Hey, I’m also a very happy customer of djbdns. DNS RR poisoning bugs? Not with me.
Archive for the 'Security' Category
This is fun. Really.
Alison DeLauzon, Reuters reports, had her camera stolen when she left an equipment bag in a restaurant in Florida. The folks who allegedly took the bag also took pictures of themselves, which isn’t unusual. But DeLauzon had an Eye-Fi wireless Secure Digital (SD) card in her camera, received as a gift. The thieves apparently wandered by an open access point with the same SSID as one that DeLauzon had configured for use, and pictures of her baby and the thieves were uploaded to her picture-sharing account. Nifty.
Excuse me, could anyone point me to an iptables p2p blocker module other than ipp2p? Is there such a beast? The ipp2p project seems to be dead (since 2006). And identifying p2p protocols is always a cat-and-mouse game. Thanks.
I can’t help laughing at what Bruno says about this story in Público. So true, so Portuguese. It is the caricature of a government that constantly trumpets the technological and innovation “shock”, but forgot to mention that before that we need a shock of mentalities.
According to this story in Público, at the Ministry of Foreign Affairs the diplomats are all shocked that they will all have to use an @foreignministry.pt address.
What is absolutely surreal is to realise that Portuguese diplomats currently use email addresses at yahoo.fr, wannadoo.fr, tin.it and free.fr. In other words, the email messages of Portuguese diplomats are hosted on third-party servers, including those of companies that offer no guarantee of confidentiality whatsoever, and which are not even subject to Portuguese law.
Now that I think about it, maybe we are innovating with the so-called Open Diplomacy.
So, you’re behind the almighty corporate proxy and you have to work. You love ssh. You have deadlines. You don’t have time to lose. So, you go and install corkscrew. Then, create or edit your ~/.ssh/config with:
ProxyCommand /path/to/corkscrew big.corporate.fw 8080 %h %p
And life is good.
I really think that maybe there’s a reason behind corporate firewalls: to keep people from doing real work. Oh well, running ssh over corkscrew over the almighty HTTP proxy is not enough. Tomorrow I’ll go for OpenVPN over HTTP and tunnel every packet on top of it. Long live open source.
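For anyone who wants to see what corkscrew actually does on the wire, here is an added example (not corkscrew’s code and not from the original post): a minimal ProxyCommand in Python that sends an HTTP CONNECT request to the proxy and, once the proxy answers 2xx, relays raw bytes between ssh (its stdin/stdout) and the tunnel. The proxy host/port, the script path in the config line, and the PROXY_AUTH environment variable for Basic proxy credentials are assumptions for the demo.

```python
"""
Added example (not corkscrew's code and not from the original post): a
minimal ProxyCommand that does the same job as corkscrew, i.e. sends an
HTTP CONNECT request to the corporate proxy and, once the proxy answers
2xx, relays raw bytes between ssh (our stdin/stdout) and the tunnel.

Assumptions for the demo: proxy host/port and target come from argv, and
optional Basic proxy credentials come from the PROXY_AUTH environment
variable as "user:pass". Wire it up in ~/.ssh/config with (path assumed):

    ProxyCommand python3 /path/to/connect_proxy.py big.corporate.fw 8080 %h %p
"""
import base64
import os
import select
import socket
import sys
from typing import Optional, Tuple


def build_connect_request(host: str, port: int, auth: Optional[str] = None) -> bytes:
    """CONNECT request line plus headers; auth is "user:pass" for Proxy-Authorization."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if auth:
        # Basic auth is only base64, not encryption: the proxy sees the password in clear.
        token = base64.b64encode(auth.encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(data: bytes) -> Tuple[int, bytes]:
    """Return (status code, bytes that followed the header block).

    Anything outside 2xx means no tunnel: 407 is the proxy asking for
    credentials, 403 usually means the destination port is not allowed."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response header")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), rest


def open_tunnel(proxy_host: str, proxy_port: int, dest_host: str, dest_port: int,
                auth: Optional[str] = None) -> socket.socket:
    """Connect to the proxy, issue CONNECT, and return the socket once the tunnel is up."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_connect_request(dest_host, dest_port, auth))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    status, leftover = parse_connect_response(buf)
    if not 200 <= status < 300:
        sock.close()
        raise ConnectionError("proxy refused CONNECT with status %d" % status)
    if leftover:
        # Bytes after the header block already belong to the ssh stream (e.g. the server banner).
        sys.stdout.buffer.write(leftover)
        sys.stdout.buffer.flush()
    return sock


def relay(sock: socket.socket) -> None:
    """Pump bytes between ssh's stdin/stdout and the tunnel until either side closes."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    while True:
        readable, _, _ = select.select([stdin, sock], [], [])
        if stdin in readable:
            data = stdin.read1(65536)
            if not data:
                return
            sock.sendall(data)
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            stdout.write(data)
            stdout.flush()


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: connect_proxy.py PROXY_HOST PROXY_PORT DEST_HOST DEST_PORT")
    tunnel = open_tunnel(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]),
                         auth=os.environ.get("PROXY_AUTH"))
    try:
        relay(tunnel)
    finally:
        tunnel.close()
```

The part worth remembering is the status check: a proxy that answers 407 wants credentials, and those go to it Base64-encoded, not encrypted, so only the ssh stream inside the tunnel is actually protected.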
I always thought that in this life we learn a lot more from bad experiences, not just the good ones! Yesterday I bought some goods from a well-known online shop. I’d always paid the bills through PayPal and never had any problems whatsoever. Always fast, always reliable, smooth service. Due to a problem with Spanish VAT not being charged to me, a Portuguese citizen (EU law obliges), I received an email saying that I had to pay for it, and the merchant gently gave me a URL saying that I could just click on it, follow the instructions and the process would come to an end. Ok, nice, happy, happy, joy! Clicked on the ClickandBuy link, which got me to a page where I had to fill in a registration form to complete the process. Ok, name, address, phone and credit card number. All right, no big deal, very reasonable. Filled in all the information and clicked on the ‘Register’ button. After some seconds, bang! ClickandBuy’s registration service says that something is not right with my credit card information (the same one that I used the same day to pay for other services) and to check my inbox for some instructions regarding this authorization process and approval of my ‘on hold’ account. This was the mail I received:
Dear Mr. Marques,
You are already using the clever and secure payment ClickandBuy – thank you very much for relying on this intelligent solution for payments on the Internet.
Unfortunately, we had to temporarily bar you from the use of ClickandBuy. This could be for several reasons, e.g., we might ask you to contact us regarding the address, bank or credit card data you entered.
So, please contact our service team at
+351 707 781 718
for information about the reason for this temporary barring.
We would be happy to activate you again as soon as possible for the use of ClickandBuy and hope for your understanding.
Hmm. I’m already using the clever and secure payment ClickandBuy. No, I’m not. Actually, I can’t register with you because you’re saying that I have “some” problem that is causing this, and I have to reply to this mail or call a 707 number (not an 800 one) just to follow your instructions. Ok, I’m in a hurry, you even have a number in Portugal to call, let’s see. Phoned ClickandBuy and the nice lady answers the phone with a perfect Spanish accent. Oh, and no Portuguese spoken. English will do, no problem. After some minutes I realized that I had to send a copy of my passport (yes, my passport) and my credit card by e-mail or fax to ClickandBuy just to authorize and authenticate my account. Hello? Are you nuts? Send my passport data and the credit card to a fax number, or even by email to you, in clear text? I couldn’t believe this, so I asked if they could send me another e-mail with the instructions that I had to follow. So, here it is:
Dear Mr Marques,
Thank you for contacting ClickandBuy and for your message.
Unfortunately the only way to unblock your ClickandBuy account is by filling
out and signing the attached form. Please send it back to us either via email
or fax with a copy of your passport or drivers licence and credit card (front-
ClickandBuy fax#: +49 (0)221 – 26 01 189
Please understand that this is a security measure intended to protect you and
your account from fraudulent use. We apologize for the inconvenience caused by
This is pure nonsense. This is bloody stupid. ClickandBuy is worried about the fraudulent use of my account, and they ask me to send all my personal details *and* credit card information via email in the “clear”? Or fax it to a German number, from Portugal, at my expense? No, thanks. See, ClickandBuy, you have a lot to learn from PayPal. Take, for example, their method of authenticating new user accounts. After registration, you just have to click a link in an email to authenticate a new account. If you want to upgrade your account to a verified one, depending on your country, PayPal charges your credit card or makes a transfer to your bank account. Along with the transaction description saying something like PAYPAL, there is a code that, if you access your bank account records, you can just copy and paste into PayPal and bingo, you have a verified account. Very smart, very easy. Secure. This is one of the million reasons that PayPal is the king of online payment and has about 100 million accounts.
So, after burning 30 precious minutes of my time I sent an e-mail to the merchant asking if it was ok to pay this by PayPal, because I didn’t want to deal with bureaucratic ClickandBuy again. The answer was: yes, of course, no problem. So, after that, it took me no more than a few seconds to send the money to the merchant.
From Netcraft, OpenSSL Vulnerable to Forged Signatures:
Security researchers have demonstrated a way to forge digital signatures that can fool the OpenSSL software used in many secure web servers and virtual private networks (VPN). The OpenSSL Project has issued patches to address the weakness, and is urging users to upgrade or install the patches.
The signature forgery technique was first demonstrated by Daniel Bleichenbacher, a cryptographer at Bell Labs, at the CRYPTO 2006 conference last month. While the forgery only works on specific keys (known as PKCS #1 v1.5), these keys are used by some certificate authorities in SSL server certificates.
“All software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5,” OpenSSL said in its advisory. “This includes software that uses OpenSSL for SSL or TLS.” OpenSSL versions up to 0.9.7j and 0.9.8b are affected.
Well, long live yum & apt-get.
Update: important quote from the original post:
Implementors should review their RSA signature verification carefully to make sure that they are not being sloppy here. Remember the maxim that in cryptography, verification checks should err on the side of thoroughness. This is no place for laxity or permissiveness.
Daniel also recommends that people stop using RSA keys with exponents of 3. Even if your own implementation is not vulnerable to this attack, there’s no telling what the other guy’s code may do. And he is the one relying on your signature.
So, we cannot say for sure that other PKI/RSA implementations are not vulnerable. Think NSS/Mozilla.
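To make the “sloppy verification” point above concrete, here is an added example (not code from this post, from Netcraft or from OpenSSL) that builds an e = 3 forgery in the style Bleichenbacher described and runs it against two PKCS #1 v1.5 verifiers: one that stops parsing once it has found the DigestInfo, and one that rebuilds the whole encoded block and compares it. The attacker only needs the public key, so the modulus is a fixed 2048-bit odd number standing in for one (an assumption for the demo; a real n is a product of two primes, which changes nothing here because the forged value never wraps modulo n), and the message is constructed.

```python
"""
Added example, not code from the post, from Netcraft or from OpenSSL: an
e = 3 forgery in the style of Bleichenbacher's CRYPTO 2006 rump-session
talk, run against two PKCS #1 v1.5 RSA signature verifiers.

The attacker needs only the public key, so the modulus here is a fixed
2048-bit odd number standing in for one (assumption for the demo; a real
n is a product of two primes, which changes nothing below because the
forged value never wraps modulo n). The message is constructed.
"""
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-256, as in PKCS #1 v1.5 / RFC 8017.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
KEY_BITS = 2048
KEY_BYTES = KEY_BITS // 8


def demo_modulus() -> int:
    """Deterministic stand-in for a 2048-bit public modulus (assumption)."""
    return random.Random(2006).getrandbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1


def digest_info(msg: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()


def icbrt(x: int) -> int:
    """Floor of the integer cube root, by binary search on big ints."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid * mid * mid <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def sloppy_verify(n: int, e: int, sig: int, msg: bytes) -> bool:
    """The vulnerable shape: walk the padding, find DigestInfo, stop looking.

    It never checks that the DigestInfo ends exactly where the block ends,
    so any trailing bytes are silently accepted."""
    em = pow(sig, e, n).to_bytes(KEY_BYTES, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # at least eight 0xFF, then 0x00
        return False
    i += 1
    t = digest_info(msg)
    return em[i:i + len(t)] == t  # BUG: em[i + len(t):] is ignored


def strict_verify(n: int, e: int, sig: int, msg: bytes) -> bool:
    """Thorough shape: rebuild the one valid encoding and compare the whole block."""
    t = digest_info(msg)
    ps_len = KEY_BYTES - len(t) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    em = pow(sig, e, n).to_bytes(KEY_BYTES, "big")
    return hmac.compare_digest(em, expected)


def forge_e3(msg: bytes) -> int:
    """Return s with s**3 < 2**KEY_BITS whose encoding starts 00 01 FF*8 00 DigestInfo.

    Cubes of consecutive integers near cbrt(2**KEY_BITS) are about
    3 * 2**(2*KEY_BITS/3) apart, so if the free tail after DigestInfo is
    wider than that, some cube lands inside [low, low + 2**free_bits) and
    its cube root is a "signature" no private key ever produced."""
    t = digest_info(msg)
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    free_bits = 8 * (KEY_BYTES - len(prefix))
    assert free_bits > 2 * KEY_BITS // 3 + 2, "not enough slack for a cube"
    low = int.from_bytes(prefix + b"\x00" * (KEY_BYTES - len(prefix)), "big")
    s = icbrt(low)
    if s ** 3 < low:
        s += 1  # smallest integer whose cube is >= low
    assert s ** 3 >> free_bits == int.from_bytes(prefix, "big")  # prefix survived
    return s


def run_demo() -> dict:
    n = demo_modulus()
    msg = b"constructed sample message"  # constructed input
    s = forge_e3(msg)
    return {
        "sloppy_e3": sloppy_verify(n, 3, s, msg),          # forgery accepted
        "strict_e3": strict_verify(n, 3, s, msg),          # forgery rejected
        "sloppy_e65537": sloppy_verify(n, 65537, s, msg),  # same s is useless when e=65537
    }


if __name__ == "__main__":
    print(run_demo())
```

The strict verifier is immune because it never parses the block at all: there is exactly one valid encoding for a given message and key size, so it builds that encoding and compares it whole. The last entry of the demo shows the other half of the advice quoted above: with e = 65537 the cube-root shortcut disappears, because s**e mod n wraps around the modulus and no longer carries the forged prefix.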
It can only be show-off, but I think the PJ announced that it will buy equipment to sniff e-mails, chat conversations and even files on p2p networks. All this for the sake of investigating crimes, and I quote, “such as drug trafficking, document forgery, terrorism, corruption and money laundering”. But after reading this paragraph:
Besides allowing closer surveillance of file-sharing programs such as Kazaa and Emule, among others, the new equipment will also allow “listening in” on conversations in online chat programs, and also wiretapping communications whose provider operates on the Internet, such as Skype, something that until now escapes police control.
I understood that this equipment can catch the usual careless, unfortunate small fry, on top of watching everyone’s private life. I doubt it will catch drug traffickers and terrorists. Or do you think the big players sell drugs over MSN? And then will this have no oversight at all, much like this country’s excellent phone-tapping system? I don’t know whether it’s spin or show-off, but at this stage of the game, and it being August, I think of everything.
Update 2: Celso also looks into the matter, more from the ISPs’ point of view. Who, obviously, were not consulted at all. Which only shows the propaganda character of the story.
Someone is stealing your wireless internet access? If you don’t want to mess with WEP and all that mumbo-jumbo MAC-security stuff, just install Upside-Down-Ternet and forget about it. :)
Ok guys, I know you rock and pf is the best packet filter out there. But please, please, can you consider implementing MAC address filtering in future versions? IPFilter has it. And I think that tagging Ethernet frames with bridge/brconfig is lame and confusing. So what are you waiting for? It would be great for VLAN/L2 filtering. Thanks.