All posts by anthony

I’m a computer programmer, coder, and hacker, under Debian GNU/Linux 99.9999% of the time. Code is an art, like the art of Picasso that common people are not able to comprehend and appreciate. I like the Internet, I like the world wide web, I like wikipedia, I like AJAX, I don’t like the old web programming paradigm, interactive UI is what people need, but I hate web2.0, and I hate those people who are telling the world how much they know about web2.0 while they’re in fact just eyeing for VC investments.

Debian 10 “buster” 來了

Debian 已正式釋出 Debian 10 “buster”,可喜可賀,小弟將 release notes 的重點總結了一下。

• Gnome 預設的 display server 改為 Wayland,對不想使用 Wayland 的用家仍可選用 Xorg。

• 91% 的 source package 已能 reproducible build。Reproducible build 意即每次從源代碼編譯出來的二進制程式都是完全一樣的。這樣能夠保證和證明你拿到的程式,確實是從沒被篡改過的源代碼編譯出來。

• 預設採用 AppArmor。

• APT 加入 seccomp-BPF,用於限制可使用的 system call 以提高安全性。APT 亦已正式支援 HTTPS。

• nftables 取代 iptables,iptables 仍可通過 iptables-legacy 支援,詳情可看 https://wiki.debian.org/nftables

• 正式支援 Secure Boot,在 amd64、i386 和 arm64 上無需關掉 secure boot 選項便可進行安裝和啟動系統。

(來源:https://www.debian.org/News/2019/20190706

How to Read Kobo e-books on Your Kindle Devices

Recently I am fortunate to be introduced of a wonderful book about self improvement. As a Kindle user, the first thing I do is to look for it in the Kindle Store. Bummer, the search result returns nothing. Having checked again with my friend, the book was bought at Kobo. That’s not good, because I prefer reading books on my e-ink Kindle device rather than on LCD or LED screens, since I would suffer from eye strain easily after prolonged reading using them. Seems as I am getting older my eyes are becoming more sensitive to strong visible lights.

I have no experience with Kobo before, so I did some research, found that Kobo’s e-books are not compatible with Kindle. The book that I want is in EPub format with DRM protection (bad!), Kindle doesn’t take ePub, let alone DRM-protected ones.

I have no other choice, except to find my way to decrypt the e-book to remove the DRM. Once it is DRM-free, I can simply convert it from EPub to MOBI/AWZ3, which is natively supported by Kindle.

As my main working machine is Ubuntu, what I am going to write are only applicable to Ubuntu. With some tweaking you can achieve the same result on other Linux distributions. I performed all the steps under Ubuntu 19.04. The process is a bit tricky but not impossible. It mainly involves these steps:

  • Use Adobe digital editions under WINE to save Kobo e-book as a DRM-encrypted ePUB file.
  • Use DeDRM plugin in Calibre to remove DRM from the EPUB file.
  • Convert the DRM-free EPUB to MOBI/AWZ3 by Calibre.

Save the e-book into DRM-encrypted EPUB

  • First login to Kobo and download the e-book’s ACSM file. ACSM a very small descriptive file that contains metadata of your e-book.
  • Go to your books library in Kobo, under the book cover there is an icon with 3 dots. Click on it and it will display a menu, the third item is “Download”. Click on it, the website will prompt you to download a file, its filename ends with “.acsm”. Save it for later use.
  • First login to Kobo and download the e-book’s ACSM file. ACSM a very small descriptive file that contains metadata of your e-book.
  • Go to your books library in Kobo, under the book cover there is an icon with 3 dots. Click on it and it will display a menu, the third item is “Download”. Click on it, the website will prompt you to download a file, its filename ends with “.acsm”. Save it for later use.
  • If you do not have WINE installed, install it with other tools by:
    sudo apt install wine-stable winetricks cabextract 
  • Now download Adobe digital editions (ADE) version 2.0 and install it in WINE ADE 2.0 is available at http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe, download it for later use.
  • Run the following commands:
  • In ADE, open the acsm file by going to File > Add to Library (or press Ctrl-O). There is a GUI glitch that the menu is not shown when you click “File” until you move your mouse around.
  • ADE will ask you to “Authorize Your Computer”. If you do not have an Adobe ID, click on the “Create an Adobe ID” link, and you will be brought to a web page, where you can sign up. If you already have an Adobe ID, sign in with your existing Adobe ID and password.
  • Voila! After you have signed in, ADE will start loading your e-book. After awhile, your e-book will be shown in ADE. Now, check your ~/Documents/My Digital Editions folder, you should see your e-book there in EPUB format!

Remove DRM from Your E-Book

  • If you do not have Calibre in your computer, install it with apt install calibre.
  • Then you need to import the DeDRM plugin to Calibre, as Calibre doesn’t come with the capability to remove DRM out of the box.
    • Go to https://github.com/apprenticeharper/DeDRM_tools/releases, and download the latest DeDRM_tools zip file.
    • Unzip it. There are many files but what we care is the DeDRM_calibre_plugin folder. 
    • Open up Calibre, click on the Preferences icon at the top bar. From there, locate the Plugins icon under the “Advanced” heading. In my Calibre it is the last row.
      Calibre Preferences dialog
    • At the very bottom of the plugins window, there is a button called “Load plugin from file”. Click on it. Browse to the Calibre plugin folder that you extracted from the zip file, select DeDRM_plugin.zip within that folder. Calibre will warn you that importing an external plugin is a potential security risk. That’s fine, just confirm your choice. Once it is done, Calibre will show you a success message telling you to restart the program for the changes to take effect. Do as you are told.
      DeDRM plugin installed
  • Now fire up Calibre again. Click on “Add books” icon on the top bar. Choose the EPUB e-book from ~/Documents/My Digital Editions. Your e-book will be shown in the main window. Click on the “View” icon in the top bar, you should now be able to view it! If you can’t view it saying that the book is encrypted, you may have done something wrong in importing the DeDRM plugin. Go back and check that the plugin is properly installed.

Convert the DRM-free EPUB to MOBI/AWZ3

  • Since you now have your e-book unencrypted, you can convert the e-book to any format that you desire. If you are like me and prefer Kindle, you should convert it to AWZ3.
  • Select your e-book in the main window, then click on the “Convert books” icon that is on the top bar.
  • A new window will show up for configuring many conversion settings. Since we are converting for Kindle, choose “AZW3” as the “Output format” at the top right corner of the window. Then click on “Page setup” in the left pane, choose an “Output profile” for your device. There are many different settings that you can test with. Once you are satisfied, click “OK”. Calibre will now start converting your e-book to AZW3, wait for a while, it will prompt you when it is done.
  • After the conversion completes, look at the right hand side of the main window. You can see the label “Path” under the book cover, after “Path” there is a link called “Click to open”. Click on it, your file browser will open and you should see a new file with the extension azw3. That is the file that you can import to your Amazon Kindle. Transfer it to your Kindle device just like any other Kindle e-books. Enjoy!

Securing DNS Traffic in China

Overview

DNS poisoning is one of the most common cause of nuisance when accessing websites
that are outside this 1.4 billion-people Oriental country. So far, the best way to protect yourself from this trouble is to route all your DNS traffic through an encrypted channel, and the method I am going to introduce is DNSCrypt. There is not yet a standard for encrypted DNS, DNSCrypt is a project done by OpenDNS. According my experience, DNSCrypt is very reliable and robust, the cryptography of the protocol is called DNSCurve, which is a public-key crypto that employes an extremely strong elliptic-curve cryptography called Curve25519.

If you have read my previous writing, you should know my setup is a Raspberry Pi, and so the rest of this article is based on that, running Raspbian. Dnsmasq will be used as the first DNS caching proxy to serve incoming DNS queries from machines on the network. If the queried domain name is a China one, the request will be served by a China DNS. This is necessary because for some domains, answers from DNS servers in China and global ones could be different. If the requested domain does not belong to any known China domains, the request will be forwarded to dnscrypt-proxy, which will ask a DNSCrypt server for an answer.

After DNSCrypt is used, your DNS traffic will look like this:

Setting up DNSCrypt

As illustrated in the above diagram, dnscrypt-proxy is the piece of software that handles DNSCrypt, but it is not available in Raspbian’s Wheezy and Jessie releases, only in testing (currently Stretch). You can either compile it yourself, or grab the debian package I built and install it. You can find the package here. It is based on the Raspbian package in testing repo, with some modification to debian packaging files, since the one in testing depends on systemd, which had not yet been adopted when Wheezy was released.

If you really want to build the package yourself, first install the libsodium packages. The package are also not available in Wheezy repo but the ones from testing, libsodium13_1.0.3-1_armhf.deb and libsodium-dev_1.0.3-1_armhf.deb, can be installed without any problem. Download and install them, then follow these steps to build your dnscrypt-proxy package:

After dnscrypt-proxy is installed, you have to update the port it uses. Change DNSCRYPT_PROXY_LOCAL_ADDRESS in /etc/default/dnscrypt-proxy to another port other than 53 (as it will be used by dnsmasq later), like this:

You can also change the remote DNSCrypt server, but since the default (cisco) works well for me, I left it unchanged.

Now test it to make sure it works as expected:

Setting up dnsmasq

Dnsmasq is very common and is available in Raspbian, installing it is easy:

Now we have to do some configuration in /etc/dnsmasq.conf. These are my recommended settings. Please note that the interface option is the network interface that dnsmasq will serve, and in my case that is wlan0. You have to change it to the one that applies to your case.

Now comes the interesting part. We are going to tell dnsmasq to use a China DNS server (114.114.114.114 in my example) for China domains and DNSCrypt server for all others. This is done by using the server option in /etc/dnsmasq.conf. Here is an example:

This is pretty straightforward. The last line tells dnsmasq to use your dnscrypt proxy if the domain you query does not match any China domains. In my config file there are 12238 lines for China domains so I’m not going to post them all here, you can get the snippet of my dnsmasq.conf here, and put it into your own dnsmasq.conf. The problem is to maintain the list for all China hosts. I am now using the list from the fqrouter project, it has been serving me well, since most common domains are already there. What’s worrying is due to the abandon of the project by it’s author, the list is now unmaintained. If you know a more updated list, please let me know!

Debian 哀悼 Ian Murdock 離世

bits.debian.org 上發佈了 Ian Murdock 的死訊,由於對 Ian 十分敬佩,看到之後立馬把它翻譯過來,本來已經在上月31號翻好並發到 debian-publicity 郵件列表,可是不知什麼原因那邊一直沒收到(已經用了兩個不同的 email)。由於剛好那段時間在日本旅遊,也就沒太注意。今天打算再看看什麼問題的時候,發現 Anthony Fok 已經把另一篇由 Bootingman 翻譯的中文版放上網站,既然如此我也不好把它換掉。可是翻譯畢竟已經完成,而且還花了點心血,結果還算滿意,因此就在這公佈一下。

原文:https://bits.debian.org/2015/12/mourning-ian-murdock.html

Ian Murdock 是一位自由/開源軟件的忠實擁護者、一名父親、兒子、以及 Debian 中的 ‘ian’,我們懷著沉重的心情,對 Ian 的離世致以深切哀悼。

Ian 於 1993 年 8 月啓動 Debian 計劃,並於同年不久推出首個版本。之後,Debian 逐漸成爲世界上的一個通用作業系統,無論從嵌入式設備,乃至國際太空站,皆能尋到它的蹤跡。

Ian 在創造 Debian 發行版與發展社羣文化時,無不專注於確保在道德層面,抑或技術層面,所做的事情都是正確的。譬如每個版本只會在最终完備時發佈,而 Debian 計劃對自由軟件的堅定立場,現已被視爲自由與開源領域的標準。

Ian 對於做正確事情的執著,使得他在 Debian 及往後的日子裏,一直朝向最美好的未來邁進。

Ian 的夢想猶在,Debian 社羣仍然非常活躍,上千的開發人員奉獻數不盡的日日夜夜,帶給世界一個穩定及安全的作業系統。

在這個傷痛的時刻,Debian 社羣眾人與 Ian 的家人心繫一起。他的家人亦請求各位,在這段艱難時期重視他們的私隱,我們對此表示尊重。各位來自 Debian 以及廣大 Linux 社羣的朋友,請將您們的慰問發送至 in-memoriam-ian@debian.org,所有唁函將被永遠保存。

譯者:黃彥邦 (Anthony Wong)

Obfuscated SSH tunnel

VPN providers were cracked down, open source anti-censorship tools were eliminated. This is what’s happening in China and has become even more severe than ever. Shadowsocks alone is no longer reliable due to more powerful deep packet inspection implemented at the GFW.

I am now replacing shadowsocks on my gateway with obfuscated SSH tunnel, based on Tor‘s obfsproxy. To the impatient ones, I will first give a concise summary of the necessary steps of my set up. You can follow it without drilling down the details. I will explain in more details later. But please note that you have to follow the other instructions in this blog post to complete the whole set up.

Quick Set up

On your server

Assume your server runs Debian 8 (jessie) or Ubuntu, and its IP is 1.2.3.4, run these commands:

On Raspberry Pi gateway

Edit ~/.ssh/config:

Run these commands: