This shows you the differences between two versions of the page.
Both sides previous revision Previous revision | Previous revision | ||
blog:index [2020/06/17 10:00] |
blog:index [2023/05/31 11:00] tomas |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | I have decided to keep this section in English as I can see overlapping of the topics over the borders. It makes the information more useful. | ||
+ | |||
+ | ====Secure workstation=== | ||
+ | ==31.05.2023== | ||
+ | There is used to be lot of sensitive data stored on the computers (laptops, desktop, servers). It may consist pictures, texts, code, data, but one very sensitive type of data is identity (access to multiple cloud services), history, filled forms, passwords, sessions. To obtain the sensitive data, it is enough to have read access over the files, so for example root/admin access to the computer. How can it happen? | ||
+ | - steal device - boot from custom boot image as superadmin and access data | ||
+ | - steal disk - put into own device with superuser and access data | ||
+ | - logging to the system as a different user - when data is not protected by user account (access rights, ownership) | ||
+ | - stealing the superuser, or target account | ||
+ | - some system vulnerability - stealing in the memory, on the way (network) etc. | ||
+ | |||
+ | For system vulnerability, | ||
+ | |||
+ | Stealing account threatens by leaking the password, session, key etc. It is ususally the human error and we must trust the persons they protect their data. | ||
+ | |||
+ | Access configuration on the server - it is partially in the scope of administrator and the user. Always think about access rights of the files and their location on the server (for example not keep it on unprotected places like temporary directories, | ||
+ | |||
+ | Steal device and steal disk - for both cases the data encryption is very important to avoid leak of sensitive data. Very important is to have encrypted user profile. In some systems it requires encrypted operating system disk. Here we need to be careful. The encrypted key can be a file on the computer and it can be stolen. Or the encryption key can be a chip on the mainboard and bios can be unprotected and allow insert another boot media or be reset to factory configuration. This is not case of manually entered key (passphrase). But it should be long and hard enough, because the compute force allows to get it bruteforce in shorten time nowadays. When the computer shared by multiple people, all need to know the passphrase and this is not comfortable. | ||
+ | |||
+ | Another alternative is to have encrypted just disk (filesystem, | ||
+ | |||
+ | Best thing is bind the account password with disk encryption password and enter is just once during login. There is quite new tool on linux - systemd-homed, | ||
+ | |||
+ | ====Huion 420 tablet=== | ||
+ | ==22.06.2020== | ||
+ | I received an idea to test a pen together with the computer. Huion 420 was looking as a great option for | ||
+ | the start. For first I wanted an ekonomic model for the play, for second I got an recomendation from a | ||
+ | person, who let an online course I had attended and for the last, I have seen a really nice video on | ||
+ | Youtube of a cartoon designer, who evaluated it as valuable stuff. I have seen that it supports Linux, | ||
+ | so the decission was done. | ||
+ | After a little struggle with installation on Ubuntu, I finally realized, that the pen requires AAA batery and | ||
+ | that is only problem blocking the usage ! OK, than, and what was the procedure to make it working? | ||
+ | Inspired by [[http:// | ||
+ | |||
+ | su - | ||
+ | mkdir ~/ | ||
+ | cd ~/ | ||
+ | git clone https:// | ||
+ | cd digimend-kernel-drivers | ||
+ | dpkg-buildpackage -b -uc ## to find the missing packages, I need to install, to succeed with make | ||
+ | make | ||
+ | make install | ||
+ | ## replug the device and ensure you have a good AAA batery in a pen | ||
+ | apt install xournal ## to have a nice note pad for drawing | ||
+ | apt install gimp ## ti have a good graphical editor | ||
+ | |||
+ | To list information about the device or configure: | ||
+ | |||
+ | lsusb | ||
+ | xsetwacom --list devices | ||
+ | xsetwacom --set "Wacom BambooFun 4x5 Pen stylus" | ||
+ | |||
+ | and enjoy! | ||
+ | |||
+ | ====Onedrive synchronization issue on Linux==== | ||
+ | ==17.06.2020== | ||
+ | Cloud drive is a good way to have backup of your files and have your files synchronized and on single place and in single state on all your devizeces. Microsoft provides the Windows and Mac synchronization tool, but for Linux, there are few projects, who tries keep the same tool working despite the updated of API and other configuration on MS side. I was so happy with the [[https:// | ||
+ | |||
+ | '' | ||
+ | OneDrive HTTP Server Response: 400 | ||
+ | * Connection #0 to host login.microsoftonline.com left intact | ||
+ | OneDrive returned a 'HTTP 400 - Bad Request' | ||
+ | onedrive.OneDriveException@src/ | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | 9002313 | ||
+ | ], | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | ---------------- | ||
+ | ??:? [0x55da54c769d9] | ||
+ | ??:? [0x55da54c75cb5] | ||
+ | ??:? [0x55da54c76b65] | ||
+ | ??:? [0x55da54c74f58] | ||
+ | ??:? [0x55da54c748c5] | ||
+ | ??:? [0x55da54c827a8] | ||
+ | ??:? void rt.dmain2._d_run_main2(char[][], | ||
+ | ??:? _d_run_main2 [0x7f269aaf47ee] | ||
+ | ??:? _d_run_main [0x7f269aaf465d] | ||
+ | ??:? __libc_start_main [0x7f269a6e00b2] | ||
+ | ??:? [0x55da54c4d5ed] | ||
+ | '' | ||
+ | |||
+ | The recipe how to overcome the error is: | ||
+ | 1) You are asked to authenticate the client in a browser, by going into the URL: | ||
+ | https:// | ||
+ | |||
+ | 2) you authenticate and autorize the client | ||
+ | |||
+ | 3) you obtain an URL | ||
+ | |||
+ | 4) you set the URL into the variable URL, for example : | ||
+ | < | ||
+ | |||
+ | 5) you run these commands: | ||
+ | < | ||
+ | curl -X POST -H " | ||
+ | |||
+ | so in other words, you obtain the refresh token manually and store it into the config file. | ||
+ | |||
+ | ====Zamyšlení nad zabezpečením domácí sítě a ochranou děti==== | ||
+ | ==04.05.2020== | ||
+ | Jak nastavit domácí prostředí elektronických zařízení tak, aby poskytovalo bezpečí a zároveň vše, co od ní očekáváme? | ||
+ | * nebezpečného obsahu (hlásání a šíření násilí, pohrdání jinými lidmi, sexuálně nevhodný obsah, vyzývání k nebezpečnému chování, nemorálních, | ||
+ | * ochrana dětí před zveřejňováním citlivých a osobních údajů o sobě či jiných osobách | ||
+ | * ochrana dětí před cílenou komunikaci vůči nim, ať již s cílem dítě zneužít (například ke svému finančnímu prospěchu), | ||
+ | * Ochrana před nezákným chováním (stahování, | ||
+ | * ochrana před závislostí a utápěním času v jednostranné aktivitě | ||
+ | Existují již produkty, které nás mají chránit a které se zaměřují na jedno či více nebezpečí. Jedním aspektem, nad kterým je dobré se zamyslet se, na která zařízení je mohu dostat, která zařízení mohu jimi zabezpečit, | ||
+ | |||
+ | **Rozdělení ochrany pro různé členy domácnosti: | ||
+ | |||
+ | **Ochrana před nebezpečným obsahem - celé weby:** Toto je jednodušší téma, celé weby. Víme, že některé weby se zaměřují na obsah, ze kterého máme obavy, které mají svým charakterem obsah nevhodný. Ochrana před takovým obsahem je jistě jednodušší a dá se zabezpečit vícero způsoby: jmenným překladem - služba převádějící jména webů na číselné adresy a blokováním přístupu (datového toku) na tyto weby. Pokud všechny zařízení používají pouze domácí síť, lze to nastavit centrálně, | ||
+ | |||
+ | **Ochrana před nebezpečným obsahem - jednotlivé stránky** - Považuji toto téma o rozšíření předchozího odstavce o větší ochranu. Předchozí ochrana je totiž na síťové vrstvě, konkrétně na principu, že nevhodné jména serverů se přeloží na IP adresu poskytovatele bezpečí a upozorní na fakt, že se jedná o nebezpečný web. Síťová vrstva nevidí totiž do obsahu aplikačního dotazu na zobrazení konkrétní stránky. Pokud chceme do ní vidět, je třeba povolit pouze proxy službu, přes kterou půjdou všechny dotazy a na ní stanovit pravidla, například blokovat vše, co má v adrese řetězec, který se považuje za nebezpečný, | ||
+ | |||
+ | To by pro dnešek mohlo stačit. | ||
+ | |||
+ | ====Code Retreat==== | ||
+ | ==09.12.2019== | ||
+ | Very interesting experience was the presence on Code retreat workshop. The objective was to have several (5) iterations over the same topic: [[https:// | ||
+ | |||
+ | |||
+ | ====Ubuntu 18.04.2==== | ||
+ | ==28.3.2019== | ||
+ | New release of Ubuntu 18.04 LTS appeared. Most important is hardware support. For instance my laptop started to face network connectivity issue and new firmware downloaded by OS update wasn't supported by kernel. This is solved by 18.04.2 because it comes with up to date kernel. | ||
+ | |||
+ | More info: [[https:// | ||
+ | |||
+ | Update procedure (18.04 to 18.04.2) :\\ | ||
+ | '' | ||
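Review bot: The Huion 420 install steps open with `su -`, so the `git clone`, `dpkg-buildpackage -b -uc` and `make` of the third-party driver source all run as root, although only `make install` and the two `apt install` lines need it; suggest cloning and building as the normal user and raising privileges only for the install commands. In the Onedrive entry, the closing sentence says the refresh token is stored "into the config file" without mentioning that file's access rights, which the new Secure workstation entry itself asks readers to think about ("Always think about access rights of the files and their location"), so a short remark on keeping that file readable only by its owner would fit there. The two new headings `====Secure workstation===` and `====Huion 420 tablet===` close with three `=` while `====Onedrive synchronization issue on Linux====` closes with four; balance them. Spelling to fix in the added text: "ususally", "ekonomic", "recomendation", "decission", "batery", "devizeces", "autorize".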