Punycode

Phishing or domain squatting is something that has been around for a while but people never stop to find new ways to trick users into handing them confidential data.

I never really got hit by any of that except for a few fishy links that looked like steamcommunity.com but for example there was an extra letter in the domain name. Now this way is easy to spot and usually your browser will block them anyways since their reported. A new way of luring people onto fake websites is Punycode. Well if I’m correct it’s not really new it just got some attention recently.

Take a look at the two urls. They are from two different websites, but they both look exactly the same, in fact I don’t remember which one is from the actual apple website anymore. That’s the power of punycode. It works in both Chrome and Firefox and any recent other browser. You can try it you yourself here (Test site: apple.com, Original: apple.com).

Punycode is used to allow special characters in urls like ü,ä,ö etc. but it also allows other characters from other alphabets that look exactly like the roman alphabet. Now while this sometimes is a useful feature it’s rarely used and it’s making it hard to tell the difference. In this case the entire domain is written in cyrillic letters (You can only really see it on the l). This way most browsers won’t see it as a phishing domain.

Depending on your operating system it might be that the current font will give away the fact that the url is not actually apple.com but on windows you won’t be able to tell. Both sites use https and have a working certificate making them look completely identical at first glance. Firefox also shows what certificate is used which can tell you whether or not you’re looking at the original site since it’ll say “Apple Inc. (US)” in the URL bar. That doesn’t happend with all URLs though so it’s not a consistent way of identifying phishing sites.

A way to dodge punycode phishing

Firefox allows you to disable punycode which is the easiest way, but it’ll also make normal website look a little off. Here’s how to disable it:

  1. Type about:config into the address bar (Accept the message if it shows up)
  2. Search for “puny”
  3. Set the value “network.IDN_show_punycode” to true
  4. Done.

Now the previous website’s URL will look like this: https://www.xn--80ak6aa92e.com/ instead of apple.com.

I’m not sure about chrome but there’s probably a way for it too but you’ll have to look for it yourself.

For the initial article and further reading (which is also linked on the testing domain) go here.

Protonmail

A lot of people use Gmail. It seems to have become a standart for email adresses just like most other google services. My google account to this day is linked to my old email address not because I dislike Gmail but because my account is already linked to a gmail which has a completely random and weird name so I can’t use it.

Gmail is definetely a good service. The web interface and the spam detection is pretty good, but is it really necessary that google gets another oppertunity to collect data? They say that they care about privacy but I still don’t think it’s needed. Also I kinda started disliking gmail addresses because so many people use them as their business addresses which is really unprofessional especially when they already own a domain and it’s only a matter of setting up an email server.

I recently was told about protonmail, which is a small secure email provider. It offers you the security by encrypting your emails with your password (So choose a strong one) and also your data is stored in a data center “underneath 1000 meters of solid rock”. The communication is oviously also end-to-end encrypted and overall it’s one of the most secure email services I’ve ever seen. The emails are accessed over the browser which means their not stored locally (For mobile there’s an android and iOS app). That’s both negative and positive. For one your messages are savely stored on the servers and even if someone had access to your local files they’d be safe. On the other hand you always have to login to use your email. Currently there’s no way to safe your login, which is probably intended for extra security. You can safe your login information but that would be counterproductive so I recommend to use a password manager.

Currently I haven’t completely switched to protonmail but if I’ll end up using it as my main email address I’ll probably ditch my email client and just have the proton inbox open in a tab for the most time so I don’t have to login over and over.

To sum it up: Try protonmail out, it’s pretty nifty if you care about security and your email domain will stick out in the masses of gmail addresses. Just note that if you use the free plan your emails will have this signature:

Sent with ProtonMail Secure Email.

So if you care about your privacy and want to support the people behind proton mail you can donate to them or get protonmail plus for 48 $/€/CHF per year and get some advantages.

Enpass

Small edit: I’m currently trying out Keepass, which an opensource password manager that has been around for over 10 years. It seems pretty good aswell but the user experience isn’t quite the same since it’s harder to setup and it doesn’t have any cloud syncing for linux. So if you don’ trust a newly established password manager that is closed source keepass is probably the way to go. It allows you to migrate from multiple other password managers including Enpass.

For the longest time I didn’t really follow the idea of “use strong unique passwords for every service”. One the one side I don’t really have any super important accounts (at least not that many) and all the ones that are important have two factor authentification. So I usually used pretty weak passwords and just relied on the two factore authentification. I never had any issues with it (maybe I’m jinxing it here. EDIT: I did 😛, but once again nothing happened) but a while ago I decided I shouldn’t wait until something bad happens to start using better passwords, infact I already got a number of emails from one service which told me that someone was trying to log into my account from somewhere in India, but they couldn’t since they also needed my email (Which obviously didn’t use the same password).

So I went ahead and looked for a good password manager and after a short search I found Enpahttp://keepass.info/ss. Keeping all passwords in one place is both good and really bad. For one their secured and you don’t have to memorize them. On the other hand if someone were to get access they’d have it really easy to compromise all of your accounts.

Enpass advertises itself as the “best password manager”. I haven’t used any others but for now I’m happy with it. It’s cross-platform runs on Linux, Windows and my android phone. It encrypts the entire password database with your master password and can sync across various cloud services like Google Drive.

The best thing about it is the browser addon which allows you to directly interact with enpass and transfer login information to the browser. Also it can generate passwords on the fly while creating a new account with settings like lenght, use special characters or only use pronouncable words. When creating a new account it can also automatically add the login information to the database. Obviously all that can only be done when logged in with the master password. You’ll be automatically logged out after 1 minute of inactivity within Enpass (Which can be changed). Passwords that have been copied to the clipboard will also be cleared after a give timeout.

Something that you should note is that passwords you have generated can be looked up in the password history of Enpass. I didn’t know that in the beginning an thought that the passwords were lost, since the clipboard was cleared.

To sum it up Enpass is a pretty useful tool which is free for Windows, Linux and Mac. The mobile version is limited to 30 database entries though. The only thing that can be concerning is the fact that one company could compromise thousands of accounts if they wanted to, let’s hope they don’t.

fping on windows

I started working on a ping plotter a while ago and back then I still was on linux and was currently getting into C. Now that I’m not on linux anymore I kinda dropped the project for a while. After that pause I’ve finally gone back I decided to ditch C and write it in Python since I’m developing it on windows but want it to work on linux aswell. The ping plotter is supposed to ping an ip over a timespan and then make a graph out of the latency values. For that I’ll use the ping command since that’s the easiest way to get latency values without adiministrative rights. The issue is that the windows ping.exe and the linux ping command return different outputs so formatting them means I have to differenciate between windows and linux.

After some searching I came across fping which is a custom ping program for linux. It’s designed to be used in scripts which digest it’s output. So now the only issue is to compile that for windows. I used cygwin for it since nobody seems to have done it before me. Sadly the build script returns errors when compiling. So here’s how I fixed that:

First get the sourcode from the releases. Now we’ll need to convince cygwin that we have the right headers. Download this header file (made by John Paul Morrison) as icmp.h. Copy it into these folders and replace it with the icmp.h that is in those folders (That one is empty, you can open it if you want):

\usr\include\icmp.h
\usr\include\cygwin\icmp.h

The path to cygwin will usually be C:\cygwin64\ or C:\cygwin\. Now you can run

$ ./configure
$ make

Now you’ll have a fping.exe in the ./src/ folder. Run a command prompt as admin and then run something like

C:\fping\src>fping.exe -s google.com

That should give someting like this

google.com is alive

       1 targets
       1 alive
       0 unreachable
       0 unknown addresses

       0 timeouts (waiting for response)
       1 ICMP Echos sent
       1 ICMP Echo Replies received
       0 other ICMP received

 36.6 ms (min round trip time)
 36.6 ms (avg round trip time)
 36.6 ms (max round trip time)
        0.038 sec (elapsed real time)

Pretty cool, huh? But if you read carefully it needs adminstrative rights on windows and root rights on linux so all of that was kinda wasted… I’ll just use the output of the native ping commands instead but if anyone needs fping on windows here you go. For those whore are to lazy to compile it themselves you can download my compiled binary for windows here (By the way there seems to be an infected version of fping on the web so if you need some confidence, that this one isn’t a virus heres a virustotal scan or scan it yourself). It’s completely unmodified and all credits go to the original authors.

I’ll now go back to getting back into python and formatting ping command outputs. Wohoo.

Windows 10

So I have avoided windows 10 ever since the tray icon showed up for everyone for the free upgrade. The furthest I’ve gone away from windows 7 was 8.1. Since my windows 7 installation was getting kinda slow I decided to make a clean installation, and while I’m at it I thought I’ll go ahead and, for the first time, install windows 10 outside of a virtual machine.

The installation went smooth and I only had to untick about 300 settings about “collecting data to improve my experience”. After the main installation I went ahead and ran a few scripts to disable the rest of the services and I think I now a have a relatively useable installation of windows 10. So after I installed the basic software I need (which I heard can be automated using ninite or allmyapps, but I haven’t tried them) I went ahead and looked at some customisation with designs. There were some pretty cool looking ones but sadly one of them ended up toasting windows and trying to fix it only made it worse. Luckily I made a backup so that helped out a lot.

So after almost loosing my first installation of windows 10 about 2 hours in I stopped with the designs and installed something I knew from windows 8.1: Classic Shell, the free StartIsBack. It gives you a way to customize (or for windows 8 bring it back) your startmenu. The windows 10 start menu is way to big and full of useless stuff in my opinion so with classic shell you’ll get back the windows 7 styled start menu with a skin to fit the flat design of windows 10. It’ll also give you the search bar back and it’ll adjust to the accent color.

Due to the roll back to the backup I lost some software I had already installed, including winamp which was my goto music player for a while now. So I thought I’d use ths opportunity to give foobar a try but quickly dropped it since I didn’t like the interface and installing skins didn’t really work for me. But while looking for skins I found out about AIMP. I’ve never heard of it but I found a cool skin for it and it offers a lot of customization while staying very light weight (at least in terms of RAM usage).

So this is what my current installation looks like:

Classic shell and AIMP with the ncmpcpp skin

That’s basically it. We’ll see how long I can stick with it until I get annoyed or maybe to my surprise I’ll actually stay who knows.

Styling Firefox

A while ago I found out about the firefox addon stylish. It’s an addon that allows you to change the look of your browser and specific websites. Unlike themes it can completely redecorate almost all elements like the url bar, bookmark bar etc.

A small side note: The addon has sadly been bought by a big company. This is not the first time this has happened to an addon, but sadly this means using the addon will send information to that company, since that’s pretty much the only reason they bought it. Currently this is only enabled in chrome and can be disabled under the settings. An update for firefox will probably follow at some point, but I doubt that the option to disable the information collection is here to stay. So use this addon only if you’re okay with sharing some of your data (which I am not). There’s an alternative for chrome called StyleRRR (Chrome/Firefox).

On userstyles.org you can browse website and browser styles. I for one installed DarkTube so the YouTube design is easier on the eyes. So yeah with stylish you can have dark themes for most popular websites which don’t natively support it.

YouTube with the DarkTube theme

So since only making YouTube darker is kinda lame i also wanted firefox to be more darkish and more flat. So after some searching I came across powerline. Which is pretty cool, but the theme doesn’t include the bookmark bar nor the addon icons. But with my amazing css skills and some googling I modified powerline to fit my needs.

Firefox with my modified version of powerline

So as you can see Firefox is now entirely dark themed. The tabs look a little bit like those from chrome and they take up 100% of the window width, devided evenly to all open tabs. The url is centered at the top and on right are the icons from my addons. It’s not perfect but it does the trick.

So if you want to try my version you can get it here. Just copy the css text, make a new style under about:addons and paste in the text.

MPD Query

So I mentioned in another post that I use mpd and ncmpcpp to listen to music. The positive thing about this is that I can just close ncmpcpp when I don’t need it anymore and the music will continue playing, since mpd is responsible for the sound which is running completely in the background. Now sadly I have no indicator about what song is playing right now.

So I looked if anybody made a patch for dwm to display the current song, but everything I found didn’t really work for me. And I didn’t want a bash script to be running in the background. So I found a few people suggesting to make a simple C program to query the current song.

Now this is easier said than done, since I have no idea how to use mpd and C. The first thing I did was download the source code of mpd and copied the include directory into my project folder. So now I can write a program utilizing code from mpd. Now for the tricky part: Getting my program to connect to mpd and get the song name and some other information. I had some example code which showed how to connect and get the play time of the current song, so that helped a little bit, but getting the song name doesn’t work the same way.

For experienced people this task probably would be a thing of ten minutes but I not only had to deal with how mpd worked I also had to figure out how C works. And most time that was me writing like three lines of code, compiling it and finding out it compiled fine but crashed when running. So here’s what I have done so far:

Created a Makefile where the include directory (which containes the headers of mpd) is:

Makefile

VERSION = 3.02
CC      = /usr/bin/gcc

mpdq: mpdq.c
    $(CC) -o mpdq -lmpdclient mpdq.c

So this way compiling is just the command ‘make’. Next up is writing the actual code which started by me finding out how the main method looks in C and then moving onto actually fiddling with mpd. To work with mpd I needed these two headers:

#include <mpd/client.h>
#include <mpd/stats.h>

When those are included and the compiler doesn’t complain about not finding them you should be able to access the necessary methods to connect and query information from mpd:

struct mpd_connection  *connection = mpd_connection_new(NULL, 0, 0);

This will open a connection to the local mpd and return the pointer to the connection if it succeeded. The three arguments are only needed if the connection is to another computer. After that we want to get the current song and from that we can read most Song tags:

// Get current song as a struct
struct song = mpd_run_current_song(connection);
// Read name and artist
char *song_name   = (char *) mpd_song_get_tag(song, MPD_TAG_TITLE, 0);
char *artist_name = (char *) mpd_song_get_tag(song, MPD_TAG_ARTIST, 0);

And that is technically everything important to read information from mpd. The only other things I did were putting this in a loop, adding a command to make it appear in the dwm bar, differentiating between paused/playing and  cleaning up when closing. That’s all I have done up until now. I’ll see if I can get some controls like pause/play into the dwm bar but for now this’ll suffice.

DMEDYKJ

Here‘s the source code and here‘s a binary build. Just give it the run flag with chmod a+x and when running it should display the current song in the top left corner (Provided you use dwm and a song is playing in mpd :P).