Magna Techa
guides and thoughts on technology

Email hardening: Subject-only Access

It seems like every week we find out about credentials being leaked by some company. Even though that seems like the most pressing threat to the security of our online accounts, I've been thinking about a different one: the signed-in email account. How many devices is your email account currently signed in on? Although they might have their own passwords when they are locked or suspended, most of us leave our email accounts wide open on all of our devices. Our smartphones, our tablets, our laptops, our work devices -- they all would give our entire email account to anyone that happens to catch them unlocked. And some of us don't even lock our devices when we're away from them (you should start if you don't).

Thinking about this, and realizing that I don't need email-sending abilities at a moment's notice, I decided to set up a "subject-only" email portal. The problem is that if someone had access to your email then they could reset a myriad of passwords and have access to many of your accounts. But if they could only read the subject (or sender) of your newest emails then they couldn't accomplish much. I already have my Raspberry Pi backing up my email (with fail2ban running), so I set up a quick output of my newest email when it checks my account. I then rsync this file to my VPS (I would host it on the Pi, but my ISP has control issues and messes with server ports). This means I can visit a page on a website I own and see my newest email. But a malicious person couldn't do much with this information.

I also set up basic authentication for this page so it's not easily seen by others. This may be a little less convenient, because I have limited my email-sending ability to a single device that stays in my home and is password-protected. But I don't send a lot of emails so that doesn't bother me. Here's my script:

#! /bin/bash

# Start the output file with a timestamp so the page shows how fresh the list is.
date > mail.txt;

# Keep only Subject header lines from the mbox backup (anchored so a
# "Subject: " inside a message body is not picked up), turn the "Subject: "
# prefix into the "--- " delimiter, strip the RFC 2047 encoded-word wrappers,
# and keep the 20 newest (an mbox file appends the newest message last).
grep "^Subject: " mail.mbox | \
grep -v "From: " | \
sed s/"Subject: "/---\ /g | \
sed s/"=?utf-8?q?"//g | \
sed s/"?="//g | \
sed s/"=?iso-8859-1?q?"//g | \
tail -n 20 >> mail.txt;

# Copy the list to the web root on the VPS (SSH listens on a non-default port).
scp -P myaltport mail.txt mydomain.com:~/path_to/webroot/

This gives me a list of my 20 most recent email subject lines (with useless text cleaned out) delimited by a new line and "--- ". Now I can access the information I need from any of my devices, but a malicious person can't use my account from those devices.
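The same subject-only list built with a little more care, as an added example that is not the post's own script: only header lines are considered (a "Subject: " line written in a message body is ignored), folded multi-line Subject headers are joined back together, and the encoded-word wrappers are stripped whatever the charset or letter case. The mbox content below is constructed for the demonstration; the post's mail.mbox is assumed to have the same layout.

```shell
#!/bin/sh
# Added example, not the post's own script. Builds the "subject-only" list
# from an mbox backup: header lines only, folded headers joined, RFC 2047
# wrappers (=?charset?q?...?=) removed regardless of charset or case.
# The mbox below is constructed for the demonstration.

MBOX="${TMPDIR:-/tmp}/subject_only_demo.$$.mbox"
trap 'rm -f "$MBOX"' EXIT

cat > "$MBOX" <<'EOF'
From alice@example.invalid Mon Jan  1 10:00:00 2024
From: alice@example.invalid
Subject: Plain subject one

Subject: Fake subject written in the message body

From bob@example.invalid Mon Jan  1 11:00:00 2024
From: bob@example.invalid
Subject: =?UTF-8?Q?Caf=C3=A9_meeting?=

Second body.

From carol@example.invalid Mon Jan  1 12:00:00 2024
From: carol@example.invalid
Subject: A very long subject that
 continues here

Third body.
EOF

# subjects MBOX [N]: print the N newest Subject headers (default 20),
# newest last, each prefixed with the "--- " delimiter the post uses.
subjects() {
    awk -v want="${2:-20}" '
        function flush() { if (insub) { subs[++n] = s; insub = 0 } }
        /^From /                   { flush(); inhdr = 1; next }   # message separator
        inhdr && /^$/              { flush(); inhdr = 0; next }   # blank line ends headers
        inhdr && /^Subject: /      { insub = 1; s = substr($0, 10); next }
        inhdr && insub && /^[ \t]/ { s = s " " substr($0, 2); next }   # folded continuation
        inhdr && insub             { flush() }                    # some other header line
        END {
            start = n - want + 1; if (start < 1) start = 1
            for (i = start; i <= n; i++) print "--- " subs[i]
        }
    ' "$1" \
    | sed -e 's/=?[A-Za-z0-9._-]*?[QqBb]?//g' -e 's/?=//g'
}

# Stand-alone run: same shape of output as the post's mail.txt.
date
subjects "$MBOX" 20
```

The awk pass tracks whether it is inside a header block, so text in a message body can never inject a line into the list; the sed pass only strips the wrappers, so Q-encoded payloads such as Caf=C3=A9 stay as they are, exactly as in the original script.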

This might seem far-fetched to some, but there's no reason to make access to an important email account easy for other people. You don't leave your money in a bucket on your porch "because it's convenient", do you?


Taking Webcam Photos Via the Command Line

Here's an easy way to use your default webcam to take a photo with a single command from a terminal:

mplayer -vo png -frames 1 tv://

I wanted a quick and easy way to take a photo with my laptop's webcam and upload it to my server on a regular basis when I'm away from my machine. Side note: this wasn't to take photos of unknowing human victims, but to check in on my dogs :).

I realized that the first few frames weren't great due to the camera turning on, so I had it take 5 frames:

mplayer -vo png -frames 5 tv://

I then wanted to upload them to my server to be accessible (behind nginx's basic authentication so only those with the credentials can see them):

mplayer -vo png -frames 5 tv://; \
scp 00000005.png magnatecha.com:~/webroot/mydomain.com/cam/pic.png;

I also wanted to take the webcam photo on an interval:

while true; do \
mplayer -vo png -frames 5 tv://; \
scp 00000005.png magnatecha.com:~/webroot/mydomain.com/cam/pic.png; \
sleep 120; \
done;

That creates an infinite loop that takes 5 frames of photos, uploads the fifth one to my server, waits 120 seconds and then does it all again. This allows me to see a photo of whatever my laptop is pointed at that is at most 2 minutes old.
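The same capture-and-upload cycle as a small script, added here as an example rather than the post's own loop: frames land in a private temporary directory instead of whatever directory the shell happens to be in, only the last frame of a burst is uploaded and only if it really exists, and the earlier frames are purged every round so a failed capture can never re-upload a stale image. The mplayer invocation is the post's; the destination is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not the post's own loop. Frame count, interval and the scp
# destination are parameters; DEST is a placeholder to replace.

FRAMES="${FRAMES:-5}"
INTERVAL="${INTERVAL:-120}"
DEST="${DEST:-user@example.invalid:~/webroot/cam/pic.png}"   # placeholder

# frame_name N: mplayer's "-vo png" names frames 00000001.png, 00000002.png, ...
frame_name() {
    printf '%08d.png' "$1"
}

# purge_frames DIR: delete every numbered frame in DIR and print how many
# were removed, so nothing from a previous round survives into the next one.
purge_frames() {
    dir="$1"; removed=0
    for f in "$dir"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].png; do
        [ -e "$f" ] || continue
        rm -f "$f" && removed=$((removed + 1))
    done
    echo "$removed"
}

# capture_round DIR: take the burst, upload the last frame if it exists, clean up.
capture_round() {
    dir="$1"; last="$dir/$(frame_name "$FRAMES")"
    ( cd "$dir" && mplayer -vo png -frames "$FRAMES" tv:// )
    if [ -s "$last" ]; then
        scp -q "$last" "$DEST"
    else
        echo "capture failed, nothing uploaded" >&2
    fi
    purge_frames "$dir" > /dev/null
}

# The loop only runs when invoked as "script.sh loop"; the helpers can be sourced.
if [ "${1:-}" = "loop" ]; then
    workdir="$(mktemp -d)"
    trap 'rm -rf "$workdir"' EXIT INT TERM
    while :; do
        capture_round "$workdir"
        sleep "$INTERVAL"
    done
fi
```

The trap removes the working directory when the loop is interrupted, so no frames are left behind on the laptop after the script stops.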


Screenshot Sharing Script for Mac OS

I recently wanted to move away from commercial screenshot sharing tools (I was using Jing), so I decided to create a script that takes screenshots, allows you to annotate them, then uploads them to a free webhost. The free host I use is 000webhost.com and I use ftp to upload the image. Here's the script:

#! /bin/bash
d=`date +%Y%m%d%H%M%S`              # timestamp used as the file name (24-hour clock, so AM/PM names don't collide)
host="http://tr99.host56.com/"      # public URL base of the web host
password="*******"

screencapture -i $d".png";          # interactive screenshot, saved as <timestamp>.png

open $d".png" #edit?                # opens in Preview so it can be annotated and saved

read go;                            # wait for a key in the terminal before uploading

# upload to the host's public_html via ftp, then copy the public URL to the clipboard
echo "put "$d.png | ftp ftp://a8533349:$password@tr99.host56.com:21/public_html/ \
    && echo $host"$d.png" | pbcopy
mv $d.png ~/pics/                   # keep a local copy

That will take an interactive screenshot, open it in Preview so that you can edit and save it, then continue and upload it to your ftp host when you press any key in the terminal. I have my terminal (iTerm2) set to hide with a keyboard combo (ctrl+space) so that I can tell it to get out of the way if I'm taking a screenshot of something else. I assigned the script to a bash alias, so all I have to do is open a terminal and type my alias. It also copies the URL of the screenshot to your clipboard using pbcopy so that you can just paste it when you want to share it.
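One thing worth changing in a script like this is where the FTP password lives: as part of the ftp command line it is visible to every local process through the process list and ends up in shell history, and it is also hard-coded in the script itself. The upload step below is an added example, not the post's script, that keeps the credentials in a netrc file which curl reads with --netrc-file, and refuses to upload unless that file is readable by its owner only. The host, account and paths are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not the post's own script. Credentials come from a netrc
# file (one line: "machine HOST login NAME password SECRET") instead of the
# command line. Host names and paths below are placeholders.

NETRC="${NETRC:-$HOME/.netrc-screenshots}"
FTP_HOST="${FTP_HOST:-ftp.example.invalid}"
WEB_BASE="${WEB_BASE:-http://www.example.invalid/}"

# netrc_is_private FILE: true only if FILE exists and has no group/other bits.
# Uses "ls -l" rather than stat so the check is the same on macOS and Linux.
netrc_is_private() {
    [ -f "$1" ] || return 1
    perms="$(ls -ld "$1" | cut -c1-10)"
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# share_url NAME: the public URL of an uploaded file called NAME.
share_url() {
    printf '%s%s\n' "$WEB_BASE" "$1"
}

# upload FILE: put FILE into public_html/ on FTP_HOST and print its public URL.
upload() {
    netrc_is_private "$NETRC" || { echo "refusing: $NETRC must be mode 0600" >&2; return 1; }
    curl -sS --netrc-file "$NETRC" -T "$1" "ftp://$FTP_HOST/public_html/" || return 1
    share_url "$(basename "$1")"
}

# Stand-alone use on macOS, mirroring the post: screenshot, review, upload, copy URL.
if [ "${1:-}" = "shot" ]; then
    name="$(date +%Y%m%d%H%M%S).png"
    screencapture -i "$name"
    open "$name"
    printf 'press Enter to upload %s ' "$name"; read -r _
    url="$(upload "$name")" && printf '%s' "$url" | pbcopy
    mv "$name" ~/pics/
fi
```

FTP itself still carries the password in clear text over the network, so this only removes the local exposure; if the host offers SFTP or FTPS, the same curl call works with an sftp:// or ftps:// URL.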


Get a random file from a directory with the Linux terminal

Here's how you can grab a random file from a directory using the GNU/Linux terminal:

ls | shuf -n 1

And perhaps you want to do something like open that file with a program:

your_program `ls | shuf -n 1`

I used this to do things like open a random image with feh from my pictures folder:

cd Pictures; feh `ls | shuf -n 1`

The magic here is the shuf command that will output n pseudorandom items from a collection that is fed to it.
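Piping ls into shuf works until a file name contains a space or a newline, and an empty directory makes the shell run your program with no argument at all. As an added example, not the post's own command, here is the same idea with find and shuf's NUL-delimited mode, so any file name survives, hidden files and subdirectories are skipped, and an empty directory simply yields nothing. It relies on GNU shuf -z, just as the post relies on shuf.

```shell
#!/bin/sh
# Added example, not the post's own command. Picks one random regular file
# directly inside DIR; returns 1 and prints nothing when there is none.
random_file() {
    pick="$(find "$1" -mindepth 1 -maxdepth 1 -type f ! -name '.*' -print0 \
            | shuf -z -n 1 | tr -d '\0')"
    [ -n "$pick" ] || return 1
    printf '%s\n' "$pick"
}

# Stand-alone use, mirroring the post's feh case (no run with an empty argument):
#   f="$(random_file ~/Pictures)" && feh "$f"
```

Quoting "$f" at the call site is what keeps names with spaces intact; the backtick form in the post splits them into several arguments.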


Nginx and “413: Entity too large.”

That's what she said! Okay, okay, here's how to fix an "entity too large" error with nginx. Add this to your server block:

client_max_body_size 10M;

where 10M is the size of uploads you want to allow. The default is 2 MB, but as you know people have smartphones that take larger pictures than that now. Just remember you should probably resize them for web display until we all have better download speeds.
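Rather than raising the limit for the whole server, it is worth raising it only on the path that actually accepts uploads, so an oversized request body is still rejected everywhere else. The following is an added configuration example, not from the post; the paths and backend address are placeholders.

```nginx
# Added example, not from the post. Keep a small site-wide limit and raise
# client_max_body_size only on the upload location.
server {
    listen 80;
    server_name example.invalid;        # placeholder

    # Applies to every location that does not override it: requests with a
    # larger body get "413 Request Entity Too Large".
    client_max_body_size 2M;

    location /upload/ {
        # Only the upload endpoint accepts bodies up to 10 MB.
        client_max_body_size 10M;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

The directive is valid in http, server and location contexts, and the most specific one wins, so the 10M value here does not leak to the rest of the site.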