**** BEGIN LOGGING AT Mon Sep 26 02:59:58 2016
Sep 26 03:41:34 ~usbfix
Sep 26 03:41:34 from memory, usbfix is http://talk.maemo.org/showthread.php?t=75920 - and **NEVER** use epoxy (unless you want to seal your device for underwater), or https://www.youtube.com/watch?v=fYz5nIHH0iY#t=1866, you will basically need two irons: a small good one (or better hot-air reflow) and a 60+ Watt
Sep 26 03:42:49 >>Fixing USB port, **before** and after it is to late.<<
Sep 26 03:47:34 honestly, ruggedizing a non-broken N900 USB port is for 9 year old who want to learn soldering. You don't even need flux for it, when you got proper high quality electronics solder wire
Sep 26 05:32:03 * Maxdamantus ruggedised two N900 USB ports in the weekend.
Sep 26 05:35:33 so i'm getting an n900 on wednesday, should i strengthen the solder on it immediately?
Sep 26 05:38:50 I think that's still the current advice.
Sep 26 05:39:45 Well, I'd at least make sure it's charged first, so you don't have to test it afterwards with a flat battery.
Sep 26 05:42:03 looks easy enough to take apart, i'll give it a shot then
Sep 26 08:54:32 yay, gnuboy works fine on n900 .... I wonder how people could stick with laggy closed-source vgb :/
Sep 26 08:55:09 make a tmo entry about it?
Sep 26 08:55:44 yeah, I haven't finished packaging it yet, and it has no GUI either, but ...
Sep 26 08:56:07 writing gui shouldnt be hard in pygtk
Sep 26 08:56:44 I can't stand python, and writing GUIs is exactly the part I hate/suck at anyway
Sep 26 08:56:57 so ... feel free :)
Sep 26 08:57:21 actually the main reason it would need a GUI is to set key bindings
Sep 26 08:58:10 (although I patched it to print unmapped keysyms to stdout so discovering needed keycodes wouldn't be too hard)
Sep 26 08:58:28 python is easy
Sep 26 08:58:42 much easier than perl anyway ;)
Sep 26 08:59:08 I personally think it's braindead, but that's beyond the scope of this chan
Sep 26 08:59:46 why so? its a scripting language with beautifying feat built in
Sep 26 09:00:21 and makes writing apps from scratch easy
Sep 26 09:01:16 though i agree, on resource limited system (n900) its not useful for anything else than configuration editors/launchers
Sep 26 09:37:16 or spy device with webcam/mic, wifi proxy to local network etc
Sep 26 09:37:22 bencoh: yay!
Sep 26 15:33:28 * L29Ah slaps Wizzup with a portage tree
Sep 26 16:29:48 hmm.. is u-boot capable booting off kernel found on encrypted LUKS partition on SD card (like GRUB does), or do I need unencrypted /boot for kernel and initrd on a separate partition?
Sep 26 16:46:29 dkbrz: u-boot in maemo extras does not support LUKS
Sep 26 16:46:52 but I have no idea if new version of u-boot has support for LUKS or not
Sep 26 16:47:07 dkbrz: better ask on #u-boot channel
Sep 26 16:47:46 Pali: thanks
Sep 26 16:48:29 maybe look at this: https://packages.debian.org/sid/grub-uboot-bin
Sep 26 16:48:52 it has some luks support: https://packages.debian.org/sid/armel/grub-uboot-bin/filelist
Sep 26 16:49:23 looks like this acts as grub for third stage bootloader
Sep 26 16:49:34 but still something needs to be unencrypted...
Sep 26 16:49:43 probably overkill and useless...
Sep 26 16:50:29 dkbrz: anyway, if you found something, let me know, luks + uboot sounds very interesting
Sep 26 16:51:36 Pali: sure.
Sep 26 16:52:55 19:51 < Marex> dkbrz: no, but you can use grub-efi on top of u-boot, which supports that
Sep 26 16:53:11 so, that's the standard approach I guess
Sep 26 16:54:17 it is useless for n900
Sep 26 16:54:43 you can boot directly unencrypted kernel
Sep 26 16:54:59 or boot unencrypted grub which boot encrypted kernel
Sep 26 16:56:03 both options are probably same secure...
Sep 26 16:56:48 man with physical access to SD card can change boot code easily (e.g. switching SD card)
Sep 26 16:57:04 yes, but grub option reveals less, so maybe better from privacy perspective
Sep 26 16:57:54 attacker will either see your unencrypted grub or unencrypted kernel image
Sep 26 16:57:59 if device lost/stolen = not you being of interest for some letters organisations
Sep 26 16:58:27 I think it is widely known that on n900 is running linux kernel
Sep 26 16:58:43 we'd actually need a way to sign/check bootloaders and check the first one in hw, but ..... meh :)
Sep 26 16:59:05 X-Loader is signed by nokia key
Sep 26 16:59:13 NOLO not (thankfully!)
Sep 26 16:59:28 see what happened with N9/N950 and harmattan
Sep 26 16:59:33 useless device for hacking
Sep 26 16:59:34 that's what I suspected yeah .... but that means we cant add signature check code to it
Sep 26 16:59:57 thus cant ensure our 2nd-stage bootloader hasn't been modified
Sep 26 17:00:05 I think it is better
Sep 26 17:00:24 modifying 2nd stage bootloader without active system and equipment is not so easy
Sep 26 17:00:25 more from #u-boot:
Sep 26 17:00:36 19:57 < Marex> dkbrz: if you want to encrypt all things, add small SPI NOR for u-boot, encrypt and checksum that one using the bootrom (make CPU your root of trust) and then store both the u-boot and kernel in that NOR
Sep 26 17:00:40 19:58 < Marex> dkbrz: u-boot can decrypt kernel using CPU's crypto engine and boot it, kernel can then decrypt, verify and mount the FS from initramfs
Sep 26 17:00:52 yup, it'd be better than nothing, or than encryption
Sep 26 17:11:14 dkbrz, just an idea, boot linux then somehow load/kexec encrypted kernel?
Sep 26 17:12:24 KotCzarny: it sounds even more complex than u-boot + grub. :)
Sep 26 17:12:26 or make kernel requiring decryption key available via bt dongle
Sep 26 17:12:45 what is problem with having kernel image unencrypted?
Sep 26 17:16:29 Pali: some more privacy only. Actually, for my purposes it's ok. Just have all other system with full encryptions, maybe a bit lowering expectation and less mental comfort :)
Sep 26 17:21:32 but chainloading grub sounds interesting, I'll try it just out of curiosity
Sep 26 18:38:21 * DocScrutinizer05 beats bencoh with a huge wet Aegis
Sep 26 19:03:18 an attacker able to do anything you might try to stop with such encryption (i.e. replacing kernel by an unsigned one) is also able to do basically all the things you might want to forbid via that encrypted kernel
Sep 26 19:03:27 sorry
Sep 26 19:04:00 sorry that was poorly worded, but actually still to the point
Sep 26 19:05:49 more normal language: what does it help when you can tell an attacker replaced the kernel and your system doesn't boot the non-encrypted/signed new kernel, when the same attacker that sneaked in that new kernel already copied all your protected stuff since he could do that as well when he could replace the kernel
Sep 26 19:18:38 yes, somebody with physical access could sneak in a kernel that discloses your master password while they only could steal the encrypted partition
Sep 26 19:55:18 DocScrutinizer05: ?
Sep 26 19:56:36 I only said that the only way to "guarantee" "security" would be to keep a chain of signed software, from 1st-stage bootloader (checked by hw) to kernel/initrd
Sep 26 19:58:31 and who will have signing keys?
Sep 26 19:58:47 how will be distributed (to HW)?
Sep 26 19:58:58 and who will be able to change them?
Sep 26 19:59:06 Pali: on n900, we just cant do it :)
Sep 26 19:59:08 or just attach some explosives and trigger anything suspicious
Sep 26 19:59:40 who is responsible for security audit of that HW signature verification code?
Sep 26 19:59:57 and how to replace them if security problem will be found?
Sep 26 20:00:16 it is not about n900, those are general questions for any phone
Sep 26 20:00:48 Pali: device vendor
Sep 26 20:01:51 I say that if owner of phone does not have all above in his own control, then there is no real security
Sep 26 20:03:48 indeed, and that's exactly what happened with n900 :)
Sep 26 20:04:17 its still leaps and bounds better than most of the phones today
Sep 26 20:09:02 true ... i have taken ownership of my dad's old SGS4 - the hardware is nice (processor, ram, display) - but the OS just leaves a lot to be desired. i feel boxed in :(
Sep 26 20:16:05 port maemo to it ;)
Sep 26 20:41:57 haha .. the Replicant team seems to have had significant problems porting to it ..
Sep 26 20:42:09 so you can already see the chances for Maemo
Sep 26 20:42:27 CM works good apparently
Sep 26 21:07:47 but CM is full of blobs
Sep 26 21:08:07 (not that we don't have any in maemo, but ...)
Sep 26 21:59:23 yes .. hence my disinterest in CM
Sep 26 23:52:28 Some Lenovo laptops have some "tamper detection", which might be a reasonable solution if done correctly.
Sep 27 00:41:51 spammers are spreading the world with their empty words.. our filters now are bigger and also more cruel.
**** ENDING LOGGING AT Tue Sep 27 02:59:59 2016