Merge pull request #188 from redeltaglio/master

sdf
This commit is contained in:
Riccardo Giuntoli 2020-06-03 06:48:41 +02:00 committed by GitHub
commit 52ee88b945
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 3137 additions and 51 deletions

View File

@ -1,17 +0,0 @@
For our freedom, for the democracy. For Europe. For all of you that have suffered the Illuminati pseudo dictatorship.
For them that have commited suicide.
For you my sun flower. For you Saray. For you my love. To revenge what they have done with your mind.
For you Lucia. For your future.
For all the womans that have been digitally violated in the "Illuminati" network by the digital mafia.
For all the Catalans womans that have been physically violated by the remote parimutuel betting system.
We are not dogs. My two little puppies were killed.
Ricky.
All material publicated in this git repository is strictly protected by the "Creative Commons Attribution-NonCommercial 4.0 International" license.

File diff suppressed because it is too large Load Diff

View File

@ -1,17 +0,0 @@
For our freedom, for the democracy. For Europe. For all of you that have suffered the Illuminati pseudo dictatorship.
For them that have commited suicide.
For you my sun flower. For you Saray. For you my love. To revenge what they have done with your mind.
For you Lucia. For your future.
For all the womans that have been digitally violated in the "Illuminati" network by the digital mafia.
For all the Catalans womans that have been physically violated by the remote parimutuel betting system.
We are not dogs. My two little puppies were killed.
Ricky.
All material publicated in this git repository is strictly protected by the "Creative Commons Attribution-NonCommercial 4.0 International" license.

View File

@ -0,0 +1,778 @@
# OpenBSD is back! Now with GnuPG
## Another friend, another animal, a gnu.
------
![music gnu](https://steemitimages.com/640x0/https://www.gnu.org/graphics/listen-eighth.jpg)
And yes, this gnu is *special*. First of all is a capital letters **GNU**, he likes [free software](https://www.gnu.org/), and our special one also like **electronic music**. But not only *free software*, he is specialized also in privacy, he can be the **guardian** of our privacy! Because one of the hottest applications in this wonderful *GNU world* is [**GnuPG**](https://www.gnupg.org/) a mature piece of *open source* software:
> GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).
> Since its introduction in 1997, GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License .
## OpenBSD want your pretty good privacy
------
![privacy is like a pretty woman](https://steemitimages.com/640x0/https://media.vanityfair.com/photos/59c9789f4f79bc3b7908b511/master/w_960,c_limit/pretty-woman-musical%25202.jpg)
Speaking about *pretty* obviously my first tough is a *wonderful woman*. And doing a simple association my *connected* brain has elaborated this image, a wonderful Julia Roberts singing a song in the set's bathroom of [*pretty woman*](http://www.imdb.com/title/tt0100405/), do you remember it?
But you have to understand that *pretty* have to be also our **privacy** in a **interconnected world**, *the Internet*. Every single man and woman (child i don't think that have to use it) in the world have access to the Internet, but only a little part know how to protect him/her **privacy** from what we've previously named *the privacy cannibals*.
Today we add another friend to our great guarantees of privacy, a cool dude that follow the **OpenPGP** standard that you can freely study reading the [**RFC 4880**](https://tools.ietf.org/html/rfc4880).
## Create the perfect pgp keypair with OpenBSD
![perfect pgp keypair](https://steemitimages.com/640x0/https://static.fsf.org/nosvn/enc-dev0/img/en/screenshots/step2a-01-make-keypair.png)
Ok let's go deep and start the configuration of our *GNU PGP*.
Install the software from ports repository:
```
$ rm -rf .gnupg
$ mkdir .gnupg
$ chmod -R go-rwx .gnupg
$ doas pkg_add -U gnupg-2.1.23
```
We've deleted possible previous `gnupg` configuration, recreate the user directory of the program, assign to it the correct permissions and install the version 2 of the `gnupg` collection.
```
$ cat << EOF > ~/.gnupg/gpg.conf
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
EOF
```
Create the *bootstrap* `gpg` configuration file in our previously created directory.
```
$ gpg2 --full-generate-key
gpg (GnuPG) 2.1.23; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: No Place No Address
Email address: npna@protonmail.ch
Comment: No Place No Address
You selected this USER-ID:
"No Place No Address (No Place No Address) <npna@protonmail.ch>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/taglio/.gnupg/trustdb.gpg: trustdb created
gpg: key 0xAD8E487FF2F05FDE marked as ultimately trusted
gpg: directory '/home/taglio/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/taglio/.gnupg/openpgp-revocs.d/6ACFBE8E6C24EA903F5B9F49AD8E487FF2F05FDE.rev'
public and secret key created and signed.
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub rsa4096/0xAD8E487FF2F05FDE 2018-02-23 [SC]
Key fingerprint = 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
uid No Place No Address (No Place No Address) <npna@protonmail.ch>
```
We're creating a **no expiring** master key in our home directory, using `RSA` sign only option with the maximum key size that is `4096 bits` . In `gpg` every key is associated with a user ID, in our case is `npna@protonmail.ch`. Remember to use a strong unpredictable password and to anote and store it in a secure place (*¿do you remember what is a pen and what is a paper?*). It's important for the rest of the configuration know the result `keyid`, for our case is `0xAD8E487FF2F05FDE`. Go ahead with the deep configuration:
```
$ gpg2 --expert --edit-key 0xAD8E487FF2F05FDE
gpg (GnuPG) 2.1.23; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
sec rsa4096/0xAD8E487FF2F05FDE
created: 2018-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). No Place No Address (No Place No Address) <npna@protonmail.ch>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/0xAD8E487FF2F05FDE
created: 2018-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0x3C423C42DE438790
created: 2018-02-23 expires: never usage: E
[ultimate] (1). No Place No Address (No Place No Address) <npna@protonmail.ch>
```
Now we've entered in the `gpg` shell! Look at the new prompt `gpg>`. From there we can access to all the possible commands of our **GNU** privacy suite.
```
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/0x17B9BD907F897DD1
created: 2018-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0xEF0998EA8BB3F32B
created: 2018-02-23 expires: never usage: E
[ultimate] (1). No Place No Address (No Place No Address) <npna@protonmail.ch>
```
We've created a key that depend from our master key, selecting `RSA` for encrypt only. This is our encryption key.
```
gpg>addkey
addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/0xAD8E487FF2F05FDE
created: 2018-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0x3C423C42DE438790
created: 2018-02-23 expires: never usage: E
ssb rsa4096/0x5DC3DAEF3359F361
created: 2018-02-23 expires: never usage: S
[ultimate] (1). No Place No Address (No Place No Address) <npna@protonmail.ch>
```
Now we've created another sub key. This time to sign only, always with the `RSA` protocol. His size is as usual `4096 bits`.
```
addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? A
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/0xAD8E487FF2F05FDE
created: 2018-02-23 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0x3C423C42DE438790
created: 2018-02-23 expires: never usage: E
ssb rsa4096/0x5DC3DAEF3359F361
created: 2018-02-23 expires: never usage: S
ssb rsa4096/0x52E923E51A16A5E9
created: 2018-02-23 expires: never usage: A
[ultimate] (1). No Place No Address (No Place No Address) <npna@protonmail.ch>
gpg> save
```
At last we've created a sub key for authentication purpose. Thanks to the `--expert` option that we've used we can edit **like a pro** our last `RSA` key using the `(8)` option in our `gpg` shell. Follow the commands and we've finished! Don't leave the last `save` if you don't launch it you will loose all! Review the created keys with:
```
$ gpg2 --list-secret-keys
/home/taglio/.gnupg/pubring.kbx
-------------------------------
sec rsa4096/0xAD8E487FF2F05FDE 2018-02-23 [SC]
Key fingerprint = 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
uid [ultimate] No Place No Address (No Place No Address) <npna@protonmail.ch>
ssb rsa4096/0x3C423C42DE438790 2018-02-23 [E]
ssb rsa4096/0x5DC3DAEF3359F361 2018-02-23 [S]
ssb rsa4096/0x52E923E51A16A5E9 2018-02-23 [A]
```
## Export to an encrypted USB stick
------
Ok, we've have created our **4** `gpg2` keys, one master with 3 slaves, *encryption, sign and authentication* .
Let's prepare an encrypted fresh USB stick to backup them!
```
$ doas su
#fdisk -yig sd2
Writing MBR at offset 0.
Writing GPT.
# disklabel -E sd2
Label editor (enter '?' for help at any prompt)
> ?
Available commands:
? | h - show help n [part] - set mount point
A - auto partition all space p [unit] - print partitions
a [part] - add partition q - quit & save changes
b - set OpenBSD boundaries R [part] - resize auto allocated partition
c [part] - change partition size r - display free space
D - reset label to default s [path] - save label to file
d [part] - delete partition U - undo all changes
e - edit drive parameters u - undo last change
g [d|u] - [d]isk or [u]ser geometry w - write label to disk
i - modify disklabel UID X - toggle expert mode
l [unit] - print disk label header x - exit & lose changes
M - disklabel(8) man page z - delete all partitions
m [part] - modify partition
Suffixes can be used to indicate units other than sectors:
'b' (bytes), 'k' (kilobytes), 'm' (megabytes), 'g' (gigabytes) 't' (terabytes)
'c' (cylinders), '%' (% of total disk), '&' (% of free space).
Values in non-sector units are truncated to the nearest cylinder boundary.
> l
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: Flash Disk
duid: 0000000000000000
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 16
total sectors: 257536
boundstart: 64
boundend: 257473
drivedata: 0
> > a a
offset: [64]
size: [257409]
FS type: [4.2BSD] RAID
> w
> q
No label changes.
#
```
We've initialized the USB stick with the **OpenBSD** `fdisk` with a `GPT` partition table and the we add a single `RAID` partition to it with `disklabel`. We use `RAID` because this is the manner that use **OpenBSD** to do it.
```
# bioctl -c C -l /dev/sd2a softraid0
New passphrase:
Re-type passphrase:
softraid0: CRYPTO volume attached as sd3
#
```
We've encrypted the first partition label of our USB stick with the command `bioctl` that result in the creation of the pseudo device `sd3`.
```
# newfs sd3c
newfs: reduced number of fragments per cylinder group from 16048 to 15984 to enlarge last cylinder group
/dev/rsd3c: 125.4MB in 256880 sectors of 512 bytes
5 cylinder groups of 31.22MB, 1998 blocks, 4096 inodes each
super-block backups (for fsck -b #) at:
32, 63968, 127904, 191840, 255776,
# mkdir /mnt/encrypted_usb && mount dev/sd3c /mnt/encrypted_usb
```
Create an `ufs2` filesystem in the pseudo device disk label `c`, that is the one that indicate all the disk. Create a partition where to mount it and mount it!
```
# gpg2 --homedir /home/taglio/.gnupg --armor --export-secret-keys 0xAD8E487FF2F05FDE > /mnt/encrypted_usb/mastersub.key
# gpg2 --homedir /home/taglio/.gnupg --armor --export-secret-subkeys 0xAD8E487FF2F05FDE > /mnt/encrypted_usb/sub.key
# umount /mnt/encrypted_usb
#
```
# OpenBSD, OpenPGP, Bob and Alice but also a little bit of magic.
<iframe frameborder="0" allowfullscreen="allowfullscreen" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/Zf1VTOUIuP8" width="640" height="360" style="box-sizing: inherit; max-width: 100%; max-height: 75vw; position: absolute; width: 640px; height: 359.672px; left: 0px; top: 0px;"></iframe>
In this catch from [*viaggi di nozze*](https://it.wikipedia.org/wiki/Viaggi_di_nozze) the Italian iconic actors [*Carlo Verdone*](https://it.wikipedia.org/wiki/Carlo_Verdone) and [*Claudia Gerini*](https://it.wikipedia.org/wiki/Claudia_Gerini) listening to some good *heavy metal* remember the most special situation where they have some good sex.
Like them, or better *i wish it'll be*, our two friends **OpenBSD** and **GnuPG** continue them relation. [*Last time*](https://steemit.com/openbsd/@npna/openbsd-is-back-now-with-gnupg) we've seen how to install, generate master key and subkeys (*sign, encryption and authentication*) and backup all of them in an encrypted usb stick under **OpenBSD**. The result of those operation can be resumed and visualized with this command:
```
$ gpg2 --list-keys
/home/taglio/.gnupg/pubring.kbx
-------------------------------
pub rsa4096/0xAD8E487FF2F05FDE 2018-02-23 [SC]
Key fingerprint = 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
uid [ultimate] No Place No Address (No Place No Address) <npna@protonmail.ch>
sub rsa4096/0x3C423C42DE438790 2018-02-23 [E]
sub rsa4096/0x5DC3DAEF3359F361 2018-02-23 [S]
sub rsa4096/0x52E923E51A16A5E9 2018-02-23 [A]
$
```
## Export the public key to the Internet
------
![_Hierarchical trust](https://steemitimages.com/0x0/http://users.ece.cmu.edu/~adrian/630-f04/PGP-intro_files/fig1-12.gif)
To publish our public key to the Internet allowing others **OpenPGP** users establish a secure channel of communication with us (*i know it's not perfect but combined with other technologies it's the state of the art*) we've to export our **public key** 0xAD8E487FF2F05FDE to one the keyserver of the *pgp network* . Let's start with our *shell sex*:
```
$ wget -P ~/.gnupg https://sks-keyservers.net/sks-keyservers.netCA.pem{,.asc}
$ chmod -R 700 .gnupg
$ openssl verify -trusted sks-keyservers.netCA.pem -check_ss_sig sks-keyservers.netCA.pem
sks-keyservers.netCA.pem: OK
$ openssl x509 -in sks-keyservers.netCA.pem -noout -text | grep "X509v3 Subject Key Identifier" -A1 | tail -n1 E4:C3:2A:09:14:67:D8:4D:52:12:4E:93:3C:13:E8:A0:8D:DA:B6:F3
```
We download the `CA`certificate of the keyservers pool `sks-keyservers.net`
with its **PGP signature** (*.asc file*). We verify it with the [**openssl suite** ](https://www.openssl.org/) and then we extract the *"X509v3 Subject Key Identifier"* and check if it is the same with the one that we've [here](https://sks-keyservers.net/verify_tls.php).
```
$ host -t a hkps.pool.sks-keyservers.net
hkps.pool.sks-keyservers.net has address 193.164.133.100
$ cat << EOF >> ~/.gnupg/gpg.conf
keyserver hkps://193.164.133.100
EOF
$ cat << EOF > ~/.gnupg/dirmngr.conf
keyserver hkps://193.164.133.100
hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem
EOF
```
Like you can see we've just added one new directive in our `gpg.conf` file after resolving the pool of keyservers `sks` in a single `ipv4` address. Next we've created a new configure file for `dirmngr` that is the daemon resposible of the access to the **OpenPGP** keyservers
```
$ gpg2 --send-key 0xAD8E487FF2F05FDE
gpg: sending key 0xAD8E487FF2F05FDE to hkp://193.164.133.100
$ gpg2 --fingerprint 0xAD8E487FF2F05FDE | grep finger | head -n 1
Key fingerprint = 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
```
this is the normal command to transfer our `pub`key who owner is `[ultimate] No Place No Address (No Place No Address) <npna@protonmail.ch>`; after some minutes we can search our `public` key in the **OpenPGP** network [here](http://hkps.pool.sks-keyservers.net/).
## Encryption using public key is AWESOME
We want to establish a secure communications channel between `npna@protonmail.ch` and `r.giuntoli@protonmail`, without public key encription and signing will give us a lot of headchache. Using it produce this esquema:
![bob and alice](https://steemitimages.com/640x0/https://www.usna.edu/Users/cs/wcbrown/courses/si110AY13S/lec/l26/asymmetricencryption.png)
In practice never Alice or Bob have to send in an insecure channel, like *Internet*, their private keys. In my example alice got a **Gentoo** workstation, and Bob an **OpenBSD** one. The two folks have uploaded their `public` keys using the **OpenPGP** suite. The two `trust` each one and can verify the fingerprint of the other utilizing a *secure* channel, like they are in the same room creating this example.
```
alice$ gpg --search-keys npna
gpg: data source: http://37.191.226.104:11371
(1) No Place No Address (No Place No Address) <npna@protonmail.ch>
4096 bit RSA key 0xAD8E487FF2F05FDE, created: 2018-02-23
Keys 1-1 of 1 for "npna". Enter number(s), N)ext, or Q)uit > 1
gpg: key 0xAD8E487FF2F05FDE: public key "No Place No Address (No Place No Address) <npna@protonmail.ch>" imported
gpg: Total number processed: 1
gpg: imported: 1
alice $ gpg --edit-key 0xAD8E487FF2F05FDE
gpg (GnuPG) 2.2.5; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/0xAD8E487FF2F05FDE
created: 2018-02-23 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/0x3C423C42DE438790
created: 2018-02-23 expires: never usage: E
sub rsa4096/0x5DC3DAEF3359F361
created: 2018-02-23 expires: never usage: S
sub rsa4096/0x52E923E51A16A5E9
created: 2018-02-23 expires: never usage: A
[ unknown] (1). No Place No Address (No Place No Address) <npna@protonmail.ch>
gpg> fpr
pub rsa4096/0xAD8E487FF2F05FDE 2018-02-23 No Place No Address (No Place No Address) <npna@protonmail.ch>
Primary key fingerprint: 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
gpg> sign
pub rsa4096/0xAD8E487FF2F05FDE
created: 2018-02-23 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
No Place No Address (No Place No Address) <npna@protonmail.ch>
Are you sure that you want to sign this key with your
key "Riccardo Giuntoli <r.giuntoli@protonmail.ch>" (0xA51D8EF938AF47D0)
Really sign? (y/N) y
gpg> save
alice$
```
So we search the `public` key of Alice in the `keyserver` , in this case we've got only a possible key, we select pressing `1` at the **OpenPGP** shell. Next we enter in `edid` mode and always at the **OpenPGP** shell and we see that also Bob have created three *subkeys* one for **encryption**, another for **signing** and the last for **authentication**. We print the fingerprint to validate it with Bob to locally sign it with the option `sign` . We save and the returl to the `bash` shell.
We do the same process in the Bob **OpenBSD** machine:
```
bob$ gpg2 --search-key r.giuntoli
gpg: data source: http://18.9.60.141:11371
(1) Riccardo Giuntoli <r.giuntoli@protonmail.ch>
4096 bit RSA key 0x6DAE5C27DFAF0D6F, created: 2018-02-20
(2) ANTRAX <r.giuntoli@protonmail.ch>
3072 bit RSA key 0xAAE9F49A70ED3F09, created: 2017-09-04
(3) Riccardo Giuntoli (MESWIFI, S.L.) <r.giuntoli@meswifi.com>
2048 bit RSA key 0x83D1285CD6F38DFA, created: 2014-01-26
Keys 1-3 of 3 for "r.giuntoli". Enter number(s), N)ext, or Q)uit > 1
gpg: key 0x6DAE5C27DFAF0D6F: public key "Riccardo Giuntoli <r.giuntoli@protonmail.ch>" imported
gpg: Total number processed: 1
gpg: imported: 1
bob$ gpg2 --edit-key r.giuntoli
gpg (GnuPG) 2.1.23; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/0x6DAE5C27DFAF0D6F
created: 2018-02-20 expires: never usage: SC
trust: unknown validity: full
sub rsa2048/0xA51D8EF938AF47D0
created: 2018-02-20 expires: never usage: S
sub rsa2048/0x32772E38B5C56D73
created: 2018-02-20 expires: never usage: E
sub rsa2048/0xE3E741619E88263B
created: 2018-02-20 expires: never usage: A
[ full ] (1). Riccardo Giuntoli <r.giuntoli@protonmail.ch>
gpg> fpr
pub rsa4096/0x6DAE5C27DFAF0D6F 2018-02-20 Riccardo Giuntoli <r.giuntoli@protonmail.ch>
Primary key fingerprint: 90DC 1D49 FC85 DD2E 38AC 5301 6DAE 5C27 DFAF 0D6F
gpg> sign
pub rsa4096/0x6DAE5C27DFAF0D6F
created: 2018-02-20 expires: never usage: SC
trust: unknown validity: full
Primary key fingerprint: 90DC 1D49 FC85 DD2E 38AC 5301 6DAE 5C27 DFAF 0D6F
Riccardo Giuntoli <r.giuntoli@protonmail.ch>
Are you sure that you want to sign this key with your
key "No Place No Address (No Place No Address) <npna@protonmail.ch>" (0xAD8E487FF2F05FDE)
Really sign? (y/N) y
gpg>save
bob$
```
In this case the reply at our search are three diferents keys, we install the first.
```
alice$ echo "Я хочу встретиться с тобой" | gpg --armor --sign --encrypt -r npna -
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: 0x3C423C42DE438790: There is no assurance this key belongs to the named user
sub rsa4096/0x3C423C42DE438790 2018-02-23 No Place No Address (No Place No Address) <npna@protonmail.ch>
Primary key fingerprint: 6ACF BE8E 6C24 EA90 3F5B 9F49 AD8E 487F F2F0 5FDE
Subkey fingerprint: 2754 CF0A D8FA 32DD 1123 EF25 3C42 3C42 DE43 8790
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
-----BEGIN PGP MESSAGE-----
hQIMAzxCPELeQ4eQAQ/8CzGw9ms0lyHcinfJptV3ICjUIrDxSHEDlj7L5oME1tc0
7BEuURJcqP6ftuU/OK8oQipKw+TBbioDIjNNnWVlpPGhSyHZl8tRnUyOKhQDcGEU
8KWk9wZfwElBVBAbqhfsih5dBIGgmZwvA9iVJrdvXv8uA7OD2qNsiD7SLG1XaemN
un8FnlRptYvwnR4/FEESf4FNeYUki0SwE3PDQb1c1uxTBILSavontFmUwxEhVyKB
2gV8SB2XtiN+WvxJDNlnuEI9NUM46XjNZVew9Iam78PAro/dcXxkD+PkY4Z8aXNB
ugIrym5//4vE7uTskT8qh0m4dlfDgnhuojFWjwSMdedntU09tNy5uMQMbqJkKmSV
8J4qfCVTtp9UtKgA/Ylqmw4TyAsZ+r8TZYgMtbTF3VTOGiXk5fSd5cjNUsAhDPWI
PR0+IrdumfTDoUdXX9SXZrJ8ftlFuVkj8II5Zm7wXbbXO3wTrzAZZTmZL0NoHkca
BKGp11rWk4MgpxwYQKsCI1LZc/q2Ve7PsviN57nmeiDGLGP1AgOqVVJP1LNEPLvs
7xlTDlviALdJXKR3rwww+iwFFLwdE7V7GO4pw5z/Wgxgsx2WlFbOPG6FnJmeW22D
xCQm4NDJvVLnmI6fa8Y2JPzZVFou7bJxEgnGWwoXGdT8b+S10DWxNlAxKKh+svLS
wPEBJYi7+I0iY1gucLhLnKDnTd1XV9POHt/kT2uSb7INZedd221lqLw327aqFpo+
anrVtodShpg3CQM9mC/VX5/tYh/4YqupR+TAmlXvscbjNEy19gjbTjhhO80c1dla
axeLsA6OuDh77arEyk1gzlEFHl2ebUSZjBVNG7nFAMur9hS22TBSOmGHdgEH4w4z
pPCk3dAnqOBdgXCOrt8a9MHDXmg6RqkpclXAK/X/EOtx0JouNQUSXjyakzrKffKF
KtkUGsTyH8wUAlJb2X/enOi89b2VBHgqqy4ss9B3Do1sYpgLo3Ho9oGqpxt0oaiZ
pnIq2jZdns8kdtsEJsQTnN/ucu4L+/MzDGjUAdP7vC94in62gqypnaNhYzpyHrS+
H8p+ddtWoYEZHnp/TuqqdSw3psDzhA9UyWFa1BKTOczI3CBFhoio/NPdK4bvnNdw
Ef9gP4kVaCIDh6QOQV5xJtKgTU53alu76xlyZcyBqP4q6fk94klVxkb1G5lmP60I
HLXQvFuTaGF8BTZqNYsNZlOS0B5plXMYCw1s4hX6n2h+4HgbOg71cHaTTIw5IRls
qk2g
=i1ah
-----END PGP MESSAGE-----
```
Alice encrypt and sign the message *Я хочу встретиться с тобой* for Bob. The process is simple, she piped it to `gpg` that is launched with:
1. `--armor` the result of the process have to be always text.
2. `--sign` she sign it with her `subkey` dedicated to the sign operation.
3. `--ecrypt` she encript it.
4. `-r Bob` the message will only readable by Bob (*that seems to be russian*).
5. `-` it indicate to `gpg` that the text in input was piped.
Now she use a **free past service** to upload it to the *Internet*, the result is there:
[ghostbin free past service, a message for you darling](https://ghostbin.com/paste/28fqm/raw)
So Bob is very exited and want to rapidly verify and decrypt his *love message*:
```
bob$ wget https://ghostbin.com/paste/28fqm/raw -o log -O testmsg
bob$ cat testmsg | gpg2 --decrypt
gpg: encrypted with 4096-bit RSA key, ID 0x3C423C42DE438790, created 2018-02-23
"No Place No Address (No Place No Address) <npna@protonmail.ch>"
Я хочу встретиться с тобой
gpg: Signature made Tue Mar 6 18:49:14 2018 CET
gpg: using RSA key E9664F440C5E14C8E661AC6BA51D8EF938AF47D0
gpg: Good signature from "Riccardo Giuntoli <r.giuntoli@protonmail.ch>" [full]
Primary key fingerprint: 90DC 1D49 FC85 DD2E 38AC 5301 6DAE 5C27 DFAF 0D6F
Subkey fingerprint: E966 4F44 0C5E 14C8 E661 AC6B A51D 8EF9 38AF 47D0
bob$
```
Silently download the message and save in local `testmsg` text file and use `gpg --decrypt` to read his message.
## OpenPGP others applications and a little bit of magic
------
![gandalf](https://steemitimages.com/640x0/![gandalf.png](https://steemitimages.com/DQmbnXz4af8fQEEE7ky1EymSohLAJ85G97AR5hsjQELTghP/gandalf.png)g)
With the **OpenPGP** suite we can also simply encrypt a file or folder.
But *Bob* want to be more [**31337** ](https://en.wikipedia.org/wiki/Leet) and want to hide a *secret message* in an image, embedding in it using a technology knowned as [**Steganography**](https://en.wikipedia.org/wiki/Steganography). And with **OpenBSD** is a nice and rapid task.
```
bob$ doas pkg_add -U steghide
doas (taglio@Lutetia.unknown_domain) password:
quirks-2.367 signed on 2017-10-03T11:21:28Z
steghide-0.5.1p3: ok
bob$ steghide
steghide version 0.5.1
the first argument must be one of the following:
embed, --embed embed data
extract, --extract extract data
info, --info display information about a cover- or stego-file
info <filename> display information about <filename>
encinfo, --encinfo display a list of supported encryption algorithms
version, --version display version information
license, --license display steghide's license
help, --help display this usage information
embedding options:
-ef, --embedfile select file to be embedded
-ef <filename> embed the file <filename>
-cf, --coverfile select cover-file
-cf <filename> embed into the file <filename>
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to embed data
-sf, --stegofile select stego file
-sf <filename> write result to <filename> instead of cover-file
-e, --encryption select encryption parameters
-e <a>[<m>]|<m>[<a>] specify an encryption algorithm and/or mode
-e none do not encrypt data before embedding
-z, --compress compress data before embedding (default)
-z <l> using level <l> (1 best speed...9 best compression)
-Z, --dontcompress do not compress data before embedding
-K, --nochecksum do not embed crc32 checksum of embedded data
-N, --dontembedname do not embed the name of the original file
-f, --force overwrite existing files
-q, --quiet suppress information messages
-v, --verbose display detailed information
extracting options:
-sf, --stegofile select stego file
-sf <filename> extract data from <filename>
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to extract data
-xf, --extractfile select file name for extracted data
-xf <filename> write the extracted data to <filename>
-f, --force overwrite existing files
-q, --quiet suppress information messages
-v, --verbose display detailed information
options for the info command:
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to get info about embedded data
To embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt
To extract embedded data from stg.jpg: steghide extract -sf stg.jpg
bob$ wget https://pbs.twimg.com/profile_images/966976157592838145/bzhg-p3s_400x400.jpg -o log
bob$ cat << EOF > msg
trip lover trust
EOF
bob$ steghide embed -cf bzhg-p3s_400x400.jpg -ef msg
Enter passphrase:
Re-Enter passphrase:
embedding "testmsg" in "bzhg-p3s_400x400.jpg"... done
bob$
```
To obtain this little *magic*, Bob install **steghide** from the official ports of **OpenBSD**, next he write a text message and embedded protected with a password in the `jpeg` image.
Now he saves the `jpg` image in his harddisk with `gpg` and `symmetric` encryptions. When he will send to *Alice* he will decrypt it and reuse the `public` method.
```
bob$ gpg2 --symmetric bzhg-p3s_400x400.jpg
```
Nice, i'm in love with this *Bob and Alice* story, i'm in love with my work that is and will be write about security stuff, protecting privacy for who want it.
*love is back, RG*

View File

@ -0,0 +1,610 @@
# OpenBSD up on the Alps, vmm and Alpine linux
## Four days ago...
------
¡Hello there, dear souls! Days pass rapidly, exactly *four days ago* we're speaking about add another soldier, who's name was **privoxy**, in our personal battle with the infamous *privacy cannibals*, [¿do you remember?](https://steemit.com/openbsd/@npna/openbsd-tor-privoxy-and-the-browsers)
Our new friend, could act like a **layer 7 firewall**, but in our last article we didn't any firewalling, only we rewrite the **Refer** HTTP header.
You have to know that some fantastic dudes maintained a public list of hosts that use our *personal sensible data* with the scope of monetizing it (¿have i give my permission to this abuse?) . The name of the list is **easylist** and you can navigate to the home site of the project [here](https://easylist.to/). Normally is used with browsers extensions to grant **ad-free** navigation to his users. But we're *deep* users and we want to use the list in ours *privoxy* rules. The problem is that this is not so simple. There is a project on the *fantastic github* that could help us in doing that, but it use a language not installed by default in our **OpenBSD**, the name of the language is [**haskell**](https://www.haskell.org/), a *standardized, general-purpose purely functional programming language*. Here is some links to the project:
1. [GitHub project home page](https://github.com/essandess/adblock2privoxy)
2. [Project home page](https://projects.zubr.me/wiki/adblock2privoxy)
**Haskell** can be installed on **OpenBSD** but **adblock2privoxy** want [*The stack package*](https://hackage.haskell.org/package/stack) that i couldn't correctly compile under OpenBSD.
That's the reason why i take my OpenBSD and we go to the up of the [Alps](https://en.wikipedia.org/wiki/Alps) to meet with *another good friend*, another security guy, [**Alpine linux**](https://www.alpinelinux.org/).
## Install Alpine linux under OpenBSD vmm
------
![Alps](https://steemitimages.com/640x0/https://images.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.rci.com%2Fstatic%2Fimages%2Fcontent%2Findia%2FC5%2FS5%2Fc5-en_IN_all-destinations-Alps.jpg&f=1)
We're lucky, or *the karma* is in love with us (we're also in love with you), because a few months ago **OpenBSD** introduce in his base tree the *virtual machine monitor* [**vmm**](https://man.openbsd.org/vmm). But *karma* help us more than this, because it's just very few months that under *vmm* we can virtualize *linux*, read [here](https://marc.info/?l=openbsd-misc&m=149329839013688&w=2).
Ok, let's start with prepare the correct *environment* for our new friend:
Download **Alpine** minimal ISO image, to use in virtual environment, and create a virtual disk of 10GB:
```
$ wget http://dl-cdn.alpinelinux.org/alpine/v3.7/releases/x86_64/alpine-virt-3.7.0-x86_64.iso
$ vmctl create alpine-virt.img -s 10G
```
Enable routing in our OpenBSD:
```
$ doas sysctl net.inet.ip.forwarding=1
# echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
```
Create virtual switch `vether0`:
```
# echo "inet 10.1.10.1 255.255.255.0" > /etc/hostname.vether0
# cat > /etc/vm.conf << EOF
switch "local" {
add vether0
up
}
EOF
```
Enable **vmd** on boot, enable it and download the virtual BIOS:
```
$ doas rcctl enable vmd
$ doas rcctl start vmd
$ doas fw_update
```
Indicate dns service of Tor to listen in the `vether0` interface and restart it:
```
# echo 'DNSPort 10.1.10.1:53 IsolateDestPort' >> /etc/tor/torrc
$ doas rcctl restart tor
```
Create a dedicated **privoxy** for our new friend, **Alpine**:
```
$ doas cp -p /etc/rc.d/privoxyfirefox /etc/rc.d/privoxyvesta
# cat > /etc/privoxy/vesta << EOF
# Sample Configuration File for Privoxy 3.0.26
#
# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
#
# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
#
user-manual https://www.privoxy.org/user-manual/
trust-info-url https://learn.canva.com/wp-content/uploads/2015/06/50-Of-The-Most-Creative-404-Pages-On-The-Web-01.png
admin-address r.giuntoli@protonmail.ch
#config guide
#proxy-info-url http://www.example.com/proxy-service.html
confdir /etc/privoxy
templdir /etc/privoxy/templates
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
filterfile user.filter # User customizations
logfile privoxyvesta.log
#if set all deny but the ones listed on [use ~ like *]
#trustfile trust
#
# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024
# debug 2 # show each connection status
# debug 4 # show I/O status
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# debug 64 # debug regular expression filters
# debug 128 # debug redirects
# debug 256 # debug GIF de-animation
# debug 512 # Common Log Format
# debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
# debug 2048 # CGI user interface
# debug 4096 # Startup banner and warnings.
# debug 8192 # Non-fatal errors
# debug 32768 # log all data read from the network
# debug 65536 # Log the applying actions
debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
#debug 1024 # Actions that are applied to all sites and maybe overruled later on.
#debug 4096 # Startup banner and warnings
#debug 8192 # Non-fatal errors
single-threaded 0
hostname Lutetia.unknown_domain
listen-address 10.1.10.1:8812
#filter mode
toggle 1
enable-remote-toggle 0
#filter by X-filter http header
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 1
# src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
permit-access 10.1.10.2
buffer-limit 8192
#enable if there's a parent proxy
enable-proxy-authentication-forwarding 0
forward-socks5 / 127.0.0.1:9912 .
forwarded-connect-retries 0
#transparent proxy
accept-intercepted-requests 0
#
allow-cgi-request-crunching 0
split-large-forms 0
# grow up to 300 (if browser hang stop)
keep-alive-timeout 5
# disable if problems
tolerate-pipelining 1
#default-server-timeout 60
connection-sharing 0
# try to reduce to 5 sec
socket-timeout 300
#max-client-connections 256
handle-as-empty-doc-returns-ok 0
#enable-compression 1
#compression-level 3
#client-header-order Host \
# Accept \
# Accept-Language \
# Accept-Encoding \
# Proxy-Connection \
# Referer \
# Cookie \
# DNT \
# If-Modified-Since \
# Cache-Control \
# Content-Length \
# Content-Type
#
#client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
# disable-content-filters Disable content-filters but do not affect other actions
#
#
# client-tag-lifetime 180
# # IP address with a X-Forwarded-For header.
# trust-x-forwarded-for 1
EOF
$ doas rcctl enable privoxyvesta
$ doas rcctl set privoxyvesta flags=/etc/privoxy/vesta
$ doas rcctl start privoxyvesta
```
And prepare pf for the new services opened on `vether0`:
```
# cat >> /etc/pf.conf << EOF
pass in on vether0 proto tcp from 10.1.10.2 to 10.1.10.1 port 8812
pass in on vether0 proto udp from 10.1.10.2 to 10.1.10.1 port 53
EOF
$ doas pfctl -f /etc/pf.conf
```
Notice that we don't NAT connections from *Alpine linux vesta*, it will only arrive in Internet by the use of our *privoxy* dedicated instance.
## Alpine under OpenBSD, the video
------
Now, using [this guide](https://wiki.alpinelinux.org/wiki/Install_to_disk) we are going to install our **Alpine** under the **OpenBSD**
[![asciicast](https://steemitimages.com/640x0/https://asciinema.org/a/157644.png)](https://asciinema.org/a/157644)
*...to be continued...* and yes **I LOVE YOU**
# OpenBSD, Alpine and Docker; the good, the bad and the hugly
## The goodfellas
------
![blue whale](https://steemitimages.com/640x0/https://images.duckduckgo.com/iu/?u=http%3A%2F%2Fnews.bbcimg.co.uk%2Fmedia%2Fimages%2F50355000%2Fjpg%2F_50355036_blue_whale_1.jpg&f=1)
OpenBSD, [*last time*](https://steemit.com/openbsd/@npna/openbsd-up-on-the-alps-vmm-and-alpine-linux), meet a good friend in the alps, [**Alpine Linux**](https://en.wikipedia.org/wiki/Alpine_Linux), *¿do you remember?*
After **four** days of [*titties & beer*](https://www.last.fm/music/Frank+Zappa/_/Titties+and+Beer) , they decides to meet another friend, *a blue whale*, his name is [**Docker**](https://www.docker.com/).
## ¿Who is Docker?
------
> Docker is a software technology providing containers, promoted by the company Docker, Inc. Docker provides an additional layer of abstraction and automation of operating-system-level virtualization on Windows and Linux. Docker uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces, and a union-capable file system such as OverlayFS and others to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines (VMs).
> The Linux kernel's support for namespaces mostly isolates an application's view of the operating environment, including process trees, network, user IDs and mounted file systems, while the kernel's cgroups provide resource limiting, including the CPU, memory, block I/O, and network. Since version 0.9, Docker includes the libcontainer library as its own way to directly use virtualization facilities provided by the Linux kernel, in addition to using abstracted virtualization interfaces via libvirt, LXC (Linux Containers) and systemd-nspawn.
## OpenBSD, Alpine linux and Docker
------
Always remembering [*russian Matryoshka*](https://steemit.com/openbsd/@npna/openbsd-tor-privoxy-and-the-browsers), we've decided to add another layer of virtualization to our workstation searching how to build [**adblock2privoxy**](http://projects.zubr.me/wiki/adblock2privoxy) in OpenBSD. Retaking our last video tutorial we've got **Alpine linux** correctly installed in a virtual environment in a OpenBSD host. Now we've to adjust some parameters in Alpine to finish the installation:
Add the virtual machine in automatic boot with the host OS:
```
# cat >> /etc/vm.conf <<EOF
vm "screencast" {
memory 2048M
disk "/home/taglio/Virtual/alpine-screencast.img"
interface { switch "local" }
}
EOF
#
$ doas rcctl restart vmd
```
Connect to the serial console, press `ENTER` to boot the default `initramfs` and `kernel` and customize `syslinux` [bootloader](http://www.syslinux.org/) and enable the community repository of `apk` [packet manager](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management):
```
alpine# cat /boot/extlinux.conf
SERIAL 0 115200
DEFAULT virthardened
PROMPT 0
LABEL virthardened
MENU LABEL Linux virthardened
LINUX vmlinuz-virthardened
INITRD initramfs-virthardened
APPEND root=UUID=ebf73ff9-7df6-463d-915f-0ab84f5e11e9 modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4
MENU SEPARATOR
alpine# cat /etc/apk/repositories
http://nl.alpinelinux.org/alpine/v3.7/main
http://nl.alpinelinux.org/alpine/v3.7/community
#
```
Doing so Alpine will reboot automatically without the need of press `ENTER` in `syslinux` prompt.
Generate `root` OpenBSD ssh keys and add to the `root` `authorized_keys` in the virtual Alpine:
```
$ doas su
# ssh-keygen
# ssh 10.1.10.2 mkdir /root/.ssh
# scp ./ssh/id_rsa.pub 10.1.10.2:/root/.ssh/authorized_keys
```
Upgrade Alpine packages and install our new friend, **Docker**:
```
alpine# apk update && apk upgrade
alpine# apk add docker
```
Configure Alpine `openrc` , the [**Gentoo**](https://gentoo.org/) [antagonist](https://wiki.gentoo.org/wiki/Project:OpenRC) of the *hugly infamous* [systemd](https://suckless.org/sucks/systemd), to boot on start our **Docker**.
```
alpine# rc-service docker start
alpine# rc-update add docker default
```
## adblock2privoxy Docker configuration
------
**Docker** container is a extremely flexible software. Have got thousand of different possible uses and configurations. And a *deep dive* into it will require an entire new series of articles (*asap* we will analyze it).
The most important think to understand, he has got a public internet libraries from where you can `pool` a system operative `image` into our local system. After pulling the correct one we can automate a serie of operation every time we `build` one of them into a `container`. I know...there's many new types of concepts here, but with practice it will be simple. Containers are super flexibles because for every command defined in a special file called `Dockerfile` they save a subcontainer in a `overlay` [filesystem](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/overlayfs.txt).
This is the `Dockerfile` that we're going to use in this project:
```
alpine# mkdir docker
alpine# cat > Dockerfile << EOF
FROM debian:8
MAINTAINER Riccardo Giuntoli <r.giuntoli@protonmail.ch>
RUN apt-get update
RUN apt-get -y upgrade
RUN apt-get -y install wget
WORKDIR /root
RUN mkdir privoxy
RUN mkdir lists
RUN wget https://s3.amazonaws.com/ab2p/adblock2privoxy_1.4.2_amd64.debian8.deb
RUN dpkg -i adblock2privoxy_1.4.2_amd64.debian8.deb
RUN wget -O lists/easyprivacy.txt https://easylist.to/easylist/easyprivacy.txt
RUN wget -O lists/easylist.txt https://easylist.to/easylist/easylist.txt
RUN wget -O lists/antiadblockfilters.txt https://easylist-downloads.adblockplus.org/antiadblockfilters.txt
RUN wget -O lists/malwaredomains_full.txt https://easylist-downloads.adblockplus.org/malwaredomains_full.txt
RUN wget -O lists/adblock-list.txt https://raw.githubusercontent.com/Dawsey21/Lists/master/adblock-list.txt
RUN adblock2privoxy -p ./privoxy lists/easyprivacy.txt lists/easylist.txt \
lists/antiadblockfilters.txt lists/malwaredomains_full.txt lists/adblock-list.txt
RUN tar -cvzf privoxy.tgz privoxy/
```
Let's dive a little bit into this `Dockerfile`:
1. `FROM`: key to specify base `image` where start to compile the `container` , in this key is a [**debian**](https://debian.org/) machine, stable version number **8**, codename [**jessie**](https://www.debian.org/releases/jessie/).
2. `MANTAINER`: simply the owner of this `Dockerfile`.
3. `RUN`: `exec` commands in the virtual debian environment.
4. `WORKDIR`: change the working directory.
In this specific docker application you can see that we download and install our **adblock2privoxy** software, download *bad boys* list maintained buy the guys of [**easylist.to**](https://easylist.to/), give to adblock2proxy and pack the result in a `tar.gz` archive.
## Automatic OpenBSD, Alpine and Docker process
Our goal is the automatize all the process and every week update ours **privoxy** rules. We've got an environment with three distinct system operatives, one OpenBSD and two Linux, it's like an orgy.
Let's start to create a little `ash` script in our **Alpine**:
```
alpine# mkdir bin
alpine# cat > bin/automatic_docker.sh <<EOF
cd docker/ && docker build -t adblock2privoxy-bootstrap:final .
ASDF=`docker run -d -t adblock2privoxy-bootstrap:final /bin/bash`
docker cp $ASDF:/root/privoxy.tgz .
docker system prune -f
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
docker rmi $(docker images -q)
EOF
```
1. `docker build`: Build an image from a Dockerfile.
2. `docker run`: Run a command in a new container.
3. `docker system prune`: Remove unused data.
4. `docker stop`: Stop one or more running containers.
5. `docker rm`: Remove one or more containers.
6. `docker rmi`: Remove one or more images.
7. `docker ps`: List containers.
8. `docker images`: List images.
Next combine it with a little `ksh` *magic* in our **OpenBSD**:
```
#/bin/sh
ssh 10.1.10.2 rm -rf /root/docker/privoxy.tgz
ssh 10.1.10.2 sh /root/bin/automatic_docker.sh
scp 10.1.10.2:/root/docker/privoxy.tgz /etc/privoxy/adblock2privoxy.tgz
cd /etc/privoxy/
tar zxvf adblock2privoxy.tgz
```
Very basic, i know, it simply remove old output, run the Alpine script, copy and `untar` the output in our **privoxy** directory.
Just add a `crontab` weekly script in OpenBSD and indicate to the [*three browsers*](https://steemit.com/openbsd/@npna/openbsd-tor-privoxy-and-the-browsers) to do the **things work like a charm**.
```
# crontab -l | tail -n 1
5 12 * * 2 /bin/sh /root/bin/automatic_adblock2privoxy.sh
#
# cat >> /etc/privoxy/firefox <<EOF
actionsfile adblock2privoxy/ab2p.system.action
actionsfile adblock2privoxy/ab2p.action
filterfile adblock2privoxy/ab2p.system.filter
filterfile adblock2privoxy/ab2p.filter
EOF
# cat >> /etc/privoxy/chrome <<EOF
actionsfile adblock2privoxy/ab2p.system.action
actionsfile adblock2privoxy/ab2p.action
filterfile adblock2privoxy/ab2p.system.filter
filterfile adblock2privoxy/ab2p.filter
EOF
# cat >> /etc/privoxy/torbrowser <<EOF
actionsfile adblock2privoxy/ab2p.system.action
actionsfile adblock2privoxy/ab2p.action
filterfile adblock2privoxy/ab2p.system.filter
filterfile adblock2privoxy/ab2p.filter
EOF
```
And with this **triple cat** i remember to you **all** that the wind of changes is blowing.
*i love you*,
# OpenBSD and FreeDOS vs the hell in earth
**[npna (33)](https://steemit.com/@npna)**in [#openbsd](https://steemit.com/trending/openbsd) • 2 years ago (edited)
## The family is rapidly growing
------
![GENOVA antifascista](https://steemitimages.com/640x0/https://scontent-otp1-1.xx.fbcdn.net/v/t1.0-9/26992485_10215637286587786_5182180295980038263_n.jpg?oh=7fd752bfb4977878a635cda33d79d682&oe=5B150DBE)
Yes sir, yes. Our family, composed until now by [OpenBSD](https://www.openbsd.org/), [Alpine Linux](https://www.alpinelinux.org/) and [Docker](https://www.docker.com/) is rapidly growing. And yes, sir. Yes. All together we're fighting against your best friends, the infamous, the ugliest, the worst...the dudes called *the privacy cannibals*. Do you know what i mean, sure?
We're working hard, no matter what time is it, no matter in what part in the world we are, no matter if we've **no money**. We perfectly know that you cannot do nothing against **the true**. And we're doing our best to expand our true, our doors are opened to all the *good guys*, there's a lot here but their brain was fucked by your shit tv, your fake news, your laws, etc etc etc. We're alive, we're **here to fight against you**.
Tonight, yes *it's a Friday night and we're working*, we're ready to welcome with open arms an *old guy*, his experience will give us more power. Welcome to:
[**FreeDOS**](http://www.freedos.org/)
> FreeDOS is a complete, free, DOS-compatible operating system that you can use to play classic DOS games, run legacy business software, or develop embedded systems. Any program that works on MS-DOS should also run on FreeDOS.
> It doesnt cost anything to download and use FreeDOS. You can also share FreeDOS for others to enjoy! And you can view and edit our source code, because all FreeDOS programs are distributed under the GNU General Public License or a similar open source software license.
## UEFI
------
![The hell in earth](https://steemitimages.com/640x0/https://scontent-frx5-1.xx.fbcdn.net/v/t1.0-9/22886001_10214894127769280_7559827501261378744_n.jpg?oh=3f015f59bfb1b5b3d7fa53c0cfe848a4&oe=5B1A8A6A)
But why we want to build a bootable usb stick with **FreeDOS** under our strong **OpenBSD**? The answer is as usual to fight against the privacy cannibals!
More than one decade ago the old [**BIOS**](https://en.wikipedia.org/wiki/BIOS) was silently replaced by the more capable and advanced [**UEFI**](http://www.uefi.org/), this is absolutely normal because of the pass of the years and exponencial grow of the power of our personal computers. [**UEFI**](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) is a complex system, it's like a standalone system operative with direct access to every component of our (*yes, it's our not your!*) machine. But...wait a moment...do you know how to use it? Do you ever know that it exist? And one more thing, *it's secure*? The answer to this question is totally insane, no, *it's not secure*. The idea is good, the company that started in theory is one of the most important in IT, it's [**Intel**](https://www.intel.co.uk/content/www/uk/en/homepage.html?_ga=2.49642342.1336926968.1517604803-1923177664.1517604803).
The history is very large and obviously *we're going to go very deep in it*, but trust me **UEFI** and the various friend of him, like [**ME**](https://en.wikipedia.org/wiki/Intel_Management_Engine), [**TPM**](https://en.wikipedia.org/wiki/Trusted_Platform_Module) are insecure and closed source! Like **the hell in earth**.
## Lenovo UEFI BIOS without Windows?
------
![chaos](https://steemitimages.com/640x0/https://lh4.googleusercontent.com/ywq-n7n21H-S1x6vfI39fyRfgqJNtrzEd57IMNpMrofO6kr90wqUBDds7bpBvbmAsg3BC5ONqCV8nePRIj_o=w1366-h601)
There's no simple method to upgrade our personal computer if we've uninstall Windows...ou it's the first time that i write this name, shit! And it's basic for the users have one, because *UEFI* is living under the hood, in the first ring after the hardware. *It's the most important think to keep secure and clean!* There is no clean information, there is nothing, only there's [Χάος](https://en.wikipedia.org/wiki/Chaos_(mythology)).
Remember well people, *they love Χάος*.
## A FreeDOS bootable usb image under OpenBSD
------
But let's start preparing our **OpenBSD** to put order in this chaos:
```
$ mkdir -p freedos/stuff
$ cd freedos/stuff
$ wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/distributions/1.0/fdboot.img
$ wget https://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/sys/sys-freedos-linux/sys-freedos-linux.zip
$ wget https://download.lenovo.com/consumer/desktop/o35jy19usa_y900.exe
$ wget http://145.130.102.57/domoticx/software/amiflasher/AFUDOS%20Flasher%205.05.04.7z
```
Explanation in clear language as usual: create two directory, download the minimal boot disc image of **FreeDOS**, download [Syslinux](http://www.syslinux.org/wiki/index.php?title=The_Syslinux_Project) assembler [**MBR**](https://en.wikipedia.org/wiki/Master_boot_record) bootloaders, download the last *Windows only* UEFI update from [Lenovo](https://pcsupport.lenovo.com/) and download the relative *unknown* utility from [**AMI**](https://ami.com/en/) to flash our motherboard UEFI chipset. Go ahead:
```
$ doas pkg_add -U nasm unzip dosfstools cabextract p7zip
```
1. `nasm` the Netwide Assembler, a portable 80x86 assembler.
2. `unzip` list, test and extract compressed files in a ZIP archive.
3. `dosfstools`a collections of utilities to manipulate `MS-DOS`fs.
4. `cabextract` program to extract files from cabinet.
5. `p7zip`collection of utilities to manipulate `7zip` archives.
```
$ mkdir sys-freedos-linux && cd sys-freedos-linux
$ unzip ../sys-freedos-linux.zip
$ cd ~/freedos && mkdir old new
$ dd if=/dev/null of=freedos.img bs=1024 seek=20480
$ mkfs.fat freedos.img
```
Create another working directory, cd into it, unzip the archive that we've downloaded, return to the *working root* and create another twos directories.
`dd`is one of the most important utilities in the *unix* world to manipulate at *byte level* **input** and **output**:
> The dd utility copies the standard input to the standard output, applying
> any specified conversions. Input data is read and written in 512-byte
> blocks. If input reads are short, input from multiple reads are
> aggregated to form the output block. When finished, dd displays the
> number of complete and partial input and output blocks and truncated
> input records to the standard error output.
We're creating here a *virtual* disk with `bs=1024` we're setting both input and output block to `1024`bytes; with `seek=20480` we require `20480`bytes. This is the result:
`-rw-r--r-- 1 taglio taglio 20971520 Feb 3 00:11 freedos.img`.
Next we format the virtual disk using the `MS-DOS` filesystem. Go ahead:
```
$ doas su
# perl stuff/sys-freedos-linux/sys-freedos.pl --disk=freedos.img
# vnconfig vnd0 stuff/fdboot.img
# vnconfig vnd1 freedos.img
# mount -t msdos /dev/vnd0c old/
# mount -t msdos /dev/vnd1c new/
```
We use the `perl` utility from `syslinux` to write the MBR of our virtual disk `freedos.img`. Next we create to `loop` virtual node using the **OpenBSD** utility `vnconfig`. Take care here because *it is quite different from Linux*, but as usual is *clear and simple*. The virtual nodes are associated to the downloaded `fdboot.img` and the newly created `freedos.img`. Next we mount the two virtual nodes `c`partitions; in **OpenBSD** `c`partition describes the entire physical disk. *Quite different from Linux, take care*.
```
# cp -R old/* new/
# cd stuff
$ mkdir o35jy19usa
$ cabextract -d o35jy19usa o35jy19usa_y900.exe
$ doas su
# cp o35jy19usa/ ../new/
$ mkdir afudos && cd afudos
$ 7z e ../AFUDOS*
$ doas su
# cp AFUDOS.exe ../../new/
# umount ~/freedos/old/ && umount ~/freedos/new/
# vnconfig -u vnd1 && vnconfig -u vnd0
```
Copy all files and directories in the new virtual node partition, extract the Lenovo cabinet in a new directory, copy the result in our new image, extract the `afudos` utility and like the others copy it. Umount the partitions and destroy the **loop vnode**.
# OpenBSD FreeDOS usb stick and a brief about QEMU
## In the last chapter...
------
![the terminator](https://steemitimages.com/640x0/https://images.duckduckgo.com/iu/?u=http%3A%2F%2F2.bp.blogspot.com%2F-ezjdI7-BZFc%2FTc6Ooc4pGVI%2FAAAAAAAAMlQ%2FAZ54weX0YhA%2Fs1600%2FTERMINATOR5.jpg&f=1)
Hello there, nice people. Machines and technology, take care i'm in love with the twos but i command them they cannot own me, today are so so dangerous. Obviously we're not in the post apocalyptic scene *predicted* by **James Cameron** long time ago, in the **1984** with the futuristic (*just now*) film [**The Terminator**](http://www.imdb.com/title/tt0088247/). But i don't think that *we are not so distance from it*. *But this is off-topic and i don't have sufficient information to argue it*. Simply take care. **Take child off technological dispositives**.
So in our [last article](https://steemit.com/openbsd/@npna/openbsd-and-freedos-vs-the-hell-in-earth) we build with **OpenBSD** a **FreeDOS** *raw* image and now we want to write directly to a **usb stick**. I've presented to you OpenBSD like a very *clean and clear* system; and it's absolutely true. But if you came here with a Linux background it could not appear like this to you, and yes...you have got reason.
One of the biggest wall you have to pass to enter in the *OpenBSD world* is understand how he handle **mass storage devices**, or *disks*.
**OpenBSD** for x86 and amd64 handle storage with two drivers wich manual pages you could find at:
1. `man 4 wd`, driver compatible with standards `MFM`, `RLL`, `ESDI`, `IDE`, and `EIDE` drives, as well as `Serial ATA` drives, and `PCMCIA/CF` storage media.
2. `man 4 sd`, driver compatible with standards `SCSI` that includes USB disks, SATA disks attached to an ahci(4) interface, and disk arrays attached to a RAID controller.
Devices are number on boot stage in the sequence that they are found, from `0`to `x`.
Partitions means two different thinks in **OpenBSD**:
1. filesystem partitions created and managed by `disklabel`. We can find more information about it at `man 8 disklabel`.
2. `MBR`, `GPT`, that can be named also like *BIOS partitions*, because they are created using the `BIOS controller`, that are managed by `fdisk`. We can find more information about at `man 8 fdisk`.
## Write an usb stick with OpenBSD
------
![OpenBSD](https://steemitimages.com/640x0/https://www.openbsd.org/images/tshirt-2.jpg)
Let's see what happened when we plug an usb stick:
```
$ dmesg | tail -n 5
umass0 at uhub0 port 1 configuration 1 interface 0 "SanDisk Cruzer Blade" rev 2.00/2.01 addr 5
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd2 at scsibus4 targ 1 lun 0: <SanDisk, Cruzer Blade, 2.01> SCSI4 0/direct fixed serial.888888888888888888
sd2: 3819MB, 512 bytes/sector, 7821312 sectors
```
We can see that the device `sd2` is initialized and it is a 4GB USB stick. Do directly write our boot `FAT-16`disk image that we previously created we don't have to take care about any partition of any kind, the virtual disk image have his personal `MBR`and filesystem. So we directly write to the disk with the `dd`utility, we can find more information about it at `man 1 dd`.
```
$ doas disklabel sd2
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: Cruzer Blade
duid: 0000000000000000
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 486
total sectors: 7821312
boundstart: 0
boundend: 7821312
drivedata: 0
16 partitions:
# size offset fstype [fsize bsize cpg]
c: 7821312 0 unused
i: 7821312 0 MSDOS
```
The `c` partition simply identify the entire disk, so:
```
$ doas dd if=~/freedos/freedos.img of=/dev/sd2c bs=4M
$ doas sync
$ doas sync
```
Now simply reboot the personal computer, select from `BIOS`the USB stick to boot and enjoy **FreeDOS**.
## Virtualize FreeDOS full with QEMU
------
![QEMU](https://steemitimages.com/640x0/https://images.duckduckgo.com/iu/?u=https%3A%2F%2Ftse4.mm.bing.net%2Fth%3Fid%3DOIP.fB91mTfs8H5RQTykFT-ytwHaEj%26pid%3D15.1&f=1)
Just in case you thinking that i'm alone, i've decided to add *another friend* in my personal *list of good guys*. It's another way to handle virtual machines under **OpenBSD**. It's a lot more sophisticated and older than *OpenBSD vmm* but in this case is not *kernel accelerated*. We will dedicate to it many others POST but for now let's see how to install it under **OpenBSD** and next we will attach a video document about the process of instalation of the latest version of **FreeDOS**, the `1.2`. Simply add to the packages like this:
`$ doas pkg_add -U qemu`
And here you are the video:
<iframe frameborder="0" allowfullscreen="allowfullscreen" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/sZlZgt6YSg4" width="640" height="360" style="box-sizing: inherit; max-width: 100%; max-height: 75vw; position: absolute; width: 640px; height: 359.672px; left: 0px; top: 0px;"></iframe>
## Greetings
------
As usual have a good night, thank you for spend you time reading me.
Nice regards,
*Riccardo Giuntoli*

View File

@ -1,17 +0,0 @@
For our freedom, for the democracy. For Europe. For all of you that have suffered the Illuminati pseudo dictatorship.
For them that have commited suicide.
For you my sun flower. For you Saray. For you my love. To revenge what they have done with your mind.
For you Lucia. For your future.
For all the womans that have been digitally violated in the "Illuminati" network by the digital mafia.
For all the Catalans womans that have been physically violated by the remote parimutuel betting system.
We are not dogs. My two little puppies were killed.
Ricky.
All material publicated in this git repository is strictly protected by the "Creative Commons Attribution-NonCommercial 4.0 International" license.