Blog Defacement

While I have now been hosting this blog for nearly 9 years - without any incident - problems tend to happen sooner or later. A lot of hassle and problems have been reduced due to the WordPress Auto Update system - which updates WordPress itself, as well as its plugins - and it works great. However, WordPress introduced - and enabled by default - a REST API - which has a great deal of security problems. And without me always checking each installed version - well, I did not know that... The REST API problems should be fixed by now, but - that came a bit too late for my blog. Nonetheless, I would recommend going to Jetpack -> Settings and disabling JSON API - especially if you're not using it... I learned it the hard way ^^'..

PS: If you disable it, WordPress.com won't be able to talk to your website anymore so... You're gonna have a bad time, if you need that :/. You'll need to decide for yourself...

Regards

Keybase.io got a new Client - and it is awesome!

Finally, Keybase.io got a new Client and it is looking gorgeous: https://keybase.io/.

They added a graphical client to the CLI and included a Chat, as well as the File transfer and Search options. So now, Keybase.io is easier to use than ever before - and the best thing: A mobile client is soon(tm ;)) to be released.

Actually I missed the release of the client and would not have stumbled upon it, if it weren't for johanbove, who sent me an encrypted message via the client - and Keybase let me know via email that I got something encrypted waiting for me ;).

Seems like Johan read my last post about Keybase.io and decided to drop me an encrypted message - and as you see, that's the real power of Keybase: You just have to know someone's Github/Twitter/Website/WhatEver Account Name - and you can drop her/him an encrypted message, file or chat. And that is in fact the point where Keybase.io shines above the regular PGP solutions - it is PGP for the social web :).

So - cheers Johan, thanks for the message - and lot of fun for the rest of you, maybe we connect on Keybase.io - I won't give you my page now - I trust you'll find me very easily ;)!

Raspberry Pi and its Hardware Random Number Generator (RNG)

Due to a Stackoverflow post I learned that the BCM2708 / BCM2835 contains a Hardware Random Number Generator (RNG). Two blog posts described how to set up this little module; however, they were outdated, as the needed kernel module is directly baked into the latest 4.x kernel, which means that /dev/hwrng already exists :).

The only thing left to do is the installation of the rng-tools, which is easy as pie:

sudo apt-get update
sudo apt-get install -y  rng-tools

After that, we also need to point rng-tools to the right source, by adding

HRNGDEVICE=/dev/hwrng

to /etc/default/rng-tools (need root rights for that :))

After that, the service can be restarted and used:

sudo service rng-tools restart

PS: This RNG seems to be available on all other RPis as well, not only RPi 1 🙂
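
A quick way to confirm the setup took effect, as an added example that is not part of the original post: it checks that /etc/default/rng-tools has an active (not commented-out) HRNGDEVICE= line pointing at a character device, then prints the kernel's current hardware RNG driver and the entropy pool level. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: post-install checks for the rng-tools setup described above.

# Print the device rngd is configured to read: the last *uncommented*
# HRNGDEVICE= assignment in the given file. A line that still starts
# with '#' is inactive and is ignored.
hrng_configured_device() {
    sed -n 's/^[[:space:]]*HRNGDEVICE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# $1 = defaults file. Returns 0 if it names an existing character device,
# 1 if no active HRNGDEVICE= line exists, 2 if the path is not a char device.
hrng_check() {
    dev=$(hrng_configured_device "$1")
    if [ -z "$dev" ]; then
        echo "FAIL: no active HRNGDEVICE= line in $1" >&2
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "FAIL: $dev is not a character device" >&2
        return 2
    fi
    echo "OK: rngd is configured to read $dev"
}

# Full report on a live system.
hrng_report() {
    hrng_check /etc/default/rng-tools || return $?
    # Driver the kernel's hw_random core is currently using
    if [ -r /sys/class/misc/hw_random/rng_current ]; then
        echo "driver: $(cat /sys/class/misc/hw_random/rng_current)"
    fi
    echo "entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail)"
}

# Run with --report on the Pi itself.
if [ "${1:-}" = "--report" ]; then hrng_report; fi
```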

 

Other articles:

http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/

http://fios.sector16.net/hardware-rng-on-raspberry-pi

MacType - A better font rasterizer for Windows

If you're tired of the ClearType fonts in Windows and long for a more Unix/Mac-style font rasterizer, you have most probably heard of GDI++ and GDIPP. And as both projects are somehow dead (for 6+ years), someone started a new one, called MacType.

How to install the latest version?

1.) Download and Install MacType (choose English!): http://www.mactype.net/

2.) Download the latest patch: http://silight.hatenablog.jp/entry/MacTypePatch currently the latest version is MacTypePatch_1.19.zip (2016/11/17).

3.) Unpack the patch and copy EasyHK32.dll, EasyHK64.dll and UserParams.ini (from win8.1_or_later folder) to the C:\Program Files\MacType folder

4.) Copy EasyHK32.dll, EasyHK64.dll to C:\Windows\System32

5.) Start MacType as Tray Version and choose a default setting, e.g. FT Opt

Here you can see an example - left without, right with MacType:

Lineage OS Fix: After reboot phone not usable anymore (Only back button/statusbar visible)

Sadly, my Nexus 4 (mako) had a rough experience after upgrading to Lineage OS: After a reboot, I ended up with this screen:

As you can see, only the back button and status bar are visible anymore. I can drag down the status bar and enable / disable stuff but cannot launch the settings or anything else - brick'd :(. I had to reinstall that thing several times, but then came to the conclusion about what caused the error: I had enabled a screenlock (does not matter which kind :)) and played with the System Profile under Settings. I created a second System Profile which - as soon as it connected to my Home Wifi - removed the screenlock. And that was the problem. After two additional reboots, the error as seen manifested.

Good news: It only took me three complete reinstalls (read: wipe... ^^') to get that - and the fix is very simple: Don't create such a System profile. If you have and you end up there, that is no problem as well: If you have adb Debug enabled, you'll have it fixed in one minute and one reboot:

# open your CMD / Bash
adb shell
# activate root
su
# go to the correct folder
cd /data/system/
# get your current profile config
cat profiles.xml
# now grab that config file, remove the <profile> </profile>
# part which causes the error -> your newly created profile
# with "auto turnoff screenlock"
# after that, put it back on your phone
echo 'HERESHOULDBETHENEWCONFIG' > profiles.xml
# then reboot your phone
reboot

If you have no root access available you could get root on your device via the addon from Lineage OS, and if you don't want that (which is good too!) or you got no ADB Debug enabled - fix it from within TWRP :).

PS: If you want to report something, always pass along your logcat (extract with adb logcat -d '*:V' > logcat.txt if you got adb access)

How to run pi-hole in a Docker container

Pihole is an awesome little DNS Server with Blacklists for Ad Sites and the ideal tool to install a small and powerful ad filter for the whole network (Intro Video here).

As diginc designed a Docker Image around the Pihole server (which was normally run on a RPi :)) - and made it x86, you can also run it on your normal Homeserver :)!

Important things just before we start: The Docker container needs to bind to ports 53 (DNS) and 80 (HTTP) - so, if you need to run your own DNS - that could interfere. If you need port 80 for some other website - you'll have to set up a reverse proxy.

To make the setup easier, I wrote a little docker-compose.yml:

pihole:
  restart: unless-stopped
  container_name: pihole
  image: diginc/pi-hole:alpine
  volumes:
    - /var/pihole:/etc/pihole
  environment:
    - ServerIP=YOURLANIPHERE
  cap_add:
    - NET_ADMIN
  ports:
    - "53:53/tcp"
    - "53:53/udp"
    - "80:80"

You'll need to change the YOURLANIPHERE to the IP address of your server's LAN interface - and you'll need to create the folder /var/pihole and make it writable for your Docker user.

sudo mkdir /var/pihole
sudo chown -R MYLINUXUSER:MYLINUXUSER /var/pihole

After that, we can start the service via docker-compose up -d.

You'll have access to the Web interface of pihole on YOURLANIPHERE/admin

However, this interface is NOT protected - so we'll do this now:

docker exec -it pihole /bin/bash
# create a password protection for your pihole web interface
pihole -a -p somepasswordhere
# You can also remove the password by not passing an argument.
pihole -a -p

Also, pihole creates a lot of log files, which should be removed from time to time; the block lists should be updated, and pihole itself should be updated. This can also be achieved via a cron file, available here.

# [...]

# Your container name goes here:
DOCKER_NAME=pihole
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Pi-hole: Update the ad sources once a week on Sunday at 01:59
#          Download any updates from the adlists
59 1    * * 7   root    PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole updateGravity > /dev/null

# Update docker-pi-hole by pulling the latest docker image and re-creating your container.
# pihole software update commands are unsupported in docker!
30 2    * * 7   root    PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole updatePihole > /dev/null

# Pi-hole: Flush the log daily at 00:00 so it doesn't get out of control
#          Stats will be viewable in the Web interface thanks to the cron job above
00 00   * * *   root    PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole flush > /dev/null

I actually did just open my cron with crontab -e and entered the last lines into there - so that should work. You can now test your new Adblocker by entering the IP of your Server as DNS on your Clients - and if you're happy with it, just replace the DNS server entry on your DHCP server with that IP - to rollout pihole to your complete network :).

 

More Info:

https://github.com/diginc/docker-pi-hole

https://discourse.pi-hole.net/t/how-do-i-set-or-reset-the-web-interface-password/1328

https://www.reddit.com/r/pihole/comments/5rudb3/running_pihole_in_a_docker_container/

[Keybase.io] Add another E-Mail to your Keybase.io Public Key

Keybase.io is awesome!

But the problem was, you could not really use it for email, nor sign your Github commits, as keybase only entered a non-existent email into the public key (yourname@keybase.io). But - you can change that :). You'll need to have GNU PGP / GPG installed.

Download Private and Public Key from Keybase.io (edit Button next to Key on Profile, Export my Private Key, Key Checksum for Export of Public Key)

gpg --allow-secret-key-import --import keybase-private.key
gpg --import keybase-public.key
gpg --edit-key myname@keybase.io

then in the gnupg ‘shell’:

gpg> adduid
Real name: Full Name
Email address: myname@mymail.com
Comment: <canbeleftempty,just enter>

You'll need to enter your Key to allow the changes.

Stay in gpg shell and do following to trust yourself (maybe not necessary):

uid myname@mymail.com
trust
5
y
save

Export your newly generated public key:

gpg --armor --export myname@mymail.com

Upload to Github for Sign (New GPG key): https://github.com/settings/keys

Upload Public Key to Keybase: https://keybase.io/myname (edit, Update my key)

You can sign now on Github with:

git commit -S -m "signed commit"
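
GitHub only shows a signed commit as verified when the committer e-mail is one of the user IDs on the uploaded key, so it is worth checking that the new UID really landed on the key before uploading. The following is an added example, not part of the original post: it parses `gpg --list-keys --with-colons` output and tests whether git's `user.email` is a non-revoked, non-expired UID. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example: does the key carry the e-mail that git puts on commits?

# Read a `gpg --with-colons` listing on stdin and print the e-mail of every
# user ID that is neither revoked (r) nor expired (e).
# Field 1 = record type, field 2 = validity, field 10 = user ID string.
usable_uid_emails() {
    awk -F: '$1 == "uid" && $2 != "r" && $2 != "e" {
        if (match($10, /<[^<>]+>/))
            print tolower(substr($10, RSTART + 1, RLENGTH - 2))
    }'
}

# $1 = e-mail to look for, listing on stdin. Returns 0 if it is a usable UID.
key_has_email() {
    usable_uid_emails | grep -Fxq "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Constructed sample listing (key IDs, fingerprint and hashes are placeholders).
SAMPLE_LISTING='pub:u:4096:1:AAAAAAAAAAAAAAAA:1480000000:::u:::scESC:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA:
uid:u::::1486000000::HASH1::Full Name <myname@mymail.com>:
uid:u::::1480000000::HASH2::keybase.io/myname <myname@keybase.io>:
uid:r::::1480000000::HASH3::Full Name <old@mymail.com>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1480000000::::::e:'

# Live check: $1 = key ID or e-mail identifying the key in the local keyring.
check_git_signing_email() {
    email=$(git config user.email) || {
        echo "git user.email is not set" >&2
        return 2
    }
    if gpg --list-keys --with-colons "$1" | key_has_email "$email"; then
        echo "OK: $email is a usable UID on key $1"
    else
        echo "FAIL: $email is not a usable UID on key $1" >&2
        return 1
    fi
}
```

On a real keyring, call `check_git_signing_email myname@keybase.io` after the `adduid` and `save` steps.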

 

Infos taken from:

http://superuser.com/questions/293184/one-gnupg-pgp-key-pair-two-emails

https://blog.ochronus.com/signing-your-github-commits-with-your-keybase-io-account-7bf3efe04a10#.eqcmjf4cl

http://stackoverflow.com/questions/22136029/how-to-display-gpg-key-details-without-importing-it

Cisco 45xx Supervisor 6LE Defect

As I tend to work with some Cisco 4506 and similar switches - equipped with WSX45SUP6LE / WS-X45-SUP6L-E Supervisor Engines, I had the unfortunate delight to see those rebooting at random.

Cisco did put out an entry in their bug tool ("Sup6LE reloads silently (Reset State: 00000201) / watchdog CISR0: 0x80") with the Bug Tracker ID CSCtf85481 - however, of the multiple accounts I had, I only found it on one of those. Other accounts did refuse my access to this file. As we confronted our Cisco Tech Support prior to finding the bug ourselves, there was "no known error" which represented itself in rebooting the switch at random - so they said.

How do you find out if your board is one of those faulty ones?
a) If the serial number is JAE1422xxxx or higher (e.g., JAE1445xxxx, JAE1729xxx, etc) the board should not be affected. If it is in the range provided - check b)
b) If the "Hardware Revision" is 1.3 or higher, it is not affected. [sh idprom supervisor]
c) If either a) or b) are not true. Then the board may be affected by this bug. Contact TAC.

Another sign of the error is the "Last reload reason: Unknown reason" output of show version

It seems like the first batch of Supervisor 6L-E Engines was faulty on a HW level, so only a replacement will help. The engines will start rebooting once in a while after a certain amount of time - with the time between each reboot getting shorter.

Nexus 4 / Nexus 7 CrossUpgrade from Cyanogenmod to Lineage OS

EDIT: Experimental Builds were deleted now, as initially stated by the LineageOS Team in this post. CrossUpgrade is not possible anymore, best bet would be to wipe the device and start from scratch. So just skip the second step with EXP Image and WIPE EVERYTHING in TWRP and install the latest nightly. Please also stay alert on bugs which are included in LineageOS. This link will give you access to the unresolved section of the Nexus 4 / Mako device, while this link will give you access to the same for the Nexus 7 2013 Wifi / flo :). Also, you can find the latest changes for mako here and for flo here.

As CyanogenMod ended their services - and Lineage OS took over, we need to cross-upgrade to the new system.

0.) Basic idea:
To upgrade to Lineage OS, they set up a so-called experimental image. This exp image exists solely for the purpose of migrating old CM installations to LOS installations. A really ugly nag screen will remind you of that. So the upgrade path will be: CM -> LOS Exp -> LOS Nightly. Also, you need to upgrade to the correct version. I.e. LOS does supply Nexus 7 LOS 14.1 images, so you need to upgrade your Nexus 7 first to CM 14.1, then install the LOS Exp 14.1, then the LOS Nightly 14.1

1.) Nexus 4 (mako)
- Install latest TWRP Version: https://twrp.me/devices/lgnexus4.html
- Make sure your device is on CM 14.1, if not, upgrade via: https://download.cyanogenmod.org/?device=mako
- Download LOS 14.1 Exp and install via TWRP (clean caches!) and reboot: https://download.lineageos.org/mako
- Download LOS 14.1 Nightly and install via TWRP (clean caches!): https://download.lineageos.org/mako

2.) Nexus 7 2013 Wifi (flo)
- Install latest TWRP Version: https://twrp.me/devices/asusnexus72013wifi.html
- Make sure your device is on CM 14.1, if not, upgrade via: https://download.cyanogenmod.org/?device=flo
- Download LOS 14.1 Exp and install via TWRP (clean caches!) and reboot: https://download.lineageos.org/flo
- Download LOS 14.1 Nightly and install via TWRP (clean caches!): https://download.lineageos.org/flo

And that's it! 🙂

More Infos needed? Just check out this older blog entry - you can use 2) and 3) but please do not delete anything except caches on 3) - and you do not need to flash GAPPS - as we want to upgrade, not reinstall from scratch 🙂