Without a MAC, it’s easy to tamper with the IV to change the result of “successfully decrypting” the ciphertext.
First, create some plaintext:
echo Give Eve \$500 > plaintext.dat
cat plaintext.dat
[uwsgi]
socket = /tmp/app.sock
chdir = /home/USER/sites/site.com/repo.git
env = NEW_RELIC_ENVIRONMENT=production
env = NEW_RELIC_CONFIG_FILE=newrelic.ini
uid = USER
chown-socket = www-data:GROUP
chmod-socket = 660
TODO passphrase-protected keyfiles…set up a keyfile in a remaining key-slot? Something to make this properly two-factor.
Notes on installing Arch Linux from scratch, using LVM volumes inside a LUKS container.
Why not boot from removable media? Well, there's no real support for “plausible deniability” built in to LUKS/dm-crypt. This means that the benefit of booting from removable media—being able to keep secret the fact that the main HDD contains an encrypted
# -*- coding: utf-8 -*-
#
# Retrieve a list of hosts from EC2, with Name metadata tags matching
# the supplied regex.
#
# e.g. in your fabfile
#
# env.roledefs = {
# 'somesite': lambda: matching_names(r'somesite-web-\d+'),
# }
# -*- mode: sh; coding: utf-8 -*-
# check for interactive shell, returning straight away if this isn't
# one!
[ -z "$PS1" ] && return
setopt prompt_subst
setopt transient_rprompt
setopt prompt_sp
autoload -Uz vcs_info
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Update Route53 DNS A name record for home IP.
#
# Uses the *route53* library, rather than boto.
import os
import re
import sys
remove Lock = Caps_Lock
remove Control = Control_L
keysym Control_L = Caps_Lock
keysym Caps_Lock = Control_L
add Lock = Caps_Lock
add Control = Control_L
Watch outgoing DNS requests on wlan0
tcpdump -pni wlan0 'port domain'
set skip on lo0
block in all
pass in on { em0 wlan0 } proto udp from any to 224.0.0.251 port mdns
pass out all keep state