TurnKey Linux Virtual Appliance Library

Backdoor in my Medialink router

Just because you're paranoid doesn't mean they aren't out to getcha.

Here's another example of why we need free software running the Internet. When I bought my Medialink router it was the most popular brand of wireless router on Amazon.com. It is created by a Chinese corporation called Tenda.

And it comes with a root shell backdoor, which I just tested:

The closest you can get to perfectly secure Bitcoin transactions (without doing them in your head)

@pa2013 helpfully posted Alon's BitKey announcement from last week to the Bitcoin Reddit, which sparked an interesting discussion regarding whether or not you can safely trust BitKey to perform air-gapped transactions. I started responding there but my comment got so long I decided to turn it into a blog post.

Enabling Debian 6.0 LTS Security Support

This announcement is for Debian 6.0 (AKA Squeeze / TurnKey 12) users who have not yet upgraded to Debian 7.0 (AKA Wheezy / TurnKey 13):

~# cat /etc/issue.net
Debian GNU/Linux 6.0

Support for security updates to Debian 6.0 officially ended on Saturday May 31 2014.

As you may have heard, for the first time Debian is experimenting with a five year Long Term Support (LTS) program that will extend support until Feb 2016:

TurnKey 13 critical security issue (Heartbleed / CVE-2014-0160)

Without action, your TurnKey 13 installations may remain vulnerable to the critical Heartbleed OpenSSL attack (DSA-2896-1 CVE-2014-0160). This is not a theoretical attack.

Important security notice: Your TurnKey system may no longer be receiving automatic security updates

I have some bad news and some good news. The bad news is that if your TurnKey installation is older than 2 weeks you may no longer be receiving security updates.

The good news is that you are reading this and there is a very easy fix. Either reboot your system, or log in and restart the cron service:

/etc/init.d/cron start

Until you start recron, security updates and other scheduler related services (e.g., daily backups) will not work.

Secure, flexible and scalable Amazon EC2 instance preseeding

I'd like to introduce Joe. He is a good looking, experienced sys-admin and like all good sysadmins, he has more stuff to do than time to do it.

Joe wants to get up and running on Amazon EC2 with a Wordpress installation, and chooses to do so with a pre-configured appliance. These are the steps Joe performs:

Making TurnKey more turnkey - the end to default passwords

In our quest to make the upcoming TurnKey 11.0 release more "turnkey", I set out to extend the firstboot inithooks to include application specific configuration hooks such as setting of the admin password, email and domain to serve (where applicable).

I'm glad to announce that the quest is now over, and that puts the end to default passwords.

Passphrase dictionary attack countermeasures in tklbam's keying mechanism

Background: how a backup key works

In TKLBAM the backup key is a secret encrypted with a passphrase which is uploaded to the Hub.  Decrypting the backup key yields the secret which is passed on to duplicity (and eventually to GnuPG) to be used as the symmetric key with which backup volumes are encrypted on backup and decrypted on restore.

When you create a new backup, or change the passphrase on an existing backup, a new backup key is uploaded to the Hub where it is stored in the key field for that backup record.

When you restore, tklbam downloads the backup key from the Hub and decrypts it locally on the computer performing the restore. Note that the Hub only allows you to download the backup key for backup records to which you have access (e.g., you are the owner).

Only you can decrypt your passphrase protected backups

All of this matters because it means that as long as you use a passphrase to protect the key, even the Hub can't decrypt your backups, only you can - provided you remember the passphrase (or failing that, at least have the escrow key stored in a safe place).

In other words, the decryption of the backup key happens locally and at no point does the passphrase reach the Hub, so we can't decrypt your backup even if you asked us to. Neither can an attacker that has theoretically compromised the Hub, or a government agency that comes kicking down our door with a court warrant.

The problem with cryptographic passphrases

But wait. If an attacker has local access to the key, his ability to run dictionary attacks to find the key's passphrase is limited only by the computational resources he can throw at it.

Self signed and trusted SSL certificates

Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring "reasonable" protection from eavesdroppers and man-in-the-middle attacks.

HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. If your SSL certificate is not signed by one of these CA's, the browser will display a warning: