Wilted buttercup, grey skies, and geek » OSX

A more secure(-ish) crypted file

Mischa — Mon, 16 Jan 2012 01:29:22 +0000

I have been using two commands blogged about by a friend Steve Harris to store my passwords on my mac osx laptop. He illustrated two commands “useful” and “viuseful” which open an gpg encrypted file using less and vi respectively. Opening the file in less, allows for safe read-only access to the contents of the encrypted file. The vi mode of operation as described by Steve leaves a temporary copy of the file that exists in plaintext briefly while it’s being encrypted.

With a little help from one of my current colleagues Sid I have altered Steve’s example by writing the temp file to a ramdisk, which is subsequently srm’d.

The fact that this implementation never writes the contents of the unencrypted file to disk, I recon I can go as far as saying that it was a little *more* secure than Steve’s original post

#Password config USEFUL_FILE="$HOME/.passwords/passwords.txt.gpg" USEFUL_KEYID="XXXXXXXX" RDLABEL="ramdisk" RAMDISK="/Volumes/$RDLABEL" # Please no spaces FILE="passtmp" # Please no spaces


function useful {

  gpg --trust-model always -d $USEFUL_FILE | less

}
function ramdisk {

  let SIZE=$1*2

   # Check if the ramdisk is already mounted

   if [[ $(mount | grep "$RAMDISK " | wc -l) -eq 0 ]]; then

       diskutil erasevolume HFS+ "$RDLABEL" $(hdiutil attach -nomount ram://$SIZE) &> /dev/null

   fi

}
function cleanup {

  if [[ -e "$RAMDISK/$FILE" ]]; then

    srm -f "$RAMDISK/$FILE"

    umount "$RAMDISK"

  fi

}

function viuseful { ramdisk 4096 # 4MB cp "$USEFUL_FILE" "$USEFUL_FILE~" vi '+set viminfo=' '+set noswapfile' '+r !gpg --trust-model always --quiet -d '"$USEFUL_FILE"' 2>/dev/null' '+1d' '+redraw!' "$RAMDISK/$FILE" if [ -s "$RAMDISK/$FILE" ]; then gpg --trust-model always --yes -r "$USEFUL_KEYID" -o "$USEFUL_FILE" -e "$RAMDISK/$FILE" else echo "File not changed" fi cleanup }

So yeah, a big shout out to both Steve and Sid, for now I have a proprietary secure(-ish) way of storing all of various passwords.

If someone would like to tell me how to create the RAMDISK on a linux machine I would love to know

HTTPS: Making more use of SSL

Mischa — Tue, 26 Oct 2010 10:31:16 +0000

There has been a lot of talk about how more and more people are using their laptops on public wifi connections, and with the advent of the Firesheep plugin, there has been a number of scares around session hijacking, and unencrypted login details being sent through the ether.

As a result, I thought I would describe the steps I have taken in securing my Firefox instance on my laptop. These are :

Installing the HTTPS Everywhere plugin from the eff, which attempts to select https if available when accessing a site. I have tested it with Facebook, Google, Hotmail, LinkedIn and a few other sites
I have set my homepage to be encrypted.google.com
I have changed the search engine in top right hand of my Firefox instance to use the encrypted google service, by installing their plugin
I have set a master password on my Firefox keychain, which gives my stored passwords some level of protection
And I run Adblocking software, (with a custom Facebook Like Button blocking extension) as per an earlier blog post

Furthmore, I use Firefox as my main browser, I have chrome installed, but I hardly ever use it, and I have a locked down, stateless Safari instance which I wrote about earlier.

Signing Mail on Snow Leopard

Mischa — Thu, 19 Aug 2010 15:58:35 +0000

Yay finally, come across an update to the GPGMail plugin for Mail.app 4.3 on Snow Leopard. This is the one bit of functionality which I have missed since upgrading from Leopard to Snow Leopard, and have been searching for updates periodically for a while now.

This is fanstatic news, as I can now digitally sign my emails, with my GPG identity, which can be found linked to from my FOAF file.

Private Browsing with Safari

Mischa — Sun, 15 Nov 2009 20:38:33 +0000

I use Firefox as my primary browser, both at home and at work. So I have setup my Safari browser, as my private browser – that is sans cache, history, cookies or anything of a similar nature. I noticed that the “Private Browsing” option in Safari, doesn’t do that good a job of not leaving files hanging around in one’s operating system, furthermore unless your careful, Spotlight will eventually end up indexing your browser history, cache, which may be less than ideal.

In order to have a zero cache safari instance on my laptop I have taken the following steps :

1: Removed spotlight’s prying eyes, by excluding the following directories :
- /Users//Library/Caches
- /Users//Library/Safari
- /Library/Caches
2: Setup two cronjobs to constantly delete Safari cache-dir

*/10 * * * * find /Users//Library/Safari -type f -exec rm {} \; 2>&1 > /dev/null */10 * * * * find /Users//Library/Caches/Metadata/Safari/ -type f -exec rm {} \; 2>&1 > /dev/null

And finally, I have created a wrapper .app file which open’s Safari, and then enables “Private Browsing” mode, as I could not find a way to do this through editing the Safari.plist file. I followed the instructions posted on the MacWorld site, and they go a little something list so:

1. One needs to enable the Enable Access for Assistive Devices option, which can be found in the Universal Access system preference.
2. Open the AppleScript editor, and type in the following commands :
tell application "Safari" activate end tell tell application "System Events" tell process "Safari" tell menu bar 1 tell menu bar item "Safari" tell menu "Safari" click menu item "Private Browsing" end tell end tell end tell end tell end tell
3. Save this shiny new AppleScript as an application (.app file), and I called mine “PrivateSafari.app”.
4. I then grabbed the icon file from Safari, and added to the PrivateSafari, and then replace the old shortcut in my Dock, with one to “PrivateSafari.app”.

It should be noted that I am well aware that the private browsing features in most of the modern web browsers have come under a certain amount of scrutiny recently, below are some links to articles for the interested reader :

Timemachine to a Linux Box

Mischa — Tue, 07 Jul 2009 17:22:11 +0000

By default TimeMachine on Mac OSX is configured to run through the Apple Filing Protocol only.

At home I run a backup server for Time Machine on one of my Linux boxes, I did this by enabling the following feature on the machine which I have configured to be backed up.

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

This in turn allows for unsupported network volumes to be used as backup volumes.

Below are some other Apple related preferences I have configured on my macbook:

defaults write com.apple.dock persistent-others -array-add '{ "tile-data" = { "list-type" = 1; }; "tile-type" = "recents-tile"; }'

defaults write com.apple.terminal FocusFollowsMouse -string YES

defaults write com.apple.Safari IncludeDebugMenu 1

defaults write com.apple.finder AppleShowAllFiles Yes (ALL FILES IN FINDER)

ld: duplicate symbol _g_bit_nth_lsf Mac OSX Leopard/Darwin

Mischa — Tue, 07 Jul 2009 16:41:46 +0000

I have had some problems installing software from source on my Max OS X Leopard machine. I should thank Martin Szomszor for his help on getting this working, but after some time faffing we finally got it sorted out.

I found that I was having problems making software on Leopard, which I could build fine on my linux (fedora) machines. The error I was getting was:

ld: duplicate symbol _g_bit_nth_lsf in foo.o and bar.o

I am running Leopard 10.5.3. I was using glib2, installed via Fink, version number: 2.12.0-103. After spending lots of time googling I found the following article to be of the most use, “Wireshark with Macports”, where Anders Brownworth pointed out that the error was due to a “extern inline bug in glib/gutils.h which is easily fixed“.

So to fix this:

I located gutils.h, which I found here:

/sw/include/glib-2.0/glib/gutils.h
I then replaced these lines:

#ifdef G_IMPLEMENT_INLINES # define G_INLINE_FUNC # undef G_CAN_INLINE
#elif defined (__GNUC__) # define G_INLINE_FUNC extern inline #elif defined (G_CAN_INLINE)
With this:

#ifdef G_IMPLEMENT_INLINES # define G_INLINE_FUNC # undef G_CAN_INLINE #elif defined (__APPLE__) # define G_INLINE_FUNC static inline
#elif defined (__GNUC__) # define G_INLINE_FUNC extern inline #elif defined (G_CAN_INLINE)
By adding these two middle lines:

#elif defined (__APPLE__) # define G_INLINE_FUNC static inline
The start of the fragment of code was at line number 96 in my gutils.h file

Here is a link to my edited and working gutils.h file.

Note 1: I would make sure I get a copy of my original gutils.h file, as this may come in handy

Note 2: There is a patch which one could apply to make the same changes which I have just described here. This patch follows this ticket. I didn’t know what to do with the patch file, so I ended up editing the file by hand:). I am guessing that is something todo with macports, mmm, nevermind, its working now.

duplicate dylib libiconv.2.dylib

Mischa — Tue, 07 Jul 2009 16:29:27 +0000

When building from source on Mac OSX, I have regularly come across the problem whereby the compiler complains about duplicate dylibs.

duplicate dylib libiconv.2.dylib

This is due to my use of the Fink and Darwin packages to install various bits I need for OSX development.

I recently noticed that many configure scripts cater for the user to select which dylib they would like to include. So I figured that my problem of duplicate iconv’s can be overcome by looking for options like :

--with-iconv=

So look out for similar parameters in configure scripts

./configure --with-iconv=/opt/local/..

So, why do I not just remove all but one instance of iconv? Well, Leopard ships with an old version of iconv, and I require recent versions for my development work.