Free open source Android operating system Replicant
Replicant OS for Android
Replicant is an open source OS for Android phones. While Android is built on a Linux kernel and claims to be open source, in reality it contains proprietary libraries and drivers necessary for interfacing with the phone’s hardware; these include the GSM radio interface library, Bluetooth firmware, speech recognition and others. Google has allowed vendors to introduce their own closed source binary drivers into the system that the community cannot redistribute, and it also pushes its own proprietary apps into the system, like Google Maps, Gmail and Gtalk.
The Replicant operating system intends to replace proprietary drivers and have Android run 100% free software.

Ghost commander running on Android Fdroid
Because Google Market is proprietary software, Replicant uses a client app released under the GPL license called FDroid that comes with its own repository full of free and open source software (FOSS) apps. It doesn’t include any Google app and comes with alternatives that do exactly the same. You can use Google Market apps in Replicant phones without using Fdroid, but this is not encouraged. Fdroid can also be built in Linaro, a set of tools to help popular Linux distributions run on ARM computers.
Installing Replicant on your phone will void the warranty, eliminate Android OS and erase the data it holds, but if you are a hardcore open source supporter and can risk something going wrong it is probably worth it. Check the list of supported devices on their website.
SFLPhone, a Linux VoIP client with encryption
SFLPhone Linux VoIP softphone review
The SFLPhone is a standards-compliant enterprise softphone for desktop and embedded systems. It has been designed for help desks that handle hundreds of calls a day, and it is also a perfectly suitable Linux VoIP client for the home user; its account setup wizard makes it very easy to open an account with the SFLPhone. The SFLPhone has Gnome, KDE and command line Python clients available for download, it is SIP and IAX2 compatible, and it allows for multi audio conferencing, multiple SIP account support, call logging and a search feature. The SFLPhone has been included in the official Ubuntu repositories.
To streamline calls you can assign shortcuts for pickUp, hangUp, togglePickupHangup, popupWindow and toggleHold. These might not seem like star features to a home user, but in a business environment managing dozens of calls a day, being able to speed up calls by pressing hotkeys will be invaluable and result in considerable time savings. Other useful features are the unlimited number of calls, call transfer and hold, and a call recording function. Support for Pulseaudio means that all other applications, e.g. a music player, will automatically mute when you receive a phone call.

SFLphone Linux VoIP encrypted calls
This Linux VoIP softphone’s address book integrates with Evolution’s Data Server for GNOME desktop users and with KABC for the KDE client. A call feature I liked in the SFLPhone is that you can drag and drop two calls and choose between transferring the call or creating a multi-conference call.
Linux VoIP encrypted calls
You can make secure SIP VoIP calls with zRTP and TLS encryption, voice encryption is done using SRTP, it uses the zRTP protocol to exchange encryption keys (Diffie-Hellman key exchange), the same protocol the Zfone uses and compatible with many other VoIP clients. Negotiation of the encryption keys for Secure Real-time Transport Protocol can be done with SDES too, using the TLS transport layer, SDES has been standardized by the Internet Engineering Task Force (IETF).
How to set up an OpenVPN server easily with GAdmin
How to set up OpenVPN in your server
The easiest way in Linux to set up your own VPN to protect your Internet connection from eavesdropping is using GAdmin OpenVPN Server, a GTK+ client with a GUI that works as an OpenVPN bridge server. You do not need to know too much about the Linux command line or the Vim editor to edit files; once you install GAdmin OpenVPN Server you will be able to configure everything with a quick point and click of the mouse.
GAdmin OpenVPN Server is available via Fedora/Debian packages or by compiling it from source. You will need to have the openvpn and bridge-utils packages installed in your server first; after that you have to install the GAdmin OpenVPN Server software. Search for the word gadmin in the software repository to find it.

GAdmin OpenVPN server software
Once installed you can start using GAdmin via the GUI and configure the server settings. GAdmin OpenVPN Server can create the necessary digital certificates for you and your chosen users. If you want an alternative to GAdmin with more features, other Linux based distributions used as a firewall also have the capability to set up an OpenVPN server using a GUI; some of those distributions are Astaro, Untangle and PFSense.
Privacy live CD: Lightweight Portable Security Review
US Army sponsored Privacy Linux live CD
Lightweight Portable Security (LPS) is a free security Linux live CD made by the Software Protection Initiative department, managed by the USA Air Force Research Laboratory and US Department Of Defence. The Software Protection Initiative is focused on protecting US Department of Defence intellectual property from piracy, tampering and exploitation by rogue nation state opponents.
There might be emergencies that force Government workers to be provided with computers at short notice which opens all kind of possibilities if access to secret information is involved. Lightweight Portable Security live CD enables Department of Defence workers to work from their homes or other locations without leaving any sensitive information behind in unsecured computers.

Lightweight Portable Security Linux live CD
Privacy Linux live CD LPS is a very effective and cheap tool to create trusted endpoints for government employees. This Linux live CD will not install anything on the guest computer as it does not mount the hard drive of the host machine, it will only run from volatile RAM memory and it will bypass any local malware while leaving no record of the session.
This Linux live CD is ideal for those on the road using different computers every week, those conducting financial transactions who do not want to leave traces behind, or for sending sensitive e-mails and browsing sensitive websites from an untrusted computer without leaving a local record of your Internet surfing activities.
What software does LPS-public include?
- IceWM lightweight Linux desktop.
- SmartCard-enabled Firefox browser supporting CAC and PIV cards.
- Remote desktop client that works with RDP or Citrix hosts.
- PDF (xPDF) and text viewer.
- Wireless networking support for many popular WiFi chipsets.
- Support for Adobe Flash.
- Firefox browser plugins for Encryption Wizard, GMail S/MIME and User Agent Switcher.
- Java and Encryption Wizard to deal with files encrypted using AES.
The LPS-Public edition is small, a 124MB image that can fit on a mini-CD, and requires a Pentium II or better processor and 384M of RAM. Due to its simplicity this privacy Linux live CD is also ideal to give out to someone who is a newbie and can get lost with the multitude of software and options included in modern Linux distributions.
There is also a LPS-Public Deluxe ISO image that comes with Open Office and a LPS-Public image that can be used from a USB flash memory stick without mounting the local hard drive, the free public version of Lightweight Portable Security Linux live CD is available for download from the US army Software Protection Initiative website.
How to use Linux command line to clone a hard drive
Command line Linux for hard drive cloning
If you are a Unix command line geek you can clone your hard disk with various Linux programs. This can be quicker if you feel comfortable using the Linux shell. Computer forensics examiners need to use a Unix live CD to clone a hard drive in order to preserve all data from alteration, but unless this is your case you do not need it.
How to clone a hard disk using dd?
To execute dd you should login as root or use the su command.
1- Open Linux terminal window as root.
2- Change appropriate hard disk name, ie sda/sdb and type:
dd if=/dev/sda of=/dev/sdb
3- Cloning a hard drive using dd can take hours depending on size. You can use gzip and save storage space but this will make the hard disk back up even longer.
Copying a hard disk partition using dd
If you don’t want to make a complete duplication of your hard disk the following command will create an image file “disk1.img” in your user’s recovery directory from /dev/sda
dd if=/dev/sda of=~/recovery/disk1.img
To restore a partition or a hard disk from an image file, just exchange the arguments “if” and “of”. For example, restore the whole hard disk from the image file “disk1.img”:
dd if=disk1.img of=/dev/sda
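dd reports nothing about whether the copy is faithful, so a clone should be checked before it is trusted as a backup or as evidence. The following is an added example, not part of the original article: it clones with dd and compares SHA-256 hashes of the source and of the same number of bytes on the destination, which also covers a destination disk larger than the source. The function names are made up for this example, and the demo runs on ordinary files with constructed sample data so it needs no root access.

```shell
#!/bin/sh
# Added example: clone with dd, then check that the copy matches the source.
# Function names are illustrative; the demo uses constructed sample data.

# Size in bytes of a block device or a regular file.
size_of() {
    [ -e "$1" ] || return 2
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# SHA-256 of the first $2 bytes of $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_clone SRC DST
# Returns 0 when the first size(SRC) bytes of DST are identical to SRC,
# 1 when they differ or DST is too small, 2 when a size cannot be read.
verify_clone() {
    vc_n=$(size_of "$1") || return 2
    vc_m=$(size_of "$2") || return 2
    if [ "$vc_m" -lt "$vc_n" ]; then
        echo "verify_clone: $2 is smaller than $1, copy is truncated" >&2
        return 1
    fi
    [ "$(hash_prefix "$1" "$vc_n")" = "$(hash_prefix "$2" "$vc_n")" ]
}

# clone_and_verify SRC DST: dd copy flushed to disk, then verified.
clone_and_verify() {
    dd if="$1" of="$2" bs=4M conv=fsync 2>/dev/null || return 2
    verify_clone "$1" "$2"
}

# Demo on a constructed 1 MiB image file instead of /dev/sda.
demo_dir=$(mktemp -d)
yes 'constructed sample data' | head -c 1048576 > "$demo_dir/source.img"
if clone_and_verify "$demo_dir/source.img" "$demo_dir/clone.img"; then
    echo "clone verified"
else
    echo "clone does NOT match source"
fi
rm -rf "$demo_dir"
```

For a real disk, pass the device names (for example /dev/sda and /dev/sdb) as root, with neither disk mounted read-write while the hashes are computed.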

Linux command line hard disk cloning
How to clone your hard drive using ddrescue?
Also known as Gddrescue in Ubuntu, ddrescue is quicker than ‘dd’, gets better results and it also keeps a log file that records each of the bad blocks found.
1- SystemCdTools includes ddrescue, but otherwise you may have to install ddrescue from the repositories, as many other Linux distributions do not come with it.
2- Open Linux terminal window as root.
3- Change source sda and destination sdb if needed, depending on your hard disk name, then type (the -f option is required because the destination is a device rather than a regular file):
ddrescue -f -v /dev/sda /dev/sdb
If your hard disk has bad sectors, the following ddrescue command line will attempt to recover them:
ddrescue -f -r 1 /dev/sda /dev/sdb rescue.log
NOTE: There is another Unix tool called dd_rescue; do not confuse it with ddrescue. They both enhance dd but are not the same command line.
List of Linux live CDs for hard disk cloning
The easiest way to recover your operating system in case of disaster is by cloning it once a week to an external disk. You will save lots of time tweaking the settings once again if you need to reinstall your operating system.
Main Linux live CD to clone a hard disk
CloneZilla: Clonezilla live is suitable for single machine backup and restore, Clonezilla saves and restores only used blocks in the hard disk, this increases the clone efficiency. This live CD to mirror your hard disk can be a bit overwhelming for newbies not used to Linux.
Redo Backup and Recovery: The system uses minimal space and resources, and the download size is less than 75MB. Easy point-and-click GUI tool for full system backup and recovery, very user friendly.
SystemRescueCD: This Linux live CD is normally used to recover data. You can use it to back up data from a Windows computer that is no longer able to boot, as long as the hard disk is still working; you will just need to mount the partition.
UltimateBootCD: You can use this Linux live CD for hard disk cloning using some of the tools it has, such as CopyWipe, g4u, HDClone, partimage and others. You can also use this Linux live CD for data wiping as it includes hard disk wiping tools such as Darik’s Boot and Nuke (DBAN) and HDDErase.
PartedMagic: This is mainly a Linux live CD used for partitioning but it also includes CloneZilla from the command line.
GRML: For the advanced Linux user, this Linux live CD based on Debian has been designed for the Linux system administrator comfortable with the command line, GRML provides security and network related software, data recovery and forensic tools and many text tools.

GRML Linux screensplash
Computer Forensics live CD to clone hard drive
Frenzy: FreeBSD live CD, it contains software for hardware tests, file system check, security check and network setup and analysis.
Caine: Ubuntu based computer forensics live CD, mainly used to acquire data of a suspected criminal computer but also useful as a back up live CD. User friendly graphical interface.

CAINE computer forensics live CD
DEFT Linux: DEFT is a new concept of Computer Forensic live system that uses LXDE as desktop environment and Thunar file manager and mount manager as tools for device management. It is a very easy to use system that includes excellent hardware detection as well as open source applications dedicated to incident response and computer forensics.
MasterKey: MasterKey Linux live CD is focused on incident response and computer forensics. No installation is required; the forensics system is started directly from a CD/DVD-ROM or USB thumbdrive.
BackTrack: BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester. You can install Backtrack to USB with full disk encryption if needed.
How to set up your own private proxy server for anonymous internet browsing
A Virtual Private Server can work well to set up your own anonymous Internet browsing proxy. A VPS can cost as little as $8 a month, which is roughly the same as a private proxy or VPN provider would charge you, but with you being in full control over the logs and resources on the server, which can be used for other things besides hiding your IP when browsing the Internet, for example IRC chat through the shell with irssi or hosting a website with lighttpd.
You could also open this proxy for friends and even set up your own anonymous proxy business open to the public. You do not need a great knowledge of Unix to do this. I will write down a step by step tutorial; this was done on a Debian server.

Proxy server diagram
1) You will need to install a proxy server on your machine. This example uses micro proxy, a small Unix based HTTP/HTTPS proxy that runs from inetd.
privacydusk# apt-get install micro-proxy
Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
micro-httpd micro-inetd
The following NEW packages will be installed:
micro-proxy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 9838B of archives.
After this operation, 65.5kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main micro-proxy 20021030+debian-5 [9838B]
Fetched 9838B in 0s (24.8kB/s)
Selecting previously deselected package micro-proxy.
(Reading database … 16543 files and directories currently installed.)
Unpacking micro-proxy (from …/micro-proxy_20021030+debian-5_amd64.deb) …
Processing triggers for man-db …
Setting up micro-proxy (20021030+debian-5) …
2) Install xinetd on your server:
privacydusk# apt-get install xinetd
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
xinetd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 147kB of archives.
After this operation, 336kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main xinetd 1:2.3.14-7 [147kB]
Fetched 147kB in 1s (140kB/s)
Selecting previously deselected package xinetd.
(Reading database … 16548 files and directories currently installed.)
Unpacking xinetd (from …/xinetd_1%3a2.3.14-7_amd64.deb) …
Processing triggers for man-db …
Setting up xinetd (1:2.3.14-7) …
Stopping internet superserver: xinetd.
Starting internet superserver: xinetd.
Set micro proxy to run via xinetd (or inetd if you use that instead). Here goes my xinetd.conf file configured to use microproxy:
service microproxy
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
service microproxyssl
{
disable = no
bind = 127.0.0.1
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/micro_proxy
}
3) Force xinetd to start the service for you by adding the following snippet of code in your /etc/services file:
microproxy 2280/tcp
microproxyssl 2243/tcp
Notice that I am using port 2280 for HTTP and port 2243 for HTTPS. You can use any ports you like but make sure they are open in your server. You will also need to comment out any existing entries in /etc/services that try to define the same service ports.
After you have modified /etc/services you will need to restart xinetd for the changes to take effect:
/etc/init.d/xinetd restart
4) Make sure the ports you want to use are open on the server, there are various methods to achieve this:
a) Install lsof and then:
lsof -i -n -P | grep 2280
xinetd 29568 root 5u IPv4 1152793 TCP 127.0.0.1:2280 (LISTEN)
As you can see the line returns listen, this means that port 2280 is open. Change the port in the grep statement for the port you want to check.
b) You can use netstat to check for open ports:
netstat -vatn
privacydusk:/etc# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 64.62.173.51:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:982 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
c) Another method to check for open ports on the server is to scan yourself with nmap:
privacydusk# nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-30 05:21 UTC
5) Once you have installed micro proxy, configured xinetd and edited /etc/services you should be done on the server side. Now it is time to configure your internet browser.
If you are using Opera 9.*, go to Tools>Preferences>Advanced>Network>Proxy Servers now enter 127.0.0.1 port 5000 in the HTTP box and 127.0.0.1 port 5043 in the HTTPS box.
If you are using Firefox 3.* you will need to go to Tools>Options>Advanced>Settings and do exactly the same.
All that is left is setting up the tunnel from the shell. Before you start surfing with your browser, type:
ssh -L 5000:127.0.0.1:2280 -L 5043:127.0.0.1:2243 username@machine.net
machine.net=your hostname, you will need to change the port numbers if you are using different ones.
To surf through the SSH tunnel on a Windows machine without a shell you can use KiTTY.
Firewall:
If you have iptables installed, you will need to instruct your firewall to allow traffic through those ports. The following command will open port 2280 in iptables:
iptables -A INPUT -p tcp -i eth0 --dport 2280 -j ACCEPT
To find out the list of open ports in the firewall use iptables -L:
privacydusk# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:2280
ACCEPT tcp -- anywhere anywhere tcp dpt:2243
Newsgroup dealing with port forwarding: comp.security.ssh
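The xinetd configuration in this tutorial binds both proxy services to 127.0.0.1 and the browser reaches them through the ssh -L forwards, so a quick check after any configuration change is that neither proxy port has a listener on a public address. The following is an added example, not part of the original tutorial: it classifies a port from `netstat -vatn` style output. The function name listener_scope and the sample lines (with documentation address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify who can reach a listening TCP port.
# listener_scope PORT reads `netstat -vatn` style lines on stdin and prints:
#   loopback - every listener on PORT is bound to 127.0.0.0/8 or ::1
#   exposed  - at least one listener on PORT accepts other hosts
#   closed   - nothing is listening on PORT
listener_scope() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            addr = $4                          # Local Address column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # compare the port exactly
            # Everything before the final ":port" is the bind address.
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1") loop++
            else wide++
        }
        END {
            if (wide) print "exposed"
            else if (loop) print "loopback"
            else print "closed"
        }'
}

# Constructed sample output for a server configured as in this tutorial.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.0.2.10:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2280 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2243 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
EOF
}

for p in 2280 2243 22; do
    echo "port $p: $(sample_netstat | listener_scope "$p")"
done
```

On the server itself, replace sample_netstat with `netstat -vatn`; a result of "exposed" for 2280 or 2243 means the proxy can be used by anyone who can reach the host.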
Software to create an encrypted file system in Linux
This is an old article from Linux Magazine, free to download. I found it to be an excellent and detailed review of the most common tools that exist to encrypt data in Unix systems; these different tools and methods are still valid and in use nowadays.
It provides some insights on encryption techniques, code quality, and the relative merits of the various solutions. The following encrypted file systems are examined:
• Loop-AES
• DM-Crypt
• Enc-FS
In addition to looking at technologies and techniques the performance parameters for these encryption options are also assessed.
Download link(pdf article):
http://www.linux-magazine.com/w3/issue/72/Encrypted_Filesystems_Review.pdf
List of cross platform password managers (Linux,Windows,MAC)
Open source password managers
The reason why you should never reuse your password across sites is that if one of the sites gets hacked, the attacker will try that same username and password across sites and get into all of your accounts. It is impossible to remember all the passwords one has, and that is where these free password managers will help you. Some of them are cross platform and can be used in Windows as well as Linux.
KeePassX: This password manager encrypted database can be passed along Linux, MAC and Windows computers, the software is compatible across all platforms, your database can be opened in any computer regardless of OS. KeePassX will save user names, passwords, urls, attachments and comments in one single database encrypted using AES 256bit.
Password Gorilla: It runs in Linux, MAC and Windows, if you decide to change your computer OS next year it will not be a problem, Password Gorilla encrypts the database with the solid TwoFish algorithm and SHA256 for password hashing, it makes for a good alternative to KeePassX, both of them have portable Windows version that can be used from within a memory card or USB thumbdrive.

Password Gorilla cross platform password manager
Password Safe: Multilingual open source password manager for Linux and Windows, a U3 and portable version are also available, it uses Twofish and SHA-256 for encryption, other related projects implement Password Safe in Java, a command line utility called pwsafe and PwSafe for the iPod, iPad and iPhone Touch, you can get support for Password Safe on its website discussion forum.
Alternatives to the password managers mentioned above that work across platforms are web based password services like LastPass, Clipperz and PassPack, but I strongly discourage you from using those because anyone with access to your browser can have access to your passwords and because man in the middle attacks are also possible in web based password managers.
How to use eCryptfs for encryption in Linux
eCryptfs is a cryptographic file system embedded inside the Linux kernel (versions 2.6.19 and later), it is also a stacked file system, which means that eCryptfs is a layer that works on top of other standard, lower file systems, such as ext4, FAT32, XFS and ReiserFS.
Some of the great advantages of eCryptfs over other encryption methods such as LUKS are:
- Dynamic size of the encrypted tree: The size of the encrypted part does not need to be fixed in advance, so you don’t have to pre-allocate a big chunk of your hard disk space to store sensitive data that may be only a few megabytes.
- All the cryptographic metadata is stored in the header of the file. This means that the encrypted file can be copied and moved from one location to another not leaving any metadata behind.
- Files can be encrypted with multiple keys so that multiple different users can have access to encrypted but shared files. You can have different files encrypted by different users and each user can access only his files.
Disadvantages of using eCryptfs (it may change in future versions):
- eCryptfs does not encrypt filenames, only the content.
- Certain patterns, such as a typical distribution of file size in a directory, will always give a clear hint of what is being stored, even if it is encrypted.
eCryptfs should not be used if you want to hide the fact that something is stored! You will not be able to deny the existence of encrypted files!
To install eCryptfs in RPM based linux (Fedora, Mandriva, OpenSuse, etc):
su -c 'yum install ecryptfs-utils'
To install eCryptfs in DEB based linux (Debian, Knoppix, GRML, etc):
sudo aptitude install ecryptfs-utils

encryption eCryptfs kernel diagram
First create a folder in your Home directory and name it secret:
mkdir ~/secret
Now you need to change the folder permissions to make sure nobody else will access it:
chmod 700 ~/secret
Then mount eCryptfs on the secret folder, using the following command as root:
sudo mount -t ecryptfs ~/secret ~/secret
eCryptfs will then prompt you to answer a few questions, see screenshot below:

eCryptfs Unix encryption
After you have made your choices and mounted the encrypted folder you can add files inside.
To test the reliability of eCryptfs, unmount your encrypted folder and see if you can open the files inside the secret folder.
sudo umount ~/secret
If it is working properly, you should not be able to open any files inside the folder.
Warning: Once the encrypted data is accessed it will leave traces all over your operating system (swap, print spool, spell-checker, backups …). If you really care about your private data falling in the wrong hands then use whole disk encryption!
