Archive for the ‘Networking & Security’ Category

To get secure access to internal networks, one usually employs one of the many variants of a VPN. When connecting from a normal computer, you can install basically whatever VPN client you wish. On devices such as smartphones, however, the number of supported VPN technologies is usually limited, and on closed platforms such as Apple's iDevices you cannot add VPN software yourself, contrary to Android.

In this post, I’ll explain how to set up an IPsec (without L2TP) tunnel endpoint on an Ubuntu server, capable of handling an iPhone/iPad/iPod/iWhatever. The users will be authenticated against an LDAP directory.

Continue reading ‘iPhone compatible IPsec VPN on an Ubuntu server, with LDAP authentication’ »

dd-wrt has built-in support for a whole list of Dynamic DNS services. Unfortunately, it only supports HTTP-based services. I use a standard RFC 2136 dynamic DNS update instead. Here's how to add nsupdate support to dd-wrt.
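As an added example (not code from the original post), this is the kind of TSIG-signed RFC 2136 update that nsupdate can send from the router once it is installed. The names router.example.com and ns.example.com, the zone example.com, the key name ddns-key and the secret are placeholders; the WAN address is read from dd-wrt's nvram. The address is sanity-checked first so that a junk value from the router never ends up in the zone, and the old A record is deleted before the new one is added so that a changed address replaces the stale record instead of accumulating next to it.

```shell
#!/bin/sh
# Added example, not code from the original post: a TSIG-signed RFC 2136
# update of the kind dd-wrt's HTTP-only DDNS client cannot send.
# router.example.com, ns.example.com, zone example.com, the key name
# ddns-key and the secret are placeholders (the secret is a dummy).

# nsupdate_batch FQDN IP TTL SERVER ZONE KEYNAME SECRET
# Prints the batch that nsupdate reads on stdin. The delete precedes the
# add so a changed WAN address replaces the stale A record rather than
# leaving two A records behind.
nsupdate_batch() {
    fqdn=$1 ip=$2 ttl=$3 server=$4 zone=$5 keyname=$6 secret=$7
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    # "key NAME SECRET" signs the request with TSIG (HMAC-MD5 in older
    # BIND; newer nsupdate also accept "key hmac-sha256:NAME SECRET").
    printf 'key %s %s\n' "$keyname" "$secret"
    printf 'update delete %s. A\n' "$fqdn"
    printf 'update add %s. %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
}

# valid_ipv4 ADDR: 0 when ADDR is a dotted quad with octets 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;   # only digits and dots allowed
    esac
    oldifs=$IFS; IFS=.
    set -- $1                       # split on dots into $1..$n
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Push the current WAN address. "nvram get wan_ipaddr" is how dd-wrt
# exposes it; nsupdate is the binary the post adds to the router.
ddns_update() {
    ip=$(nvram get wan_ipaddr)
    valid_ipv4 "$ip" || { echo "ddns: bad WAN address '$ip'" >&2; return 1; }
    nsupdate_batch router.example.com "$ip" 300 ns.example.com example.com \
        ddns-key 'REPLACE_WITH_BASE64_SECRET' | nsupdate
}
```

Call ddns_update from the router's WAN-up script. Because the key secret has to live on the router, restrict what it may change on the name server: in BIND, `update-policy { grant ddns-key name router.example.com. A; };` in the zone statement lets that key rewrite only this one A record, so a key lifted from the router's flash cannot touch the rest of the zone.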

Continue reading ‘Using nsupdate in dd-wrt’ »

Although the big builds of dd-wrt contain IPv6 support, they don't include ip6tables. Hence I chose the mini build (which leaves me the most free space) and added the missing parts myself. I shamelessly used OpenWRT modules to save me the trouble of figuring out how to compile each library. (Unfortunately, my router isn't supported by OpenWRT, so I need to stay with dd-wrt for the base system.)

Continue reading ‘Adding IPv6 support to dd-wrt’ »

Since none of the dd-wrt releases include ip6tables support, I added it myself. The standard kernel does support module loading, so you can add kernel features without reflashing the device. You do need some writable storage: I use the remaining 4MB of flash via JFFS, but external storage (USB, network, …) is also possible.

Since you can’t run a complete build environment on the router itself, you’ll have to set up a cross-compiling environment on your own machine. As I found out, this isn’t always very easy to do…

Continue reading ‘Compiling custom dd-wrt kernel modules’ »

I bought myself a new WiFi router. In the shop, I specifically looked for a router that is supported by dd-wrt and has at least 8MB of flash. I settled for the Linksys WRT320N: it has a dual-band (switchable between 2.4GHz and 5GHz, not simultaneous) 802.11a/b/g/n radio, a 4-port GbE switch and a WAN port. It houses a Broadcom BCM4717 processor running at 354MHz, 8MB of flash and 32MB of RAM.

The default Linksys firmware is actually not bad, but dd-wrt offers a ton more features: multiple SSIDs, IPv6 support (including SixXS tunneling), WAN volume monitoring, custom firewalling, traffic shaping, … So I decided to void my warranty and put my router on steroids! Mandatory note: this may very well turn your router into a very expensive brick.

Continue reading ‘Converting a WRT320N to dd-wrt’ »

I usually don’t just repost other people’s posts, but this one really deserves some extra attention. It explains a very elegant way to hop from host to host using SSH.

Continue reading ‘Hopping from host to host with SSH, automatically’ »

I tried to upgrade my Silverlight plugin from version 3 (3.0.50106.0) to version 4 (4.0.50917.0). I downloaded the DMG, followed the wizard all the way through, restarted Firefox as requested and saw that I was still at version 3… Strangely, Safari did load and use version 4, so the install was successful. So I searched my entire system for some remains of Silverlight 3, without success.

The only place I could find the old version mentioned was in the pluginreg.dat file in my Firefox profile. I just erased this file, and it all magically worked!

Some people seem to be obsessed with long keys for cryptographic purposes. While a longer key does increase its strength, it also decreases performance, and beyond a certain point adding extra bits just isn’t worth it. Bruce Schneier did the calculations in his book Applied Cryptography; I added the conversion to SI units in square brackets. (I’m quoting without permission, under the “review/criticism” and “research/study” exceptions. If the copyright owner does not agree, please contact me.)

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

Given that k = 1.38×10^-16 erg/°Kelvin [1.38 × 10^-23 J/K], and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10^-16 ergs [4.41 × 10^-23 J] every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about 1.21×10^41 ergs [1.21 × 10^34 J]. This is enough to power about 2.7×10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn’t have the energy left over to perform any useful calculations with this counter.

But that’s just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs [10^44 J]. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

The calculations are slightly off; still, they give a very good indication of how far brute forcing can ever go.

When you cycle through all possibilities by incrementing a binary counter, the number of bit changes is higher than one per value. To count up to N, you need N flips of bit 0 (the least significant bit), N/2 flips of bit 1, N/4 flips of bit 2, … Some clever mathematicians proved that 1 + 1/2 + 1/4 + 1/8 + … = 2, so you need about 2N bit flips in total. A 187-bit counter hence requires about 2 × (2^187 − 1) bit flips, roughly 3.9×10^56.

By walking through the values in a smarter order (a Gray code, in which consecutive values differ in exactly one bit) you can halve that to a single flip per value. Computing that order may however cost more energy than you save…
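The counting argument above, carried through as an added derivation (not part of the original post or of Schneier’s text) with the energy figures quoted above, E = 1.21×10^34 J for one year of the sun, E = 10^44 J for a supernova, and kT = 4.41×10^-23 J at 3.2 K:

```latex
% Flips needed to count an n-bit binary counter from 0 to 2^n - 1:
% bit i toggles once every 2^i steps, so
T(n) = \sum_{i=0}^{n-1} \left\lfloor \frac{2^n - 1}{2^i} \right\rfloor
     = \sum_{i=0}^{n-1} \left( 2^{n-i} - 1 \right)
     = 2^{n+1} - n - 2 \approx 2 \cdot 2^n .

% A Gray-code walk visits every one of the 2^n states with one flip per step:
T_{\mathrm{Gray}}(n) = 2^n - 1 .

% With an energy budget E and a cost kT per flip, the largest counter that
% can be cycled through all its values is
n_{\mathrm{Gray}}   = \left\lfloor \log_2 \frac{E}{kT}  \right\rfloor, \qquad
n_{\mathrm{binary}} = \left\lfloor \log_2 \frac{E}{2kT} \right\rfloor = n_{\mathrm{Gray}} - 1 .

% Sun, one year:
\frac{E}{kT} = \frac{1.21 \times 10^{34}}{4.41 \times 10^{-23}} \approx 2.74 \times 10^{56},
\qquad \log_2 \left( 2.74 \times 10^{56} \right) \approx 187.5
\;\Rightarrow\; n_{\mathrm{Gray}} = 187,\; n_{\mathrm{binary}} = 186 .

% Thirty-two years multiplies E by 2^5 and adds exactly five bits: 192 and 191.

% Supernova:
\frac{E}{kT} = \frac{10^{44}}{4.41 \times 10^{-23}} \approx 2.27 \times 10^{66},
\qquad \log_2 \left( 2.27 \times 10^{66} \right) \approx 220.4
\;\Rightarrow\; n_{\mathrm{Gray}} = 220,\; n_{\mathrm{binary}} = 219 .
```

So the quoted 187 bits for the sun is what you get with one flip per value, and the quoted 219 bits for the supernova is what you get with two; either way the difference is a single bit, which is why the conclusion about 256-bit keys is unaffected.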

Sometimes you want to manually alter the caching behaviour of Linux. Making sure all written data is committed to disk is done by the sync command. If you also want to drop the caches used for reads (the page cache, dentries and inodes), you need to go deeper into the system:

echo 3 > /proc/sys/vm/drop_caches

Writing 1 drops only the page cache; 2 drops the dentries and inodes; 3 drops both. Only clean cache entries are dropped, so run sync first if you want dirty pages gone as well.
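The two steps wrapped into one function, as an added example that is not from the original post: it validates the level, runs sync first (drop_caches discards only clean entries, so dirty pages survive a flush without it), and checks that the control file is writable, which it will not be for an unprivileged user. The DROP_CACHES variable is an assumption introduced here so the function can be exercised against a temporary file without root.

```shell
#!/bin/sh
# Added example, not from the original post. drop_caches only discards
# *clean* cache entries; dirty pages are skipped, so a flush without a
# preceding sync leaves whatever has not been written back yet.
# DROP_CACHES is overridable so the function can be tested without root.
DROP_CACHES=${DROP_CACHES:-/proc/sys/vm/drop_caches}

# drop_caches LEVEL   (1 = page cache, 2 = dentries and inodes, 3 = both)
drop_caches() {
    case $1 in
        1|2|3) ;;
        *) echo "usage: drop_caches {1|2|3}" >&2; return 2 ;;
    esac
    if [ ! -w "$DROP_CACHES" ]; then
        echo "cannot write $DROP_CACHES (run as root)" >&2
        return 1
    fi
    sync                        # commit dirty pages so they become droppable
    echo "$1" > "$DROP_CACHES"  # the write itself triggers the drop
}
```

Run the script as root rather than prefixing the echo with sudo: with `sudo echo 3 > /proc/sys/vm/drop_caches` the redirection is done by your unprivileged shell and fails. Dropping the caches is non-destructive, but it is meant for benchmarking with cold caches, not for regular operation.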

There has been a lot of FUD lately about the privacy of your browser history. JavaScript can detect which URLs you have visited, by styling links with :visited and reading the computed style back, and act on it. That ranges from a useful script that only shows the social networks you actually use, to a site that lists your history. However, nothing stops that JavaScript from “calling home” with the information.

I too was a bit worried about this potential privacy breach. Obviously there are several solutions and workarounds:

  • Systematically clear your browser history
  • Use a sort of private browsing mode
  • For Firefox: set layout.css.visited_links_enabled to false in about:config. This disables visited-link styling entirely, so you won’t be able to see which links you’ve already visited either
  • For ancient Firefox 2.0: SafeHistory extension