Easton's blog

Linux 4.15.2 on SnackLinux

Quick update to SnackLinux, rolled out Linux 4.15.2 with Busybox 1.28.0. Also switched over to x86_64 only (for now at least) since it simplifies a lot of things. I removed the need to staticly link everything and get rid of that niche, since a few other smaller distros cover that (Alpine Linux for example). Again, this simplifies building packages and running into less issues.

Why is my Android keyboard sending unencrypted data? And where?

I recently switched phones from a LG G4 to a Sony Xperia X Performance (isn't that a mouthful!), so I had a spare Android phone lying around. What better use for than to sniff some traffic! First up is ai.type Free Emoji Keyboard, a free keyboard that has built in text-swiping features, emoji, a calculator and much more. Android keyboards have the ability to read what you type, mostly just to improve text correction and prediction. This is an understandable permission but has the opportunity for misuse.

I loaded up Burp Suite, added the proxy setting to the phone and off I went. First request right off:

Holy leaking information batman! The app sent my email addresses, latitude, longitude, IP address and device info to their server over HTTP.

Now you may be thinking "well ads display in apps too, they must send juicy tracking information back too", so let's take a look.

Create an ad blocking VPN for mobile use

Ads on your mobile device can use a fair chunk of your monthly data, so I set out to create a way to disable them while browsing. If you happen to have a rooted Android phone, AdAway is the easiest solution that I have found. Another solution is creating your own DNS server, to have all traffic to unwanted domains be unresolved. While that's great, one can only set the DNS servers manually for wifi, not for mobile data (3G/LTE). The fix this issue, what I did was create an OpenVPN server with Bind9 zones to block unwanted domains.

 

To bootstrap installing VPN, I used this script to quickly set up an OpenVPN server. Its all very straight forward and will prompt for a few options.

If all went well, it will generate a client profile for you to use (.ovpn). Next, I installed bind9 and followed this tutorial. Once that is all set up, you'll have an ad blocking DNS server! Only thing left to do is force clients to use the DNS.

Base64 image uploading to Pasteros

Pasteros now has JPEG handling abilities when pastes are uploaded with base64 data (see commit). Convert your image to base64 like this and view it by add .jpg to the end of the paste ! I also wrote a command line utility that uploads a selected screenshot area to Pasteros.

 

Remote code execution with Hitron CGNM-2250

Edit: This has been fixed in the latest firmare update 4.5.10.25

Makefile update to SnackLinux

The Makefile for SnackLinux has been updated, I made it a bit easier to build SnackLinux from scratch. I'd like to update GCC to at least 5.x something, and add a few more packages to SnackLinux. Eventually, adding a PKGBUILD-like system to fbpkg would be preferable. Right now, it's just a bunch of instructions on the snacklinux.com.

SnackLinux update

SnackLinux now has a whopping 31 packages, which include a (somewhat) working gcc toolchain and other fun GNU utilities (vitetris included!). I was able to add Docker support as well, which is just tarballed userland. Getting a working gcc toolchain was a bit of a pain in the butt.

Tags to Pasteros.io

Tags have been added to Pasteros.io, so now pastes can be "grouped" together, making it a bit easier to manage. For example, see https://pasteros.io/tag/snacklinux. A delete URL is still on my todo list, but that shouldn't be too difficult to implement.

Pasteros.io is live!

My text storage platform project, pasteros.io is finally live! It's also on Github: https://github.com/snacsnoc/pasteros

Tags:

Setup Nagios 3 with lighttpd on your VPS

There are countless tools and software stacks out there to monitor your servers out, though some are not the easiest to setup. I went with Nagios since it's straightforward to configure and easy to setup. For reference, I used Nagios 4.0.8 on Debian 7 using Debian 7 slaves. The Nagios master node already had lighttpd and PHP set up so I'll gloss over that.

Master node

Start by downloading Nagios and Nagios plugins:

 

Pages

Subscribe to RSS - Easton's blog