newbi3
-
Posts
1,022 -
Joined
-
Last visited
-
Days Won
62
Posts posted by newbi3
-
-
Login history is all done and will be included in the next version. It doesn't take a picture with the front facing camera because I don't want to add the permissions but it does warn you when there are new failed login attempts and you can view all, successful, or failed attempts individually.
-
Good question - I'm not sure. I am not going to allow for the log to be cleared. If someone gets the password right on the 100th time they won't be able to clear the login and the owner would see it next time they logged in. Now that doesn't stop someone from modifying the log with a 3rd party application or ADB or something. Without sending the log to a server somewhere and then pulling it down when needed I'm not sure how I could keep it from being tampered with. Maybe the alternative option is to have a kill switch built in where if your password is entered incorrectly x times in x timespan then all of the passwords are dropped.
-
I like the Access History feature and would recommend you also include any failed login attempts. Might be fun to include a snap from the front-facing camera with that.
I like that idea. I would do the camera snap but I am trying to not use any permissions and that would break that model. Ill add a log of failed login attempts though.
-
One if the benefits to the Nano is that it doesn't have the realtek chip with the 11mbps throughput issue -- other benefits are that the web interface is SO much better. Its way cleaner and more responsive and feels amazing. Also with the new API design developers are able to create new modules so much faster than before so you can expect to see some cool new modules on the nano.
-
The Nano is still being developed so the ability to download modules onto your pineapple is still in progress. Even if that weren't the case there are only a few modules that are even "ready to go" at this point.
-
I'm almost ready to release the next version which has a ton of improvements.
1. All data (not just passwords) is encrypted and salted
2. Data is only shown in plain text when it needs to be
3. Access key is now salted in addition to being hashed
4. New "Access History" feature lets you see the dates and times that a specific password has been viewed
5. New random password generator using SecureRandom
Its not released yet and probably won't be for about a week or two as I am on vacation and still have some features to add - however if you want to view the code look at the "development" branch.
-
Nifty! Excited for this!
-
Looked through a few of the files.
codeit/space/vault/crypto/Encryption.java
Your secret key is allowed to be an empty string.
You don't provide any means of seeding the IV prior to encrypting, or salting the hash before hashing, even though the uid you use for a password is an excellent value to use for this.
codeit/space/vault/db/VaultDatabaseHandler.java
51: Your method 'vaultKeyExists' actually tests if the vault key *table* exists, since no key is included anywhere.
89: Let the database do the work for you - SELECT count(1) FROM table where vaultKeyHash = 'hash';
113: In the database column name you suggest the password is encrypted, but your password model doesn't seem to think so.
114: All data from this model should be encrypted. If I get access to your vault I shouldn't be able to prioritize my cracking efforts based on the name you gave to a password nor should I know the places where you have an account. Why is it relevant to retain a creation date?
136: You shouldn't need a getAllPasswords method. You should use a getAllPasswordTitles() method and only when a password is selected do you read it from your database.
The password can't be an empty string. Line 44 of AccessActivity checks the length of the key. I am going to have a password policy in the next version but I just didn't get around to it yet.
I'm not sure the proper way to do the salting. I shouldn't store the salt in the DB correct? If not then I can't use a random salt and if it can't be random then I should use something unique like the phones identity but I don't want to have to have special permissions on the app.
89 - Thats the query I was running but it would crash the app if certain characters were in the hash I just changed the query last night actually
113 - The password is encrypted before being put into PasswordModel (line 78 of NewPasswordActivity)
114 - Yes I agree next release
136 - I also agree with this - next release
Thanks for the review I'll update it soon
-
I know that there are a lot of password managers out there but it never hurts to have options. Also I don't trust any application with my passwords if I can't review the code. So I took it upon myself to write my own password manager for Android and you can find it in the Play Store now. Its completely free and requires 0 permissions. All passwords are encrypted with 128bit AES encryption and the app requires you to enter your encryption key before you can view the "vault". Your encryption key is never stored in the app - just a SHA256 hash of it so the App can verify that you entered the correct key. The code is open source and up on my Github. If you want to contribute to it that would be really cool :D Also you can find it on the Play Store.
I'm completely open to suggestions and criticisms for it.
Git Hub
https://github.com/frozenjava/VaultAndroid
Google Play
https://play.google.com/store/apps/details?id=codeit.space.vault
-
Couldn't you simply have a simple emitter program that spits out a UDP broadcast every second or so? See this for the broadcasting itself. Your app would listen for the broadcast and be able to read from there the source IP address and about 1500 bytes of additional data to work out what you need to know before deciding to connect to it.
I was thinking about doing that but I just wanted to follow a standard that already existed instead of doing my own thing. Just broadcasting it its services would be a lot easier for sure considering I have no idea what I'm doing with SSDP.
-
I am creating a little rover that is powered by the raspberry pi and controlled over the network. I'd like to make this more plug and play but I'm pretty confused trying to implement SSDP. Basically I just want the Raspberry pi to broadcast it self on the network and say "hey my restful API lives at x.x.x.x:8080" this way my android app can just find that broadcast and then connect to the robot without the user having to type in any ip address or port. Is there a service for linux that already does this? I've tried miniupnpd and minissdpd and they don't seem to be broadcasting anything...
I think I may just have a miss understanding of SSDP which is what is making this so hard to implement. Any knowledge on how it works and/or how to implement it would be amazing!
-
I teach computer programming at a college level and I start my students off with Python. I recommend against learning Java as a first language because of a couple reasons. Essentially it will just confuse you and turn you off to programming. Here is what I mean
// WTF is a package?? package learning.programming; // WTF is a class what why public?? public class FirstProgram { // what is a void? Why is it public? what does it mean by static? Wtf is a String[]? public static void main(String[] args) { // All of this code for it to just say hello world?? System.out.println("Hello world"); } }There was this amazing article called "The pitfalls of java as a first language" but I can't seem to find it for you.
Anyways learn Python first just to get your beak wet.
Also shameless time for me to plug a Python module I am working on called jBot which is a "robot simulator" for the purpose of learning to program with instant visual gratification. I have noticed that a lot of my students weren't retaining the concepts that I was teaching them so I figured maybe if they see these code be executed by something visual then they will understand it better. Turns out that that is completely true. So If you want to learn python and you are more of a visual learner then jBot if definitely something you should check out: https://github.com/frozenjava/RobotSimulator
-
Maybe there are other options for outbound, irc bot? Ftp? Https?
Good suggestions, foxtrot made a irc one a while ago (I'm not sure what happened to it). Definitely open to the ftp and http control. I will bake that in.
-
I would like to understand what you are trying to accomplish...
Send out a message full of commands? On the other side this message will be read and commands executed?
Pretty much, I had an old version that did it over MMS but it was insanely difficult to parse and get the actual message out of. New version will be doing it over actual SMS with a modem plugged into the pineapple.
-
stay away from evil portal, portal auth, ettercap, tor....
best best is to run everything you can from the command line and forget about the non stock infusions.
How are you powering your pineapple?
-
I'm willing to help if you want to collaborate on this project.
Sure, its kind on on a hold at the moment until I can get some of my professional obligations done but I'll let you know when I'm starting back up with this project
-
This is something I am putting together in my head as well with some additional features. It's a big project but it's a fun one.
-
I don't think Newbi3's solution will work. To someone monitoring the system I think it would be obvious that one person is walking around with a device that is randomly changing macs.
It doesn't matter if its obvious you can't track me. Also there is no human sitting here monitoring these systems. Since there is no way to stop them from collecting the data you might as well pollute the data so its next to impossible to draw an accurate picture.
I understand what you're saying but I don't think its something worth writing a hundred lines of code when I just accomplished the same thing with 4 lines of python. However, with that said feel free to make your vision happen the way you want it to :D
-
import os, time
while True:
os.system("macchanger -r wlan1")
time.sleep(5)
-
That seems kind of slow... There was a hardware implementation issue with the second radio that limits its speed to 11mbps max. Since its a hardware there isn't anyway to fix it with software
-
every other reboot this infusions craps the bed.
install correctly message after installing dependencies about 1000 times and every other reboot it still needs the deps installed.
That doesn't sound good, I got to say I'm not experiencing the same results can you give me some more info to help me replicate the issue?
What firmware version are you running?
What other infusions do you have installed?
Is the infusion installed on internal storage or sd storage?
Is your pineapple connected to the internet when you try to install dependencies?
-
I'll probably just end up buying APs from manufacturers outside of the US and then flash open-wrt or dd-wrt like I want to. Have they not learned that no one wants devices with regulations or (especially) NSA backdoors? They just keep hurting US companies by doing these things.
-
Lets all send smashed routers to the FCC.
-
Why this a thing? Do we not own the fucking hardware we buy?? I mean goddamn. If I want my <insert_device_here> to run better software than what the manufacturer put out then its going to.
[Support] Evil Portal
in Mark V Infusions
Posted
NoDogSplash is now using UCI for the configuration no longer using the file which is why the auto config thing fails - this is working in the Nano and Tetra version of Evil Portal and I'll get the fix out to the mkv soon.
Yeah all of your portals will still work fine, the new version of NoDogSplash uses UCI for configuration. Evil Portal on the nano will automatically configure everything you need to get it going for you when you install dependencies but if you want to do additional configuration you can do it from the command line. Maybe in the future I'll have a section on the interface but not currently.