Friday, March 1, 2013

How I got phished by an 8-year old

I would like to consider myself a tech savvy individual that knows a thing or two about security. But for what its worth I got phished by my 8-year old son. Like all busy parents in this 21-st century, we let our iPad be the Nanny when we want some quiet time in the house. To feel less guilty about this habit of handing a gizmo to keep them occupied, I have severely restricted what they can do with it. We have also secured it with a Pin so either my wife or I can unlock it when we think they can play with it. Now this goes for a week or two and clearly my twins are not too happy about this arrangement. One day while I am busy doing something else one of them asks me to enter the passcode to continue playing and I enter the passcode for him and get back to what I was doing. Later that day, much to my surprise my pin does not work on the iPad anymore and my son has that It-wasn't-me-look on his face which of course means that he has everything to do with it. After some serious you-better-tell-me-what-you-did conversation, he admits he changed the pincode. The little brat made me enter the passcode in the change passcode screen and changed the passcode! While I was pretty mad when it happened, thinking back it was also a proud father moment to get phished by your 8-year old son :). Kids these days.....

Sunday, July 29, 2012

Watch Olympics LIVE -- Roll your own FREE VPN

The Olympic fever is on. Except if you are in the good old U.S of A, you probably just have nausea hearing about the Epic Fail that is the Olympic coverage by NBC. As a cord cutter, I don't have any television service much less Comcast cable. And how can you watch such a global event like this that is all over social media tape delayed, I ask you ?

What follows is a step-by-step tutorial to signup for the free AWS (Amazon Web Services) account and run your own VPN in the Europe region (Ireland) and watch the olympics live from Eurovision Sports Online.

What you need:


  • New AWS account

  • SSH client - Available natively for Mac and Linux, Download Putty for Windows

  • PPTP VPN client - Available natively in Windows, Mac and Linux



Step-by-Step guide:


Launch an EC2 instance in EU West Region (Ireland):


  • Register for AWS (aws.amazon.com) using new credit card and get 1 year of free Micro instance. If you already have an account with Amazon AWS then you are out of luck.This is only for new accounts.

  • Login to AWS management console: https://console.aws.amazon.com/ and go to the EC2 Service

  • On the Left choose the Region - EU West (Ireland)

  • Now click on Launch Instance and choose the Classic Wizard and Continue

  • Choose Ubuntu Server 11.10 from the list and hit the Select button

  • Ensure that the Instance Type is Micro and hit Continue

  • Continue again for the Instance details. You can give it a name like VPN

  • For KeyPairs, Create and Download a new keypair. Keep this safe as you need to use this to login

  • Review and Launch Instance



Install VPN and Configure server


  • After the instance is up, Click on the Security Groups link in the left navigation and choose default Security Group

  • Choose Inbound tab and now add two new rules :

    • Choose SSH for choose a new rule and leave the source as 0.0.0.0 and choose Add Rule

    • Choose Custom TCP rule and set the port as 1723 and source as 0.0.0.0 and choose Add Rule



  • Now that the security group is setup, get the Public DNS: value for that instance from the AWS dashboard.

  • Also get the Public IP address and check if it is showing Ireland as the location in MaxMind's IP to Location database: http://www.maxmind.com/app/locate_demo_ip?ips=[IP address] . This is the database commonly used to deny access to people using their IP address. I had a few instances I brought up that come up as located in New Jersey. So if that happens, terminate the instance and create a new one with the steps above.

  • Use the SSH client of your choice and login to this Instance, you will need to use the keypair .pem file you downloaded above:
    ssh -i /path/to/keypair.pem ubuntu@ec2-xx-xx-xx-xx.eu-west-1.compute.amazonaws.com

  • Do the following to configure your instance:

    $ sudo su
    # aptitude install pptpd

    Add the following to /etc/pptpd.conf
    localip 172.16.0.1
    remoteip 172.16.0.2-100

    - Add ec2 dns server to /etc/ppp/pptpd-options and required 128-bit encryption
    ms-dns 172.16.0.23
    require-mppe-128

    - Add the following to /etc/ppp/chap-secrets . This username and password is what you will use to connect to your VPN
    [username] pptpd [password] *

    - Uncomment the following from /etc/sysctl.conf
    net.ipv4.ip_forward=1

    - Reload configuration
    # sudo sysctl -p

    - Add the following to /etc/rc.local and run it once:
    # sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # sudo /sbin/iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
    # sudo iptables -A FORWARD -p tcp --syn -s 172.16.0.0/24 -j TCPMSS --set-mss 1356
    - restart pptpd:
    # sudo /etc/init.d/pptpd restart




Connect to your VPN and enjoy Olympics LIVE


  • Create a new PPTP VPN in your VPN client and use your Public DNS of the VPN server you just created as the Gateway/Server Address.

  • Enter the username and password you chose above for the VPN and Choose Connect

  • After you are connected go to : http://www.google.com?q=ip and hit Search and it should you the VPNs IP address rather than your ISPs as your Public IP address

  • Now go to http://www.eurovisionsports.tv/london2012 and enjoy live Olympic coverage

Thursday, March 1, 2012

Sequel Pro Bundles to Copy as DBUnit FlatXMLDataSet or XMLDataSet

Sequel Pro (http://www.sequelpro.com/) is the best MySQL UI for the Mac. You can connect to your MySQL running locally or to remote instances over SSH and it has a ton of features. Best of all its free to use but I highly recommend donating (http://www.sequelpro.com/donate/) if you use it a lot. One of the features of Sequel Pro that I put to good use recently was Bundles. Bundles are simple extensions to Sequel Pro that you can write. They execute in many different contexts like when selecting a table, selecting a row in a table etc.

One of the painful things while writing unit tests for database access code is getting your database in a particular state. This requires inserting rows into these tables as part of the test setup. If you use frameworks like DBUnit for Java or PHPUnit for PHP, one would use the FlatXMLDataSet or XMLDataSet to populate these rows. For eg., this is how an employee table might be populated using FlatXMLDataSet:


<dataset>
<employee id="1" name="Steve Jobs" title="CEO" dept="1" />
<employee id="2" name="Steve Wozniak" title="CTO" dept="2" />
</dataset>


This is pretty simple but as you add tables with more columns, you spend quite a bit of time writing these XML files by hand.

If you have tables with BLOB columns, you would need to use XMLDataSet which is even more verbose than FlatXMLDataSet:


<table name="employee">
<column name="id"/>
<column name="name"/>
<column name="title"/>
<column name="dept"/>
<row>
<value>1</value>
<value>Steve Jobs</value>
<value>CEO</value>
<value>1</value>
</row>
<row>
<value>2</value>
<value>Steve Wozniak</value>
<value>CTO</value>
<value>2</value>
</row>
</table>


Obviously nobody wants to do these by hand. In the past I have generated these using DBUnit scripts or using Jailer. I thought it would be easier if I could simply select one or more rows in Sequel Pro and then right click to convert to the appropriate XML format. I have created two different bundles one to Copy as FlatXmlDataSet and another to Copy as XMLDataSet to do just that.

I have submitted a pull request to SequelPro and you can also look at my fork in github: https://github.com/chandraonline/Bundles

To install these bundles:


  • Download CopyAsDataSet-1.0.tgz

  • tar xvzf CopyAsDataSet-1.0.tgz

  • copy the two directories to "~/Library/Application Support/Sequel Pro/Bundles"

  • In Sequel Pro do Bundles->Reload Bundles



Now you can select one or more rows, right click Bundles -> Copy -> CopyAsFlatXMLDataSet or Bundles -> Copy -> CopyAsXMLDataSet and you will have the data in that format in your clipboard.

Thursday, January 6, 2011

Surfing the Web securely on Free Wifi Hotspots

Everyone likes free especially free Wifi. We are all on devices that need an internet connection and we are more than happy to connect to these free Wifi hotspots to get internet access. There is of course a big problem with all this. If your Wifi is not secure (most free Wifi hotspots are not secured by encryption) , anyone that is using the same Wifi connection can snoop on the information exchanged between you (the browser) and the website that you are connecting to. This is ok if you are just surfing the web reading news articles and such or if the website that you are using uses https (where s in https stands for secure). However, we tend to use services like Facebook, Twitter etc that don't use https. There is a firefox plugin firesheep that can actually show you how trivial it is to hijack another person's facebook / twitter account if they happen to be logged into facebook from the same coffee shop you are logged in from.

Obviously I still want to be able to use free hotspots in places like starbucks. To be secure, I typically use the following setup in my mac to keep my stuff off snooping eyes. Here is a very short HOWTO on how to you use an ssh tunnel to do secure web browsing in a Mac (this will work in Windows and Linux as well with small tweaks)

Ingredients:


  • openssh (I installed openssh using mac ports: port install openssh)

  • Firefox add-on called quick proxy (https://addons.mozilla.org/en-US/firefox/addon/1557/)

  • a shell account with ssh access (this could be your hosted account or if you are a geek perhaps a dd-wrt router at home)



HOWTO:


  • Create an ssh tunnel to your server. If you have private/public key pair setup, this will be quick and easy
    /opt/local/bin/ssh -D 9999 user@host

  • Now create a proxy configuration in firefox->Preferences->Advanced->Network->Settings
    Click on the Manual Proxy Configuration and set just the SOCKS host to localhost and Port to 9999

  • Now install the QuickProxy add-on to be able to switch between the proxy being on and off.

  • To avoid people from knowing where you are surfing or from having the malicious one do a DNS phish, change in the following setting by typing in about:config in firefox address bar and then search for network.proxy.socks_remote_dns
    network.proxy.socks_remote_dns = true

  • When you are in an insecure wifi hotspot , simply turn the proxy on in the status bar of firefox. This will make all traffic go through the ssh tunnel created in step 1.

  • Go to http://www.whatsmyip.us to see what the server sees as your IP Address. you will notice that when the proxy is on, all traffic flows through the SSH tunnel (encrypted) and the IP address is different from when you connect directly.



CAVEAT:

  • Remember that only your browser is using the SOCKS proxy.

Sunday, January 31, 2010

OpenVPN on a Jailbroken Iphone

OpenVPN support is one of the things sorely missing from the iphone. And there is very little information about how one could go about getting OpenVPN working even on a jailbroken iphone. There is iopenvpn.com if you are running 2.x and it costs $29. This post is my attempt to fill this gap with step-by-step instructions on how to get openvpn working for free. But please be forewarned that I am not liable for any problems this might cause your iphone. Having said that, I have followed the instructions given below and have been successful in getting access to resources behind the corporate network using OpenVPN. Before we get started, here are some of the pre-requisites:

  • Jailbroken Iphone (I run 3.1.2 jailbroken using Blackrain)

  • Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

  • WinSCP (http://winscp.net/eng/download.php or something similar)

  • OpenVPN certificates and openvpn configuration file (.ovpn). The certificate should not be password protected if you want to use this through SBSettings toggle. There is instructions to take the password off below. The .ovpn file should be renamed conf.ovpn and should also be pointing to the certificates without any path.



Step-by-Step instructions (Please run these as root by doing su root and entering your password)

  • In Cydia: Install Openvpn toggle for SBSettings

  • In your windows/mac assemble your certificate, .ovpn files etc into a local directory

  • rename your .ovpn file to conf.ovpn and add the following two lines to the end of the file. Here is a sample ovpn file. You need to change the remote host, cert details to yours.


  • up /var/mobile/Library/OpenVpn/update-resolv-conf
    down /var/mobile/Library/OpenVpn/update-resolv-conf

  • download the update-resolv-conf

  • Open a WinSCP session and copy all the files you assembled locally to /var/mobile/Library/OpenVpn

  • In the winscp session edit the /var/mobile/Library/SBSettings/Commands/com.offinf.openvpnup and change as follows:


  • #!/bin/sh
    /bin/rm /var/mobile/Library/SBSettings/Toggles/OpenVpn/OFF
    cd /var/mobile/Library/OpenVpn/
    "/usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn" &

  • Open Putty and login to your iphone as root.


  • $ cd /var/mobile/Library
    $ chown -R mobile.mobile OpenVpn
    $ cd OpenVpn
    $ chmod +x update-resolv-conf
    #### If you have a key with password. Remove the password with the command below.
    #### You will be asked for the password one last time
    #### Important: Leaving your certificate without a key is a security risk. Please turn on passcode lock in your settings
    #### This will ensure that if your phone does fall into the wrong hands they cant get into your network.
    $ cp my.key my.key.orig
    $ openssl rsa -in my.key.orig -out my.key
    #### Now test your vpn setup by doing the following:
    $ openvpn-iphone --script-security 2 --config conf.ovpn
    #### You should see it connecting to your vpn server and setting up routes. Try to use Safari to look at something
    #### behind the openvpn server.

  • Reboot your phone for the sbsettings toggle changes to take effect

  • After reboot, open SBSettings and turn on OpenVpn

  • Note: For trouble shooting install top from cydia and run top to see if the toggle spawns the openvpn-ip process.

Monday, April 24, 2006

Web Automated Testing in Ruby (WATIR)

I came across a very cool library in Ruby that allows Web UI testing using OLE automation. One of the problems with running automated tests of Web applications like a end user is the effort it takes to use libraries like Http Unit to setup test cases and execute them as part of your build process. WATIR (pronounced Water) is a ruby library that allows you test you web applications using OLE automation in your windows machine.

This is how it works:

You write unit test cases using WATIR and it actually invokes IE and actually does what a end user would do by entering form data, clicking on links, clicking buttons etc. You can then look at the resulting HTML DOM object and check if the web application did what it is supposed to. This is especially useful for testing multi-page wizard like applications where a lot of data entry is involved.

Here is a Step-by-step on how to install WATIR:

Install Ruby for Windows: http://rubyforge.org/projects/rubyinstaller/ (Look for download link)
Install WATIR: http://rubyforge.org/frs/?group_id=104 (Look for watir 1.4.1.exe)

It is pretty straight forward to create WATIR scripts. But, who wants to write these scripts by hand. You are right, I wouldn't. Instead you can use WATIR webrecorder, which records all your browser actions as WATIR scripts. All you need to do is record your testing once and then refactor it into a test script.

You can also pass -b switch to the WATIR script and it will not open the IE window and will execute the whole test in a headless mode that is ideal for test suites.

There is also another competing tool called Selenium that uses Javascript to drive tests and works across many browsers. I have not used it. But I have heard more people switch from Selenium to WATIR than the other way around.

Thursday, April 13, 2006

Google does Calendar

It has been long rumored that Google was working on a Calendar service and its finally online for everyone to try. The UI is similar to anything Google : very clean and intutive. I use Yahoo Address book and Calendar today and Y!s UI is not as fresh and snappy as Google's but it satisfies one of my key requirements : Being able to Sync-up with my Palm Treo 600. Until Google adds a way to sync up with PDAs through a PC or over-the-air, there is no big reason to switch to this service.