now switch it back on

Bugtraq can be an interesting list. Back in June 2008 I noted that one Craig Wright had posted an advisory about a vulnerability in an Oral B toothbrush. Well, just over a week ago a chap called Gabriel Menezes Nunes posted a proof of concept remote denial of service attack on a Sony Bravia television set. He had discovered that a packet flood attack to any port on his TV using the tool “hping” would cause a denial of service. In his post he says:

“After 35 seconds the TV stop working and back. This happens 3 times. At fourth time, the TV shuts down. In less than 3 minutes, the TV is off remotely. It is necessary to turn on the TV physically.”

I can’t help thinking that using the normal remote control would have been easier.

Permanent link to this article: https://baldric.net/2012/04/18/now-switch-it-back-on/

stallman likes sharing

The guardian’s series on internet freedoms (or otherwise) continues today with an article by Richard Stallman on the kindle and ebook publishing. Stallman makes a point I’d missed in my own commentary on the kindle when he says:

“Many other habits that readers are accustomed to are not allowed for ebooks. With the Amazon Kindle, for instance, you’re not allowed to buy a book anonymously. Kindle books are typically available from Amazon only, and Amazon doesn’t accept cash so users must identify themselves. Thus Amazon knows exactly which books each user has read. In a country like Britain, where you can be prosecuted for possessing a forbidden book, this is more than hypothetically Orwellian.”

One obvious way around this is not to buy ebooks from Amazon (or anyone else). The only books on my kindle are those out of copyright which I have downloaded from sites such as project gutenberg or other sites listed on portals such as ireaderreview. Of course you have to be careful that you do not add such books to your personal document archive or Amazon will helpfully copy and list them in your “kindle library”.

And I still haven’t really used my kindle except when on holiday.

(Note that Richard Stallman’s article is Copyright 2012 Richard Stallman under a Creative Commons Attribution NoDerivatives 3.0 licence)

Permanent link to this article: https://baldric.net/2012/04/18/stallman-likes-sharing/

battle for the internet

This week the guardian, my newspaper of choice, is running a week long series of articles under the theme “battle for the internet“. The reporting looks set to be interesting and is due to cover the following themes: “the militarisation of cyberspace”, “the new walled gardens”, “IP wars”, “civilising the web”, “open resistance”, and (doom-laden prophecy) “the end of privacy”. Personally I find the terms “cyberspace/cyberwar/cyberjihad/cyberwhatever” a horrible americanisation, but unfortunately the labels seem to have gained some traction even here in the UK. Whatever, it is at least refreshing that a mainstream newspaper (the guardian is mainstream, right?) should be taking a look at the issues rather than leaving it to the specialist press.

Yesterday’s reporting though was a hoot. The paper led with a front page article reporting an interview with Sergey Brin. Brin is reported to have said:

“there are very powerful forces that have lined up against the open internet on all sides and around the world” and “I am more worried than I have been in the past, it’s scary.”

OK – I can see how there could be a number of possible threats to the continued existence of the sort of open and collaborative ‘net that I so admire. But the guardian article went on to say:

“The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy, and the rise of “restrictive” walled gardens such as Facebook and Apple, which tightly control what software can be released on their platforms.”

“He said he was most concerned by the efforts of countries such as China, Saudi Arabia and Iran to censor and restrict use of the internet, but warned that the rise of Facebook and Apple, which have their own proprietary platforms and control access to their users, risked stifling innovation and balkanising the web.”

and moreover

“There’s a lot to be lost,” he said. “For example, all the information in apps – that data is not crawlable by web crawlers. You can’t search it.”

So: along with restrictive regimes and an entertainment industry fighting to retain a lost business model, according to the world’s largest infringer of personal privacy, one of the biggest threats to the internet is the fact that apple and facebook won’t let google search the data they have gathered.

Is it just me? Or is this bonkers?

Permanent link to this article: https://baldric.net/2012/04/17/battle-for-the-internet/

rockbox rocks

Some time ago my wife bought me a SanDisk Sansa Clip+ music player. When she asked me “what kind of MP3 player” I would like, I specified the Clip+ because it could handle ogg vorbis encoded audio files. All my audio disks are encoded in this format. Picky I know, but there you go.

The version she bought me was the 8 GB Black which comes with (you guessed it) 8 GB of internal storage – sufficient for a fair number of audio tracks. But this version also has a microSDHC slot which will take a maximum of another 32 GB. That should enable me to carry most of my music collection (which currently runs to around 47 GB) if I cut out some of the obvious duplicates and exclude some of my more embarrassing ’70s choices. The device is small, neat and light and also has a pretty good battery life.

But Sansa have not been entirely honest in their advertising. Sure, the device will accept additional storage, but it is largely unusable. Once you get past around 6 or 7 GB on the internal storage and even as little as 3 or 4 GB on the additional card, the device is not capable of building its database of the collection. The symptom is pretty obvious. As soon as you disconnect the Clip+ from the USB connection used to transfer files (and incidentally to charge the device) the display shows “Refreshing your media” and a progress bar which slowly fills from left to right. If you only use the internal storage, there is no problem, but as soon as you get past the 3 or 4 GB additional store on the external card, the clip+ will sit there, refreshing away, for hour after hour if you let it.

Even after a firmware upgrade, the device wouldn’t do what it was supposed to, so I turned to the FLOSS community yet again. This time in the shape of rockbox.

Rockbox is a free, open source jukebox utility which runs on a wide variety of devices. The website provides detailed instructions on how to install and use rockbox and even comes with an installer for most operating systems so that you don’t have to get your hands dirty installing it manually. Most impressive of all however, is that the rockbox firmware can be installed alongside the original player’s firmware without danger of bricking the device. If you find that you don’t like rockbox (and what’s not to like about a free product that outperforms the paid-for original?) you can still boot into the original firmware because rockbox provides a dual boot facility. And if you really don’t like it, then you can simply remove it and go back to using the original.

Thoroughly recommended.

Permanent link to this article: https://baldric.net/2012/04/16/rockbox-rocks/

this video is private

I have just tried to (re)view a youtube video I last looked at a couple of weeks ago from a link that a friend sent me in an email. On clicking the link I got the message: “This video is private. If the owner of this video has granted you access, please log in.” Clicking through to log in took me to a google sign in page.

I suppose I shouldn’t be surprised at that. After all, the new google privacy policy, which covers all of its “services”, is now in place. But I must admit it did piss me off more than a little. What next? Must I sign in to watch pingu with my grandson?

No google, I won’t sign in just to view a youtube video. But walling off bits of the ‘net may yet be your downfall.

Permanent link to this article: https://baldric.net/2012/03/31/this-video-is-private/

that didn’t take long

My last post contained two (non-existent) email addresses in my baldric domain in the extract from my postfix logs. As I said in the post, I had edited the log entry specifically to mask real details. Yesterday, only four days after that post, I received spam email attempts at those addresses.

As I have said in the past, if you don’t want spam, don’t publish your email address.

Permanent link to this article: https://baldric.net/2012/03/29/that-didnt-take-long/

android mail client is broken

In January of this year I wrote about t-mobile’s apparent policy of actively looking for and blocking any TLS-secured SMTP sessions over their network. At the time I believed this to be a cockup rather than a deliberate policy. I still prefer to believe that, but the episode left a rather sour taste in my mouth. So this month I took the opportunity presented by the end of my contract to shift to another provider. Of course, in doing so I gained a nice shiny new ‘phone which meant that I could spend a fun few hours setting it up the way I wanted it and nailing it down as much as possible so that it didn’t leak all my data to google. This is unnecessarily difficult, and much harder than it should be (and I know that people like Peter H will simply tell me that I shouldn’t be using an android ‘phone in the first place). But that is not the point of this post.

Like most people these days, I use my ‘phone to pick up email. The standard email client on my last ‘phone was pretty uninspiring so I used K-9 mail in its place. K-9 is a pretty good application, but it has a silly little bug in it which is still not sorted properly. This bug manifests itself in a rather odd, and unpredictable way – K-9 seems to “forget” the X.509 certificate used to protect the authentication process if that certificate is self-signed, or otherwise not verifiable by an external CA. The cure, such as it is, is to simply refresh the certificate by reloading the account settings and accepting the cert when K-9 warns you that “TrustAnchor found but validation failed”. The length of time between accepting the cert and K-9 “forgetting” it again seemed random to me, so I got into the habit of refreshing my account settings whenever I noticed that I hadn’t received any mail for a while. Annoying, but not ultimately a deal breaker for using what was otherwise a pretty good application.

So, the first application I looked at on my new mobile was, of course, email. The default mail client on this new phone looks a lot slicker than the old one on my previous phone, but then it is a much newer ‘phone, from a different manufacturer and the android version is much newer too, so no real surprise there. The setup seemed to have no problem with my self signed certs so I thought I might stay with the default to see if it would solve my annoying little problem with K-9.

Unfortunately not.

Whilst I had no problem with incoming mail over my IMAPS connection, all attempts to send mail failed. On checking my server logs I found the following (real details changed or obfuscated):

Mar 20 20:45:57 pipe postfix/smtpd[7594]: NOQUEUE: reject: RCPT from home.baldric.net[12.34.56.78]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<null@baldric.net> to=<noone@baldric.net> proto=ESMTP helo=<localhost>

Aha! My postfix configuration is set up to reject hosts which do not have valid hostnames or do not announce themselves with fully qualified domain names (i.e. names of the form “host.domain”). Now since I use SASL authentication in my postfix configuration the fix is relatively easy; just ensure that the stanza “permit_sasl_authenticated” appears in both “smtpd_sender_restrictions” and “smtpd_helo_restrictions” before “reject_non_fqdn_hostname” – thusly:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain

(In fact, this episode highlighted an error in my postfix configuration because my helo restriction was inadequate. Postfix evaluates each restriction list left to right and stops at the first rule that permits or rejects, so the order matters. By now checking the authentication before the helo restriction kicks in I am still well protected, but mail from valid authenticated users is permitted.)
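To make the ordering point concrete, here is an added example (not code from this post, and not postfix’s own code) that parses a reject line of the shape quoted above and then walks a helo restriction list the way postfix does, first match wins. The sample log line, the two client records and the “old” restriction list are constructed for the example; is_fqdn() and is_valid_hostname() are approximations of reject_non_fqdn_hostname and reject_invalid_hostname, not postfix’s implementation.

```python
import re

# Constructed sample, modelled on the reject line quoted in the post (same
# made-up addresses and IP); it is not a real log capture.
SAMPLE_LOG = (
    "Mar 20 20:45:57 pipe postfix/smtpd[7594]: NOQUEUE: reject: RCPT from "
    "home.baldric.net[12.34.56.78]: 504 5.5.2 <localhost>: Helo command rejected: "
    "need fully-qualified hostname; from=<null@baldric.net> to=<noone@baldric.net> "
    "proto=ESMTP helo=<localhost>"
)

# Pull the interesting fields out of a postfix/smtpd NOQUEUE reject line.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) .*?: (?P<reason>[^;]+); "
    r".*helo=<(?P<helo>[^>]*)>"
)


def parse_reject(line):
    """Return a dict of stage/client/ip/code/dsn/reason/helo, or None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def parse_restrictions(value):
    """Split a main.cf restriction value ("a, b, c" or whitespace separated)."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def is_fqdn(helo):
    # Approximation of reject_non_fqdn_hostname: the name must contain a dot
    # that is neither the first nor the last character ("localhost" fails).
    return "." in helo[1:-1]


def is_valid_hostname(helo):
    # Approximation of reject_invalid_hostname: plain hostname syntax only.
    return re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?", helo) is not None


def evaluate(restrictions, client):
    """Walk a restriction list left to right, as postfix does: the first
    permit_* or reject_* rule that fires decides, and an exhausted list
    permits. Returns (verdict, rule_that_decided)."""
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and client["sasl_authenticated"]:
            return "permit", rule
        if rule == "permit_mynetworks" and client["in_mynetworks"]:
            return "permit", rule
        if rule == "reject_non_fqdn_hostname" and not is_fqdn(client["helo"]):
            return "reject", rule
        if rule == "reject_invalid_hostname" and not is_valid_hostname(client["helo"]):
            return "reject", rule
    return "permit", "end of list"


# Hypothetical "before" list: the helo checks with no permit_* in front of them.
OLD_HELO = parse_restrictions("reject_non_fqdn_hostname, reject_invalid_hostname")
# The corrected smtpd_helo_restrictions value from the post.
NEW_HELO = parse_restrictions(
    "permit_sasl_authenticated, permit_mynetworks, "
    "reject_non_fqdn_hostname, reject_invalid_hostname"
)

# Constructed clients: the phone (authenticated, announces itself as
# "localhost") and an unauthenticated stranger doing the same thing.
PHONE = {"helo": "localhost", "sasl_authenticated": True, "in_mynetworks": False}
STRANGER = {"helo": "localhost", "sasl_authenticated": False, "in_mynetworks": False}

if __name__ == "__main__":
    print(parse_reject(SAMPLE_LOG))
    for name, lst in (("old", OLD_HELO), ("new", NEW_HELO)):
        print(name, "phone:", evaluate(lst, PHONE), "stranger:", evaluate(lst, STRANGER))
```

With the old list the authenticated phone is rejected by reject_non_fqdn_hostname; with the new list it is permitted by permit_sasl_authenticated before the helo check is reached, while the unauthenticated client announcing “localhost” is still rejected.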

I am in that (very) small minority of people who run their own mail servers and are able to change server side configurations. But, and this is a big but, I should not have to change the server side configuration to accommodate a broken client and the vast majority of people will not be able to do so anyway. Almost all well-configured mail servers will reject mail where the client connection announces itself in the helo exchange as “localhost”. That is normally an indication of a spammer, indeed spamassassin will allocate a high score to any mail which is so flagged. This means that there will be a huge, and growing, number of people who cannot send mail from their android ‘phones.

If this is the default android mail behaviour, then google need to fix it now. Meanwhile, K-9 is looking attractive again.

Permanent link to this article: https://baldric.net/2012/03/24/android-mail-client-is-broken/

unlinked

Today I received two (make that four now – must sort out my spam filters) phishing emails from a source new to me. Each email purported to come from “linkedin” and each invited me to login to respond to “invitations from your work colleague”. Since a) I have never been a member of linkedin, and b) am retired, the invitations immediately looked suspect, but the return address looked real at first sight. That is, until I looked more closely. The actual address used was linkedln.com (with a second letter “l”) rather than the correct linkedin.com.

Nice try.
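As an added illustration (not from the post), one way to catch this kind of lookalike sender automatically: collapse characters that look alike in common fonts (l/i/1, 0/o, rn/m) to a single form before comparing the sender’s domain with the list of organisations you actually expect mail from, and fall back to an edit-distance check for a dropped or swapped letter. The trusted list and the addresses are constructed for the example, and the registrable-domain helper is an approximation that ignores the public suffix list.

```python
# Canonical forms for characters that look alike: the point is to make
# "linkedln" and "linkedin" collapse to the same string before comparison.
MULTI = (("rn", "m"), ("vv", "w"))
SINGLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(label):
    s = label.lower()
    for src, dst in MULTI:
        s = s.replace(src, dst)
    return s.translate(SINGLE)


def levenshtein(a, b):
    """Plain edit distance, for near-misses the skeleton does not catch
    (a dropped or doubled letter, for example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    # Approximation: the last two labels. A real check needs the public
    # suffix list so that "example.co.uk" is not reduced to "co.uk".
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_sender(address, trusted):
    """Return ("trusted" | "lookalike" | "unknown", matched or seen domain)."""
    domain = registrable(address.rsplit("@", 1)[-1])
    if domain in trusted:
        return "trusted", domain
    name = domain.split(".")[0]
    for t in trusted:
        t_name = t.split(".")[0]
        if skeleton(domain) == skeleton(t) or levenshtein(name, t_name) <= 1:
            return "lookalike", t
    return "unknown", domain


TRUSTED = {"linkedin.com"}  # constructed list for the example

if __name__ == "__main__":
    for addr in ("invitations@linkedln.com", "messages@linkedin.com", "news@example.org"):
        print(addr, "->", classify_sender(addr, TRUSTED))
```

The skeleton comparison is what flags linkedln.com: both it and linkedin.com reduce to the same string once l and i are treated as one character. The edit-distance fallback catches the cases the skeleton misses, at the cost of a few false positives for genuinely short, similar names.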

Permanent link to this article: https://baldric.net/2012/03/19/unlinked/

unplugged

A few days ago my sheevaplug died. Beyond the obvious lack of response either over the network or through the USB serial connection, the symptoms (single green LED rather than blue and green LED lit, ethernet LED light steady rather than flashing) were all consistent with a blown PSU.

This problem is well known and well documented on the Newit forum and the plugcomputer forum as well as plenty of other sites, so I was pretty confident in my diagnosis. The general consensus seems to be that the low quality components used by Globalscale in what is, after all, supposed to be a piece of development kit, coupled with its low power output, means that it can’t really cope with the demands placed upon it – particularly if you attach unpowered USB peripheral devices. Even so, I was pretty pissed off that it failed after only two years.

I use my plug as my NTP time source, network “apt-get” cache and local end point for my ssh proxy tunnel to tor. So it was quite important to me that I get it working again. Fortunately Newit now stock replacement PSUs. Mine arrived within a couple of days of order.

Newit have kindly placed a “howto fix your fscked plug” guide online. I found the process relatively easy, with the exception of replacing the new AC inlet plug back in the chassis. In the end I pushed hard and held my breath in case something snapped, but I got it in.

I have seen many pictures of the PSU on-line, but I confess I was pretty shocked at the completely amateurish look of the thing when I pulled mine out.


The picture above shows the PSU in its case as I pulled it out of the plug.



and this one shows the contents of the PSU when the case lid is removed. It looks like the sort of breadboard setup I last saw in a 1960s transistor radio built by my uncle. Certainly not of the quality I would expect from a major electronics company. Mind you, the new replacement unit (see below) is not /that/ much better.



This final picture shows the new PSU installed in what is actually the top half of the plug.


The plug is now back together, and to my relief it booted fine first time. But I’m now not at all confident that it will last. And since one of my earliest slugs is now becoming a little unstable, I’m looking for a replacement for both.

Permanent link to this article: https://baldric.net/2012/03/14/unplugged-2/

steam locomotive

Most debian users will be familiar with the ASCII “moo” easter egg in apt-get.

I have just stumbled upon a more elaborate piece of ASCII art by one Professor Toyoda Masashi who wrote a joke program to reprimand those command line users who misspell “ls” as “sl” (it happens). I installed it on my desktop because my grandson loves “choo choos”.

Give it a try, it should be available in most distros. The animation is quite good.

And yes, I know I need to get out more.

Permanent link to this article: https://baldric.net/2012/03/09/steam-locomotive/

iBomber Defence: Nuclear Option

Today’s G2 has a nice little article by Tim Dowling called “What’s on David Cameron’s iPad“. Dowling’s article says:

“David Cameron is about to take delivery of a specially programmed prime ministerial iPad, reportedly at a cost of £20,000 (3G contract not included). An iPad devotee already – he uses it to catch up on episodes of The Killing while travelling – Cameron will now be able to keep tabs on polling data, market fluctuations, unemployment figures, crime statistics and news feeds, all with the sweep of a finger across a special dashboard.”

Dowling goes on to list the applications he believes would be on the Prime Ministerial iPad. These include:

Nuclear Button

This secure application allows the PM to be in control of Britain’s nuclear arsenal at all times. For safety reasons, password must be at least eight characters long and contain both numbers and letters.

and

iBomber Defence: Nuclear Option

New game in which a world leader has just 12 hours to decide whether to launch a nuclear strike. Don’t worry – the icon is a totally different colour to the Nuclear Button.

Given what the iPad probably had to go through before Dave was let anywhere near it, I think £20,000 sounds pretty cheap.

Oh, and I quite like this little app….

rMail

A selection of hilarious private emails sent by UK citizens, delivered daily from GCHQ.

Permanent link to this article: https://baldric.net/2012/03/07/ibomber-defence-nuclear-option/

banking stupidity

When I logged on to my new bank site this morning, I tried the “help” offered on the opening screen just to see what they had to say about the range of options available. I was not best pleased to be greeted by the message “Flash is not installed, is not enabled or is not up to date” together with a nice big button marked “Get Adobe Flash Player”. No – I don’t think so.

Adobe products have an unfortunate history of critical vulnerabilities. Indeed, only a couple of weeks ago they released a patch for a critical vulnerability in Adobe Flash Player 11.1 and earlier for Windows, Macintosh, Linux and Solaris. It wasn’t the first, and it certainly won’t be the last. There are probably a whole bunch of zero days out there primed and ready for use.

I do not want to see flash on one of the most critical sites I use. And I have told my new bank exactly that. Watch this space.

Permanent link to this article: https://baldric.net/2012/03/06/banking-stupidity/

am I kidding myself

I have recently moved my bank current and short term savings accounts. Partly this is a political statement in support of the move your money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK mutual than with the UK arm of a large Spanish bank. However, my reason for mentioning this here is that the move gave me the opportunity to compare the on-line mechanisms of both my old and new providers and it also got me thinking again about the way I actually do my on-line banking.

As you would expect, I do all my on-line financial transactions from my linux desktop. Given the prevalence of sophisticated banking trojans (PDF file) such as ZeuS, I really don’t see how anyone could comfortably use a windows based machine, even one fully patched, with up to date virus protection and firewall in place. But I go further than just using my desktop, I actually only log on from a second desktop within a virtualbox VM. Further, the browser I use in that VM is as stripped of functionality as is possible (no addons, no plugins, defaults to block cookies etc.) and only ever connects to my bank(s) and no other sites. Unfortunately, the banks insist on cookies and javascript so I have to enable those selectively.

The thinking here is that my browser is the least secure (and probably most targeted) application on my desktop. So if I use a browser which I know has not connected to anything other than the two or three financial sites I trust, I should be relatively safe. Shouldn’t I? (OK, DNS poisoning could have redirected the browser to fake sites, but you get the drift I’m sure). And the best way to be sure that the browser I use is nailed down, and uncorrupted, is to run that browser from a separate machine. However, separate physical machines are expensive and it is tedious to have to fire up another box just to handle my banking when I could do it all from a VM.

But if my main desktop is already compromised (with say a key logger) how safe am I? One of the nice features of virtualbox is its ability to capture both the keyboard and the mouse automatically whenever the guest OS is in focus. For example, on starting a new guest OS, virtualbox says “You have the auto capture keyboard option turned on. This will cause the VM to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine.” So theoretically, all keypresses will be intercepted by virtualbox and will be invisible to the underlying host OS and its applications. But does this apply to a keylogger trojan already in the host OS? I guess that depends on the trojan and where within the complex stack of kernel, kernel modules, virtualbox and applications it actually hooks itself. (In practice the capture is done by the VirtualBox process running on the host: every keystroke passes through the host kernel’s input drivers and the host’s windowing system before VirtualBox grabs it, so a keylogger hooked in at either of those levels sees the keys regardless of which window has focus. The capture only keeps them from other ordinary host applications.) But after revisiting and pondering upon my previous assumptions during the move of my accounts, I can’t help feeling that my (rather elaborate) security mechanisms are actually no more than a nice warm security blanket.

But they do make me feel safer…..

Permanent link to this article: https://baldric.net/2012/03/04/am-i-kidding-myself/

wordpress 3.3.1 bug update

Addendum to previous post.

On further experimentation, the problem seems to be caused by a combination of graphene 1.6.1 and wordpress 3.3.1, not just 3.3.1 alone. I’ll post to the graphene support site to see if anyone else has seen this.

Permanent link to this article: https://baldric.net/2012/03/04/wordpress-3-3-1-bug-update/

wordpress 3.3.1 bug?

As part of the move to the new site I also upgraded wordpress to the latest release (3.3.1). Unfortunately I found a small bug in that version so I have reverted to the earlier version.

The bug is odd, and not particularly problematic but irritating nonetheless. It prevents upload of media (such as is used in embedding images) and also loses the html editor toolbar – the “visual” toolbar remains unaffected. Oddly though, the bug only manifests itself in the edit of “pages” as opposed to “posts”.

I think I’ll wait until the next full point release (to 3.4) before trying again.

Permanent link to this article: https://baldric.net/2012/03/04/wordpress-3-3-1-bug/

we’ve moved (again)

Back in September 2009 I moved trivia from its original home on a cheap shared web hosting platform to one of my first VMs at Bytemark. However, in that move I left the design relatively untouched. (Having sat through more than my fair share of tedious powerpoint presentations I’m a firm believer in the power of content over bling). That said, trivia was overdue for an update so I have taken the opportunity of a move to another new VM (again hosted at Bytemark, but on their whizzy new platform called BigV) to change trivia’s theme.

One of the major limitations of the old theme was the loss of all sidebar navigation options when moving away from the home page. This meant that anyone arriving at a trivia page from a link elsewhere would have no sense of the (ahem) full depth or range of content available here. The new theme solves that problem and also allows me to add just a little more bling. I think I’ve been relatively restrained, though I particularly like the scrolling random selection of old posts across the top of the new home page. I may play around with some of the minor options available in the new theme, but the overall layout is likely to stay broadly as you now see it.

Let me know what you think.

Permanent link to this article: https://baldric.net/2012/03/01/weve-moved-again/

HMG goes cloudy

The UK Cabinet Office has announced the winning bidders to supply IT goods and services to UK Government under its new framework contract called “G-Cloud”. The winners are listed on a new website called the CloudStore which, supposedly, allows HMG procurement specialists to search for the goods and services they want to purchase. The new framework is supposed to break the old cosy relationships in HMG procurement circles between the big suppliers and HMG Departments. Politics and personal prejudice aside, I think Francis Maude’s intentions in setting the new services framework is actually quite honourable. But, frankly, the results baffle me.

I picked “Infrastructure as a Service” as my first choice and the list I was presented with gave several suppliers for which the description said “The supplier did not provide a description of this service, please click on the link to find out about this service.”. Of course, clicking the link merely confirms what the description says – no info. So I tried a search for “open source software” on the IaaS page and got no results. I also got no results when similarly searching “Software as a Service”. Excuse me? Am I expected to believe that not one supplier of the 255 successful companies even mentions open source software in their offering of IaaS or SaaS? Has no-one heard of the LAMP stack?

I then widened the search to include any and all service by any and all provider and got just one result – for some company called “Cloud Cache and Archive Limited”. The description says:

“Cloud Cache And Archive Limited is a privately funded software company with development based in London. Cloud Cache and Archive provides a game changing solution to allow the rapid integration of legacy applications and databases; and the deployment of new enterprise services and Web 2.0 applications on the Cloud. The solution leverages “big data” technologies; a 100% open source software; and cloud native platforms to provide Agile Information Integration and Agile Information Management all based on a cloud native platform. The proven solution is designed for Governments and large commercial organizations.”

I’m sorry, but that is just marketing drivel. WTF does that actually mean? What solution? To what problem? What is a “cloud native platform”? And how will this help a government procurement specialist (who, trust me, will not be an ICT specialist) choose a supplier?

Answers on a post card please.

Permanent link to this article: https://baldric.net/2012/02/20/hmg-goes-cloudy/

Досвидания камрад?

From a peak of around 25,000 mail drops per month in the backscatter I was getting from the .ru domain to the non-existent address “info@baldric.net” I am now seeing virtually none. My logs show a distinct drop off from mid to late December last year to about 10-15 emails per day (when I had previously been seeing anywhere between 600 and 900 per day). Since then the trickle has slowed to a crawl. I now receive only a handful a week, with most days being completely clear.

I wonder where they have gone.

Permanent link to this article: https://baldric.net/2012/02/14/%d0%b4%d0%be%d1%81%d0%b2%d0%b8%d0%b4%d0%b0%d0%bd%d0%b8%d1%8f-%d0%ba%d0%b0%d0%bc%d1%80%d0%b0%d0%b4/

perl programmer goes rabid

As a Guardian reader I find the Daily Mail distasteful and I would not normally refer to it in trivia. However, a friend of mine has just sent me a link to a random Daily Mail page generator which manages to lampoon the rag quite successfully.

image of spoof daily mail random page

Further investigation of the author’s blog reveals another random page generator which suggests he may have too much time on his hands.

Permanent link to this article: https://baldric.net/2012/02/07/perl-programmer-goes-rabid/

tomorrow the world

A slightly breathless new post over at omgubuntu proudly boasts that the market share of Linux on the desktop jumped “from 0.96% in January 2011 to 1.41% by the year’s end.” (That could equally be written as a close to 50% rise in Linux’s popularity). No doubt this will scare the pants off Steve Ballmer.

I can’t help being amused by the comments below this post which run like this:

1. Thanks to Unity!

2. Despite unity.

3. Despite unity & gnome shell.

4. Thanks to gnome & despite unity.

5. Thanks to Ubuntu.

6. Thanks to Linux Mint.

This sort of united, combined front in opposition to proprietary software is exactly what will drive free software to say, oh around 2% of the desktop.

Permanent link to this article: https://baldric.net/2012/01/30/tomorrow-the-world/

moxie’s proxy

Moxie Marlinspike, a security researcher probably best known for his SSL proxy tool, likes google even less than I do. His googlesharing website says:

“Google thrives where privacy does not. If you’re like most internet users, Google knows more about you than you might be comfortable with. Whether you were logged in to a Google account or not, they know everything you’ve ever searched for, what search results you clicked on, what news you read, and every place you’ve ever gotten directions to. Most of the time, thanks to things like Google Analytics, they even know which websites you visited that you didn’t reach through Google. If you use Gmail, they know the content of every email you’ve ever sent or received, whether you’ve deleted it or not.

They know who your friends are, where you live, where you work, and where you spend your free time. They know about your health, your love life, and your political leanings. These days they are even branching out into collecting your realtime GPS location and your DNS lookups. In short, not only do they know a lot about what you’re doing, they also have significant insight into what you’re thinking.”

His solution to this problem was interesting. He came up with the idea of a proxy system which would intercept all google queries, strip off identifying material (such as cookies, UserAgent strings and other HTTP headers), substitute new identifiers and mix the requests up with those from other users before forwarding to google. Implementation depended upon a Firefox addon (nothing for other browsers) which identified google queries and forwarded them to the proxy. All other traffic was untouched.

image of googlesharing proxy

I stopped using google (except via scroogle) some time ago, and when Moxie’s new proxy first surfaced I thought it interesting but susceptible to the same problem I discussed in mid 2009 when writing about Hal Roberts’ experience of GIFC – all you are doing is shifting knowledge of your searches from google to a new intermediary. However, Moxie later addressed this problem with the release of version 0.20 of his addon so I thought I’d take another look at it. Unfortunately the addon won’t work with FF 9 (which I am using). Moxie’s proxy is not the only one out there however. Because he released the code under an open source licence, others have picked it up. I found one at gs.netsend.nl. They also provide an updated FF addon which will work with versions up to 15 (i.e. probably around next wednesday given the speed with which Mozilla is currently shipping new FF releases).

Once the addon is installed, it gives you two proxy options in the preferences settings – one is the original proxy.googlesharing.net, the other is gs.netsend.nl itself. In testing I found that the original googlesharing proxy seemed to be off-line, but when using the netsend.nl proxy I was reassured to see the message “Search results anonymized by GoogleSharing” added to the google homepage. I was even more reassured that my sniffer showed a connection to vps1101.pcextreme.nl on 31.21.98.201 and not to any known google network.

So, will I use it? Maybe. But the proxy mechanism seems to be unreliable. In many tests, the proxy connection seemed to be bypassed and the connection was obviously made direct to google (as evidenced by my sniffer). I think this failure is doubly unfortunate because it does not fail safe (i.e. the connection does not simply fail with an error message, it passes you direct through to google). This could lead the unwary to think that they are protected when in fact they are not.

I prefer not to use google at all. And in those cases where I do want to compare results with another search engine I prefer to do so via tor. But it is one more option in my toolkit if used carefully. And if using it pisses off google, then it is worth it occasionally.

Permanent link to this article: https://baldric.net/2012/01/22/moxies-proxy/

and darkness shall be upon the face of the net

Today, 18 January 2012, parts of the ‘net went deliberately dark in combined opposition to the SOPA (A Bill to:“promote prosperity, creativity, entrepreneurship, and innovation by combating the theft of U.S. property, and for other purposes.” I love the “other purposes” bit.) and PIPA bills currently being considered by the US legislative machinery. These two bills are classic examples of badly thought through legislation developed in response to lobby group pressure to protect an existing business model which is failing. I don’t normally make political comment, but I find myself entirely in agreement with the sentiments expressed on the torproject site this morning.

When first attempting to view the tor site, readers are faced with this:

image of blacked out tor website

Clicking on the blacked out section you are taken to a copy of the 18 January blog posting which says:

“The Tor Project doesn’t usually get involved with U.S. copyright debates. But SOPA and PIPA (the House’s “Stop Online Piracy Act” and the Senate’s “Protect-IP Act”) go beyond enforcement of copyright. These copyright bills would strain the infrastructure of the Internet, on which many free communications — anonymous or identified — depend. Originally, the bills proposed that so-called “rogue sites” should be blocked through the Internet’s Domain Name System (DNS). That would have broken DNSSEC security and shared U.S. censorship tactics with those of China’s “great firewall.”

Now, while we hear that DNS-blocking is off the table, the bills remain threatening to the network of intermediaries who carry online speech. Most critically to Tor, SOPA contained a provision forbidding “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both bills broaden the reach of intermediary liability, to hold conduits and search engines liable for user-supplied infringement. The private rights of action and “safe harbors” could force or encourage providers to censor well beyond the current DMCA’s “notice and takedown” provision (of which Chilling Effects documents numerous burdens and abuses).”

Jimmy Wales, the founder of wikipedia has been a particularly vocal critic of the impending legislation. Today, english speaking users of wikipedia were greeted with the following page:

image of the wikipedia blackout page

There is plenty of discussion about the effects of SOPA and PIPA on-line in the usual technical fora (see wired, for example) but as El Reg said about a week ago, the mainstream media in the US have been largely quiet about the implications of the Bills should they ever become law.

I wonder why.

Permanent link to this article: https://baldric.net/2012/01/18/and-darkness-shall-be-upon-the-face-of-the-net/

t-mobile resets its policy?

As I have mentioned in other posts here, I run my own mail server on one of my VMs. I do this for a variety of reasons, but the main one is that I like to control my own network destiny. Back in October last year I noticed an interesting change in my mail experience with my HTC mobile (actually my wife first noticed it and blamed me, assuming that I had “twiddled with something” as she put it). Heaven forfend.

My mail setup is postfix/dovecot with SASL authentication and TLS protecting the mail authentication exchange. My X509 certs are self generated (and so not signed by any CA). I pick up mail over IMAPS (when mobile) and POP3S (at home – for perverse reasons of history I like to actually download mail to my main desktop over POP3 and archive it to two separate NAS backups). I send via the standard SMTP port 25 but require authentication and protect the exchange with TLS.

My mail had been working fine ever since I set it up some years ago, but as I said, back in October my wife complained that she could no longer send email from her HTC mobile (we both use t-mobile as the network provider). She was at work at the time so away from my home network. Both our phones are set up to use wifi for connectivity where it is available (as it is at home of course). When my wife complained I checked my phone and it could send and receive without problem. But when I switched wifi off, thus forcing the data connection through the mobile network, I got the same problem as my wife reported. On checking my mail server logs I read this:

postfix/smtpd[28089]: connect from unknown[149.254.186.120]
postfix/smtpd[28089]: warning: network_biopair_interop: error reading 11 bytes from the network: Connection reset by peer
postfix/smtpd[28089]: SSL_accept error from unknown[149.254.186.120]:-1
postfix/smtpd[28089]: lost connection after STARTTLS from unknown[149.254.186.120]
postfix/smtpd[28089]: disconnect from unknown[149.254.186.120]

(the ip address is one of t-mobile’s servers on their “TMUK-WBR-N2” network)
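As an added example (not from the post), a small Python script that summarises postfix smtpd logs per client and flags clients whose sessions repeatedly die straight after STARTTLS without ever completing a handshake, which is exactly the pattern above. The log lines are constructed to match that excerpt; the home client and its addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpt in the post (not the author's
# own log file): two mobile-network sessions that die right after STARTTLS,
# one home session that completes its TLS handshake.
SAMPLE_LOG = """\
Jan 10 08:01:02 mail postfix/smtpd[28089]: connect from unknown[149.254.186.120]
Jan 10 08:01:03 mail postfix/smtpd[28089]: warning: network_biopair_interop: error reading 11 bytes from the network: Connection reset by peer
Jan 10 08:01:03 mail postfix/smtpd[28089]: SSL_accept error from unknown[149.254.186.120]:-1
Jan 10 08:01:03 mail postfix/smtpd[28089]: lost connection after STARTTLS from unknown[149.254.186.120]
Jan 10 08:01:03 mail postfix/smtpd[28089]: disconnect from unknown[149.254.186.120]
Jan 10 08:05:10 mail postfix/smtpd[28101]: connect from unknown[149.254.186.120]
Jan 10 08:05:11 mail postfix/smtpd[28101]: lost connection after STARTTLS from unknown[149.254.186.120]
Jan 10 08:05:11 mail postfix/smtpd[28101]: disconnect from unknown[149.254.186.120]
Jan 10 09:00:00 mail postfix/smtpd[28150]: connect from home.example[192.0.2.10]
Jan 10 09:00:01 mail postfix/smtpd[28150]: Anonymous TLS connection established from home.example[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 10 09:00:02 mail postfix/smtpd[28150]: disconnect from home.example[192.0.2.10]
"""

# Each pattern captures the client IP from the "name[addr]" part of the line.
PATTERNS = {
    "connects": re.compile(r"smtpd\[\d+\]: connect from \S+\[([0-9.]+)\]"),
    "starttls_lost": re.compile(r"lost connection after STARTTLS from \S+\[([0-9.]+)\]"),
    "tls_ok": re.compile(r"TLS connection established from \S+\[([0-9.]+)\]"),
}

def summarise(lines):
    """Count connects, post-STARTTLS disconnects and completed TLS
    handshakes per client IP."""
    stats = defaultdict(lambda: {"connects": 0, "starttls_lost": 0, "tls_ok": 0})
    for line in lines:
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                stats[m.group(1)][key] += 1
    return dict(stats)

def suspect_clients(stats, min_failures=2):
    """Clients that repeatedly drop immediately after STARTTLS and never
    complete a handshake: a certificate-trust problem or, as in the post,
    something on the path killing the session once STARTTLS is seen."""
    return sorted(ip for ip, s in stats.items()
                  if s["starttls_lost"] >= min_failures and s["tls_ok"] == 0)

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for ip in suspect_clients(summary):
        print(f"{ip}: {summary[ip]['starttls_lost']} sessions lost after STARTTLS, "
              "no TLS ever established")
```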

Everything I could find about that sort of message suggested that the client was tearing down the connection because there was something wrong with the TLS handshake and it was not trusted. Checking earlier logs, I found that t-mobile’s address had apparently changed (to the address above) recently. So I assumed that some recent network change following the Orange/T-mobile merger had been badly managed and all would be well again as soon as the problem was spotted. Wrong. It persisted. So I had to investigate further. As part of my investigation of the error, I tried moving mail from port 25 to 587 (submission) because that sometimes gets around the problem of ISPs blocking, or otherwise interfering with, outbound connections from their networks to port 25. No deal. In fact it looked as if t-mobile were blocking all connections to port 587 (I assumed a whitelisting policy block, or again, a cockup).

So, the scenario was: mail works when connecting over wifi and using my domestic ISP’s network, but doesn’t when using t-mobile’s 3G network. Symptoms point to a lack of trust in the TLS handshake. Tentative conclusion? There is an SSL/TLS proxy somewhere in the mobile operator’s chain. That proxy successfully negotiates with our phones, but when it gets my self certified X509 cert from the server, it can’t authenticate it and decides that the connection is untrusted so tears it down. My server sees this as the client (my phone) tearing down the connection. [As it turns out, this conclusion was completely wrong, but hey].

I said in an email at the time to a friend whose advice I was seeking, “I suspect cockup rather than outright conspiracy, but if my telco is dumb enough to stick a MITM ssl proxy in my mail chain, they really ought to have thought about handling self signed certs a little better. Otherwise it sort of gives the game away.”

In response, he very sensibly suggested that I should run a sniffer on the server and check what was going on. At that time, I was busy doing something else so I didn’t. And because the problem was intermittent (and my wife stopped complaining) I never got around to properly investigating further. (I should explain that I rarely send mail from my mobile nowadays. I just read mail there and wait until I get home to a decent keyboard and can reply to whatever needs handling from there. My wife just gave up bothering to try).

I should have persisted because of course I wasn’t the only one to experience this problem.

Back in November, a member of the t-mobile discussion forum called “dpg” posted a message complaining that he could not connect to port 587 over t-mobile’s 3G network. In response, a member of the t-mobile forum team suggested that dpg might reconfigure his email so that it was relayed via t-mobile’s own SMTP server. Not unreasonably, dpg didn’t think this was an acceptable response – not least because he would then have to send his email in clear. He then posted again saying that “the TLS handshake fails when the mail client receives a TCP packet with the reset (RST) flag set.” (This is a bad thing (TM).) Further, he posted again saying that he had set up his own mail server and repeated earlier tests so that he could see both ends of the connection. At the client side he posted mail from his laptop tethered to his phone which was connected to the t-mobile 3G network. By running sniffers at both ends of the connection he was able to prove to his own satisfaction that something in the t-mobile network was sending a RST and tearing down any connection when a STARTTLS was seen. Again, in a later post in response to one from another poster who apparently manages several mail servers and had been looking at the same issue for a client, dpg says:

“I must say I’m not too pleased to discover that T-Mobile may be snooping all traffic to check for SMTP messages. I have demonstrated that they may be doing this by running a SMTP server on a non-standard port and finding that they still sent TCP reset packets during TLS negotiation – so they must be examining all packets and not just those destined for TCP ports 25 and 587.

I’m also not that keen on T-Mobile spoofing/forging TCP resets. This is the sort of tactic resorted to by the Great Firewall of China (https://www.lightbluetouchpaper.org/2006/06/27/ignoring-the-great-firewall-of-china/) and also by Comcast back in 2007 (https://www.eff.org/wp/packet-forgery-isps-report-comcast-affair) until the US FCC told them to stop (https://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-08-183A1.pdf).”

Then 9 days ago, dpg posted this message:

“I finally got to the bottom of this. I was contacted by T-Mobile technical support today and was told that they are now actively looking for and blocking any TLS-secured SMTP sessions. So, it is a deliberate policy after all, despite what the support staff have been saying on here, twitter and on 150. They told me it is something they have been rolling out over the last three months – which explains why it was intermittent and dependent on IP address and APN to begin with.

So, the only options for sending email over T-Mobile’s network are:
– unencrypted but authenticated SMTP (usually on port 25)
– SSL-encrypted SMTP (usually on port 465)
– unauthenticated and unencrypted email to smtp.t-email.co.uk

TLS-encrypted SMTP sessions are always blocked whether or not they are on the default port of 587.”

(As an aside, there is, of course, another alternative. You can ditch t-mobile as your provider and pick one which doesn’t use DPI to screw your connections. You pays your money….)

Following this, a new poster called “mickeyc” said this:

“I’ve been experiencing this exact same problem. I run my own mail server which has SSL on port 465 and also uses TLS on port 587. I used wireshark to confirm that the RST packets are being spoofed. This is the exact same technology used by “The Great Firewall of China”. I have two t-mobile sims. One is about a year old and doesn’t experience this problem (yet), one is a few weeks old and does.”

He went on to say that he had also experienced problems with his OpenVPN connections and would be blogging about the problem (damned bloggers get everywhere) and sure enough, Mike Cardwell did so at grepular.com. That blog post is worth reading because it has an interesting set of comments and responses from Mike appended.
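Both dpg and mickeyc used packet captures to satisfy themselves that the resets were injected rather than sent by the real peer. As an added example (not code from the post or from either forum poster), here is one heuristic a server-side capture can apply: a genuine endpoint's IP TTL stays constant for the life of a connection, so a RST whose TTL differs from the TTL seen on that sender's earlier segments is a strong hint that a middlebox generated it. The capture below is constructed; the addresses, TTLs and the server banner are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Minimal view of one captured TCP segment (constructed, not a real pcap)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "PA", "R"
    payload: bytes = b""

def flow_key(p):
    """Direction-independent identifier for the connection."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def find_suspect_resets(packets, ttl_slack=0):
    """Flag RST segments whose IP TTL differs from the TTL already seen from
    the same sender on the same flow (heuristic assumed by this example:
    a real endpoint's TTL does not change mid-connection, an injector's
    usually does not match it)."""
    learned_ttl = {}   # (flow, sender) -> TTL from the sender's non-RST traffic
    last_payload = {}  # flow -> most recent application data on the flow
    suspects = []
    for p in packets:
        flow = flow_key(p)
        if "R" in p.flags:
            expected = learned_ttl.get((flow, p.src))
            if expected is not None and abs(expected - p.ttl) > ttl_slack:
                suspects.append({"ts": p.ts, "claimed_from": p.src,
                                 "expected_ttl": expected, "rst_ttl": p.ttl,
                                 "after": last_payload.get(flow)})
        else:
            learned_ttl.setdefault((flow, p.src), p.ttl)
            if p.payload:
                last_payload[flow] = p.payload
    return suspects

# Constructed capture taken on the server side: the phone (10.0.0.5) reaches
# the submission port, issues STARTTLS, and a reset "from the phone" arrives
# with a TTL that matches nothing the phone sent before.
C, S = ("10.0.0.5", 51234), ("198.51.100.7", 587)
CAPTURE = [
    Pkt(0.00, *C, *S, 52, "S"),
    Pkt(0.01, *S, *C, 64, "SA"),
    Pkt(0.02, *C, *S, 52, "A"),
    Pkt(0.03, *S, *C, 64, "PA", b"220 mail.example ESMTP\r\n"),
    Pkt(0.05, *C, *S, 52, "PA", b"EHLO phone\r\n"),
    Pkt(0.06, *S, *C, 64, "PA", b"250-STARTTLS\r\n250 AUTH PLAIN\r\n"),
    Pkt(0.08, *C, *S, 52, "PA", b"STARTTLS\r\n"),
    Pkt(0.09, *S, *C, 64, "PA", b"220 2.0.0 Ready to start TLS\r\n"),
    Pkt(0.12, *C, *S, 60, "R"),
]

if __name__ == "__main__":
    for hit in find_suspect_resets(CAPTURE):
        print(f"RST claiming to be from {hit['claimed_from']} at t={hit['ts']}: "
              f"TTL {hit['rst_ttl']} vs expected {hit['expected_ttl']}, after {hit['after']!r}")
```

TTL alone is not proof (mobile paths can change), so treat a hit as a reason to compare captures from both ends as dpg did, not as a verdict.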

Mike’s post seems to have been picked up by a few others (El Reg has one, and as Mike himself has pointed out, boingboing.net has a particularly OTT post which seems to say that he is accusing t-mobile of something he clearly isn’t).

Finally, two days ago, dpg posted this:

“I’m pleased to report that T-Mobile is no longer blocking TLS-secured email on port 587. As a follow-up to an email exchange over the Christmas period I was contacted today to say that, contrary to what I had been told previously, it was never a deliberate policy to block TLS-secured outgoing email. There was a problem with some equipment after all, which was resolved yesterday.”

I tried again myself today. Initially, I got the same old symptoms (“lost connection after STARTTLS”) then I rebooted my ‘phone and lo and behold I could send email.

Like Mike, I tend to the cockup theory over the conspiracy theory; it’s more likely for one thing. IANAL, but it seems to me that it would be in breach of RIPA part I, Unlawful Interception, for the telco to intercept my SMTP traffic in the way it seems to have been doing. That is not likely to be a deliberate act by a major UK mobile network provider.

But I’ll still keep an eye on things.

Permanent link to this article: https://baldric.net/2012/01/12/t-mobile-resets-its-policy/

tails in a spin

When I first tested running a tails mirror on one of my VMs, the traffic level reported by vnstat ran at around 20-30 GiB per day. I figured I could live with that because it meant that my total monthly traffic would be unlikely to exceed my monthly 1TB allowance. However, when I checked the stats on that server last week (around the 9th of Jan) I found that I was shipping out around 150 GiB per day and vnstat was predicting a monthly total of close to 3 TB. As the tails admins said when I told them that I would have to shut off the mirror on that VM while I sorted something, “Ooops”. Ooops indeed. I couldn’t chance a massive bill for exceeding my bandwidth allowance by quite that much. The actual stats for 4, 5, 6, 7, 8 and 9 January before I pulled the plug were: 34.23 GiB, 69.14 GiB, 178.31 GiB, 131.68 GiB, 99.05 GiB and 133.27 GiB. It turns out that tails 0.10 was released on 4 January and I hadn’t been prepared. A lesson learned.

Having shut down and had the DNS round robin amended, I attended to finding some way of throttling my traffic so that I could live within my allowance whilst still providing a useful mirror. I scratched my head for a while before stumbling on the obvious: I should be throttling at application level. (Sometimes I find that I miss simple answers because I am looking for complicated ones).

I started out by assuming that I should be using tc and iptables mangling, or something like the userspace tool trickle, all of which looked horribly more complicated than the approach taken by tor (which allows you to simply set the acceptable bandwidth rate to some limit, plus set an accounting period maximum of some total transfer limit per day/week whatever). And of course it turns out that my webserver (lighttpd) allows something similar. Just set the server limit to some chosen max transfer rate and, if necessary, also impose a per IP max rate. The magic configuration file options are:

# limit server throughput to 3000 kbytes/sec (~30000 kbits/sec)
server.kbytes-per-second = 3000
#
# and limit individual connections to 50 kbytes (~500 kbits/sec) – NB. I don’t actually use this
# connection.kbytes-per-second = 50

I tested this by pulling a copy of the tails iso from one of my other VMs which has a high bandwidth connection and got acceptable (and expected) results. So now I can go back on-line later this month safe in the knowledge that I’m not going to blow all my bandwidth in one week.

Permanent link to this article: https://baldric.net/2012/01/12/tails-in-a-spin/