My pretty face [ László Monda's Blog ]
Exploring the cyberspace, one quadrant at a time!
 

Archive for the 'Hacking' Category

Open Hardware Revolution

Sunday, February 14th, 2010

I'm very passionate about open hardware. I've been into FOSS software for a long time, since about 2000 when I completely switched to Linux, but I've only recently become conscious that it's possible for individuals or small groups to create hardware.

Hardware is not that fascinating to me in itself. Sure, lots of big companies create well-designed and quality hardware, Apple being one of the most well known amongst them, but I'll never buy their products because these devices are locked and not designed to be exploited to reach their full potential. Putting OpenWrt into my ASUS WL500GPV2 is the best example I can think of how one can make his/her device a thousand times more powerful and customizable by replacing the stock firmware. Unfortunately, it's necessary to buy closed hardware in most cases because there are not many open alternatives but this situation can change in the future and whenever I can I choose open hardware.

"In the Next Industrial Revolution, Atoms Are the New Bits" is a fascinating read for anyone interested in the open hardware revolution. "Atoms Are Not Bits; Wired Is Not A Business Magazine" has lots of thought-provoking arguments and "Are atoms the new bits?" discusses the mentioned issues even further. I don't really think that open hardware will ever take over the world and will replace closed hardware. The big manufacturers fiercely protect their intellectual property and most consumers couldn't care less whether they can hack a given piece of hardware because they just wanna use the damn thing (with all its shortcomings, being unaware of its full potential).

Hackers are a different breed. There are several hundred open source projects out there, the most relevant ones being present on Harkopen, Open Innovation Projects and Open Manufacturing. Reprap is the flagship project of the revolution and rightly so because it's very rare for the open hardware community to create something this complex and well working, even if the quality of the created models lags way behind the commercial alternatives. I think open hardware is not so widespread because 1) most of the projects are technical minded and aren't practical for the average Joe, 2) most creators are only interested in implementing, not distributing the projects, 3) these teams don't have any marketing / business experience and 4) the economies of scale are against us (until we conquer the world).

I definitely have to work on 3) but the Ultimate Keyboard is gonna be ready in the not too distant future. I don't mind learning non-technical stuff to make it happen.

Installing cx_Oracle on Ubuntu Karmic Koala, 64 bit

Friday, January 29th, 2010

I'm using Oracle 10g, but you're free to download any other versions that you want.

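# -O pins the local file name; otherwise wget may keep the "?download" suffix and the next step won't find the file.
wget -O cx_Oracle-5.0.2-10g-py26-1.x86_64.rpm 'http://prdownloads.sourceforge.net/cx-oracle/cx_Oracle-5.0.2-10g-py26-1.x86_64.rpm?download'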
# We should use alien but it didn't work for me.
rpm2cpio cx_Oracle-5.0.2-10g-py26-1.x86_64.rpm | cpio -id
sudo cp usr/lib64/python2.6/site-packages/cx_Oracle.so /usr/lib/python2.6
# Go to the Oracle Instant Client download page and accept their fucking license, then download Instant Client Package - Basic for version 10.2.0.3, that is instantclient-basic-linux-x86-64-10.2.0.3-20070103.zip
unzip instantclient-basic-linux-x86-64-10.2.0.3-20070103.zip
sudo cp instantclient_10_2/{libclntsh.so.10.1,libnnz10.so} /usr/local/lib
sudo ldconfig

Installing such proprietary shit like Oracle (related software) is a bad experience too many times.

Lock your laptop and turn off display with the touch of a keystroke in Ubuntu Karmic

Tuesday, January 12th, 2010

I think this feature will soon be standard in Ubuntu as many users requested it. It's absolutely mandatory for me because every time I leave my laptop I carry out this action, even at home. Yeah, call me paranoid...

I've written a simple script to deal with the issue:

#!/bin/bash
gnome-screensaver-command -l
sleep 3
xset -display :0.0 dpms force off

You're encouraged to bind it to any key combo. It should work perfectly out of the box but a gnome-power-manager related bug enables the display some seconds or minutes later randomly, so we have to

killall gnome-power-manager

and it should be pretty fine. For those who can't afford to live without gnome-power-manager an alternative (and in my opinion suboptimal) workaround exists.

Joe Grand is my hero

Saturday, December 19th, 2009

About a year ago I became involved in electronics. This was because the development of the Ultimate Keyboard requires strong electronics knowledge, and not only could I not hire anybody (lacking the resources to do so), but I also wanted to understand electronics, and over time, as I read the articles on Hack a Day, I realized how cool electronics really is.

I've been doing software development for a few years and it's always fun, but doing purely software development in itself is not as interesting to me as it used to be. We have a keyboard, a mouse and a monitor, that's mildly interesting. We've also had the Internet for several years, which is much more interesting. What if we create a propeller clock, a line following robot or all kinds of ultra-crazy stuff, both the hardware and software? That sounds to me like the ultimate fun.

Joe Grand is probably the most well-known hardware hacker who became famous as one of the hosts of Prototype This. He is a really cool guy and has tons of interesting materials on his site. I'm grateful for every piece of knowledge that I can learn from guys like him.

nitehawk rocks the house

Saturday, December 19th, 2009

Finally, I got my first laptop a week ago, which I named nitehawk because of its color. It's an Acer Aspire 8935G-874G100BN and I think it pretty much represents the level of hardware integration that can be achieved in 2009. With its 18.4-inch LED LCD screen and its load of impressive features it's almost more like a desktop than a laptop, and it's exactly what I wanted because I change my location on a two-weekly basis and I don't need much mobility other than that.

The first thing I did when nitehawk arrived was to send it back to Acer so they could remove Windows 7 and give me back its price. With everything summed up, including the traversing costs, I earned almost no money, but I didn't do it for the money. This was my gentle gesture to show Redmond that they're welcome to taste my middle finger.

nitehawk's keyboard is as crappy as most laptop keyboards from a typewriting point of view, but I do truly appreciate its overall power efficiency, and suspend and hibernate especially. I carry it in a Targus TCB001EU XL notebook backpack because I couldn't get any other backpack in Hungary that was big enough to hold this beast. :)

Moving my Linode in 3 hours from Dallas to London with one click

Saturday, December 19th, 2009

Oh yeah, Linode has just reached Europe.  Moving from Dallas to London made my ping go from 150ms to 50ms looking from Szeged and the migration couldn't have been easier or smoother.

Thank you Linode staff, you rock!

Fix your mouse as if it were new for $3

Friday, December 18th, 2009

I've just replaced the microswitches of my Logitech MouseMan Optical dual sensor mouse.  I bought it about 6 years ago for about $80 and I was extremely satisfied with it until the switches broke.

Today I managed to get some Omron D2F-01 switches. The original switches are Omron D2FC-F-7N parts but they have been obsoleted. The new switches have a crisp tactile feel which I love, although they are a little bit harder to press than the old ones.

Being able to replace the switches is one of the "secrets" that manufacturers don't want you to know because chances are you wouldn't have to buy any other mouse ever again. There are other temporary fixes to solve the issue, but replacing the switches with new ones is strongly advised.

How to measure the actual memory usage of Linux processes

Tuesday, December 1st, 2009

This is a much harder question than one might think as VSZ and RSS are not accurate.  /proc/{PID}/smaps provides the most accurate information as of Linux 2.6.16.

ps_mem.py is a nice script that summarizes smaps information on a per application basis and gracefully falls back to measure VSZ when no smaps support is found.
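
Added example (not from the original post and not taken from ps_mem.py): a shell function that totals the Rss, Private_* and Shared_* fields of an smaps listing, run on a constructed two-mapping excerpt, to show how much of a process's RSS is memory it shares with other processes. The function names and all sample values are assumptions.

```shell
#!/bin/sh
# Constructed smaps excerpt: one shared library mapping and one private heap.
sample_smaps() {
    cat <<'EOF'
b7e00000-b7f2c000 r-xp 00000000 08:01 4242   /lib/libc-2.10.1.so
Size:              1200 kB
Rss:               1200 kB
Shared_Clean:      1200 kB
Shared_Dirty:         0 kB
Private_Clean:        0 kB
Private_Dirty:        0 kB
0804f000-080a0000 rw-p 00000000 00:00 0      [heap]
Size:               324 kB
Rss:                300 kB
Shared_Clean:         0 kB
Shared_Dirty:         0 kB
Private_Clean:        0 kB
Private_Dirty:      300 kB
EOF
}

# Sum the per-mapping counters (values are in kB). Reads the files given as
# arguments, or stdin when called without arguments.
smaps_summary() {
    awk '
        /^Rss:/                   { rss  += $2 }
        /^Private_(Clean|Dirty):/ { priv += $2 }
        /^Shared_(Clean|Dirty):/  { shr  += $2 }
        END { printf "rss=%d private=%d shared=%d\n", rss, priv, shr }
    ' "$@"
}

# On the sample, only 300 kB of the 1500 kB RSS belongs to the process alone.
sample_smaps | smaps_summary

# On a live system: smaps_summary /proc/$$/smaps
```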

OpenVPN on OpenWrt

Sunday, November 22nd, 2009

cat >> /etc/firewall << END
iptables -t filter -A input_wan -p udp --dport 1194 -j ACCEPT
iptables -I INPUT   1 -i tun+ -j ACCEPT
iptables -I FORWARD 1 -i tun+ -j ACCEPT
iptables -I OUTPUT  1 -o tun+ -j ACCEPT
iptables -I FORWARD 1 -o tun+ -j ACCEPT
END

/etc/init.d/firewall restart

opkg install openvpn
# I don't wanna convert my OpenVPN config to UCI-like format so I just replace the default init script.
mv /etc/init.d/openvpn /etc/init.d/openvpn.orig

cat >/etc/init.d/openvpn <<END
#!/bin/sh /etc/rc.common

START=99

start() {
    openvpn --daemon --config /etc/openvpn/server.conf
}

restart() {
    stop
    sleep 3
    start
}

reload() {
    killall -SIGHUP openvpn
}

stop() {
    killall openvpn
}
END

chmod 755 /etc/init.d/openvpn

# Here, I copy my OpenVPN config to /etc/openvpn
/etc/init.d/openvpn start

# Thanks to the OpenVPN via TUN HowTo for the help. Enjoy!

Streamlined OpenVPN configuration for LANs

Friday, November 20th, 2009

I have a recurring task of setting up OpenVPN for the LANs of small enterprises and adding / removing users. Usually they have a dumb little TP-Link or D-Link router facing the public Internet, we bring a relatively powerful PC to their office and my job is to configure the PC as an OpenVPN gateway (among other things). OpenVPN traffic gets forwarded to our PC through the dumb little router using port forwarding. Well, this is not particularly challenging to me but I was looking for a way to automate this process as much as I can because managing clients can be cumbersome.

Let's clarify the task at hand: An OpenVPN gateway has to be set up for a /24 LAN in order to provide access to all hosts on the LAN. Privilege management will be implemented using PKI. On top of that we'll use tls-auth so the HMAC firewall will only answer if the received packet signature is valid, thus effectively making the OpenVPN service undetectable by any scanning techniques.

The LAN should reside on a class A private subnet (10.x.y.0/24) where x and y should be randomly chosen because it'll minimize the probability of address collision with other subnets used with OpenVPN.

First of all, the PKI should not reside on the server on which the OpenVPN daemon runs for security reasons. I store it on my home partition which is heavily encrypted and regularly backed up. I create a directory under ~/openvpn for every OpenVPN installation where I store the server and client configuration files and the PKI. Only the needed files will be transferred to the server or to the clients.

This post will describe the implementation of the above configuration and will provide a set of scripts to make the task very efficient.

1)  Set up the ~/openvpn infrastructure

mkdir ~/openvpn
cd ~/openvpn

# User credentials will be temporarily published under the directory below for user download.  This should be a trusted host.
# It's probably needless to say but I mention that $PUBLISH_URL should not under any circumstances be listable by the web server.
cat >config <<END
PUBLISH_PATH=yourhost:/var/www/pki
PUBLISH_URL=http://yourhost.com/pki
END

wget http://monda.hu/releases/openvpn-scripts.tar.bz2
tar xjf openvpn-scripts.tar.bz2 -C ~/bin
rm openvpn-scripts.tar.bz2

2) Set up the server directory

cd ~/openvpn
mkdir SERVERNAME
cd SERVERNAME

3) Set up the PKI

mkdir easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa
cd easy-rsa
# Edit all the KEY_* variables in ./vars so you won't have to type them anymore.
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd ..
mkdir ccd

4) Create server configuration

openvpn --genkey --secret ta.key

cat >server.conf << END
mode server
local 10.X.Y.Z
tls-server
dev tun
proto udp
port 1194
client-config-dir ccd
ifconfig 10.8.0.1 10.8.0.2
push "route 10.X.Y.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 10.8.0.0 255.255.255.0
keepalive 10 120
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
log server.log
verb 3
END

# This will be used by the synchronization script to rsync the configuration to the server through SSH.
echo SERVERHOSTNAME > server.hostname

5) Create general client configuration

# This is the client configuration from which all the individual client configurations will be generated.
# Don't touch "username" as it will be automatically replaced with the name of the relevant user during the generation process.

cat >client.conf << END
dev tun
proto udp
nobind
remote OPENVPN-GATEWAY-HOST 1194
client
ca server.crt
tls-auth server-ta.key 1
cert username.crt
key username.key
verb 3
END

6) Add users

openvpn-add-user username1
openvpn-add-user username2
...

# The configuration will be automatically transferred to the server.

7) Publish client credentials

openvpn-publish-user-credentials username1
openvpn-publish-user-credentials username2
...

# Which outputs something like this:
# User credentials are accessible from http://yourhost.com/pki/servername-username1-65378842373270.zip
# User credentials are accessible from http://yourhost.com/pki/servername-username2-10200344763221.zip
# ...

# These URLs are meant to be mailed to the relevant users and removed eventually.

8) Unpublish client credentials

openvpn-unpublish-user-credentials username1
openvpn-unpublish-user-credentials username2
...

# Which removes the relevant files from the server.

9) Revoke client credentials

openvpn-revoke-user-credentials username

# The configuration will be automatically transferred to the server.
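
Added example (not part of the original post and not the openvpn-scripts code): a pre-sync check that enforces the rule stated above, that the PKI stays off the gateway and only the needed files are transferred. It assumes the files meant for the gateway are first collected in a staging directory; that layout and the function names are hypothetical, while the file names come from the server.conf above.

```shell
#!/bin/sh
# Added example: check a staging directory before it is rsynced to the gateway.
# The staging layout and function names are assumptions, not the author's scripts.
# Needs a stat that supports -c (GNU coreutils or BusyBox).

# Print one line per problem found under directory $1.
list_findings() {
    # ca.key, username.key and the like must never reach the gateway; only the
    # keys named in server.conf (server.key, ta.key) belong there.
    find "$1" -type f -name '*.key' ! -name server.key ! -name ta.key |
    while IFS= read -r f; do
        echo "unexpected private key: $f"
    done

    # Every staged key must be accessible to its owner only.
    find "$1" -type f -name '*.key' |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        case $mode in
            *00|0) ;;
            *) echo "key accessible beyond owner (mode $mode): $f" ;;
        esac
    done
}

# Return 0 when the directory is clean, 1 (after printing findings) otherwise.
audit_server_bundle() {
    out=$(list_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo tree: a correct bundle plus a CA key copied by mistake.
demo=$(mktemp -d)
mkdir "$demo/ccd"
touch "$demo/ca.crt" "$demo/server.crt" "$demo/dh1024.pem" "$demo/server.conf"
touch "$demo/server.key" "$demo/ta.key" "$demo/ca.key"
chmod 600 "$demo"/*.key
audit_server_bundle "$demo" || echo "refusing to sync $demo"
rm -rf "$demo"
```

Run it as the last step before the rsync and abort the transfer on a non-zero exit status.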