Question 1: Where do you normally use the laptop computer cable lock? Most likely the answer is in the office.

Question 2: How many people used to scramble or reset the security code after unlocking the laptop for a meeting at next door?

Well, I’m afraid that not many users remember to reset the security code, i.e. leave the cable lock in unlock state.

^{How to crack a highly secured Targus DEFCON CL laptop lock in just 3 seconds?}

So, it happened last week in my office. A 3rd-party office cleaner, who came for cleaning works during lunch hour, stole a premium Dell XPS M1330 that was secured with a Targus DEFCON CL lock (the branded cable lock bundled with most Dell laptop package).

The CCTV footage shows that the guy unlocked the “super secured” cable lock as if he knows the security code.

Is there a master unlock code of this 30 over bucks cable lock, that allowed him to crack it so easily?

(We highly believe that) the answer is the careless of owner. The manager recalled that he used to leave the cable lock in unlock state whenever he took the laptop away his office, especially when rushed for a meeting.

So happen that he used to back his cubic after lunch in case the meeting was in morning session, and the cleaner is so smart to remember his security code of the cable lock that was left in unlock status.

That’s how the cleaner crack the Targus DEFCON CL Laptop lock BY CHANCE in 3 seconds on the next day lunch hour, when the manager left for lunch with his Dell laptop “locked” in office.

This careless could lead someone to break just any cable locks, not limited to the tough Targus DEFCON CL lock!

Verdict: Remember to scramble / reset the security code after unlock the laptop!

However, Gmail or Windows Live Mail (previous known as Hotmail) do not allow users to send and/or receive executable program files.

Hotmail / Windows Live Mail:
Windows Live Mail has blocked some attachments in this email because they appear unsafe.

Outlook / Ms Exchange Server:
Outlook blocked access to the following potentially unsafe attachments:md5sum.exe

Gmail:
72.14.253.27 failed after I sent the message.
Remote host said: 552-5.7.0 Our system detected an illegal attachment on your message.
552-5.7.0 Please visit http://mail.google.com/support/bin/answer.py?answer=6590

How to send program file in Gmail or Windows Live Mail

If you prefer Gmail or Hotmail (Windows Live Mail) than Yahoo! Mail, you can use the trick I mentioned in earlier post, i.e. embed the compressed executable program files (any blocked file types) into Microsoft Office document that support embedded object feature (e.g. Microsoft Word or Microsoft Excel) and then email the Office document as a normal attachment will do! (Again, I believe that this trick will fail eventually, if someone abuses it for non-ethical purpose!)

You can’t simply compress or zip the executable program file and email it. Most of the email attachment filtering system, e.g. those available in Gmail or Exchange server, can scan compressed or zipped attachment files and block them from sending/receiving if any executable program is detected!

How to embed a compressed program file into Microsoft Word document? (FLV video played by JW Media Player)

Apparently, recipient has to open this attachment with Microsoft Word (not sure can Microsoft Word Viewer open the embedded object) and uncompress program (e.g. Winzip, Power Archiver, WinRar, etc) to extract the zipped executable program file.

Using Microsoft Office program to embed the compressed executable file

This is the first option I’ve used this morning to email an executable program file to vendor.

By inserting the compressed executable program file as an embedded object in Microsoft Excel / Word, the Exchange server attachment filtering system automatically “allow” the email that attach Microsoft Office document, to be send and receive at both end.

This guide refer to Microsoft Word 2007. However, you may use Microsoft Excel 2007 or any other version of Microsoft Office program that support embedded object feature.

1. Compress the executable program file (or any other file types that the email attachment filtering system blocks by default).
    
2. Open Microsoft Word 2007, click Insert menu, look at the Text ribbon and click the Object icon to bring up the Object dialog box, go to Create From File tab, use the Browse button to select the compressed exe file and click OK to complete.

   

   

   
    

3. Now, send the Microsoft Word document (that embed the compressed executable file) as normal attachment.

Using Yahoo Mail! to send and receive executable file attachment

No special requirements for this method to work, except that you have to send and receive the email that attached with executable program files in Yahoo! Mail account. That’s to say, you don’t have to compress the exe file or embed it to MS Office document.

I tested it before and it still work at this time being. The testing just now proved that an email attached with md5sum.exe (28KB) can be sent from my Yahoo! Mail account and open by another Yahoo! Mail account as normal.

If the Juzt-Reboot card is too costly, Windows SteadyState v2.5 is the FOC alternative! Windows Disk Protection is one of the really cool features of Windows SteadyState, where the service could discards all kind of changes made on the Windows system partition on next system boot!

That’s to say, the good and healthy state of Windows system partition will be reinstated, regardless of program installation/un-installation, Registry editing, setting changes, file deletions, etc, made by end users.

Unlike Windows Ultimate Extras, Windows SteadyState available for all editions of 32-bit Windows XP and Windows Vista, i.e. Windows XP Professional, Windows XP Home Edition, Windows XP Tablet PC Edition, Windows Vista Business, Windows Vista Ultimate, Windows Vista Home Basic, Windows Vista Home Premium, and Windows Vista Starter. However, the default installation will not proceed if the copy of these Windows OS could be validated as genuine copy.

This trick doesn’t work for the scheduled shell script / batch file that needs non-interactive ssh login. See next post that cover this (as more works need to be done in order to get ssh-agent works for cronjob).

How to configure ssh-agent for secured private key to support non-interactive, password-less SSH login?

In my RHEL machine, the ssh and ssh-agent bundled with OpenSSH package work very well for this job:

1. Login to Linux machine and execute eval command to invoke ssh-agent, so that the environment variable (SSH_AUTH_SOCK and SSH_AGENT_PID) output by ssh-agent could be exported to the current shell. Take note that the back-quote ` is used to enclose ssh-agent, not the normal single-quote ':

   eval `ssh-agent`

2. Next, use ssh-add command to add the secured private keys to ssh-agent. Enter the passphrase of the private key when prompted. For example, to add private key $HOME/.ssh/walkerkey to ssh-agent:

   ssh-add ~/.ssh/walkerkey

Now, all ssh connections initiated from the current shell (before log out the current session) will be automatically authenticated via ssh-agent that caches the private keys.

How to configure Putty Pageant.exe for secured private key to support non-interactive, password-less SSH login?

1. Locate the Putty folder and double-click PAGEANT.exe (will run in the Windows System Tray).
    
2. Right-click the Pageant.exe in System Tray, click Add Key option, locate and open the private key, and enter the passphrase when prompted. (Alternatively, you can right-click Pageant.exe, click View Keys, followed by Add Key).
    
3. Now, initiate a SSH connection with Putty.exe to the target server and login with user ID that keeps the public key for the secured private key cached by Pageant.exe. You should notice that Putty automatically authenticate and a message (below) prints on the session window:

   Authenticating with public key “dsa-key-20080609″ from agent

As mentioned earlier, the wonderful of these ssh key managers don’t natively work in cronjob or scheduler environment. Although, these toolkits provide a base to expand the possibility of configure non-interactive / password-less ssh login with a secured private key (see next post).

• a command line SSH utility such as pscp (for Windows batch file) or scp (for Linux shell scripts).
   
• a pair of password-less cryptographic keys (i.e. private key that is without passphrase) for non-interactive authentication.

  Additional steps required for “password-less” ssh login if the private key is secured with a passphrase.

The generic concept: How to setup a password-less, non-interactive ssh login?

This is not a detailed guide for a specific ssh suite. Indeed, this is just a generic view of what you should do, in order to get a OpenSSH-compatible suite to work in a non-interactive authentication way. (As of 2005, OpenSSH is the single most popular SSH implementation).

Personally, I like Putty suite for Windows and OpenSSH for Red Hat Linux. The guides of configuring these tools to support non-interactive ssh login can be referred on these earlier posts:

• How to configure OpenSSH for password-less SSH login
• How to configure Putty for non-interactive ssh login

SSH-2 protocol (secure shell version 2) supports at least two authentication methods, i.e. legacy system password authentication and public-key cryptography authentication. For password-less or non-interactive SSH login to work, public-key cryptography authentication is preferable:

1. Execute ssh key generator to create a pair of keys. For example, the Linux OpenSSH key generator ssh-keygen -t dsa defaulted to create a pair of DSA-based keys called id_dsa (private key) and id_dsa.pub (public key).
    
2. When the SSH key generator prompts you to enter a passphrase (to secure the private key), leave it empty (i.e. to disable the passphrase).
   

   The passphrase secures the private key. So, if someone steals the private key has to know the passphrase to unlock the secured private key. The server that trigger automated shell scripts or batch files keeps the private key, and hence should be secured as well. Otherwise, what’s the justification to only secure file transfer but leave the server box to be vulnerable for attack?

3. Keep the private key in .ssh (a hidden directory) at client side and make sure the private key file access permission is restricted to 600, i.e. only grants read and write access to file owner.
    
4. Transfer the public key to all target servers (which are expected to receive files) and append the public key file content to authorized_key file that resides in .ssh directory. Again, the authorized_key file access permission must be restricted to 600 mode.

Once all those generic steps are done, the client shell scripts / batch file is then capable to automate file transfer in password-less, non-interactive authentication mode.



Suggestion:

If you’re about to write a Linux shell scripts or Windows batch file to automate file transfer between networked hosts via ssh protocol, try to use scp (in Linux) or pscp (Putty suite for Windows) rather than sftp or psftp, for the benefit of coding simplicity, given the fact that secure copy (SCP / PSCP) command is highly non-interactive and straight-forward.

The scp syntax:

scp source_file user_id@hostname:[path/file]

Some scp examples:

Assume all these scp commands are executed at server WalkerNews-A using walker-a user login ID

scp -i $HOME/.ssh/id_dsa file1 walker-b@WalkerNews-B:newfile1

meant to

• use the -i option switch to explicitly specify which private key to used for authentication, i.e. $HOME/.ssh/id_dsa. This option is useful when the ssh_config configured with a non-default IdentityFile option or there are multiple private keys kept inside the .ssh directory).
   
• upload file1 to walker-b home directory at server WalkerNews-B as a new file named “newfile1″

scp file1 file2 log* walker-b@WalkerNews-B:/tmp

meant to upload multiple source files (i.e. file1, file2, log*) to server WalkerNews-B using the walker-b user login ID and save those source files into /tmp directory.

scp walker-b@WalkerNews-B:/tmp/f1 walker-b@WalkerNews-B:/tmp/f2 tmp

meant to download /tmp/f1 and /tmp/f2 from server WalkerNews-B using walker-b user ID to the local tmp directory at walker-a home directory.

Similar to OpenSSH client setup, we could create a pair of public key and private key in Putty SSH client suite for the sake of password-less/non-interactive SSH login.

Assumption made for this example:

Putty client running in Windows Vista Ultimate needs a non-interactive, password-less ssh login to walker-b at Linux server WalkerNews-B. WalkerNews-B is running RHEL 4 Update 5 and installed with the bundled openssh-server-3.9p1-8.RHEL4.1 and openssh-clients-3.9p1-8.RHEL4.1.

• Locate and run the Puttygen.exe (Putty Key Generator), select the SSH-2 DSA key type, press the Generate button and move the mouse over the blank area (as prompted) to generate some randomness on the keys:

  
   

• When the key generation completed, copy all text of public-key in the box and append it to walker-b’s $HOME/.ssh/authorized_keys files.

  
   

• Click Save Private Key button to save the Putty-generated private key that pair the public key appended to $HOME/.ssh/authorized_key file.

  
   

• Run the Putty client (putty.exe) to specify the saved private key and auto-login username before initiating connection to WalkerNews-B.

  

  Specify the login user ID (i.e. walker-b):
  

The Putty command line SSH clients support non-interactive, password-less ssh login too. This is useful if you need some Windows batch files or Windows scripts to automate file transfer between networked hosts via the SCP protocol.

For example, to transfer sourcefile to walker-b’s home directory at WalkerNews-B, execute PSCP.exe program (equivalent to OpenSSH scp command) in this way:

pscp -i id_dsa.ppk sourcefile walker-b@WalkerNews-B:

The -i option switch is used to specified a private key. In this case, it’s a Puttygen-generated private key that I’ve saved it as id_dsa.ppk.

If the Putty fails to work in password-less ssh login fashion, it automatically attempts to perform legacy login ID and password authentication. For troubleshooting, you can refer to Putty Event Log window, i.e. right-click the Putty window title bar and click on the Event Log menu: