Jul 22 2012

the accidental stupidity of good intentions

For some years now I have used what used to be the freecycle system to dispose of unwanted, but otherwise useful items from my home. In return I have sometimes used the same mechanism to get hold of things like books which someone else wishes to get rid of. A couple of years or so ago, the UK freecycle organisation split from the US parent and was renamed “freegle”. Naming and politics aside (and there was some nasty politicing going on) the purpose and intentions of the UK freegle organisation continued to be honourable and useful. A lot of goods and material that would otherwise have ended up in landfill has been successfully recycled.

To date, UK freegle has been based on yahoo groups. Members subscribe to a freegle group covering their area and then send/receive email alerts about items offered or wanted. But yahoo groups is not an ideal mechanism for an organisation such as freegle, so alternatives are popping up – usually web based and often bespoke. My local group recently received lottery funding to help it establish just such a website.

Following an email from the group’s moderators about the intended change (and imminent closure of the old yahoo group) I signed up to the new system. Having done so I then set about editing my preferences and settings. One of the settings required is “postcode”, which the system uses with (an editable) radial distance in miles to determine which offers/requests to email to you. Alongside the required postcode, is the option to include your full address. Entering your full address will obviate the need to add it later when giving details to other freeglers about how to get to your location to pick up offers. Address details are apparently necessary because all interaction between freeglers now takes place (and is moderated) via the website address. Unlike the old system whereby freegler’s email addresses were exposed, users of the new system only see the freegle group address. (This, incidentally, is a “good thing” (TM)). However, one of the other settings on the preferences page is a checkbox marked “On holiday”.

Forgive me for thinking that this might not be a good idea.

Permanent link to this article: https://baldric.net/2012/07/22/the-accidental-stupidity-of-good-intentions/

Jul 20 2012

gpg key upgrade

Following a recent discussion about gpg key signing on my local linux user group email list, one of the members pointed out that several of us (myself included) were using rather old 1024-bit DSA GPG keys with SHA-1 hashes. He recommended that such users should upgrade to keys with a minimum size of 2048 bits and a hash from the SHA-2 family (say SHA256).

I believe he is right. That is good advice and it is long past time that I upgraded. So, I have now created a new default GPG key of 4096 bits – that should last for a while. However, that leaves the problem of how to migrate from the old key to the new key when the old key has been in circulation since at least 2004.

Fortunately, Daniel Kahn Gillmor (dkg) has published a rather nice and useful how-to on his debian-administration blog. I used that guide, supplemented with some further guidance on the apache site to come up with a transition plan. If you wish to contact me securely in future, then please use my new GPG key. My signed transition statement is here. A copy is given below. That transition statement is signed with both my old and new keys so that people who have my old key may be sure (or as sure as they can be if they presume that my old key has not been compromised) that the new key is valid and a true means of secure communication with me.

(BTW, the way to sign a document with two keys is as follows:

gpg –clearsign –local-user $KEYID-1 –local-user $KEYID-2 filename

where $KEYID-1 and $KEYID-2 are the eight digit IDs of the old and new keys. This is not well documented in the GPG manual.)

Copy of transition statement

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1,SHA256

GPG transition statement – Friday 20 July 2012

I am moving my preferred GPG key from an old 1024-bit DSA key to a
new 4096-bit RSA key.

The old key will continue to be valid for some time, but I prefer all
new secure correspondence to be encrypted with the new key. I will be
making all new signatures with the new key from today.

This transition was aided by the excellent on-line how-to at:

https://www.debian-administration.org/users/dkg/weblog/48

This message is signed by both keys to certify the transition.

The old key was:

pub 1024D/10927423 2004-07-15

Key fingerprint = E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423

And the new key is:

pub 4096R/5BADD312 2012-07-20

Key fingerprint = FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312

I have signed my new key with the old key. You may get a copy of my
new key from my server at rlogin.net/keys/micks-new-public-key.asc

To fetch the new key, you can get it with:

wget -q -O- https://rlogin.net/keys/micks-new-public-key.asc

Or, to fetch my new key from a public key server, you can simply do:

gpg –keyserver keys.gnupg.net –recv-key 5BADD312

If you already have my old key, you can now verify that the new key is
signed by the old one:

gpg –check-sigs 5BADD312

If you don’t already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

gpg –fingerprint 5BADD312

Please let me know if you have any trouble with this transition. If you
are also still using old 1024-bit DSA keys, you too may wish to consider
migrating your old key to a stronger version.

Best

Mick
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlAJms8ACgkQueqCzBCSdCM90wCeMo25AmWEdEEztjY635LPFtxB
qcMAn17NUSPZLPZAmknloWacWUsXFGndiQIcBAEBCAAGBQJQCZrPAAoJEAof5gtb
rdMSDyUQALIMRKcIZgaOqMPBA2o5juJTu0W9mICEaNMl4Cnf7kw5zZvwc+vu/9N0
pTYwgc0UmrG3Uy0rzBU53jf6coAqu3g2rqfWQ4+Ns03gGfdFCTYlKP0IlpntlVba
TxAaw52ScCLKOKCJK7atXxF0PvQCKK9wATbT1HgHZ6dHBzejEn4X308UzkgEzQ/l
Z1FQtgwkZrVd2QQlYBn6PxYrFqaH0rEBSKJWskAY05IalIwRXD6Pj7oq8BdwhU4t
cFK41afY74ZgAhvNzYs7Ge8Dk3Izj1RtN7nRnESD0ZZAFUG9M8smolE9f677xeOR
TRgVKEBhDN3JvKo+wuxgxsCpB1DD/W2yIs+b7Y140GvPvwGZjcF50tEP0KhZMiIK
/W1UxwNmQhDmTrhilL4o6efVaI1EZgyn6sdyycimrQ+0zm1o+TSntiF2o5Ulj+uY
JnME9WfnNWcfS9ezp6ZQ03YkhW5PVGaWg9KxPGN2hWOKtCBHJf1E5xOS5zy4kgc8
C9HovVp0N46MZleTBYE/v5JdJ5/yrktcSfYGA6jeOaBDHFb6qNkGcMQVlpNszKid
7a5Q4/rJ/Z75BMoVBaicNwUZpqHvCxDHMXjuw44RzG/QWca6ljxmSF/8ZFPggqJP
uTv3wKd0Y8i3DjWmAX/ps4viQEeDal7w5lqoJBA6YulQGnwqFAl5
=DzN2
—–END PGP SIGNATURE—–

Permanent link to this article: https://baldric.net/2012/07/20/gpg-key-upgrade/

Jul 07 2012

RBS meltdown

I’ve been away on holiday during the one of the most public, and potentially most expensive, IT screwups for some time. By now everyone will be aware of the meltdown in RBS/NatWest/Ulster Bank systems. Since my return, I’ve been catching up on some of the on-line commentary and analysis. I particularly liked this comment on El Reg in an article discussing how management might address the root causes of the fault:

“the decision to put the cheapest person they could find anywhere in the world in such a responsible position was a bad idea.”

That reminded me of Alan Shepherd’s famous quote about the early US space programme:

“It’s a very sobering feeling to be up in space and realize that one’s safety factor was determined by the lowest bidder on a government contract.”

I guess some people are currently looking for new jobs.

Permanent link to this article: https://baldric.net/2012/07/07/rbs-meltdown/

Jun 19 2012

fail

My new bank (which is actually one of the few remaining mutuals in the UK) sent me my voting forms for the AGM today (by postal mail). The information pack included details of how to vote on-line should I choose to do so, together with two unique “voting codes” one of eight digits the other of four alphanumerics. Sure enough, entering the requisite codes on the website allowed me access to the voting arena.

Once there, besides actually voting, I was presented with a checkbox saying: “Opt to receive future AGM information by email and you could win 1 of 10 prizes of £1000 (prize draw rules apply).” (Clearly they wish to encourage email as a cost saving measure). However, upon clicking the checkbox I was presented with a new box saying “By ticking this box, I agree that in future the Society may email my voting codes to my email address below and that I can access the Notice of AGM and Summary Financial Statement and give my voting instructions on the Society’s secure online voting site via a link sent to my email address. To access your AGM documents by email in future years please provide your email address below:”

Oh dear, a repetition of the BCS stupidity of a few years ago. No way do I want supposedly secure, unique, voting codes sent to me via email, unless of course the bank can encrypt with my public key.

Guess what?

Permanent link to this article: https://baldric.net/2012/06/19/fail/

Jun 17 2012

microsoft goes all canonical

It would seem that Microsoft has been taking a look at the world of linux and decided that the best way to take on the emerging desktop threat is to emulate the competition. Unfortunately for them, they seem to have decided to emulate the stupidest of decisions recently taken by Canonical and have completely redesigned the windows desktop interface in windows 8 to make it look like a mobile phone. [Note, that link goes to techradar. I would link to the official windows 8 pages, but they insist on using silverlight….].

When I first saw the early reviews of the new metro interface I couldn’t quite believe that Microsoft (who are not usually suicidal) could have made a mistake which so completely dwarfs the vista experience. So I downloaded a copy of the release preview and fired it up in a virtualbox VM. I chose the iso installation option because MS do not have the equivalent of a linux live distro and, since I do not run Microsoft software, the option of a live install is, fortunately, impossible for me. I say fortunately, because I cannot believe that anyone who selected that option and overwrote a working version of windows 7 will be at all happy.

Not that the iso install option was straightforward either. Microsoft, being Microsoft, cannot allow you to simply try out a pre-release version of their software, Instead, they make you jump through all sorts of unnecessary hoops to register and set up an account which will give you access to their on-line software repository. Why, is completely beyond me. I had to give MS a name, postcode, date of birth, gender, the name of my first pet and two, yes two, separate email accounts before they would let me in. Even then, I couldn’t successfully complete registration (OK, I may not have been entirely truthful in my registration details, but two separate trashmail accounts should have been enough). The last hurdle I faced was the “click this link to confirm your account” sent to the first of the two email addresses I gave. Clicking on that link took me to a windows live sign in page – and there, of course, I got stuck. MS wouldn’t let me sign in using FF on linux, saying, unhelpfully:

“The Windows Live Network is unavailable from this site for one of the following reasons:

  • This site may be experiencing a problem
  • The site may not be a member of the Windows Live Network.

You can:

You can sign in or sign up at other sites on the Windows Live Network, or try again later at this site.”

Now if the windows 8 installation in my VM had allowed cut and paste from my desktop (as is possible with a linux VM) I could have just pasted the login URL into IE and continued from there. But no, not possible, and I really could not be bothered to transcribe a 177 character long random URL by hand. I wasn’t that interested in continuing.

Here’s why:

And this is what you see if you click on the “desktop” icon:

What happened to the task bar and the infamous “Start button”?

That interface is not going to go down at all well even with domestic users, let alone businesses which may have invested significant time, effort and money in previous versions of windows.

Ironically, one of the arguments used against moving from windows to a linux desktop in the enterprise is the “cost of change” notably in the cost of staff training. It looks to me as if Microsoft may just have handed the open source community its best ever opportunity to move into space previously sewn up by Redmond.

(Oh, and BTW, windows 8 is painfully slow in a VM).

Permanent link to this article: https://baldric.net/2012/06/17/microsoft-goes-all-canonical/

May 27 2012

software is /not/ biological

I know language evolves, and I know that jargon from one domain is sometimes reused in another, completely unrelated domain, but I really, really do not like the increasing usage of the word “ecosystem” to refer to software/hardware or information systems. I think I first heard the word used in this way by a Microsoft guy in a presentation a few years ago. As I recall, what he he was /actually/ referring to was Microsoft applications running on the windows OS. Only he called it the “windows ecosystem”, possibly in the belief that that somehow sounded cooler or more important. Since then, I have seen (and heard) the word used to describe everything from simple application software (the “MySQL ecosystem”) to a collection of security systems.

I’m sorry, but an ecosystem is a biological system in which a collection of living things interacts with its environment. So a coral reef, or a rain forest are ecosystems, but microsoft word used in the accounts department of a business most assuredly is not. I’m with the FSF here, but sadly a search for the phrase “software ecosystem” will get you no end of business techno-babble references.

Permanent link to this article: https://baldric.net/2012/05/27/software-is-not-biological/

May 25 2012

stupid hunt

According to reporting today, Jeremy Hunt, the Secretary Of State for Culture, Media and Sport, lobbied the Prime Minister in support of Rupert Murdoch’s bid for BSkyB. The report says:

“The inquiry heard that the culture secretary drafted the email on his private Gmail account on 19 November 2010 despite being warned by his officials that he should not intervene because the decision was being taken exclusively by Cable. In the memo he voiced concern that Cable, the business secretary, had referred the takeover to media regulator Ofcom, warning him that James Murdoch was “pretty furious” and that the government “could end up in the wrong place in terms of media policy as a result”.

His Gmail account? Regardless of all else of Hunt’s manifest deficiencies, that act alone means that the man is not fit to hold Minsterial Office.

Permanent link to this article: https://baldric.net/2012/05/25/stupid-hunt/

May 22 2012

tor abuse

I have been running at least one tor exit node for about three years now. Over that period I have occasionally had to move provider following one or more abuse reports. Most ISPs like the quiet life, and you can’t really blame them for not wanting the hassle of dealing with complaints from other ISPs about apparent hostile activity originating from their networks. I have been with one provider for a couple of years and, until now, they have been understanding when they have received complaints and I have pointed them to my exit policy and my notice on the tor node itself. However, this week that changed. They have received two more reports of hostile activity, aimed apparently at Brazilian Government servers, in rapid succession. Following discussions with my provider I have now reluctantly agreed to shut down the exit policy completely. In future my tor node will relay only.

This is a shame, but the only real alternative I was faced with was to shut it down completely and/or move yet again. I’m no longer prepared to do that.

For the record, the activity logged by the victims showed that some bozo was using tor (and popped out of my node) to scan servers with sqlmap. It is extremely disappointing to me that the tor network should be adversely affected by that sort of script kiddie activity.

Update on 24/05/12

I emailed the tor-relays list about my experience and rapidly received a half dozen or so “me too” replies. It would seem that someone has been heavily targetting Brazilian governnment web servers through tor.

Permanent link to this article: https://baldric.net/2012/05/22/tor-abuse/

May 19 2012

pure bubble

El Reg reports that facebook share dealing opened at $42 per share (up $4 on the opening IPO price of $38). As they wryly point out, the Telegraph reports that that price makes the company “worth” more than Boeing.

That is nonsensical beyond belief. Boeing actually make things. Big things, that other companies pay a lot of money to buy. Facebook’s sole revenue source is advertising.

A small prediction. This time next year, facebook’s shares will be trading at less than $5 each – tops.

Update – added 19 June 2012 – this Nasdaq daily quote page for Facebook may be useful.

Permanent link to this article: https://baldric.net/2012/05/19/pure-bubble/

May 13 2012

disappointing satnav

One of my hobbies is motorcycling. I have travelled extensively by bike in central and southern europe over many years, but oddly, I have never visited scotland before. I intend rectifying that shortly. When travelling in europe I have always made do with the excellent Michelin range of 1/1000000 (1 cm to 10 km) maps. These maps are of sufficient detail to aid serious navigation and they also fold quite neatly to fit in a motorcycle tank bag top. Never before have I felt the need of a GPS satnav device.

My wife, however, has a TomTom in her car and I noted that the device has two distinct advantages over a static map. Firstly it is immensely useful in the “last 5 mile stage” when you are hunting for a B&B in an unfamilar town, and secondly (of most use when in trouble) it has a “where am I” function that pinpoints location so that you can give your co-ordinates to a rescue service. This latter function is reassuring to someone travelling alone (or to someone left behind by someone travelling alone). So, since I shall be travelling alone in Scotland over some wild and windy expanses where the weather is notoriously less predictably friendly than it is in southern europe at this time of year, I saw the sense in getting a satnav. I bought a garmin (small, light and cheap). Mine even came with a free lifetime subscription to map updates. The device itself is a doddle to set up and works very well. But it has a fatal design flaw – all software and map updates assume that you have a microsoft windows or apple OSX desktop at home. Well, guess what. I don’t.

The garmin update mechanism uses a plugin to IE, firefox, safari or chrome. But only if you are using a “compatible” operating system. No matter how hard I tried to fool the site using a user agent switcher I couldn’t get the plugin to work. I even tried using wine (which according to one or two sites on-line) should have worked, but no, garmin refused to play ball. I can happily mount the satnav as a removable drive on my linux desktop so copying maps (or even software) to the device should be easy.

Now this is more than just a little irritating. I have paid for a device with a “lifetime map update licence”. But I can’t update the maps without a PC running a particular OS. I’m pretty sure that garmin satnavs run a version of embedded linux so the company cannot pretend they have no linux expertise. Worse, they can produce a plugin for OSX machines (which is BSD based) but not something which is debian based.

Garmin, I am disappointed. And annoyed as hell.

Permanent link to this article: https://baldric.net/2012/05/13/disappointing-satnav/

Apr 24 2012

cheap?

Michal Zalewski (aka lcamtuf) has just announced that google is changing the terms of its vulnerability purchase program. The google announcement says:

Today, to celebrate the success of [the program] and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:

  • $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
  • $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
  • Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.

Interestingly, the earlier part of the announcement says that the existing program resulted in:

“over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals.”

So, depending upon how you do the arithmetic, over the last year google paid out around $590 per vulnerability, or around $2300 per researcher. Whatever your views on the merits or otherwise of paying for vulnerabilities, that strikes me as pretty cheap, in all senses of the word.

As an aside, I found it amusing that the first commenter on the google posting was one Andrew Wallace, who styles himself an “Independent Consultant”. Wallace has been making a nuisance of himself around various security related mail lists and web fora for a while now. He used to post as “n3td3v” or latterly, as “Andrew from n3td3v”. Back in July 2010, Wallace labelled the google researcher Tavis Ormandy a “cyber terrorist” following Ormandy’s rather public disclosure of a nasty vulnerability he believed Microsoft were trying to hide. Interested (or bored) readers are invited to search the ‘net for Andrew Wallace, n3td3v.

It is also worth recording that as a result of Ormandy’s (some may say “premature”) disclosure in June 2010, after an initial furious response from Mike Reavey, Head of MSRC, Microsoft went on to devise and publish a new “Coordinated Vulnerability Disclosure” policy (warning, MS docx format document) covering the disclosure of “zero day” vulnerabilities in other vendor’s products.

Permanent link to this article: https://baldric.net/2012/04/24/cheap/

Apr 18 2012

now switch it back on

Bugtraq can be an interesting list. Back in June 2008 I noted that one Craig Wright had posted an advisory about a vulnerability in an Oral B toothbrush. Well, just over a week ago a chap called Gabriel Menezes Nunes posted a proof of concept remote denial of service attack on a Sony Bravia television set. He had discovered that a packet flood attack to any port on his TV using the tool “hping” would cause a denial of service. In his post he says:

“After 35 seconds the TV stop working and back. This happens 3 times. At fourth time, the TV shuts down. In less than 3 minutes, the TV is off remotely. It is necessary to turn on the TV physically.”

I can’t help thinking that using the normal remote control would have been easier.

Permanent link to this article: https://baldric.net/2012/04/18/now-switch-it-back-on/

Apr 18 2012

stallman likes sharing

The guardian’s series on internet freedoms (or otherwise) continues today with an article by Richard Stallman on the kindle and ebook publishing. Stallman makes a point I’d missed in my own commentary on the kindle when he says:

“Many other habits that readers are accustomed to are not allowed for ebooks. With the Amazon Kindle, for instance, you’re not allowed to buy a book anonymously. Kindle books are typically available from Amazon only, and Amazon doesn’t accept cash so users must identify themselves. Thus Amazon knows exactly which books each user has read. In a country like Britain, where you can be prosecuted for possessing a forbidden book, this is more than hypothetically Orwellian.”

One obvious way around this is not to buy ebooks from Amazon (or anyone else). The only books on my kindle are those out of copyright which I have downloaded from sites such as project gutenberg or other sites listed on portals such as ireaderreview. Of course you have to be careful that you do not add such books to your personal document archive or Amazon will helpfully copy and list them in your “kindle library”.

And I still haven’t really used my kindle except when on holiday.

(Note that Richard Stallman’s article is Copyright 2012 Richard Stallman under a Creative Commons Attribution Noderivatives 3.0 license)

Permanent link to this article: https://baldric.net/2012/04/18/stallman-likes-sharing/

Apr 17 2012

battle for the internet

This week the guardian, my newspaper of choice, is running a week long series of articles under the theme “battle for the internet“. The reporting looks set to be interesting and is due to cover the following themes: “the militarisation of cyberspace”, “the new walled gardens”, “IP wars”, “civilising the web”, “open resistance”, and (doomladen prophecy) “the end of privacy”. Personally I find the terms “cyberspace/cyberwar/cyberjihad/cyberwhatever” a horrible americanisation, but unfortunately the labels seem to have gained some traction even here in the UK. Whatever, it is at least refreshing that a mainstream newspaper (the guardian is mainstream, right?) should be taking a look at the issues rather than leaving it to the specialist press.

Yesterday’s reporting though was a hoot. The paper led with a front page article reporting an interview with Sergey Brin. Brin is reported to have said:

“there are very powerful forces that have lined up against the open internet on all sides and around the world”. and “I am more worried than I have been in the past, it’s scary.”

OK – I can see how there could be a number of possible threats to the continued existence of the sort of open and collaborative ‘net that I so admire. But the guardian article went on to say:

“The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy, and the rise of “restrictive” walled gardens such as Facebook and Apple, which tightly control what software can be released on their platforms.”

“He said he was most concerned by the efforts of countries such as China, Saudi Arabia and Iran to censor and restrict use of the internet, but warned that the rise of Facebook and Apple, which have their own proprietary platforms and control access to their users, risked stifling innovation and balkanising the web.”

and moreover

“There’s a lot to be lost,” he said. “For example, all the information in apps – that data is not crawlable by web crawlers. You can’t search it.””

So: along with restrictive regimes and an entertainment industry fighting to retain a lost business model, according to the world’s largest infringer of personal privacy, one of the biggest threats to the internet is the fact that apple and facebook won’t let google search the data they have gathered.

Is it just me? Or is this bonkers?

Permanent link to this article: https://baldric.net/2012/04/17/battle-for-the-internet/

Apr 16 2012

rockbox rocks

Some time ago my wife bought me a Sansa Sandisk Clip+ music player. When she asked me “what kind of MP3 player” I would like, I specifically specified the Clip+ because it could handle ogg vorbis encoded audio files. All my audio disks are encoded in this format. Picky I know, but there you go.

The version she bought me was the 8 GB Black which comes with (you guessed it) 8 GB of internal storage – sufficient for a fair number of audio tracks. But this version also has a microSDHC slot which will take a maximum of another 32 GB. That should enable me to carry most of my music collection (which currently runs to around 47 GB) if I cut out some of the obvious duplicates and exclude some of my more embarrassing ’70s choices. The device is small, neat and light and also has a pretty good battery life.

But Sansa have not been entirely honest in their advertising. Sure, the device will accept additional storage, but it is largely unusable. Once you get past around 6 or 7 GB on the internal storage and even as little as 3 or 4 GB on the additional card, the device is not capable of building its database of the collection. The symptom is pretty obvious. As soon as you disconnect the Clip+ from the USB connection used to transfer files (and incidentally to charge the device) the display shows “Refreshing your media” and a progress bar which slowly fills from left to right. If you only use the internal storage, there is no problem, but as soon as you get past the 3 or 4 GB additional store on the external card, the clip+ will sit there, refreshing away, for hour after hour if you let it.

Even after a firmware upgrade, the device wouldn’t do what it was supposed to, so I turned to the FLOSS community yet again. This time in the shape of rockbox.

Rockbox is a free, open source jukebox utility which runs on a wide variety of devices. The website provides detailed instructions on how to install and use rockbox and even comes with an installer for most operating systems so that you don’t have to get your hands dirty installing it manually. Most impressive of all however, is that the rockbox firmware can be installed alongside the original player’s firmware without danger of bricking the device. If you find that you don’t like rockbox (and what’s not to like about a free product that outperforms the paid for original?) you can still boot into the original firmware because rockbox provides a dual boot facility. And if you really don’t like it, then you can simply remove it and go back to using the original.

Thoroughly recommended.

Permanent link to this article: https://baldric.net/2012/04/16/rockbox-rocks/

Mar 31 2012

this video is private

I have just tried to (re)view a youtube video I last looked at a couple of weeks ago from a link that a friend sent me in an email. On clicking the link I got the message: “This video is private. If the owner of this video has granted you access, please log in.” On clicking the link, I was taken to a google sign in page.

I suppose I shouldn’t be surprised at that. After all, the new google privacy policy, which covers all of its “services”, is now in place. But I must admit it did piss me off more than a little. What next? Must I sign in to watch pingu with my grandson?

No google, I won’t sign in just to view a youtube video. But walling off bits of the ‘net may yet be your downfall.

Permanent link to this article: https://baldric.net/2012/03/31/this-video-is-private/

Mar 29 2012

that didn’t take long

My last post contained two (non-existent) email addresses in my baldric domain in the extract from my postfix logs. As I said in the post, I had edited the log entry specifically to mask real details. Yesterday, only four days after that post, I received spam email attempts at those addresses.

As I have said in the past, if you don’t want spam, don’t publish your email address.

Permanent link to this article: https://baldric.net/2012/03/29/that-didnt-take-long/

Mar 24 2012

android mail client is broken

In January of this year I wrote about t-mobile’s apparent policy of actively looking for and blocking any TLS-secured SMTP sessions over their network. At the time I believed this to be a cockup rather than a deliberate policy. I still prefer to believe that, but the episode left a rather sour taste in my mouth. So this month I took the opportunity presented by the end of my contract to shift to another provider. Of course, in doing so I gained a nice shiny new ‘phone which meant that I could spend a fun few hours setting it up the way I wanted it and nailing it down as much as possible so that it didn’t leak all my data to google. This is unnecessarily difficult, and much harder than it should be (and I know that people like Peter H will simply tell me that I shouldn’t be using an android ‘phone in the first place). But that is not the point of this post.

Like most people these days, I use my ‘phone to pick up email. The standard email client on my last ‘phone was pretty uninspiring so I used K-9 mail in its place. K-9 is a pretty good application, but it has a silly little bug in it which is still not sorted properly. This bug manifests itself in a rather odd, and unpredictable way – K-9 seems to “forget” the X509 certificate used to protect the authentication process if that certificate is self-signed, or otherwise not verifiable by an external CA. The cure, such as it is, is to simply refresh the certificate by reloading the account settings and accepting the cert when K-9 warns you that “TrustAnchor found but validation failed”. The length of time between accepting the cert and K-9 “forgetting” it again seemed random to me, so I got into the habit of refreshing my account settings whenever I noticed that I hadn’t received any mail for a while. Annoying, but not ultimately a deal breaker for using what was otherwise a pretty good application.

So, the first application I looked at on my new mobile was, of course, email. The default mail client on this new phone looks a lot slicker than the old one on my previous phone, but then it is a much newer ‘phone, from a different manufacturer and the android version is much newer too, so no real surprise there. The setup seemed to have no problem with my self signed certs so I thought I might stay with the default to see if it would solve my annoying little problem with K-9.

Unfortunately not.

Whilst I had no problem with incoming mail over my IMAPS connection, all attempts to send mail failed. On checking my server logs I found the following (real details changed or obfuscated):

Mar 20 20:45:57 pipe postfix/smtpd[7594]: NOQUEUE: reject: RCPT from home.baldric.net[12.34.56.78]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<null@baldric.net> to=<noone@baldric.net> proto=ESMTP helo=<localhost>

Aha! My postfix configuration is set up to reject hosts which do not have valid hostnames or do not announce themselves with fully qualified domain names (i.e. names of the form “host.domain”). Now since I use SASL authentication in my postfix configuration the fix is relatively easy; just ensure that the stanza “permit_sasl_authenticated” appears in both “smtpd_sender_restrictions” and “smtpd_helo_restrictions” before “reject_non_fqdn_hostname” – thusly:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain

(In fact, this episode highlighted an error in my postfx configuration because my helo restriction was inadequate. By now checking the authentication before the helo restriction kicks in I am still well protected, but mail from valid authenticated users is permitted.)

I am in that (very) small minority of people who run their own mail servers and are able to change server side configurations. But, and this is a big but. I should not have to change the server side configuration to accommodate a broken client and the vast majority of people will not be able to do so anyway. Almost all well set up mail servers will reject mail where the client connection announces itself in the helo exchange as “localhost”. That is normally an indication of a spammer, indeed spamassassin will allocate a high score to any mail which is so flagged. This means that there will be a huge, and growing, number of people who cannot send mail from their android ‘phones.

If this is the default android mail behaviour, then google need to fix it now. Meanwhile, K-9 is looking attractive again.

Permanent link to this article: https://baldric.net/2012/03/24/android-mail-client-is-broken/

Mar 19 2012

unlinked

Today I received two (make that four now – must sort out my spam filters) phishing emails from a source new to me. Each email purported to come from “linkedin” and each invited me to login to respond to “invitations from your work colleague”. Since a) I have never been a member of linkedin, and b) am retired, the invitations immediately looked suspect, but the return address looked real at first sight. That is, until I looked more closely. The actual address used was linkedln.com (with a second letter “l”) rather than the correct linkedin.com.

Nice try.

Permanent link to this article: https://baldric.net/2012/03/19/unlinked/

Mar 14 2012

unplugged

A few days ago my sheevaplug died. Beyond the obvious lack of response either over the network or through the USB serial connection, the symptoms (single green LED rather than blue and green LED lit, ethernet LED light steady rather than flashing) were all consistent with a blown PSU.

This problem is well known and well documented on the Newit forum and the plugcomputer forum as well as plenty of other sites, so I was pretty confident in my diagnosis. The general consensus seems to be that the low quality components used by Globalscale in what is, after all, supposed to be a piece of development kit, coupled with its low power output, means that it can’t really cope with the demands placed upon it – particularly if you attach unpowered USB peripheral devices. Even so, I was pretty pissed off that it failed after only two years.

I use my plug as my NTP time source, network “apt-get” cache and local end point for my ssh proxy tunnel to tor. So it was quite important to me that I get it working again. Fortunately Newit now stock replacement PSUs. Mine arrived within a couple of days of order.

Newit have kindly placed a “howto fix your fscked plug” guide online. I found the process relatively easy, with the exception of replacing the new AC inlet plug back in the chassis. In the end I pushed hard and held my breath in case something snapped, but I got it in.

I have seen many pictures of the PSU on-line, but I confess I was pretty shocked at the completely amateurish look of the thing when I pulled mine out.


The picture above shows the PSU in its case as I pulled it out of the plug.



and this one shows the contents of the PSU when the case lid is removed. It looks like the sort of breadboard setup I last saw in a 1960s transistor radio built by my uncle. Certainly not of the quality I would expect from a major electronics company. Mind you, the new replacement unit (see below) is not /that/ much better.



This final picture shows the new PSU installed in what is actually the top half of the plug.


The plug is now back together, and to my relief it booted fine first time. But I’m now not at all confident that it will last. And since one of my earliest slugs is now becoming a little unstable, I’m looking for a replacement for both.

Permanent link to this article: https://baldric.net/2012/03/14/unplugged-2/

Mar 09 2012

steam locomotive

Most debian users will be familiar with the ASCII “moo” easter egg in apt-get.

I have just stumbled upon a more elaborate piece of ASCII art by one Professor Toyoda Masashi who wrote a joke program to reprimand those command line users who misspell “ls” as “sl” (it happens). I installed it on my desktop because my grandson loves “choo choos”.

Give it a try, it should be available in most distros. The animation is quite good.

And yes, I know I need to get out more.

Permanent link to this article: https://baldric.net/2012/03/09/steam-locomotive/

Mar 07 2012

iBomber Defence: Nuclear Option

Today’s G2 has a nice little article by Tim Dowling called “What’s on David Cameron’s iPad“. Dowling’s article says:

“David Cameron is about to take delivery of a specially programmed prime ministerial iPad, reportedly at a cost of £20,000 (3G contract not included). An iPad devotee already – he uses it to catch up on episodes of The Killing while travelling – Cameron will now be able to keep tabs on polling data, market fluctuations, unemployment figures, crime statistics and news feeds, all with the sweep of a finger across a special dashboard.”

Dowling goes on to list the applications he believes would be on the Prime Ministerial iPad. These include:

Nuclear Button

This secure application allows the PM to be in control of Britain’s nuclear arsenal at all times. For safety reasons, password must be at least eight characters long and contain both numbers and letters.

and

iBomber Defence: Nuclear Option

New game in which a world leader has just 12 hours to decide whether to launch a nuclear strike. Don’t worry – the icon is a totally different colour to the Nuclear Button.

Given what the iPad probably had to go through before Dave was let anywhere near it, I think £20,000 sounds pretty cheap.

Oh, and I quite like this little app….

rMail

A selection of hilarious private emails sent by UK citizens, delivered daily from GCHQ.

Permanent link to this article: https://baldric.net/2012/03/07/ibomber-defence-nuclear-option/

Mar 06 2012

banking stupidity

When I logged on to my new bank site this morning, I tried the “help” offered on the opening screen just to see what they had to say about the range of options available. I was not best pleased to be greeted by the message “Flash is not installed, is not enabled or is not up to date” together with a nice big button marked “Get Adobe Flash Player”. No – I don’t think so.

Adobe products have an unfortunate history of critical vulnerabilities. Indeed, only a couple of weeks ago they released a patch for a critical vulnerability in Adobe Flash Player 11.1 and earlier for Windows, Macintosh, Linux and Solaris. It wasn’t the first, and it certainly won’t be the last. There are probably a whole bunch of zero days out there primed and ready for use.

I do not want to see flash on one of the most critical sites I use. And I have told my new bank exactly that. Watch this space.

Permanent link to this article: https://baldric.net/2012/03/06/banking-stupidity/

Mar 04 2012

am I kidding myself

I have recently moved my bank current and short term savings accounts. Partly this is a political statement in support of the move your money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK Mutual than with the UK arm of a large Spanish Bank. However, my reason for mentioning this here is that the move gave me the opportunity to compare the on-line mechanisms of both my old and new providers and it also got me thinking again about the way I actually do my on-line banking.

As you would expect, I do all my on-line financial transactions from my linux desktop. Given the prevalence of sophisticated banking trojans (PDF file) such as ZeuS, I really don’t see how anyone could comfortably use a windows based machine, even one fully patched, with up to date virus protection and firewall in place. But I go further than just using my desktop, I actually only log on from a second desktop within a virtualbox VM. Further, the browser I use in that VM is as stripped of functionality as is possible (no addons, no plugins, defaults to block cookies etc.) and only ever connects to my bank(s) and no other sites. Unfortunately, the banks insist on cookies and javascript so I have to enable those selectively.

The thinking here is that my browser is the least secure (and probably most targeted) application on my desktop. So if I use a browser which I know has not connected to anything other than the two or three financial sites I trust, I should be relatively safe. Shouldn’t I? (OK, DNS poisoning could have redirected the browser to fake sites, but you get the drift I’m sure). And the best way to be sure that the browser I use is nailed down, and uncorrupted, is to run that browser from a separate machine. However, separate physical machines are expensive and it is tedious to have to fire up another box just to handle my banking when I could do it all from a VM.

But if my main desktop is already compromised (with say a key logger) how safe am I? One of the nice features of virtualbox is its ability to capture both the keyboard and the mouse automatically whenever the guest OS is in focus. For example, on starting a new guest OS, virtualbox says “You have the auto capture keyboard option turned on. This will cause the VM to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine.” So theoretically, all keypresses will be intercepted by virtualbox and will be invisible to the underlying host OS and its applications. But does this apply to a keylogger trojan already in the host OS? I guess that depends on the trojan and where within the complex stack of kernel, kernel modules, virtualbox and applications it actually hooks itself. But after revisiting and pondering upon my previous assumptions during the move of my accounts, I can’t help feeling that my (rather elaborate) security mechanisms are actually no more than a nice warm security blanket.

But they do make me feel safer…..

Permanent link to this article: https://baldric.net/2012/03/04/am-i-kidding-myself/