Choose color scheme

About the Author

544 Posts By ben

  • Poor man’s 2FA: a simpler 2-factor authentication mechanism for SSH

    The problem with PAM based 2FA:
    • PAM does not get called when the SSH daemon does key based authentication. So your 2FA there only works with password authentication. This might be something you want but maybe not.
    • A PAM module based solution to 2FA is harder to implement
    The solution: Poor man’s 2FA!

    It is possible to add the ForceCommand directive to your sshd_config. Like the name suggests it simply runs a command after authentication and before the shell is spawned. This is a good spot to add an extra check, say another factor for authentication.

    The code:
    trap "echo "I'm sorry Dave. I'm afraid I can't do that."; sleep 1 ; kill -9 $PPID ; exit 1" 2 20
    code=`od -a -A n /dev/urandom | head -2 | tr -d ' ' | tr -d 'n' | sed 's/[^a-zA-Z0-9]//g' | awk '{print substr($0,1,5)}'`
    echo -e "Subject:$code\nFrom:root@server <>\n2FA code in subject" | sendmail
    read input
    if [ $code = $input ];
        `awk -F: '($1 == $LOGNAME) { print $7 }' /etc/passwd`
    kill -9 $PPID

    That’s it really, save this to an executable file, replace the obvious variables and ForceCommand its ass.

  • Avoid getting tracked in a datamining society

    Welcome to the information age! Memory is cheap, millions of records are copied in the snap of a finger and everybody wants your information. This is called data-mining and everybody is doing it essentially to better advertise to you. These databases of your facts & habits are often sold and even hacked. It is time to ponder how little control you have over your own information. And when you do so, think not only about the information you give but above all about the information that can be inferred from it.

    Compiled bellow is a list of tips for avoiding getting tracked in modern society. They range from simple good practice to paranoia. Obviously you could go live as a hermit in the woods and be untraceable. Feel free to comment on anything I missed and I’ll add to the post.

    Day to day life

    • Broadcast the least information possible. Does your state require license plates in the front & rear? 19 states don’t, google them. Police cameras automatically scan all the license plates they see, why double your chances? Your license plates are also often recorded when you drive through tolls.
    • Pay everything in cash, credit/debit card transactions can easily place you in space and time. Moreover, encoded in the magnetic stripe is your name, stores know everything you buy and when you buy it. This is pant creaming data for the marketing geniuses trying to figure out ways to make you consume more.
    • Avoid customer rewards programs. An even better way to tie information back a a customer that might use multiple methods of payment. Still want the sweet deals? Don’t use your real info when signing up, or just don’t sign up, the cashiers often have default cards to scan.
    • Avoid mail-in rebates. They are nothing more than a way for you to sell your information.

    I.T. life

    This is a dense section, no surprise this is where most data mining occurs.

    • Don’t let email load remote content

    This is commonly used as a way to know if you’ve opened the email, at what time you opened it, where you opened it from (IP geolocation) and what your email client was. The technical explanation is that some email have HTML formatting with images included. These images can be embedded in the email itself or referenced to a remote server. In the later case, the remote server will for example enable PHP parsing for JPEG files, execute code to track you and then feed the image to the email client which never had a clue it was loading a “special” image. This is all transparent to the user and the email client.

    • No smartphone GPS tracking

    Let’s take an example: you enable Google Latitude on your cell phone to share your location with friends and get to know fun facts about how much you travel. The information you give Google are geographic coordinates, the informations inferred from it are where you live, where you work and whether or not you pull your 40 hours a week there.

    • Let’s go further: no smartphones at all!

    Apple’s Iphones and Google’s Android phones gather location information WHETHER YOU WANT IT OR NOT. That’s right, you can turn off GPS all you want your phone still recurringly reports back to Apple & Google telling them not only where they are but also which other wireless devices they see around.

    More info here from the most excellent Samy Kamkar.

    The tech giants are involved in a major data gathering process where they use you to create a comprehensive map of the wireless spectrum. This is both an awesome project using crowdsourcing to accomplish a daunting task & a scary invasion of privacy. Because it doesn’t ask you, and because you take it home and so it reports your wireless router and so now everytime you use a regular computer connected to said router, they know exactly where you are. It is scary because even if you could turn it off, others around you are passively reporting your location.

    • Even further? no cell phones! your location can be triangulated from cell towers.
    • Forget social networks, even if you use fake information. Sooner or later, your contacts, something you said, someone that said something about, will be traced back to your real self.
    • Remove EXIF data from the pictures you distribute online, especially if they were taken with smartphones.
    • SSL encryption, SSL everywhere. In fact any time you configure a connection (IMAP, FTP, HTTP) make sure that it uses an encrypted mechanism. The number of network taps are growing and you don’t want to make the job easier on them.
    • Review pictures you distribute online for license plate numbers, bills laying on tables and other identifiers.
    • A strong firewall not just for incoming traffic. Nowadays devices are very noisy, from Bonjour to checking for updates the packets coming out of your network interfaces without your knowledge are plentiful and growing. And every time to send a packet out, your presence is known. A firewall with rules on outgoing traffic is a good idea to keep unwanted traffic to a minimum.
    • Don’t give your email address to anyone that asks for it, use services like or even better yet, get a new email account every time. This way if they sell your information you will know right away since you only have 1 email account per company. You can then check they EULA and see if maybe they boast of not selling your information, Make them accountable! On a side note Gmail offer the capability of adding a plus (“+”) following by a string of your choosing to your regular email address. For example if your email address is, Gmail will also accept mail to This way you can segregate mail by company with the convenience of having it all go to the same account. The caveat to that is that “+” is often considered as an invalid character in an email address even though it is a valid character.
    • Adblock is one of the best plugin for your web browser (Firefox or Chrome). It removes ads thus significantly enhancing your browsing experience. By negating traffic to advertisement servers, you are denying their chance to data mine the crap out of you. Browser fingerprinting is one of many techniques used with an argument often made that the combinations of browser related software are so plentiful that your browser can be uniquely identified. Permanent cookies are also used to keep an eye on your web whereabouts.

    And even if you follow all these steps, you are not 100% untraceable online.

    The path of maximum sheep

    Finally, for when you have to give information, try and be a generic & blend as possible.

    • Your name is needed to sign up for something? John Smith.
    • Need a new car? White Honda Civic, no bumper stickers, no vanity plates.
    • Gotta find a new name for a PC? Linksys.
    • Need a username for that shitty forum? User2656, don’t use the one you use everywhere else or one thing leading to another, it can most likely be tied to your real identity.
  • Python SNMP simple example to get 1 OID

    Because it took me forever to piece this simple code together

    import netsnmp
    session = netsnmp.Session( DestHost='', Version=2, Community='public' )
    vars = netsnmp.VarList( netsnmp.Varbind('.') )
    print( session.get(vars) )
  • Shell scripting – updating a file holding a counter

    counter=`cat /tmp/counter` ; echo "$counter+1" | bc > /tmp/counter

    note that loading the /tmp/counter into the variable is a necessary indirection, the following:

    echo "`cat /tmp/counter`+1" | bc > /tmp/counter

    would not work as the output redirection gets triggered before the cat gets a chance to happen, so the file is emptied too early.

  • Datasets!

    Here are a bunch of datasets accumulated over the years for different projects, have fun with them! If you have something to augment this list with, let me know.

    U.S. zip codes

    basic english words

    condensed english words

    english dictionnary

    miscellaneous easy to type

    star trek references

    first names

    significant numbers

    common passwords


    king james bible words

    book of mormon words

    koran words

    U.S. counties

  • Trip to a new life

    Not a whole lot of cell coverage in Wyoming & Nebraska :)

  • Adding an Endace card to Symantec’s DLP

    I decided to publish this hack as I could not find an iota of information about getting an Endace card working With Symantec’s DLP (previously Vontu) on RedHat.

    After you’ve installed the module for your Endace card, you recycle your sensor and are confronted with the following error message:

    Endace DAG driver is not available
    Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.

    A look at /var/log/Vontu/debug/PacketCapture.log yields:

    ERROR PacketDriverFactory - Driver Dag is unavailable: cannot open shared object file: No such file or directory [PacketDriverFactory.cpp(423)]

    do an


    You will notice you just compiled a version more recent than As it turns out, Symantec DLP v11.0 does NOT know how to use the generic nor the latest you just compiled. I’ve tried many tricks mostly with symlinks and I just couldn’t get it to use

    Hold on to your pants as I explain the unholy hack that made it work:

    edit /opt/Vontu/Protect/lib/native/ , this is a binary file so using a hex editor is a good idea although vi works fine. Also, do respect placement very carefully, you will be changing 1 character and 1 character only.

    search for and replace its 3 by a 4.

    Recycle your server again and it should be happy about life :)

  • Spamassassin stats

    54.46% of all emails received on akrin so far got flagged as spam by the excellent Spamassassin. This is actually not too bad compared to high profile mail service providers.

    1 email that takes the cake is with a spam score of 42.2 (anything above 4 is not relayed):

    Return-Path: <>
    Received: from ( [])
    From: "Chase bank" <>
    To: <>
    Subject: urgent security notification for client!
    X-Spam-Level: ******************************************
    X-Spam-Status: Yes, score=42.2 required=5.0

    Content analysis details:

    pts rule name              description
    ---- ---------------------- --------------------------------------------------
    2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in [Blocked - see <>]
    3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL [ listed in]
    0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
    0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server [ listed in]
    1.8 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist [URIs:]
    1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist [URIs:]
    1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist [URIs:]
    1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist [URIs:]
    2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist [URIs:]
    3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
    4.3 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
    4.4 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
    0.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
    1.4 FROM_LOCAL_HEX         From: localpart has long hexadecimal sequence
    1.9 TVD_RCVD_IP            TVD_RCVD_IP
    0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
    2.3 SPOOF_COM2COM          URI: URI contains ".com" in middle and end
    1.6 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
    0.0 HTML_MESSAGE           BODY: HTML included in message
    1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
    0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
    2.8 DOS_OE_TO_MX           Delivered direct to MX with OE headers