I wanted to install the Let’s Encryptcertbot package on a Raspbian Jessie installation that hosts my Asterisk PBX. I had manually installed a certificate but decided that the automated certificate installation is advantageous. Certbot is available as a backport.
W: GPG error: http://ftp.debian.org jessie-backports InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Step 3 — The two bolded keys needed to be added to the gpg keyring:
# gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg: requesting key 46925553 from hkp server pgpkeys.mit.edu
gpg: key 46925553: public key “Debian Archive Automatic Signing Key (7.0/wheezy) <email@example.com>” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
# gpg -a --export 8B48AD6246925553 | sudo apt-key add -
# gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
gpg: requesting key 2B90D010 from hkp server pgpkeys.mit.edu
gpg: key 2B90D010: public key “Debian Archive Automatic Signing Key (8/jessie) ” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
# gpg -a --export 7638D0442B90D010 | sudo apt-key add -
Jim Dixon of Alhambra, CA was one of the developers who worked on hardware drivers for the Asterisk Voice over IP software. He took his knowledge and created app_rpt which then allowed Asterisk to function as a radio repeater controller usable by radio amateurs and commercial users. On the amateur radio side, this grew into a VOIP linking system for repeaters that is known as Allstar.
It should come as no surprise to anyone even slightly knowledgeable about information security that the human factor is the biggest risk to unwanted exposure of information. The most dangerous way that a human can put himself or his organization at risk is to read an email. It is way to easy to embed malicious content in an email that can get past the rudimentary security filters that are in place in many organizations and especially on personal devices.
Malicious content in an email can masquerade as a harmless web link. It may seem to be from your your bank or from an email provider. It can direct you to a forged page and ask you to update some personal information or to enter a password. Are you sure that email is legitimate?
Malicious content can be easily embedded in a graphic or a pdf. Take a look at your spam folder. See any files with attachments? Subject lines like “Invoice” or “Purchase Order” from people you were not expecting or don’t even know signal trouble. Do not open those files! You may have been spearphished, targeted because of who you are or where you work.
So with all the talk about “Russian hacking”, this Department of Homeland Security Release detailing what they believe to be an organized campaign against employees of critical infrastructure, academia, and business puts the talk in perspective.
It is probable that no vote tally was changed as a result of any “Russian hacking”, but to discount the real threat to American society of organized hacking campaigns by foreign governments is foolhardy.
I had a few minutes to timesink yesterday and was reading stories on Google News. One link leads to another, and before I knew it, I was sucked into a story on 40 little known facts about TV’s most popular situation comedy ever, “I Love Lucy”. What could be more wholesome web viewing?
I rather quickly noticed that the text accompanying the pictures was very poorly written. Words were misspelled and misused with alarming frequency. I was convinced that the writing had been outsourced to an offshore bot that had stolen the content elsewhere on the interwebs.
And then, this happened.
My computer was crazily beeping and there was a fake virus alert displayed on the screen. Of course I took the time to close the browser (despite the false warning that I would not be able to) and make sure that my workstation was not actually infected. Such fun!
A brief Google survey revealed that the call center number displayed, (877) 337-7936, is often connected with malware scam artists. Most of the displayed pages seem to be further attempts to get you to install real malware on your system. Don’t fall for them.
Then I made the call. I was the end user from hell that these cyberpirates deserve. Imagine if Ransomware Inc. got hundreds of calls like this every day? They’d have no time to hold up their other poor victims and their profit margins would take a dive. The obvious annoyance of the Ransomware Agent at about 7 minutes into the call, when he lets out an exasperated “Yeeeeessss”, is priceless.
According to threads on Microsoft’s Developer Network, DHCPV6 has been broken since the first deployments of the Anniversary Update last August. I first noticed an issue on October 4 where several Windows clients would no longer register their IPV6 DNS address post update.
While this has been broken for a couple of months, I was advised today by Adam Rudell, a Microsoft Support Escalation Engineer, that the “PG is actively investigating. I just updated the TechNet thread and will follow up as soon as PG has provided me some more information.”
The Windows 10 anniversary update came recently to my radio room computer. The folks in Redmond have some quality assurance problems to resolve. Here’s what I’ve noticed so far.
All my firewall rules were deleted. This means that as I run applications which require external access, I have to reauthorize them. While it is not a bad practice to occasionally review these settings, I would have preferred to do so at a time of my own choosing.
The WINUSB driver used by my Perseus SDR was deleted. I had to reinstall the driver and to do so, I had to go through the multiple reboots to allow installation of the unsigned 64 bit driver. Not fun.
My sound device settings were changed. The friendly name for the SignaLink USB sound card device that is connected to my Kenwood TS-2000 reverted to “USB Audio CODEC” and Windows decided to make that device my default sound and communications devices.
This update was hardly the best anniversary present that Microsoft could have given me.
As luck would have it, a key URL for the software mentioned in my September CQ Magazine RF Bits column no longer works. That is because the author, Mike Guenther, DL2MF, decided to withdraw support for the DV4MF2 console for the DV4mini. Whatever his reasons, we have luckily archived a copy for your convenience. So if you arrive at a German language page with a “no more available” caption in English at the top, fret not and get your copy of DV4MF2.exe right here.
While the author has withdrawn support, the software nonetheless functions as it did when my article was prepared for your enjoyment. Other software for the DV4mini is also available and supported by Wireless Holdings, although lacking the nice Brandmaster XTG support that DV4MF2 offered.
It would be great if more radio amateurs released their software under some open source license so that work by and for the community could be continued as needed. We have far too much orphaned software in regular use in the amateur community. A perfect example of this is UI-View32. The author’s last wishes upon his death included the destruction of the source code. Yet, the program is still used by many amateur stations around the world. Imagine how much more useful the orphaned software could be if the source code were available for further development?
While Marshmallows are soft and gooey, Android 6.0.1 (Marshmallow) is one tough cookie. Marshmallow provides granular security controls that allow you to decide whether an application gets access to particular information. Tired of LinkedIn or Facebook trying to grab all your contacts?
Now you can control this behavior.
To take a look at these settings, go to Settings->Apps->Application manager. Pick an app and you’ll see a bunch of sliders that let you turn access on or off for that control. Newer app versions directly support the Marshmallow security model. Older apps don’t and may malfunction, but don’t let that stop you from trying out settings that meet your security requirements.
Blackberry has had this level of application security control for many years. It is good to see that Android is now taking application and data security very seriously.
I am convinced that Google’s Chrome OS is highly underrated and under appreciated. I have been testing an ARM based Chromebook as well as an ARM based Chomestick with great results. If your primary email address is @gmail.com, and if most of your computer activity is email, messaging, and light document prep, you don’t need the complexity of Windows or Linux. And, if you think that Mac OS is simple to use, you have not tried Chrome.
I especially like the Asus Chromebit that arrived yesterday and which is now stuck on the back of a several year old Sony Bravia in the den. I plan to use it where I need a web browser to access content that is not already integrated into TiVo. Paired with a small Logitech wireless keyboard, it is all I need in the den and will free up the i5 Windows 10 machine that was previously used for web streaming.
When I installed WordPress on this site, one thing that concerned me is that login and administrative functions were not using SSL by default. OK, I didn’t have an SSL certificate installed at that point, fair enough. But once the SSL certificate from Let’s Encrypt was installed, I set about learning how to secure these functions.
It is very simple.
In the same directory where WordPress is installed you’ll find a file named “wp-config.php”. Add the following line toward the bottom, right above the “That’s all” comment:
Save the file and you’re good to go. Assuming that an SSL certificate is properly installed on your web server, login and administration will now go over SSL.
I ran it against this site and found that my user accounts could be enumerated. This is clearly information leakage that should be avoided. The solution is to enable a WordPress plugin that stops this behavior. The plugin can be found here.
Download the plugin and copy it to the plugins directory as described in the Installation section of the above page. Using the plugins menu of the WordPress administration console, activate the plugin.
Run the scan again against your WordPress site and you’ll see that this issue has been resolved.