www.shivaserv.fr

Some stuff about OpenSource & Linux...

Hi all,

Some weeks ago I worked on kernel compilation for the BananaPi (first version).

I was trying to use the mainline kernel, to get its newer functionality and avoid using the old kernel from the original sources.

I've put all my work on my github:

https://github.com/ouafnico/BananaPi-Archlinux

I explain here how to make your own compilation and choose the needed components on the defconfig panel, then how to integrate this kernel into the Archlinux ARM image.

Enjoy :)

Hi everyone,

Today I'm going to show you some dangers of Android email applications you can find on the Play Store.

What you need to know about mail: your messages are actually stored on a mail server somewhere, depending on your provider. If you're using Gmail, they are on Google's servers. Most people use Gmail, Microsoft (Hotmail, MSN, Outlook), or a mailbox from their internet provider.
When you use a mail application, like the stock mail app on your iPhone or on your Android, the application connects directly to the mail server, using standard protocols like IMAP or POP.
To send an email, it contacts the SMTP server using the SMTP protocol.

The danger with some apps: they do not contact your mail server directly. They give your information (mail address and password) to a dedicated server, which connects to the mail server and downloads your whole mailbox. Your phone then only refreshes or fetches email through this dedicated server, over HTTP or HTTPS (like web browsing). It's not a bad idea, except that ALL your mail is downloaded by someone else!

I tried some email apps with my old Nexus phone. I made a fake mail account on my own mail server. I will connect these apps to it and, because I can watch the accesses live, see which IP addresses connect to my mail server...

AquaMail: seems good!

MyMail: can't choose a personal IMAP mail :D So I can't test. Goodbye!

BlueMail: Bingo! First one :p After configuring the app, some external IP addresses are connecting to the server: 54.90.147.202, 54.157.199.199. According to whois, these are Amazon IP addresses, but I don't have more info. My phone is connecting to the server too. Why these external IPs? After removing the app, I still have access attempts...

TypeApp: looks the same as BlueMail graphically... it's not good! Tada!! Same thing. IP addresses on my mail server: 54.165.87.200 and 54.205.181.135. Amazon servers! After removing the app, I still have access attempts too...

MailDroid: seems good :)

SolMail: Seems good too.

GMX Mail: Seems good!

Mail.ru: Jackpot! Access from 94.100.181.39, 94.100.177.59, 5.61.237.13, 185.5.137.195, 185.5.137.192, 94.100.178.38... All from Russia. Unlike TypeApp or BlueMail, which do both external access and direct access from the phone, when you refresh the mail in Mail.ru's app, only a Russian IP connects to the mail server... never the phone.
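
The check behind these results can be automated. The following is an added example, not code from the original post: it reads successful logins to the test account from a mail server log and separates the phone's own address from any other source, including logins that continue after the app was removed. The Dovecot-style line format with ISO timestamps, the account name and all addresses are assumptions constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed Dovecot-style login lines (ISO timestamps assumed) for a
# throwaway test account; all addresses are documentation ranges.
SAMPLE_LOG = """\
2016-03-01 10:00:05 mail dovecot: imap-login: Login: user=<probe@example.org>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, TLS
2016-03-01 10:00:09 mail dovecot: imap-login: Login: user=<probe@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
2016-03-01 10:05:00 mail dovecot: imap-login: Login: user=<other@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS
2016-03-01 12:30:00 mail dovecot: imap-login: Login: user=<probe@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?(?:imap|pop3)-login: Login: "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)"
)

def audit_logins(log_text, account, phone_nets, removed_at=None):
    """Classify successful logins to the test account by source address."""
    nets = [ip_network(n) for n in phone_nets]
    third_party, after_removal, phone_seen = set(), [], False
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] != account:
            continue                      # other accounts are out of scope
        try:
            src = ip_address(m["rip"])
        except ValueError:
            continue                      # malformed address field
        if any(src in net for net in nets):
            phone_seen = True             # the handset itself spoke IMAP/POP
        else:
            third_party.add(str(src))     # someone else holds the password
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if removed_at and ts > removed_at:
            after_removal.append((m["ts"], str(src)))
    return {"phone_seen": phone_seen,
            "third_party": sorted(third_party),
            "after_removal": after_removal}

if __name__ == "__main__":
    print(audit_logins(SAMPLE_LOG, "probe@example.org", ["192.0.2.44/32"],
                       removed_at=datetime(2016, 3, 1, 11, 0, 0)))
```

A non-empty `third_party` list with `phone_seen` true matches the BlueMail/TypeApp behaviour described above; a non-empty list with `phone_seen` false matches the Mail.ru behaviour.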

So, for my part, I can't trust this kind of application, which does not use the standard way. I will contact the developers to ask why there are these external accesses. If they respond I will explain!

Maybe the applications which make external accesses are not bad, but sorry, I can't trust this. Nothing can prove to me that my personal data is not used for something else (commercial?), and that it is removed when I remove the app.

When you think an app like Mail.ru is used by 10 million users and more...



This is the best advice I can give: always be careful with the applications you're using.

Hi!

After the previous article about PGP, here are some real uses of encryption.

On Android, you can easily encrypt your emails using the Open Source email app "K9-Mail". See my previous post about Android email apps, where you will understand that protecting your privacy is very important, especially when using an email app.

To let K9-Mail encrypt and decrypt emails, install the application "OpenKeyChain" from F-Droid or the Play Store. This is of course Open Source software, so no secrets and no backdoors. This application allows you to manage private/public PGP keys and use them in other applications.

After installing it, start the app. The first screen will ask you to create or import your private key. If you already have one, copy your private key to the phone over USB (and remove it after the process!). Do not send the private key to your phone by mail... don't forget how critical the private key is :) If you don't have one, follow the wizard to create your own key. Don't forget to export it afterwards, and back it up!

When the key is created/imported, you will see it on the main screen.

Now, in the settings on the left, enable the link to the contacts. The app will ask you to allow contact access (say yes). This will allow K9-Mail, and other apps, to search for a key when you use a contact name.

In K9-Mail, you can now enable encryption. Go to "Account settings", then "Cryptography". Choose the OpenKeyChain app as the OpenPGP application, and select your key. You can also enable signing support for unencrypted mails.

Now your K9-Mail is ready to decrypt mails for you, or sign mails.

But what about encrypting mails for other people? As explained in the previous article, to encrypt a mail for Alice, Bob (you) needs Alice's public key.

In OpenKeyChain, touch the "+" button. You can scan a QR code from another application, import a file, or search on a PGP server.

When the file is imported, the key will appear with an orange exclamation mark, because the key must be validated. You can use the key, but don't forget to check the validity of the key with the real person. To do that, touch the key, and confirm it by scanning the QR code from the real person's application.

Now, in K9-Mail, when you send an email to a person, the app will offer to encrypt the mail if a public key exists for this person.

Enjoy !!

PGP, or Pretty Good Privacy, is encryption software. It is used to encrypt or sign documents, mails or even disks.
PGP uses the OpenPGP standard.

How does it work?

PGP can work with symmetric or asymmetric keys. Here I will explain asymmetric keys.
An asymmetric key is a pair: a private key and a public key. The private key is the main key. As its name says, it is private and must not be given to anyone. The private key is used to generate the public key. The public key is public and can be given to anyone. The private key cannot be regenerated from the public key. The keys have a creation date, an optional expiration date, the mail address of the owner, and an ID (like a signature).
The private key can encrypt and decrypt. The public key can only encrypt.
A lot of software can create a private and public key.

OK, and what do I do with those keys?

In practice, if Bob wants to send an email or an encrypted file to Alice, he needs to ask for Alice's public key. With it, Bob encrypts the data for Alice and sends it. Only the holder of the private key associated with this public key can decrypt the data, so only Alice will be able to decrypt it, with her private key. Data cannot be decrypted with the public key.

Great. But how do I get the public key?

Yes indeed. Having to contact Alice to get the key is not very convenient. But PGP servers exist. A PGP server is a catalog of public keys. Everyone can upload their own public key to it. PGP servers are synchronized with each other. On a PGP server, you can search by keyword and download the public key.
For information: no public key can be removed from a PGP server. If the owner wants to disable a published public key, they need to generate a revocation certificate from their private key and send it to the PGP server. The public key will continue to appear, but a message will show it is revoked. For example, you can check https://pgp.mit.edu/.

Nice, this PGP server... but who can assure me that Bob's public key on the PGP server is really owned by my Bob?

You can't. That's why you need to confirm the signature with the real Bob, for example face to face.
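
What gets compared in that face-to-face check, and in the key confirmation step of the K9-Mail post, is the key's fingerprint. The following is an added example, not from the original post: for version 4 OpenPGP keys (RFC 4880) the fingerprint is a SHA-1 hash over the public-key packet, so two keys uploaded under the same name still have different fingerprints. The key material is constructed and far too small to be a real key; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

def mpi(value):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created, n, e):
    """Body of a version 4 public-key packet for RSA (algorithm ID 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()

def key_id(fingerprint):
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]

def same_key(fetched_body, fingerprint_from_owner):
    """True only if the fetched key hashes to the fingerprint the owner gave."""
    expected = "".join(fingerprint_from_owner.split()).upper()
    return hmac.compare_digest(v4_fingerprint(fetched_body), expected)

# Constructed toy keys: same creation time and exponent, different modulus,
# standing in for two keys published under the same name on a key server.
BOB = rsa_public_key_body(1456826400, 0xD5A1F3C7 * 0xE3B9A5D1, 65537)
LOOKALIKE = rsa_public_key_body(1456826400, 0xD5A1F3C7 * 0xF1C3B7A9, 65537)

if __name__ == "__main__":
    fp = v4_fingerprint(BOB)
    # What Bob would read out in person, grouped in blocks of four.
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4))
    print("Bob's fingerprint:", spoken, "key ID:", key_id(fp))
    print("fetched key is Bob's:      ", same_key(BOB, spoken))
    print("look-alike key is Bob's:   ", same_key(LOOKALIKE, spoken))
```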

OK. I understand how it works. But why would I need to encrypt data?

You're right. Maybe most people won't need to use this, and I'm pretty sure a big part of them don't even know PGP exists.
You could use encryption to send an email containing private information. Likewise, you could encrypt secret documents.
In reality, the networks your emails travel through may not always be encrypted, and you can never be sure they are. Using encrypted mail means you don't have to worry about the security of the networks your emails cross.
Likewise, you can encrypt it to be sure only Bob can read it.

In other articles, I will provide some real examples of PGP encryption, like how to use encrypted mail in software (Thunderbird on a PC, or K9-Mail on an Android device), encrypt some data on Gnome, encrypt a disk/partition/container...

(Credits for pictures: Wikipedia / https://en.wikipedia.org/wiki/Public-key_cryptography)