobre 16th, 2017

Smart phones, despite their popularity, are overrated pieces of shit. They are unfit for normal everyday use and will let you down at the worst moment you can imagine, regardless of how careful you are with them.

3 phones – all dead

Nokia E51

The first smartphone i had. Bought in 2009 and running Symbian S60, the OS was utterly obsolete when i unpacked the phone. The SSL implementation is broken and forced me to switch from Exim (GnuTLS) to Postfix (OpenSSL) on my mail server so i can be able to send e-mails. Typing text on a numeric keypad is just painful. The web browser is unusable. Updating the phone requires a computer running Windows XP and the Nokia software suite. The battery gave way end of 2011, leaving me with only one short phone call of autonomy. Totally useless nowadays.

Samsung Galaxy Nexus

First foray in the Google ecosystem in mid-2012. I had the Apple iPhone in hand at that time, but the apple walled garden just did not convince me with it’s closedness, so i settled for a more open platform. The software was OK, but the hardware is total shit: the wifi died 9 months after purchase, it was like the wifi chip has been pulled from the phone. Beginning of 2014, i cracked the screen with my belt buckle, but it was still usable. Then, in july 2014, during my holidays, the baseband died: impossible to send or receive phone calls, data, and SMSes. The only radio left working was Bluetooth. Oh, and i received only one system update beginning of 2013, making it totally unsecure nowadays if it was working properly. Utterly useless.

Jolla

Since i was out of phone, i needed a replacement one. The Edward Snowden revelations about mass surveillance made me reconsider which OS my phone would be running. I settled on the Jolla, mainly for being developed and hosted in the European union, despite being manufactured in China. The phone is running SailfishOS, with the DalvikVM to run Android applications. The phone feels cluncky, but is useable. The hardware gave me a lot of issues:

  • The speaker stopped working at random: the only fix was to whack it on the table
  • Bad contact with the battery: The phone rebooted with a battery fully charged
  • The baseband is crashing at random, especially when there is poor coverage. Reboot required to get 3G signal back
  • Bad contact with the USB charging connector: the phone just won’t charge anymore
  • not-so-great camera
  • Very bad android support and the web browser is slow as hell
The aftermath

I was thinking about starting to develop some software for those platforms, turns out they are not worth wasting any time on, except if it can be something simple like a shell script. They are totally insecure by design (in software, in UI design, in hardware, and in general concept), and should not be relied on for anything.

The ideal phone for me has not been invented yet. here are the features i’m looking for in a phone:

  • can survive a 1m drop
  • Can cross 4 countries the same day without requiring a reboot
  • Regular software updates
  • Fully encrypted mass storage
  • Root access and no dependency on third parties, especially the ones in the US (Facebook, Microsoft, Google, Apple)
  • A speaker loud enough so i can hear the ringtone one meter below my ears
  • Dual or triple profile that can be triggered by passcode entry alone (duress mode: a real profile and one or two with fake data, like a TrueCrypt hidden container), so you don’t expose all your data at once to a third party, even under torture.
  • Call filtering: depending on the last profile activated, it will ignore selected calls and/or messages, but will give you everything if you open the « trusted » profile
  • A battery that can last two days on a single charge
  • A decent and well debugged 3G baseband (Yes, 3G: i don’t care about fancy 4G or 5G, give me something stable that works)
  • Fully sandboxed applications (Stop that non-sense of applications that freely access all your data and data from other applications)

For now, i will live without phone. I’m available on several channels (e-mail, IRC, but not facebook). My SIM card will happily live in a 3G dongle, so i can still receive SMS in a limited fashion. Fuck phones, they are a disturbance anyway…

My new phone.

 

Telenet modem and Cisco switch [en]

mardi, avril 25th, 2017

This is one thing among many others i have to say against Telenet: once the modem reboots (and it can be quite often, always requested by Telenet), the port of the switch just shuts down and block all access to the modem. Very embarrassing…

Let’s see what’s going on in the switch via the serial console:

Switch>enable
Switch#show interface status err-disabled

Port Name Status Reason Err-disabled Vlans
Fa0/23 err-disabled loopback
Switch#

Something you need to know about the Cisco is that the switch send keepalive packets down all active ports. When the modem reboots, it’s echoing the keepalive packet back to the switch. The switch freaks out and disable the port, cutting you off the internet.

The solution is pretty easy: all you need to do to is to turn off keepalives for that interface:

Switch#config t
Switch(config)#Interface fa0/23
Switch(config-if)#no keepalive
Switch(config-if)#end 
Switch# copy running-config startup-config
Switch#

Now that we disabled the keepalive,it’s time to re-enable the port. You have to manually shut it down and re-enable it to clear the err-disable state:

Switch#config t
Switch(config)#Interface fa0/23
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end 
Switch#

Enjoy your recovered internet. 🙂

 

Getting started with Juniper SRX platform [en]

vendredi, janvier 6th, 2017

I started to play with the Juniper SRX platform a few month ago. I got a SRX 220 on loan from Rafael and i bought a SRX100 for my experimentations. The JunOS operating system installed on the boxes is heavily based on FreeBSD, so we’re in familar Unix-land. This is going to be fun. 🙂

I have access to lab documentation, but i will not exactly reproduce the setup from the books: there will be some adaptations (mainly about port numbering) that will fit my lab setup, since I will work on those devices from a remote location and i will not enjoy 100% physical access during my exercises. To make matters even more interesting, i still have my old ADSL connection that will be used as a separate internet access.

The default configuration is a simple NATing firewall/router, similar to the one you might expect from a stock OpenWRT installation. There is a web interface, but i will just ignore it, so let’s dig out the Cisco serial cable and connect to the console port.

Configuring the SRXes over serial port is nice, but they are available only in limited quantity on my Terminator server, so we will start by setting up the devices for a more convenient ssh access from my home network. The config statements allow for comments: they start with the character ‘#’ and the commands will be peppered with them, so you can copy-paste huge blocks of text at once.

We will start with the SRX100: the management port is connected to port 7 on the firewall

# Set system root password (REQUIRED)
set system root-authentication plain-text-password 

# Check if config passes
commit check 

# Remove interface from bridge
delete interfaces fe-0/0/7 unit 0 

# Add ssh pubkey
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC98TAUD9PPuzRj5uyHWlxZiXGLm1JI7T2hPNwmW9pU5V/guoJ90VTNQ7lugEoX8HYxB7JC0/RA5ogJBkhcQHIAMIGT6yM7F2zzVv9LadbiMU0KrB2dZVmPKKxi49uqqj+d8zIWTbm4tLf7xdF42kr7c2AUl1kYzaD1ymlAXSavvHTg7y/h2/mZ36F7WZmVwa7Q6iI5Vuca66lauwGgl1ETS2lwneQn+CWDZFMSFDT9TmphR8mpISi8063oTwvvHa/t0bpeQnKltg1iqM2YGTlIGTgXuEWsiAARfF96zhOUAXseA9WHeCTDUITmycFau4+ILxVH47Z6oC11W52BtwIf frederic@pekko"

# Set IP address
set interfaces fe-0/0/7 unit 0 family inet address 192.168.4.60/26

# Put interface into mgmt zone and activate services
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services http
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ping

# save changes
commit

# From now, ssh is available and we can disconnect the serial interface. It won’t be used for the rest of the experimentations unless we need to move the management interface to another port. Now, let’s set up PPPoE…

set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap local-name <YOUR_USERNAME>
set interfaces pp0 unit 0 ppp-options chap default-chap-secret <YOUR_PASSWORD>
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options client
# When using PPPoE, always set MTU to 1492
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
# Explicitly tell to use the PPPoE interface as default route
set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0
commit

At that point, the PPPoE session is established. Let’s check it:

run show interfaces terse

<snip>
...
</snip>
pimd up up 
pime up up 
pp0 up up
pp0.0 up up inet 62.235.222.80 --> 62.235.222.1
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
vlan.0 up up inet 192.168.1.1/24

This looks good ! We have an IP address from our ISP ! Let’s attack the SRX220…

 

Ikea hack: The candle spill guard [en]

samedi, février 21st, 2015

My girlfriend bought a huge candle holder some time ago. Unfortunately, she has a carpet on the whole floor and the candles tend to drip their wax on it, which makes a terrible mess that stick like hell and is a real bitch to clean up.

We could not find any suitable protection in any shop around, until I went to Ikea and I found this.

Carpet protection for desk chair

Okay, I would have preferred something circular instead of a rectangle, but the shortest side length was exactly what i needed. Given the price, i bought two of them and used one under my desk chair, the other was left to be butchered. 🙂

Finishing the cut

Finishing the cut

I marked the center of the sheet and made a hole small enough to snugly fit a small nail. Then the whole thing has been nailed to the side of my table because i lacked some clamps. Of course you will ruin your table doing so, but it was the most reliable way for me to have the roundest shape possible. You should use a piece of scrap wood and extra clamps if you value your table. 🙂

Dremel tool

This is not a drill bit

 

The cutting rig: detail of the "rail"

Detail of the « rail »

Detail of the cutting rig

Detail of the cutting rig: Yes, Dremel, Club Mate and Gaston Lagaffe mix quite well 🙂

The leftovers of the cutting

The leftovers of the cutting

After that treatment, the resulting disc had the edge sanded down to remove plastic shavings and it now look like it was coming straight from the shop.

The finished product in action

Discrete yet effective

This is an old hack that was done 4 years ago. It still look fine today.

askarel.be – 10 years already ! [en]

mercredi, avril 2nd, 2014

Today marks the tenth year of this domain, but my website existed already a year ago under a different name.

Lots of things happened, and the infrastructure evolved with the knowledge gained, while fooling around and screwing up things, here is a timeline of events:

  • 2003: started operating from a small ADSL line at home
  • 2004: Domain askarel.be entered my possession, Zoneedit was handling the DNS zone and the mail reception
  • 2006: First IPv6 experiments, starting with my girlfriend’s home, using a SixXS tunnel
  • 2007: Playing around with a virtual machine running on somebody else server, no great result, service got shut down
  • 2008: First dedicated server at OVH
  • 2009: Dedicated server replaced by something beefier, IPv6 appeared, Partial SSL appeared with a CACert certificate
  • 2011: Joined the DN42 project to learn more about BGP routing
  • 2013: Due to Zoneedit failing to provide IPv6 on their name servers, their US-centric approach, and the Snowden case, i am now handling my own DNS and Email became self hosted.
  • 2014: In the process of replacing the current server, after 5 years of operation, it is time to move on to fresher hardware

The future:

There are many plans in the boxes for the future. The most immediate one will be to replace the SSL certificate by a paid one and go full SSL by default, then i plan to make the infrastructure much more resilient by distributing it: i don’t like the idea of having everything in the same place, even if i have backups. Downtime will hurt.

Mid-term project will be having my own personal cloud, and the long term one will involve AS numbers. 🙂

A puzzle solved. [en]

mercredi, juillet 4th, 2012
Vasco Digipass 810

Vasco Digipass 810

Do you remember when i opened my bank calculator ? Beside replacing dead batteries, i wanted to see what made it tick and eventually replace it by an ordinary smartcard reader and some code running on a computer.

Turns out that other people had the same idea, but they beat me by having put more time and energy into that project and ended up producing something usable.

It’s just a Python script to talk to the card. The usage is very straightforward, here are some examples:

To authenticate with the M1 key and the 23543696 challenge, type the following command:

$ ./EMV-CAP -m 1 23543696
***************************************************************************
Using this software for real financial operations can lead to some risks.
Indeed advantage of using a standalone reader is is to isolate your banking
card from big bad malwares.
Using it in a non-secured reader is taking risk that a keylogger intercepts
your PIN, a malware accesses to your card informations, or even intercepts
your transaction to modify it or operates its own transactions.
***************************************************************************
Are you sure you want to continue?
If so, type 'YES', or anything else to quit:YES
Enter PIN (enter to abort) :
Response: 45108749
$

To sign a transaction the same way than the M2 key with the challenges 09356196 and 345, use the following command:

$ ./EMV-CAP -m 2 09356196 345
***************************************************************************
Using this software for real financial operations can lead to some risks.
Indeed advantage of using a standalone reader is is to isolate your banking
card from big bad malwares.
Using it in a non-secured reader is taking risk that a keylogger intercepts
your PIN, a malware accesses to your card informations, or even intercepts
your transaction to modify it or operates its own transactions.
***************************************************************************
Are you sure you want to continue?
If so, type 'YES', or anything else to quit:YES
Enter PIN (enter to abort) :
Response: 45201783
$

Thank you Jean-Pierre Szicora and Philippe Teuwen, nice work !! 🙂

An update to the wall wart hunting [en]

mercredi, avril 4th, 2012

There was some evolution since that article.

Velleman PSIN30012 with some desk clutter

The Power supply: a Velleman PSIN30012

power supply with brackets

I can has brackets ?

I finally decided to make the brackets and installed the power supply in my apartment.

The power supply can output 25A under 12V, should be enough for my applications at the moment.

I pulled some 6 mm² wires through my apartment, inside the same conduits as the network cables. There is one supply going to the datenklo (the toilet host my network, like at the Chaos Communication Camp) and two independent supplies are going to my desk. They only meet at the terminal blocks.

The power supply has been installed in the cupboard near the fuse box and is protected by a 6A breaker at the primary, sharing the circuit with the doorbell.

power supply in place

Installed and wired

6 mm² wires on the power supply

6 mm² wires on the power supply

temporary cable with XLR 4 pin female connector for the wireless router

Temporary cable with XLR 4 pin female connector

The connectors i use for the 12V power sockets are Neutrik XLR 4 pins, they are much more resilient and safer than cigarette lighter plugs (will be part of a rant in a separate article)

Problems

None so far, the power supply is running smooth and cool, but the fan is noisy like hell !!

My wireless router is running from that power supply and seems very happy about it.

The future

  • I will have to move the power supply to the datenklo: i have a noisy 24/7 ventilation in there. 🙂
  • Still need a way to integrate the XLR sockets with my light switches in such a way that it look like it’s coming straight from the manufacturer. Will be part of a separate article. 🙂
  • Rebuild my media-PC to work straight from a 12V DC source.
  • Connect LED strips to it: my bar and my kitchen will receive a bunch of LED strips.
  • Figure out how to work with pictures in WordPress, this article is a mess !!

Wall wart hunting [en]

mardi, janvier 17th, 2012

I found in my apartment about 10 wall warts and two linear power supplies that give the same (or similar) voltage for my equipment.

Spools of red and black wire with a power supply

Let the hunt begin

I would like to get rid of those power bricks and have a more consistent and centralized setup. I hope to make some savings in the process by using a more efficient oversized switch mode power supply. Another advantage is that if i want an UPS on that line, i just need to connect a SLA battery.

My apartment will be wired with 6 mm² wires carrying 12VDC: one branch go to the networking area, the other two go to my desk.

Let’s lay down some wires !!

Today in the physical mail box [en]

jeudi, juillet 14th, 2011
Package content

Package content

Today i received the GSM shield for Arduino from Open Electronics. I rushed to get a pre-paid SIM card to start playing with the new toy.

I just realised that i don’t have an arduino board yet in my personal toolbox, but i can borrow one from the hackerspace to start experimenting.

I have two projects in mind:

  • mailbox watcher: Since the mailbox is far from my apartment and not within my regular walking path, (and i am a lazy person ;-)), i want the board to send me an SMS when a letter is landing in the mailbox. This is also a nice opportunity to experiment aggressive power saving and see how long can a set of fresh batteries last.
  • Hackerspace door opener: I am also building a motorized lock for the local hackerspace. I don’t know yet what kind of remote control we can use, but it has to be democratic enough. This is not the most original project: the Ghent hackerspace already did it.

Assembly

GSM shield assembled

GSM shield assembled

The shield come as a kit, some soldering is required, but nothing too serious (only through hole components, 2,54 mm pin spacing). In my case, only the switch SW1 was tricky to install.

That’s all for the moment, time to write code.

EPIC FAIL [en]

jeudi, mai 12th, 2011

Ce matin, à vélo, sur le chemin du travail (et pas loin de l’arrivée en plus).

This morning, on the bicycle, on the way to work (and very close to my destination).