passwrd.in : Born out of frustration

Once you visit https://passwrd.in, you will know the problem it solves!

Why just blocking port 80 won’t help you

We know HTTP is insecure. Across the web, IANA's assigned port list is used by default, and it says port 80 should carry HTTP traffic, but nothing stops you from running something else, something "non-standard", on port 80.

Anyway, coming to the point: you could be running an HTTP server on port 80, 8080, 8090 or whatever; the HTTP protocol is insecure by design. Since we cannot change the standard use of port 80 everywhere (IPv6 is still on the way even after decades), there are several remediations that can be used to avoid the common problems with HTTP.

  1. Instead of serving anything on port 80/HTTP, use it solely for redirecting to the correct HTTPS/443 URL, as recommended by cio.gov and Let's Encrypt.
  2. Enforce an HSTS policy on your domain. By nature it only takes effect once the client has accessed your domain once. If you don't know what HSTS is, it is just an HTTP header that tells the browser to always open the website over HTTPS.
  3. Blocking or disabling the port doesn't make your server any more secure; in fact it makes things worse.
    1. There is still an open opportunity for a MITM attack. The flaw is in the protocol, not in the implementation of HTTP, which is why anyone can sniff and serve you alternate content even if you have the port blocked on the server.
    2. You make things worse for your users: they won't be able to access your website the way they normally would.
    3. If you serve HSTS headers over HTTP, at least HSTS will be enforced on one hand.
    4. Everywhere you would have to type HTTPS, which people don't do; it is a painful thing to enforce.
  4. It is not about port 80, it is about not using HTTP anywhere. If you have other ports that serve content over HTTP, it is still an issue!
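As an added example (not part of the original post), the Python below checks the two things this list asks for, on constructed sample responses: that the port-80 response does nothing but redirect to https:// on the same host, and that the HTTPS response carries a Strict-Transport-Security header with a long max-age. The one-year threshold is a chosen value, not a standard, and the header is checked on the HTTPS side because RFC 6797 tells browsers to ignore it when received over plain HTTP.

```python
"""Audit the HTTP-to-HTTPS redirect and the HSTS header (added example).

Port 80 should only redirect to https:// on the same host; the HTTPS
response should carry Strict-Transport-Security (RFC 6797) with a long
max-age. The sample responses at the bottom are constructed.
"""
from urllib.parse import urlparse

ONE_YEAR = 31536000  # chosen max-age threshold in seconds, not a standard


def parse_hsts(value):
    """Split an STS header value into directives; None if max-age is missing or malformed."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def audit_http_response(status, headers, host):
    """Findings for a response received over plain HTTP for `host`."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status // 100 != 3:
        findings.append(f"port 80 serves content (HTTP {status}) instead of redirecting")
        return findings
    if status not in (301, 308):
        findings.append(f"redirect is temporary (HTTP {status}); use 301 or 308")
    location = headers.get("location", "")
    target = urlparse(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location!r}")
    elif target.hostname != host:
        findings.append(f"redirect leaves the host: {target.hostname!r}")
    return findings


def audit_https_response(headers, min_max_age=ONE_YEAR):
    """Findings for the HSTS header; browsers honour it only over HTTPS (RFC 6797)."""
    headers = {k.lower(): v for k, v in headers.items()}
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    hsts = parse_hsts(value)
    if hsts is None:
        return [f"malformed Strict-Transport-Security header: {value!r}"]
    findings = []
    if hsts["max_age"] < min_max_age:
        findings.append(f"max-age {hsts['max_age']} is below {min_max_age}")
    if not hsts["include_subdomains"]:
        findings.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    return findings


# Constructed sample exchanges for a host named example.test.
WEAK_HTTP = (200, {"Content-Type": "text/html"})
GOOD_HTTP = (301, {"Location": "https://example.test/"})
WEAK_HTTPS = {"Strict-Transport-Security": "max-age=300"}
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, (status, hdrs) in (("weak", WEAK_HTTP), ("good", GOOD_HTTP)):
        print(label, "http:", audit_http_response(status, hdrs, "example.test") or "ok")
    for label, hdrs in (("weak", WEAK_HTTPS), ("good", GOOD_HTTPS)):
        print(label, "https:", audit_https_response(hdrs) or "ok")
```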

Life : A simple piece of advice

A thoughtful piece of advice given to me long back; just posting it here for general reference, it should work for you too 😉

Stand strong always, may the sun always shine brightly for you after heavy rain.

Anger is paralyzing; it's just the absence of control. You will have no use for it whatsoever.

So be patient and calm, make people quiet with your skills, mindset and behavior; if these three don't work, then don't think your words would matter.

Anonymous, June 2014

PDF Signing using hardware token (DSC) in Python

Hardware-based tokens are widely used in India to generate signed PDFs such as invoices and agreements. We wrote a small Python script to sign invoices automatically, with the token attached to a local server.

Windows drivers are widely available, but Linux drivers are rarely found; eMudhra lists them at https://www.e-mudhra.com/Repository/index.html

You can uncomment print(self.pkcs11.getSlotList(tokenPresent=True)) and print(self.pkcs11.getTokenInfo(1)) in the code to print the token name; for PROXKey the name reported was "WD PROXKey".

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Sign a PDF with a PKCS#11 hardware token (DSC) through endesive."""
import datetime
import os
import sys

import PyKCS11 as PK11
from endesive import pdf, hsm

# PKCS#11 library shipped with the token's driver (see the path table below).
if sys.platform == 'win32':
    dllpath = r'c:\windows\system32\cryptoCertum3PKCS.dll'
else:
    dllpath = '/usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so'

TOKEN_LABEL = "WD PROXKey"  # token name as reported by getTokenInfo()
# Token PIN; read from the environment so it does not have to live in the source.
TOKEN_PIN = os.environ.get("TOKEN_PIN", "12345678")


class Signer(hsm.HSM):
    def certificate(self):
        # Uncomment to discover the slot and token name of your device:
        #print(self.pkcs11.getSlotList(tokenPresent=True))
        #print(self.pkcs11.getTokenInfo(1))
        self.login(TOKEN_LABEL, TOKEN_PIN)
        # CKA_ID of the signing key; only needed when the token holds several
        # certificates and you want to pick one (see the commented check below).
        keyid = bytes([0x5e, 0x9a, 0x33, 0x44, 0x8b, 0xc3, 0xa1, 0x35, 0x33, 0xc7,
                       0xc2, 0x02, 0xf6, 0x9b, 0xde, 0x55, 0xfe, 0x83, 0x7b, 0xde])
        try:
            pk11objects = self.session.findObjects([(PK11.CKA_CLASS, PK11.CKO_CERTIFICATE)])
            all_attributes = [PK11.CKA_VALUE, PK11.CKA_ID]

            for pk11object in pk11objects:
                try:
                    attributes = self.session.getAttributeValue(pk11object, all_attributes)
                except PK11.PyKCS11Error:
                    continue

                attrDict = dict(zip(all_attributes, attributes))
                cert = bytes(attrDict[PK11.CKA_VALUE])
                # The first certificate on the token is used; to select by key id instead:
                #if keyid == bytes(attrDict[PK11.CKA_ID]):
                return bytes(attrDict[PK11.CKA_ID]), cert
        finally:
            self.logout()
        return None, None

    def sign(self, keyid, data, mech):
        self.login(TOKEN_LABEL, TOKEN_PIN)
        try:
            privKey = self.session.findObjects([(PK11.CKA_CLASS, PK11.CKO_PRIVATE_KEY)])[0]
            mech = getattr(PK11, 'CKM_%s_RSA_PKCS' % mech.upper())
            sig = self.session.sign(privKey, data, PK11.Mechanism(mech, None))
            return bytes(sig)
        finally:
            self.logout()


def main():
    date = datetime.datetime.utcnow() - datetime.timedelta(hours=12)
    date = date.strftime('%Y%m%d%H%M%S+00\'00\'')
    dct = {
        "sigflags": 3,
        "sigpage": 0,
        "sigbutton": True,
        "contact": "[email protected]",
        "location": 'India',
        "signingdate": date.encode(),
        "reason": 'Sample sign',
        "signature": 'Madhurendra Sachan',
        "signaturebox": (0, 0, 100, 100),
    }
    clshsm = Signer(dllpath)
    fname = 'sample.pdf'
    with open(fname, 'rb') as fp:
        datau = fp.read()
    # endesive returns the incremental update that is appended to the original bytes.
    datas = pdf.cms.sign(datau, dct, None, None, [], 'sha256', clshsm)
    fname = fname.replace('.pdf', '-signed.pdf')
    with open(fname, 'wb') as fp:
        fp.write(datau)
        fp.write(datas)


if __name__ == '__main__':
    main()
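The script writes the original bytes (datau) followed by endesive's incremental update (datas); the CMS signature inside that update covers everything except the /Contents hex string, as declared by /ByteRange. As an added example, not part of the original post or of endesive, the pure-stdlib check below confirms that the two ByteRange intervals meet exactly at /Contents and end at end-of-file (so nothing was appended after signing) and computes the digest those bytes produce; the signed PDF it runs on is a constructed stand-in, not a real signature.

```python
"""Structural check of a PDF signature's /ByteRange (added example)."""
import hashlib
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]*)>")


def check_byterange(pdf: bytes) -> dict:
    """Report the ByteRange, whether it covers the file minus /Contents, and the
    SHA-256 of the covered bytes (the value a detached CMS signature signs)."""
    br = BYTERANGE_RE.search(pdf)
    ct = CONTENTS_RE.search(pdf)
    if br is None or ct is None:
        return {"signed": False, "reason": "no /ByteRange or /Contents found"}
    a, b, c, d = (int(x) for x in br.groups())
    hole_start = ct.start(1) - 1  # position of '<'
    hole_end = ct.end(1) + 1      # position just after '>'
    problems = []
    if a != 0:
        problems.append("first range does not start at offset 0")
    if a + b != hole_start or c != hole_end:
        problems.append("ranges do not meet the /Contents string exactly")
    if c + d != len(pdf):
        problems.append("second range does not end at end of file (bytes appended after signing?)")
    digest = hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).hexdigest()
    return {"signed": True, "byterange": (a, b, c, d), "covers_file": not problems,
            "problems": problems, "covered_sha256": digest}


def build_sample_signed_pdf(body: bytes = b"%PDF-1.4\n%% constructed sample body\n") -> bytes:
    """Constructed stand-in for datau + datas: a body followed by an incremental
    update with a fixed-width ByteRange and a placeholder hex /Contents."""
    sig_hex = b"00" * 16  # placeholder, not a real CMS blob
    tail_fmt = (b"\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached"
                b" /ByteRange [%010d %010d %010d %010d] /Contents <%s> >>\nendobj\n%%%%EOF\n")
    # First pass with zeros to learn where the hex string lands; the fixed-width
    # numbers keep every offset stable in the second pass.
    draft = body + tail_fmt % (0, 0, 0, 0, sig_hex)
    start = draft.index(b"<" + sig_hex + b">")
    end = start + len(sig_hex) + 2
    return body + tail_fmt % (0, start, end, len(draft) - end, sig_hex)


if __name__ == "__main__":
    signed = build_sample_signed_pdf()
    print(check_byterange(signed))
    print(check_byterange(signed + b"\n%% appended after signing\n")["problems"])
```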

.dll/.so paths for common tokens

  • For Windows the file will be in "Windows\SysWOW64", "WINDOWS\system32" or "WINNT\system32"
  • For a Linux machine the file will be in /usr/local/lib/ or /usr/lib/

Hardware Token Type      | Library file (Windows)                        | Library file (Linux)
SafeSign                 | aetpkss1.dll                                  | aetpkss1.so
eMudhra                  | eMudhra\eMudhra CSPV1.0\wdpkcs.dll            | 1. WatchData/eMudhra_3.4.3/lib/libpkcs11wrapper.so
                         |                                               | 2. WatchData/eMudhra_3.4.3/lib/libwdpkcs_eMudhra_343.so
Trust Key                | 1. TRUST KEY\TRUST KEY CSP V1.0\wdpkcs.dll    | 1. WatchData/TRUSTKEY/lib/libpkcs11wrapper.so
                         | 2. C:\Windows\System32\TRUSTKEYP11_ND_v34.dll | 2. WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so
Belgium eID MiddleWare   | beidpkcs11.dll                                | beidpkcs11.so
Gemalto Cryptocard Token | libgtop11dotnet.dll                           | libgtop11dotnet.so
EPass                    | eps2003csp11.dll                              | (not listed)
Aladdin eToken           | eTPKCS11.dll                                  | (not listed)
Safenet iKey             | dkck201.dll                                   | (not listed)
Starkey                  | aetpkss1.dll                                  | (not listed)
Watchdata PROXkey        | SignatureP11.dll                              | WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so

.dll and .so paths for Windows and Linux.

Why books matter, not just reading

So I am a developer and maker, basically a keen person who is interested in almost everything that sounds logical. The harder something is to understand, the more interested I become in it.

In the current "vast" space of information, I read on average 10-15 articles a day and have been doing so for the last 8 years, but there hasn't been a sense of knowledge satisfaction. If I compare it to my school days, when I used to read through books related to computers, technical but outdated, there is a significant difference in satisfaction. (Do note, I am not debating articles in digital form versus books in physical form here.)

To understand the problem I started by creating a new habit.

Reading books: a few pages as I wake up, a few pages in the evening. (Not a strict goal, but 2 books/month, where each book averages 200 pages and isn't fiction.)

So far it has been good and the satisfaction level is quite high!

But why?

It seems it has to do with us:

  1. We skim, not read. We skim the newspaper for information, we usually skim articles for the information we seek, we skim most content. With time, when the brain sees a similar organization of content, it activates skimming mode.
  2. Information online is volatile. You might find a similar or identical piece of advice everywhere, copied, and in a few days it might disappear; when it is not used, the brain trashes it. We need to see something once in a while to recall it automatically and make it more persistent.

    E.g.: you read a book, keep it somewhere, you might stumble across it someday and open it, check a few things, and your brain will start recalling many events. But how many times do you re-read the same article?
  3. Content doesn't have a sense of authenticity. You come across articles, read them, understand them, but mostly you can't trust the content. How many people spend a month or a year writing an article?
    Articles have one key focus, SEO; even if the content is genuine it should have click baits, keywords etc., but authenticity is not something search engines seek.
  4. Effort is missing. Again, I am not talking about every article, but publishing an article doesn't require much effort, while writing a book takes money, getting a publishing house to agree and years of effort to put thoughts down, because once it is printed, it is printed.

    If you write something wrong, you can't take the book back from people; if there is an error, it will persist for your lifetime. People will judge you by your book and its cover.
  5. Information is not organized. When you get a book, it's always on a specific theme, and all those pages talk just about that. You read related content so that slowly it starts persisting in your brain. And that is how I got a sense of knowledge.

The irony is, this is an article.

This doesn't mean that articles are bad, but I have the following perception of how articles should or shouldn't be:

  1. Not for SEO: yes, check the site; if a lot of the articles are of a clickbait nature they will not actually convey good enough information. If a person is writing articles very frequently, those are there just for the sake of being there.
  2. Should convey meaningful information: nowadays most articles are just DERIVED from some other article; it is a good thing if an article can innovate in some manner or at least put effort into organising certain information.
  3. There is no way but experience: on one hand you should not trust every source and should get information from trusted sources, but on the other a good source doesn't write frequently or on broad topics. With time, if one observes, he/she can come to know how to identify bogus sources.
  4. Refer to official sources for information. Yes, just as in programming there are millions of tutorials, but if I ever want to learn about something new I refer to the official documentation; it doesn't matter how badly it is written, documentation is usually accurate and explains the logic because it is written by the developers, not by content writers with a bleak understanding of the underlying principles. The same goes for everything: if you want to read about some rules, refer to the government-issued rule book; it might not sound good, but it's the best way to have accurate information.

I know this is not a popular blog and there are not a million followers, but since you have read this article, feel free to comment and share what I missed and what else should be incorporated.

Solving the problem of phishing!

Phishing is a never-ending tug of war where one side is only trying to stop the other side from winning: "Attackers are always trying to be innovative while defenders are trying to innovate on the innovation done by defenders."

Ironic as it may sound, this is what it is.

This article is not about blaming some organisation for not doing enough to protect its customers; it is more about the vendors who are trying to defend, while the current time doesn't demand defence. Instead it needs an aggressive attack mechanism, even proactive attacks before damage can be done.

Approach

To solve the problem of phishing, I am proposing an N-step approach.

  1. Get ready with your defenses. Just as in war, first strengthen your defenses. It can be done by proactively doing the following:
    1. Training your employees
    2. Asking the cybersecurity team to be vigilant
    3. Performing vulnerability assessment and penetration testing
    4. DDoS prevention (you might need it; DDoS is cheap these days)
    5. DMARC, cousin-domain monitoring
    6. WAF, SIEM and other stuff
  2. A small attack (to know capabilities)
    1. To get an idea, monitor what type of attacks are originating.
    2. Measure similarity among phishing attacks; you might be able to figure out the active APT groups.
    3. Initiate takedowns, publish something about them in the media (yes, you heard me, more aggressively; see how they react).
  3. Attack the psychology
    1. Setting up a "honeypot" (the honeypot is key; I cannot write the process in detail, but trust me, they are something you will need) to gather information.
    2. Giving the attacker bogus information
    3. You win!

But how? The key part of the approach is psychology: if you attack infrastructure, it can be bought again easily, whereas the success of a phishing attack depends on how good the results are that the attacker gets.

Reasoning

If you have ever conducted an actual phishing attack or observed the programmatic logic, attackers have adopted methods to get 2FA from clients, but only once verified is the data valuable. Let's do some math.

Let's say you are conducting a phishing attack and it costs you $100 to compromise a website or host one; sending an email might cost you $0.001.
Assuming 1/1000 spam emails are clicked, you are technically going to spend $1 per click; let's say 10% of clickers turn into victims. To get useful data you will require $10.

If the captured data is sold in the market at $20 for every good record, you are going to make a profit of $10, excluding hosting cost.

But what if you are getting bogus data, which feels just good but is now useless since 2FA has failed, or maybe the servers are not responding? Overall, if vendors can make the cost of phishing high, only those with the willingness to catch a whale will survive.

Associated friends, companies, and partnerships.

This is a small list of people, products and companies I am currently associated with:

  1. UPADI Vet : A cattle equipment store
  2. Passwrd.in : A simple password generator
  3. blog.jaysinha.me : Blog posts on AI worth reading
  4. thejetboy.com : Awesome blogs on aero
  5. blinkstore.in : Create your own merch store
  6. blog.blinkstore.in : Blogs about creative stores.
  7. mansoorahmad.com

Why the world will never be cooler again!

The article below discusses my point of view in a mixed technical fashion.

…and everyone is aware that hot and cool are relative terms. Long before you touched ice, you never knew what was cooler than water. The moment you touched ice, you immediately altered your definition of cold. Moreover, the definitions of hot and cold are relative to your expectations. Even though you touched ice and it became the coldest thing ever, and you might have started imagining living in an igloo, you never expected to build one in the middle of the Thar.

To give you more of a feel for what I am saying, imagine back in the middle ages a person living in the middle of a desert being introduced to a water cooler; he would say it is the coolest thing. But if we take the same person to Greenland and he stays there for a week, will he feel the same when he comes back? Probably not. Why? Because now he knows there is a cooler place where he can live.

Fast-forward to the near present. Long before, when ACs were just an idea, water coolers were a luxury and fans were the things that gave a chill, while a cool breeze used to give a chill too. Slowly, globalization took over, science innovated, and ACs became reality. Water coolers became more like fans, their cool wind now filled with moisture; fans became dry.

The perception of the world has changed; that's the reason global warming can never be stopped, only slowed. Why?

When you were out in the open, it felt hot. Why? Because recently you were in some cool place. You turn on the fan, still hot; the water cooler, still hot; the AC at 25 C, felt better. You go outside, sit in an AC set to 17, you come back, you feel hot, turn on the AC, set it to 25 C, it is still hot, set it to 17, now it's normal.

All this would feel normal, but this is a loop which, once we are caught in it, is hard to get out of (probably never). Why? Let's dig deeper.

  • AC is cool. Some rich X company gets its rich CEO a cool place with a million-dollar AC.
  • People move in and out, while surviving in the cool breeze of water coolers.
  • They want to enjoy the same cool environment as the CEO; they work hard to get one.
  • Their colleagues want the same, and everyone keeps getting ACs.
  • As ACs got cheaper, more people bought them as a luxury.
  • More than changing people's feeling of hot and cold, it impacted their surroundings.
  • The outside got hotter. Why? Because of the heat emitted by ACs.
  • People lowered the temperature; the heat emitted increased.
  • People lowered it more, and the outside world felt hotter.
  • Eventually the cool breeze can't be cool, because the breeze is hot with the emitted heat.
  • Forcing others to get an AC.
  • Now everyone is in AC, the world is hotter, and we are installing ACs to make it cooler.

Now you can't live without AC, because outside is hotter. It's us making it hotter to make it cooler. The outside will feel hotter day by day, people will lower the temperature, and the world will keep getting hotter because you want it to be cool. The sad thing: it will never end.

What can we do?
One could say move to nature, but it will take a lot more effort to educate everyone on this planet. My suggestion? Sit in an AC room and discuss possible solutions.

IoT Push Button (Like Amazon Dash)

The Amazon Dash button is an incredible piece of hardware and another example of "applied engineering" at Amazon, just like the Kindle.

The inspiration for this project isn't directly derived from Amazon Dash; I wasn't aware of it until I started digging around the internet, but in the end I had to set the performance goal to Amazon Dash, because no other piece of hardware was up to the mark. A detailed teardown of the Dash button can be found here.

So, for "decades" I have wanted to build some piece of hardware which I could dynamically program for any functionality, like playing the next YouTube video, unlocking a door, rebooting a machine, minimizing all open tabs, or whatever, with the push of a button. The button should be portable and independent of any other device for operation.

To meet my requirements I had to rule out BLE or any other radio-based technology that needs a receiver or an additional unit to operate. The ESP-12F is power intensive and somewhat large compared to the ESP-01. The end prototype looked like this and worked as expected.

Below is the list of components I used.

  • 1x LiPo Battery – 150mAh
  • 1x ESP8266-01
  • 1x 1k Resistor
  • 1x Tactile Switch Button

You might require a soldering iron with a fine tip, basic desoldering skills, access to a 3D printer, and an FTDI board or similar setup.

The schematic of the setup would look like below:

The functioning goes like this: we turn on the ESP using the push button, but it takes time to connect to Wi-Fi and authenticate, so we need to keep it on for a fairly long time, which can be done with an output pin. As soon as the ESP turns on, GPIO2 is set HIGH; once the operation is finished, it is set LOW. A few challenges I found on the way (with fixes):

  • Power is very limited, so we need to remove the LEDs from the ESP; this saves a lot of power and increases battery life by almost a fold!
  • You should use a diode and a transistor to limit current; since I am not an electronics nerd I will not comment on it.
  • You should set a timeout period in case you are writing custom logic, else the battery will drain and you will never come to know why!

After soldering, you have to upload the following code, which needs to be tweaked according to your needs, but it has the basic logic:

The code switches to hotspot mode if it cannot connect to Wi-Fi; if it can connect, it makes a connection to the MQTT server, makes an announcement and then shuts down.

#define DEVICE_ID         "YOUR_USERNAME"
#define DEVICE_NAME       "iot-" DEVICE_ID
// Access point opened by the WiFiManager config portal when no known Wi-Fi is found.
// Change the portal password for anything beyond a bench test.
#define WIFI_SSID         "mad-" DEVICE_ID
#define WIFI_PASSWORD     DEVICE_ID
#define MQTT_SERVER       "YOUR_SERVER"
#define MQTT_USERNAME     DEVICE_ID
#define MQTT_PASSWORD     "YOUR_PASSWORD"
#define MQTT_SEND_CHANNEL "pushbutton"
#define MQTT_RECV_CHANNEL DEVICE_NAME

// Set to 1 for TLS to the broker; see the note at WiFiClientSecure below.
#define USE_SSL 0
#define GPIO2 2
#define BUTTON_TIMEOUT 30000   // ms to stay powered before giving up

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>
#include <DNSServer.h>
#include <WiFiManager.h>
#include <PubSubClient.h>
#include <ArduinoJson.h>
#include <stdarg.h>
#include <string.h>

#if USE_SSL
#   include <WiFiClientSecure.h>
// TLS client. Current ESP8266 cores (BearSSL) refuse the handshake unless the
// broker certificate is pinned first, e.g. espClient.setFingerprint("...").
WiFiClientSecure espClient;
#   define MQTT_PORT 8883
#else
WiFiClient espClient;
#   define MQTT_PORT 1883
#endif

void reconnect();
void sendMessage(String action, String data, const char *types, ...);
void powerOff();

PubSubClient client(espClient);
WiFiManager wifiManager;

String DEVICE_FEATURES = "";

void setup() {
  DEVICE_FEATURES += "pushbutton;";
  // GPIO2 HIGH keeps the power stage on while we connect (see schematic).
  pinMode(GPIO2, OUTPUT);
  digitalWrite(GPIO2, HIGH);

  //Serial.begin(9600);

  //  wifiManager.resetSettings();
  // Do not leave the config portal open forever; it would drain the battery.
  wifiManager.setConfigPortalTimeout(BUTTON_TIMEOUT / 1000);
  if (!wifiManager.autoConnect(WIFI_SSID, WIFI_PASSWORD)) {
    //Serial.println("failed to connect, reset and see if it connects");
    delay(1000);
    ESP.reset();
    delay(1000);
  }
  client.setServer(MQTT_SERVER, MQTT_PORT);
}

void loop() {
  // If the time since power-on exceeds the timeout, cut the power.
  if (millis() > BUTTON_TIMEOUT)
    powerOff();
  // If the MQTT client is not connected, connect it back.
  if (!client.connected())
    reconnect();
  client.loop();
}

// Pull GPIO2 LOW so the power stage switches the module off.
void powerOff() {
  digitalWrite(GPIO2, LOW);
}

/**
   Send a JSON message to the server.
   example: sendMessage("hello", DEVICE_NAME, "ksks", "mac", getMacAddress(), "localIP", WiFi.localIP().toString().c_str());
   types is a string of pairs: 'k' (key, char*) followed by the value type
   d : int, l : long, f : double (float is promoted), s : char*
   No char type
*/
void sendMessage(String action, String data, const char *types, ...) {
  StaticJsonBuffer<200> jsonBuffer;
  JsonObject& root = jsonBuffer.createObject();
  root["action"] = action;
  root["data"] = data;

  // Every key needs a value, so the type string must have even length.
  if (strlen(types) % 2 != 0)
    return;

  va_list arguments;
  va_start(arguments, types);

  String key;
  for (int i = 0; types[i] != '\0'; i += 2) {
    // Each pair must start with 'k'; stop on a typo, otherwise the
    // va_list falls out of step with the type string.
    if (types[i] != 'k')
      break;
    key = va_arg(arguments, char *);

    switch (types[i + 1]) {
      case 'd': root[key] = va_arg(arguments, int);    break;
      case 'l': root[key] = va_arg(arguments, long);   break;
      case 'f': root[key] = va_arg(arguments, double); break;
      case 's': root[key] = va_arg(arguments, char *); break;
      default:  break;
    }
  }

  va_end(arguments);  // clean up the list

  char tmp[root.measureLength() + 1];
  root.printTo(tmp, sizeof(tmp));
  client.publish(MQTT_SEND_CHANNEL, tmp);
}

void reconnect() {
  // Loop until we're reconnected or the timeout expires.
  while (!client.connected()) {
    // Broker unreachable: do not sit here draining the battery.
    if (millis() > BUTTON_TIMEOUT) {
      powerOff();
      return;
    }
    //Serial.print("Attempting MQTT connection...");
    if (client.connect(DEVICE_NAME, MQTT_USERNAME, MQTT_PASSWORD)) {
      //Serial.println("connected");
      // Once connected, publish the announcement, then power off.
      sendMessage("hello", DEVICE_NAME, "ksks", "features", DEVICE_FEATURES.c_str(), "localIP", WiFi.localIP().toString().c_str());
      powerOff();
    } else {
      //Serial.print("failed, rc=");
      //Serial.print(client.state());
      //Serial.println(" try again in 2 seconds");
      delay(2000);
    }
  }
}

I hope you enjoyed the article; it wasn't a detailed writeup and I dropped many details, but if you have any questions you can comment or drop me a mail and I will surely help.

Cheap BLE : JDY-08

Disclaimer: this post is based on my experience, which is completely subjective; in no way am I promoting any application or product 😉

I have been trying to get my hands on BLE 4.0 modules for a long time. As always I was looking for a small, cheap solution; the JDY-08 was one I came across, and it seemed just perfect!

JDY-08 Module

It is based on the TI CC2541 SoC: low power consumption, long range, voila!

Below is what most vendors advertise:

  1. Maximum transmit power of 0 dB, maximum transmission distance of 80 meters.
  2. Supports serial, allowing users to modify the device name, service UUID, transmit power and pairing password through AT commands; convenient to use and flexible.
  3. Ultra-low standby power consumption: 400uA ~ 800uA
  4. Ultra-long connection distance: 100 ft / 60 m
  5. Fast reaction speed: 0.4 seconds. For Apple and Android. Receive with no byte limit, up to 6K Bytes/sec.

I quickly ordered 10 pcs without a second thought.

Below is what you should keep in mind:

  1. Datasheet, documentation: everything is in Chinese! Cool!
    Luckily, a few folks did a translation: https://docs.google.com/document/d/14mHWT3GhELCj-6yxsam0k5bjzazq8nnPoz4B_gYh04k
    Also, check http://forum.arduino.cc/index.php?topic=432074.0 because this is the only helpful resource on the web.
  2. Firmware is broken, at least for me; another user confirmed the same in the Arduino thread above.
  3. No other support.
  4. Non-standard board pitch; you cannot use header pins.

But it is good in many ways:

  1. Small size, thin, light: cool!
  2. If you have used the HC-05 or HC-06 for transparent communication, here you can use a GATT terminal for transparent communication.
  3. Very low power consumption: from my tests, I found 0.5mA consumption.
  4. Long range: up to 30 meters without optimization.
  5. iBeacon mode works fine, but power consumption was 0.5mA.

I was unable to test further, as I could only use the GATT write and notify methods; the AT commands to change the mode and device name failed, and even AT+RST returned ERR.

You can use the following tools to test:

Below is the schematic I followed: