Punycode

Phishing or domain squatting is something that has been around for a while, but people never stop finding new ways to trick users into handing them confidential data.

I never really got hit by any of that except for a few fishy links that looked like steamcommunity.com but, for example, there was an extra letter in the domain name. Now this way is easy to spot and usually your browser will block them anyway since they’re reported. A new way of luring people onto fake websites is Punycode. Well, if I’m correct it’s not really new, it just got some attention recently.

Take a look at the two URLs. They are from two different websites, but they both look exactly the same; in fact, I don’t remember which one is from the actual Apple website anymore. That’s the power of Punycode. It works in both Chrome and Firefox and any other recent browser. You can try it yourself here (Test site: apple.com, Original: apple.com).

Punycode is used to allow special characters in URLs like ü, ä, ö etc., but it also allows characters from other alphabets that look exactly like the Roman alphabet. Now while this sometimes is a useful feature, it’s rarely used and it’s making it hard to tell the difference. In this case the entire domain is written in Cyrillic letters (you can only really see it on the l). This way most browsers won’t see it as a phishing domain.

Depending on your operating system, it might be that the current font will give away the fact that the URL is not actually apple.com, but on Windows you won’t be able to tell. Both sites use HTTPS and have a working certificate, making them look completely identical at first glance. Firefox also shows what certificate is used, which can tell you whether or not you’re looking at the original site since it’ll say “Apple Inc. (US)” in the URL bar. That doesn’t happen with all URLs though, so it’s not a consistent way of identifying phishing sites.

A way to dodge punycode phishing

Firefox allows you to disable Punycode, which is the easiest way, but it’ll also make normal websites look a little off. Here’s how to disable it:

  1. Type about:config into the address bar (Accept the message if it shows up)
  2. Search for “puny”
  3. Set the value “network.IDN_show_punycode” to true
  4. Done.

Now the previous website’s URL will look like this: https://www.xn--80ak6aa92e.com/ instead of apple.com.
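The same comparison can be done outside the browser. The following Python sketch is an added example, not part of the original post: it converts a hostname between its displayed and its xn-- form and reports when the displayed form imitates a protected domain. The names check_host, LOOKALIKES and protected are made up for this example, the lookalike table is a small constructed subset, and xn--bcher-kva.de is a constructed sample of a harmless umlaut domain.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; a real
# check would load the full Unicode confusables data instead.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}

def to_unicode(label):
    """Decode one DNS label; labels starting with xn-- carry Punycode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Encode one DNS label to the xn-- form that is actually looked up."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in label if c.isalpha()})

def check_host(host, protected=("apple.com",)):
    """Report both forms of a hostname and any protected domain it imitates."""
    uni = [to_unicode(l) for l in host.lower().rstrip(".").split(".")]
    asc = [to_ascii(l) for l in uni]
    ascii_host, unicode_host = ".".join(asc), ".".join(uni)
    # Map lookalike letters to Latin, then compare with the protected names.
    skeleton = "".join(LOOKALIKES.get(c, c) for c in unicode_host)

    def under(h, name):
        return h == name or h.endswith("." + name)

    imitates = None
    for name in protected:
        # Looks like the protected name on screen, but is a different host.
        if under(skeleton, name) and not under(ascii_host, name):
            imitates = name
    return {
        "ascii": ascii_host,
        "unicode": unicode_host,
        "idn_labels": [(a, scripts(u)) for a, u in zip(asc, uni) if a != u],
        "imitates": imitates,
    }

if __name__ == "__main__":
    # The test domain from the post, the original, and a constructed umlaut IDN.
    for h in ("www.xn--80ak6aa92e.com", "www.apple.com", "xn--bcher-kva.de"):
        print(check_host(h))
```

The umlaut domain is reported as an IDN label in Latin script with no imitation, while the test domain decodes to five Cyrillic letters whose Latin lookalikes spell the protected name.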

I’m not sure about Chrome, but there’s probably a way for it too; you’ll have to look for it yourself.

For the initial article and further reading (which is also linked on the testing domain) go here.


Protonmail

A lot of people use Gmail. It seems to have become a standard for email addresses just like most other Google services. My Google account to this day is linked to my old email address, not because I dislike Gmail but because my account is already linked to a Gmail address which has a completely random and weird name so I can’t use it.

Gmail is definitely a good service. The web interface and the spam detection are pretty good, but is it really necessary that Google gets another opportunity to collect data? They say that they care about privacy but I still don’t think it’s needed. Also I kinda started disliking Gmail addresses because so many people use them as their business addresses, which is really unprofessional, especially when they already own a domain and it’s only a matter of setting up an email server.

I recently was told about ProtonMail, which is a small secure email provider. It offers you security by encrypting your emails with your password (so choose a strong one), and your data is stored in a data center “underneath 1000 meters of solid rock”. The communication is obviously also end-to-end encrypted and overall it’s one of the most secure email services I’ve ever seen. The emails are accessed over the browser, which means they’re not stored locally (for mobile there’s an Android and iOS app). That’s both negative and positive. For one, your messages are safely stored on the servers and even if someone had access to your local files they’d be safe. On the other hand, you always have to log in to use your email. Currently there’s no way to save your login, which is probably intended for extra security. You can save your login information but that would be counterproductive, so I recommend using a password manager.

Currently I haven’t completely switched to ProtonMail, but if I end up using it as my main email address I’ll probably ditch my email client and just have the Proton inbox open in a tab most of the time so I don’t have to log in over and over.

To sum it up: Try protonmail out, it’s pretty nifty if you care about security and your email domain will stick out in the masses of gmail addresses. Just note that if you use the free plan your emails will have this signature:

Sent with ProtonMail Secure Email.

So if you care about your privacy and want to support the people behind proton mail you can donate to them or get protonmail plus for 48 $/€/CHF per year and get some advantages.

Overwatch

Even though they take up a considerable amount of my time, I haven’t written about games on this blog. At least not directly and as the title obviously says I’m about to change that.

I heard about Overwatch pretty early on when it was announced, through a YouTuber and livestreamer who goes by the names star_, ster or niichts. He gained most of his viewer base through his Team Fortress 2 videos. Since Overwatch has been compared to TF2 ever since the day it was announced, it was obvious that many TF2 players would be interested in Overwatch because it would give them something new. I played the open beta and like many other players I had the wrong assumption that Overwatch would be free so it could compete with TF2. I was prepared to pay for the game but sadly most big titles nowadays start at 50 bucks, which was too much for a game which I’d barely played. So I didn’t touch the game until November, at which point they reduced the price to 35 Euros. Still more than what I’d usually pay for a game, but after the first free weekend a few weeks back I finally had to get the game.

At the beginning I already noticed a few flaws which are obviously connected with the fact that I was new to the game: The game had been out for over five months so as a newbie you only get to play with people who have played the game for well over a hundred hours. The matchmaking is supposed to look for players in your skill level, but it made it look like there was not a single other person in Europe which was my skill level since I almost always matched up with people over level hundred. This kinda ruined the initial experience since I basically lost every single game and the ones I won I could’ve probably idled afk in spawn because my team was doing all the work.

Now that I’m around level 80 (which is actually pretty low considering the fact that I’ve had the game for about five months) this has more or less stopped. But there’s still a general pattern of continuous losing or winning streaks. It just seems like either you get steamrolled by the other team or you are the one steamrolling. There are very few games that I’d rate as “just right” in terms of skill distribution among the teams. My biggest complaint at this point is the queue times. Launching the game on a Friday evening you still have to queue around two minutes and up.

This certainly isn’t always the case but it happens more often than I’d like to admit. It just seems like the player base of the game isn’t that big when looking at something like CounterStrike where the competitive queue times are usually around 15 seconds.

Summing it up, the game is certainly a lot of fun but there’s still room for improvement in some cases, like the fact that they just *NEED* to use their own distribution software called Blizzard App (formerly battle.net). I just hate that I have to start up a second program just to play this game. I never played any other Blizzard titles and I don’t plan on doing so in the future. Why can’t we just all agree on one service, which in this case would be Steam? It has all needed features in one place and even offers a better overlay in my opinion. But Blizzard is not the only one desperately trying to force their own launcher on the user (e.g. EA and Ubisoft).

Would I recommend Overwatch? If you liked Team Fortress chances are you’d enjoy it, but you should probably try it on a free weekend or watch a few videos to see if you like it. Also the price is still pretty high.

Enpass

Small edit: I’m currently trying out KeePass, which is an open-source password manager that has been around for over 10 years. It seems pretty good as well, but the user experience isn’t quite the same since it’s harder to set up and it doesn’t have any cloud syncing for Linux. So if you don’t trust a newly established password manager that is closed source, KeePass is probably the way to go. It allows you to migrate from multiple other password managers including Enpass.

For the longest time I didn’t really follow the idea of “use strong unique passwords for every service”. On the one side I don’t really have any super important accounts (at least not that many) and all the ones that are important have two-factor authentication. So I usually used pretty weak passwords and just relied on the two-factor authentication. I never had any issues with it (maybe I’m jinxing it here. EDIT: I did 😛, but once again nothing happened) but a while ago I decided I shouldn’t wait until something bad happens to start using better passwords. In fact, I already got a number of emails from one service which told me that someone was trying to log into my account from somewhere in India, but they couldn’t since they also needed my email (which obviously didn’t use the same password).

So I went ahead and looked for a good password manager and after a short search I found Enpass. Keeping all passwords in one place is both good and really bad. For one, they’re secured and you don’t have to memorize them. On the other hand, if someone were to get access they’d have it really easy to compromise all of your accounts.

Enpass advertises itself as the “best password manager”. I haven’t used any others but for now I’m happy with it. It’s cross-platform and runs on Linux, Windows and my Android phone. It encrypts the entire password database with your master password and can sync across various cloud services like Google Drive.

The best thing about it is the browser addon, which allows you to directly interact with Enpass and transfer login information to the browser. Also it can generate passwords on the fly while creating a new account, with settings like length, use of special characters or only using pronounceable words. When creating a new account it can also automatically add the login information to the database. Obviously all that can only be done when logged in with the master password. You’ll be automatically logged out after 1 minute of inactivity within Enpass (which can be changed). Passwords that have been copied to the clipboard will also be cleared after a given timeout.

Something that you should note is that passwords you have generated can be looked up in the password history of Enpass. I didn’t know that in the beginning and thought that the passwords were lost, since the clipboard was cleared.

To sum it up Enpass is a pretty useful tool which is free for Windows, Linux and Mac. The mobile version is limited to 30 database entries though. The only thing that can be concerning is the fact that one company could compromise thousands of accounts if they wanted to, let’s hope they don’t.

fping on windows

I started working on a ping plotter a while ago, and back then I was still on Linux and was getting into C. Now that I’m not on Linux anymore I kinda dropped the project for a while. After that pause I’ve finally gone back and decided to ditch C and write it in Python, since I’m developing it on Windows but want it to work on Linux as well. The ping plotter is supposed to ping an IP over a timespan and then make a graph out of the latency values. For that I’ll use the ping command since that’s the easiest way to get latency values without administrative rights. The issue is that the Windows ping.exe and the Linux ping command return different outputs, so formatting them means I have to differentiate between Windows and Linux.

After some searching I came across fping, which is a custom ping program for Linux. It’s designed to be used in scripts which digest its output. So now the only issue is to compile that for Windows. I used Cygwin for it since nobody seems to have done it before me. Sadly the build script returns errors when compiling. So here’s how I fixed that:

First get the source code from the releases. Now we’ll need to convince Cygwin that we have the right headers. Download this header file (made by John Paul Morrison) as icmp.h. Copy it into these folders, replacing the icmp.h that is already in those folders (that one is empty, you can open it if you want):

\usr\include\icmp.h
\usr\include\cygwin\icmp.h

The path to cygwin will usually be C:\cygwin64\ or C:\cygwin\. Now you can run

$ ./configure
$ make

Now you’ll have a fping.exe in the ./src/ folder. Run a command prompt as admin and then run something like

C:\fping\src>fping.exe -s google.com

That should give something like this

google.com is alive

       1 targets
       1 alive
       0 unreachable
       0 unknown addresses

       0 timeouts (waiting for response)
       1 ICMP Echos sent
       1 ICMP Echo Replies received
       0 other ICMP received

 36.6 ms (min round trip time)
 36.6 ms (avg round trip time)
 36.6 ms (max round trip time)
        0.038 sec (elapsed real time)

Pretty cool, huh? But if you read carefully, it needs administrative rights on Windows and root rights on Linux, so all of that was kinda wasted… I’ll just use the output of the native ping commands instead, but if anyone needs fping on Windows here you go. For those who are too lazy to compile it themselves, you can download my compiled binary for Windows here (by the way, there seems to be an infected version of fping on the web, so if you need some confidence that this one isn’t a virus, here’s a VirusTotal scan, or scan it yourself). It’s completely unmodified and all credits go to the original authors.

I’ll now go back to getting back into python and formatting ping command outputs. Wohoo.

Clearscreen

I mentioned a while ago that I got a second monitor, which was a long-needed upgrade for me. I’ve been using only one screen for quite a while and for a lot of things it can get very frustrating to only have one screen. For example when playing a game in fullscreen your entire screen space is used up by one program, or when I needed to run two instances of a program for debugging, or when working on any project which requires switching between programs like the web browser and something like PowerPoint.

Now that I have that second screen it’s obviously a lot more comfortable doing these things, but from time to time I still turn the other screen off because I notice that I don’t need it. The problem that comes up with that is that Windows remembers where you closed a program, so when opening for example the taskmanager and the last time I used it it was on the second monitor, I won’t see it since it’s turned off. So for now I’ve always either turned it back on again or just blindly guessed where the program is and dragged my mouse around in the dark.

Since that’s not an efficient solution I put together a small program that’ll move all windows (Almost all windows) that are open on one screen to another.

The program gets all its settings over arguments and is generally really small and probably unfinished, but it does the trick for me. You pass it the dimensions of your main screen (Left, Right, Top, Bottom coordinates), which you can find out by running the program with the –setup flag, and finally pass it the coordinates of a point to which it should move all programs on the main screen.

It works pretty OK, it just doesn’t seem to want to move the file explorer since it’s probably the same process as the taskbar. At some point it also moved my taskbar, which made for some interesting results like two taskbars stacked onto each other. So I ended up blacklisting the explorer process.

And as always here‘s the sourcecode and the binary. I suggest launching the program from a shortcut with arguments.

Wifi issues

This is something that I already dealt with about a year back, but it has come again to haunt me. A year back I tried to make use of an old laptop (an IBM T23 to be exact) and install Linux on it. The laptop doesn’t have any internal wifi card so I went with an old wifi USB drive. But that thing was already hard to use on Windows, so getting it to work on Linux was a whole different story. First I needed ndiswrapper to get the Windows driver to work. But that didn’t do the trick, so I went ahead and asked on the Arch Linux forums. In the end I dug up a solution which worked for me back then.

A year later I dug up another laptop (an IBM T41 this time) and tried the same procedure. Sadly the thing that did the trick last time wasn’t the whole solution. After some more careful reading of my old thread I put together what is needed to get a wifi PCI card or a wifi USB drive to work on an old IBM with Linux:

First you need ndiswrapper. For Arch it’ll look like this:

$ sudo pacman -S ndiswrapper

If you have issues running ndiswrapper later you might need the linux headers:

$ sudo pacman -S linux-headers

Next up we need to install the driver:

$ sudo ndiswrapper -i <driver>.inf

The *.inf file is usually distributed with the driver, sometimes it’s inside the *.exe which means you’ll need to extract it using cabextract.

Now you want to plug in the device of which you just installed the driver and run

$ ndiswrapper -l 

This will list all installed drivers and whether or not the device is present. If it says so, the driver is correct and the device is recognized. Now with most devices the last thing you want to do is load ndiswrapper on startup using

$ sudo ndiswrapper -ma

And since this is your first time using it you’ll have to load it manually once:

$ sudo modprobe ndiswrapper

Now the device should be ready to use and you can connect to your network using a network manager or wpa_supplicant. But for me this wasn’t all that was needed. What I needed to do was disable IPv6 by editing /etc/sysctl.d/40-ipv6.conf

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.<wifi device>.disable_ipv6=1

You can find the device name by typing ip link and for me it was the last listed device. The next thing to do is add these two lines to /etc/dhcpcd.conf

noipv6rs
noipv6
# Also comment out the line that says something like 'ipv4all'

Now this command has to be executed on every startup:

$ sudo dhcpcd <wifi device> --nohook mtu
# Once again get the wifi device with ip link

Now finally we’ll generate a wpa_supplicant config using

# wpa_passphrase <Networkname> <network password> > /home/<username>/wifi.conf

You can get your exact Network name by scanning for networks over:

$ sudo pacman -S wifi-menu
$ sudo wifi-menu

Don’t use wifi-menu to connect (It’ll probably not work, but you can try).

Finally we can use the config to connect via wpa_supplicant:

$ sudo wpa_supplicant -D wext -B -i <wifi device> -c /home/<username>/wifi.conf

To automate the connection you can follow the Arch wiki or create a service.

And that’s it, wasn’t all that hard, right? 😛