More Zonkyness

Unicode Passwords?

Apr 062017

One of the possibilities when setting a password is to use non-ASCII characters, such as ¨þ¨ (that is a thorn). Well perhaps something a little more secure than just a single character.

But just how sensible is it?

The first thing to bear in mind is that you need to be able to enter the password reliably in all circumstances. A tale from the mists of time: I once set a root password on a Unix machine that included the ¨@¨ character, which normally worked fine but failed on the system console because on that terminal the old Unix tty was still active and ¨@¨ would erase a line, making it impossible to enter the password.

Fortunately I realised what the problem was before it became more than a little annoying.

But the point still remains – if you cannot type a password, you cannot authenticate. So for passwords such as firmware passwords, system encryption passwords, or normal computer account passwords, a password containing Unicode characters is probably a very bad idea.

But for when you have full control over your computer(s), such as for web account passwords, a password containing Unicode characters is worth considering.

So how safe is a password containing a Unicode character anyway? Well, on my usual password cracking machine, john the ripper is unable to crack the password ¨þ¨ in approximately 24 hours. Of course that is a bit of a cheat as john the ripper does not by default check Unicode characters, and if it did it would be able to crack a one character password. But it would take longer; adding Unicode characters increases the space that john the ripper needs to search in order to find your password.

And perhaps more importantly makes it less likely for a password guesser (Hydra for example) to be successful.

So if you normally use a password such as thistlethinthorn, changing it to þistleþinþorn is worth considering. Or indeed changing the separator between words in a multiword password to a Unicode character: thistle☠thin☠thorn, or red¡whistle¡wheel.

Increasing the Size Of HTML Emails In Claws Mail

Computing, Working Notes No Responses »

Apr 032017

Since getting a HiDPI screen, I have been plagued with claws mail merrily doing the right thing with proper emails, but showing HTML emails at a tiny size.

Whilst it doesn’t appear to be a preference you can change in the normal way, there is a zoom variable you can change within the Claws preferences file. Quit claws, and edit ~/.claws-mail/.clawsrc and scroll down through the file until you find the “[Fancy]” section :-

[fancy]
enable_images=1
enable_remote_content=1
enable_scripts=0
enable_plugins=0
open_external=1
zoom_level=100
enable_java=0
enable_proxy=0

Change the “zoom_level” to a suitable percentage (such as 200).

Westminster Attacker: Cowardly, Pathetic, and Incompetant

Politics No Responses »

Mar 232017

It may be a bit early to comment in this way with 5 dead, and 40 injured after the attack in Westminster yesterday.

But it could easily have been so much worse.

For those who are not aware, every afternoon Westminster is crawling with hundreds or thousands of pedestrians. Any half-competent attacker armed with a vehicle would have a hard job keeping the casualty figures down to 50-odd.

And then to leap out of a hired car armed with a couple of knives just makes the attacker look pathetic.

Yes this is the worst terrorist attack in London for a decade – which just goes to show just how little terrorism there really is.

Yes there were deaths and terrible injuries, but to me it seems that mocking the attacker is an appropriate reaction.

If you look at recent terrorist attacks in Europe, most of the terrorists turn out to be pathetic petty criminals, and it won’t surprise me if this latest attacker also turns out to be a petty criminal. He’s certainly cowardly, pathetic and incompetent.

The New Defence

Programming a TiPro in a Virtual Machine (VirtualBox)

Computing, Keyboards No Responses »

Mar 182017

The TiPro programmable keyboards are quite fun for those who are into their keyboards, but with one big problem: the programming tool is Windows only. Well at least if you happen to have a USB-based TiPro; otherwise you need to set up the serial interface as the PS/2 interface is only usable for programming with a 32-bit Windows.

As it turns out, if you try to run it under a virtual machine and assign the USB device of the keyboard to the virtual machine, it still fails – somehow it doesn’t like staying assigned to the virtual machine. However there is a fix for this – using the command-line VirtualBox tools to set up a permanent USB filter.

To assign, first of all determine the name of your virtual machine with :-

VboxManage list vms

Next, add a USB filter – you can normally assign it to “slot” (or index) 1, but you may have to check what slots are available if you already do this :-

VBoxManage usbfilter add 1 --target "W10" --name TiPro --vendorid 0x1222 --productid 0xfaca

Once that is done, the Windows tool should be able to find the keyboard to start programming it. If necessary, reboot the virtual machine or try assigning the USB device via the menu option.

During programming it is helpful to remember than raw USB HID codes can be used by right-clicking in the input field for a key, selecting “Text Input” and inputing the code in the form “/${hex hid code} ${hex hid code}\” – such as “/69 69\” (a list can be found at: http://www.usb.org/developers/hidpage/Hut1_12v2.pdf)

Removal at the end:

VBoxManage usbfilter remove 1 --target "W10"

After the removal it seems that disconnecting and reconnecting the device is necessary for Linux to pick it up (or possibly a udevadm trigger).

GCHQ Spying On Trump?

Politics No Responses »

Mar 182017

There is a media commentator (Andrew Napolitano) in the USA who has solved the mystery of who was spying on Trump during the election. Apparently it was GCHQ after being asked to by Obama. If it had remained just a commentator on Fox News which is well known for letting kooks, weirdos, and the generally insane spout all sorts of garbage, that would have been it.

But Sean Spicer then repeated the claims in a White House briefing.

And GCHQ have denied it.

But can we believe them? In this case almost certainly.

There is a very long standing convention within British intelligence agencies of neither confirming nor denying any action. Refusing to comment no matter how embarrassing is better than being caught in a lie, so the extremely unusual denial by GCHQ is believable because it is so unusual. But there’s more.

Firstly, Obama as president didn’t have the phone number of GCHQ (which is after all a British agency). A request from the president directly to GCHQ would probably be (and should be) answered with something along the lines of “Wrong number pal”. If he wanted to make a surveillance request it would go to the NSA who would then make an inter-agency request to GCHQ.

Which would of course result in a very secret paper-trail.

And if the request did make it through to GCHQ, the only surveillance data they are likely to have access to is international data (phone calls, Internet, etc) from Trump Tower to places abroad (with probably particularly good capture rates when passing through Europe). Which may well be of interest, but to actually put surveillance equipment inside Trump Tower?

That’s the job of a domestic intelligence agency, and whilst GCHQ could get involved in such an operation on foreign soil (and probably have), it is exceptionally unlikely in this case because it would put the intelligence co-operation agreements between the US and the UK at risk.

Whilst believing statements of an intelligence agency is a risky business, in this case it is probably true that GCHQ had nothing to do with any supposed surveillance of Trump Towers given the number of reasons why GCHQ wouldn’t be involved.

Older Entries Newer Entries