Category Archives: Utility

Programs used to accomplish tasks.

So you’re thinking about Linux…

Congratulations. Whether you intend to or not, you are about to stick it to the man–or at least two of his most prized servants. Perhaps you fall into some of the following categories:

  • Idealistic
  • Frugal
  • Intolerant of non-consensual sphincteral expansion

Ironically, the latter quality will bite you in the ass if you start off on the wrong foot. The purpose of this article is to provide basic insight and practical tips on how to make yourself comfortable in your new home–because that’s what it is. You are away from your Windows or Mac home for the first time, and things are different. Accepting this is your first step.

Distro

A Linux distribution is three things:

  • An interface to the world’s Free software, called a repository
  • An interface to that repository, called a package manager
  • A community

A Linux distribution is not the software itself. Distributors of Linux are software curators, not creators. You may have heard, for example, that Debian comprises 1,000 metric assloads of source code and would take 100 Dutch developers working full-time for over 210 years to create–but this is bullshit, because Debian itself does not provide code, and Dutch developers are notorious for taking time off to work on pet projects.

The code is out there, waiting for people to use it. The kind folks responsible for Debian and other such distributions simply make that code more readily available to users. Naturally, this changes…

Software Installation

In Windows, software installation generally involves downloading software from either its home page or c|net, Tucows, and other such mid-to-late 90’s software portals. Do not do this in Linux.

In Linux, use the package manager to install software from the repository.

Choosing a Distribution

As illustrated in an aforementioned link, Linux offers too many choices. You may recognize this plethora of choice as an opportunity to express yourself in superficial yet self-satisfying ways.

No, I wasn't joking.
This made enough money to buy a new house.

Such distributions seem fun at first, but unlike that holiday sweater you bought for last year’s company party, your distribution is an outfit you wear every day. Choose a beginner-oriented distribution with a large and supportive community that offers a comprehensive and relatively up-to-date repository. Distributions that fulfill these criteria include:

Further information can be found at DistroWatch.

Installing a Distribution

Write a live installer of your chosen distribution to a bootable USB data drive. The Windows program most commonly used to do this is called Rufus and may very well be the last piece of software you install the old-fashioned way.

Plug the USB drive into your computer, reboot, and enjoy. Your computer now runs Linux, and you haven’t even installed it. Your underlying system–files and all–remains untouched. If you like what you see, reference your distribution’s official installation guide in order to take the plunge:

Notes

  • Your computer likely requires user intervention in order to boot from USB. Look for a message shortly after powering on, something to the effect of: “Press ____ to enter boot menu.” If you do not see such a message, try F1~F12 and Delete.
  • Traditional installers sometimes succeed, even when live installers present errors.

Hierarchy of User Experience and More Seasonal Analogies

Screenshots of distributions mean nothing. Ignore them.

As mentioned, a distribution is three things–only one of which has any effect whatsoever on the screen in front of your face (and even then, only when managing software packages). Otherwise, a distro is like Santa Claus. It lives in your heart and brings you fun toys, if you are good and install from the repos.

Rather, screenshots show programs, the vast majority of which are common among all Linux distributions. What most people think of as an “operating system”–the start menu, the control panel, the little clock in the corner–is actually a collection of programs called a desktop environment. Linux offers many desktop environments. Each of them is a compromise between resource usage and wiping your ass without you having to ask. In order from most to least wiping, they are:

For even more efficient usage of system resources, experienced users sometimes opt to install only certain components of desktop environments. Technically, the only necessary component is the “window manager”.

Miscellaneous

  • Laptops manufactured in small runs sometimes have issues running Linux out of the box. Experienced users can sometimes help (as can including specific hardware models in online searches).
  • System updates in Linux are heavenly, as they tend to make your system faster. Update often.
  • Migrating your setup to any other Linux distribution (or even BSD) involves little more than copying your home directory.
  • Expunge from your head the concept of a “clean install” every year or so, when things “get bogged down”. Your new home does not need it.

Conclusion

Linux is easy.

Summary of Steps

  • Accept there will be differences.
  • Ignore distribution screenshots.
  • Run a live installer off a USB drive.
  • Install software from your distribution’s repository, not “the Internet”.
  • Remove the sphincteral expanding device from your personal cavity, and place it into the cavity of Bill Gates and the grave of Steve Jobs.
  • Infect others.

Overheard in IRC

Sometimes straws break camels’ backs. I haven’t quite figured out how it works.

I also don’t know how many times I’ve heard it, but something clicked today that immediately connected a common IRC personality with the following scene from The Twilight Zone:

“You expect me to edit some config file?”

“I’m seriously thinking about going back to Windows.”

Note that even buggy, old, iframe-restricting WordPress can be worked around with YouTube’s player parameters. The post you are now reading uses modestbranding and rel (among others).

Verification in AUR Land Is Security Theater

Makepkg says to verify the key 449190F3235ABD3B. I decide today is the day I stop relying on --skippgpcheck. Wonderful.

From $HOME/.makepkg.conf, I set $GNUPGHOME to a freshly created gpg directory (as there are different kinds of “trust” in the world, and mixing personal keys with makepkg keys confuses two separate kinds). This feature is not documented in makepkg’s man pages, but a contributor to makepkg mentions it here. I then run gpg --search-keys using my original $GNUPGHOME because hey, all it does is search, and something may very well be missing from the new $GNUPGHOME. Gpg, however, gives an error about dirmngr not running. I check dirmngr.conf. I try $( gpg-connect-agent --dirmngr ). “IPC connect call failed.” Fine, that’s another problem. There are still options, though, and I step over that rabbit hole.

I decide to verify the key manually, searching the PGP public key server at MIT. That’s a pretty big one, right? Sorry, the key is not there… All right, let’s try SKS. After all, that one is recommended in the GnuPG FAQ! That counts for something, right? “No results found.” Okay… I’ll just search for the key ID using a regular, Internet search engine.

DDG returns one result, and this link isn’t even it. Fine… perhaps DDG is small-time. Perhaps their web crawlers run on bread-powered ducks. Whatever. I seek the help of a multi-billion dollar corporation, which provides five results! The first is the same result from DDG! The remaining four are two copies each of the very signature error I foolishly thought, earlier this morning, that I could resolve through mere perseverance and rational protocol. These results were posted not by humans but by logging utilities.

The package that started this whole mess has 70 votes. It has a git repo with absolutely no references to signatures or pgp keys… Well, what would you do at this point? Do you trust the single entry from the CS department at Utrecht University? Did you even know that Utrecht had a university? … Had you even heard the word “Utrecht” once in your life before today?

Most importantly, do you honestly care at this point? The listed user has “debian” in his name. I can trust that, right?

Verification in AUR Land is security theater. It is not real security, because it is not feasible. Knowledgeable users may respond by pointing out PKGBUILD’s validpgpkeys, but aksr (the uploader) is just a regular user. Why should I trust him? Because I want to view PDF files with vi-like controls, that’s why. Such baseless trust is tantamount to --skippgpcheck, the very option that will earn your relay-chatting buttocks a paddling in #archlinux.

But seriously, you should trust him. I mean, look at all these.

I pity the people who spend as much free time as I do, wrestling imaginary monsters, and I apologize to the fine citizens of the Netherlands for implying their municipalities deserve anything less than international renown.

AUR verification is security theater.

ALSA Configuration of Loopback Device

# NoSuck.org
# 2017-02-13, 05:13
# This file demonstrates ALSA configuration for a loopback device that simultaneously saves both input and output. Thanks go to debianuser from #alsa on the Freenode network for providing guidance.

■ aplay -L | grep '^sysdefault'
sysdefault:CARD=PCH

■ aplay -l | grep PCH
card 0: PCH [HDA Intel PCH], device 0: ALC898 Analog [ALC898 Analog]
card 0: PCH [HDA Intel PCH], device 1: ALC898 Digital [ALC898 Digital]
card 0: PCH [HDA Intel PCH], device 3: HDMI 0 [HDMI 0]

■ cat /etc/modules-load.d/snd-aloop.conf
snd-aloop

■ cat /etc/modprobe.d/alsa.conf
options snd_hda_intel index=0
options snd_aloop index=1

■ cat ~/.asoundrc
defaults.pcm.dmix.!rate 48000
defaults.pcm.dmix.!format S16_LE
pcm.multi {
    type multi
    slaves.a.pcm "dmix:PCH"
    slaves.a.channels 2
    slaves.b.pcm "dmix:Loopback"
    slaves.b.channels 2
    bindings.0 { slave a; channel 0; }
    bindings.1 { slave a; channel 1; }
    bindings.2 { slave b; channel 0; }
    bindings.3 { slave b; channel 1; }
}
pcm.both {
    type route
    slave.pcm "multi"
    ttable.0.0 1
    ttable.1.1 1
    ttable.0.2 1
    ttable.1.3 1
}
pcm.!default {
    type asym
    playback.pcm "plug:both"
    capture.pcm "plug:dsnoop:PCH"
}

# Record.
■ ffmpeg -y -f alsa -ac 1 -i sysdefault -f alsa -i plughw:Loopback,1 -filter_complex '[0:a][1:a]amerge=inputs=2' output.flac

# Record input only.
■ ffmpeg -y -f alsa -ac 1 -i sysdefault:CARD=PCH output.flac

# Official example.
■ cat /usr/share/alsa/cards/Loopback.conf

Configuring Mailto in an XDG Environment

Edit: Security features described below have since been incorporated into mutt as the mailto_allow directive.

It’s time to configure your web browser to open mailto links using mutt. You know you want to.

Nimble mutt action.

You also know it’s going to be tricky, as mutt is a command-line program, and command-line programs are like appliances that refuse to die. They work well but don’t match your cupboards from IKEA made from particle board. Still, mutt has a nice trick up its sleeve: it can process mailto arguments on the command line.

mutt 'mailto:mutt-users-request@mutt.org?Subject=Subscribe%20Mutt%20Users'

There is only one problem: Mutt is unable to process every mailto attribute and fails on attributes it does not recognize (like Body).

mutt 'mailto:mutt-users-request@mutt.org?Subject=Subscribe%20Mutt%20Users&Body=subscribe'
> Stopped

[The above mailto link is taken directly from the official mutt mailing list page. Mutt’s fleas have a good sense of irony.]

The solution is to wrap mutt in a script that parses mailto links. Using a whitelist of valid attributes has an added benefit of heightening security, as potentially malicious attributes are automatically discarded.
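The post does not reproduce its wrapper script, so the following is an added example of one (my code, not the author’s): it parses the mailto URI, keeps only a whitelist of fields, maps them to mutt’s ordinary -s/-c/-b options, passes Body through a temporary file with -i, and drops everything else. It assumes the desktop file’s Exec= line hands the URI over as %u, and that mutt accepts “--” to end option parsing, as its synopsis shows.

```python
"""MuttMailto: hypothetical mailto: handler for mutt (added example, not the
original post's script). Whitelisted fields become mutt options, Body goes
in via -i, everything else is dropped before mutt ever sees the URI."""
import os
import subprocess
import sys
import tempfile
from urllib.parse import unquote
ALLOWED = {"subject": "-s", "cc": "-c", "bcc": "-b"}  # mailto field -> mutt option

def parse_mailto(uri):
    """Return (recipients, mutt_options, body_or_None, dropped_fields)."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    addr_part, _, query = uri[len("mailto:"):].partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    options, dropped, body = [], [], None
    for field in query.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        name, value = unquote(key).lower(), unquote(value)
        if name == "body":
            body = value          # newlines are legitimate in a body
            continue
        # CR/LF in a header value would inject extra header lines: strip them.
        value = value.replace("\r", "").replace("\n", " ")
        if name == "to":
            recipients += [a for a in value.split(",") if a]
        elif name in ALLOWED:
            options += [ALLOWED[name], value]
        else:
            dropped.append(name)  # not whitelisted: discarded by design
    return recipients, options, body, dropped

def mutt_argv(recipients, options, body_file=None):
    """Build mutt's argv; '--' ends option parsing so a decoded address
    can never be mistaken for an option."""
    argv = ["mutt"] + options
    if body_file:
        argv += ["-i", body_file]
    return argv + ["--"] + recipients

def main(argv):
    if len(argv) != 2:
        sys.exit("usage: MuttMailto mailto:URI")
    recipients, options, body, dropped = parse_mailto(argv[1])
    for name in dropped:
        print(f"MuttMailto: dropped unsupported field {name!r}", file=sys.stderr)
    body_file = None
    if body is not None:
        with tempfile.NamedTemporaryFile("w", delete=False) as f:
            f.write(body + "\n")
            body_file = f.name
    try:
        return subprocess.call(mutt_argv(recipients, options, body_file))
    finally:
        if body_file:
            os.unlink(body_file)

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```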

Use that script in a desktop file.

cat "$HOME/.local/share/applications/mutt-mailto.desktop"
> [Desktop Entry]
> Type=Application
> Name=Mutt Mailto Handler
> GenericName=MUA
> Comment=Supposedly sucks less.
> Exec=/home/ingvar/MuttMailto %u
> Terminal=true
> MimeType=x-scheme-handler/mailto;
> NoDisplay=true

Inform the desktop environment.

update-desktop-database "$HOME/.local/share/applications"

Make it stick.

xdg-mime default mutt-mailto.desktop x-scheme-handler/mailto

Now you’re cooking with gas.

You Are Managing Passwords Wrong: LastPass and Friends

In an uncharacteristic move, I type now not to my future self but to the entire world. The importance of my announcement justifies this decision: if you use LastPass, your conception of security is wrong. Expert knowledge is not necessary to understand why, and the only postulate to which you must agree is that a chain is only as strong as its weakest link.

I do not use LastPass, though I consider its accessibility and ease of use a boon to the security ecosystem. I even recommend LastPass to others (family and friends with little inclination toward computers, for example). In recommending LastPass, I do not reveal that its foundation is flawed. Such knowledge is irrelevant to the people to whom I recommend LastPass, as these people are not able to customize their window managers. If you are not able to customize your window manager to the point of emulating keypress events from menu items, the remainder of this article will be of little use to you. If, on the other hand, you are, we will be using the following tools:

The end result looks like this (using Openbox):

Qutebrowser is great.
More secure and more versatile than any password service.

The window manager’s main menu is opened, and the password menu (P) is selected. A category is chosen (A), followed by the actual item for which a password is retrieved (A). The final item is an encrypted password file that is decrypted by GNU Privacy Guard, with the resulting password output by xdotool to whatever program currently accepts input. Already, we have uncovered three advantages over LastPass and friends…

  • Works with any program, not just with forms displayed in web browsers with password plugins installed.
  • Fewer entry points. Fewer links in the chain lower the chances of one being weak (the unknown unknowns).
  • Customizable and extendable.

… and one quality that LastPass would like to claim as a disadvantage:

  • Limited to terminals with access to encrypted password files.

I claim this an advantage, because once again, I know that chains are only as strong as their weakest links. Today, it is raining outside. I look outside, and I see clouds overhead. My neighbor sees the same clouds. My neighbor might think those clouds can hold critical documents, but I keep mine locked in a file cabinet in the basement. This is not an issue of trust so much as one of common sense and convenience–because the file cabinet is closer, and tomorrow could very well be a sunny day.

Then again, the whole point of having clouds hold documents is for people to be able to go one town over and still see those documents hanging in the sky. I have had enough of this analogy. If you require access to a critical document on a terminal you cannot trust to store an encrypted password file, you are managing passwords wrong. Use “12345” for those. They are not secure, and no quantity of helmets will protect you from sharks while diving. I am an analogy machine.

Critical documents should only be accessed from terminals you are able to claim as your own. You might think you need your online banking password available on any computer with Internet access, but I bet you could count on one hand the number of computers you actually use. Send money, record secrets, and store nude photographs on your own computers, not on some cloud on a cloudy day.

Then when you have separated cruciality from “12345,” make some noise:

uLength="24"
uCount="50"
for (( u = 0 ; u < uCount ; u++ )) ; do
    # Output is concatenated to maintain continuity of demonstration.
    # For the real deal, use gpg's --output option and forego looping.
    gpg --armor --gen-random 2 "$uLength" >> /mnt/hdd_not_ssd/entropy.txt
done

Look at the randomness. These are your passwords. Break them into variable-length chunks, and store them in files. Don’t let your editor back them up, and remember that extra caution during the setup procedure lasts forever:

echo "set nobackup" >> ~/.vimrc
echo "set nowritebackup" >> ~/.vimrc
vim /mnt/hdd_not_ssd/entropy.txt
# Saved to these:
/mnt/hdd_not_ssd/gmail.txt
/mnt/hdd_not_ssd/japan_net_bank.txt
/mnt/hdd_not_ssd/freenode.txt

Gnome-keyring, python-keyring, and libsecret would only be redundant links in your chain. Do not bother assessing their strengths, because they are superfluous. Instead, concoct a good master passphrase and generate a key with GNU Privacy Guard:

gpg --full-gen-key

Encrypt your password files as soon as possible:

gpg --list-keys
> /home/nosuck/.gnupg/pubring.gpg
> ------------------------------
> pub rsa2048/DEADBEEF 2015-04-01 [有効期限: 2016-04-01]
> uid XXX
> sub rsa2048/LIVEBEEF 2015-04-01 [有効期限: 2016-04-01]
sKeyId="DEADBEEF"
gpg -ear "$sKeyId" /mnt/hdd_not_ssd/gmail.txt
gpg -ear "$sKeyId" /mnt/hdd_not_ssd/japan_net_bank.txt
gpg -ear "$sKeyId" /mnt/hdd_not_ssd/freenode.txt
shred /mnt/hdd_not_ssd/gmail.txt
rm /mnt/hdd_not_ssd/gmail.txt
# ... and so on.

Finally, output passwords through your window manager, using xdotool. Though this link is arguably stronger than even physically typing a password on a keyboard, it is still the weakest in our short and sturdy chain:

pGmail="/mnt/no_longer_matters/gmail.asc"
xdotool type --clearmodifiers --delay 5 "$( gpg -qd "$pGmail" )"

You can also use passwords with programs clever enough to take input from places other than GUI toolkits:

cat ~/.muttrc
> set smtp_pass = `gpg -qd /mnt/no_longer_matters/gmail.asc`
cat ~/.offlineimaprc
> remotepasseval = Password ( "/mnt/no_longer_matters/gmail.asc" )

When you’ve memorized your master passphrase, adjust time-to-live settings for its prompting. The following settings will make gpg-agent require master passphrase input only once per day–not as often as it should, but I have little faith in you. Specify in seconds:

echo "default-cache-ttl 43200" >> ~/.gnupg/gpg-agent.conf
echo "max-cache-ttl 86400" >> ~/.gnupg/gpg-agent.conf

You can also force re-prompts for any subsequent password accesses. This is good to do before leaving your computer unattended. Make this command accessible. Mine is never more than four keystrokes away (the “R” item in the animated demonstration). It is a good idea to force a reprompt on system idle and sleep events, as well:

echo RELOADAGENT | gpg-connect-agent -v

… and that is the optimal convenience you can get out of a truly secure password management system. Password entropy is high; password retrieval is convenient, with the master passphrase required only as often as configured; and the chain of software from password request to password retrieval is as short as feasible.

… and I didn’t even mention LastPass being closed-source as a deal-breaker from the get-go.