Gentoo Forums
Air-Gapped Gentoo Install, Tentative
Gentoo Forums Forum Index: Networking & Security
miroR
l33t
Joined: 05 Mar 2008
Posts: 826

PostPosted: Sun Apr 20, 2014 9:24 pm

If you look into my make.conf file, still basically:
https://forums.gentoo.org/viewtopic-p-7539048.html#7535952
there is the line:

PORT_LOGDIR_CLEAN="find "${PORT_LOGDIR}" -type f ! -name "summary.log*" -mtime +90 -delete"
# yes 90 days, because text is cheap, and it's expensive when it's missing

Yes, but I'm afraid that won't gzip my /var/log/messages file in 7 days as is default, but only every three months.

And that is not acceptable either.

I installed dcron, will look through what docs it has and for guides and talk in the forums, but I am slow to grasp...

Because I want to keep the logs, but get things gzipped that grow out of proportion (grsecurity amply logs things in my config setup of the kernel).

And this is a concrete, short and precise question in this very post you are reading. (You can see I still have the critique in mind that I received from krinn a few posts earlier.)
Any help appreciated, and as usual, if I solve it, others will know.

M.R.
Happy Easter for one last time! (soon to be Monday)
miroR
l33t

PostPosted: Mon Apr 21, 2014 1:13 am

In the last post I was barking up the wrong tree.

An excerpt follows from my:
/var/log/portage_logs/elog/app-admin:syslog-ng-3.4.7:20140417-084329.log
Code:

LOG: postinst
For detailed documentation please see the upstream website:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html/index.html
It is highly recommended that app-admin/logrotate be emerged to
manage the log files.  syslog-ng installs a file in /etc/logrotate.d
for logrotate to use.

And now follows a peep into:

Code:

mybox ~ # ls -l /etc/logrotate.d/
total 24
-rw-r--r-- 1 root root 221 Apr 19 15:51 apache2
-rw-r--r-- 1 root root 135 Apr 17 12:40 dcron
-rw-r--r-- 1 root root 272 Apr 20 00:15 elog-save-summary
-rw-r--r-- 1 root root  71 Apr  3 14:14 openrc
-rw-r--r-- 1 root root 105 Apr 20 01:19 rsyncd
-rw-r--r-- 1 root root 357 Apr 17 10:43 syslog-ng
mybox ~ # date
Mon Apr 21 00:17:07 CEST 2014
mybox ~ #


And sure, what we're most interested in now is:

Code:

mybox ~ # cat /etc/logrotate.d/syslog-ng
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.logrotate.in,v 1.1 2014/01/22 04:25:35 mr_bones_ Exp $
#
# Syslog-ng logrotate snippet for Gentoo Linux
# contributed by Michael Sterrett
#

/var/log/messages {
    missingok
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
mybox ~ #


My problem, of course, is not yet having installed logrotate. That is why I
wouldn't get my /var/log/messages and other files gzipped, and not for the
reason I initially thought above.

Namely:

Code:

mybox ~ #  emerge -s logrotate
Searching...
[ Results for search key : logrotate ]
[ Applications found : 2 ]

*  app-admin/logrotate
      Latest version available: 3.8.7
      Latest version installed: [ Not Installed ]
      Size of files: 57 kB
      Homepage:      https://fedorahosted.org/logrotate/
      Description:   Rotates, compresses, and mails system logs
      License:       GPL-2

...[snip]...

mybox ~ #


but, of course that is being fixed now. If logs don't start being gzipped I'll
be back to report. I won't bother if that problem is now fixed by installing
logrotate.

Sorry!
M.R.
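The stanza below is an added example, not the Gentoo snippet shown above nor anything posted in this thread. It keeps the postrotate reload from /etc/logrotate.d/syslog-ng and adds explicit per-file settings, so that /var/log/messages is compressed weekly but kept for about 90 days instead of inheriting the global defaults from /etc/logrotate.conf (assumed here to be "weekly" and "rotate 4"); logrotate only accepts comments on their own lines, so the comments are written that way.

```conf
# /etc/logrotate.d/syslog-ng (added example)
# Per-file settings override the global defaults in /etc/logrotate.conf.
/var/log/messages {
    # rotate once a week (the 7-day default mentioned in the thread)
    weekly
    # keep 13 rotated files, about 90 days of history, instead of the global
    # "rotate 4" (assumed default); old files are deleted, not mailed
    rotate 13
    nomail
    # gzip rotated logs, but leave the newest one uncompressed for one cycle so
    # syslog-ng can finish writing to it before the reload below takes effect
    compress
    delaycompress
    # do not complain if the file is missing, and do not rotate an empty file
    missingok
    notifempty
    # run postrotate once even if several files are listed in this stanza
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
```

logrotate -d /etc/logrotate.conf prints what would be rotated and compressed without touching any file, which is the quickest way to check that the stanza is picked up.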
miroR
l33t

PostPosted: Mon Apr 21, 2014 2:37 am

Somewhat related to this air-gapped Gentoo install:
Safe reinstall of Sysresc on USB stick that was exposed online
http://www.sysresccd.org/forums/viewtopic.php?f=25&t=5305
miroR
l33t

PostPosted: Wed Apr 23, 2014 7:36 am

I lost some valuable time with so little benefit:

Libav (Avconv) Imposition on Users who want FFmpeg
https://forums.gentoo.org/viewtopic-p-7539612.html

From that discussion, if you are installing Gentoo (air-gapped or not), take
out just how to evade libav before it imposes itself, if you like the (so far,
in years) much better real ffmpeg.

Sorry for allowing myself to be inadvertently pushed into ruining that thread.

With installing LXDE, without the bloat, I'm still at weighing options.
My choice I'll be posting next.
miroR
l33t

PostPosted: Sat May 03, 2014 3:46 pm

This time around I am late to report how I fared with my air-gapped install due
to a few reasons, but the most important one is that I was able to put two of
my new installs (two machines) to full use and therefore I was busy.

No, the install isn't complete, but I am able to run long sessions of ffmpeg
video conversions without a hitch and with the usual Gentoo-style superior
performance that I've been used to for years now.

I would like to round this up with clear instructions for beginners newer than
me, who might need this kind of install as I do now have some experience, but I
believe it is still better, when I find time, to first solve the remaining
issues, which are:

The X, for some reason still mysterious to me, is unable to use the radeon
driver, but only plain VESA; some diagnostics are here:
Installing X; but X ... freezes
https://forums.gentoo.org/viewtopic-t-988956.html
The X works, so it is solved in that regard, but works only at inferior VESA
level, so it isn't completely solved...

and

The audio. Works in a similar sketchy manner. Reasons being, I decided to veer
off the supported path, and add the regular user on the machine to the audio group,
because I don't want to go either the Consolekit or the Systemd way, as can be found
in the X link a few lines above and in this link:
LXDE replacement question
https://forums.gentoo.org/viewtopic-t-973802.html
So it looks like uncharted territory. Not really in the Wiki (only the
Consolekit or the Systemd way there, although adding the user to the audio group is
described in the Gentoo Wiki Alsa page, so not fully off all routes...).

(I really don't know for certain, but it could be the ACCEPT_LICENSE="@FREE",
see my emerge --info:

https://forums.gentoo.org/viewtopic-t-988956.html#7537924

that might have caused some configuration to be missing in terms what some
binary blobs somewhere need, and so that something misconfigured or missing I
now can't get the radeon driver to really work.

Seems @FREE is not sufficiently supported in Gentoo. There was an attempt by
the Argentinian based Gentoo offshoot Ututo to make a completely free really
GNU distro, but the free mankind not really being so free, to not say more and
suffer consequences again, I think they're stranded now... Sadly maybe I
shouldn't have ventured trying that make.conf line... Really don't know.)

Those two issues however, are not really related to the air-gapped install
topic, so don't belong there. So once I solve them, I'll probably report in the
two topics just listed.

Regarding the air-gapped install, it is so much harder than with Debian, which
I mentioned earlier that I was perfectly able to air-gapped install, here is
the link local to this topic:
https://forums.gentoo.org/viewtopic-t-987268.html#7527310
It's much more stuff, some 180G, the Gentoo local mirror, compared to 40+G or
80+G with sources with Debian, but the dedicated local compiling is what makes
for Gentoo's generally superior performance when compared to any binary
installs, at possibly huge cost in ease of use.

But once you have your mirror it's easy to update, not any more huge
downloading to do. My yesterday's update of my local mirror that I rsync'd two
weeks ago the previous time took some 7GB of download only.

Living air-gapped, however, is soo much more expensive in labor and
circumvention than living online and, well, exposed, which is absolutely worse,
thank you. So it might pay off. Surely my data is safe as far as that exposure
goes...

As I said, I would like to, can't promise, but will really try, revisit this
topic, and make a quick and easy to understand resumé, with all the necessary
links to Gentoo documentation, such as Wikis and man pages, where it is
(sometimes barely sufficiently) documented, for those who need a quick howto
and are (even) less experienced than I am in these matters.

Of course, if anybody manages to do this manner of install, and there are so
many around with so much better grasp on these matters than me, it'll be great
if you make a final easy-to-read resumé!

Cheers!

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
jonathan183
Apprentice
Joined: 13 Dec 2011
Posts: 282

PostPosted: Sat May 03, 2014 10:27 pm    Post subject: Some thoughts on just the initial install process

I think your main issue for the initial install is being unable to trust information you are able to download from the net without being able to complete some form of additional verification.

If I were in this situation then my approach to the initial install would be:
To use trusted, read only media to boot from (a CD - not an image on a hard drive or usb pen drive), for which I think the SystemRescue CD is most appropriate.
I'd verify the SystemRescue CD after download and after burning to CD, if you don't have a CD drive on the system exposed to the net then buy one even if it's a usb CD/DVD drive.

The system exposed to the net will need storage connected to it (either hard drive, pen drive or dvd writer) to store downloaded information.
Boot the system to expose to the net from the SystemRescue CD and partition/format (including secure erasure) the storage (hard drive/pen drive) and then mount the storage. I'd set iptables to block incoming (except established connections), and only allow outgoing ports you require - feel free to make this more difficult to defeat by creating rules that only allow outgoing connection for a certain group with a name and groupid you select at random.

Connect to the net and download an all on one page version of the handbook to be able to refer to later, also download (section 5 of one of the older handbook copies for instructions for portage snapshot install).
Download and verify the integrity of the appropriate stage3 tarball (section 5 of the handbook) - using the mirror of your choice. Redirect output of verification to a .txt file so it can be checked later.
Download and verify the integrity of a portage snapshot - using the mirror of your choice. Again redirect the output of verification to a .txt file so it can be checked later.
Now check the stage3 and portage snapshot against a few other gentoo mirrors in various locations (selected at random ;-) ).

Disconnect the system from the net, shut it down and power off, then reboot it using the SystemRescue CD and check the integrity of the downloaded information, comparing the output you get with the .txt files saved while the system was online. Assuming the same results, you can be as sure as you're going to be that what you have are good copies of a stage 3 and portage snapshot to complete the install of the air gapped system(s).

Boot air gapped system from the SystemRescue CD, partition/format its storage and mount the partitions for the install and copy and untar the stage3 and portage snapshot, setup locale and make.conf as you want it on your target system. Before you can build the kernel, install a bootloader or sync we require net access again.

At this point you can start identifying the URLs of individual files and downloading them. Personally at this point I'd copy the install of the air gapped system back across to the system with a net connection, boot the net exposed system using the SystemRescue CD (set up iptables as above then connect to the net) and chroot and pull kernel and bootloader files using emerge -avf your_selected_kernel_sources your_boot_loader. Then disconnect from the net and compare the air gapped system with the copy which should now have kernel and bootloader downloaded. I think copying the kernel_sources and your_boot_loader related files in usr/portage/distfiles to the air gapped system will be sufficient (copy the minimum required - start with distfiles only, e.g. grub and gentoo-sources) to allow chrooting in and finishing off the install by emerging the kernel and bootloader, configuring and compiling the kernel and installing the bootloader. Taking this approach does not risk compromising the air gapped system but allows identification of any modifications made to the net connected system.

I'd check the air gapped system boots and then copy it back to the net system, and do an emerge -avfe world to pull source packages for the entire system. Do a diff and copy the information to the air gapped system (I think distfiles only).
After that I'd pull apps, xorg-server and other things I want then diff and copy across to the air gapped system in a similar way to the kernel and bootloader above.

There are several options in terms of maintaining an air gapped system after that, with pulling a snapshot and then downloading files for the update similar to the above being one approach. Booting from the SystemRescue CD each time will help protect against boot sector issues but will offer no protection against BIOS issues. Protection against something like badBIOS would need a bit more thinking about - and is one reason I'd use CD/DVD rather than a pen drive if I were so concerned about a compromised system.

The above does not really require any knowledge of the internal workings of portage, but you can streamline what needs to be synchronised to portage affected tree only rather than an entire system. I suspect setup of a build server using webrsync-gpg feature which you periodically connect to the net (random times/day of week) locked down and setup with cli only would be a better approach to maintaining systems. But then I don't know what sort of information you want to protect, how sensitive it is, what the consequences are for a system being compromised or how determined individuals/group of people are to gain access to your systems. I also don't know if using cli and framebuffer applications like links are sufficient for systems you do connect to the net which would allow a reduction of attack vectors.
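The script below is an added example (not jonathan183's own commands) of the record-and-recheck step in the procedure above: verify the stage3 tarball against its .DIGESTS file on the net-connected box, save the result to a .txt record, repeat the check later from the SystemRescue CD, and compare the two records. It assumes the 2014 .DIGESTS layout (a "# SHA512 HASH" comment line followed by "<hash>  <file>", likewise for WHIRLPOOL, then the .CONTENTS entries), GNU coreutils sha512sum and a POSIX sh; the gpg check of the detached .DIGESTS.asc signature is not shown, and the sample files it builds are constructed stand-ins, not a real stage3.

```shell
#!/bin/sh
# Added example, not from the thread: record the stage3 verification result on
# the net-connected box, re-run it offline, and compare the two records.

# record_digest <dir> <tarball> <digests> <record>
# Feeds only the SHA512 line for <tarball> to "sha512sum -c": the WHIRLPOOL
# lines are also 128 hex digits and would be reported as FAILED, and the
# .CONTENTS line would fail if that file was not downloaded. Appends one line
# "<tarball> <sha512> <OK|FAILED>" to <record>; returns 0 only on OK.
record_digest() {
    dir=$1; tarball=$2; digests=$3; record=$4
    if (cd "$dir" && grep -A1 'SHA512 HASH' "$digests" \
            | grep " $tarball\$" | sha512sum -c - >/dev/null 2>&1); then
        status=OK
    else
        status=FAILED
    fi
    # independent sum of the file itself, so the offline record can be diffed
    sum=$(cd "$dir" && sha512sum "$tarball" | cut -d' ' -f1)
    printf '%s %s %s\n' "$tarball" "$sum" "$status" >> "$record"
    [ "$status" = OK ]
}

# compare_records <online-record> <offline-record>
# The offline re-check (from the SystemRescue CD) must reproduce the online
# record line for line, and neither record may carry a FAILED entry.
compare_records() {
    if [ "$(sort "$1")" = "$(sort "$2")" ] && ! grep -q FAILED "$1" "$2"; then
        echo "records agree: $(wc -l < "$1") file(s) verified"
        return 0
    fi
    echo "records differ or contain failures:" >&2
    diff "$1" "$2" >&2 || true
    return 1
}

# make_sample: constructed stand-ins for a stage3 download, so the functions
# above can be exercised offline. The WHIRLPOOL value is a placeholder, not a
# real hash; the SHA512 values are computed from the stand-in files.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed stage3 stand-in\n' > "$d/stage3-sample.tar.bz2"
    printf 'constructed CONTENTS stand-in\n' > "$d/stage3-sample.tar.bz2.CONTENTS"
    s=$(cd "$d" && sha512sum stage3-sample.tar.bz2 | cut -d' ' -f1)
    c=$(cd "$d" && sha512sum stage3-sample.tar.bz2.CONTENTS | cut -d' ' -f1)
    w=$(printf '%0128d' 0)
    {
        printf '# SHA512 HASH\n%s  stage3-sample.tar.bz2\n' "$s"
        printf '# WHIRLPOOL HASH\n%s  stage3-sample.tar.bz2\n' "$w"
        printf '# SHA512 HASH\n%s  stage3-sample.tar.bz2.CONTENTS\n' "$c"
        printf '# WHIRLPOOL HASH\n%s  stage3-sample.tar.bz2.CONTENTS\n' "$w"
    } > "$d/stage3-sample.tar.bz2.DIGESTS"
    echo "$d"
}

# demo: online record, offline record, comparison, then a corrupted copy
demo() {
    d=$(make_sample)
    record_digest "$d" stage3-sample.tar.bz2 stage3-sample.tar.bz2.DIGESTS "$d/online.txt"
    record_digest "$d" stage3-sample.tar.bz2 stage3-sample.tar.bz2.DIGESTS "$d/offline.txt"
    compare_records "$d/online.txt" "$d/offline.txt"
    # a single extra byte in the tarball must show up as FAILED
    printf 'x' >> "$d/stage3-sample.tar.bz2"
    record_digest "$d" stage3-sample.tar.bz2 stage3-sample.tar.bz2.DIGESTS "$d/recheck.txt" \
        || echo "corrupted copy detected: $(tail -n1 "$d/recheck.txt")"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real download, point record_digest at the directory holding the stage3 tarball and its .DIGESTS file, and keep the online record on the same media as the files so the offline boot can run compare_records against it.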
miroR
l33t

PostPosted: Thu May 08, 2014 12:42 pm    Post subject: Re: Some thoughts on just the initial install process

jonathan183, sorry for being this late in my reply. It's not recklessness, but slowness in doing these GNU/Linux things, I just employ time really, and have already mentioned that I can't do things quickly.

jonathan183 wrote:
I think your main issue for the initial install is being unable to trust information you are able to download from the net without being able to complete some form of additional verification.

If I were in this situation then my approach to the initial install would be:
To use trusted, read only media to boot from (a CD - not an image on a hard drive or usb pen drive), for which I think the SystemRescue CD is most appropriate.
I'd verify the SystemRescue CD after download and after burning to CD, if you don't have a CD drive on the system exposed to the net then buy one even if it's a usb CD/DVD drive.

The system exposed to the net will need storage connected to it (either hard drive, pen drive or dvd writer) to store downloaded information.
Boot the system to expose to the net from the SystemRescue CD and partition/format (including secure erasure) the storage (hard drive/pen drive) and then mount the storage. I'd set iptables to block incoming (except established connections), and only allow outgoing ports you require - feel free to make this more difficult to defeat by creating rules that only allow outgoing connection for a certain group with a name and groupid you select at random.

Connect to the net and download an all on one page version of the handbook to be able to refer to later, also download (section 5 of one of the older handbook copies for instructions for portage snapshot install).
Download and verify the integrity of the appropriate stage3 tarball (section 5 of the handbook) - using the mirror of your choice. Redirect output of verification to a .txt file so it can be checked later.
Download and verify the integrity of a portage snapshot - using the mirror of your choice. Again redirect the output of verification to a .txt file so it can be checked later.
Now check the stage3 and portage snapshot against a few other gentoo mirrors in various locations (selected at random ;-) ).

Disconnect the system from the net, shut it down and power off, then reboot it using the SystemRescue CD and check the integrity of the downloaded information, comparing the output you get with the .txt files saved while the system was online. Assuming the same results, you can be as sure as you're going to be that what you have are good copies of a stage 3 and portage snapshot to complete the install of the air gapped system(s).

Boot air gapped system from the SystemRescue CD, partition/format its storage and mount the partitions for the install and copy and untar the stage3 and portage snapshot, setup locale and make.conf as you want it on your target system. Before you can build the kernel, install a bootloader or sync we require net access again.

At this point you can start identifying the URLs of individual files and downloading them.

I think I can grasp your basic idea of how to do the air-gapped install. And I guess that may be a fine way to reach the same goal.
But my approach differs quite a lot.
There is no need for checking of any individual urls anymore for my approach, but a wholesale check of the entire local mirror.
( individual URLs only need to be checked/downloaded separately for non-GNU packages, but I shun those anyway )
And I explained that it isn't any more much of a fuss updating it (so I won't repeat it here). Only the initial download is really a lot of work, not the updating it.

jonathan183 wrote:

Personally at this point I'd copy the install of the air gapped system back across to the system with a net connection, boot the net exposed system using the SystemRescue CD (set up iptables as above then connect to the net) and chroot and pull kernel and bootloader files using emerge -avf your_selected_kernel_sources your_boot_loader. Then disconnect from the net and compare the air gapped system with the copy which should now have kernel and bootloader downloaded. I think copying the kernel_sources and your_boot_loader related files in usr/portage/distfiles to the air gapped system will be sufficient (copy the minimum required - start with distfiles only, e.g. grub and gentoo-sources) to allow chrooting in and finishing off the install by emerging the kernel and bootloader, configuring and compiling the kernel and installing the bootloader. Taking this approach does not risk compromising the air gapped system but allows identification of any modifications made to the net connected system.

I'd check the air gapped system boots and then copy it back to the net system, and do an emerge -avfe world to pull source packages for the entire system. Do a diff and copy the information to the air gapped system (I think distfiles only).
After that I'd pull apps, xorg-server and other things I want then diff and copy across to the air gapped system in a similar way to the kernel and bootloader above.

There are several options in terms of maintaining an air gapped system after that, with pulling a snapshot and then downloading files for the update similar to the above being one approach. Booting from the SystemRescue CD each time will help protect against boot sector issues but will offer no protection against BIOS issues. Protection against something like badBIOS would need a bit more thinking about - and is one reason I'd use CD/DVD rather than a pen drive if I were so concerned about a compromised system.

Yup! The BIOS can be attacked when the system is exposed online. Or even through intermediaries (such as a pendrive) which were exposed. Sure, CD is better.
jonathan183 wrote:

The above does not really require any knowledge of the internal workings of portage, but you can streamline what needs to be synchronised to portage affected tree only rather than an entire system. I suspect setup of a build server using webrsync-gpg feature which you periodically connect to the net (random times/day of week) locked down and setup with cli only would be a better approach to maintaining systems. But then I don't know what sort of information you want to protect, how sensitive it is, what the consequences are for a system being compromised or how determined individuals/group of people are to gain access to your systems. I also don't know if using cli and framebuffer applications like links are sufficient for systems you do connect to the net which would allow a reduction of attack vectors.

I just want true privacy (TM). Half-joking, sure, but I just don't want anybody being able to poke anywhere, or at least almost anywhere. Regardless what kind of information it was...
Anyway, talking of all the updating, believe me, once you have the local mirror, it's close to a breeze updating it, and it's just the distfiles/ folder that takes a few minutes or not much more (or maybe half hour if your access is turned down for political reasons like I am kept at miserable access by the regime in my country), say once in a week, and just the latest portage snapshot.
Then I run clamscan on it, as I showed previously, and then once I serve the mirror with apache for all (just a few in my case) the Gentoo systems on the SOHO, the rest of the checking is done by portage itself.
I still trust Gentoo devs to a great extent. You can't trust anybody fully, can you? Only trying to say that GNU Linux itself is not fully trustworthy anymore, ever since SELinux is default in a number of distros.
Basically I wouldn't use your approach now that I have the local mirror, but it could be a fine shortcut for people with too little patience to build this version of the air-gapped Gentoo install that I have used here for myself.

Miroslav Rovis
www.CroatiaFidelis.hr
jonathan183
Apprentice

PostPosted: Sun May 11, 2014 1:35 pm

The method outlined would be my approach to being unable to trust information downloaded from the net without further verification/integrity checks in order to achieve a clean air gapped installation of Gentoo.
The method means I need to trust the SystemRescueCD which I can boot from, and the Gentoo teams producing the stage3 and portage snapshot to not be attacking me as an individual.
I'm also relying on the supply chain and the people who made the PC not attacking me as an individual (but that would apply equally to any OS I choose to install); Free BIOS https://www.fsf.org/campaigns/free-bios.html would help with this ;-)

The air gapped system need have no network connection, it only needs to be able to read information saved from the net connected system and be able to write information that can subsequently be read by the net connected system - but this could be CD/DVD media.
My approach allows portage verification plus the use of diff tools plus any other verification you may want to do before changes are made live on the air gapped system (including portage tree updates).

You can trade some reduction in security for convenience and use USB drives, a network share or a private file/web server to get information to and from the air gapped system or not have an air gapped system at all.
You can have a local mirror, build servers or take other approaches to ongoing maintenance of the system after installation, as I said in the title of my previous post it only really dealt with the initial install of an air gapped system.

I work on the basis that the people attacking have greater knowledge and time to dedicate to the activity than I do to defence, so try to keep things fairly simple and minimise the things I have to trust.
I'm not expecting a knock on the door at 2am by armed police based on something I have on my computer, if I were then I would be using air gapped systems or better still not storing such information on a computer in the first place.

I don't claim to know more than you (or anyone else) about installing or maintaining a Gentoo system, I just provided my thoughts on an initial install for an air gapped system if unable to trust downloaded information without additional verification. If you have experience of systems being compromised after several hours on the net (which I get that impression from some of your previous posts) I would be cautious about connecting a system which has been on the net with an air gapped system at some point in the future even if this occurs over a private network connection.
miroR
l33t

PostPosted: Mon May 12, 2014 9:59 am

jonathan183 wrote:
The method outlined would be my approach to being unable to trust information downloaded from the net without further verification/integrity checks in order to achieve a clean air gapped installation of Gentoo.
The method means I need to trust the SystemRescueCD which I can boot from, and the Gentoo teams producing the stage3 and portage snapshot to not be attacking me as an individual.
I'm also relying on the supply chain and the people who made the PC not attacking me as an individual (but that would apply equally to any OS I choose to install); Free BIOS https://www.fsf.org/campaigns/free-bios.html would help with this ;-)

Helpful it looks. When I get free time (busy, overwrought actually wrt my abilities, at this time), I'll enjoy reading it! The link.
EDIT START Wed May 14 02:42:47 CEST 2014
I just did. Really important link. Next, I should see if my MBO is supported with FreeBIOS. No. Neither Asrock Extreme4 nor Abit AT8 can I find on:
http://www.coreboot.org/Supported_Motherboards
But I do run almost only AMD64.
EDIT END

Regarding Gentoo, of course it is fair assumption that our great minds who gave us Gentoo are not attacking us! But on another note, even a historical person named Jesus had a traitor right among his closest friends, and every movement, association, you name it had theirs.
All other OSs but GNU/Linux are known to have sold their users. Just think M$, Apple. It's a known, no wish to delve deeper.
One needs to beware of rotten apples. I don't think anyone can honestly find anything wrong with that.
jonathan183 wrote:
The air gapped system need have no network connection, it only needs to be able to read information saved from the net connected system and be able to write information that can subsequently be read by the net connected system - but this could be CD/DVD media.
My approach allows portage verification plus the use of diff tools plus any other verification you may want to do before changes are made live on the air gapped system (including portage tree updates).

You can trade some reduction in security for convenience and use USB drives, a network share or a private file/web server to get information to and from the air gapped system or not have an air gapped system at all.
You can have a local mirror, build servers or take other approaches to ongoing maintenance of the system after installation, as I said in the title of my previous post it only really dealt with the initial install of an air gapped system.

I work on the basis that the people attacking have greater knowledge and time to dedicate to the activity than I do to defence, so try to keep things fairly simple and minimise the things I have to trust.
I'm not expecting a knock on the door at 2am by armed police based on something I have on my computer, if I were then I would be using air gapped systems or better still not storing such information on a computer in the first place.

I don't claim to know more than you (or anyone else) about installing or maintaining a Gentoo system, I just provided my thoughts on an initial install for an air gapped system if unable to trust downloaded information without additional verification. If you have experience of systems being compromised after several hours on the net (which I get that impression from some of your previous posts) I would be cautious about connecting a system which has been on the net with an air gapped system at some point in the future even if this occurs over a private network connection.

Your way is a fine shortcut of mine which is closer to true air-gapping.
I confirm that it may be a fine shortcut, but now that I have my local mirror, my way to install, actually only maintain my air-gapped Gentoo looks to me so much better to keep than to revert to your way.
We are not in conflict with our statements.
Cheers!
Miro
www.CroatiaFidelis.hr
Here the work that is taking all of my time, all of my capabilities to fulfill:
http://www.croatiafidelis.hr/gnu/Flowstamp/
miroR
l33t

PostPosted: Wed May 14, 2014 7:22 pm

EDIT START 2014-10-31:
I have pointed to this post from the latest topic of mine:

Mutt without Portage/in Local Overlay, for Air-Gappers
https://forums.gentoo.org/viewtopic-t-1002146.html

And it is good to point out to the occasional reader that this whole issue is pondered over in more precise terms, and will possibly produce more lean and mean ways for us to install gnupg-1 and, in this case, the great Mutt program, where gnupg-1 can be put to exceptional use.

This long text below is still a good read, containing issues not discussed anywhere else.
EDIT END

I have just solved a problem. And I don't agree that verbosity like mine can be
really regarded as a problem (well not in most of the instances where I wear
and tear my keyboard copiously, I'm sorry for where I did exaggerate).

And this is why: it is because it wasn't anywhere really obvious how to solve
this problem.

Also, in some other places, not on Gentoo Forums to my knowledge, the
discussion on this problem that follows and which is easily solved in Gentoo
was, in all probability, censored (I will try and substantiate my claims in due
course).

And so it took me about a day, about some maybe 15 (fifteen) hours of wake, to
solve this problem for myself.

For that reason I argue to krinn (who was quite helpful and kind in a few
occasions with me, and that further above from him in this topic is not anger,
just advice), and to others who either write too cryptically or do things in
such way as to make those things hard to grasp, that mine is a good way to say
things, certainly in this case.

Namely, the less advanced users who read this will get what I grasped in such
long research, in maybe a half hour, plus maybe reading general manpages, wikis
and docs, if they're too new. So bear with me. Thank you.

I'll first post the problem as if I hadn't found the solution yet.

It's about GnuPG functionality that is getting disabled in some dev circles for
reasons of inclusions of GUI things and other layers on top of pure GnuPG.

[ I believe everybody understands that GnuPG as the paramount privacy program
fits well into this topic on Air-Gapped Gentoo install. ]

This is the normal behavior that I have been used to thus far, and that all of
a sudden I found was missing (real output, it's from a Debian box of mine where
the good old version is still the default):

Code:
me@DebianBox:somewhere$ gpg -s -a -b --output stdin_msg.sig -

You need a passphrase to unlock the secret key for
user: "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"
4096-bit RSA key, ID 4FBAF0AE, created 2014-01-16

gpg: problem with the agent - disabling agent use
Enter passphrase:
I can try writing the message and see.
me@DebianBox:somewhere$


Just, for the average users like me to have the whole story, at the point the
GnuPG program (version 1.4.16 in this case) itself (and not any popup GUI
little window) asked right there on the terminal:

Code:
Enter passphrase:


it waited for my input, and once I typed it, left a blank open whitespace for
me to type more, and then I typed in the message above as shown, which message
I terminated with an Enter (Enter is the equivalent of typing a LN, newline
character), and a Ctrl-D, upon receiving which signal the good old GnuPG gave
me back the command prompt and deleted from view the lines:

Code:
Enter passphrase:
I can try writing the message and see.


But I'm showing them above so non-advanced users can get a chance to understand
more easily too. In my opinion, teaching is a better way of rendering GNU/Linux
more usable than GUIs and stuff.

Now I go and see that the plain text file stdin_msg.sig that GnuPG just created
in my directory will verify the same text as the one that is signed.

Code:
me@DebianBox:somewhere$ gpg --verify stdin_msg.sig -


At this point the GnuPG 1.4.16, the current default in Debian, waited for my
input, which had to be the exact same as what I entered previously. So I typed:

Code:
I can try writing the message and see.
gpg: Signature made Wed 14 May 2014 10:10:03 AM CEST using RSA key ID 4FBAF0AE
gpg: Good signature from "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"
me@DebianBox:somewhere$


Because anything else other than that exact line doesn't verify.

Code:
me@DebianBox:somewhere$ gpg --verify stdin_msg.sig -
I can try writing anything else and see.
gpg: Signature made Wed 14 May 2014 10:10:03 AM CEST using RSA key ID 4FBAF0AE
gpg: BAD signature from "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"
me@DebianBox:somewhere$



The GnuPG 1.4.16 where it worked on my Debian distro still has in its manual:

Quote:
--use-agent
--no-use-agent
Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
the agent before it asks for a passphrase. --no-use-agent disables this option.


while the GnuPG 2.0.22 on my freshly air-gapped installed Gentoo has in its
man page:


Quote:
--use-agent

--no-use-agent
This is dummy option. gpg2 always requires the agent.


I so much like the working --no-use-agent option, and don't want the latter. I
don't want to need Qt or other GUI yet on top of another tool, this gpg-agent
already on top of GnuPG, to remember my most important password data in my
stead, I will be happy with GnuPG 1 till doomsday.

I have searched for gnupg, and here's abbreviated output:

Code:
gbn miro # emerge -s gnupg | grep -A1 'app-crypt'
*  app-crypt/gnupg
Latest version available: 2.0.22
--
...[snip]...
gbn miro #


No GnuPG 1 available in Gentoo. gpg2 won't work without gpg-agent and Qt or Gtk
or whatnot.

Have a look. This is the whole output if I try with a similar line:

Code:
me@GentooBoxPREVIOUSLY ~ $ gpg -s -a -b --output stdin_msg.asc -

You need a passphrase to unlock the secret key for
user: "Miroslav Rovis (consecrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"
4096-bit RSA key, ID 4FBAF0AE, created 2014-01-16

gpg-agent[30889]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[30889]: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
gpg: no default secret key: Operation cancelled
gpg: signing failed: Operation cancelled
me@GentooBoxPREVIOUSLY ~ $


Doesn't look nice.

So, short of abandoning all things in my life and studying the source, to not
say more, because my opinions are often too strong not to ruffle feathers (pls.
note that I am not saying anything that is in anyway overly critical here)...

So... short of working the GnuPG 2 source and portage the sole thing in my
life for at least a year (only joking, I can not do that)... so what are my
options?

I don't want gpg-agent and guis here...

Is it that the sole option for me is then, in Gentoo, compiling the GnuPG 1
source myself (even that is huge work for average users like me)?

Miroslav Rovis
www.CroatiaFidelis.hr

That was the problem on my hands that I had before I found the solution. The
thing is, again, the solution isn't obvious, and it is likely that many
non-advanced but GNU/Linux real lovers like me will like to know it, and I
don't want them stuck in this status that I was for the fifteen (15) waking
hours.

I'm back in just a few minutes, Vis Major allowing (Latin, not English: read
maayawr, only pronounce vowels pretty short, like in stun, goggles, not like in
talk, are).

Miroslav Rovis
www.CroatiaFidelis.hr


Last edited by miroR on Fri Oct 31, 2014 9:37 pm; edited 2 times in total
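The stdin round trip shown above, as an added example that is not part of the original post nor of GnuPG itself: a POSIX shell script that builds a throwaway key in a temporary GNUPGHOME, makes a detached armoured signature over whatever arrives on stdin, and then verifies it once against the byte-exact message and once against a changed message. It assumes only a `gpg` binary on PATH (1.4.x or 2.1+; the 2.0 line the post ran into is not covered), and the key name, e-mail and passphrase are made up for the example. Because it must run unattended, the passphrase goes through `--passphrase-file` in batch mode instead of the terminal `Enter passphrase:` prompt the post describes; on 2.1+ that needs `--pinentry-mode loopback`, which the script only adds when gpg accepts it.

```shell
#!/bin/sh
# Added example (not from the forum post, not GnuPG's own code): detached-sign a
# message read from stdin and verify it, non-interactively, using a throwaway key
# in a temporary GNUPGHOME.  Assumes only `gpg` (1.4.x or 2.1+) on PATH.

gpg_setup() {
    GPGHOME_TMP=$(mktemp -d) || return 1
    chmod 700 "$GPGHOME_TMP"
    GNUPGHOME="$GPGHOME_TMP"
    export GNUPGHOME

    # GnuPG 2.1+ accepts a non-interactive passphrase only in loopback pinentry
    # mode; 1.4 rejects the option outright, so probe instead of guessing.
    # (Deliberately left unquoted below so it expands to two words.)
    GPG_LOOPBACK=""
    if gpg --batch --pinentry-mode loopback --version >/dev/null 2>&1; then
        GPG_LOOPBACK="--pinentry-mode loopback"
    fi

    # Made-up passphrase for the throwaway key.  It lives in a 0600 file rather
    # than on the command line, where --passphrase would be visible in `ps`.
    printf 'correct horse battery staple\n' > "$GNUPGHOME/pass.txt"
    chmod 600 "$GNUPGHOME/pass.txt"

    # Unattended key generation; this parameter-file format is understood by
    # both 1.4 and 2.x.  Identity values are constructed for the example.
    gpg --batch $GPG_LOOPBACK --gen-key >/dev/null 2>&1 <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 0
Passphrase: correct horse battery staple
%commit
EOF
}

sign_stdin() {
    # Detached (-b), ASCII-armoured (-a) signature over stdin, written to $1.
    # The trailing "-" is what makes gpg take the message from stdin.
    gpg --batch --yes $GPG_LOOPBACK --passphrase-file "$GNUPGHOME/pass.txt" \
        -s -a -b --output "$1" - 2>/dev/null
}

verify_stdin() {
    # Check signature file $1 against the message on stdin.  gpg's exit status
    # is the verdict: 0 for a good signature, non-zero for BAD or missing.
    gpg --batch --verify "$1" - >/dev/null 2>&1
}

gpg_cleanup() {
    # On 2.1+ the agent spawned while signing outlives gpg; stop it explicitly
    # before throwing the temporary home directory away.
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    fi
    rm -rf "$GPGHOME_TMP"
}

demo() {
    gpg_setup || { echo "key generation failed" >&2; return 1; }
    msg='I can try writing the message and see.'

    printf '%s\n' "$msg" | sign_stdin "$GNUPGHOME/stdin_msg.sig"

    if printf '%s\n' "$msg" | verify_stdin "$GNUPGHOME/stdin_msg.sig"; then
        echo "exact text:   good signature"
    fi
    if ! printf '%s\n' 'I can try writing anything else and see.' \
            | verify_stdin "$GNUPGHOME/stdin_msg.sig"; then
        echo "changed text: BAD signature"
    fi

    gpg_cleanup
}

# Only run the demo when invoked as `sh script.sh demo`; sourcing the file
# just defines the functions.
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh gpg_stdin_roundtrip.sh demo`, or source it and call the functions. Two details matter in practice: the text fed to `verify_stdin` must match what was signed byte for byte, trailing newline included, which is why retyping a line with a different ending gives a BAD signature just like a changed word does; and on 2.1+ the agent that gpg starts while signing keeps running after gpg has exited, so `gpg_cleanup` has to kill it with `gpgconf --kill gpg-agent` before removing the directory. On 1.4 no agent is involved at all as long as the fresh GNUPGHOME carries no `use-agent` line in gpg.conf.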
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Wed May 14, 2014 7:24 pm

I tried to find what portage holds to tell on the matter.

Code:
GentooBox me # emerge -s gnupg | grep -A1 'app-crypt'
*  app-crypt/gnupg
      Latest version available: 2.0.22
--
...[snip]...

Also
Code:
GentooBox me # emerge -S gnupg

gives similar results only.

And here I went and searched ddg.gg (That's the shortcut address you can type in
the address bar to search the DuckDuckGo engine. I don't use Google. The
Schmoogle hates me, they terminated my account of over 500 (five hundred)
videos on Youtube on their own falsehood, so I don't use that Surveillance
Engine, and this is a note that also fits here, because here in the Air-Gapped
install we don't want surveillance.).

I searched a lot, and read a lot, and I finally stumbled upon the end of two
threads, exact but cryptic enough not to be readily perceived, and that is a
fault as well, but of course I don't blame it on the good developer in question
further on, but on the community. What I mean is, all of us should care to
spread the good information to those less advanced than we are. And why not
e.g. make it possible to find that information somehow in the emerge -s or at
least emerge -S output? Or was it in the eselect news? I don't think so.)

So, finally, this is where the information is:

security risk with gpg
https://forums.gentoo.org/viewtopic-t-987174.html#7534990

how to disable (sanitize) gpg2 GUI features (pinentry)?
https://forums.gentoo.org/viewtopic-t-639272-postdays-0-postorder-asc-start-25.html#7534996

It does look obvious now, but it's easy to say that once you are underneath
that tree in the forest, but the forest that tree is in is huge...

I solved this issue for myself, and I can post more on it next, but the main
purpose of this post is giving those two links above, so this is enough for
this post.

Also next, I will try and substantiate the claim on how a particular piece of
information on some of the related development issues is somewhat mysteriously
unavailable; I used a bad word: possibly censored. Again, not on these forums.
Elsewhere. But that is not so urgent, if I don't properly prepare the text soon,
bear with me longer...

Miroslav Rovis
www.CroatiaFidelis.hr
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu May 15, 2014 1:57 am

The first link given is the post in the topic "security risk with gpg" with
this exact address local to topic:
https://forums.gentoo.org/viewtopic-t-987174.html#7534990
where this is the information for us:

khayyam wrote:
... that said,

which doesn't interest those who want to use password verification on the
command line straight by GnuPG, which is explained above. Of course no one is
saying Thunderbird with Enigmail, and other GUI based applications are bad, but
I will prefer to be spending more weeks again, like I already spent numerous
weeks earlier, to use Mutt with GnuPG, again in this new Air-Gapped install (on
a system cloned from it in a renewable/clonable environment from the master

--to not leave what I just said unclear to beginners, I clone systems, and that
can be done most easily say between two exact same MBO, and similar if not same,
other hardware. 'man dd' and other docs, wikis and forums, I wrote about that
somewhere too--).

The master Air-Gapped will always remain air-gapped from the world, as long as
there isn't a knock on the door, followed by some of the torturous conditions
/persecution to which some of my friends --about whom not here-- have already
been subjected, very very early some morning on my door as well...

This is of interest to us:

khayyam wrote:
I've masked > gpg-1 as the who pinentry thing is broken IMO.


EDIT: 2014-12-02 there was a "/" lacking in the closing quote above, was very unreadable

but we can only understand it because of:
https://forums.gentoo.org/viewtopic-t-639272.html#7059670
khayyam wrote:
As gnupg has no native method, and uses pinentry, this means
there is no current method of escaping one or other "interface". If you were
happy with how it once was, when a command line interface was an 'option', then
step aside, linux is being made 'usable', and your antiquated thinking is
standing in the way of progress.

The official advice is "use gpg-agent", which in my case makes ... no, no, don't
get me started. So, yes, this is a major annoyance, but unless some stop is put
on this drive toward an ill conceived abstracted "user" (which is little more
than a strategist's idea of the "usability" requirement for "developing
markets") then I think we will see more and more of this type of "development".


Nothing can I allow myself to add there.

Other than, dear air-gappers, that we, the real users, need to keep the
requirement alive to have the old way available that
khayyam wrote:
a command
line interface
must remain
khayyam wrote:
an 'option'
in
GNU/Linux _forever_.

Here is the solution. As I said, I surely never ever tried to blame the
actually clear sight of this tree in the Gentoo forest (it is only lost in the
huge forest, as explained earlier), but the community, even other users like me
who take the good news and don't care to spread it.

And the second link given is the post in the topic "how to disable (sanitize)
gpg2 GUI features (pinentry)?" with this exact address local to topic:
https://forums.gentoo.org/viewtopic-t-639272-postdays-0-postorder-asc-start-25.html#7534996
khayyam wrote:
gw wrote:
How can I disable this new "feature", that is: simply enter the passphrase from within my terminal application, or how can I at least make pinentry accept copy and paste?

gw, et al ...

I got *so* fed up with pinentry screwing up the tty when editing with vim I decided to do something about it, and so I'm bumping this just to say getting the old behavior is infact possible.

/etc/portage/package.mask
Code:
>=app-crypt/gnupg-2.0.22

... it turns out gnupg-1 is still in portage, and still maintained ... so, voila!

Code:
# emerge -p app-crypt/gnupg
[ebuild   D    ] app-crypt/gnupg-1.4.16

... depclean pinentry (and deps) ...

Code:
# emerge --depclean -a

... sanity! ...

Code:
% vim ~/test.gpg
You need a passphrase to unlock the secret key for user: "khayyam <user@domain.tld>"
4096-bit RSA key, ID FFFFFFFF, created xxxx-xx-xx (main key ID FFFFFFFFF)
Enter passphrase:

... unlike with pinentry keyboard navigation works (and please, no, this has nothing to do with GPG_TTY, or 'no-grab', etc).

Hopefully that helps someone ....

best ... khay


This is actually complete explanation, newbies only need 'man emerge' and
associates here.

I'd like to add how I got the signing in git working on Gentoo the old GnuPG
way, though, as another good example, while, and that's the bad example, how I,
again, couldn't sign with GnuPG (even though it was GnuPG 1) from git, in
Debian.

Why? Because it is, and this is not an exaggeration, I quoted above khay's
opinion which you cannot disregard in that matter, it is probably what is lying
in wait for us, in most any distro of GNU/Linux, unless we oppose it, we the
real users who want True Privacy and Freedom which GNU/Linux still has strong
and proud running in its veins.

The example will be what I only mentioned here:
Scripts to automate jigdo download
http://forums.debian.net/viewtopic.php?f=16&t=110503&p=540691#p540691
but then I veered off and explained what did work in Debian, instead of
explaining what didn't, so this:
gpg-agent now forced upon users of GnuPG
http://forums.debian.net/viewtopic.php?f=3&t=114427
is not complete, as of the time of this writing.
(and neither can I give the example that I meant first there, and now meant to
give it here, in this post, now, but hope to give it in the next post. I can
see that I can't because I'm giving a last proofreading to this text now...)

Having given the link to "gpg-agent now forced upon users of GnuPG" that I will
take an excerpt just next further on too, I believe I also substantiated my
claims about possible censorship that I mentioned two posts ago, and repeated
in the last post.

For a quick revision of what could be censorship, and without cross-posting,
but only extracting the precise information, that I would like to put forth a
few comments/quests for further insights/opinions about, I would like to quote
just this part of what I wrote there (why would I need to repeat those same
facts in new words?):

miroR_on_Debian wrote:
http://www.gossamer-threads.com/lists/gnupg/users/58785
[[ still looks like having been cut short, because there are issues that cry so
loud in there, so loud, they break from in between the lines very forcefully,
if you have enough alert on the right side of the privacy/freedom/surveillance
issues ]]
[[ No, I don't claim anything, I suspect only. Strongly ]]
[[ Because.. read on... ]]
Because, do you see any more, or much less of that thread on the original list?
Tell me, somebody, pls.:

the thread is on this page (search for "pipe passphrase to unlock key"):
http://lists.gnupg.org/pipermail/gnupg-users/2012-June/thread.html

and the message is here:
http://lists.gnupg.org/pipermail/gnupg-users/2012-June/044881.html
and it has no links to any replies there on that page, only other topics..


Of course it could be an error, but I chose my words appropriately: probably it
is not error, but censorship, because, some people somewhere just don't want
users to know all that is going on.

That is, thanks to http://www.gossamer-threads.com , who IIUC also host Gentoo
on their servers, the information that can be gleaned from the thread on
gossamer-threads (but not from the archives on
http://lists.gnupg.org/pipermail/gnupg-users/ .

Pls. be quick in checking the links above, because when some people notice that
the possible censorship is discovered, they rearrange things to control the
"damage"!

In case this has already been done following the posting of my now offtopic'ed
post on Debian Forums:
gpg-agent now forced upon users of GnuPG
http://forums.debian.net/viewtopic.php?f=3&t=114427
I'll see what I can do, but I don't expect that it has been. If it already has,
I'll expand the next plan onto previous screencast/dumpcaps that I take when I
go online (see...

But just in case, after this post, I will put to some use my modest
(beginners/immediate-level) understanding of cryptography and give the sums of
both the screencast and the dumpcap that I will take, as soon as I try to post
this online, of that my next, soon to be, time online (I almost always write
offline, and then post entire prepared text(s) quickly).

I then could, whenever in the future, not necessarily while this matter is hot,
work the Screencast taken with my Flowstamp program, some day, like here an
example of its use:
http://www.croatiafidelis.hr/gnu/Flowstamp/
[ * ] read in bottom of this post on that
Because I'm here above limiting my talk to the possibly censored gpg-agent
inposition on users, for some marketing purposes.

So I'll now try and take screencast/dumpcap of Gossamer kept mailing list topic
"pipe passphrase to unlock key", and same topic "pipe passphrase to unlock key"
being lost on http://lists.gnupg.org/pipermail/gnupg-users/ , archive them and
transfer them in the air-gapped way safely first:

[[ another useful advice is growiso line in this article on Debian Forums:
Poor User's Defences, Basic Anti-Surveillance for Debian
http://forums.debian.net/viewtopic.php?f=3&t=111906&p=540730#p540730
[ but the subtopic is: "How to transfer files the air-gapped way" and yes it
works great on Debian sure, just search for growisofs there ] ]]

then only I'll give their SUMS here, and probably only then continue with the
more important topic of gpg-agent and guis imposition on GnuPG users, but
probably in the next post, Vis Major (see pronounciation in some previous post)
allowing.

[[ Not later, but before the posting the sums, because nothing changed nor on
gossamer nor on gnupg-users proper:
Code:
f5d649af5ca4935ce90b5193e08cd53c955d173e9c122458418820ea1f2ab8da  dump_140515_032910_naibd6.pcapng
0318a42acce3e71ce085db3a11f9b38840af4dbd34bbc8f898fa7ce3976ca86a  Screen_140515_032907_naibd6.mkv

and I hope I won't need to use them. ]]

There, I gave all that I planned in the previous posts, and promised the git
in Debian not allowing GnuPG one to sign, and git on Gentoo signing proud and
well my jigdo-automate-scripts local git repo, which is a promise I intend to
keep.

And also I said how I would like to put forth a few comments/quests for further
insights/opinions about that thread extant on gossamer-threads (but not from
the archives on http://lists.gnupg.org/pipermail/gnupg-users/ That thread is
worth of careful perusal.)

But let's first wait and see if there are feathers ruffled here again.
There shouldn't be, as far as GNU/Linux nature of freedom goes, but...

I would actually like to finish this sooner, but this gpg-agent and GUI
imposition where passwords are is making me a little angry...

I'll be sleepless tonight again. Because, this third post of this sequence of
the last, what, already some twelve hours maybe, is done, but the finishing
talk, the analysis what is at stake and why the precious information is not
very available at all in regard to the imposition of agent and gui around where
the passwords go, has to be done in the hot, as soon as possible.

Vis Major allowing,

Miroslav Rovis
www.CroatiaFidelis.hr

All links screencast/dumpcap captured/checked and alive except
or the intermittently showing/not showing one:
Libav (Avconv) Imposition on Users who want FFmpeg
https://forums.gentoo.org/viewtopic-t-7539612.html

b3d84c55395f4a9ff4960953c50dfb1c5db652430e7b3e4d71abbd6bc79e86e6 dump_140515_034426_naibd6.pcapng
906ef32aefefde02e9608b616f9e124955350def0879c6efda9df04f4657a4dd Screen_140515_034422_naibd6.mkv

############ pls. what follows is of difficult explanation ####################
############ skip it altogether as soon as you start suspecting ###############
############# it might be of no interest to you, boring, or simply ############
############# too complex ###########################
On the example which can be studied and should be easily accessible on:
http://www.croatiafidelis.hr/gnu/Flowstamp/
Here anyone can see the video is showing:
Libav (Avconv) Imposition on Users who want FFmpeg
(currently --I'm proofreading the next last time, no, it started showing again
on the original address too-- only at:)
https://forums.gentoo.org/viewtopic-t-989196.html
(but the addresses changed for some erroneous conditions, as can be studied
from same name topic on FFmpeg-users list archives, that was originally:
https://forums.gentoo.org/viewtopic-t-7539612.html
and that changed quite a few different addresses which is unusual
(I just tried, and from my Flowstamp page ffmpeg-users list archives were not
accessible to me at all, just a while ago, ddg.gg as a try to see if I had a
different error, was accessible and searchable, luckily I learned exactly on
FFmpeg-users list, and this is also something useful to Air-Gappers, to use
isup.me and it was not just me:
http://www.downforeveryoneorjustme.com/ffmpeg.org the site looked down from
there too --no, I don't blindly believe isup.me is truthful..)
I was trying to post that:
Libav (Avconv) Imposition on Users who want FFmpeg
https://forums.gentoo.org/viewtopic-t-7539612.html
was originally the address of that topic. The very first one. It can be
seen that that address was alive at the time the topic was started:
[ missing that exact address at the time of even next last proofreading no more
reading, but link alive to find, it's the second post of the thread, not the
first: https://ffmpeg.org/pipermail/ffmpeg-user/2014-April/021023.html ]
Libav (Avconv) Imposition on Users who want FFmpeg
which start was not available for me to find now on the good ole FFmpeg
original list, but, the linked from my Flowstamp page above to a later time in
that topic:
https://ffmpeg.org/pipermail/ffmpeg-user/2014-April/021052.html
shows the SHA256SUMS of the screencast demo and the accompanying dumpcap, and
they were taken obviously at the time of that post in April, the same one
SHA256SUM of the screencast being the one flowstamped onto the demo video

[[ if at least two persons want to check that I have that video, and to
publicly confirm or deny here, within reasonably short time (say, certainly
not hours after my posting of it), that the sum is correct, I can post the 20M
original screencast for readers' confirmation on CroatiaFidelis.hr as well ]]

and on the Flowstamp demo you can see around 0:00:42 seconds from beginning,
and at that exact time you can see the title nicely, but also around that time
you can see that the address:
https://forums.gentoo.org/viewtopic-t-7539612.html
was alive and well also at that later time.

Today, e.g., the address was intermittently on and off, and I still have that
screencast how that original address was off, and how from Portage and
Programming the link to that topic is instead:
https://forums.gentoo.org/viewtopic-t-989196.html

[[ server should be fixed in this respect ]]


Last edited by miroR on Tue Dec 02, 2014 1:09 pm; edited 1 time in total
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu May 15, 2014 3:48 am

No, the night has been sleepless, and I started some analysis as I said in the
immediately preceding post, but I am growing sick tired.
Good day (night is over in Europe)! Going to sleep,
Miro
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu May 15, 2014 12:12 pm

I believe I am entitled, by the mere fact of being a user of it, and having some
plain human logic available in my mind, to say my finishing analysis on the
thread extant, but is it incomplete?, on gossamer-threads (but unavailable from
the archives on gnupg-users lists), on the obvious facts, those that I said on
Debian cry out forcefully in between the lines.

But is it incomplete? Ciprian, the contributor Ciprian Craciun (if that is his
complete first and last name) judging from the address ciprian.craciun at gmail
(probably dot com or some other extension) just doesn't look like someone who
would want to bail out just after that last mail by Werner Koch extant for the
public, which certainly does not make for any kind of logical conclusion in the
topic, any kind of settlement to the issue exposed.

If some kind reader was subscribed to gnupg-users at the time of the (possibly
stumped) discussion in question and have the archives, they can look up and see
if there are any more messages, and I believe it is in the public interest of
GNU/Linux community that the (possibly) remaining messages be re-published, for
all of us to read.

On the careful perusal, I am not knowledgeable enough to figure out all the
scripts that are there without delving for numerous hours in Bash, and I don't
have another half day time now for that purpose. If anyone is willing, and so
many people here can figure out these scripts in a breeze, what am I saying,
can read scripts like drink water, that would be great (but I know, devs are
often too busy).

But upon another reread of that thread, I'd like to comment on a few places.

Most of the following discussion was held on Jul 31, 2012 and the
mailing list archives on Gossamer are the sole source, where you can correct
me if I made any mistakes as I reproduced it here. The following are all plain
copy-pastes, and it's a reconstruction adapted for forums view.

Some parts are visible in only one place, and weren't (or it seems now that
they weren't, but they were) replied to, most notably the Ciprian's mention how
"double forking is very bad, and should be done only in exceptional cases...
(And the GnuPG or SSH agents aren't one of those cases...)" at the very end.

Typos are kept as they were mistyped (such as: "no-user-agent" instead of
"no-use-agent").

Werner Koch wrote:

Ciprian Craciun wrote:

Werner Koch wrote:

Ciprian Craciun wrote:

Werner Koch wrote:

Not a good idea, because GnuPG 2.1 requires the gpg-agent and won't see
any private key stuff.


Not necessarily if you use the `--batch`, `--no-use-agent`, or
`--no-tty` (or a mix of the I'm not sure right now, but the manual
is.)

Nope. Recall that I implemented the stuff.


(Sorry I didn't knew you've implemented it.) :)

Mmm... Didn't read the "fine print" of the manual... (Which isn't
that fine print...)
~~~~
--no-use-agent
This is dummy option. gpg2 always requires the agent.
~~~~

Then I'm a little bit at unease...

First of all I would really have liked the tool to not just ignore
the `--no-user-agent` flag and bail out...


That would make migration for user of 2.0 to 2.1 too complicate. We try
to do the migration as smooth as possible.

Ciprian Craciun wrote:

Then if I use the `--batch` option it doesn't ask for a password,
thus what is the purpose of the agent anymore? (Except handling cards
which isn't the case in most instances...)


The agent does not handle cards. It just acts as a proxy for scdaemon.
What the agent does is to perform all operations involving the private
key (e.g. signing and decryption of the session key). GPGSM works this
way for 10 years now; 2.1 completes it and moved the private key
operations for OpenPGP also to the agent.

Ciprian Craciun wrote:

But on the other side, not always you have the option of running a
`gpg-agent` (for example on server side of a background job, etc.),


I run it on servers ;-).

Ciprian Craciun wrote:

I bet you can run it on servers. And I bet it works nicely.

What I also bet is that it leaves dangling "background" processes
lying, because -- if I'm correct -- the following happens:
* if I implement a service that isn't started with an `gpg-agent`
properly set up, then
* each invocation of `gpg2` will start its own, but not as a
child, but by making it double fork in the background;


That was the default in 2.0 on Unix. 2.1 will start the agent only once
and keep it around. The Windows version of 2.0 does this for a few
years now.

Ciprian Craciun wrote:

* but unfortunately the tool won't be able to export that
environment variables to its parent...


No problem anymore. We need an envvar only for the ssh support and that
is a fixed value.

Ciprian Craciun wrote:

* and also after the invocation the agent would just remain there;


Right.

Ciprian Craciun wrote:

Maybe the tool would check if someone listens on the socket and
not restart another agent, but still we have at least one agent
running, and for no purpose as there is no password to enter...


The agent is not for the passphrase. The passphrase handling code is
only a minor function block.

Ciprian Craciun wrote:

Or?
Ciprian.


P.S.: Maybe you remember that I've sent a patch in the past that
adds an option to the agent not to double fork (which was rejected)...
I really still strongly believe that double forking is very bad, and
should be done only in exceptional cases... (And the GnuPG or SSH
agents aren't one of those cases...)



Now, in my strong opinion, and for strong opinions I am becoming notorious for
;-) , while the forking (which is plain for perusal just above here in this
text that you're reading) I can only leave to big guys if they wish to
enlighten us mere mortals or fractions of programmers, just somewhat
programmers like me, there is, not many lines above from this place in this
text of mine, these statements, and by Werner Koch.

Werner implemented the new changes, IIUC, that the marketing requires to make
GNU/Linux "usable", and there is, not many lines above in this text, the
admission, and I believe him...

Sincerity is always good, honesty is always good, even when it sheds light in
such a way that leads to understand that what you programmed was, well, wrong
thing to do...

Sincerity is so much better than lying, in all but the cases where, such as
saving Jews in WWII, you lie that they weren't in your basement...

And Werner, I hope you'll be reading this some day, in the first place I thank
you for your sincerity and honesty.

That you were taken to do programming for such stupid purposes is a matter for
your thinking how to revert it, even against the tide of the insane drive for
marketing (and I don't want to say what is obviously deeper yet inside that
drive in this post Edward Snowden revelations era).

But your sincerity and honesty recovers your clean face here in great ways.

This is that statement:

Werner Koch wrote:

The agent is not for the passphrase. The passphrase handling code is
only a minor function block.


A minor function block, but I'd need all that stupid little password intaking
GUI (huge code programs by definition) on top of an agent with all the other
huge code (of which the passphrase handling code is a minor fraction), which
agent would lie around with my passwords all the time, because, why?, GnuPG
couldn't do that anymore on its own, got old and senile for some reason?

C'mon, all you marketeers, give us users with some logic still running a little
in our minds, a break!

I want to end this fourth post, in this sequence on gpg-agent imposition, which
is part of Air-Gapped Gentoo Install, Tentative topic, on that note.

I think now I have unfinished only on the git on Debian not intaking password
for GnuPG 1 when trying to sign a tagged release, and Gentoo doing the same
correctly, cases.

But I am somewhat tired here. I'll see how I should deal with that yet. I've
been busy on this sole topic of gpg-agent and guis taking away the simple
password handling work from GnuPG bully-style for more than one day (24
hours) by now...

Of course now I need to be available in more hours from now and reply back
within relatively short time if I receive any replies on this topic.

A caveat: I did notice some errors (too tired to analyze, though), not much, on
the Debian system that I use to connect and post. If I were not to reply, it
could be a successful attack on that sole exposed system of mine (attacks on my
systems did happen, just a note for readers who jumped in here from
elsewhere; read and find links to Grsecurity Forums with undeniable attacks on
my systems, somewhere roughly at the beginning of this very topic
on Air-Gapped install, here on Gentoo Forums).

Miroslav Rovis,
Zagreb, Croatia
www.CroatiaFidelis.hr
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri May 16, 2014 5:44 pm    Post subject: Reply with quote

I've got something pretty much fairly connected to this topic, but it's not
ready at all. It should be, because I'm very interested to understand more
about it.

It's really connected to the topic right at the root, because surveillance is
the reason for air-gapping.

Here:

Code:
e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201
dump_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.pcapng
b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4
Screen_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.mkv


I'm dead serious. You will probably enjoy the analysis. However, if I make it,
because it's not ready at all, and it'll take probably days, and if Vis Major
(Lat.) be of help.

It's not at all connected to anything close to the errors on the Gentoo server
that I pointed at, so they be corrected, not at all, because I never reached
anywhere near in this short, poignant, getting proverbial in our circles,
story.

Patience,

EDIT START: Wed 4 Mar 19:20:46 CET 2015
And the mystery is now plain for everybody to scrutinize:
< this same topic, same page you're reading >
https://forums.gentoo.org/viewtopic-t-987268-start-25.html#7712012
EDIT END


Last edited by miroR on Wed Mar 04, 2015 6:22 pm; edited 1 time in total
jonathan183
Apprentice

Joined: 13 Dec 2011
Posts: 282

PostPosted: Sat May 17, 2014 6:14 pm    Post subject: Reply with quote

miroR wrote:
It's really connected to the topic right at the root, because surveillance is
the reason for air-gapping.

I don't think the pgp issue is air-gapped system specific, I think it's better as a separate thread that mentions pgp specifically. People may have different reasons for an air-gapped system, including having a PC with no network interface. Someone wanting to deal with pgp would also not necessarily look at a thread with title air-gapped systems. Also just because someone is running an air-gapped system does not mean that a gui interface is a problem.

Masking individual packages is not unique to air-gapped systems, and has little impact on the overall approach either IMO ...

if you don't want the gtk or qt4 agent frontends building then use something like
Code:
echo 'app-crypt/pinentry -gtk -qt4' >> /etc/portage/package.use


if you don't want an agent at all then use something like
Code:
echo '>=app-crypt/gnupg-2.0.2'  >> /etc/portage/package.mask


The wiki page for https://wiki.gentoo.org/wiki/GnuPG#Final_thoughts_and_Credits might be a better place for this sort of thing ;-)
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Mon May 19, 2014 9:03 am    Post subject: Reply with quote

jonathan183 wrote:
miroR wrote:
It's really connected to the topic right at the root, because surveillance is
the reason for air-gapping.

I don't think the pgp issue is air-gapped system specific, I think it's better as a separate thread that mentions pgp specifically. People may have different reasons for an air-gapped system, including having a PC with no network interface. Someone wanting to deal with pgp would also not necessarily look at a thread with title air-gapped systems. Also just because someone is running an air-gapped system does not mean that a gui interface is a problem.


You are simply right. It did dawn on me, but most of it was already posted by the time it dawned on me.
In my defence, I have to say that I was very much annoyed with this kind of behavior:
A case of actual protection of my Gentoo box by Grsecurity
https://forums.gentoo.org/viewtopic-t-967806.html
[ * ]
where the case for Grsecurity is undeniable really...
and where the same, even much stronger opinions, as well as the same link, on my side were not at all off-the-walled here:
NSA SELinux Support???
https://forums.gentoo.org/viewtopic-t-984066-highlight-grsecurity.html

jonathan183 wrote:
Masking individual packages is not unique to air-gapped systems, and has little impact on the overall approach either IMO ...

if you don't want the gtk or qt4 agent frontends building then use something like
Code:
echo 'app-crypt/pinentry -gtk -qt4' >> /etc/portage/package.use


if you don't want an agent at all then use something like
Code:
echo '>=app-crypt/gnupg-2.0.2'  >> /etc/portage/package.mask


You do bring a little new here, in a minor way, and, you repeat some that is already stated, and at least twice, some also in great detail because I often have newbies in mind, in the previous posts, but you are expanding a topic that we agree doesn't belong here.

However, air-gap principally is done for countering surveillance on oneself, because install on a PC with no network is simply an offline install.

But pls, let's not dwell on this, pls. Let's agree to differ in some points.

I'm sorry for having damaged the thread and not created a separate on gpg-agent marketeering imposition! I'll try and not diverge this much again here.

jonathan183 wrote:
The wiki page for https://wiki.gentoo.org/wiki/GnuPG#Final_thoughts_and_Credits might be a better place for this sort of thing ;-)


Absolutely right! That crossed my mind too! But I am so slow at doing these things (I'm an older man). The information ought to be included there for all clear and easy to find! Absolutely right!

Miroslav Rovis
www.CroatiaFidelis.hr
[ * ] what I was incoherently trying to say, is sometimes I am a little fearful of opening new topics, such misbehavior like those people's, hurt.
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Wed May 28, 2014 9:35 pm    Post subject: Reply with quote

Today, I will first start with the assumption that the majority of the readers
understand like me, that air-gapped install doesn't just mean simply an offline
install when you don't have something like a network card on a particular
system, right?

No, air-gapped install means an install offline with the purpose of countering surveillance.

It means installing in such way as to be defended. Say, to retain defence such
as what the Iranians unsuccessfully believed they did, when they attempted to
hide their nuclear plants infrastructure, but which air-gapped systems of
theirs were straddled into by Israelis' (whose nuclear plant at Demona location
the "International Community" tacitly allow) and U.S. of A.'s Stuxnet virus
nevertheless.

I gave the example for the figurative purpose to hit your imagination well.
Those were air-gapped systems. And by top hackers of one capable state. And
they were broken into. Remotely!

Of course in our case, it's just defending your own, by your own country's
Constitution guaranteed:

privacy

and no weapons/other bad things/anything illicit to hide.

In fact, if I knew, I would help discover bad people, and never help them hide.

I mean really bad people, not good people like (most of) the anonymous when
they, for morally justified purposes, deface Visa and other institutions
because those institutions committed, well, very arguably in the least, crimes
or immoral acts (such as preventing people from contributing to Wikileaks).

I hope I can assume that it's anti-surveillance in protection of your privacy
the meaning of this topic here, the "Air-Gapped Gentoo Install".

If that is so, then maybe the broad excursion into GnuPG in the previous posts,
is not such incompatible digression, not so very much out of place, although a
separate topic and a link to it would have been a better solution.

I mean, why would you be wasting your time building Air-Gapped Gentoo, if the
most valuable little information, your password, that protects you with your
encrypted or other communication is then much more easily guessed/leaked
because you introduced more programs that unnecessarily "guard", fork, convey
around your password?

But I stumbled upon one other thing that evades most users, and many devs
refuse to see it, and surely not all programmers are like Gentoo developer khay
whom I quoted and thanked, in the previous posts on GnuPG, for saving GnuPG 1
for us in Gentoo distro for some more time into the future.

Really there are strange things going in GNU/Linux, which are not good for
users, and are not done for the sake of users, but other reasons.

I was having a break, a week or two now, from struggling with my Gentoo. I was
using it, not building it, for a while...

What I did, is, I managed to get cgit deployed on apache, so I could have my
git sources available on my SOHO, and got into git enough to shape, somewhat,
my two really simple (but still useful, and used by some Debian circles)
programs, the only two currently on:

https://github.com/miroR/

after which I was now into preparing the real prerelease of my Flowstamp
program, as I announced:

http://www.croatiafidelis.hr/gnu/Flowstamp/

preparing its source for publishing on github.com.

But then I noticed that I needed to make a sensible demo, because the hastily
made one currently available on the link immediately above was too
unrepresentative...

And I was preparing various videos for a compilation, during which time I
understood that I needed to record a voiceover, and tried recording on my new
Gentoo system...

But, pulseaudio, alsa and things are still not sorted.

And so I went on and tried to fix those things.

Not easy at all.

But in the process I acquired some insight about some ways and ... *kits
relatively recently introduced into Gentoo.

And that is what, again, I feel somewhat titubant to post here, but (I'm in the
proofreading phase, where else does this possibly fit so well, other than in
this surveillance-aware topic?).

...So I kindly ask you to bear with me a little longer, because my point is not
at all easily made in just a few sentences.

I want to start with other contributors' points made elsewhere. The focus of
your attention as you seek to understand why I claim it has a lot to do with
building a good Air-Gapped system, in this story should be on the following
one:

Tips and tricks for ConsoleKit, PolicyKit, and udev helpers
https://forums.gentoo.org/viewtopic-t-858965-postdays-0-postorder-asc-start-325.html#7164546

That was in response to:

Tips and tricks for ConsoleKit, PolicyKit, and udev helpers
https://forums.gentoo.org/viewtopic-t-858965-postdays-0-postorder-asc-start-325.html#6960232

And, to not clog this post on top of my never terse nor short writing, just the
point (I allowed myself the freedom to introduce only spacing, actually quite a
few newlines, the words are verbatim):

miket wrote:

...[snip]...They force us to go through all of this just so they can support a very specialized usage case.

How many people do you know who run computers with multiple keyboards and monitors

(
therefore "multi-seat"
)

and need to be sure that random people sitting at those seats around the
computer don't get access they shouldn't?


Now, I'll try and make the right point, for us, who don't want to allow
surveillance on us.

Did you notice the term "seat" above? You did because I put it prominently.

That it may be more easily understood what it is, on top of what can be gleaned from the page which I will give here only the title "Tips and tricks for ConsoleKit, PolicyKit, and udev helpers", because there are already three different links to it in the text (obviously I'm at proofreading), I can try and offer those who want to venture and understand more precisely what it is:

http://www.manpagez.com/html/PolicyKit/PolicyKit-0.9/polkit-polkit-seat.php

where it states:

Seat — Represents a ConsoleKit Seat.

EDIT START Thu May 29 02:00:21 CEST 2014
or much better yet:

http://www.freedesktop.org/software/ConsoleKit/doc/ConsoleKit.html

where there is the precise definition:

A seat is a collection of sessions and a set of hardware (usually at least a
keyboard and mouse). Only one session may be active on a seat at a time.

EDIT END

But I don't have the time, nor I want to go into those. I only want to post
what I can not agree with, because it is not in the interest of the users,
because it is not Free programming for good people which is what GNU/Linux has
always been...

Because...

Because consolekit/polkit, dbus and stuff can well be programmed so that, added
more infrastructure (that us users sure will not be told about, other than in
leaks like Edward Snowden's, whom my thanks go), some seat(s) on a user's
machine can well be remote and for a less knowledgeable user, completely
unnoticed by him/her!

Some seats can well work remotely on a poor Joe user's computer even while he's
sitting at it.

Pls. bear in mind that NSA got its SELinux in so many computers, thanks to
dear leader Linus accommodating for it.

Read here about that genius:
NSA SELinux Support???
https://forums.gentoo.org/viewtopic-t-984066.html#7501068
which creaker's wise words I repeat later on in the same thread
(
so while you're there, take notice of the mention of Grsecurity, the sole true
counter measure against spying-under-pretence-of-security which SELinux is...

===
A note within this note in parenthesis: basically, Grsecurity fixes what Linus
leaves open and unprotected for whichever reason in the GNU/Linux kernel, and
that seems to annoy the genius very much... It's a real though subdued war out
there, and Grsecurity had a moment of mild failure for a few days, exactly
after a major contribution by, wait, wait!... by the Dear Leader himself...
Find more from me on that failure after that contribution here:
Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616&p=541906
)

You found "If Grsecurity were not viable in Gentoo, Gentoo will become just
nice looking crap, nothing else.
"? That is my strong conviction.

Now something to give you a broader picture for how those seats (with, let's
call them, shadows sitting on them), who you won't know about, can work in your
computer..

...Have a look at another infrastructure introduced in the GNU/Linux kernel
back in late 2010, as it appears in this article by Brad Spender Spengler:
False Boundaries and Arbitrary Code Execution
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522

Difficult read for non-advanced users, and I myself still don't understand
occasional details in that article, and only vaguely understand some other
of the points.

But, the suggested 'man capabilities' a stop to fuel up your understanding, and
it's not so hard to get the gist of it. C'mon!

And you don't even have to go very deep into it. Search for "catch-all" and
take a while to figure that one paragraph out. I'll reproduce it here in its
entirety (I'll take liberty to add only newlines, the text will remain
verbatim):

spender wrote:

CAP_SYS_ADMIN: generic: among many other things (it's a sort of catch-all capability choice), CAP_SYS_ADMIN grants the ability to mount/unmount filesystems.

So you have the ability to bind mount a new filesystem over an existing one to backdoor any binary on the system.

There doesn't appear to be any DAC check for this operation, so the capability itself is sufficient.

CAP_SYS_ADMIN also grants the ability to use the TIOCSTI ioctl against /dev/tty (a tty not owned by us) and inject commands into an administrator's shell that will be executed without any interaction on their part.


Did you just read how CAP_SYS_ADMIN can give [*] a (shadow sitting on a) seat (that the user isn't even aware is rummaging in his machine) the:
"ability to bind mount a new filesystem over an existing one to backdoor any
binary on the system
"

( [*] Spender talks to them straight. He says: "...you have the ability to bind
mount...". He can confront them. I can't. My defenses work, but they are yet so
very primitive, only based on backup and restore. I'm very much still learning
all the time. )

And no one really can dismiss what Spender writes (well they haven't ever
really done it successfully).

The problem is, almost all the wikis and documentation, tell you you have to
install those kits.

So, esp. if you disagree with me for some reason, go ahead and deploy the
*kits, the consolekit/dbus/polkit and things...

I will try and follow what creaker and Anon-E-Moose suggested here:

LXDE replacement question
https://forums.gentoo.org/viewtopic-t-973802.html

and which I didn't really completely understand back when I first posted in
there, and it was because back then I didn't know about these seats.

Only now I understand and will go this way, as in this post of the thread
already cited above (but this is the last referral to that page in this post,
and this in parens is me proofreading):

Tips and tricks for ConsoleKit, PolicyKit, and udev helpers
https://forums.gentoo.org/viewtopic-t-858965.html#6544053

But, on my system, some of those *kits got pulled in by some of the around 700
packages that I currently have installed in my system, and I think I now first
need to try and figure out how much possibly remote influence on my system I
would have, if I cloned this system to use it online on a non-master (not the
main Air-Gapped system) box...

To find out if I have not managed to evade some of the infrastructure as is
programmatically offered to remote seats by those *kits and associate
infrastructure...

As usual, I'm exhausted at this point. Really complex to explain these things.

Let us please get the option of the free no-remote seats GNU/Linux viable!

Miroslav Rovis
www.CroatiaFidelis.hr
all links checked to be live and as intended at the time of posting
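The quoted passage turns on which processes hold the catch-all CAP_SYS_ADMIN. The check a practitioner would want at this point is to decode the Cap* lines of /proc/<pid>/status and see whether that bit is set in the effective and bounding sets. The script below is an added example written for this page, not code from the post or from any of the linked projects; the capability numbering follows <linux/capability.h>, SAMPLE_STATUS is a constructed status excerpt (its 0xa80425fb mask is a typical unprivileged-container style set, chosen for the demonstration), and the /proc scan in the main block only works on Linux.

```python
"""Decode the Cap* lines of /proc/<pid>/status into capability names and flag
the catch-all CAP_SYS_ADMIN.  Added example, not from the forum post; the
capability numbering is that of <linux/capability.h>, and SAMPLE_STATUS below
is a constructed status excerpt, not taken from any real machine."""
import os
import re

# Bit number -> name, in the order <linux/capability.h> defines them.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_INDEX = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed sample of the lines this script cares about (tab-separated,
# as the kernel prints them).
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "Pid:\t4242\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)


def decode_caps(mask):
    """Names of every set bit in mask; bits newer than this table show as CAP_<n>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Return {"CapInh": int, "CapPrm": int, ...} from /proc/<pid>/status text."""
    caps = {}
    for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def has_cap(mask, name):
    return bool((mask >> CAP_INDEX[name]) & 1)


def audit_status(text):
    """Summarise one process: effective set and whether CAP_SYS_ADMIN is
    usable now (effective) or could be regained (still in the bounding set)."""
    caps = parse_status(text)
    eff = caps.get("CapEff", 0)
    bnd = caps.get("CapBnd", 0)
    return {
        "effective": decode_caps(eff),
        "sys_admin_effective": has_cap(eff, "CAP_SYS_ADMIN"),
        "sys_admin_in_bounding_set": has_cap(bnd, "CAP_SYS_ADMIN"),
    }


def processes_holding(name, proc="/proc"):
    """PIDs whose effective set includes `name` (Linux only; needs read access)."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/status") as f:
                caps = parse_status(f.read())
        except OSError:
            continue  # process exited, or status not readable
        if has_cap(caps.get("CapEff", 0), name):
            hits.append(int(pid))
    return hits


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print("this process:", audit_status(f.read()))
    print("pids with CAP_SYS_ADMIN effective:", processes_holding("CAP_SYS_ADMIN"))
```

Run it inside any service or container you are unsure about; a CapEff that decodes to the full 41-name list is root in all but name, and a CapBnd that still contains CAP_SYS_ADMIN means a later setuid or file-capability step can get it back even if CapEff is empty now.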
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Jun 03, 2014 10:07 pm    Post subject: Reply with quote

After having written the immediately previous post on those weird programs, which
are becoming mainstream and imposed all over GNU/Linux-land, I have successfully
(judging by the end result) ventured into ridding myself of them.

Pls. look up:

Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146.html

I recommend mdev-like-a-boss as a good choice.

People have had difficulty installing it due to incomplete (from the user's point of view) documentation.
While that topic is thorough and pretty comprehensive, it might be a little hard to read. Sorry!

There was really lots of wondering, but eventually khayyam helped me overcome the last obstacle, which I think is exactly the one lots of users left their skin at.
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Sun Sep 07, 2014 11:23 pm    Post subject: Reply with quote

I have a new topic:
Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html
which actually very much deals in Air-Gapped stuff.

I believe some fine advice there for people seeking how to free gnu/linux (that's a verb). At least I really tried hard.

Miroslav Rovis
www.CroatiaFidelis.hr
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri Oct 10, 2014 11:18 pm    Post subject: Reply with quote

People are interested in this method, described in this topic, and all I can really tell you is still only that it does work.

I have no time to present it from scratch which this topic would require.

While a probably good alternative to full air-gapping may really be what jonathan183 suggested here:

( same topic that you are reading )
https://forums.gentoo.org/viewtopic-t-987268-start-25.html#7546202

I did not go for it, I went for the full air-gapped install, that is, with a local mirror (or private mirror).

On issues (not necessarily connected to failure of the method, actually probably not), and the possibly nascent method of verifying the mirror, you can read here:

Broken Pipe on Air-Gapped (& Portage Snapshots off Mirrors)
https://forums.gentoo.org/viewtopic-t-1001706.html

And you should know what I previously wrote, and is certainly very connected to success of our air-gapping on:

Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-998108-start-300.html#7624044

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Feb 05, 2015 1:23 am    Post subject: Reply with quote

What this topic on Air-Gapping can not offer you currently, and that is a systematic guide to build your Gentoo the air-gapped way, you may get in my Debian Forums tip, for that other FOSS Linux flavor:

Air-Gapped Debian Install for Newbies
http://forums.debian.net/viewtopic.php?f=16&t=119648

I was able to reach the solution there almost in a straightforward manner because I had the experience with building my Air-Gapped Gentoo. Here I started from an imperfect concept about where I needed to get, and for that reason I have wandered so much in this topic.
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Thu Feb 05, 2015 1:26 am    Post subject: Reply with quote

And if you are considering mailing programs for your Air-Gapped, you can read this stub:

Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html#7696102
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Mar 03, 2015 4:54 pm    Post subject: Reply with quote

I have to say, this is what I like! Everything adds up on these Forums, as expected in a FOSS institution.

Ten months ago, I promised I would show something that looked interesting to me... and I was hoping to understand what it was...

This is today's little event from my terminal:
Code:

ukrainian@mybox /some/where $ sha256sum *_140516_164150_naibd6_Schmoog_intrusion.*[pv] | \
egrep 'e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201|b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4'
e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201 dump_140516_164150_naibd6_Schmoog_intrusion.pcap
b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4 Screen_140516_164150_naibd6_Schmoog_intrusion.mkv
ukrainian@mybox /some/where $


And the egrep'ing was for the numbers which could be seen, and if they don't ban me from my beloved Gentoo Forums, or worse things happen, will be seen for more time to come in the future.

Here's where those same numbers feature.

previously in this page wrote:

Code:
e34f22f720275434128e9b26d70f8040cd742bca2918d230ce8386fbcb6e9201  dump_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.pcapng
b52cb6238640df0870bbea659db1d07f05abb5ce7a6a392beb8766cffc4790a4  Screen_140516_1xxxxx_naibd6_XXXXXX_xx_XXXXXX.mkv



That's a quote from this same page of this topic, from the post which is further above. This exact post:

[ this same topic you're reading, this same page of the topic ]
https://forums.gentoo.org/viewtopic-t-987268-start-25.html#7552466

So I obviously still got those same files, and they are now very close for anyone to check on what itched me back then...

Just go and download:

wget http://www.CroatiaFidelis.hr/gnu/.hm/.dump_140516_193521_naibd6++.pcap

Rename it:
Code:

mv -iv .dump_140516_193521_naibd6++.pcap dump_140516_193521_naibd6++.pcap


lest it remain invisible for `ls -l' without the `-a', such as: `ls -la'.

It's all in that packet capture file... But...

But it's not in the file you see, that's unimportant. I mean, in the file you can see the packets of in Wireshark

Just if you do open it in Wireshark, it should tell you that some of the data is corrupted.

Well, is it really corrupted I'll leave it as moot point for now, but do go and, if you can:

1) find the exact bytes that are corrupted

2) say if those bytes contain anything or are random corruption?

C'mon go ahead! Do try it!

Will post all my explanations just next. And if you're reading later when all is posted and no secrets remain (well some do, but those are the usual surveillors-control-and-users-are-controlled society secrets).
miroR
l33t

Joined: 05 Mar 2008
Posts: 826

PostPosted: Tue Mar 03, 2015 5:47 pm    Post subject: Reply with quote

EDIT Sat 2 May 17:57:47 CEST 2015: Read this too, but be aware of issues with this post, as I explain in the next one:

https://forums.gentoo.org/viewtopic-t-987268-start-50.html#7741670
---
...[And if you're reading later], do try to understand how easy it is to hide things in computing...

Make a directory:

Code:

mkdir ukrainian.d/


(the name is just an example, and because of my love and support for a related nation to us Croats)

Copy the file you downloaded into that dir.

Code:

cp -iav dump_140516_193521_naibd6++.pcap ukrainian.d/


Enter in it.

Code:

cd ukrainian.d/


Make this little script. Just paste this content into a file recov.sh.

(recov for recover [those "corrupted?" no!, hidden] data)

Code:

#!/bin/bash
# recov.sh: carve the two gpg blobs out of the "corrupted" capture and
# reassemble the clean pcap around them. The byte counts are the offsets
# at which the blobs sit in this particular file.
set -e

SRC=dump_140516_193521_naibd6++.pcap

# First cut: clean pcap head (4295443 bytes) | everything after it
split -d -b 4295443 "$SRC" "$SRC"
# Second cut, on the tail: the 2045043-byte Screen blob | remainder
split -d -b 2045043 "${SRC}01" "${SRC}01"
mv -iv "${SRC}0100" Screen_140516_164150_naibd6_Schmoog_intrusion.gg
# Third cut, on the remainder: the 49822-byte dump blob | clean pcap tail
split -d -b 49822 "${SRC}0101" "${SRC}0101"
mv -iv "${SRC}010100" dump_140516_164150_naibd6_Schmoog_intrusion.gg
# Head + tail = the original capture without the hidden blobs
cat "${SRC}00" "${SRC}010101" > dump_140516_193521_naibd6.pcap

So select and copy that code, and paste it like so:

Code:
cat > recov.sh
< here paste that code >
< and issue Ctrl-D >


And:
Code:

chmod 755 recov.sh


and run it (you're in ukrainian.d all the time):

Code:

./recov.sh


Of what that gets you, you only need two files, the *.gg ones:

So you can:

Code:

mkdir DEL
mv -iv * DEL/


and:

Code:

mv -iv DEL/*.gg .


And now you should have:



Code:

ukrainian@mybox /some/where/ukrainian.d $ ls -l
total 2056
drwxr-xr-x 2 ukrainian ukrainian    4096 2015-03-03 18:09 DEL
-rw-r--r-- 1 ukrainian ukrainian   49822 2015-03-03 18:09 dump_140516_164150_naibd6_Schmoog_intrusion.gg
-rw-r--r-- 1 ukrainian ukrainian 2045043 2015-03-03 18:09 Screen_140516_164150_naibd6_Schmoog_intrusion.gg
ukrainian@mybox /some/where/ukrainian.d $



It would still be no freaking use having those files for you.

Just like what will remain, after you see the data that I will hereby reveal to you, is the freaking cowardly encrypted data against the use, against us users who are controlled, by our surveillors who control us! It's easy hiding things, you freaking Schmoog!

But it's so dishonest and filthy way to live, you ugly octopus of the internet!

Those two files are encrypted symmetrically with gpg. Here's the password:

Code:

X0pho5m1r0


So what you need to do is:

Code:

gpg -d dump_140516_164150_naibd6_Schmoog_intrusion.gg  > dump_140516_164150_naibd6_Schmoog_intrusion.pcap


and:

Code:

gpg -d Screen_140516_164150_naibd6_Schmoog_intrusion.gg >Screen_140516_164150_naibd6_Schmoog_intrusion.mkv


And there you can see still only as much as an inquisitive user like me, can get to understand about what the intruder, in this case the Schmoog the Surveillance Engine, did, and no more.

It takes an expert to decrypt what data, or what ploy, or what ever-else, the Schmoog did in these some half a minute that I tried to connect to DuckDuckgo.com, but the Schmoog, the Goog, the Phfloog the Octopus of the internet, intruded on my machine.

I may correct this post some, tired now... Will only make sure the password above is correct. (Still checking that. If I'm not back in a little while, the whole procedure works. Still no warranties. Try it at your own risk.).

Checked it. All is well here. And rare is corruption on Gentoo Forums, but do tell if things don't add up, because I may have overseen some part of the tips here above...


Last edited by miroR on Sat May 02, 2015 3:58 pm; edited 1 time in total
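The two posts above ask the reader to find the exact bytes Wireshark flags as corrupted, and then show the answer: foreign data spliced into the capture at known byte offsets and cut back out with split(1) and cat(1). The script below is an added example for this page, not the author's code and not the real capture; it walks a pcap record by record and reports the first offset where the record chain stops making sense (which is where a spliced-in blob begins), and it does the splice and the inverse carve with the same offset arithmetic as the recov.sh above. The sample capture, its packets and the splice offset are all constructed here for the demonstration.

```python
"""Walk a libpcap capture record by record, report the first offset at which
the record chain stops making sense, and splice or carve a foreign blob at a
byte offset.  Added example, not code from the forum post; the sample capture
and the splice offset are constructed here for the demonstration."""
import struct
import sys

MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 written little-endian
MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # the same magic written big-endian
GLOBAL_HDR_LEN = 24              # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16              # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_pcap(packets, snaplen=65535, endian="<"):
    """Build a minimal pcap file holding the given packet byte strings."""
    out = bytearray(struct.pack(endian + "IHHiIII",
                                0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, pkt in enumerate(packets):
        out += struct.pack(endian + "IIII", 1400259000 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def check_pcap(data):
    """Return {"records": [(offset, incl_len), ...], "first_bad_offset": int or
    None, "reason": str}.  A record header whose timestamp or lengths are
    impossible marks the first byte that is not part of the capture proper."""
    records = []
    if len(data) < GLOBAL_HDR_LEN:
        return {"records": records, "first_bad_offset": 0, "reason": "short global header"}
    if data[:4] == MAGIC_LE:
        endian = "<"
    elif data[:4] == MAGIC_BE:
        endian = ">"
    else:
        return {"records": records, "first_bad_offset": 0, "reason": "bad magic"}
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            return {"records": records, "first_bad_offset": off, "reason": "truncated record header"}
        _ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if ts_usec >= 1_000_000:          # classic magic means microseconds
            reason = "ts_usec out of range"
        elif incl_len > snaplen or incl_len > orig_len:
            reason = "incl_len exceeds snaplen or orig_len"
        elif off + RECORD_HDR_LEN + incl_len > len(data):
            reason = "record runs past end of file"
        else:
            records.append((off, incl_len))
            off += RECORD_HDR_LEN + incl_len
            continue
        return {"records": records, "first_bad_offset": off, "reason": reason}
    return {"records": records, "first_bad_offset": None, "reason": "ok"}


def splice(data, offset, blob):
    """Insert blob at offset: what hiding data inside a capture looks like."""
    return data[:offset] + blob + data[offset:]


def carve(data, offset, length):
    """Inverse of splice: (capture without the blob, the blob).  Same
    arithmetic as cutting with split(1) and gluing head and tail with cat(1)."""
    return data[:offset] + data[offset + length:], data[offset:offset + length]


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        report = check_pcap(f.read())
    print(f"{len(report['records'])} good records; first bad offset:"
          f" {report['first_bad_offset']} ({report['reason']})")
```

Point it at a capture with `python3 pcapwalk.py file.pcap`; the reported offset is where to start cutting. One caveat: a blob whose first 16 bytes happen to look like a sane record header is swallowed as a packet and the break is reported further on, so compare the reported records against what Wireshark shows before trusting a single offset.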
Page 2 of 3