Category Archives: Linux

Bypassing Basic Download Filters

The other day, I was trying to update the driver for my EVGA GeForce GTX460 video card, but the download kept stopping at 180MB out of 271MB. After restarting the download a few times, I realized that my ISP or firewall was flagging something as malicious and interrupting the download. I figured I had 4 options:

  1. Download the driver on my server, and then download it to my PC using SFTP.
  2. Download it over a VPN. Being limited to 300kb/s bandwidth on the free ProXPN VPN didn’t seem like a good option either.
  3. Download it over public Wi-Fi. Just annoying.
  4. Download it over https.

Assuming it worked, I figured option 4 would be the easiest. The default download link took me to http://us.download.nvidia.com/Windows.... By changing the link to https://us.download.nvidia.com/Windows..., I received a certificate mismatch warning, but the download worked when I overrode it. A closer look at the warning shows that the https certificate is for the domain name a248.e.akamai.net. This seems safe to me, since Akamai is a CDN, so it makes sense that NVIDIA could be using Akamai to distribute their drivers. I would be more cautious if the certificate had been issued to neither a CDN nor NVIDIA itself. Remember to check that the installer was signed by the appropriate company (NVIDIA in this case).
Cert Error

I haven’t tried this on other downloads, but I think it should work on a fair percentage of them.

Converting from Chrome to Firefox

I’ve been a long-time Google Chrome user, but Chrome’s lack of certificate revocation checking persuaded me to switch to Firefox as my secure browser. I’ve relegated Chrome to being my media browser to take advantage of its built-in and automatically updated Flash player.

After a few days back on Firefox, I’m happy with the switch. Firefox’s certificate revocation checking seems to be faster than Chrome’s (completely subjective) and Firefox’s security is much easier to customize.

Transition Process

Add-Ons

Under Settings → Add-Ons, I added:

  • LastPass – works about the same, but seems to be slightly less stable
  • NoScript – more mature than ScriptSafe
  • CipherFox – provides ciphersuite information in a dropdown and allows easy enabling and disabling of RC4 based ciphersuites (check "Disable RC4 cipher" in the Extension preferences).

I also installed HTTPS Everywhere. It seems to be more mature and easier to manage than the Chrome version, with the exception of adding custom rules. Custom rules must be added to a folder in the filesystem and cannot be edited from within Firefox.

Plugins

Under Settings → Add-Ons → Plugins

I set all of my media plugins like Google Talk and Microsoft Silverlight to "Ask to Activate".

I set Java (it got installed when I was doing some Java development) to "Never Activate".

Preferences/Options

Under Advanced → Data Choices, I disabled Firefox Health Report and Crash Reporter, because these could inadvertently disclose sensitive information.

Under Advanced → Certificates, click the Validation button and check "When an OCSP server connection fails, treat the certificate as invalid".

Advanced Configuration

Type "about:config" into the address bar.

Disable SSLv3.0:
security.tls.version.min = 1

Disable DSS based authentication:
security.ssl3.dhe_dss_aes_128_sha = false
security.ssl3.dhe_dss_aes_256_sha = false

Disable Triple DES based ciphersuites:
security.ssl3.dhe_rsa_des_ede3_sha = false
security.ssl3.ecdhe_rsa_des_ede3_sha = false
security.ssl3.rsa_des_ede3_sha = false

Minimize Session Data Storage:
browser.sessionstore.restore_on_demand = false
browser.sessionstore.resume_from_crash = false

Summary

These configurations give you good control over what runs on each page through NoScript and Ask to Activate.

Most sites use RSA or ECDSA certificates and support AES. I generally find that sites that don’t support AES only support RC4, so disabling Triple DES doesn’t reduce compatibility. I use CipherFox to enable RC4 on an as-needed basis, because some sites that support AES prioritize RC4 (e.g. BarclayCard). Due to Dreamhost’s server configuration, this site only supports RC4.

At this point, I rarely encounter a site that does not support at least TLSv1.0, so I figure it’s time to disable SSLv3.0.

Specifying an SSH Key Exchange Algorithm

I was doing some testing where I needed to test an SSH server’s support for various key exchange algorithms. I know PuTTY for Windows supports the configuration of key exchange algorithms, but I was testing in a command-line-only VM environment that already had a number of Linux clients running. Although it’s not obvious from the ssh man page or from my searches (I found one site that said it’s not possible), it turns out to be almost as straightforward as setting your cipher or MAC algorithm. Just use the -o KexAlgorithms=<comma_separated_list_of_algorithms> option, where <comma_separated_list_of_algorithms> can be any of the following:

  • ecdh-sha2-nistp256 – (elliptic curve nist-p256), limited support.
  • ecdh-sha2-nistp384 – (elliptic curve nist-p384), limited support.
  • ecdh-sha2-nistp521 – (elliptic curve nist-p521), limited support.
  • diffie-hellman-group-exchange-sha256 – (discrete log bits are negotiated), limited support.
  • diffie-hellman-group-exchange-sha1 – (discrete log bits are negotiated), limited support.
  • diffie-hellman-group14-sha1 – (discrete log 2048 bits), should be good for now, and widely supported.
  • diffie-hellman-group1-sha1 – (discrete log 768 bits), might not be strong enough, but widely supported.

Note: The elliptic curve algorithms are believed to be as strong or stronger than the standard Diffie-Hellman discrete log cryptography; however, they are newer and have not been as thoroughly analyzed.

Example: ssh -o KexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384 kenji@192.0.0.45
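As an added example that is not part of the original post, the following POSIX shell script turns the option above into a probe that offers the server one algorithm at a time and reports which ones it accepts. The host, user and algorithm list are the ones from this post; the OpenSSH error strings it matches are assumptions and vary between versions.

```shell
#!/bin/sh
# Added example (not from the original post): offer an SSH server one key
# exchange algorithm at a time and record which ones it accepts, so the
# server's KexAlgorithms configuration can be audited from a Linux client.
# Host 192.0.0.45, user kenji and the algorithm list come from the post;
# the error strings are OpenSSH's and are assumptions (they vary by version).

# Candidate algorithms, one per line.
KEX_LIST='ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1'

# Classify ssh's stderr from a single-algorithm offer. Key exchange is
# negotiated before host key verification and authentication, so any
# failure past that point (host key mismatch, "Permission denied") still
# proves the server accepted the offered algorithm.
classify_kex_result() {
    case "$1" in
        *"no matching key exchange method"*|*"no kex alg"*|*"Unable to negotiate a key exchange method"*) echo unsupported ;;
        *"Connection refused"*|*"Connection timed out"*|*"Could not resolve hostname"*|*"No route to host"*) echo unreachable ;;
        *) echo supported ;;
    esac
}

# Probe every algorithm in KEX_LIST against host [port] [user]. BatchMode
# suppresses password prompts; ConnectTimeout bounds a dead host.
probe_kex() {
    host=$1; port=${2:-22}; user=${3:-kenji}
    printf '%s\n' "$KEX_LIST" | while IFS= read -r kex; do
        err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
                  -o KexAlgorithms="$kex" -p "$port" "$user@$host" true 2>&1 >/dev/null) || true
        printf '%-40s %s\n' "$kex" "$(classify_kex_result "$err")"
    done
}

# Usage: sh kexprobe.sh 192.0.0.45 [22] [kenji]
if [ "$#" -gt 0 ]; then
    probe_kex "$@"
fi
```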

UDF (a FAT32 replacement) Part 3

I tested UDF and exFAT over a fairly wide range of non-computer devices, and none of the devices could read or write to it. If you need something that will work with non-computers, stick to FAT32. If you just need interoperability between computers (but don’t need to boot from the drive), switch over to UDF.

UDF and exFAT did not work with:

I plan on testing UDF and exFAT with a few phones and will update this post when I do.

UDF (a FAT32 replacement) Part 2

Comparison of cross-platform filesystems for flash memory and/or external hard drives.

The Universal Disk Format (UDF) is maintained by Optical Storage Technology Association while FAT32 and exFAT are maintained by Microsoft.

FAT32’s primary limitation is its 4GB file size limit. Microsoft also recommends limiting volumes formatted in FAT32 to 32 GB, although many implementations support larger volumes.

Microsoft created exFAT to get around FAT32’s file and volume size limitations.

Overall, exFAT and UDF appear to be very comparable. They both support Unicode filenames and long filenames.
UDF supports journaling and ECC (Error Correction Codes). The MacOS format utility provides an option for specifying the number of blocks to use for ECC. I assumed that this option was some type of ratio, but when I changed the number from 1 to 2, my formatted drive had exactly one block less space available. UDF’s “journaling” features are designed around optical media, so it is unclear whether flash and hard drive implementations of UDF use the Logical Volume Integrity Descriptors.

Overall, FAT32 has the best compatibility. It is supported by nearly every device from phones, to cameras, to picture frames.

If you are only concerned with accessing your data from a computer, UDF is probably the file system to pick since Linux’s support for exFAT is not 100%.

Next I’m going to explore the compatibility of UDF and exFAT in other devices.

References

  1. UDF Spec – http://www.osta.org/specs/pdf/udf260.pdf
  2. FAT32 Spec – http://msdn.microsoft.com/en-us/library/windows/hardware/gg463080.aspx
  3. exFAT Spec – unable to find
  4. exFAT description – http://support.microsoft.com/kb/955704
  5. exFAT description – http://en.wikipedia.org/wiki/ExFAT