Reset your forgotten iPhone4 SSH password.

Wonderful, I SSH’d to my iPhone 4 this morning to find out I forgot the mobile and root account passwords. Not to worry! We can fix this!

OK, this is relatively simple. The only problem I ran into was that MobileTerminal crashes under iOS4, so I had to figure out another way to edit the files in question as well as come up with the crypto hashes, but let’s not get ahead of ourselves.

First we need to make some backups. PLEASE PLEASE PLEASE do not skip this part! There is a potential to really screw things up if you make a mistake; if you have a backup, it’s easy to correct by restoring the original file. Proceed at your own risk. If I outline something here you do not understand, find someone who is more versed in Unix to assist you, or shoot me an email and I’ll do my best to help you out.

Since we can’t use MobileTerminal, we need another way. Head into the Cydia Store, find an application called iFile and install it on your device. Fire up iFile and browse to /etc. You can do this by clicking the button in the top left until you’re at the root of the filesystem (/), then finding the etc folder and clicking it.

Now find the file master.passwd. Don’t open it yet; we first need to make that backup. Click the edit button in the top right of the screen and select the master.passwd file; a red checkmark shows that it is selected. Now hit the button in the bottom right (the arrow coming out of the box) and select Copy/Link. You now have the file copied to iFile’s clipboard. Click the Done button (top right), followed by the home button (the little house, 2nd from right on the bottom).

Hit the edit button again, but before you select anything, click the bottom right button (the arrow coming out of the box) and click Paste. We now have our backup.

Navigate back to the /etc folder and open up the master.passwd file. The 2 lines we are interested in are:

root:UI48wgPSS/M1k:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:UI48wgPSS/M1k:501:501::0:0:Mobile User:/var/mobile:/bin/sh

Before you go thinking you have my hashes: I’ve replaced both of them with the hash for the password Password1 (not my password).

To get new hashes we need to generate one, head over to functions-online.com’s crypt function: http://www.functions-online.com/crypt.html

$str is your new password.
$salt is an optional string to base the hashing on. When I first learned this I was taught to use a salt of ‘Ul’; others might work, but I’ve always stuck with Ul since I know it works.

Generate your new passwords and then get them onto your device somehow. I used http://myphonedesktop.com/, which allows me to transfer things (images, text, etc.) to my phone pretty easily. You could also simply generate the crypto hash in MobileSafari on your phone and copy and paste it over. You want to replace the part between the colons; I’ve highlighted it for you. Now just save the file and SSH to your phone with your new password.

root:UI48wgPSS/M1k:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:UI48wgPSS/M1k:501:501::0:0:Mobile User:/var/mobile:/bin/sh

If it still does not work, we should restore your backup from the mobile user’s home directory (/var/mobile/master.passwd) back over the /etc/master.passwd file and try again.
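The same edit done by a script on a copy of the file, as an added example that is not part of the original post: it replaces only the hash field of one account, refuses anything that is not a 13-character DES crypt string, and reports which accounts still carry the sample hash printed above. The comment line in the sample input and the replacement hash `ab0123456789X` are constructed placeholders.

```python
import re

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char digest
FIELDS = 10  # name:hash:uid:gid:class:change:expire:gecos:home:shell
PUBLISHED_SAMPLE = "UI48wgPSS/M1k"  # hash printed in the post (Password1)

# Constructed input: one comment line plus the two account lines from the post.
SAMPLE = (
    "# constructed sample of /etc/master.passwd\n"
    "root:UI48wgPSS/M1k:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:UI48wgPSS/M1k:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
)


def set_hash(text, user, new_hash):
    """Return text with only the hash field of `user` replaced."""
    if not DES_CRYPT.fullmatch(new_hash):
        raise ValueError("not a 13-character DES crypt hash")
    out, found = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        parts = body.split(":")
        if not body.startswith("#") and parts[0] == user:
            if len(parts) != FIELDS:
                raise ValueError(f"{user}: expected {FIELDS} fields")
            parts[1] = new_hash
            line = ":".join(parts) + line[len(body):]  # keep the line ending
            found = True
        out.append(line)
    if not found:
        raise ValueError(f"no entry for {user}")
    return "".join(out)


def users_with_hash(text, hash_value):
    """List accounts whose hash field equals hash_value."""
    rows = (line.split(":") for line in text.splitlines())
    return [r[0] for r in rows if len(r) == FIELDS and r[1] == hash_value]


if __name__ == "__main__":
    # "ab0123456789X" is a constructed placeholder, not the hash of any password.
    edited = set_hash(SAMPLE, "root", "ab0123456789X")
    print(edited, end="")
    print("still on the published hash:", users_with_hash(edited, PUBLISHED_SAMPLE))
```

Running `users_with_hash` against the published sample hash after editing catches the case where one of the example lines was pasted into the file unchanged.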

This works because most applications on the iPhone are executed with root permissions, giving the iFile application the ability to edit a file only the root user should have access to. This is also why it’s very important to always reset your password if you’re going to jailbreak your iPhone. All it takes is someone sniffing out your iPhone on an open Wi-Fi network and figuring out they can use the default password of ‘alpine’ to get full access to your device while it’s in your pocket.

No tips yet.
Be the first to tip!

Like this post? Tip with bitcoin!

1KjVEx57oCL7Exuc6RCuVPhbPaWC4E34ba

If you enjoyed reading this post, please consider tipping me using Bitcoin. Each post gets its own unique Bitcoin address so by tipping you're not only making my continued efforts possible but telling me what you liked.

Using Secure Passwords.

Everyone has to use them; they protect our privacy. So when it comes to something that grants access to things like bank accounts and private files, why risk it?

Working in the IT field, I can’t tell you how often I see passwords such as “123456” or “Password1”, when a good password should never be a sequence of numbers or something based on a word found in the dictionary.

In fact, when the application developer RockYou’s login credentials were left exposed because of a SQL injection bug in RockYou’s website, the top 10 passwords used were listed as the following:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

A good password should be something along the lines of “7ufebuHU”. Hard to remember? Yes, it is, but it’s also hard to guess and not going to be cracked in a dictionary-based attack. If you really hate remembering passwords, grab some kind of password database application; never settle for storing your passwords in a text or Word document. I personally use 1Password (Mac only) at home because it offers the ability to sync with the 1Password companion app on the iPhone. It also stores my passwords using AES, the same encryption algorithm used as the national standard in the United States. 1Password uses 128-bit keys to encrypt your passwords, which basically means it would take years to decrypt your data using a brute-force attack; negate this altogether by changing your master password every few months.

If you don’t want to fork out any cash for a good password database, then check out KeePass, a free alternative which also offers encryption. A nice feature the KeePass team came up with, if you don’t want to even remember the one password to decrypt your password database, is the use of keyfiles. You can toss the keyfile on a flash drive and keep it with you while leaving the password database on your computer. To decrypt the database and retrieve your passwords, simply plug in the flash drive and point the KeePass application at the keyfile.

With both of the above applications you can copy the passwords directly to your clipboard to paste in whatever application you need, and both also have the ability to clear your clipboard after a set number of seconds. KeePass even has the ability to automatically clear the clipboard as soon as you paste it.

So now, if you’re going to store everything in the password database, there is no need to keep your passwords simple; both programs offer you the ability to generate random passwords. If you don’t have either application handy and need to generate a password, you can use a nifty tool up at the PC tools page to generate up to 50 passwords all at once.

The moral of the post is that making a little effort to use a secure password makes a big difference in keeping prying eyes out of your private information.

Also, as a final note, it looks like 1Password has already made plans and released mockups for the iPad interface =) I’m looking forward to that release.


Passport RFIDs cloned wholesale by $250 eBay auction spree • The Register

I knew it was bound to happen eventually. As soon as they announced they were embedding RFID (radio-frequency identification) chips in the new passports, my first thought was “how long till someone discovers how to scan that?”.

Chris Paget from San Francisco already figured it out, and built a mobile scanner that sits in the back of his car scanning for the RFID chips in the new passports. Chris hopes that by showing he discovered how to do this, perhaps future passports will have better security built in.

Most of the comments on YouTube scream out “Fake!”, but then again most comments scream this out on all videos. Is Chris’s method foolproof? No, but he simply proves it’s possible.

 

 


Check out Dropbox, the Easy way to transfer files.

Still transferring files around on a flash drive? Why bother with that anymore when you can sign up for Dropbox and get 2GB of online storage for free?

So how does Dropbox work exactly? First off, it’s cross-platform, meaning the software works with Windows, Apple and Linux computers. Simply install the Dropbox client on any machines you would like to sync with. During installation on the first machine you set up, you’ll be presented with the option to log into an existing account or create a new account.

Select the option to create a new account. After setting up the account on the first machine, you can select the option to log into an existing account on any additional machines you set up. After setting up the client on a Windows machine, you’ll see a new folder in your My Documents folder called My Dropbox. Any file you drop into your Dropbox folder will synchronize and be available on any other computer you’ve installed Dropbox on, as well as from the web. Also, any changes you make to files in your Dropbox will sync to your other computers, instantly.

But that’s not all. Dropbox does not only sync files, it also tracks any changes made to the files. Accidentally delete that presentation you’re supposed to give tonight? No problem: log into the web interface and undelete the file, or pull up older versions of the file if you need to.

Need to send someone a large file? Toss it in the public folder, then right-click the file and select “Copy public link”. You can then paste this URL into your email, and any user (even users not running Dropbox) can download the file.

Even if you don’t plan on sharing your data with other machines, Dropbox has its benefits. Anything placed in the Dropbox directory will be immediately transported over SSL to the Dropbox server, and encrypted using AES-256.

Dropbox is also incredibly fast. Say you have a 50MB file and you change one small aspect of that file: the client doesn’t bother updating the entire file, it only transmits the changes to that file to the server and then down to all the machines being synchronized with the account, thus incredibly speeding up the process.

So head over to the Dropbox site and stop bothering with a flash drive.


Here’s How to Send Encrypted Email using Apple Mail

Ever need to send information you want protected from prying eyes? You’ve come to the right place. By following the instructions found right here, you’ll soon be able to sign and encrypt your email using your Apple Mail email client.

We’ll be setting up Mac GNU Privacy Guard to do this. MacGPG for short. MacGPG uses the very secure Public-key Cryptography scheme.

Public-key Cryptography uses a Private/Public key pair. The public key is exactly like it sounds. It’s as public as you want it to be. Post it on your website, email it to your friends and co-workers, or not. It’s entirely up to you. On the other hand, the private key is kept, well, private. You only keep this key on your system, never giving access to that key to anyone.

When someone wants to send you a secret encrypted message, they need your public key. Any message encrypted with the public key can ONLY be decrypted with the associated private key. So anyone that wants to send you a secret message only needs your public key to do so. They also need to have installed MacGPG just like you did.

So, they encrypt their message using your public key and send it to you. Because you have the only copy of your private key on your computer, you are the only person able to decrypt this message and read it.

Now the same is also true in reverse. Any message encrypted with the secret key can be decrypted with the public key.

So if you want to send an encrypted message to someone:

  1. Encrypt your message using your private key.
  2. Email it to your friend.
  3. They then decrypt it by using your public key.

I know what you’re thinking.

What’s the use of encrypting a message anyone can decrypt?

The point is to prove you’re the one that created the message. Now this is a greatly simplified explanation of what actually occurs, but hopefully you get the basic idea. Let’s dig in.
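Before the setup, the two directions described above in runnable form, as an added example that is not part of the original post and not how GnuPG is implemented: textbook RSA over tiny constructed primes, applied byte by byte. Real GnuPG signs a hash of the message and encrypts a random session key, with padding; all names and numbers here are illustrative assumptions.

```python
# Textbook RSA with tiny constructed primes; real keys are thousands of bits
# long and real tools add padding, hashing and a symmetric session key.
P, Q = 61, 53
N = P * Q                           # public modulus (3233)
E = 17                              # public exponent: share freely
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: never leaves your machine


def apply_key(values, exponent):
    """The one RSA operation: raise each value to a key exponent mod N."""
    return [pow(v, exponent, N) for v in values]


def encrypt_for(public_exp, message):
    """Anyone holding the recipient's public key can do this."""
    return apply_key(message, public_exp)


def decrypt_with(private_exp, ciphertext):
    """Only the private-key holder can undo encrypt_for()."""
    return bytes(apply_key(ciphertext, private_exp))


def sign(private_exp, message):
    """'Encrypting with the private key': only the owner can produce this."""
    return apply_key(message, private_exp)


def verify(public_exp, message, signature):
    """Anyone can check that the signature opens to exactly this message."""
    return apply_key(signature, public_exp) == list(message)


if __name__ == "__main__":
    msg = b"meet at noon"  # constructed sample message
    print(decrypt_with(D, encrypt_for(E, msg)))   # confidentiality
    sig = sign(D, msg)
    print(verify(E, msg, sig))                    # authenticity
    print(verify(E, b"meet at nine", sig))        # altered text is rejected
```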

First you’re going to need to download and install Mac GNU Privacy Guard, also known as MacGPG.

You can get a copy from http://macgpg.sourceforge.net/

Scroll down to the area labeled “files”.

  1. Download the latest disk image for your version of Apple OS X.
  2. It should automatically mount and the image you see to the right should pop up on your desktop.
  3. Next you’ll want to double-click the installer package (labeled GnuPG for Mac OS X 1.4.8 as of this writing, or whatever version you downloaded).
  4. Follow the prompts and choose your boot volume, usually “Macintosh HD” for the install location.
  5. Typically the default prompts will work fine on your Mac. You will need your admin password so you can allow the program to install itself.

Now that you have installed MacGPG, let’s see about generating a “key pair”.

If you are scared of the command line (it’s OK, really) you can opt for the GPG Keychain Access GUI available from the same page.

If you prefer working at the command line you can perform the following:

First launch Terminal.app.

  1. Open a new finder window
  2. Click your Applications folder
  3. Scroll down to the Utilities folder and click it
  4. Double-click Terminal.app
  5. Paste the following instruction into the open Terminal window and hit “enter”
gpg --gen-key

Typically option 1 is recommended.

  • Enter your name
  • Enter your email address
  • You don’t have to enter a comment but you can if you wish.

Once you get yourself a key pair, it’s time to install GPGMail.

Head over to http://www.sente.ch/software/GPGMail/

  • Quick note: if you’re running Leopard you’ll need to download and install the beta version of the plugin. As of this writing this will be GPGMail_d53_Leopard.dmg. I’ve had no issues using this version on my primary computer.
  • Download the image and mount it.

Next, run the AppleScript “Install GPGMail”. This will copy the bundle over to your Library/Mail/Bundles folder and enable plug-in support for Mail.app.

If you’re running Leopard and had to use the beta version, you’ll need to copy some files into your /Library/Mail/Bundles folder (create the Bundles folder if one does not exist) and run the following 2 commands at the command prompt to enable plug-in support.

Now go ahead and fire up Mail.app. You’ll now see a new section called PGP in the Preferences panel (Mail > Preferences) as well as a few check boxes to sign and encrypt your messages. Now go bug a friend to set this up and send a few test messages to test it out. Remember, you need your friend’s public key before you can send them an encrypted message, just as he/she will need yours before they can send you one.

To get your public key to send to your friend you only need to run the following:

 gpg --export --output key.pub

Or, if you installed GPG Keychain, fire it up, select your key, and click the export button. That’s it. Now email your friend your key, or toss it on a flash drive. Once you get his, you can use GPG Keychain the same way but click Import this time, or, if you’re more comfortable with the command line:

gpg --import key.pub