Recovering an Ncftp password

October 15, 2007 at 02:25 PM | categories: python, linux

A coworker today asked me for the password to an FTP account we use. I didn't have any idea what it was because I just have it stored in an ncftp bookmark. I looked in my ~/.ncftp/bookmarks file and sure enough it was in there but it was encoded.

For future reference, I just wanted to document here that the password is simply base64 encoded. So it's pretty easy to decode using a bit of Python:

>>> import base64
>>> base64.b64decode("TheEncodedPassword")  # decodestring() was removed in Python 3.9
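The same decoding applied to a whole bookmarks file, as an added example (not code from the original post) for checking which bookmarks hold a recoverable password and whether the file is readable by other users. The comma-separated field order and the `*encoded*` marker are assumptions about the NcFTP bookmark format; the sample data is constructed.

```python
import base64
import binascii
import os
import stat

ENCODED_PREFIX = "*encoded*"  # assumption: marker NcFTP writes before the base64 text
PASSWORD_FIELD = 3            # assumption: fields are name,host,user,password,...

def decode_password(field):
    """Return the clear-text password in a bookmark field, or None if there is none."""
    if not field:
        return None
    if not field.startswith(ENCODED_PREFIX):
        return field  # stored without any encoding at all
    try:
        raw = base64.b64decode(field[len(ENCODED_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return None   # marker present but the payload is not valid base64
    return raw.decode("utf-8", "replace").rstrip("\x00")

def audit_bookmarks(text):
    """Return (bookmark, host, user, password) for every entry that stores a password."""
    found = []
    for line in text.splitlines():
        fields = line.split(",")  # simplification: escaped commas are not handled
        if len(fields) <= PASSWORD_FIELD:
            continue              # header lines and malformed rows
        password = decode_password(fields[PASSWORD_FIELD])
        if password:
            found.append((fields[0], fields[1], fields[2], password))
    return found

def readable_by_others(path):
    """True if group or other has any permission bit set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed sample; "aHVudGVyMg==" is base64 for "hunter2".
SAMPLE = """NcFTP bookmark-file version: 8
Number of bookmarks: 2
work,ftp.example.com,alice,*encoded*aHVudGVyMg==,,/pub,I,21
anon,ftp.example.org,,,,/,I,21
"""

if __name__ == "__main__":
    for name, host, user, password in audit_bookmarks(SAMPLE):
        print("%s: %s@%s stores password %r" % (name, user, host, password))
    path = os.path.expanduser("~/.ncftp/bookmarks")
    if os.path.exists(path) and readable_by_others(path):
        print("warning: %s is accessible to other users" % path)
```

Since base64 is an encoding and not encryption, anyone who can read the file can read the passwords, so the permission check matters as much as the decoding.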

Jungle Disk, Linux, and Mono

October 03, 2007 at 05:17 PM | categories: linux

Jungle Disk is a really neat application that allows you to store/backup files online using the Amazon S3 storage service. Basically it is a really inexpensive, fast and efficient way to save important files and access them from anywhere. On top of all that, it runs on just about every platform I would ever use: Linux, Mac OS X, and Windows. (In no order of preference, oh wait... )

If you're not much into computer science, that's pretty much all you need to know. If you are though, keep reading. :)

Jungle Disk is not open source. This would normally raise a huge dilemma for me. Without it being open source, how can I be absolutely sure that I will be able to retrieve my data in the future? The software could have a lockout feature of some kind hidden inside the application that would prevent me from getting my data. I refuse to be held hostage by stupid software!

(By no means am I an open source zealot purist that only uses free software. I use a few high quality closed source, commercial applications (VMware Workstation comes to mind). I just think that open source software tends to be of much higher quality and is able to mature a lot faster than your typical closed source variety. I also detest software patents.)

Jungle Disk is a bit different. Even though it's closed source, they have released a portion of their code under the GPL: the decoding/retrieval code. What this proves is that your data can be retrieved without any dependence on closed source, secretive software.

But I still don't want to take their word for it. So I set out to compile the code and try it myself. The code is written for Visual Studio (which only runs on Windows), but that's not so much of a problem because the Mono project has brought most of the .NET framework to Linux.

Here's how to compile the Jungle Disk retrieval code on Linux using Mono:

Install the latest version of Mono (I used 1.2.4; 1.2.2.1 didn't have all of the functionality I needed).

Download and extract the source code:

mkdir jds
cd jds
wget http://downloads.jungledisk.com/jungledisk/JungleDiskSourceExample.zip
unzip JungleDiskSourceExample.zip

Compile the code:

gmcs *.cs -r:System.Web -out:jungle_example.exe

Cool! It compiled without warnings or errors.

Now try running it:

mono jungle_example.exe Your_S3_ID Your_S3_Key listbuckets

Error executing command: Error getting response stream (Trust failure): TrustFailure
System.Net.WebException: Error getting response stream (Trust failure): TrustFailure ---> System.Net.WebException: Error getting response stream (Trust failure): TrustFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.

Ouch, we're not accepting the certificate for whatever reason. I don't know much about CSharp at all, but I found a page on the Mono project site that explains the problem and possible solutions. I applied the dumbest of all the possible solutions, which is to ignore the certificate trust issue altogether -- caveat emptor. Here's my patch.

Apply the patch and recompile:

wget http://tinyurl.com/2zutxz -O - | patch -p1
gmcs *.cs -r:System.Web -out:jungle_example.exe

Try running again:

mono jungle_example.exe Your_S3_ID Your_S3_Key listbuckets

If it lists your buckets, it worked!

You can also list files in the directory like so:

mono jungle_example.exe Your_S3_ID Your_S3_Key dir default /
mono jungle_example.exe Your_S3_ID Your_S3_Key dir default /pictures
mono jungle_example.exe Your_S3_ID Your_S3_Key dir default /music

You can retrieve your files like so:

mono jungle_example.exe ID Key getfile default "/Some File.zip" stuff.zip

Streaming my music collection from anywhere.

September 18, 2007 at 11:27 PM | categories: geeky, linux

I'm really in love with MPD. It lets me listen to my music anywhere and lets me use the same interface whether I'm sitting at home or at the office.

Recently I got a Nokia N800 which is great because it has wifi and a great soundcard (even great speakers for a device of this size): it's begging to be a portable WIFI boombox.

The only problem is that MPD only supports Ogg Vorbis through Icecast. Ogg Vorbis is available through ALSA applications on the N800 but most of the applications on the N800 are not ALSA aware, which means that the nice little desktop applet for media streams won't communicate with MPD/Icecast.

I figured out recently that MPD CAN stream in MP3 format (albeit in a bit of an indirect fashion):

MPD -> JACK -> oddcastv3 -> Icecast -> N800

The process was a little bit involved but not too terribly difficult once I figured out the correct pipeline. It's late and I don't really feel like writing up the whole process. If anyone is interested, make a comment and I'll post some more details.


Single sign-on everywhere

July 02, 2007 at 09:35 PM | categories: python, security, linux

Using a single password for every site you visit is really stupid. However, the alternative, making unique and secure passwords for every single site you visit can get tedious and unmanageable quickly.

A long while ago I started memorizing about 10 different passwords of various security levels, thinking that I can mitigate the risk by grouping similar sites together under one password. Memorizing 10 passwords really isn't that hard to do if you're dedicated.. but it still isn't that much smarter than a single password.

Then I started using KisKis, a Java application with which I could store all my passwords in an encrypted form. Although it's very secure and I liked it at first, it became really tedious to create a new entry every single time I made a new account somewhere and then to open the application up and look up the password every time I needed it. Add to that that I had to come up with a way of synchronizing my passwords on all of the machines I use - it became a real pain.

In about 2004, Firefox came along with the ability to store passwords in an encrypted form right inside your browser. What a godsend! Now I can make a new unique password for every site I visit and have the browser remember it for me.

However, I still have one problem. I use a lot of different computers and there is still no easy way to synchronize passwords between firefoxen on different machines.

A couple days ago I found this: PwdHash. PwdHash is a rather ingenious method for generating a unique, secure password for every single site you visit and yet the password is based on a function of a master password and the URL itself, so you don't even need to store the password, you can simply generate it whenever you need it. Almost magic really.

However, I still have a few security related issues with it. I think that it is likely there are websites out there that could implement a keystroke logger in JavaScript or even more likely in Macromedia Flash. So the ideal solution for me is to have the same functionality outside of the browser completely. This isn't so bad when combined with Firefox's ability to cache passwords. To PwdHash's credit, the developers have gone to great lengths to make sure that PwdHash is secure; I'm just paranoid. It's my flaw, not theirs.

So here is my first stab at a PwdHash-like Python application. (Note that this is not compatible with PwdHash. I didn't want to have the temptation of using their software when I'm at some public terminal.) You can run this standalone on any Unix-like OS. (I find it most convenient to have it long running inside of GNU Screen.)

How to run:
  • python site_pass.py
  • The first time it is run you have to create a master password.
  • Now simply enter a URL (either a full URL like http://www.enigmacurry.com or simply enigmacurry.com).
  • It will generate an eight character password for you. Now copy and paste that into your web browser and have Firefox remember the password.
  • If you ever need to look up the password again, simply rerun the application, enter the URL, and you'll get the exact same password back again. Since it is a hash of your master password and the domain name you don't ever have to store the password (except in your browser for convenience). Just generate it again whenever you need it.
  • Do the same for all your other accounts and only look up your password again on other computers that have yet to cache the password.

Now you'll never have to go through the process of "I forgot my password" again!
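The derivation described above, sketched as an added example; this is not the site_pass.py script from the post and will not produce the same passwords. PBKDF2, the iteration count, the alphanumeric alphabet and the stripping of a leading "www." are assumptions chosen for the sketch.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Letters and digits only, so sites that reject punctuation still accept the result.
ALPHABET = string.ascii_letters + string.digits

def site_key(url):
    """Reduce a full URL or a bare host name to one canonical lowercase host."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url        # lets urlsplit() find the host part
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Assumption: www.example.com and example.com should map to the same password.
    return host[4:] if host.startswith("www.") else host

def site_password(master, url, length=8, iterations=100_000):
    """Derive a repeatable per-site password from the master password and host."""
    host = site_key(url)
    if not master or not host:
        raise ValueError("master password and a host name are both required")
    # A deliberately slow KDF: a site that leaks its derived password hands an
    # attacker an offline oracle for guessing the master password.
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                 host.encode("utf-8"), iterations, dklen=32)
    number = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)

if __name__ == "__main__":
    import getpass
    master = getpass.getpass("Master password: ")
    print(site_password(master, input("URL: ")))
```

Eight characters from a 62-symbol alphabet give a little under 48 bits, so the strength of every derived password still rests on the master password.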

One word of caution however. Don't run this on your friend's box or any other place where you don't have full control of the root account. Your master password resides in memory and could be seen by root if he really wanted to.

Also, this is an alpha release (I wrote it in about an hour's time just today). Progressive.com, my car insurance, doesn't like any punctuation in a password. If I find other sites that don't like the generated password I may have to modify the hashing function, which would mean that any passwords created with this version would need to change to use a forthcoming version.

Download

OpenSSH with True VPN

June 14, 2007 at 05:54 PM | categories: python, linux

I've been using port forwarding with OpenSSH for a long long time. I have a very large .ssh/config file where I set up all my remote services. What I did not know until today though was that OpenSSH supports a true VPN mode that makes multiple port forwards unnecessary.

What that means is that I can access my server exactly as I would locally no matter where I am. No fuss... Easy. Sure, there are things like OpenVPN, but ssh is (pre)installed on just about every computer I use.

I've updated my OpenSSH tutorial with all the details, as well as an easy to use Python script for setting it all up. See the heading called "True VPN".
