This week Darren is joined in San Francisco by his wonderful co-host Shannon! I know, right? We’re talking about open source software that will save the day if your laptop is ever stolen, following up on your password tips, and finishing up the homebrew router build with Untangle!


Your Password Tips

Shannon and Darren share your password generation tips and tricks:


Ankaku writes: Here is the modified version of my gmail password: ub012531oa932010ot980245xs601359gc201845ac296987. 48 chars. I’ve been using this format since a school I went to used it. It’s actually pretty easy to remember, and anything can be used, e.g. initials + section of IP address, phone number, etc.

Teemu writes: another simple tool to create secure passwords fast is apg (Automated Password Generator), compilable on most Unix-ish systems I suppose.

For instance:

#!/bin/sh
# -a 1: random-character mode; -m 64: minimum length 64 characters
# -c cl_seed: seed the random number generator with the string "cl_seed"
# (the number of passwords is left at apg's default of 6, i.e. -n 6)
/sw/bin/apg -a 1 -m 64 -c cl_seed

Would spew out 6 passwords with 64 random characters.
Project home page: http://www.adel.nursat.kz/apg/


Nathan writes: The technique I find most useful in creating my passwords, aside from the ones you guys mentioned in the last episode, is to follow a spatial pattern on the keyboard itself (e.g. qwerty, asdf, qweasdzxc; I know those are terrible passwords, but they are examples of a spatial pattern). If you mix this technique with a passphrase that has been 1337speaked, you have a fairly long and seemingly random password string. However, spatial patterns offer the distinct advantage of usually being fairly easy to type quickly, making the physical breach of your password security a bit more of a challenge.


Eugene writes: http://howsecureismypassword.net/ — It’s based on a jQuery JavaScript library that estimates how long it would take an average computer to brute force a password. It even checks it against a list of 500 commonly used passwords (like pass, password, etc.), and points out if you’re using a common password. It’s pretty nifty, and it’s interesting how much extra brute-force time just adding an extra character to the end can make.

Extofer writes: I use a similar schema as Shannon regarding changing the password a bit depending on the site. But I also use a phrase, much like Darren mentioned too… I top it off by replacing certain letters with numbers, and of course special characters. For instance…

say I take a phrase like: code monkey

replace o = 0 and e = 3 like

c00d3m0nkey

that alone could be hard to hack… it’s 11 alphanumeric characters. Now I tack in special characters and unique identifiers for each site, like for Facebook I will tack on uppercase FB, Gmail maybe GM or GE, Hotmail HM, etc…. you can also distinguish by the color of the site or the initials of their mascot, etc.

c00d3m0nkeyFB

finally, tack in at least 2 special characters; you can put them perhaps one at the beginning and one at the end, or one in the middle and one at the end…. whichever.

c00d3*m0nkeyFB+
c00d3+m0nkeyFB>


Jaryth writes: One of the passwords I’ve always been tempted to use, but never really ended up using… ‘http://www.google.com/?’

But you say “that’s a URL, not a password?” but you see… it’s both ;). Every single password checker I’ve run it through says it’s secure, it’s easy to remember, and even if someone DID have a key-logger on a machine, they’d think you were just typing in a URL.

So… if you wanna mess with people, set your password to the URL of the site. Even if someone manages to crack it, they will ASSUME that the user is stupid and typed their password into the wrong box :D.


pcdoctor writes: For years I have used RoboForm 5.7.6, which was the last free one to support 30 passwords per group and unlimited groups. It will not create new passcards in IE7 or 8. It will work in those browsers if the passcard is created in IE6 ahead of time…

So, anywho, I had to find a replacement and this is my story…

I tried KeePass, but got a virus popup when I loaded the browser plugin, so that was the end of that.

I like lastpass.com, but no matter how well written and secure it is, the fact that it runs code in the browser and gets the data and updates from the web is a big red flag to me.

So, I wanted to use Password Safe, which was originally designed by Bruce Schneier, but it was clunky and a big step down in functionality from RoboForm (but it was safe).

So, I Hak’ed it. Well, kinda. Here’s how to make it work great:

Download it at http://sourceforge.net/projects/passwordsafe/files/

or follow the links from here http://www.schneier.com/passsafe.html

Install it and click the add new icon, enter the URL, username, password. Then click the Additional tab, uncheck “use default” and change that to Run Command. Put this in the Run Command box:

“${appdir}passsafe.exe” $url $u $p

Then I used http://www.autohotkey.com/ to compile a script I called passsafe.exe that I put in Password Safe’s install folder.

The script is as follows:

; Password Safe launches this as: passsafe.exe <url> <username> <password>
Run, "iexplore.exe" %1%          ; open the URL (parameter 1) in Internet Explorer
KeyWait, LButton, D              ; wait for a left mouse button press...
KeyWait, LButton, U              ; ...and release: the click puts focus in the username box
Sleep, 100                       ; give the page a moment to settle before typing
SendInput, %2%{TAB}%3%{ENTER}    ; type username, Tab, password, Enter
; note: parameters 2 and 3 arrive on the command line, so the password is visible
; to anything on the machine that can list process arguments while this runs

Now when I double click something in the safe, it feeds $url $u $p to my program, which uses iexplore (or any browser you want) to go to the URL, then it waits for you to click in the username box (and highlight an existing username if need be) and then it types username, TAB, password, ENTER.

You can write custom scripts for websites that need other combinations (like Newegg).

I even wrote a script that runs from my host’s quick launch to fill in my Password Safe password in my virtual machine.

And that’s my story and I’m sticking to it :)


Lyle writes: One great technique for long passwords is to pick a book from your bookshelf. Then go to a predetermined page [42, 69, 100]. Something you will remember. The first line of text on the page is your password. Need to change your password? Change the page number or change the book.


Patrick writes: Darren and Snubs were talking about passwords. I haven’t upgraded to the 2.x series yet, but for websites I use http://supergenpass.com It is just a little Javascript you save as a bookmark (or bookmarklet), it asks you for a “Master Password”, and it takes that, combines it with the domain name, and through some hash comes up with a totally random password. It’s pretty portable in that as long as you can add a bookmark to the browser you’re using, you can use SuperGenPass. There is an online “mobile” version, but I’ve never used it — don’t want my “Master Password” sent over the internet.
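As an added example (not SuperGenPass’s code, and not the scheme it actually uses), here is the idea Patrick describes, written in POSIX sh: a per-site password is derived by hashing the master password together with the site’s domain, so nothing has to be stored and the same site always yields the same password. The function names, the “master:domain” input layout and the 16-character default are assumptions made for illustration; it needs sha256sum (coreutils) or shasum.

```sh
# Added example, not SuperGenPass's algorithm: derive a per-site password from a
# master password and the site's domain with SHA-256. Function names, the
# "master:domain" layout and the 16-character default are assumptions.

# Reduce whatever the user typed (full URL, host with port or path, mixed case)
# to the bare host name, so https://www.example.com/login and example.com agree.
normalize_domain() {
  printf '%s' "$1" \
    | tr 'A-Z' 'a-z' \
    | sed -e 's#^[a-z][a-z0-9+.-]*://##' -e 's#[/?:].*$##' -e 's/^www\.//'
}

# Hex SHA-256 of stdin, using coreutils sha256sum or, where that is missing, shasum.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# derive_site_password MASTER SITE [LENGTH]
# Hashes "master:domain" and keeps the first LENGTH hex digits (16 by default,
# i.e. 64 bits). Deterministic: same master and site, same password, so nothing
# is stored. The flip side: one site's password cannot be rotated without changing
# the master, and a leaked derived password is an offline guessing target for it.
derive_site_password() {
  master="$1"; domain=$(normalize_domain "$2"); len="${3:-16}"
  printf '%s:%s' "$master" "$domain" | sha256_hex | cut -c1-"$len"
}
```

Because the output is a pure function of the master and the domain, a site that is ever breached needs a changed master (and therefore every other site’s password changes too), and a phishing page on a look-alike domain will silently get a different password, which is the upside of hashing the domain in. Hex output is used here for portability; a real generator maps the digest onto a mixed-case alphabet to satisfy sites that demand uppercase or symbols.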


Adam writes: My suggestion for passwords is to use an application to centrally store the password in a secure database (of course then using a complex password for that database). This way, every password for every site can be unique + crazy complex so I don’t have to worry that if one site is hacked they will get access to the rest of my stuff. The program I use is Password Safe: http://passwordsafe.sourceforge.net/ It is free, open source, and (originally) written by a very reputable source, Bruce Schneier. Once the password is entered, the app offers some neat features, including: Easy copy/paste of usernames and passwords. The ability to paste in fields that don’t support the clipboard (like KVMs) using (I think) a virtual HID device. Built in password generator. All the data is stored in a single encrypted file, making it easy to copy to a second computer.

Domain.com

I like Domain.com’s Deluxe web hosting plan that’s only $8.75/mo. One click install of all the popular open source programs like WordPress, Joomla, and Drupal, and more! Unlimited traffic

Free website builder with unlimited pages, Easy and affordable to get your sites online with Domain.com.

Domain.com offers blistering fast DNS and hosting infrastructure, the lowest prices on the web AND the highest quality. Thanks to Hak5 fans, Domain.com is one of the fastest growing domain and hosting companies in the world. Got a great idea? It all starts with a great domain. Domain.com! Don’t forget to use coupon code HAK5 at checkout to get 15% off your order.

Snubs Report: Stolen Laptop Recovery

Say you’re hanging out in the city one day and you leave your computer at the table while you go grab your coffee. There is always the small chance that, if you leave your laptop unattended, someone could up and swipe it. Usually when this happens you can go to local authorities and hopefully they’ll find the thief. But to make matters a lot better for you, you can use a program like Prey, which will track all sorts of valuable information and even take a picture of the thief, hopefully helping you and authorities find your computer.

There are tons of features in Prey:

  • Uses Wifi hotspots or GPS embedded in the device to accurately pinpoint where the laptop is.
  • If Wifi isn’t in use, Prey will try to auto connect to an open hotspot to send you info.
  • Prey is written in Bash and very lightweight. It’s also Portable!
  • You can edit Prey as you like, adding or removing specific tasks, because each task uses a different module.
  • Prey will list running programs and any files that were modified, as well as take a picture of the person if you have an integrated webcam.
  • Messages can be sent to the device to be read on the screen, and even heard by anyone nearby.
  • Last but not least, Prey is open source and FREE for up to three devices, and will run on any laptop.
First, download Prey onto the computer that you wish to track. Click on download and go through the installation wizard. The download takes barely any time at all and at the end, if you haven’t configured the tool, it will prompt you to do so.

The first thing to choose is the reporting method. You have two options: a control panel interface or a standalone interface. The difference is that the control panel is accessed through the Prey website and is quick and powerful; everything gets sent directly to you as the reports come in. The standalone version sends you updates by email, but to make Prey start reporting you have to delete a check URL that Prey polls (a 404 on that URL is its signal that the device is missing), and you set up your mail server settings by hand.

Choose the control panel version. You need to create a new user account, so type in your name, email address, and password. Change the name and device type. Click Create.

You’ll need to activate your email address, so log into your email, click the link, log in, then add devices. Go back to the install and click OK and it tells you congrats, your device is now being tracked!

Now add a device by clicking the orange button. Fill in the name and it generates all the information about the device. Click Create and it’s created. It gives you a device key, and you can click on the name to configure all your settings. All of these choices are pretty self-explanatory, and if you don’t know what you’re choosing, hover over the exclamation point and it’ll explain the setting for you.

Now, if your computer gets stolen, log into preyproject.com and change the status to Missing. Updates will be recorded on your Prey Project page for you to view every 20 minutes (or however many minutes you choose).

I <3 it, do you? Email me at feedback@hak5.org.
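To make the standalone trigger and the reports concrete, here is an added example in sh (not Prey’s own code): a device polls a URL its owner controls, treats a 404 as “I have been reported missing”, and only then assembles a report of the kind Prey’s basic modules produce (running programs, recently modified files, current network addresses). The check URL, the report path, the 60-minute window and the function names are assumptions; it needs curl for the live check, and a webcam shot or Wi-Fi geolocation would need tools this example leaves out.

```sh
# Added example, not Prey's code: the standalone "check URL" trigger plus a minimal
# report in the style of Prey's modules. URL, paths and names are assumptions.

# Standalone Prey watches a URL the owner controls; deleting that page (HTTP 404)
# is the signal that the device is missing. Any other status, including 000 for
# "no network", means not missing, so an offline laptop does not start reporting.
device_is_missing() {
  [ "$1" = "404" ]
}

# HTTP status of the check URL, or 000 when the request fails. Needs curl and network.
check_url_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || echo 000
}

# Gather what Prey's basic modules report: running programs, files modified in the
# last MINS minutes under DIR, and the addresses currently configured on the box.
build_report() {
  dir="$1"; mins="$2"
  printf 'report-time: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf '\n[running programs]\n'
  ps -eo pid,comm 2>/dev/null | head -n 25
  printf '\n[files modified in last %s min under %s]\n' "$mins" "$dir"
  find "$dir" -type f -mmin "-$mins" 2>/dev/null | head -n 50
  printf '\n[network addresses]\n'
  { ip -o addr 2>/dev/null || ifconfig 2>/dev/null; } | grep -E 'inet6? ' | head -n 10
}

# One polling cycle: when the device is missing, write a report to OUT and return 0;
# otherwise do nothing and return 1. STATUS, if given, replaces the live lookup
# (used for testing); REPORT_DIR overrides the directory that is scanned.
poll_once() {
  url="$1"; out="$2"; status="${3:-}"
  [ -n "$status" ] || status=$(check_url_status "$url")
  if device_is_missing "$status"; then
    build_report "${REPORT_DIR:-${HOME:-/tmp}}" 60 > "$out"
    return 0
  fi
  return 1
}

# Typical use from cron at Prey's default 20-minute interval, e.g.
#   */20 * * * * PREY_LITE_MAIN=1 /usr/local/bin/prey-lite.sh
if [ "${PREY_LITE_MAIN:-}" = 1 ]; then
  poll_once "https://example.com/prey-check" "/var/tmp/prey-report.txt"
fi
```

The point of keying on 404 rather than on “the URL is reachable” is that a thief who simply keeps the laptop offline never makes it phone home, but also never gets a false report fired by a captive portal or a DNS failure; the report only runs once the owner has deliberately removed the page. In a real deployment the report would be sent somewhere (Prey’s control panel or an SMTP server), not written to local disk where the thief can read it.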


GoToAssist Express
Anyone expecting a long wait for your technical expertise is in for a BIG surprise. With GoToAssist Express brought to you by Citrix, you can provide immediate support by easily viewing and controlling your customers’ computers online! Provide instant remote one-to-one support to clients located ANYWHERE in the world. Handle more requests in less time. Assist up to 8 customers at once. Support both Mac and PC users! Try GoToAssist Express FREE for 30 days! For this special offer, you must visit GoToAssist.com/Hak5 for a FREE trial.

Homebrew Router Part 2

You’ll remember from episode 718 that we built a homebrew router based on a mini-ITX motherboard running an Intel Atom. This week we’re replacing Smoothwall with Untangle, a free, full-featured open source router.

We also cover the basics of QoS in the context of a home network. Getting in fights with your roommates about bandwidth hogging or online game performance? Take a look at Untangle’s easy to manage built-in features. Not to mention the app store. Yes, of course it has an app store.

I’m looking for your feedback on these home LAN and IT segments, so be sure to hit me up at feedback@hak5.org

Netflix
Netflix delivers movies directly to your home, saving you time, money and hassle. As a Netflix unlimited member you get DVDs by mail in about 1 business day. Plus, you can instantly watch thousands of TV episodes and movies streamed directly to your PC, Mac or right to your TV via a Netflix ready device like the Xbox 360, PS3, and Nintendo Wii console. Watch as many movies as you want! Shipping is FREE and there are never any late fees or due dates. Keep the movies as long as you like. DVDs by mail – Plus, instantly right to your TV.
Get unlimited movies 2 ways for only $8.99 a month. As a new member and a Hak5 viewer, you can get a FREE Trial membership. Go to www.netflix.com/Hak5 and sign up NOW! Be sure to use this URL so that they know we sent you!

If you want to know the latest on Hak5 be sure to follow us on Twitter or Facebook.

Also, now is a great time to grab some swag from the HakShop – including the new airport friendly WiFi Pineapple with free world-wide shipping.

And finally, if you’d like to suggest a topic for a future show, feel free to hit up feedback@hak5.org


25 Comments

  • I’ve been using Prey for about six months now, and in that time convinced about 8 people to use it as well. Love it.
    Keep up the build segments, it reminds me of Systm.

  • I know that this is coming in late, but on the subject of passwords you guys should look at KeeFox (http://keefox.org/). It is a plug-in for Firefox that stores all your web-page passwords in a KeePass file and auto-inserts the passwords in web pages that have already been saved. It has a few small issues but overall it is a great tool to use if you have a lot of accounts on different sites.

  • theSuperman 4 years ago

    Creepy, but I am actually wearing the same shirt right now that you wore for the introduction with Shannon…

  • Can you plz do a Road Warrior VPN setup on that router??? PLZ

  • tpolich 4 years ago

    I feel this segment gives a bit of a misleading impression of QoS on the downlink. How you have QoS set up can only impact packets that have already arrived, thus already used your downlink bandwidth. Reducing your download speeds to 80% does just that without any real benefit (basically, if you managed to start using all your down bandwidth you would be dropping 20% of the packets you received, which, depending on how your QoS is disposing of the packets, can generate more traffic further clogging your downlink).

    Most implementations of TCP include some very nice congestion avoidance algorithms, but these rely on when they receive the ACK packet (the only way they know that something made it to its destination). The transmission of these ACK packets is what you need to control to effectively use QoS; this is done on the uplink, not down.

    Don’t even get me started on the value of dropping incoming UDP packets, worthless.

    And by the way PACMAN RULE!!!! Arch FTW
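The uplink-side approach tpolich describes, and that the QoS segment touches on, looks like this on a Linux router. This is an added example in sh (not Untangle’s or pfSense’s configuration): an HTB root on the WAN interface with a small high-priority class for pure TCP ACKs and ICMP and a bulk class for everything else, each behind sfq so one upload cannot starve another. The interface name, the 1000 kbit/s rate, the 20/80 split and the function names are assumptions; it needs iproute2 and root to apply.

```sh
# Added example (not Untangle's or pfSense's configuration): uplink-only shaping
# with Linux tc. Interface, rate, split and function names are assumptions.
#
# The router only controls what it sends, so the lever for download quality is the
# outbound queue: keep pure TCP ACKs (and ICMP) ahead of bulk uploads so the
# downloads those ACKs pace keep flowing, and leave incoming traffic alone.

# Print the tc commands for IFACE with an uplink of RATE kbit/s. Emitting the plan
# instead of running it lets it be reviewed (and tested) without root.
#
# The first u32 filter selects pure acknowledgements: IP protocol 6 (TCP), a 20-byte
# IP header (IHL == 5), total length under 64 bytes, and a TCP flags byte (at offset
# 13 of TCP, i.e. 33 from the IP header) that is exactly ACK.
uplink_shaper_cmds() {
  iface="$1"; rate="$2"
  hi=$((rate / 5))            # 20% guaranteed to the interactive/ACK class
  lo=$((rate - hi))           # the rest to bulk; both may borrow up to the full rate
  cat <<EOF
tc qdisc del dev $iface root
tc qdisc add dev $iface root handle 1: htb default 30
tc class add dev $iface parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit
tc class add dev $iface parent 1:1 classid 1:10 htb rate ${hi}kbit ceil ${rate}kbit prio 0
tc class add dev $iface parent 1:1 classid 1:30 htb rate ${lo}kbit ceil ${rate}kbit prio 2
tc qdisc add dev $iface parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $iface parent 1:30 handle 30: sfq perturb 10
tc filter add dev $iface parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
tc filter add dev $iface parent 1: protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
EOF
}

# Run the plan for real (root and iproute2 required). Deleting the root qdisc fails
# when none exists yet, so that one command's error is ignored; any other failure
# stops the rollout so a half-built tree is not left in place.
apply_uplink_shaper() {
  uplink_shaper_cmds "$1" "$2" | while IFS= read -r cmd; do
    case "$cmd" in
      "tc qdisc del "*) $cmd 2>/dev/null || true ;;
      *) $cmd || exit 1 ;;
    esac
  done
}

# Example: apply_uplink_shaper eth1 900   (a 1 Mbit/s uplink shaped to 900 kbit/s)
```

Set the rate a little below the real uplink speed, so the queue builds in the router where the classes can act on it rather than in the modem’s buffer where they cannot; that is the one place where “use less than 100%” is a real gain, and it is the uplink, not the downlink.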

  • NOTE: I am not an expert. I may get some things wrong. But I am a contributor to both the pfSense and Untangle projects.

    In reference to your show:

    1) If you want GAMING SPEED with QoS, then I recommend pfSense over Untangle. pfSense is much faster at packet handling as it is BSD based, but Untangle (java packet handling) has way more high level filtering options available. Think of it as the pros and cons of System vs User space code (system = faster, user = more flexibility)

    2) Untangle wants to know how many PCs are being served for two reasons… first, to give them some rough numbers for marketing and secondly to calculate your fees if you purchase any of the non-free modules.

    3) Untangle defaults to Pacific Time (much like Microsoft Windows does). It didn’t magically know what time zone you are in. Although, it would be most excellent if a quick DHCP on WAN and geoIP hit were tried to guess your time zone.

    4) Both pfSense and Untangle support router and bridged (transparent) mode. To be more accurate, it’s actually a brouter and not a bridge. Bridge mode is typically used for 2 purposes: First, to test if you want to use pfSense/Untangle – as you don’t have to change any settings on any equipment – just slip it inline (on either side of your current router – usually LAN side). Secondly, because you want to be more stealthy with its existence (won’t show up on hops during traces).

    5) 10.x.x.x subnet cooler than 172.16.x.x – 172.31.x.x? No way! 10.x.x.x and 192.168.x.x network classes are overused. Very few people seem to know/use the 172.16.x.x-172.31.x.x network. Hence what I’d call “733t”. (I’m just having some fun with this one – I did note the 10.13.37.x network you used)

    6) When installing, selecting the “Open Source Package” is free. No “upsell” there. Note: Multi-WAN and WAN-Failover packages cost money on Untangle, but are free in pfSense — if you need those options and are too cheap to pay for the EXCELLENT software Untangle is.

    7) Your OpenVPN clients won’t be “bridged” or part of your LAN subnet. (In reference to your comments about 200 being VPN clients)

    8) I believe the simplified QoS settings are aliases to protocols as follows: “Ping” refers to ICMP, “ACK” refers to TCP and “Gaming” refers to UDP.

    9) UStream uses TCP/UDP 1935, so you need only set a “source port 1935″ rule. You don’t know what the destination port will be as that changes each time you run your stream.

    As a personal preference (if you have the machines for it), set up a pfSense box to do your firewall, router/nat, VPN work. Then set a transparent bridge Untangle behind it (LAN side) to do all the filtering/scanning of web/mail.

    Another note on your VPN power users… Untangle has a sweet, simple to set up system. However, it will not let clients access the internet… no WAN gateway allowed. However, pfSense will support being the WAN gateway for VPN clients. This is good for you mobile folks who want to surf the internet through their home router (some hotels block some ports – but by going through your home, you have full access).

    Perhaps I’ll make a segment on some of the pfSense/Untangle features that could air in a future Hak5 episode?

  • Hehe, Woot! I got mentioned on the show for a second time.

    Yeah the google password would not really work for packet sniffing, but it would still be an easy thing to remember, hard to guess/crack, and fool key loggers.

  • Untangle is lame. It’s such a resource hog.

    I’d rather go with..

    RouterOS
    pfSense
    Smoothwall

    • Yup, Untangle is quite demanding of the system. Then again, much of the filtering is done high up on the OSI network model. For example, such excellent high-speed/low-requirement systems like pfSense can’t do transparent scanning of email and web traffic. pfSense filtering is limited to packet types, IP addresses, MAC addresses, ports, etc… things easy to glean in a single packet header.

      Last I saw, the closest the “fast/low resource” router software packages could do is SNORT (which itself is a hog – pardon the pun) and mail (SMTP/POP3/IMAP) relaying with scanning. I think I’ve seen some success in hooking SQUID and/or SOCKS with AV Scan, but don’t recall anyone releasing that into production yet either. If you know of any that can, please forward it on to me. I love checking out new stuff and have no loyalties to pfSense or Untangle (I’m a former LEAF Bering fan for example).

  • I will watch this video in morning, getting sleepy, bye.

  • I’m noticing hardly any anti-ESD (Electrostatic Discharge) measures when handling computer parts (I’m talking about in general). Do people not care anymore if computer parts die prematurely?

    IME, retailers often don’t bother with ESD. I once bought memory from a guy at PC Club who gripped the sticks while ungrounded. When confronted, he explained (a bit surprised I would even bring it up), “The carpet is anti-static,” which would have been fine if he wasn’t wearing rubber soled shoes. One time a Fry’s sales guy took a motherboard out to show it to me, on the sales floor! I bought that model… from the back of the shelf. Don’t get me started on eBay sellers whose photos show their computer parts laying on carpet!

    Back in 1998, I had ESD training as part of the Apple repair certification. But before that I worked for an electronic component reseller where ESD precautions were a normal part of business. Seeing as how chips and components keep getting smaller and more complicated, I would assume that preventing ESD is even more important nowadays. Am I wrong? Gosh darnit and shoot, I wanna know!

    BTW/FYI, ESD often times only weakens electronics, so the effects may not be immediately evident and the parts may fail after their warranty period. I like my parts to last long after that.

    And what about grounding? In a sweet setup like the plexi mount, where’s the ground? Is it even necessary? (I believe grounding has to do with electromagnetic interference or something.)

    So am I just uninformed, or does no one care about the longevity of their computers? I need answers, yo. Sorry for the novella.

    BTW, awesome stuff, Hak5 crew. Your shows keep my hacker side happy. I have no use for most of the stuff, but knowing about it just adds to my charm.

    – Sushi

    (If anyone cares, I came across this: http://www.wikihow.com/Ground-Yourself-to-Avoid-Destroying-a-Computer-with-Electrostatic-Discharge )

    • stocker 4 years ago

      Hmm this might be late to answer but anyway.
      Yes, you are right, ESD is a very big cost for chip makers. Usually chips are tested before they go out and they stress them so they break if damaged by ESD. The problem is, as you said, that the damage is often so small you can’t detect it, and even though you test it and it works, the difference with this chip is that it can break fast or even hold its lifetime before you replace it.

      One thing to mention is that grounding yourself isn’t always good. You have to level yourself with the chip you handle; a good way to do that is to always touch the tower if you are handling the hardware of your computer.

      Another source of ESD is when people clean their computers: vacuum cleaners and compressed air are used and they actually create static electricity. You can clean it with less risk with ionized air. But then again, some things become too complicated, and at the rate people switch out technology these days we hardly use it long enough to see it break by ESD.

  • h3%5kr3w 4 years ago

    Hey man.. The one thing you didn’t add that would benefit anyone doing this home router is the issue of crossover cat5 cables and no availability of AUTO MDIX…

    You have to use crossover cat5 cables going from nic to nic on any computer/router or server based setup because the wires are not crossed automatically to make the proper connection…

    Here is a regular (straight through/T568b) cabling wire setup..
    Wo/O/Wg/B/Wb/G/WBr/Br

    i.e. WhiteOrange/Orange/WhiteGreen/Blue/WhiteBlue/Green/WhiteBrown/Brown
    (whites are white striped with a color)

    Crossover cables are as follows on a separate end (uses 568b for one end, and 568a for the other)
    T568a – Wg/g/Wo/B/Wb/G/Wbr/Br
    The greens and the oranges are swapped for the other end. On higher end routers you have what is called “auto mdix” which will test and change each wire internally to reflect what the proper connection should be if there is a miswire but standard computer nics will not do this for you… This should DEFINITELY be in the show Darren, because a LOT of people who will try this will only fail when they don’t know about the cross over cables needed.

    I ain’t mad, just that I felt it was a little something that should not have been missed you ole’ network monkey :P

  • Parman 4 years ago

    LOL at the comment above, it’s called an opinion. Anyways, good show. I don’t like the fact that Untangle doesn’t support wifi, but I might do what was stated above: setting up my pfSense box and then an Untangle for web filtering and whatnot.

  • h3%5kr3w – what are you talking about?

    from a nic to a nic (another computer or server) i’ve never had to use a crossover cable..

    anyways..

    untangle is only good for a pass-through box.

  • zach115th 4 years ago

    Hey, if anyone wants to add GPS to their laptop (for use with Prey), U-Blox sells some PCIe mini GPS cards for about $150. Kinda nice if your laptop is lost or stolen; you won’t have to wait for it to connect to wifi.

    the card numbers are ‘PCI-5S, and PCM-5S’

  • Digitizer101 4 years ago

    Did I hear Shannon say she was from Missouri at the beginning of this episode?

    I also noticed Darren drinking a PBR! Darren if you want something with a little more flavor just let me know and I can send you some homebrew, yes beer brewed at home.

    I am new to the Hak5 channel so I have a lot of catching up to do; this show is too awesome. I have already added Prey Project to protect my Dell Mini.

    I did notice it seems to slow the machine down a lot after you report it as missing.

    Seriously, email and I can drop off many bottles of home brew. Ferguson, MO is my home town.

    Thanks
    Digitizer

  • Scott 4 years ago

    Having a problem with connecting to my cable modem, it will not get an IP address. If I connect Untangle to the wifi router then it works fine. I am assuming that Untangle goes in between the cable modem and the computer.

  • Hi Darren,

    Is it also possible to use Untangle in a dual-wan (multiple DSL lines) setup?
    I’m looking for someone who KNOWS that creating a system that combines two dsl lines is possible or not.