Friday, March 3, 2023

Phishing scams using URL Shorteners

I am sure many of you are familiar with shortened URLs that redirect you to a different long-winded URL when clicked. If you’ve ever seen or used tinyurl.com, or a bit.ly link, you are already familiar with how they work. 

These short-URL services, like bit.ly, have been abused by scammers for their phishing campaigns for a while now. Recently, there has been increased use of this technique, specifically leveraging reputable/legitimate websites like linkedin.com (see link below), since malware protection software and spam blockers are unlikely to block short links created by reputable organizations like LinkedIn.

https://www.malwarebytes.com/blog/news/2023/02/linkedin-slinks-abused-to-phish-email-and-payment-details

So how do you know if your given short URL is not going to take you to a shady phishing site or worse, to a malware laced website? Essentially, what you need is an inverse of shorturl i.e., longurl 😁 which expands the shorturl to show where it would take you if you were to click. That is exactly what I have done on this simple tool below. Feel free to use.

https://selvansoft.com/longurl/

Note: Try expanding this sample short link (https://bit.ly/3YuGbTA) using the longurl service above. For safety, the redirect address is checked without actually traversing there, and it goes only one level deep. There is also urlscan.io, which does a lot more, if you want to try that as well.
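The one-level expansion described in the note, as an added example (this is not the code behind the longurl service): it sends a single HEAD request, reads the Location header and never requests the destination. The local demo shortener, its paths and the 203.0.113.7 target are constructed so the example runs offline.

```python
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand_once(short_url, timeout=5.0):
    """Return (status, target) for exactly one hop; target is None if no redirect.

    http.client never follows redirects on its own, so the destination
    site is not contacted: only the shortener sees a request.
    """
    parts = urlsplit(short_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "longurl-example"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if resp.status in REDIRECT_CODES and location:
            # Location may be relative; resolve it against the short URL.
            return resp.status, urljoin(short_url, location)
        return resp.status, None
    finally:
        conn.close()


def triage(target):
    """Cheap checks on the expanded address, done without visiting it."""
    parts = urlsplit(target)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        ip_literal = True       # a bare IP instead of a name deserves a second look
    except ValueError:
        ip_literal = False
    return {"host": host, "https": parts.scheme == "https", "ip_literal": ip_literal}


class _DemoShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortener: /abc123 redirects, anything else is 200."""

    def do_HEAD(self):
        if self.path == "/abc123":
            self.send_response(301)
            self.send_header("Location", "http://203.0.113.7/login.html")
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def demo():
    server = HTTPServer(("127.0.0.1", 0), _DemoShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return [expand_once(base + "/abc123"), expand_once(base + "/plain")]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status, target in demo():
        print(status, target, triage(target) if target else "")
```

Because only one hop is resolved, a target that is itself another shortener still hides the final destination; feed the result back into `expand_once` to see the next hop.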

PS: I also have a very simple shorturl service similar to bit.ly here  https://selvansoft.com/shorturl/ Again, feel free to use.

Thursday, January 26, 2023

DocuSign sends sensitive info in plain text

Yes, you read the title correctly. DocuSign indeed sends everything including sensitive information to you after you complete "docusigning" something.

Have you ever used the DocuSign service for signing any documents? I am sure many of you are familiar with DocuSign because it is used very widely for signing documents online. If you think you haven't used it, think again; you may have used it and not know about it. Typically, a lot of the information you enter when you sign any legal document, like your loan application, lease contract, loan, or even job acceptance these days, goes via DocuSign. When both parties have completed the signing process, DocuSign will send you a mail with a copy of the fully signed/executed document (PDF file) once. The PDF file is likely to contain your SSN, DOB, address, phone number, account number and much other sensitive information you may have entered during the signing process. Guess what, all of these are in "plain" form and sitting in your email (gmail, yahoo etc). If you don't believe me, search your email for messages from docusign.net and open the attachment they sent you. You would not believe what you see.

If you use gmail (who doesn't?), here is an easy search filter to quickly show all mails from DocuSign containing PDF files.

"from:(docusign.net|docusign.com) has:attachment filename:pdf"

The screenshot below will help if you don't know how to search for e-mail messages with filter. 



How to spot phishing attempt - an anatomy of a phishing Email

Note: This is an old post from 2014 at blog.selvans.net. It is moved to this site as part of migration. Though it is more than 8 years old, it is still valid and relevant.

If you consider yourself as someone who knows how to spot spam and phishing emails, you won't learn anything new here. Others who want to learn how to spot spam or phishing mails, especially if you are someone who simply can't resist clicking on links in your email no matter how many times you were told not to :)  read on …

Like most of you, every now and then I get a phishing mail delivered to my inbox. Gmail usually does a pretty good job of filtering spam and phishing mails; however, this particular one slipped through the gmail spam filter because of my own filter (a discussion of why it slipped is outside the scope of this blog). Anyway, here is a screenshot of the phishing mail we will be dissecting in this blog. Apparently, citibank all of a sudden lost everything they know about me except my email address :). You can stop right here since it is clearly a phishing attempt, but for the purpose of this exercise, let's continue. At a glance, for a novice email user, it looks legitimate: it appears to have come from citibank.com and instructs me to download the attachment called Citibank.html. It must be important since it is from the citibank alert service, and I should immediately download the file and double click it, right? The first thing you need to understand is that the 'mail from' (in this case alerts@citibank.com) is the easiest thing to fake. To find out where it really came from, you need to see the full email headers using the “show original” option. [Note: The screenshot below is from gmail, but as far as I know all mail clients like yahoo, hotmail, outlook etc. allow you to view the 'raw' content of the mail, which will show all mail headers.]



When you select the 'show original' as shown above, you can get the 'raw' mail content including all the mail headers (see annotated screenshot below).



From the above screenshot, you can clearly see that google's mail server received this mail from decisiontreetech.com, not from citibank.com (highlighted in yellow). Does this mean decisiontreetech.com is the phishing source? The answer is no. In this case, it looks like someone from that company seems to be infected with malware, allowing a remote hacker to hijack their email account session to send phishing mail via that company's mail server. If you look further down, you can see that a remote host from France with the IP address 62.244.93.88 initiated this message. For many of you, unless you are in the cyber crime division of law enforcement, at this point it doesn't matter who the criminal is (we will discover that shortly below); you know this is fake, and you should simply delete this mail and go on with your life. You can continue to read if you are interested in dissecting this mail further ...

Now, we are going to examine the attachment the crook wants you to download so he can collect your information. Typically, you can view the raw mail safely with your browser to see what the attachment contains and make sense of it, as long as it's not binary. In this case it is supposed to be an HTML file. However, the crook encoded the content of the HTML text with base64 encoding so it is not easy to see what he is trying to do and where he intends to send your information (see the screenshot below).


I can just download the file to let the browser decode the base64 encoded HTML for me or just simply copy the content and decode it myself. The following screen shot is a relevant part of the HTML file decoded using an online decode tool from www.base64decode.org



Finally, you can see they are posting your information to a webserver at 69.73.182.242 to eventually mail everything to two email addresses, i.e. sammy78@iname.com and effeferegregregre@yahoo.com. There you have it.

PS: As of this writing the above server is still up and running although the post action is no longer working.

Hope this blog helped you learn how to easily spot phishing mails and protect your hard-earned money. The bottom line is, if you get a mail asking for stuff your financial institution should already know, it's a fake; delete it.
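The two manual checks walked through above (who really handed the mail to your provider, and where the base64-encoded HTML attachment would post your data), scripted as an added example that is not part of the original post. The message is constructed with documentation domains and IP ranges; `build_sample`, `analyze` and the field names are hypothetical.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample data, not the mail dissected in the post.
SAMPLE_HTML = (
    '<html><body><form method="post" action="http://203.0.113.9/post.php">'
    '<input name="card_number"><input name="pin" type="password">'
    "</form></body></html>"
)


def build_sample():
    """Build a raw message: spoofed From, two Received hops, base64 HTML attachment."""
    msg = EmailMessage()
    # Newest hop first, exactly as it appears in "show original".
    msg["Received"] = ("from mail.relay.example.net (mail.relay.example.net "
                       "[198.51.100.25]) by mx.mailprovider.example with ESMTP "
                       "id abc123; Mon, 01 Sep 2014 10:00:02 -0700")
    msg["Received"] = ("from [192.0.2.77] (unknown [192.0.2.77]) by "
                       "mail.relay.example.net with ESMTPA id 42; "
                       "Mon, 01 Sep 2014 19:00:00 +0200")
    msg["From"] = "Bank Alerts <alerts@bank.example>"
    msg["To"] = "victim@mailprovider.example"
    msg["Subject"] = "Account verification required"
    msg.set_content("Please open the attached form.")
    # Bytes content is transferred as base64, like the attachment in the post.
    msg.add_attachment(SAMPLE_HTML.encode(), maintype="text", subtype="html",
                       filename="Bank.html")
    return msg.as_string()


HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f:.]+)\].*?by\s+(?P<by>\S+)")


class FormFinder(HTMLParser):
    """Collect form targets and field names without rendering the HTML."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action", ""), "fields": []})
        elif tag == "input" and self.forms and attrs.get("name"):
            self.forms[-1]["fields"].append(attrs["name"])


def received_hops(msg):
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))   # undo header folding
        if match:
            hops.append(match.groupdict())
    return hops


def attachment_forms(msg):
    found = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.is_multipart():
            continue
        if (part.get_content_type() != "text/html"
                and not name.lower().endswith((".htm", ".html"))):
            continue
        # decode=True reverses the base64 transfer encoding.
        html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        finder = FormFinder()
        finder.feed(html)
        found.extend({"file": name, **form} for form in finder.forms)
    return found


def analyze(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    # Only the top hop was written by your own provider; lower ones can be forged.
    handoff = hops[0]["helo"].lower() if hops else ""
    mismatch = not (handoff == from_domain or handoff.endswith("." + from_domain))
    return {
        "from_domain": from_domain,
        "hops": hops,
        "origin_ip": hops[-1]["ip"] if hops else None,
        "from_mismatch": mismatch,
        "forms": attachment_forms(msg),
    }


if __name__ == "__main__":
    print(analyze(build_sample()))
```

A From/relay mismatch alone is not proof, since legitimate senders also use third-party mail services; the posted form target and the fields it collects are what settle the question.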


How to protect your Facebook account with encrypted notifications

Note: This is an old post from 2015 at blog.selvans.net. It is moved to this site with updated screenshot and content. Though it is more than 7 years old, it is still valid & Facebook still supports this feature.

As part of the Facebook account security feature, Facebook sends various notification e-mails. All these notification e-mail messages are in plain text. For notification e-mails like "Login Alert", it is not a big problem if the mail content is plain text as it does not contain anything important. However, in the case of password reset request e-mail, it is a problem since the reset code is sent in plain text. If your e-mail account is compromised, for example by a session hijacking method, the hacker has access to your e-mail account until the session expires so they can request Facebook password reset and easily take over your Facebook account.

Note: How your account got session hijacked is outside the scope of this blog but typically, it can happen when clicking on phishing e-mails or visiting infected websites etc.

From Jun 2015, Facebook introduced an option for users to request all notification e-mails in encrypted form. If you are already using or familiar with PGP, you can now provide your public key to Facebook so it will use it to encrypt all e-mail communications to you. Go to your Facebook profile and navigate your way to the "Security and login" section or click here https://www.facebook.com/settings?tab=security

See the screenshot below where I entered my public key.



Once you enter your public key (make sure to check the box to enable encrypted notifications) and save changes, you will get an encrypted mail from Facebook. You then decrypt the mail using your PGP tool and confirm using the link Facebook sends you. After this, all e-mails from Facebook will be encrypted using your public key so only you can decrypt them. In addition, you should add Facebook's public key to your PGP keyring so you can verify the signature of the encrypted e-mail to ensure it is from Facebook. The key is at the link below.


See this whole process in action. I get numerous attempts by cyber criminals monthly, weekly and even daily sometimes to reset my facebook password. The following is an example of an attempt. For every attempt, facebook will send me an e-mail (shown in the screenshot below) with encrypted content containing the reset code which is useless to anyone but me.



Below is the screen shot after I decrypted the content using my private key. 


So even if my e-mail account was compromised (highly unlikely 😀), the hacker can't read the code sent by Facebook to reset my password since he can't decrypt the mail without my private keys. For PGP encryption/decryption, I use GnuPG (https://gnupg.org/download/). However, there are other tools and browser plug-ins readily available which you can easily install in your browser (chrome or firefox) to use PGP.

If you are new to PGP, then read the link below for a quick introduction before getting started on using Facebook encrypted e-mails.

https://www.makeuseof.com/tag/pgp-me-pretty-good-privacy-explained/

How to access your passwords anywhere

Note: This is an old post from 2014 at blog.selvans.net moved to this blog site.

Have you ever forgotten the password to log in to one of your many online accounts? It happens to me all the time, so I save all my passwords to a file, encrypt it, and have a shell script to decrypt, search and spit out the plain password whenever I don't remember it. This is great when I am at home, where I have access to my script and my encrypted password file. However, if I don't remember a password to a site when I am not at home, it is a problem. So I exposed a simple public interface on my webserver to securely decrypt my passwords online from anywhere. Feel free to use this tool to encrypt/decrypt anything (passwords, email, or just any text) and share a per-message passphrase with another person so they can decrypt the message to its original content. Don't worry, no one will be able to read it unless you give them your passphrase. You can save the encrypted content (see a sample below) anywhere, like google docs, dropbox, skydrive, or a usb stick, so you can easily access it anywhere. Feel free to use the tool (it is at the link below). There are many password manager tools like lastpass, keepass etc. available freely that do similar things; the only difference is that here you control how you safeguard your encrypted file and, in addition, you have simple web access to encrypt/decrypt any arbitrary text.



It is perfectly safe to store the encrypted message anywhere on your laptop/desktop as it will be encrypted with the strong AES-256 cipher. Whenever you need to see the message content, all you need to remember is the passphrase you used to encrypt it. To get an idea of how it works, decrypt the sample content below using the passphrase 'th1s 1s coo1' (without the quotes).

b97ca8a4928db1a7M5lbEofsXXYqTrvEQXyIYBwbJgqUo8S5iUZuzUuoX370OzoeIXiEbkX1KKprK02Z7n9ocnMx1JoEeB3cJdgqBxkpO84Pq+rQrSsUcgLtOp10xZnFM40EJX9RPyLD7Gyl1yKIzZ5nuWxrKIz29R5UFel6J6ZBGKCbWRP2lVbaQPKFZLJtgUQ7Vq7sKxffUOepPoBxeCWcpNYyhthj4IQ/t1WUl8asGSH7CUp0Rje3GJIaHBSciwUDA+g4euunb4NY6Kivq3O7FCyJ8REpZgZ9TIZuUgYFV0tjMi9xdAxWR4EUsJUaG4fC+5JfFA05cGZgcEkwc9VSdLKDc6L1p3Ku3L/3dRnBSlSC1hXZM0Shsdo=

Sunday, July 17, 2022

How much of your info is freely available online?

Have you ever wondered how much of your information is available on public websites for anyone to search? I am sure some of you are aware of paid services that go far beyond typical google and other search engines but I am talking about totally free service to instantly get a ton of information not only on you but also everyone associated with you like your kids, neighbors, relatives, phone numbers, and more. Not to mention all the places you have ever lived which I am sure many of you know is one of the key attributes to validate your identity with many financial institutions.

Well, wonder no more, as there is tons of information about you online, freely available for anyone to search. And it is constantly being updated and redundantly stored on multiple online sites!

Now that I caught your attention 😊, here is a quick way to find out how much information is out there on you and how to remove your information ... well, you can attempt to remove it but it's not that easy, which is explained at the end. Just open your browser and navigate to the following site below and search your name and your address (just city or even state is fine) or phone number ... you would be very surprised to see how much of your info is out there. 

https://www.fastpeoplesearch.com/



Make sure to scroll down all the way and click the "VIEW FREE DETAILS" button at the bottom (as shown in the screenshot), which brings up the detailed screen showing all the info they have on you. I am sure some of you know that this is not new, and this specific site has been in business for well over 10+ years, but how much information they have gathered over the years is nuts! This site has a lot more free information now than it had when I looked at it several years ago.

Note: I removed my information but it is erroneously showing someone else in that place 😄

So how do you remove it? For this site, navigate to the link below and follow the directions. It should be fairly quick to get your data removed. Feel free to post a comment on this blog if you have trouble removing yourself and I will try to help you. Now, the big question is, how long it's going to stick?

https://www.fastpeoplesearch.com/removal

Here are a few more sites and the corresponding removal links but these are by no means a full list. 

| Website | Removal Link |
|---|---|
| www.truepeoplesearch.com | https://www.truepeoplesearch.com/removal |
| www.peeplookup.com | https://www.peeplookup.com/opt_out |
| www.beenverified.com | https://www.beenverified.com/app/optout/search |
| truthfinder.com | https://www.truthfinder.com/opt-out/ |
| www.zabasearch.com | |
| www.intelius.com | https://www.intelius.com/opt-out/ |
| www.familytreenow.com | https://www.familytreenow.com/optout |
| www.peekyou.com | https://www.peekyou.com/about/contact/optout/index.php |
| www.fastpeoplesearch.com | https://www.fastpeoplesearch.com/removal |
| www.spokeo.com | https://www.spokeo.com/optout |
| nuwber.com | https://nuwber.com/removal/link |
| Radaris | https://radaris.com/control/privacy |
| unmask.com | https://unmask.com/opt-out |
| whitepages.com | https://www.whitepages.com/suppression-requests |
| infotracer.com | https://infotracer.com/optout/ |
| emailtracer.com | https://emailtracer.com/privacy |
| freebackgroundcheck.io | https://freebackgroundcheck.io/optout |
| govwarrantsearch.org | https://www.govwarrantsearch.org/ |
| familytreenow.com | https://www.familytreenow.com/optout |
| peopledatalabs.com | https://www.peopledatalabs.com/do-not-sell-or-share |
| clustrmaps.com | https://clustrmaps.com/bl/opt-out |


I know there are literally hundreds of them out there, and they all scrape data back and forth, in addition to pulling data from common public sources and constantly updating themselves. As detailed above, they all provide a mechanism (it varies by site) to remove your information, but you will soon find out that removing your info becomes a constant game of whack-a-mole, since they all feed on each other and the information you removed will be back, eventually! 😟

While this blog is focused on outlining how to remove publicly available data from data brokers, it is worth mentioning that you should also check if your personal data has been compromised in any of the data breaches over the last decade or so. Obviously, you can't remove breached data, but you can find out if any of your critical PII data, like your SSN, is part of these breaches and take necessary action. The following table lists a few websites among the many out there to search.

| Website | Description |
|---|---|
| https://haveibeenpwned.com | A go-to website that has aggregated data from many breaches of the last few decades |
| https://npd.pentester.com | Exclusively searches the NPD dataset - a super large breach in July 2024 |
| https://monitor.mozilla.org/ | |
| https://dehashed.com/ | |



If you find that your SSN has been leaked, which is highly likely with the NPD data breach if you live in the US, you can read this blog below on how to freeze your credit file to protect yourself from becoming a victim of identity theft.

On a final note, there are many paid services like Optery, Incogni, DeleteMe, BrandYourself, and many more that claim to remove your data from all sites for good. However, I am very skeptical about how effective these services are and whether it is even worth spending a lot of money on them. On the plus side, they are convenient and eliminate the time and effort required to do it yourself. However, on the flip side, they now have all your detailed personal data in addition to all these data aggregators. In the event that they get breached (if not today, it will be soon; that is the reality), your full information could end up on the dark web forever. In my opinion, doing it manually is one less thing to worry about.

Sunday, June 26, 2022

Deterministic Password Manager

While Apple, Google, and Microsoft are all very hard at work on a variety of passwordless schemes, passwordless logins will not be a reality at every website you visit anytime soon, simply because password-based login systems are the easiest and the cheapest to implement, and most businesses, including banks/financial institutions, are too lazy and don't want to do anything unless they are forced to implement a better solution. So we all have to continue using password managers for quite some time to come.

There are many commercial and free versions of password managers out there to choose from but most of them store your encrypted password somewhere on the cloud which has a potential to be compromised. What if a password manager stores literally nothing and is able to deterministically calculate your password every time you access it? Would that be cool? That is what I did with my deterministic password manager prototype below. 

My website password.selvansoft.com creates deterministic passwords without storing anything in the cloud or in local storage, unlike many password managers. All you need to remember is your single passphrase plus the website name (FQDN) and username for each website to create or retrieve your strong password on the fly. For convenience, the password is copied to the browser's clipboard so it can be pasted into the website's password field directly.

Note: Password length can be set to 8 characters for old and outdated websites that still insist on 8 characters, but it is highly recommended to use 16. Also, fields are case sensitive to ensure high variability in the generated passwords.
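The idea above, sketched as an added example; it is not the code behind password.selvansoft.com, whose algorithm the post does not describe. The password is recomputed from the passphrase, FQDN and username on every call, so nothing is stored. PBKDF2-HMAC-SHA256, the iteration count, the salt layout and the output alphabet are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Assumed output alphabet (74 symbols); the real site's character set is not stated.
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Bytes at or above this limit are discarded so every symbol is equally likely
# (a plain "byte % 74" would favour the first symbols of the alphabet).
LIMIT = 256 - (256 % len(ALPHABET))


def _has_all_classes(password):
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def derive_password(passphrase, fqdn, username, length=16, iterations=200_000):
    """Recompute the same password from the same three inputs, storing nothing."""
    if length not in (8, 16):
        raise ValueError("length must be 8 or 16")
    if not (passphrase and fqdn and username):
        raise ValueError("passphrase, fqdn and username are all required")

    # Length-prefixed fields keep ("ab", "c") and ("a", "bc") from colliding.
    # Inputs are used as typed, so "Example.com" and "example.com" differ.
    # Including the length makes the 8- and 16-character passwords unrelated.
    salt = f"{len(fqdn)}:{fqdn}{len(username)}:{username}{length}".encode("utf-8")

    # Slow key stretching: the passphrase is the only secret, so guessing it
    # offline must be expensive.
    seed = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)

    counter = 0
    while True:
        chars = []
        while len(chars) < length:
            # Expand the seed into as many pseudo-random bytes as needed.
            block = hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
            chars.extend(ALPHABET[b % len(ALPHABET)] for b in block if b < LIMIT)
        candidate = "".join(chars[:length])
        # Sites commonly demand every character class; if one is missing, keep
        # drawing from the same deterministic stream until a candidate qualifies.
        if _has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    print(derive_password("correct horse battery staple", "example.com", "alice"))
```

Because the same inputs always give the same output, rotating one site's password after a breach means changing one of the inputs for that site.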


Simple Encrypted Drive

We all have sensitive data that we need to keep away from prying eyes. While there are many free software packages and solutions available, they all have advantages and disadvantages. A discussion of the available solutions and their pros/cons is outside the scope of this blog. If you are interested in using a simple, highly secure and, most importantly, free solution where you have 100% control of your sensitive information, read on. Note: This is only if you use a Mac or Linux laptop/desktop; sorry, no Windows.


Here is a simple shell script to encrypt your data locally on your hard drive or on a portable USB stick to take it anywhere. If your USB stick is lost or stolen, the data stored on it is of course useless to anyone. The script works by creating an encrypted disk using a special filesystem driver (encfs) and allows you to copy your ordinary (i.e. unencrypted) files through the driver just like copying a file with your operating system's copy command. To access these files, you have to mount the drive with your passphrase. Once the filesystem is mounted, the files are available through a mounted drive in plain form to retrieve or update. Once the filesystem is unmounted, they stay on your hard drive or USB stick in encrypted form.

Here is how to use it.

./encrypted_drive.sh -d /tmp -m

In the screenshot below, I am using the /tmp directory just as an example, but you should actually choose permanent storage, like an ordinary directory in your home path such as "$HOME/encrypted" or a USB disk mount, e.g. /Volumes/<mydisk> on Mac. Note: you need to choose a strong passphrase and remember it to access your files later. The very first time you run it, the script will ask you a question about the encrypted volume type as shown below; just hit enter to take the default. Subsequent runs will not ask anything except the Encfs password, i.e. the master password you chose to mount the encrypted volume.



Once the drive is mounted (the screenshot above shows the mounted drive on your desktop), you can simply copy your sensitive files using the operating system's copy command as shown below, or just drag and drop files like you'd do with any other drive/path. The mounted drive will stay mounted for 15 minutes and then unmount itself automatically for security reasons.


As you can see from the above screenshot the files are now accessible through the mount point (/tmp/decrypted) for reading and writing in plain form. Once you unmount using -u command, you see the files in /tmp/decrypted are gone and the actual files in encrypted form are in /tmp/encrypted which is useless if anyone got a hold of your USB drive or your computer containing these files. (Note: replace /tmp/ with the path you chose for your permanent storage when you mounted the drive)

The script is available in my GIT repo below. Download it and follow the instructions (below) to install the encfs which is required for this script to operate. Love to hear feedback.


#  Instructions for installing encfs

#   Mac
#   run the following 2 commands on mac terminal (assumed you have brew installed)
#     brew cask install osxfuse
#     brew install encfs
#   
#   Linux:
#     Ubuntu/Debian: apt-get install encfs
#     Redhat/CentOS: yum install encfs  
#     Other: refer to your distro manual
#
#   Windows:
#      Sorry, wipe that crap 😃 and install Linux or get a Mac!
#

Facebook knows you way more than you think!

We all know that Facebook collects data on all of us. They manage to do that in different ways, including via 3rd-party web browser cookies; an explanation of 3rd-party cookies goes beyond the scope of this blog, but you can read about it at the link here. Though 3rd-party cookies are slowly being phased out, the alternative, i.e. FLoC proposed by Google, is, as per many privacy advocates, even worse, so for now, just assume Facebook and other platforms will always have a way to spy on you.

While there are ways to restrict what Facebook collects (follow steps at end of this blog), there is not a whole lot you can do to make them stop other than just deleting your Facebook account. The reason is, Facebook generates substantially all of its revenue by selling ads so they have to monitor your online activity to slap you with targeted ads and curated content based on your web browsing behaviour i.e. the sites you visit, shop, like etc. At the end of the day, Facebook knowing I have T-mobile wireless, or shop at Amazon or browse Reddit is not a big deal for me, I just don't care. However, when I looked at what websites are sharing with Facebook, specifically, financial institution that I do business with, I was concerned. My financial institution (will not mention their name here) shared with Facebook something related to my activity, see below ... 

Off-Facebook Activity

It is unclear to me what they shared since I don't have the details other than Facebook telling me they did. I have the habit of clearing all cookies on banking and financial websites frequently, so unfortunately, I can no longer access this specific cookie in my browser to see the content! However, based on the name of the activity shared, i.e. "COMPLETE_REGISTRATION", I can only assume it is not something I would like them to share, whatever it is. If it was just "PAGE_VIEW" like all other sites, I would be ok with it. The only thing I remember is opening a new account and transferring money on those 2 days at the exact time mentioned, which caused my concern. Why on earth does Facebook need this information? Just to give some perspective, this is just one specific instance of a website I have discussed above; there could be a crap ton of them we visit every day sharing all kinds of stuff w/ Facebook 😮

Finally, if you got this far, you can follow the steps below to tell Facebook to quit doing this, at least for now, until they figure out new ways of profiting on you 😃


Update: (May 22, 2024): Since many page links and interfaces have changed since this original post back in June 2022, I updated the details below as of today. 

While logged in Facebook ...

  1. Navigate to https://www.facebook.com/off_facebook_activity
  2. Click "Manage future activity"
  3. Click on "Disconnect future activity" [Note: this will also clear all the stored activity so you don't need to clear that]
For visual reference, the screenshots for steps 2 and 3 are below.




Sunday, November 2, 2014

How to get free home phone service w/ Google Voice + OBi

If you are still paying for home phone service, you should look into this. This blog will walk you through setting up a free, feature-rich home phone service with no monthly recurring cost (except the one-time cost of the OBi device you purchase). You can enjoy features like unlimited free local and long distance calling in US & Canada, $0.01/minute to India, unlimited call blocking of annoying telemarketer calls, call screening, call hour schedule, custom greeting, voice mail transcript to your e-mail and a boatload of other features. The only requirement is that you need to have a decent internet connection. Interested? Then read on.

OBi110:

First you need to get an OBi110 VoIP device (for about $60 at amazon.com). Here is a link to it: http://www.amazon.com/gp/product/B0045RMEPI

Google Voice (GV):

Next, sign-up to get a free GV number. Anyone with a g-mail account can get one by clicking the link below...just follow the instructions. If you don't have a g-mail account, no worries, you can create free account here http://www.gmail.com ; it should not take more than a few minutes.


Number porting:

Skip this section if you are fine with the brand new phone number GV assigned to you. However, if you don't want a new phone number and would like to keep your existing number, Google will happily port your number to the GV service for $20. It gets a bit complicated if your existing number happens to be a land-line number, because Google will not be able to port a land-line. The good news is, there is a way to port your land-line number to the GV service by first porting it to a mobile provider (t-mobile); when that porting is complete, you can ask GV to port it from t-mobile. Just follow this link http://www.obihai.com/porttutorial that will walk you through that process. I took this route to port my land-line number since I had the same number for almost 18 years and I did not want to lose it … the total cost to port my land-line following the link was about $35 ($20 for Google + $10 for t-mobile prepay card used in the process to convert my land-line to mobile number).

Setting up OBi Device:

Once you get your OBi device, connect the internet port of the OBi to your internet router and power it on. Connect a home phone (corded or cordless base unit) to the port named “Phone” on the device (Note: there is also a “Line” port there; I will explain later in this blog what you can do with it). Now, create an account at http://www.obitalk.com using your Google account credentials. After the account is created, log in to obitalk.com and click on the “Add Device” link on the left of your dashboard (Note: ensure that the check-box “I want to configure Google Voice on this device” is checked) and follow the prompts to set up the GV service on the OBi. Keep the home phone connected to the device handy, as you will have to dial some codes to activate the device during the process. Once you complete this step, and if all goes well, your corded or cordless phone connected to the OBi will be active and ready to make local and long distance calls. Congratulations, you are ready to enjoy the free service!

To set up and use all the great Google Voice features (custom greeting, call blocking, call screening, etc.), read the documentation at the link below. There is plenty of documentation available on the web besides this.


International calls:

If you just want the home phone for calls in the US and Canada, you can skip this section as well as the rest of the blog. Otherwise, read on to set up cheap calls to many countries, especially India. This step is very simple; all you have to do is add money to your GV account! You can do that on the GV webpage here: http://google.com/voice. Click the + link next to the word “Credit” on the left under your GV phone number and follow the prompt.

The rest of the blog is for optional things like skype integration. If you are not interested, you can skip the rest of the blog.

Skype integration: (optional)

Since many people use skype to make and receive international calls these days, you can optionally integrate your skype account with OBi so you can call your friends and family overseas via your skype account bridged to OBi. The OBi110 device is equipped with two SIP lines. The first one (SP1) is already used for the GV service that you set up earlier, and the second one (SP2) is free to do whatever you want with. We can use the empty SP2 to link your skype client to OBi so your friends and family overseas who use skype can call your skype client, which in turn will call your OBi, which in turn will ring your home phone. Sounds good, right? This step is a bit complicated and you can potentially screw up your device, but if you follow the steps carefully it should be OK. This skype integration is not needed if you prefer to use the skype client and are comfortable with it. If that is the case, you can skip this section.

Here are the steps to follow to link your skype client to OBi
  1. Download the latest SipToSis (a program that creates a bridge between your skype client and OBi device) from here: http://www.mhspot.com/sts/siptosis_download.php Once download is complete, extract the archive to a folder named SipToSis. Execute SipToSis_win.bat (windows users) on a command prompt or SipToSis_linux (Linux users). When activity has stopped, terminate SipToSis.
  2. Now, using notepad (or vi), edit the SkypeToSipAuth.props file and add the following line at the end of the file. To do this, you first need to find the IP address of your OBi device: pick up your home phone, dial ***1 and press the talk button. Your OBi will speak the IP address (and other settings) for you; once you have noted down the IP, you can hang up. I assume you know your skype_id :) Note: replace the appropriate entries on the line, without any angle brackets of course.
    *,sip:siptosis@<your_OBi_IP_Address>:5061,<your_skype_id>
  3. Add a # in front of the line in the same file as shown below
    #*,play:clips/invalidDest.wav
  4. Go to obitalk.com and enable expert settings (click the blue button for expert/advanced configuration, click yes at the warning and click enter to enable expert settings page). Under the expert settings, make the following changes.
    Service Providers -> ITSP Profile B -> SIP -> ProxyServer : 127.0.0.1
    Voice Services -> SP2 Service -> AuthUserName : (put anything here)
    Voice Services -> SP2 Service -> X_RegisterEnable : (unchecked)
    Voice Services -> SP2 Service -> X_ServProvProfile : B
    SP2 status should show : Registration Not Required
  5. Start skype client.
  6. Start SipToSis on the command prompt. (You should see output similar to what I get on my machine, shown below for reference.)

Launching SipToSis

2014-11-01 21:47:25,062 Starting SipToSis v20130716
2014-11-01 21:47:25,065 Skype4Java Version 1.3.0.1
2014-11-01 21:47:25,065 os=Linux ver=3.13.0-37-generic arch=amd64 (8 core)
2014-11-01 21:47:25,065 javaVer=1.7.0_72 - Oracle Corporation (64 bit)
2014-11-01 21:47:25,091 Available Codecs: PCMU(0),PCMA(8),iLBC(98),L16/16k(102)
2014-11-01 21:47:25,091 DTMF rfc2833(101)
2014-11-01 21:47:25,092 initSkype - If stuck, check Skype online & API auth
2014-11-01 21:47:25,628 SkypeVer:172
2014-11-01 21:47:25,703 Attached SkypeUserId:aselvan
2014-11-01 21:47:25,713 Config - skypeClientSupportsMultiCalls:false concurrentCallLimit:2
2014-11-01 21:47:25,713 SipToSis contact_url=sip:skypests@192.168.x.xxx:5070
2014-11-01 21:47:25,713 via_addr=192.168.x.xxx realm=
2014-11-01 21:47:25,713 RTP Ports: 63200-63202 Local Skype Ports: 64432-64435
2014-11-01 21:47:25,713 jitterLevel=-1
2014-11-01 21:47:25,750 Registrar Server Domains=
2014-11-01 21:47:25,751 MaxCallTime: not limited MaxPSTNCallTime: not limited
2014-11-01 21:47:25,751 MaxDailyPSTNUniqueNumberCount: 48 MaxDailyPSTNMinutes: 350
2014-11-01 21:47:25,751 Loading Skype PSTN Call History
2014-11-01 21:47:25,756 WAITING FOR INCOMING CALL
...

At this point (assuming I haven't missed any steps) you have your OBi device bridged to the skype client successfully. To test it out, you can set up a speed dial to your skype friend or the skype test user “echo123” as shown below in the obitalk.com speed dial setup (you can find it under the “Add Device” link).

sp2(<your_friends_skype_id>@<your_computers_IP_address>:5070)
sp2(echo123@<your_computers_IP_address>:5070)

Note: Replace <your_computers_IP_address> with the IP address of your PC running SipToSis and Skype client. Enter the above without the angle brackets in the “Number/Address” field of an empty speed dial entry, you can add a friendly name in “Name” field.

Once the skype speed dials are setup, you can simply pickup the phone and dial the speed dial number and press talk. This will make the OBi call SipToSis which in turn calls skype client which actually connects your home phone to your skype buddy on a voice call.

BTW: The speed dials are for anything; they can be skype friends or just any phone numbers. You can set up up to 99 speed dials.

Bridging a land-line with OBi: (optional)

Finally, if you have an existing land-line and would like to keep it as a second line for home business, or you just love to pay the telephone company for whatever reason :), you can link that to OBi so you can take advantage of OBi features on that line as well. Remember the “Line” port mentioned earlier? That is where you connect your existing telephone service. Once connected, you need to go to your obitalk.com account, click on “Add Device” and follow the prompt (note: ensure that the check box “I want to configure Google Voice on this device” is unchecked this time). The only reason you may want to do this bridging is so you can use the same phone to make calls using different services (GV or your land-line), and to take advantage of the OBi features. OBi by default will use SP1 (your GV service) to make outbound calls. You can however change that in the obitalk.com settings.

Final thoughts:

OBi is highly configurable and comes with a ton of useful features. In my opinion, it is way too complicated for ordinary folks to mess with all of them, especially the inbound and outbound call routing rules, digitmaps, auto attendant etc. In order to play with all of them you need to spend a lot of time reading the manual (first link below) to learn how to do it. If you are happy with GV features (sufficient even for an advanced user), just don't mess with any settings on your OBi.

Enjoy your OBi!


Saturday, May 3, 2014

How to block unwanted calls using Vonage and Google Voice

While most VoIP-based telephone service providers offer features to block annoying telemarketers and SPAM calls, Vonage does not provide any feature to block calls, but I still stick to Vonage for a number of other features I really like. The following are 3 simple and easy steps to set up selective call blocking using a combination of Vonage and Google Voice service. Not an elegant solution, but it does work and, most importantly, it's free :) I have been using it successfully for a couple of years now.

Just follow the 3 steps below.

1. Get a free google voice number. Go to https://www.google.com/voice and follow the prompt to set it up with your home or cell (you should remove it later) and google chat as the forwarding numbers as shown below ...

Phones setting: http://selvans.net/vonage_scb/gvsettings.png
Calls setting: http://selvans.net/vonage_scb/gvcallsettings.png
Note: mine shows only google chat since I removed all forwarding numbers.

2. Log in to your vonage account and set up simulring to ring your google voice as shown below
Simulring: http://selvans.net/vonage_scb/simulring.png

3. Log in to your vonage account and set up voicemail timeout settings as shown below
Vonage VM timeout: http://selvans.net/vonage_scb/vmtimeout.png

After this, whenever you get an unwanted call, log in to google voice, select history, find the unwanted number and select "block" from the pulldown menu under "more" as shown below ...
http://selvans.net/vonage_scb/gvblock.png

Note: Google does a pretty good job on its own blocking spam... as you can see, I did not have to block this 702-815-2394 number since google already did that for me :)

In addition, if you have a list of numbers to be blocked you can follow my original post below to setup a group of numbers to block.

https://forums.vonage.com/showpost.php?p=17184&postcount=56

Enjoy!

How to set up key-based ssh, scp to Transcend WifiSD card


The following are steps to get root and ssh access to a Transcend WifiSD card to automate copying of files from the card. It is assumed that the user has some knowledge of Linux scripts and commands. It is also assumed that the user is going to use a Linux host to interact with the card, although the setup can easily be used on Windows as well using tools like winSCP, cygwin or pscp.exe.

The setup outlined here is based on the information and code shared by the original author (Glen) at the following link/blog.
https://www.pitt-pladdy.com/blog/_20140202-083815_0000_Transcend_WiFi_SD_Hacks_CF_adaptor_telnet_custom_upload_/

DISCLAIMER: Use it at your own risk. I am not responsible for any loss or damage to your property.

STEPS:

0. Use the Transcend tools (Android app or iOS app) to configure your card to connect to your home wifi network; while you are at it, change the admin user, the card's wifi ssid, passwd etc. Make sure your card successfully connects to your wireless network and note the IP address assigned to it by your home wifi router.

1. Download and extract http://selvans.net/public/custom.tar.gz on your desktop computer and edit the autorun.sh file to uncomment the line below for telnet access, i.e. remove the '#'

   telnetd -l /bin/bash &

2. Edit the access.sh file and change "trusted_network" variable to match yours

   trusted_network="your_routers_ssid:your_routers_ip:your_router_mac"
   example: trusted_network="myrouterssid:192.168.1.1:ff:ff:ff:ff:ff:ff"
 
3. Insert your SD card in your computer and copy the entire custom/ directory from step #1 above to the root directory of SD card. In addition, also copy autorun.sh to root directory of SD card.

4. Remove card and reinsert it into your computer.

5. Now you should be able to telnet to your card from your linux box, i.e. telnet <your_card_ip>
In the examples shown below 192.168.xxx.xxx is my WifiSD card  and 192.168.yyy.yyy is my ubuntu desktop

   arul@cheetah:~$ telnet 192.168.xxx.xxx
   Trying 192.168.xxx.xxx...
   Connected to 192.168.xxx.xxx.
   Escape character is '^]'.
   # ls
   bin             home            lost+found      sbin            usr
   config_value    init            mnt             sys             var
   dev             lib             proc            tmp             www
   etc             linuxrc         root            ts_version.inc

6. Once you are logged in via telnet as shown at #5 above, you need to create dropbear hostkeys and copy them to your desktop to include in the /custom directory on the SD card. Note: I have included two dummy files in the /custom directory; you need to replace them by creating your own key files, i.e. follow the example below but use your IP address and your user name of course.
 
   # dropbearkey -t rsa -f /tmp/dropbear_rsa_host_key
   # dropbearkey -t dss -f /tmp/dropbear_dss_host_key
   # scp /tmp/dropbear_* arul@192.168.yyy.yyy:/tmp/.
 
Now, copy the 2 files from your /tmp directory to the custom/ directory on the SD card, replacing the dummy files.

7. Create a dsa key pair on your desktop (or use your existing dsa public key if you already have one) and copy the public key to the /custom directory as authorized_keys. Note: I have a dummy authorized_keys file that you need to replace.

   ssh-keygen -t dsa
   cp ~/.ssh/id_dsa.pub custom/authorized_keys

8. Once you update all the key files in the custom/ directory on the card, unplug your card and plug it back into your device (computer or camera) one last time. Once the card boots, you should be able to ssh into your card or scp files, or set up automated scripts to copy files from the card to your desktop... and pretty much do everything you can do with ssh!
 
   example: 
   arul@cheetah:/tmp$ ssh root@192.168.xxx.xxx
   # cat /proc/cpuinfo 
   Processor : ARM926EJ-S rev 5 (v5l)
   BogoMIPS : 421.06
   Features : swp half fastmult edsp java 
   CPU implementer : 0x41
   CPU architecture: 5TEJ
   CPU variant : 0x0
   CPU part : 0x926
   CPU revision : 5

   Hardware : KeyASIC Ka2000 EVM
   Revision : 0000
   Serial : 0000000000000000
   
   # date
   Sat May  3 16:13:53 UTC 2014
   
   # /sbin/busybox-armv5l uname -a

   Linux (none) 2.6.32.28 #137 PREEMPT Fri Mar 22 18:21:52 CST 2013 armv5tejl GNU/Linux

   # exit
   Connection to 192.168.xxx.xxx closed.

   arul@cheetah:/tmp$ scp -r root@192.168.xxx.xxx:/mnt/sd/DCIM/* .
   DSCN0254.JPG                                          100%  836KB 278.8KB/s   00:03 
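The keys created in steps 6 and 7 are DSA (ssh-dss), which ssh-keygen generates at 1024 bits only and which OpenSSH has disabled by default since version 7.0, so it is worth checking what custom/authorized_keys holds before copying it to the card. The script below is an added example, not part of the original post or of the custom.tar.gz scripts: it parses authorized_keys lines and reports each key's type and size. The 2048-bit RSA threshold, the function names and the sample lines (constructed, non-functional keys) are assumptions of this example.

```python
import base64

MIN_RSA_BITS = 2048  # assumed policy threshold, not a value from the post
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def read_field(blob, pos):
    """Read one length-prefixed SSH wire field; return (bytes, next_pos)."""
    n = int.from_bytes(blob[pos:pos + 4], "big")
    field = blob[pos + 4:pos + 4 + n]
    if len(blob) < pos + 4 or len(field) != n:
        raise ValueError("truncated field")
    return field, pos + 4 + n

def audit_line(line):
    """Return (key_type, bits, verdict) for one authorized_keys line."""
    tokens = line.split()
    # Options may precede the key, so locate the key-type token first.
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return (None, 0, "unparseable")
    declared = tokens[idx]
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        embedded, pos = read_field(blob, 0)
        if embedded.decode("ascii", "replace") != declared:
            return (declared, 0, "type-mismatch")
        if declared == "ssh-rsa":
            _, pos = read_field(blob, pos)        # public exponent e
            modulus, _ = read_field(blob, pos)    # modulus n
            bits = int.from_bytes(modulus, "big").bit_length()
            return (declared, bits, "ok" if bits >= MIN_RSA_BITS else "weak")
        if declared == "ssh-dss":
            prime, _ = read_field(blob, pos)      # prime p
            return (declared, int.from_bytes(prime, "big").bit_length(), "weak")
    except ValueError:                            # also covers invalid base64
        return (declared, 0, "unparseable")
    return (declared, 0, "ok")  # Ed25519/ECDSA: size is fixed by the type

def make_line(key_type, *ints):
    """Build a CONSTRUCTED, non-functional key line for the samples below."""
    raws = [key_type.encode()]
    raws += [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in ints]
    blob = b"".join(len(r).to_bytes(4, "big") + r for r in raws)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

SAMPLES = [make_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3),
           make_line("ssh-rsa", 65537, (1 << 2047) | 1)]
if __name__ == "__main__":
    print([audit_line(s) for s in SAMPLES])
```

To check a real file, call audit_line on each non-comment line of custom/authorized_keys; a "type-mismatch" verdict means the declared key type does not match the type encoded inside the key blob.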


Have fun with ssh/scp on your Transcend WifiSD card!

TOOLS:
   This is where I got the prebuilt busybox and dropbear binaries for reference. They are already in the custom/ directory for convenience.
   arm5l busybox: http://busybox.net/downloads/binaries/latest/
   arm5l dropbear: http://landley.net/aboriginal/about.html