The Clipboard and Password Managers

There is a lot of debate about whether or not to use a password manager. However, most experts agree that you must use a strong password on every system/service (plus 2FA, but we are not going to elaborate on that today).

So to create a strong password, you need:

  1. A decent password length (e.g. >14 characters). Old articles recommend 8; however, if passwords are not produced by a random generator, they are vulnerable to some statistical attacks (e.g. Markov chains)
  2. Use non-dictionary-based words (no dates, no trailing numbers like qwerty99 or qwerty01, no dictionary-based words)
  3. Use alphanumeric and special characters.
  4. Don’t use l33t transformations (P4ssw0rd!)
  5. Even if it is a 100% secure password, please don’t reuse it between systems/services
  6. And don’t share segments of the password between systems (like: p4s%sW0rdGMAIL, p4s%sW0rdFACEBOOK) or (like: p4s%sW0rd2002, p4s%sW0rd2003) or (like: p4s%sW0rd01, p4s%sW0rd02) or anything like that
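
Rules 5 and 6 can be checked mechanically over a list of credentials. The script below is an added example, not part of the original post; the function name shared_segments, the "service password" input format and the 6-character threshold are assumptions.

```shell
#!/bin/sh
# Added example: audit "service password" lines for rules 5 and 6 above.
# Assumes one entry per line and no whitespace inside names or passwords.

# shared_segments [MINLEN]: reads entries on stdin (not argv, so passwords
# never show up in the process list) and prints
#   REUSED svcA svcB       when two services have the identical password
#   SHARED svcA svcB LEN   when they share a run of at least MINLEN characters
shared_segments() {
    awk -v min="${1:-6}" '
    # Length of the longest substring common to x and y.
    function longest(x, y,    i, len, best) {
        best = 0
        for (i = 1; i <= length(x); i++)
            for (len = best + 1; i + len - 1 <= length(x); len++) {
                if (index(y, substr(x, i, len)) == 0) break
                best = len
            }
        return best
    }
    # Appending "" forces string semantics, so "1e3" and "1000" stay different.
    NF >= 2 { k++; svc[k] = $1; pw[k] = $2 "" }
    END {
        for (a = 1; a <= k; a++)
            for (b = a + 1; b <= k; b++) {
                if (pw[a] == pw[b]) { print "REUSED", svc[a], svc[b]; continue }
                n = longest(pw[a], pw[b])
                if (n >= min) print "SHARED", svc[a], svc[b], n
            }
    }'
}

# Constructed sample list built from the example passwords on this page.
shared_segments 6 <<'EOF'
gmail p4s%sW0rdGMAIL
facebook p4s%sW0rdFACEBOOK
bank R@mf8909%3ZA2111
forum R@mf8909%3ZA2111
shop D2mH!8u7s95s4
EOF
```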

I don’t have to mention that reusing a password is extremely dangerous… even if the service is 100% PCI compliant, that does not mean it is 100% hacker-proof. If you still believe that there is no need to be alarmed, try searching for yourself on https://haveibeenpwned.com/

So, the secure alternative is to use different passwords like this in every service: R@mf8909%3ZA2111, D2mH!8u7s95s4, @#$%aei54mk!36644s

The question:

Are people capable of remembering every password for 100 different services?

The answer is, most people can’t. Most people can only remember 1 or 2 secure passwords, and those are usually something like MyPuppyName2022!

So, this is usually the reason why we use password managers (and tokens like YubiKeys or 2FA)….

Are password managers secure?

Well, the problem is widely discussed everywhere: if the password manager fails, everything goes down with it… So if you are capable of creating secure passwords, remembering every one of them and rotating them every few months, you should not be using one… if not, it’s a decent option.

The other problem about the password manager is the clipboard…

Many users copy the password from the password manager using the clipboard, and if you are compromised, even by an unprivileged application, even in the future, your password may still be available in memory and can be recovered by that application.

And if you think that viewing the password on the screen and copying it by hand is a good idea: no, it is not… it may be leaked by a physical USB keylogger, or simply by someone taking a picture of your screen (or maybe some “advanced” TEMPEST screen radiation recovery).

So, password managers like KeePassXC have a very nice option to avoid all of this: “Perform Auto-Type”.

This option types the password straight into the program that is requesting it. It’s not perfect, but it’s pretty decent, and it simulates keyboard input…

Installing Libvirtd in OpenSUSE

Installing this virtualization software is very easy.

Installation process:

To install, just type these commands:

# Run as root:
zypper install -y libvirt-daemon-qemu libvirt-daemon-lxc libvirt virt-manager virt-what qemu qemu-kvm qemu-ksm qemu-arm qemu-user-static libguestfs lxc
systemctl enable --now libvirtd

And add your user to the proper group… the commands are:

# Run as root:
usermod -aG libvirt youruser

Now you can use virt-manager to add/remove virtual machines.

Useful Info:

  1. Use nocow for the subvol/partition where the images are (http://blog.jim.nz/2015/12/04/btrfs-subvolume-with-nocow.html)

Installing VirtualBox-7.0 in OpenSUSE 15.x (or tumbleweed) from repo and UEFI Secure Boot Enabled

This is a simple/short how-to for installing VirtualBox 7 in OpenSUSE 15.

Here we are handling two problems:

  1. There is no repo for OpenSUSE 15.4 (we need to do a trick)
  2. There is no documentation on how to create proper UEFI Secure Boot MOKs (owner keys) for the newer OpenSUSE, which demands that the key have special attributes like “codeSigning”

So, here is the answer:

Step 1: Basic installation:

# Get/Install the repo...
wget https://download.virtualbox.org/virtualbox/rpm/opensuse/virtualbox.repo -O /etc/zypp/repos.d/virtualbox.repo

# Workaround (there is no repo for 15.4, but 15.3 works fine)
sed -i 's/$releasever/15.3/g' /etc/zypp/repos.d/virtualbox.repo

# Install VBox7.0 (and accept the certificate) and kernel build tools
#  Repository:       VirtualBox for openSUSE 15.3 - x86_64
#  Key Fingerprint:  7B0F AB3A 13B9 0743 5925 D9C9 5442 2A4B 98AB 5139
zypper install VirtualBox-7.0 kernel-default-devel

# add your user to group (replace myuser):
usermod -aG vboxusers myuser

Step 2: MOK Key Creation (Only For UEFI+Secure Boot Systems):

mkdir -p /var/lib/shim-signed/mok
openssl req -nodes -new -x509 -newkey rsa:4096 -addext "extendedKeyUsage = codeSigning" -outform DER -keyout /var/lib/shim-signed/mok/MOK.priv -out /var/lib/shim-signed/mok/MOK.der
# here, use a random two-use password for enrolling the key
mokutil --import /var/lib/shim-signed/mok/MOK.der
reboot

# In the EFI MOK Utility...
# Enroll the key... the password is the password that you entered in mokutil, you won't be asked again about this password.
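
A check worth running between the openssl and mokutil steps, as an added example that is not part of the original post: it confirms the certificate really carries the codeSigning extended key usage and that the unencrypted private key is accessible only to its owner. The helper names, the temporary directory, rsa:2048 and the CN are assumptions for the demo; on a real system, point the two check functions at /var/lib/shim-signed/mok/MOK.der and MOK.priv.

```shell
#!/bin/sh
# Added example: pre-enrollment checks for a MOK certificate and its key.
# Needs OpenSSL 1.1.1 or newer (-addext and -ext).

# has_codesigning_eku CERT.der: succeeds only if the DER certificate carries
# the Code Signing extended key usage.
has_codesigning_eku() {
    openssl x509 -inform DER -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'Code Signing'
}

# key_is_private FILE: succeeds only if group and others have no access.
# The key is written with -nodes (unencrypted), so the file mode is all
# that protects it.
key_is_private() {
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_demo_mok DIR EKU: throwaway key pair for the checks. Hypothetical
# helper; rsa:2048 and the CN are demo values, not the page's settings.
make_demo_mok() {
    ( umask 077
      openssl req -nodes -new -x509 -newkey rsa:2048 \
          -subj '/CN=constructed demo MOK/' \
          -addext "extendedKeyUsage = $2" -outform DER \
          -keyout "$1/MOK.priv" -out "$1/MOK.der" ) 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_mok "$demo_dir" codeSigning
if has_codesigning_eku "$demo_dir/MOK.der" && key_is_private "$demo_dir/MOK.priv"
then echo "OK: safe to run mokutil --import"
else echo "STOP: fix the certificate or key permissions before enrolling"
fi
rm -rf "$demo_dir"
```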

Step 3: Install the extension pack

# Installing the extension pack (you can re-use this every time after you do zypper up):
VBOXVERSION=$(rpm -qa 'VirtualBox*' | cut -d'-' -f3 | cut -d_ -f1)
wget "https://download.virtualbox.org/virtualbox/${VBOXVERSION}/Oracle_VM_VirtualBox_Extension_Pack-${VBOXVERSION}.vbox-extpack"
VBoxManage extpack install --replace "Oracle_VM_VirtualBox_Extension_Pack-${VBOXVERSION}.vbox-extpack"
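
The extension pack is installed as root straight after download, so it is worth checking it against a published checksum list first. This is an added example, not part of the original post; verify_download is a hypothetical helper, the file below is a constructed stand-in, and it assumes the SHA256SUMS file that download.virtualbox.org publishes in each version directory.

```shell
#!/bin/sh
# Added example: check a download against a SHA256SUMS-style list.

# verify_download FILE SUMS
#   returns 0 if FILE's SHA-256 matches the entry for its exact name,
#           1 on mismatch,
#           2 if SUMS has no entry for it (fail closed).
verify_download() {
    file=$1 sums=$2
    name=$(basename -- "$file")
    # Exact filename match; a plain grep would treat "." as a wildcard and
    # also accept longer names that merely contain this one.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }     # strip the binary-mode marker
        f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 2
    fi
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
}

# Constructed stand-in for the extension pack and its checksum list.
tmp=$(mktemp -d)
pack="$tmp/Oracle_VM_VirtualBox_Extension_Pack-0.0.0.vbox-extpack"
printf 'constructed sample bytes\n' > "$pack"
printf '%s *%s\n' "$(sha256sum < "$pack" | cut -d' ' -f1)" "${pack##*/}" > "$tmp/SHA256SUMS"

verify_download "$pack" "$tmp/SHA256SUMS" && echo "intact: install it"
printf 'one extra line\n' >> "$pack"
verify_download "$pack" "$tmp/SHA256SUMS" || echo "rejected: do not install"
rm -rf "$tmp"
```

On a real system, fetch https://download.virtualbox.org/virtualbox/${VBOXVERSION}/SHA256SUMS and run verify_download before VBoxManage extpack install. Because the list comes from the same server as the file, this catches corrupted or truncated downloads, not a compromised server.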

OpenSUSE 15.x Post Install Guide Part 1 (Software Installation)

WIP (Work In progress)…

This is my personal post-install guide for OpenSUSE with KDE for developing/hacking; run everything as root…

Base:

First step… update your system and allow vendor change policy:

zypper update
sed -i 's/# solver.allowVendorChange = false/solver.allowVendorChange = true/g' /etc/zypp/zypp.conf

Now, install the following repos (depending on your needs):

# for google chrome:
zypper ar --refresh https://dl.google.com/linux/chrome/rpm/stable/x86_64 Google-Chrome
# for google repos:
wget https://dl.google.com/linux/linux_signing_key.pub
rpm --import linux_signing_key.pub
# For security software:
zypper ar --refresh https://download.opensuse.org/repositories/security/15.4/security.repo
# Graphics:
zypper ar --refresh https://download.opensuse.org/repositories/graphics/15.4/graphics.repo
# For Snapd:
zypper ar --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.4 snappy
# For Codecs...
zypper ar --refresh -cfp 90 -n Packman https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_15.4/ packman

Then, you may want to install snapd (a lot of software is available through snapd). Proceed as follows, executing the commands one by one:

zypper install snapd
systemctl enable --now snapd
systemctl enable --now snapd.apparmor

Virtualization / Containers:

There are many options for containerization/virtualization:

LXC (Containers):

zypper install lxc

QEMU Tools (manage virtual machine images):

zypper install qemu-tools

Win32 Binary Emulation (WINE):

zypper install wine winetricks

If you want to add a virtualization software, here is the recipe:

Internet Tools:

Installing google-chrome (stable) as browser:

zypper install google-chrome-stable

Torrents:

zypper install transmission-gtk

Sysadmin tools:

Console Tools:

zypper install htop tmux dialog zenity ioping iotop lshw busybox

# ShInstallify (by me)
wget https://raw.githubusercontent.com/unmanarc/shinstallify/main/shinstallify.sh -O /usr/bin/shinstallify.sh
chmod 0755 /usr/bin/shinstallify.sh

Network Tools:

zypper install iptstate iptraf-ng openvpn easy-rsa net-tools-deprecated bridge-utils telnet lftp stunnel wget whois

Disk, File & File Systems Management:

zypper install partclone gparted unetbootin filelight mc p7zip-full unrar k3b sshfs pv kpartx cifs-utils smartmontools mlocate dc3dd dd_rescue dd_rescue-crypt dd_rescue-lzo

Remote administration access:

zypper install virt-manager rdesktop remmina remmina-plugin-rdp remmina-plugin-spice remmina-plugin-vnc remmina-plugin-exec remmina-plugin-xdmcp putty x3270 tn5250 vinagre vino krfb

Developer tools:

Visual Studio Code:

snap install code --classic

Android Studio & tools:

snap install android-studio --classic
zypper install android-tools android-tools-bash-completion

APK Tool:

snap install apktool

Debugging / Reversing Tools (for C++ and others):

zypper install strace ltrace gdb valgrind # radare2

Development basis for C/C++ (like g++, git and some useful libs) :

zypper install -t pattern devel_basis
zypper install -t pattern devel_C_C++
zypper install poco-devel cmake3-full libboost_*1_66*devel jsoncpp-devel ninja

Development basis for C#/.NET:

zypper install -t pattern devel_mono

Packing

zypper install upx

Database Libs

zypper install sqlite3-devel postgresql-devel libmariadb-devel

Database Clients

zypper install sqlite3 pgadmin4 sqlitebrowser

AppImage Tools:

wget https://github.com/AppImage/AppImageKit/releases/download/continuous/appimagetool-x86_64.AppImage -O /usr/local/bin/appimagetool
chmod +x /usr/local/bin/appimagetool

Security & Hacking Tools:

Password Management:

zypper install seahorse keepassxc yubikey-manager-qt apg

Encryption & Privacy:

zypper install veracrypt kgpg sweeper

Network tools:

zypper install nmap hping wireshark tcpdump tcpreplay # aircrack-ng

Other tools:

zypper install okteta dhex

Office & Multimedia tools:

Office:

zypper install libreoffice dia
# If you want additional language, like spanish (es), remove the # and execute:
# zypper install libreoffice-l10n-es

Scanner & Camera:

# Scanner apps:
zypper install skanlite xsane cheese
# Video4Linux:
zypper install v4l2loopback-kmp-default v4l2loopback-autoload v4l2loopback-utils v4l-utils

PDF:

# PDF:
zypper install pdftk okular

Audio Control:

zypper install pavucontrol

Spotify:

snap install spotify

Image Manipulation:

zypper install ImageMagick kolourpaint gimp gimp-plugin-lqr # gimp-plugin-resynthesizer jpegoptim

# More nice stuff (latest Digikam, ART ), you can use the AppImage...
# - https://www.digikam.org/download/
# - https://bitbucket.org/agriggio/art/downloads/

# Vectorial:
zypper install inkscape

# More stuff
zypper install kipi-plugins

3D Models:

# Design:
zypper install blender freecad
# 3d printing:
zypper install cura

Video:

# Play:
zypper install vlc vlc-codecs mpv 
# Creation:
zypper install vokoscreenNG kdenlive
# Plugins:
zypper install gstreamer-plugins-base gstreamer-plugins-good  gstreamer-plugins-libav gstreamer-plugins-ugly # gstreamer-plugins-bad

Printer (HP):

zypper install hplip

Look and feel:

Common Drivers / Video Acceleration:

zypper install intel-vaapi-driver

If you need NVIDIA drivers, follow the official guide (in this case, I used G06, but it depends on your video card):

zypper ar --refresh 'https://download.nvidia.com/opensuse/leap/$releasever' NVIDIA
zypper install --auto-agree-with-licenses x11-video-nvidiaG06
zypper install nvidia-glG06

For PRIME:

zypper install suse-prime bbswitch-kmp-default
zypper remove xf86-video-nouveau
zypper install  xf86-video-intel

cd /etc/uefi/certs
for i in *; do mokutil -i "$i"; done

# This key is not installed by default in new systems, but bbswitch still uses it:
cd /tmp
wget https://rpmfind.net/linux/opensuse/distribution/leap/15.3/repo/oss/x86_64/openSUSE-signkey-cert-20210302-lp153.1.1.x86_64.rpm
rpm2cpio openSUSE-signkey-cert-20210302-lp153.1.1.x86_64.rpm | cpio -idmv 
cd /tmp/etc/uefi/certs/
for i in *; do mokutil -i "$i"; done

reboot

# For switching the graphic card to the Integrated Card (eg. intel), execute as root:
prime-select intel
# now, logout from X and get back... 

Other GUI Applications:

zypper install kwrite

Fonts & Look:

zypper install deepin-icon-theme fontforge menulibre papirus-icon-theme qt5ct bitstream-vera-fonts fetchmsttfonts