Continue reading »]]> El Reg reports that facebook share dealing opened at $42 per share (up $4 on the opening IPO price of $38). As they wryly point out, the Telegraph reports that that price makes the company “worth” more than Boeing.

That is nonsensical beyond belief. Boeing actually make things. Big things, that other companies pay a lot of money to buy. Facebook’s sole revenue source is advertising.

A small prediction. This time next year, facebook’s shares will be trading at less than $5 each – tops.

Continue reading »]]> One of my hobbies is motorcycling. I have travelled extensively by bike in central and southern europe over many years, but oddly, I have never visited scotland before. I intend rectifying that shortly. When travelling in europe I have always made do with the excellent Michelin range of 1/1000000 (1 cm to 10 km) maps. These maps are of sufficient detail to aid serious navigation and they also fold quite neatly to fit in a motorcycle tank bag top. Never before have I felt the need of a GPS satnav device.

My wife, however, has a TomTom in her car and I noted that the device has two distinct advantages over a static map. Firstly it is immensely useful in the “last 5 mile stage” when you are hunting for a B&B in an unfamilar town, and secondly (of most use when in trouble) it has a “where am I” function that pinpoints location so that you can give your co-ordinates to a rescue service. This latter function is reassuring to someone travelling alone (or to someone left behind by someone travelling alone). So, since I shall be travelling alone in Scotland over some wild and windy expanses where the weather is notoriously less predictably friendly than it is in southern europe at this time of year, I saw the sense in getting a satnav. I bought a garmin (small, light and cheap). Mine even came with a free lifetime subscription to map updates. The device itself is a doddle to set up and works very well. But it has a fatal design flaw – all software and map updates assume that you have a microsoft windows or apple OSX desktop at home. Well, guess what. I don’t.

The garmin update mechanism uses a plugin to IE, firefox, safari or chrome. But only if you are using a “compatible” operating system. No matter how hard I tried to fool the site using a user agent switcher I couldn’t get the plugin to work. I even tried using wine (which according to one or two sites on-line) should have worked, but no, garmin refused to play ball. I can happily mount the satnav as a removable drive on my linux desktop so copying maps (or even software) to the device should be easy.

Now this is more than just a little irritating. I have paid for a device with a “lifetime map update licence”. But I can’t update the maps without a PC running a particular OS. I’m pretty sure that garmin satnavs run a version of embedded linux so the company cannot pretend they have no linux expertise. Worse, they can produce a plugin for OSX machines (which is BSD based) but not something which is debian based.

Garmin, I am disappointed. And annoyed as hell.

Continue reading »]]> Michal Zalewski (aka lcamtuf) has just announced that google is changing the terms of its vulnerability purchase program. The google announcement says:

Today, to celebrate the success of [the program] and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:

• $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
• $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
• Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.

Interestingly, the earlier part of the announcement says that the existing program resulted in:

“over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals.”

So, depending upon how you do the arithmetic, over the last year google paid out around $590 per vulnerability, or around $2300 per researcher. Whatever your views on the merits or otherwise of paying for vulnerabilities, that strikes me as pretty cheap, in all senses of the word.

As an aside, I found it amusing that the first commenter on the google posting was one Andrew Wallace, who styles himself an “Independent Consultant”. Wallace has been making a nuisance of himself around various security related mail lists and web fora for a while now. He used to post as “n3td3v” or latterly, as “Andrew from n3td3v”. Back in July 2010, Wallace labelled the google researcher Tavis Ormandy a “cyber terrorist” following Ormandy’s rather public disclosure of a nasty vulnerability he believed Microsoft were trying to hide. Interested (or bored) readers are invited to search the ‘net for Andrew Wallace, n3td3v.

It is also worth recording that as a result of Ormandy’s (some may say “premature”) disclosure in June 2010, after an initial furious response from Mike Reavey, Head of MSRC, Microsoft went on to devise and publish a new “Coordinated Vulnerability Disclosure” policy (warning, MS docx format document) covering the disclosure of “zero day” vulnerabilities in other vendor’s products.

Continue reading »]]> Bugtraq can be an interesting list. Back in June 2008 I noted that one Craig Wright had posted an advisory about a vulnerability in an Oral B toothbrush. Well, just over a week ago a chap called Gabriel Menezes Nunes posted a proof of concept remote denial of service attack on a Sony Bravia television set. He had discovered that a packet flood attack to any port on his TV using the tool “hping” would cause a denial of service. In his post he says:

“After 35 seconds the TV stop working and back. This happens 3 times. At fourth time, the TV shuts down. In less than 3 minutes, the TV is off remotely. It is necessary to turn on the TV physically.”

I can’t help thinking that using the normal remote control would have been easier.

Continue reading »]]> The guardian’s series on internet freedoms (or otherwise) continues today with an article by Richard Stallman on the kindle and ebook publishing. Stallman makes a point I’d missed in my own commentary on the kindle when he says:

“Many other habits that readers are accustomed to are not allowed for ebooks. With the Amazon Kindle, for instance, you’re not allowed to buy a book anonymously. Kindle books are typically available from Amazon only, and Amazon doesn’t accept cash so users must identify themselves. Thus Amazon knows exactly which books each user has read. In a country like Britain, where you can be prosecuted for possessing a forbidden book, this is more than hypothetically Orwellian.”

One obvious way around this is not to buy ebooks from Amazon (or anyone else). The only books on my kindle are those out of copyright which I have downloaded from sites such as project gutenberg or other sites listed on portals such as ireaderreview. Of course you have to be careful that you do not add such books to your personal document archive or Amazon will helpfully copy and list them in your “kindle library”.

And I still haven’t really used my kindle except when on holiday.

(Note that Richard Stallman’s article is Copyright 2012 Richard Stallman under a Creative Commons Attribution Noderivatives 3.0 license)

Continue reading »]]> This week the guardian, my newspaper of choice, is running a week long series of articles under the theme “battle for the internet“. The reporting looks set to be interesting and is due to cover the following themes: “the militarisation of cyberspace”, “the new walled gardens”, “IP wars”, “civilising the web”, “open resistance”, and (doomladen prophecy) “the end of privacy”. Personally I find the terms “cyberspace/cyberwar/cyberjihad/cyberwhatever” a horrible americanisation, but unfortunately the labels seem to have gained some traction even here in the UK. Whatever, it is at least refreshing that a mainstream newspaper (the guardian is mainstream, right?) should be taking a look at the issues rather than leaving it to the specialist press.

Yesterday’s reporting though was a hoot. The paper led with a front page article reporting an interview with Sergey Brin. Brin is reported to have said:

“there are very powerful forces that have lined up against the open internet on all sides and around the world”. and “I am more worried than I have been in the past, it’s scary.”

OK – I can see how there could be a number of possible threats to the continued existence of the sort of open and collaborative ‘net that I so admire. But the guardian article went on to say:

“The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy, and the rise of “restrictive” walled gardens such as Facebook and Apple, which tightly control what software can be released on their platforms.”

“He said he was most concerned by the efforts of countries such as China, Saudi Arabia and Iran to censor and restrict use of the internet, but warned that the rise of Facebook and Apple, which have their own proprietary platforms and control access to their users, risked stifling innovation and balkanising the web.”

and moreover

“There’s a lot to be lost,” he said. “For example, all the information in apps – that data is not crawlable by web crawlers. You can’t search it.”"

So: along with restrictive regimes and an entertainment industry fighting to retain a lost business model, according to the world’s largest infringer of personal privacy, one of the biggest threats to the internet is the fact that apple and facebook won’t let google search the data they have gathered.

Is it just me? Or is this bonkers?

Continue reading »]]> I have just tried to (re)view a youtube video I last looked at a couple of weeks ago from a link that a friend sent me in an email. On clicking the link I got the message: “This video is private. If the owner of this video has granted you access, please log in.” On clicking the link, I was taken to a google sign in page.

I suppose I shouldn’t be surprised at that. After all, the new google privacy policy, which covers all of its “services”, is now in place. But I must admit it did piss me off more than a little. What next? Must I sign in to watch pingu with my grandson?

No google, I won’t sign in just to view a youtube video. But walling off bits of the ‘net may yet be your downfall.

Continue reading »]]> My last post contained two (non-existent) email addresses in my baldric domain in the extract from my postfix logs. As I said in the post, I had edited the log entry specifically to mask real details. Yesterday, only four days after that post, I received spam email attempts at those addresses.

As I have said in the past, if you don’t want spam, don’t publish your email address.

Continue reading »]]> In January of this year I wrote about t-mobile’s apparent policy of actively looking for and blocking any TLS-secured SMTP sessions over their network. At the time I believed this to be a cockup rather than a deliberate policy. I still prefer to believe that, but the episode left a rather sour taste in my mouth. So this month I took the opportunity presented by the end of my contract to shift to another provider. Of course, in doing so I gained a nice shiny new ‘phone which meant that I could spend a fun few hours setting it up the way I wanted it and nailing it down as much as possible so that it didn’t leak all my data to google. This is unnecessarily difficult, and much harder than it should be (and I know that people like Peter H will simply tell me that I shouldn’t be using an android ‘phone in the first place). But that is not the point of this post.

Like most people these days, I use my ‘phone to pick up email. The standard email client on my last ‘phone was pretty uninspiring so I used K-9 mail in its place. K-9 is a pretty good application, but it has a silly little bug in it which is still not sorted properly. This bug manifests itself in a rather odd, and unpredictable way – K-9 seems to “forget” the X509 certificate used to protect the authentication process if that certificate is self-signed, or otherwise not verifiable by an external CA. The cure, such as it is, is to simply refresh the certificate by reloading the account settings and accepting the cert when K-9 warns you that “TrustAnchor found but validation failed”. The length of time between accepting the cert and K-9 “forgetting” it again seemed random to me, so I got into the habit of refreshing my account settings whenever I noticed that I hadn’t received any mail for a while. Annoying, but not ultimately a deal breaker for using what was otherwise a pretty good application.

So, the first application I looked at on my new mobile was, of course, email. The default mail client on this new phone looks a lot slicker than the old one on my previous phone, but then it is a much newer ‘phone, from a different manufacturer and the android version is much newer too, so no real surprise there. The setup seemed to have no problem with my self signed certs so I thought I might stay with the default to see if it would solve my annoying little problem with K-9.

Unfortunately not.

Whilst I had no problem with incoming mail over my IMAPS connection, all attempts to send mail failed. On checking my server logs I found the following (real details changed or obfuscated):

Mar 20 20:45:57 pipe postfix/smtpd[7594]: NOQUEUE: reject: RCPT from home.baldric.net[12.34.56.78]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<null@baldric.net> to=<noone@baldric.net> proto=ESMTP helo=<localhost>

Aha! My postfix configuration is set up to reject hosts which do not have valid hostnames or do not announce themselves with fully qualified domain names (i.e. names of the form “host.domain”). Now since I use SASL authentication in my postfix configuration the fix is relatively easy; just ensure that the stanza “permit_sasl_authenticated” appears in both “smtpd_sender_restrictions” and “smtpd_helo_restrictions” before “reject_non_fqdn_hostname” – thusly:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain

(In fact, this episode highlighted an error in my postfx configuration because my helo restriction was inadequate. By now checking the authentication before the helo restriction kicks in I am still well protected, but mail from valid authenticated users is permitted.)

I am in that (very) small minority of people who run their own mail servers and are able to change server side configurations. But, and this is a big but. I should not have to change the server side configuration to accommodate a broken client and the vast majority of people will not be able to do so anyway. Almost all well set up mail servers will reject mail where the client connection announces itself in the helo exchange as “localhost”. That is normally an indication of a spammer, indeed spamassassin will allocate a high score to any mail which is so flagged. This means that there will be a huge, and growing, number of people who cannot send mail from their android ‘phones.

If this is the default android mail behaviour, then google need to fix it now. Meanwhile, K-9 is looking attractive again.

Continue reading »]]> Today I received two (make that four now – must sort out my spam filters) phishing emails from a source new to me. Each email purported to come from “linkedin” and each invited me to login to respond to “invitations from your work colleague”. Since a) I have never been a member of linkedin, and b) am retired, the invitations immediately looked suspect, but the return address looked real at first sight. That is, until I looked more closely. The actual address used was linkedln.com (with a second letter “l”) rather than the correct linkedin.com.

Nice try.