I wanted to check my current passwordsafe database passwords against the data at haveibeenpwned, however I don't like the idea of using the API or the webform to send all of my passwords to a 3rd party.

So I wrote a python script.

#!/usr/bin/env python


import hashlib
import pypwsafev3
from getpass import getpass
import argparse


def getArgs():
    p = argparse.ArgumentParser(description='PasswordSafe hashes')
    p.add_argument('-f', help='PasswordSafe database file')
    return p.parse_args()


def main():
    args = getArgs()

    pw = pypwsafev3.PWSafe3(args.f, getpass('PasswordSafe master:' ))

    with open('hashes.txt', 'w') as f:
        for i in pw.listall():
            f.write('{}, {}\n'.format(i[1], hashlib.sha1(str.encode(i[4])).hexdigest()))


if __name__ == '__main__':
    main()

This generates a text file named "hashes.txt" which contains the name of the password entry and the sha1 hash of the password. Then I could search the pwned-passwords-sha1-ordered-by-count-v5.txt file for them to see if any of them are in the list.

$ sed 's/ //g' hashes.txt | awk -F, '{print $2}' | grep -i -F -f - pwned-passwords-sha1-ordered-by-count-v5.txt

For the last couple of days my phone has been kind of a pain to work with. I would use the keyboard to type something in, and either the entirely wrong letters would show up, or nothing at all. Last night I got around to grabbing an app off the Play Store to show where touch events were detected and then turned on the developer options that do pretty much the same thing.

I rebooted my phone, I rebooted my phone into safe mode, nothing helped.

This is a screenshot using the app I downloaded. I basically ran my finger all over the screen, and I noticed this area where nothing showed up.

So then I tried it with the developer options turned on.

That dead area makes my phone pretty much unusable. Thankfully my phone is still under warranty, and I'll be able to send it in and get a replacement. In the mean time I am charging up my Nexus 6 and will transfer my number back to it so that I have a working phone until the replacement arrives.

This is going to ramble a bit...

I was watching a youtube video, "Star Talk" with Neil deGrasse Tyson, Adam Savage, Matthew Liao, and Chuck Nice.

In the second segment, there was a discussion on uploading consciousness.

Every morning I wake up, and I'm me. I'm not somebody else. ... Maybe I'm not me, and I don't know it. Because in the act of becoming someone else, I am that other person. -- Neil deGrasse Tyson

I think that what we think of as "growing" as an individual, could also be expressed as evolving, of becoming another person.

My identity, the person that I was in the past, is not the same person that I am today. It is possible to look at the former me, and the present me, and see the progression, the journey. But I would not want to be that person again.

The previous versions of me were not as empathetic or sympathetic. The previous versions of me were judgmental, viewing the world through a narrow lens that was only my own perspective.

The current me, and I hope the future me, will continue to try to see the world through the eyes and experiences of others. Just because it hasn't happened to me, just because I have not experienced it, does not mean that it has not, or will not, happen to someone else.

The Four Lakes Amateur Radio Club has been using a Raspberry Pi 1B+ for a couple of years as our DHCP/Samba/NAT server for events like ARRL Field Day.

As I had a spare RPi 2 sitting around, I decided to see if I could use FreeBSD on that device instead, instead of Debian based Raspbian.

I am using the FreeBSD 11.1-RELEASE image for the the OS, the instructions on the FreeBSD website were easy to use to get the image transferred to an SD card. Once we were booted up and running, using the ethernet port for network connectivity, I installed the wpa_supplicant package, I probably could have skipped this step and used the wpa_supplicant installation in the base system.

I had to update /boot/loader.conf

legal.realtek.license_ack=1
if_urtwn_load="YES"
wlan_wep_load="YES"wlan_ccmp_load="YES"
wlan_tkip_load="YES"

Additions to /etc/rc.conf

ntpd_enable="YES"
ntp_sync_on_start="YES"
wlans_urtwn0="wlan0"
ifconfig_wlan0="WPA SYNCDHCP"

The ntp additions are due to the RPi not having a Real Time Clock, these settings force the RPi to update the time from network clocks at boot time.

Create the /usr/local/etc/wpa_supplicant.conf file

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1
country=US
device_name=fpi
network={
    ssid="SECRET"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    psk=SUPER_SECRET
}

And then reboot to have all of the changes take effect.

Once we were up and running on WiFi, I reconfigured the ethernet port for a static IP by changing the configuration in /etc/rc.conf from

ifconfig_ue0="DHCP"

to

ifconfig_ue0="inet 10.0.0.1 netmask 255.255.255.0"

Then I installed dnsmasq and samba.

pkg install dnsmasq
pkg install samba48

/usr/local/etc/dnsmasq.conf

domain-needed
bogus-priv
no-resolv
server=1.1.1.1
interface=ue0
expand-hosts
domain=local
dhcp-range=10.0.0.10,10.0.0.50,6h
dhcp-option=3,10.0.0.1
dhcp-leasefile=/usr/local/var/lib/misc/dnsmasq.leases

/usr/local/etc/smb4.conf

[global]
    workgroup = WORKGROUP
    server string = Samba Server Version %v
    netbios name = fpi
    wins support = yes
    security = user
    passdb backend = tdbsam
    map to guest = Bad User
    log file = /var/log/samba4/log.%m
    log level = 3

[fd]
    comment = Field Day
    create mask = 0664
    directory mask = 0775
    force group = nobody
    force user = nobody
    guest ok = yes
    path = /home/fd
    read only = no

And added to /etc/rc.conf again

dnsmasq_enable="YES"
samba_server_enable="YES"
winbindd_enable="YES"

The directory where we will be sharing files from is /home/fd, so we need to create it and set permissions.

mkdir /home/fd
chown nobody:nobody /home/fd
chmod 775 /home/fd

Now for the NAT portion, since I used to run an OpenBSD firewall for my home network, I decided to use pf instead of ipfw.

So we need to make some more changes to /etc/rc.conf

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"

And create /etc/pf.conf

ext_if='wlan0'
int_if='ue0'
localnet = $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)

Yes, there should probably be more rules here to restrict access and ports.

Now it's time for another reboot and everything should be working.

I recently got sslh working on my home FreeBSD server. What made this more complicated is that I wanted ssh to go to one jail and https to go to a different jail.

My jail host is 172.27.1.2, the target for ssh is 172.27.1.4, the target for https is 172.27.1.5. The https jail runs a reverse nginx proxy to forward to various other jails and devices on my home network.

Something that I used to use on linux hosts was fail2ban to block the constant brute force ssh attempts against my system. This time around I decided to try something a little simpler. I found this wiki article describing how to use ipfw and a cron job to update a blocklist.

I had to configure ssh on 172.27.1.4 listen on both 22 and 8022, if I tried to just use 22 I could not reach that jail from my local network.

Below are the pieces that make this all work.

My /usr/local/etc/sslh.conf

# This is a basic configuration file that should provide
# sensible values for "standard" setup.

verbose: false;
foreground: false;
inetd: false;
numeric: false;
transparent: true;
timeout: 2;
user: "root";
pidfile: "/var/run/sslh.pid";


# Change hostname with your external address name.
listen:
(
        { host: "172.27.1.2"; port: "443"; }
);

protocols:
(
        { name: "ssh"; service: "ssh"; host: "172.27.1.4"; port: "8022"; fork: true;},
        { name: "ssl"; host: "172.27.1.5"; port: "443"; log_level: 0; }
);

My /etc/ipfw/sslh.rules

#!/bin/sh

ipfw add 20000 fwd 172.27.1.2,443 log tcp from 172.27.1.5 443 to any out
ipfw add 30000 fwd 172.27.1.2,443 log tcp from 172.27.1.4 8022 to any out

My /root/sshd-fwscan.sh

#!/bin/sh

# based on http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
# Copyright (c) 2004,2005 RPTN.Net,
# Copyright (c) 2005 DaveG.ca,
# Copyright (c) 2006 Bob (kba at ats32.ru)
# You may use this code under the GPL, version 2 or newer.
# Updates for IPF by Sasha.by
# Copyright (c) 2018 Matt Okeson-Harlow, https://technomage.net
# 2018-04-29

# changed rule number to 10000 to not impact sslh rules at 20000
# exclude 172.27.1 as that is the home network
# exclude remote hosts that I control
# lowered the count to 3 from 5
# use find to locate auth.log.*.bz2 files modified in the last 2 days

PATH=/bin:/usr/bin:/sbin:/usr/sbin
LOGDIR=/usr/jails/kotilo/var/log
RULE=10000

# exclude local network, yoda and leia
EXCLUDE='172[.]27[.]1|71[.]19[.]155[.]130|71[.]19[.]157[.]86'

# log the current rules before we clear them
ipfw show ${RULE} | logger -p local0.notice -t sshd-fwscan

# clear the current rules
if ipfw show | awk '{print $1}' | grep -q ${RULE} ; then
    ipfw delete ${RULE}
fi

# This catches repeated attempts for both legal and illegal users
# No check for duplicate entries is performed, since the rule
# has been deleted.

(find ${LOGDIR} -mmin -$((60*24*2)) -name "auth.log.*.bz2" -exec bzcat {} \;; cat ${LOGDIR}/auth.log) |
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 3) print h}' | egrep -v ${EXCLUDE} |
while read ip
do
        ipfw -q add ${RULE} deny tcp from $ip to any in
done

I added the following to my /etc/crontab

#
# sshd-fwscan to block failed logins
*/10    *   *   *   *   root    /root/sshd-fwscan.sh

A recurring theme of late has been that our hopes for institutions that many of us thought where "too big" to dismantle, may have been misplaced.

• The Department of Education
• The Environmental Protection Agency
• The Federal Communications Commission
• The Justice Department

I fear that we will soon find out just how vulnerable many of us are as these institutions are gutted, or even, possibly, abolished.

The idealist in me wishes for a world were libertarian ideas and practices result in better products and services, without sacrificing our health, environment or future generations.

But time and time again we have seen what happens when those in a position of power or authority do what is in their best interests, and it is seldom good.

Which brings me to a possible silver lining.

Maybe if people see the destruction and chaos that some of these decisions will bring, they will look back and realize that they can't blame the Other for the trials and tribulations, they will have to recognize that they brought this upon not just themselves, but all of us.

Maybe we will see those that are not governed only by their own self interest or greed step up and do The Right Thing for others.

Maybe we will see local and state officials do more to protect the people they serve than our federal government is doing.

Maybe we will see a massive amount of financial support from individuals to make up for the federal funding that is no longer going to be enough.

Maybe we will see people give money to teachers so that the children in our schools have enough supplies without forcing the teacher to spend their own money.

Maybe we will see police officers welcome review of policies and wistleblowers exposing unethical or corrupt behavior.

Maybe we will come out of this better off.

I hope so, but I fear that it may take so long that I will never live to see it. I hope that my nieces and nephews can see it. I hope that we turn this around before they are required to be the solution.

I hope that they live to see us being kinder to one another.

I hope that the sky is still blue, that the trees still grow, that the water is clean.

I hope that I never lose hope.

I'm in the process, hopefully ongoing, of tossing out stuff that I don't need/want anymore. IF I can make it through my office, I then have to do the same thing in the garage. Too many "Maybe one day..." projects have stacked up.

Projects that I will never get to if I don't get things cleaned up.

Projects that I don't know that I even want to continue with.

I need a place to put my lab rack for learning Cisco gear/software. I've used their products for years, but I have never done anything to formally learn about how it works. It's all just been picked up as I worked on solutions to problems.

I need to cut down on the number of computers I am trying to maintain at home. Too many old laptops that aren't really worth maintaining. I think I should bite the bullet and get just the hardware that I actually need to get things done. Get rid of the rest.

I need to be able to get on the amateur radio bands without it being a major production ( to get the desk that I use for that ).

I need to be able to work on some programming projects. Projects that will help me learn python better, which is a current goal. Projects that will automate and streamline things that are done manually now.

So many of the things I want to do have been stopped or stalled by not wanting to deal with the hassle of actually getting to them.

After I made my last post I was looking through the plugins available for Nikola and found one called 'import_jekyll'. A quick

nikola -i plugin import_jekyll
nikola import_jekyll ~/technomage.net

And I was done!

Wait, nope, that didn't work. After doing some poking around, I had to edit the plugin to fix a path definition. There is a bug report that had the needed information.

Ok, now let's run nikola import_jekyll ~/technomage.net

Yay! Files moved. Then I had to enable markdown... and then I had to go through and fix a bunch of import errors. '.code:: LANG' added before code blocks, which doesn't mean anything to markdown, but I guess means something to rst.

Several of the tags had each word split out with commas between each letter, which made the tag cloud look a little strange.

I will need to update this post with specific links to what I needed to do, and I still need to import the ham radio site. Since that one has lots of pictures, I think it will take more work, we'll see.

UPDATE: added the link for fixing the path issue.

As I recently changed employers, I thought it might be a good idea to start blogging again.

And I also thought it would be a good idea to try something new, so I am giving Nikola a spin. Previously I have used wordpress, serendipity, octopress, jekyll and even webmake.

I've made a few changes in regards to the tools that I use lately, and this felt like another good change to make. I am using emacs and Org-Mode for notes and project planning. I thought about using some of the converters to use emacs to create my blog, but I decided to use something that was a little more editor agnostic.

I'm also using ruby and starting to look at using python for dev work instead of my goto of perl, not because perl can't do what I want, but because I want to try something different. Also, python is already being used for some projects at work, so it's something I should spend some time on anyway :)

I will most likely be merging my ham radio site into this one, because I want to simplify things a little bit. Not that getting all the content moved over will be simple, but in the long term I think it will be worth the effort. Many of the things that I am interested in cross over between ham radio, games, life, and general geekery.

I see people trying to compare one act of courage, bravery or heroism to another. These are all ways to describe someone acting despite their fear, uncertainty and doubt.

While there are many actions that will automatically be described in that way, they are not the only ones. Running into a burning building to save someone else or standing in harms way to protect others are two examples that are easily identified. But for some people just leaving their home is overcoming fear. Speaking in front of an assembled group of ones peers. Standing up to a bully. Taking a stand for something you believe in, whether that be a religious, moral or ethical issue. Depending on the time and place, these could all be very brave and courageous acts.

Just because something is not a challenge for you, or you do not agree with what someone else is doing does not mean that for them it is not an act of courage, bravery or heroism. Don't dismiss or judge harshly someone else just because you don't think what they are doing is brave or you don't agree with them.

One day it will be you that is overcoming fear, uncertainty and doubt in a way that others do not understand or approve of.