Linux User Group of Mauritius Promoting open source software in our beautiful island

28 Jan 2016

LUGM Statement on Ish Sookun

Posted by admin

The Managing Committee of The Linux User Group Meta (Mauritius) notes that one of its members, Ish Sookun, is currently being detained under The Prevention of Terrorism Act. Ish Sookun is a valued member of the LUGM and has actively participated in the promotion of open source software and technology in general in Mauritius. The Association appeals to the authorities for the investigation to be conducted in accordance with all laws and also taking into consideration the rights of all parties while safeguarding public interest.

Filed under: Uncategorized

27 Dec 2015

Tell your SSL vendor to randomize the serial number of your certificate !

Posted by logan

Are you using SSL for your business ?

Like many of you, we rely on SSL for checking our mail and doing bank transfers. As I said previously, local banks reduce the amount of money spent on paper by actively encouraging clients to use Internet Banking. I have the latest Android on my mobile phone, and I can connect to Internet Banking using the latest security technologies. However, not everybody can afford the latest Android smartphone. A lot of people are still using Android KitKat in Mauritius. If tomorrow MCB or SBM decide to deprecate SHA-1 for their SSL (a hash algorithm which is getting dangerously weak) and go with SHA-256 (a more secure hash algorithm) only, a lot of clients might not be able to connect to Internet Banking. Why ? It's because a lot of widely used software does not support SHA-256 very well.

What can we do with certificates with SHA-1 hash ?

CloudFlare proposed here that certificates generated with a SHA-1 hash should have a randomized serial number, to make it more difficult to forge those digital certificates and impersonate your business. Note that this does not mean that you can relax and stop advising your clients to upgrade their hardware and software. It buys your clients more time to properly budget for the cost of upgrading their hardware and software to be SHA-256 ready.

For example, hackers.mu uses SSL. We asked on our SSL vendor's forum about randomizing the serial number. We recommend that banks such as MCB and SBM ask their SSL vendors about the possibility of randomizing the serial number, with 20-bit entropy. Any other business that relies on SSL should consider making the same request to its SSL vendor. If your SSL vendor flatly refuses, then you have a reasonable argument for moving to another SSL vendor.
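One way to check whether a vendor's serial numbers are guessable, as an added example that is not from the post or from CloudFlare: given serials in issuance order, it measures by how many bits a counter-style guess (previous serial plus previous step) misses the next one. The sample serials are constructed, the helper names are hypothetical, and the 20-bit threshold is the figure the post asks for.

```python
MIN_ENTROPY_BITS = 20  # the figure the post asks vendors for


def parse_serial(text):
    """Accept 'serial=04D2' (as printed by openssl x509 -noout -serial) or colon-separated hex."""
    hex_part = text.split("=")[-1].replace(":", "").strip()
    return int(hex_part, 16)


def guess_error_bits(serials):
    """Bit length of the worst miss of a counter-style guess over the history."""
    if len(serials) < 3:
        raise ValueError("need at least three serials in issuance order")
    worst = 0
    for a, b, c in zip(serials, serials[1:], serials[2:]):
        guess = b + (b - a)  # assume the CA repeats its last step
        worst = max(worst, abs(c - guess))
    return worst.bit_length()


def is_predictable(lines, min_bits=MIN_ENTROPY_BITS):
    """True when the naive guess lands within 2**min_bits of every next serial."""
    return guess_error_bits([parse_serial(line) for line in lines]) < min_bits


# Constructed samples (not taken from any real CA), oldest first.
COUNTER_CA = ["serial=04D2", "serial=04D3", "serial=04D5", "serial=04D6"]
RANDOM_CA = [
    "serial=7A3F9C1D5E8B2046",
    "serial=1B6D4E0FA3C97852",
    "serial=E4920B7D6C1F38A5",
    "serial=5C08F1A2D97E346B",
]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_CA), ("random", RANDOM_CA)):
        bits = guess_error_bits([parse_serial(s) for s in sample])
        print(name, bits, "predictable" if is_predictable(sample) else "ok")
```

A result above the threshold only shows that this one simple guess fails; it does not prove the serials come from a good random source.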

Filed under: tls

25 Dec 2015

Wrong advice on Tor Usage from hacklog.mu

Posted by logan

Hacklog.mu presentation on Tor

Hacklog.mu has a presentation on Tor on the following page. On the same page, SM mentions that HTML5 elements could be used to leak information about an Internet user even with Tor. This is correct. Several developers were aware of the problem, and there were plans to fix this in Orweb. See this URL for details. This vulnerability was reported in 2013, and fixed in the same year. The presentation, by hacklog.mu, took place in 2014.

Firefox as the solution ?

Hacklog.mu uses Firefox from the Google Play Store, and configures it to work with Tor. From a security perspective, Firefox leaks more metadata than Orweb or Tor-browser, because it lacks the patches that Orweb has. In fact, if you look at Tor-browser, you will realize that it's a modified version of Firefox, with a number of patches added to protect the privacy of the users. Those patches are not in Firefox. Those patches provide several additional layers of security that Firefox on Android DOES NOT provide. The Tor project constantly reworks the patches for their Tor-browser and applies the same design principles in Orweb/Orfox. See the design requirements for Orweb, Orfox and Tor-browser here. We tested with Orweb & Orfox, and neither leaks, according to browserleaks.org. It is highly questionable to use Firefox, even with a mobile proxy, as by default, Firefox is not designed to be as secure as Orweb, Orfox, and Tor-browser.

Conclusion

We recommend Internet users who want to remain anonymous to use orweb/orfox on Android and Tor-browser on their PCs instead of Firefox, and avoid the example presented on hacklog.mu. ^-^

Filed under: security

24 Dec 2015

Find user IP address with Cloudflare & Nginx

Posted by Ish

A content delivery network (CDN) is a distributed network of servers that delivers content, typically webpages, to users based on their geographic location. A CDN would serve you from a less distant location on the network.

CloudFlare provides such a CDN service. A friend recommended that I use CloudFlare around a year or so ago, and I do not regret accepting.

CloudFlare Global Network, Source: cloudflare.com

I noticed considerable performance gain when I switched to CloudFlare.

PING hacklog.mu (104.28.11.229) 56(84) bytes of data.
64 bytes from 104.28.11.229: icmp_seq=1 ttl=51 time=114 ms
64 bytes from 104.28.11.229: icmp_seq=2 ttl=51 time=115 ms
64 bytes from 104.28.11.229: icmp_seq=3 ttl=51 time=113 ms
64 bytes from 104.28.11.229: icmp_seq=4 ttl=51 time=113 ms
64 bytes from 104.28.11.229: icmp_seq=5 ttl=51 time=114 ms

--- hacklog.mu ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 113.856/114.509/115.854/0.847 ms

CloudFlare bundles other features, among which the Firewall allows you to set rules for rogue visitors.

Get the user’s IP address with Nginx

CloudFlare proxies requests to your webserver and as such, your webserver log would record CloudFlare’s IP addresses. In order to obtain the user’s IP address in a request, you would need to activate the True-Client-IP Header from CloudFlare’s administration panel. However, that requires an Enterprise plan. It is not available in the free service.

There is one workaround using the ngx_http_realip_module in Nginx. It replaces the client address with the one sent in a specified header field, but only for requests that arrive from the addresses listed with set_real_ip_from. CloudFlare sends the visitor's address in the CF-Connecting-IP field. The technical story can be summed up as follows in the http context of Nginx:

http {

    # Trusted proxies: the replacement header is honoured only when the
    # connection comes from one of these CloudFlare ranges.
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;

    # Header in which CloudFlare passes the visitor's address.
    real_ip_header   CF-Connecting-IP;

    # ... (rest of the http block)
}

The IP addresses specified are those of CloudFlare and they can be obtained here. I suggest checking the page from time to time for updates or you might even monitor changes on the page (^^,) …


Ubuntu & openSUSE come bundled with ngx_http_realip_module. If Nginx is complaining about an unknown directive in your distribution, then you most likely need to compile Nginx with the --with-http_realip_module parameter.

The post Find user IP address with Cloudflare & Nginx appeared first on HACKLOG.
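To illustrate the Cloudflare and Nginx post above, an added example (not code from the post, from Nginx or from CloudFlare): a simplified model of the realip decision, showing that a forged CF-Connecting-IP header is ignored unless the connection comes from a trusted range, plus a check for drift between the configured ranges and a published list. The configuration excerpt, the published list and all function names are constructed for the example, and it handles IPv4 CIDRs only, as in the post.

```python
import ipaddress
import re

# Constructed sample: an abridged copy of the http block from the post.
NGINX_CONF = """
http {
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header   CF-Connecting-IP;
}
"""
# Constructed stand-in for the provider's published list (not fetched, not current).
PUBLISHED = ["103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14", "131.0.72.0/22"]


def trusted_networks(conf):
    """Collect the IPv4 CIDRs named by set_real_ip_from directives."""
    cidrs = re.findall(r"^\s*set_real_ip_from\s+(\d+\.\d+\.\d+\.\d+/\d+)\s*;", conf, re.M)
    return [ipaddress.ip_network(c) for c in cidrs]


def effective_client_ip(peer, header_value, trusted):
    """Simplified model of the realip decision for one request."""
    peer_ip = ipaddress.ip_address(peer)
    if header_value and any(peer_ip in net for net in trusted):
        try:
            return str(ipaddress.ip_address(header_value.strip()))
        except ValueError:
            pass  # malformed header: keep the socket address
    return str(peer_ip)  # untrusted peer: the header is ignored


def range_drift(trusted, published):
    """Return (missing, too_wide) between the config and a published list."""
    pub = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in published))
    cfg = list(ipaddress.collapse_addresses(trusted))
    missing = [p for p in pub if not any(p.subnet_of(t) for t in cfg)]
    too_wide = [t for t in trusted if not any(t.subnet_of(p) for p in pub)]
    return missing, too_wide


if __name__ == "__main__":
    nets = trusted_networks(NGINX_CONF)
    print(effective_client_ip("104.28.11.229", "203.0.113.7", nets))  # via a trusted proxy
    print(effective_client_ip("198.51.100.9", "203.0.113.7", nets))   # direct, forged header
    print(range_drift(nets, PUBLISHED))
```

A range reported as missing means the log records the proxy's address for those requests; a range reported as too wide means the header is trusted from addresses the published list does not cover.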

21 Dec 2015

Juniper backdoor explanation

Posted by logan

A simple explanation of a backdoor

Irshaad Abdool contacted hackers.mu concerning the Juniper vulnerability here. Unfortunately, reverse engineering a firmware image and explaining assembly code doesn't cut it for a lot of the young IT folks :)

The vulnerability

A strcmp() call was inserted. strcmp() is used for string comparisons. If the strings match, you can proceed; if not, you are denied. In this particular case, the call was inserted right before the normal authentication with SSH (or telnet). So you had your normal login, which went through the normal SSH (and telnet) code, but right before that, you had a special user that could log in and bypass the normal SSH and telnet login. That, in summary, is how this vulnerability works.

If you have any questions, please send them to us :)

Filed under: backdoor

19 Dec 2015

Belgacom & the Juniper backdoor in Mauritius

Posted by logan

Juniper Security vulnerability

After Ajay Ramjatan talked about Juniper's latest vulnerability, Hackers.mu decided to dig further to find out which critical infrastructure in Mauritius relies on the affected Juniper series. To make it simple, it's an "authorized code that allows someone to remotely decrypt VPN traffic".

Belgacom in Mauritius

Belgacom is present in Mauritius and is selling bandwidth to various ISPs. It obtained its license in 2012. According to Frederic Jacobs' analysis on gist, Belgacom is affected by this vulnerability. The question which we would like Belgacom to answer is: how much of the Internet traffic from Mauritius is going through vulnerable Juniper equipment ? While looking for a Twitter account for the Mauritian branch, we found none. So we decided to ask Belgacom's main branch, in the hope that they can explain to us what the impact on the Internet in Mauritius is. Our tweet : here .

Let's see where this leads :)

Filed under: backdoor

19 Dec 2015

MaxCDN sponsors GNU Bash logo redesign

Posted by Ish

On 16 December 2015, Chet Ramey, the maintainer of GNU Bash, announced an exciting piece of news: new logo proposals for GNU Bash. The iconic Bash logo seen on the left was taken from tiswww.case.edu/php/chet/bash/bashtop.html.

Depending on the number of votes from the community, one of the below designs could soon sport GNU Bash.

Bash, which is a short form of writing Bourne Again Shell, is a Unix shell that comes bundled in Linux distributions and OS X. Released in 1989, GNU Bash was welcomed as a free software replacement for the Bourne shell.

Unfolding the story behind the Bash logo designs

I had this chat with Justin Dorfman, a fellow designer at MaxCDN, who had the idea of the GNU Bash logo redesign. As Justin explains, MaxCDN encourages its staff to contribute to Open Source in various ways.

Now, Justin is a huge fan of Bash and he adores stickers. Realizing that GNU Bash doesn’t have an attractive logo, he wrote to Chet Ramey in September asking whether he would be okay with MaxCDN sponsoring a logo redesign. Chet gave the green light and Justin also obtained approval for resources from MaxCDN.

Justin says ProspectOne, the company behind jsDelivr and another freelancer were hired for the task. When the proposals were sent to Chet, he chose three designs by ProspectOne but could not further decide which one to select. Therefore they decided to let the final choice be that of the community and Chet sent the announcement on the bug-bash mailing list.

On the first day ~200 votes were recorded. A user by the name ‘anlar’ then posted about voting for the new bash logo on Reddit, which garnered 160 comments. At the time of writing this post over 12,000 votes were recorded, with logo no. 2 earning 79.3% of the votes.

I thank Justin, who gave me an insight into the story behind the new Bash logo. Below are some of the designs that were among the initial proposals.

Is the final GNU Bash logo decided yet? Nah. You still have time to vote for your favorite. Please visit the page, and cast your vote now.

The post MaxCDN sponsors GNU Bash logo redesign appeared first on HACKLOG.

17 Dec 2015

Tor Users in Mauritius

Posted by logan

How many tor users in Mauritius ?

Tor is an anonymizing network that anybody can access for free. It hides your Internet traffic. It is used worldwide by journalists, dissidents, and various groups. The question of the number of Tor users in Mauritius has been on the mind of hackers.mu for a while. We expected around 200 users at most. Upon looking at the Tor statistics, we realised that there are around 700 active Tor users from Mauritius !! We were shocked ! URL here: Tor from Mauritius.

Why is that number so high in Mauritius ?

One of the first acts of Internet censorship in Mauritius occurred in 2007, when ICTA ordered all of the ISPs to block Facebook. We believe that this caused people to get interested in technologies such as Tor that protect their online privacy and prevent censorship.

More cases of censorship ?

It is very likely that we will see more attempts by the government of Mauritius to censor the Internet. ICTA has deployed a blackbox to block child pornography. However, the setting up of the blackbox was shrouded in secrecy as Internet Users were not invited to the public consultation. Hackers.mu has been advocating the use of Tor in Mauritius since day one, on top of our other initiatives such as promoting signal, an SMS/voice encrypted communication medium, which is easy to use. We have also sent patches to Tor & Signal to try to make those privacy tools better.

Conferences about Freedom, Privacy and Security in Mauritius

We would like to see more conferences about protecting the privacy of Internet citizens in Mauritius. The government should implement measures to protect our privacy, as written in the Constitution of Mauritius. The high number of Tor users in Mauritius is a sign that people feel that their privacy is not being respected by the Government of Mauritius.

Filed under: tor

16 Dec 2015

Vote for your favorite Bash logo

Posted by Ish

Chet Ramey, maintainer of GNU Bash, the popular shell that comes bundled with Linux distributions, announced earlier that he received new logo proposals for Bash. In his message on the bug-bash mail list, he invites Bash users to vote for their favorite among the three logo proposals that he received from Justin Dorfman.

New Bash logo proposals, Source: http://imgur.com/RTK89fX

Chet shared a Google form allowing people to cast their vote. I like the second proposal and voted for the same. At the time I voted the form recorded 12 responses, out of which the second logo received 11.

If you’d like to see your favorite logo sport GNU Bash, cast your vote now :)

The post Vote for your favorite Bash logo appeared first on HACKLOG.

16 Dec 2015

Evaluating linphone (Part I)

Posted by logan

Feedback from France

Jean Elchinger wrote to us arguing that promoting signal is not a good idea. Instead, he proposed the idea of linphone for encrypted voice calls. Hackers.mu decided to evaluate linphone, and see if we could recommend it to Internet citizens in Mauritius.

What is Linphone ?

Linphone is a VOIP application that relies on the SIP protocol. Optionally, it supports encryption. However, this is not enabled by default. You can use linphone over wifi or even across 3g/4g networks.

Installation

We grabbed linphone from Google Play Store. The installation went more or less smoothly. We had to create a SIP account, and wait for the registration mail. Once you confirm by clicking on the link in the mail, it takes a few minutes until your account is usable. [linphone could have implemented a "WAITING for account activation" instead of saying "account deactivated". We found this slightly confusing]. Compared to signal, it takes longer to get up to speed. The advantage of linphone is that you can use the same client, as it supports MAC OS X & Linux.

Encrypting our voice calls

As we said earlier, linphone is closer to a VOIP client, and does not enforce encryption by default. Users have to go to settings > network > media encryption and select one of the options available.

Voice quality

We are waiting for other hackers.mu to create their SIP account to test the voice quality. This will be done in a future blog post.

Source code quality

When talking about online security, one of the first things hackers.mu does is to look at the source code and see how well designed it is. In the case of linphone, so far, we find the code to be quite good. We did suggest improvements to the randomization functions, and hackers.mu submitted a patch to the linphone developers. Geeky details here.

Recommendation for the masses ?

Will hackers.mu recommend linphone to Internet Users in Mauritius ? We could recommend it to technically savvy people who distrust Google. However, we feel that the UX & account creation process could be simplified further. Right now, signal is much more user friendly, and thus more suitable for massive user adoption.

Filed under: linphone