Feuerfest

Made by myself https://admin.brennt.net/bl-content/uploads/pages/44e0aefb15224b22617e9f62071dda3f/uuid.jpg

This is a rant about software.

Dear Software-Vendors,
when you write that your software expects an UUID. Then please make sure that YOU actually first understand what a UUID is. Or to be precise: How the syntax of an UUID looks like and what it tries to achieve (the semantic of a UUID so to speak).

This is a UUID: 550e8400-e29b-11d4-a716-446655440000

That is: EIGHT DASH FOUR DASH FOUR DASH FOUR DASH TWELVE.
Repeat after me: 8-4-4-4-12

All those numbers are represented by strings consisting of hexadecimal characters. Meaning each and every character can either be 0-9 or a-f (NOT a-z because that wouldn't be hexadecimal).
There is no "It has to be a 3 at the seventh position". No. All hexadecimal, all random. Well.. In UUID v4 at least. But for the sake of ranting I won't go into detail here.
You can accept upper and lowercase but that is not allowed to matter.
Similarly like upper-/lowercase in emailadresses doesn't matter.

If you request an UUID of: 9-3-4-4-12

AND/OR

expect the first character to be an upper or lowercase character

AND/OR

you accept characters from A to Z...

Then you should be ashamed and I have no words left for you.

If you then follow up with: "But it's for sEcUriTy! z0mg!" No. Just no. Stop that. Seriously.
That's just your carefully chosen incompatibility (to keep your users nicely tucked in your software ecosystem) and FUD (Fear, uncertainty and doubt). But nothing else.
Also you just broke every single tool out there which verifies and checks UUIDs. Which actually comes in very handy in.. Uhm.. Software-Security? Like you know.. Don't use the same UUID twice, etc. Or Code-Linting tools and the like - which are part of the OPERATIONAL security of your customers.
So please: Stop that BS. Seriously.

Please: Don't be that kind of software vendor. Thank you, please make sure to visit my TED-Talk. 😂

Don't get me wrong: You can make up your own unique identifier syntax. But then: DON'T call it UUID! That name is standardized world-wide with the OSF, IETF, ISO and probably many other important standardization organisations.
Instead: Feel free to create a new one of this lovingly VS3LA's (Vendor specific 3 letter acronyms) which every software vendors seems to like..
Then at least every IT person will know that we are talking about something different.

Photo by cottonbro studio: https://www.pexels.com/photo/man-observing-woman-through-doorway-8626372/

When Apple introduced the AirTag (see Wikipedia) it was primarily marketed as a "Find your device/stuff" product. Allowing you to locate the item to which the AirTag is attached, even when it's hundreds of meters (or kilometers) away. As long as there is some Apple device which receives the Bluetooth signal and forwards this to the Apple servers, you will have the location of the device. Of course, depending on time passed and location it can be inaccurate. But in our connected world it's likely that some device will pick up the signal again and you'll have up-to-date location information.

Additionally AirTags can produce a sound, so that you can get a audio hint on where the device is.

AirTags do have many useful cases. From tracking your stolen bike (if you hide some AirTag on/in it), to locating your lost luggage at an airport.. Even pets! Sure this is useful. But sadly.. The principle of dual usability is real and hence even in the beta phase Apple already rolled out a feature that allowed you to view all AirTags in your vicinity. As the potential for illegitimate usages was too high, to simply ignore it. After all.. Watch someone retrieving money at an ATM, occasionally bump into this person and put an AirTag into the jacked of that person. And then just follow and wait until this person is in some place where there are no cameras and/or eyewitnesses. Or think about the whole stalking and Online-Dating problem.

No, AirTags can be a security and privacy disaster. I'm sure many of you have read the story about Lilith Wittmann, who used an Apple AirTag to uncover an office of a secret german intelligence agency (article on appleinsider.com) or read the original german article, published by herself, here: Bundesservice Telekommunikation — enttarnt: Dieser Geheimdienst steckt dahinter.

Ok, so Apple has this feature included in iOS for it's phones/tablets, etc. - What about Android?

Good things first: Apple and Google recognized the threat and are working together towards an industry specification which aims to put an end to stalking via AirTag and similar devices. But, as this has just been announced in May 2023, it's still too early to have produced any meaningful results (sadly).

Apple press release: https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/
Google blog post in their security blog: https://security.googleblog.com/2023/05/google-and-apple-lead-initiative-for.html 

Well, Android being the fragmented Android market it is, not every manufacturer has such an option included. I know that Google Pixel devices have such a feature. And I was told Samsung and OnePlus phones too. But there are many other Android versions around. And: What about custom ROMs? I use LineageOS on my OnePlus phone and wasn't able to find such a feature. That's why I searched for an app that does this for me, and was pleasantly surprised to find one.

AirGuard is even released for iOS and there it's also able to find trackers which Apples feature won't detect. So.. I guess this is a recommendation to install this app on iOS too.

Introducing AirGuard

AirGuard is an Android app, developed by the Secure Mobile Networking Lab (SEEMOO) which is part of the Technical University of Darmstadt - specifically their computer science department. You may have heard from them occasionally as they regularly find security vulnerabilities in Apple products and do a lot of research on Bluetooth and Bluetooth security. The neat point? AirGuard is OpenSource, it's code is being published on GitHub. This allows me to install the App using F-Droid (which only offers OpenSource apps).

The icing on the cake? It can not only track Apple AirTags, but Samsung SmartTags and Chipolo Tags too.

From here it's just a normal app installation. Allow the app to use Bluetooth, disable battery saving mechanisms (so it stays active while being executed in the background) and that's it.

As I own no AirTag or similar device I can't test it, but I will update this article when I was able to test this.

If you want to stay up-to-date with the development, there is a Twitter account for that: https://twitter.com/AirGuardAndroid

Photo by Pixabay: https://www.pexels.com/photo/black-android-smartphone-on-top-of-white-book-39584/

Too Long;Didn't Read (TL;DR):

You can omit the steps listed below. If your 2FA/OTP App allows to specify the secret key, type, algorithm and interval use the following settings for LinkedIn:

Type: TOTP
Number of digits: 6
Algorithm: SHA1
Interval: 30 seconds

Original article

I try to enable Two-Factor-Authentication, or 2FA in short, on any of my accounts that supports it. But: I dislike it, when the 2FA-Codes are sent via Mail or SMS. This is just too insecure as both can be intercepted. And personally I would go so far to say "SMS & Mail isn't a valid & secure second factor." As there are too many reports how scammers and phishers intercept SMS or mails. Yet many companies still default to this. LinkedIn too.

Therefore I wanted to switch to my Authenticator App of choice: FreeOTP - https://freeotp.github.io/
The source code is on GitHub: https://github.com/freeotp

It is completely OpenSource (sponsored by RedHat) and even available in the alternative Android App-Store F-Droid, which only offers Apps which can be build completely from source.

As naive as I am sometimes I thought it's just the following steps:

1. Enable 2FA in my LinkedIn profile
2. Provide password to authenticate
3. Scan the QR-Code in FreeOTP
4. Enter the generated code to verify it works
5. Generate & Save the backup keys in my password manager

But not so on LinkedIn. They don't display a QR-Code. Well.. To be precise. They did. Before Microsoft bought LinkedIn. After that this changed. Nowadays they only display you the so-called secret key (encoded in Base32) and that's it.
Then LinkedIn tells you to install the Microsoft Authenticator App, while mentioning, that you can, of course, use any other Authenticator App.

The problem? The described workflow on what to do with that key only works in the Microsoft Authenticator App.
Side-Note: Someone told me Google Authenticator should be able to use that code too. But I can't verify this.

LinkedIn gives you absolutely no additional technical information.

• No otpauth:// URL
• No information if TOTP or HOTP must be used
  • Well, to be fair, we can safely assume it's TOTP.
• Which algorithm must be used?
• What is the lifetime (interval) of the generated codes?

Nothing. But this is what I need with FreeOTP. I tried a few combinations, but had no luck.

So I resorted to the Linux command-line.

1. Enable 2FA in your account until the secret key is displayed
2. Install qrencode (or use one of the available Web-Generators for QR-Codes at your own risk)
   • Source Code is here: https://github.com/fukuchi/libqrencode but every major Linux distribution should have a package available
3. Build the following string: otpauth://totp/LinkedIn:MyAccount?secret=KEY-YOU-GOT-FROM-LINKEDIN
   • All in one line, no spaces at the end, no enter.
   • You can change "MyAccount" to something more meaningful like your mail address
   • Example: otpauth://totp/LinkedIn:JohnDoe@company.tld?secret=U4NGHXFW6C3CLHWLQEVCBDLM5FQMAQ7E
4. Paste that string into a textfile.
   • Again, no enter or spaces at the end
5. Execute: qrencode -r /path/to/file.txt -t png -o /path/to/image.png
   • This will generate a PNG-Image at the location specified by the -o parameter
   • -r is the input file containing the string
6. Display the QR-Code and scan it with FreeOTP
7. Verify the code works
8. Generate your backup keys and save them in your password manager
9. Profit!

Some documentation regarding the otpauth:// URL, it's syntax and the parameters you can use is available in the old Google Authenticator repository on GitHub: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
(Google Authenticator once was OpenSource too, but sadly isn't any more.)

And while at it, I created the corresponding GitHub Issue for the FreeOTP project #360 [Feature-Request] Allow adding of entries by just specifying label & secret to properly take care of this nuisance. ;-)

Lessons learned

FreeOTP assumes the algorithm of SHA1 and an interval of 30 when these parameters are not part of the otpauth-URL. Choosing these works out of the box and I can omit the QR-Code step this way.

Photo by Tima Miroshnichenko: https://www.pexels.com/photo/close-up-view-of-system-hacking-in-a-monitor-5380664/

This was a question which came up recently and while I could have given the answer based on my experience where these two strings commonly occur, I never really researched the initial origin.

Turns out rc has quite a heritage. Quoting from the Indiana Universities Knowledge Base:

runcom (as in .cshrc or /etc/rc)

The rc command derives from the runcom facility from the MIT CTSS system, ca. 1965. From Brian Kernighan and Dennis Ritchie, as told to Vicki Brown:

"There was a facility that would execute a bunch of commands stored in a file; it was called runcom for "run commands", and the file began to be called "a runcom". rc in Unix is a fossil from that usage."

Note: The name of the shell from the Plan 9 operating system is also rc.

And then I learned about the Plan 9 OS of which I've never heard before: https://en.wikipedia.org/wiki/Plan_9_from_Bell_Labs

For .d there is not a real distinctive answer. It seems the common consensus is that it originated from /etc/rc?.d as to have a directory for runcoms and to distinguish it from a normal daemon configuration file - as these are typically stored under /etc. And/or to prevent naming-problems, as files & folders can't share the same name under Unix/Linux the .d as indicator for a directory was added.

And from there this mechanism was used for other daemons as well. What seems to have started as /etc/rc1.d, /etc/rc2.d, etc. as a way to separate runcoms to be executed on different runlevels, became commonly used today for the configuration of daemons/services.

Today a something.d directory holds configurations files for the something daemon. The advantage is that you are able to split your configuration in different files. Making it, for example, easier to deploy only certain files to certain hosts via your configuration management tool of choice (Puppet, Ansible, Chef, etc.). Additionally it's easier to spot configuration errors in a relatively small than in one big "contains it all"-file.

Photo by Monstera: https://www.pexels.com/photo/woman-holding-book-with-blank-pages-6373293/

When creating links in TinyMCE the link-plugin is configured to open links in the current window. As this is the default setting. However I don't like this and changed it every time. And when you change something every single time, you should just make it your new default.

Luckily TinyMCE has good documentation about every plugin. So we learn about the default_link_target parameter we can utilize to achieve exactly this.

We open the bludit-folder/bl-plugins/tinymce/plugin.php file and search for tinymce.init. Then we add the default_link_target: '_blank' parameter at the end of the list. Don't forget to add a semicolon behind the formerly last parameter.

In the end it looks like this:

        tinymce.init({
                selector: "#jseditor",
                auto_focus: "jseditor",
                element_format : "html",
                entity_encoding : "raw",
                skin: "oxide",
                schema: "html5",
                statusbar: false,
                menubar:false,
                branding: false,
                browser_spellcheck: true,
                pagebreak_separator: PAGE_BREAK,
                paste_as_text: true,
                remove_script_host: false,
                convert_urls: true,
                relative_urls: false,
                valid_elements: "*[*]",
                cache_suffix: "?version=$version",
                $document_base_url
                plugins: ["$plugins"],
                toolbar1: "$toolbar1",
                toolbar2: "$toolbar2",
                language: "$lang",
                content_css: "$content_css",
                codesample_languages: [$codesampleConfig],
                default_link_target: '_blank'
        });

And now generated links will per-default open in a new window.

Photo by Pixabay: https://www.pexels.com/photo/computer-c-code-276452/

Bludit offers syntax highlighting via TinyMCE and it's codesample plugin, which you have to enable in the TinyMCE plugin settings first. But it offers only limited support. No Bash, no Puppet, no Perl and so on. Also I wanted line numbering when in code blocks for easier orientation. This is also not included.

The Prism.js library however offers support for many more languages and also some nice Plugins. For example for line-numbering.

To make everything work, the following tasks are necessary:

1. Download & install the Bludit-Prism Plugin from here: https://plugins.bludit.com/plugin/prism
2. Replace prism.js and prism.css files included in this Plugin with newer ones from https://prismjs.com/
   • As the one included in the Bludit Prism-Plugin only has support for: HTML/XML, JavaScript, CSS, PHP, Ruby, Python, Java, C, C#, C++
3. Add our new languages to the codesamples config in the TinyMCE plugin config. This will add them in the dropdown-menu when inserting a code-sample block
4. Edit the plugin.min.js file from the TinyMCE codesample plugin to automatically included the line-numbers plugin into the HTML pre-element.
   • Found this solution here: https://github.com/tinymce/tinymce/issues/2771#issuecomment-232910444

For a general overview, and a little bit of background why the Prism plugin was created, see this link: https://forum.bludit.org/viewtopic.php?t=1818

As I'm somewhat new to Bludit I can't assess if this is the best approach. But for me it works. ;-)

EDIT: The code changes in point 7 are not needed anymore if you follow my newer solution described here: A better approach to enable line-numbers in Bludit code-blocks

1. Download & install the Bludit-Prism Plugin from here: https://plugins.bludit.com/plugin/prism
   • Then activate it on the Bludit Plugins page
2. Download prism.js and prism.css from https://prismjs.com/
   • Include all languages and plugins you need
   • Note: You need to use the JS and CSS-file from the same generation! You can't mix features or versions.
3. Go to: bludit-folder/bl-plugins/prism and make a backup copy of the original files

   • mv js/prism.js js/prism.js.backup
     mv css/prism.css css/prism.css.backup
     

4. Download new prism.js and prism.css and put into the correct folders
5. Go to: Plugins -> TinyMCE -> Codesample languages and add your new languages, in my case:
   • Bash sh|RegEx regex|Puppet puppet|Perl perl|Python python|HTML/XML markup|JavaScript javascript|CSS css|PHP php|Ruby ruby
   • Unrelated side info: This will be written in the file bludit-folder/bl-content/databases/plugins/tinymce/db.php. I was just curious how/where this change is persisted.
6. Now you will have syntax highlighting. But only in the generated HTML files, not in the TinyMCE code-blocks!
7. To automatically include the line-numbers plugin from Prism.js we need to include the "line-numbers" class into the pre-element. This is done in the following way:
   • Open: bludit-folder/bl-plugins/tinymce/tinymce/plugins/codesample/plugin.min.js
   • Search for <pre and in the class property add line-numbers. It should now look like this: t.insertContent('<pre id="__new" class="language-'+a+' line-numbers">'+r+"</pre>")
   • A little after that pre you will also find t.dom.setAttrib(e,"class","language-"+a), add the line-numbers class in there too, it should look like this: t.dom.setAttrib(e,"class","line-numbers language-"+a)
   • Again, thanks to this comment on GitHub: https://github.com/tinymce/tinymce/issues/2771#issuecomment-232910444
8. Keep in mind: As Bludit is a static file generator, your previously generated pages won't get this automatically. Here you will have to edit the pre-element manually.

If you are interested in some examples, have a look at this page: https://admin.brennt.net/syntax-highlighting-test with line-numbering and without, etc.