Tuesday 29 April 2014

Google ai recognizes cats, oh really?

So people at google are smart, and I mean really smart. Their goals are high, and I mean really high, moonshot high.

They've made|bought|tricked software able to actually come up with a cat, based on watching a million or two YouTube movies. I dread to think what it could have come up with if it had followed -my- YouTube clicks...

Google invented and made and sells google glasses, currently a feat not just impressive but basically radically impressive.

Bought a thermostat company for 3 billion.

Bought a robot and a drone and a balloon company and is trying to reach new highs. I applaud that, [I applaud them mainly for google search and for gmail, not for that monster google+ and not for killing google reader and google picasa!] but for having these wild dreams and actually putting their incredible resources into finding solutions for billions of people.

Thank you google. Thank you Larry, thank you engineers and early financial backers.

But why on earth would one spend a quadrillion dollars on the problems of tomorrow, where we, the billions of people that are customers of google and every single device they use, ARE SUFFERING FROM RIDICULOUS PROBLEMS LIKE SSLHEARTBLEED?

How on earth is it possible that there is no AI|engineer|smartass that actually comes up with something that can prevent|warn|find stupid little problems such as 'a typo' or an illogical piece of computer code?

Apple's CVE-2014-1266 would have been identified if only the right parameters had been given to the compiler.

Try that again: the whole problem of apple's double goto would have been AUTOMATICALLY DETECTED if the code had been compiled ONLY ONCE with the proper compiler argument.

We're under constant attack by governments and mafia alike, and the smartest company on earth is teaching cars to drive autonomously and simply ignores the most fundamental problem:

computercode that does what it is supposed to do.
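The post does not name the compiler argument; the one usually cited for CVE-2014-1266 is clang's -Wunreachable-code (gcc accepts the same flag but has not implemented the warning for years). As an added illustration of the same idea, and not code from the post, here is a deliberately naive Python checker that reports statements made dead by an unconditional goto. The C fragment and its function names (hash_update, hash_final, raw_verify) are constructed to mirror the shape of the bug, not Apple's actual source.

```python
import re

# Constructed C fragment with the shape of the double-goto bug: the second
# "goto fail;" is unconditional, so the final hash check and the real
# verification become dead code and err still holds the earlier success value.
DOUBLE_GOTO_C = """\
    if ((err = hash_update(&ctx, &server_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, &signed_params)) != 0)
        goto fail;
        goto fail;
    if ((err = hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = raw_verify(&hash_out, &signature);
fail:
    return err;
"""

# The same fragment with the stray line removed.
FIXED_C = DOUBLE_GOTO_C.replace("        goto fail;\n        goto fail;\n",
                                "        goto fail;\n", 1)

GOTO_RE = re.compile(r"^\s*goto\s+\w+\s*;\s*$")
LABEL_RE = re.compile(r"^\s*\w+\s*:\s*$")
# An if/else/loop header without braces: its body is the next line.
HEADER_RE = re.compile(r"^\s*(?:if|else\s+if|while|for)\b.*\)\s*$|^\s*else\s*$")


def unreachable_after_goto(c_source):
    """Return (line_no, text) for statements that follow an unconditional goto
    before the next label or closing brace. Line-based and deliberately naive:
    it assumes one statement per line and brace-less bodies on the line after
    their header, which is enough to catch the double-goto shape."""
    findings = []
    skipping = False
    prev = ""
    for no, raw in enumerate(c_source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("//", "/*", "*")):
            continue
        if LABEL_RE.match(line) or line.startswith("}"):
            skipping = False          # a label or block end makes code reachable again
        elif skipping:
            findings.append((no, line))
        elif GOTO_RE.match(line) and not HEADER_RE.match(prev):
            skipping = True           # goto not guarded by an if/else/loop header
        prev = line
    return findings


if __name__ == "__main__":
    for label, src in (("double goto", DOUBLE_GOTO_C), ("fixed", FIXED_C)):
        hits = unreachable_after_goto(src)
        print(f"{label}: {len(hits)} unreachable statement(s)")
        for no, text in hits:
            print(f"  line {no}: {text}")
```

The flagged lines are exactly the ones the duplicated goto skips: the final hash check, its own goto, and the call that does the actual verification. A real compiler does this on the control-flow graph rather than on text, which is why the flag, not a script, is the right tool; the script only shows how little analysis the bug needed.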


Thursday 17 October 2013

DNS and what have you

DNS, the beast. 

There is a lot to know about DNS and it keeps evolving in a steady pace.

A blog I like that focuses on the abuse part of DNS DDoS is dnsamplificationattacks. I even tried to set up a similar infrastructure to see how long it would take for a resolver to be discovered and abused. The result? It takes mere minutes to be discovered [scanned by] and hours rather than days before your open resolver is used.

/var/log/syslog.1:Oct 15 13:25:25 vps1463 named[1376]: client query: aa.10781.info IN ANY +E (
/var/log/syslog.1:Oct 15 13:25:25 vps1463 named[1376]: client query (cache) 'aa.10781.info/A/IN' denied
/var/log/syslog.1:Oct 15 13:25:53 doknowevil named[18459]: client query: aa.10781.info IN ANY +E (
/var/log/syslog.1:Oct 15 13:25:53 doknowevil named[18459]: client query (cache) 'aa.10781.info/ANY/IN' denied
/var/log/syslog.1:Oct 15 13:25:53 manandmice named[11516]: client query: aa.10781.info IN ANY +E (
/var/log/syslog.1:Oct 15 13:25:53 manandmice named[11516]: client query (cache) 'aa.10781.info/ANY/IN' denied
/var/log/syslog.1:Oct 15 14:09:39 xxx.static.dimenoc.com named[429]: client query: aa.10781.info IN A +E (
/var/log/syslog.1:Oct 15 14:09:39 xxx.static.dimenoc.com named[429]: client query (cache) 'aa.10781.info/A/IN' denied

These 4 hosts are AS miles apart from one another. None has ever functioned as an open resolver.
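One way to turn those syslog lines into a signal, as an added example that is not part of the original post: a small parser for BIND's "query (cache) ... denied" lines that groups refusals by name and by reporting host. The sample input is the lines quoted above; the regex also accepts the "client 192.0.2.1#1234:" part that an unredacted BIND log carries (an assumption about the log format, labelled as such in the comment).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the refused-query lines quoted in the post, in grep "file:line"
# form. The truncated "client query: ... +E (" lines are kept to show that the
# parser ignores anything that carries no verdict.
SAMPLE_LOG = """\
/var/log/syslog.1:Oct 15 13:25:25 vps1463 named[1376]: client query: aa.10781.info IN ANY +E (
/var/log/syslog.1:Oct 15 13:25:25 vps1463 named[1376]: client query (cache) 'aa.10781.info/A/IN' denied
/var/log/syslog.1:Oct 15 13:25:53 doknowevil named[18459]: client query: aa.10781.info IN ANY +E (
/var/log/syslog.1:Oct 15 13:25:53 doknowevil named[18459]: client query (cache) 'aa.10781.info/ANY/IN' denied
/var/log/syslog.1:Oct 15 13:25:53 manandmice named[11516]: client query: aa.10781.info IN ANY +E (
/var/log/syslog.1:Oct 15 13:25:53 manandmice named[11516]: client query (cache) 'aa.10781.info/ANY/IN' denied
/var/log/syslog.1:Oct 15 14:09:39 xxx.static.dimenoc.com named[429]: client query: aa.10781.info IN A +E (
/var/log/syslog.1:Oct 15 14:09:39 xxx.static.dimenoc.com named[429]: client query (cache) 'aa.10781.info/A/IN' denied
"""

DENIED_RE = re.compile(
    r"^(?:[^:\s]+:)?"                                    # optional grep filename prefix
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "   # syslog timestamp
    r"(?P<host>\S+) named\[\d+\]: "
    r"client(?: (?P<client>\S+#\d+):)? "                 # assumed: unredacted BIND logs carry addr#port here
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)


@dataclass(frozen=True)
class DeniedQuery:
    ts: str
    host: str
    qname: str
    qtype: str


def parse_denied(log_text):
    """Keep only the lines in which named refused a recursive lookup."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            hits.append(DeniedQuery(m["ts"], m["host"],
                                    m["qname"].lower(), m["qtype"].upper()))
    return hits


def hosts_per_name(events):
    """Which resolvers were probed for the same name."""
    seen = {}
    for e in events:
        seen.setdefault(e.qname, set()).add(e.host)
    return seen


def any_query_share(events):
    """Fraction of refused queries that were ANY, the classic amplification type."""
    if not events:
        return 0.0
    return sum(e.qtype == "ANY" for e in events) / len(events)


def sweep_candidates(events, min_hosts=2):
    """Names refused on at least min_hosts unrelated resolvers: a scanner
    sweeping for open resolvers, not a local client mistyping a name."""
    return sorted(n for n, h in hosts_per_name(events).items() if len(h) >= min_hosts)


if __name__ == "__main__":
    events = parse_denied(SAMPLE_LOG)
    print(f"{len(events)} refusals, ANY share {any_query_share(events):.0%}")
    for name in sweep_candidates(events):
        print(f"{name}: seen on {sorted(hosts_per_name(events)[name])}")
    print(Counter(e.qtype for e in events))
```

The point of keying on distinct hosts is exactly the observation in the text: the same name refused on four resolvers in four different ASes within the hour is a sweep, and a name that shows up on only one box is far more likely to be a local mistake.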

Then I wanted to find out a little more about the current state of the DNS protocol. When I started using DNS, it used UDP for about everything but a zone transfer. That has changed with the Extension Mechanisms for DNS (EDNS0). Initially, the larger requests originating from [poorly] implemented DNSSEC zones caused pain: loads of TCP queries all of a sudden, and the surprising results that came with them in different networks.

RFC 4035 has something to say about DNSSEC and message sizes:
A security-aware name server MUST support the EDNS0 ([RFC2671]) message size extension, MUST support a message size of at least 1220 octets, and SHOULD support a message size of 4000 octets.

Come in:

OARC's DNS Reply Size Test Server

The maximum reply size between a DNS server and resolver may be limited by a number of factors:
  • If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
  • The resolver may be behind a firewall that blocks IP fragments.
  • Some DNS-aware firewalls block responses larger than 512 bytes.
The BIND resolver, since version 9.5.0, includes a feature to decrease its advertised EDNS receive buffer size (down to 512) when its queries time out. We've seen this lead to significant increases in TCP for DNSSEC-signed zones.
DNS-OARC built the DNS Reply Size Test Server to help users identify resolvers that cannot receive large DNS replies.

How To Use

To use the DNS Reply Size Test Server, simply use dig command line tool to issue a TXT query for the name rs.dns-oarc.net:
$ dig +short rs.dns-oarc.net txt
You can test a specific DNS resolver by using the @server feature of dig.
The output should look something like this:
" sent EDNS buffer size 4096"
" DNS reply size limit is at least 4023 bytes"
The first three lines of the output are CNAME records in the response. The "x" numbers represent the sizes of successfully received responses at each step in the test. The final two lines are TXT records that provide information on the test results. Here we can see that the resolver advertised a receive buffer size of 4096 and the server was able to send a response of 4023 bytes.
If your test results in a reply size limit of less than about 4,000 you may want to investigate further. See the excellent write up here.
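What the test server is measuring on the first line of its answer is the EDNS0 OPT record in the query itself. The following is an added example, not code from DNS-OARC or from the post: it builds the query that "dig rs.dns-oarc.net txt" would send, with or without an OPT record, and reads back the advertised UDP payload size the way the server would. A query with no OPT record at all falls back to the 512-byte limit from the first bullet above; the 1220-octet check is the RFC 4035 minimum quoted earlier.

```python
import struct

DNS_MAX_UDP_NO_EDNS = 512      # RFC 1035 limit when no OPT RR is present
RFC4035_MIN_SIZE = 1220        # minimum a security-aware server must support
TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split("."))
    return wire + b"\x00"


def build_query(qname, qtype=TYPE_TXT, edns_bufsize=None, txid=0x1234):
    """Build a DNS query with one question and, when edns_bufsize is given,
    an EDNS0 OPT RR (RFC 6891) whose CLASS field carries the UDP payload
    size the sender claims it can receive."""
    arcount = 0 if edns_bufsize is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)     # class IN
    msg = header + question
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """The size a resolver tells the server it can receive: the OPT RR's
    CLASS field, or 512 when the query carries no OPT RR. This is the number
    the test server echoes back as 'sent EDNS buffer size'."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass
    return DNS_MAX_UDP_NO_EDNS


def meets_rfc4035_minimum(msg):
    """Below 1220 octets, DNSSEC-sized answers get truncated and retried over TCP."""
    return advertised_udp_size(msg) >= RFC4035_MIN_SIZE


if __name__ == "__main__":
    for size in (None, 512, 1220, 4096):
        q = build_query("rs.dns-oarc.net", edns_bufsize=size)
        print(f"OPT size {size!s:>5}: advertises {advertised_udp_size(q)} bytes, "
              f"RFC 4035 minimum met: {meets_rfc4035_minimum(q)}")
```

Note that the advertised size is only a claim: the server still has to get a reply of that size through whatever firewall sits in front of the resolver, which is what the later "DNS reply size limit" line of the test measures, and why BIND lowers this number on timeouts as described above.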

With all the dig'ing like
dig google.com ANY @myveryownresolver
came the desire for more usable statistics on what was going on in named land. Over at Merit there is a nice little tool that does exactly that: statDNS. The tool is named for what it does. The output is limited, and that is what I was looking for to get an impression of what was happening.

For a little more info on the resolving-ability side of things, I actually liked the CLI version of Netalyzr. OK, it requires Java, but on a trashable VPS that is not a real issue. Check here for sample output of one of the hosts I tried it on. It shows a lot more than only DNS resolving issues, and I was surprised to see the IPv6 tests it did. Guess there is still hope for v6 ;)

You made it to here, well done! Here's a present.

Wednesday 10 October 2012


Vodafone Anonymous Customer Recognition


Gotta love 'm for it.

Tuesday 11 September 2012

IPv6 + google = captcha

Dear google, 

I applaud you for being one of the biggest and one of the first to permanently publish quad A's. Really. Very gutsy.

But since I set up my proxy [squid3] on my server [Tilaa VPS 3.2.0-30-virtual #48-Ubuntu SMP] with the latest and greatest Ubuntu 12.04, all my drones are being forced to out themselves as human by your [admittedly friendly and well readable!] captcha.

Multiple times a day. 

Ubuntu has the IPv6 Privacy Extensions [RFC 4941] enabled by default. This is nice, and in my book something that is desirable, but with the captchas popping up all day long it gets old very fast.

Google, would it be feasible for your guys to tweak the 'monitoring for robot access' script a little and check for robot access not per IP[v6] address but per IPv6 /64?

 128 bits of thanks!
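As an added sketch of the per-/64 counting the letter asks for, and in no way Google's code: a request counter that keys IPv6 clients on their /64 rather than on the full address, so that a host cycling through RFC 4941 temporary addresses is one client instead of dozens, while IPv4 clients keep their exact address as the key. The source addresses are constructed for the example (documentation prefixes and ranges).

```python
import ipaddress
from collections import Counter


def abuse_key(addr_str):
    """Key under which to count a client's requests. A host using RFC 4941
    privacy extensions rotates the interface identifier (low 64 bits) but
    keeps the /64 its router advertised, so the /64 is the stable 'one
    machine' unit for IPv6; for IPv4 the single address stays the key."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


def requests_per_client(addr_list, key=abuse_key):
    """Request counts under the chosen key (pass key=str for per-address counting)."""
    return Counter(key(a) for a in addr_list)


def suspects(addr_list, threshold, key=abuse_key):
    """Keys whose request count reaches the threshold, sorted for stable output."""
    return sorted(k for k, n in requests_per_client(addr_list, key).items() if n >= threshold)


# Constructed sample: one host behind a proxy cycling through temporary
# addresses in 2001:db8:aa:1::/64, one unrelated v6 host, two v4 clients.
SAMPLE_SOURCES = [
    "2001:db8:aa:1:4c1e:9f0b:7d2a:1234",
    "2001:db8:aa:1:a1ff:0:beef:8",
    "2001:db8:aa:1:2f4:1:c0de:77",
    "2001:db8:aa:1:9:8:7:6",
    "2001:db8:aa:1:abcd:ef01:2345:6789",
    "2001:db8:bb:2::10",
    "198.51.100.7",
    "198.51.100.7",
    "203.0.113.9",
]

if __name__ == "__main__":
    print("per address:", requests_per_client(SAMPLE_SOURCES, key=str).most_common(3))
    print("per /64:    ", requests_per_client(SAMPLE_SOURCES).most_common(3))
    print("over 5 per /64:", suspects(SAMPLE_SOURCES, 5))
```

Counted per address, the five temporary addresses look like five quiet clients and nothing trips a threshold of five; counted per /64 they are one client with five requests. The same aggregation cuts both ways: a single misbehaving machine in a shared /64 will drag its neighbours into the captcha with it, which is the trade-off any such rule has to accept.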

Thursday 31 May 2012

Me like

A couple of tools I'd like to test drive: http://www.southord.com/Lock-Picking-Tools/Electric-Lock-Pick-Set-E500XT.html http://www.tweedehands.nl/hobby-vrije-tijd/handvaardigheid/gereedschap/klopsleutels-klopsleutel-slagsleutel-bumpkey-lockpick-110728211.html http://www.southord.com/Lock-Picking-Tools/Tubular-Lock-Picks.html While enjoying some simple music: http://soundcloud.com/eerdhuizen/recorded-live-woodstock-69-06 And I need a blokeersleutel: http://www.euroscooters.nl/advanced_search_result.php?keywords=Blokkeersleutel+&search_in_description=1&x=0&y=0 And then some...

Monday 16 April 2012

528140000468795 Thank you!

528140000468795 is my dog's chip number. It's a Staffordshire Bull Terrier.
He's registered in the database of NDG, and is also registered in various other registrars such as Stichting Chip.

Currently the number 528140000468795 does not yield any results in Google. This post will change that.

Saturday 7 April 2012

WiFi roaming on Android [Declined!]

It's an absolute disgrace that Google/Droid/Samsung/HTC can't solve problems like WiFi roaming in 2012.
I know Android is the poor man's iPhone, but still, the software guys pointing at the hardware and vice versa is a major blast from the past. ICS shows little to no improvement for the handful of devices it is available for [do _not_ get me started on the pathetic availability of ICS for droid devices!].

I will not even mention the 'support' for VPN.
Nor the malware-ized software.
Nor the pathetic 'choice' END USERS are required to judge and agree to about access to resources when installing software.
I have immersed myself in the Android world, putting all my iDevices in a locked box for 3 months and replacing them with Samsung [tablets] and HTC [phones], and as much as I like the larger displays and the freedom to tinker, the whole experience has shown me one thing: Android, with its fragmented [per hardware manufacturer, per device] support and the silly failure to solve rudimentary issues like WiFi roaming [do not get me started on application availability across devices!], is just too old skool to expose anyone but choice-less consumers to.
Within a couple of weeks I will have held up my promise to my employer [a rather large telecom company] to at least give Android a shot, but I will celebrate the day my devices 'just work' and I can focus on work rather than getting the infrastructure to cater for broken consumer devices. It has been a good experience, but only to fortify my expectation that Android, with its manufacturer-driven 'support' and 'upgrades', is just not ready for business.

I've tried the Best Wifi app, with varying results.
Multi BSSID single ssid android
Picture from multiple sources [see here]

Monday 16 January 2012

"nothing is but I am"

"Nothing is, but I am", I know.

Nothing is, but I am.

Saturday 10 December 2011

UPC Thomson TWG870 modem :(

With the upgrade to 120Mbit I also received a new modem, the Thomson TWG870. It's DOCSIS 3.0, with very decent WiFi, and a couple of issues.

It's an 'end user' device, where end user should be read as dumb-ass-I-need-not-one-change-nor-control-over-my-own-network kinda user. OK, one can set the SSID and password and even the WiFi compatibility, but that is about it. Want the device in bridge mode? Forget it, disabled by your friendly provider! You would like to assign fixed leases to particular devices in your wired/wifi network? Forget it, just not possible.

"IP Flood Detection" slows the box down to a crawl, just turn it off. FTP can cause issues, but then again, this is a protocol that is about as clean as SNMP is secure. And while at it, updating of the firmware has been disabled, so all UPC customers will probably never update, till they order a new modem.

And the whole interface is just... so incredible 1.0 it should really be used in the-greatest-design-fuckups-ever contest.

So now I'd need to switch back to the reliable Cisco EPC3000. There is absolutely nothing fancy about this modem, except maybe the USB port. For the rest it is simply a usable bridge. I'll do my NATing and what have you myself, thanks UPC!

Monday 22 August 2011

He does not age, he levels...

Some expressions are so good, they deserve a hit on google.

He does not age, he levels, is one of those.

Friday 22 April 2011

Pintupi Planner

Want to get rich? Here's the ticket.

We all stumble upon super stories, excellent exhibitions and great geographical descriptions, but most of the time at the wrong time and the wrong place.

So here is the idea: make a location aware reminder service.

You RSS some cool information about a place, link it to a location with, depending on interest, a larger or smaller range, and get notified of that information if you ever in your life get within that range. On sites with information that is linkable to a location, the content owner will place a purple button 'P' which will insert the reminder with location.

Tuesday 5 April 2011

Seems I am not alone with a gripe against S O N Y. From the Anon site:

Dear Greedy Motherfuckers^H^H^H^H^H^H^H^H^H^H SONY,

Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz.)

You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, "copyright".

Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for, and rightfully own, in the manner of their choosing. Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been "renting" your web domains. Having trodden upon Anonymous' rights, you must now be trodden on.

If you disagree with the disciplinary actions against your private parts^H^H^H^H domains, then we trust you can also understand our motivations for these actions. You own your domains. You paid for them with your own money. Now Anonymous is attacking your private property because we disagree with your actions. And that seems, dare we say it, "wrong." Sound familiar?

Let Anonymous teach you a few important lessons that your mother forgot:
1. Don't do it to someone else if you don't want it to be done to you.
2. Information is free.
3. We own this. Forever.

As for the "judges" and complicit legal entities who have enabled these cowards: You are no better than SONY itself in our eyes and remain guilty of undermining the well-being of the populace and subverting your judicial mandate.

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
Expect us.

Sunday 13 March 2011


Webresentation is becoming more important than any other old form of being.
"I 200, thus I am"

Tuesday 15 February 2011

GeoHot sued by Sony. NEVER buy their gear no more!

So, hot on the heels of the no lube ass pounding of HBGary & affiliates, here is another company that might take on a party they should not mess with. As he puts it "You're fucking with the dude who got the keys to your safe"

How wise that is, I leave to you...

Yo it's geohot
And for those that don't know
I'm getting sued by Sony
Let's take this out of the courtroom and into the streets
I'm a beast, at the least, you'll face me in the northeast
Get my ire up, light my fire
I'll go harder than Eminem went at Mariah
Call me a liar
Pound me in the ass with no lube, chafing
You're fucking with the dude who got the keys to your safe and
Those that can't do bring suits
Cry to your Uncle Sam to settle disputes
Thought you'd tackle this with a little more tact
But then again fudgepackers, I don't know Jack
I shed a tear every time I think of Lik Sang
But shit man, they're a corporation
And I'm a personification of freedom for all
You fill dockets, like that's a concept foreign to y'all
While lawyers muddy water and TRO's stall
Out of business is jail for me
And you're suing me civilly
Exhibit this in the courtroom
Go on, do it, I dare you

Thursday 10 February 2011

Why not

This seems to be some Picasa image server.

Today Craig showed up at the airport. We discussed not solutions but issues. And dox'ing.

And concluded that analog interference sounds better than binary, so please take the binary out of the digital music.

Tuesday 11 January 2011


While looking into certain particular aspects of 'tracking software' I stumbled upon the PreyProject. So I added a couple of my own devices and marked some as missing to see what information it would actually be able to give me.

Unknown to my son, he was participating in this trial. So here he is using his machine in a, for him, normal way. That means, among other things, that he will have turned off as many services, tray icons and other bloatware as possible to get the best possible FPS. PreyProject was still running however, and producing results:

I had to laugh when I saw the screenshot...

Monday 13 December 2010

bullet proof TLD - part deux

And I am not alone on this. Seems the guys and gals from the Pirate Bay thought the same and moved their arses.

Enter P2P DNS

Some observations here

Saturday 4 December 2010

bullet proof TLD

We need a "bullet proof tld". Seeing what happens with wikileaks ATM makes me worry.

I do not like what wikileaks does, but they are merely the publishers, not the creators, nor the leakers...

Wednesday 3 November 2010

HUAWEI Mobile == horror

This happens once a day: simply opening up gmail with gtalk enabled will whack my machine. HUAWEI makes it possible.

Interval Since Last Panic Report: 67994 sec
Panics Since Last Report: 1
Anonymous UUID: 3879FB28-9833-4155-99DD-722A33411EAB

Wed Nov 3 07:57:30 2010
panic(cpu 0 caller 0x2a8ab2): Kernel trap at 0x227d78a3, type 14=page fault, registers:
CR0: 0x8001003b, CR2: 0x000004a8, CR3: 0x00100000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x04e4f000, ECX: 0x09000000, EDX: 0x0426e800
CR2: 0x000004a8, EBP: 0x22433b08, ESI: 0x04e4f000, EDI: 0x03fc2b00
EFL: 0x00010206, EIP: 0x227d78a3, CS: 0x00000008, DS: 0x00000010
Error code: 0x00000000

Backtrace (CPU 0), Frame : Return Address (4 potential args on stack)
0x22433918 : 0x21b455 (0x5cf328 0x2243394c 0x2238b1 0x0)
0x22433968 : 0x2a8ab2 (0x591664 0x227d78a3 0xe 0x59182e)
0x22433a48 : 0x29e9a8 (0x22433a60 0x4e4f000 0x22433b08 0x227d78a3)
0x22433a58 : 0x227d78a3 (0xe 0x48 0x10 0x4e40010)
0x22433b08 : 0x9590cb (0x4e4f000 0x3fc2b00 0x0 0x8)
0x22433b48 : 0x958e0a (0x4e4f000 0x2 0x3fc2b00 0x0)
0x22433b88 : 0x548cf9 (0x4e4f000 0x22433c00 0x0 0x0)
0x22433bd8 : 0x958e86 (0x488d600 0x958dc8 0x22433c00 0x0)
0x22433c28 : 0x958f17 (0x4e4f000 0x3fc2b00 0x958fc6 0x4e4f000)
0x22433c58 : 0x953d68 (0x4e4f000 0x3fc2b00 0x7 0x3fc2b00)
0x22433c78 : 0x5356be (0x3fc2b00 0x4e4f000 0x7 0x4fe006)
0x22433ce8 : 0x547337 (0x4e4f000 0x7 0x4809f40 0x0)
0x22433d18 : 0x531ee8 (0x395df80 0x5355b0 0x4e4f000 0x7)
0x22433d68 : 0x536251 (0x4809f40 0x0 0x0 0x449bf40)
0x22433de8 : 0x537363 (0x7 0x3e98500 0x1 0x0)
0x22433e48 : 0x537a9b (0x3e98500 0x6 0x0 0xffffffff)
0x22433ec8 : 0x537ac3 (0x3e98500 0x6 0x22433f08 0x542f000)
0x22433ee8 : 0xe64e9c (0x3e98500 0x2 0x1 0x456ab80)
0x22433f08 : 0xe6c329 (0x3e98500 0x2 0x456ab8c 0x293b71)
0x22433f28 : 0xe6c419 (0x542f000 0x7 0x22433f58 0x4fb982)
0x22433f58 : 0xe6c4d4 (0x542f000 0x0 0x22433f78 0x2a1591)
0x22433f78 : 0x22fb84 (0x542f000 0x0 0x0 0xbfffdcfc)
0x22433fc8 : 0x29e6cc (0x863ea0 0x0 0x10 0x43c8de4)
Kernel Extensions in backtrace (with dependencies):
dependency: com.apple.iokit.IOUSBFamily(4.0.2)@0xe5c000
dependency: com.apple.iokit.IONetworkingFamily(1.9)@0x952000
dependency: com.apple.iokit.IOPCIFamily(2.6)@0x926000

BSD process name corresponding to current thread: kernel_task

Mac OS version:

Kernel version:
Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386
System model name: MacBook3,1 (Mac-F22788C8)

System uptime in nanoseconds: 68307501559045
unloaded kexts:
com.apple.driver.AppleWWANSupport 2.0.3b0 (addr 0xcc8000, size 0x12288) - last unloaded 68242737696090
loaded kexts:
de.novamedia.driver.NMSmartplugSCSIDevice 1.0.1 - last loaded 68167435223328
com.huawei.driver.HuaweiDataCardECMData 1.19.00
com.huawei.driver.HuaweiDataCardECMControl 1.19.00
com.huawei.driver.HuaweiDataCardACMData 4.05.00
foo.tun 1.0
foo.tap 1.0
com.apple.filesystems.smbfs 1.6.2
com.apple.driver.AppleHWSensor 1.9.3d0
com.apple.driver.SMCMotionSensor 3.0.0d4
com.apple.filesystems.autofs 2.1.0
com.apple.driver.AudioAUUC 1.4
com.apple.driver.AppleHDA 1.8.7f1
com.apple.driver.AppleUpstreamUserClient 3.3.2
com.apple.Dont_Steal_Mac_OS_X 7.0.0
com.apple.iokit.CHUDUtils 364
com.apple.iokit.CHUDProf 364
com.apple.driver.AudioIPCDriver 1.1.2
com.apple.driver.AppleIntelMeromProfile 19.1
com.apple.driver.AppleBacklight 170.0.24
com.apple.driver.ACPI_SMC_PlatformPlugin 4.1.2b1
com.apple.driver.AppleLPC 1.4.12
com.apple.driver.AppleIntelGMAX3100 6.1.8
com.apple.driver.AppleIntelGMAX3100FB 6.1.8
com.apple.driver.AppleUSBTrackpad 1.8.1b1
com.apple.driver.AppleUSBTCKeyEventDriver 1.8.1b1
com.apple.driver.AppleUSBTCKeyboard 1.8.1b1
com.apple.driver.AppleIRController 303.8
com.apple.iokit.SCSITaskUserClient 2.6.5
com.apple.iokit.AppleYukon2 3.1.14b1
com.apple.iokit.IOAHCIBlockStorage 1.6.2
com.apple.driver.AppleAHCIPort 2.1.2
com.apple.driver.AppleIntelPIIXATA 2.5.1
com.apple.BootCache 31
com.apple.AppleFSCompression.AppleFSCompressionTypeZlib 1.0.0d1
com.apple.driver.AppleUSBHub 4.0.0
com.apple.driver.AppleSmartBatteryManager 160.0.0
com.apple.driver.AppleFWOHCI 4.7.1
com.apple.driver.AppleUSBEHCI 4.0.2
com.apple.driver.AppleUSBUHCI 4.0.2
com.apple.driver.AirPortBrcm43xx 423.91.27
com.apple.driver.AppleEFINVRAM 1.3.0
com.apple.driver.AppleRTC 1.3.1
com.apple.driver.AppleHPET 1.5
com.apple.driver.AppleACPIButtons 1.3.2
com.apple.driver.AppleSMBIOS 1.6
com.apple.driver.AppleACPIEC 1.3.2
com.apple.driver.AppleAPIC 1.4
com.apple.driver.AppleIntelCPUPowerManagementClient 105.10.0
com.apple.security.sandbox 0
com.apple.security.quarantine 0
com.apple.nke.applicationfirewall 2.1.11
com.apple.driver.AppleIntelCPUPowerManagement 105.10.0
com.apple.iokit.IOSCSIBlockCommandsDevice 2.6.5
com.apple.iokit.IOUSBMassStorageClass 2.6.1
com.apple.driver.AppleProfileReadCounterAction 17
com.apple.iokit.IOFireWireIP 2.0.3
com.apple.driver.DspFuncLib 1.8.7f1
com.apple.driver.AppleProfileTimestampAction 10
com.apple.driver.AppleProfileThreadInfoAction 14
com.apple.driver.AppleProfileRegisterStateAction 10
com.apple.driver.AppleProfileKEventAction 10
com.apple.driver.AppleProfileCallstackAction 20
com.apple.iokit.IOSurface 74.0
com.apple.iokit.IOBluetoothSerialManager 2.3.3f8
com.apple.iokit.IOSerialFamily 10.0.3
com.apple.iokit.CHUDKernLib 365
com.apple.iokit.IOAudioFamily 1.7.6fc2
com.apple.kext.OSvKernDSPLib 1.3
com.apple.driver.AppleHDAController 1.8.7f1
com.apple.iokit.IOHDAFamily 1.8.7f1
com.apple.iokit.AppleProfileFamily 41.4
com.apple.driver.IOPlatformPluginFamily 4.1.2b1
com.apple.driver.AppleSMC 3.0.1d2
com.apple.iokit.IONDRVSupport 2.1
com.apple.iokit.IOGraphicsFamily 2.1
com.apple.driver.CSRUSBBluetoothHCIController 2.3.3f8
com.apple.driver.AppleUSBBluetoothHCIController 2.3.3f8
com.apple.iokit.IOBluetoothFamily 2.3.3f8
com.apple.driver.AppleUSBMergeNub 4.0.0
com.apple.iokit.IOUSBHIDDriver 4.0.2
com.apple.driver.AppleUSBComposite 3.9.0
com.apple.iokit.IOSCSIMultimediaCommandsDevice 2.6.5
com.apple.iokit.IOBDStorageFamily 1.6
com.apple.iokit.IODVDStorageFamily 1.6
com.apple.iokit.IOCDStorageFamily 1.6
com.apple.driver.XsanFilter 402.1
com.apple.iokit.IOATAPIProtocolTransport 2.5.1
com.apple.iokit.IOSCSIArchitectureModelFamily 2.6.5
com.apple.iokit.IOAHCIFamily 2.0.4
com.apple.iokit.IOATAFamily 2.5.1
com.apple.iokit.IOUSBUserClient 4.0.0
com.apple.iokit.IOFireWireFamily 4.2.6
com.apple.iokit.IOUSBFamily 4.0.2
com.apple.iokit.IO80211Family 311.1
com.apple.iokit.IONetworkingFamily 1.9
com.apple.driver.AppleEFIRuntime 1.3.0
com.apple.iokit.IOHIDFamily 1.6.4
com.apple.iokit.IOSMBusFamily 1.1
com.apple.kext.AppleMatch 1.0.0d1
com.apple.security.TMSafetyNet 6
com.apple.driver.DiskImages 283
com.apple.iokit.IOStorageFamily 1.6.1
com.apple.driver.AppleACPIPlatform 1.3.2
com.apple.iokit.IOPCIFamily 2.6
com.apple.iokit.IOACPIFamily 1.3.0
Model: MacBook3,1, BootROM MB31.008E.B02, 2 processors, Intel Core 2 Duo, 2.2 GHz, 1 GB, SMC 1.24f3
Graphics: Intel GMA X3100, GMA X3100, Built-In, 144 MB
Memory Module: global_name
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x88), Broadcom BCM43xx 1.0 (
Bluetooth: Version 2.3.3f8, 2 service, 19 devices, 1 incoming serial ports
Serial ATA Device: Hitachi HTS542512K9SA00, 111,79 GB
Parallel ATA Device: HL-DT-ST DVDRW GSA-S10N
USB Device: Built-in iSight, 0x05ac (Apple Inc.), 0x8501, 0xfd400000
USB Device: HUAWEI Mobile, 0x12d1, 0x1465, 0xfa200000
USB Device: Apple Internal Keyboard / Trackpad, 0x05ac (Apple Inc.), 0x022a, 0x5d200000
USB Device: IR Receiver, 0x05ac (Apple Inc.), 0x8242, 0x5d100000
USB Device: Bluetooth USB Host Controller, 0x05ac (Apple Inc.), 0x8205, 0x1a100000

Tuesday 2 November 2010

Buy apple, forget orange

As all sane people should, I like to buy shares of a company that sells products that I believe in, and as soon as the shares have risen enough to pay for the product I buy it.

This is the moment [again] to get yourself some Apple shares. Why? Because they so get what we want.

The next super step will be the iPhone5. It will change your life, or at least [if you do not own a Mac by then] the way you will expect your computer life to be. How? This is how:

If users wave an NFC-equipped iPhone and an NFC-equipped Mac, the Mac will load all their applications, settings and data. It will be as though they are sitting at their own machine at home or work. When the user leaves, and the NFC-equipped iPhone is out of range, the host machine returns to its previous state.”
The source told Cult of Mac: “The system would essentially turn any Apple computer in to your own, like you’re actually working on your own computer; same settings, look, bookmarks, preferences. It would all be invisible. Your iPhone would be all you needed to unlock your Mac.”

See, that is what you never knew you wanted but actually is. Just like the interface of the iPhone, it's something you never knew you missed but once you touched it, you can not let go. This will rock your world.

The smart money is there already ofc. 52 week high and low 185.57 - 319.00. But still, still I bet you that buying a couple of stocks now will give you a premium when you buy your iPhone5 and NFC-equipped Mac. Check for current stock prices here.

Edit: 9/11 2012. One day before the [rumored] launch of the iPhone5.
665.82 Up 3.08(0.46%) 11:59AM EDT - Nasdaq Real Time Price

Monday 1 November 2010

See through: IP6 iphone-XXXXXXX.local > ff02::2: ICMP6, router solicitation

Please help a connection-searching iPhone out and give it an IPv6 address. And while at it, a default router too. After being so nice, I am sure you've collected enough karma to warrant some cookie sniffing or even the occasional traffic modification.

In about 3 hours on a public hotspot I saw nearly 30 [that is thirty!] iOS 4 iPhones crying out router solicitations. Knowing the rules laid out in RFC 3484, it should not be too hard to get the application/OS to prefer v6 over v4. This makes getting these pesky SSL'ed cookies so much easier without ARP poisoning.

Thursday 7 October 2010


randstad/ hofstad/ domstad/ kaasstad/ maasstad
hanzestad/ slaapstad/ spookstad/ vestingstad

parkeerplaats/ marktplaats/ speelplaats/ zitplaats
luchtplaats/ vrijplaats/ ligplaats/ drinkplaats

inktvlek/ vetvlek/ schandvlek/ bloedvlek

ton lebbink

Monday 20 September 2010

On the new skateboard


Intrusion Tolerance in Istanbul

If 'things' normally never go wrong, you're in deep sheit when they do. But if you work as a hairdresser in Istanbul and have grown used to power cuts, a simple all-lights-out situation will not knock you out of your socks; you just keep doing your thing.

When a friendly neighbor called Achmed walks in with a handheld torch, you thank him casually and keep on cutting.

Thursday 9 September 2010

AR Drone in tha house!

This gets me all excited:

From AR Drone

A cool Parrot AR drone. Available now in the US and in France, but in Holland it is not for sale until October. No mention as to where, yet.

Who cares, I am close to one, let's fly it!


From AR Drone

Then this:
From AR Drone

From AR Drone

From AR Drone


How not to mess up your AR Drone

From Bruce

From NPR:

Based on surveys Barnes collected, the top five worries of parents are, in order:

School snipers
Dangerous strangers

But how do children really get hurt or killed?

Car accidents
Homicide (usually committed by a person who knows the child, not a stranger)

Why such a big discrepancy between worries and reality? Barnes says parents fixate on rare events because they internalize horrific stories they hear on the news or from a friend without stopping to think about the odds the same thing could happen to their children.

No surprise to any regular reader of this blog.

More on the subject

Thursday 29 April 2010

IPv6: lies damned lies and power point

On the 12th of April 2010, the state secretary of Binnenlandse Zaken & Koninkrijksrelaties formally answered questions raised by Arda Gerkens, member of the Tweede Kamer, about the warnings from ICANN about the shortage of Internet Protocol addresses.

Yes, our politicians know about these, for most people, obscure and deeply technical issues. The formal and written answers are, well, interesting to say the least. First there is a little chit-chat about the 10% of IPv4 space still being available, the prediction that it might be used up in the next 2 years, etc. Then comes the part where Marja J.A. van der Hoeven [minister van Economische Zaken] writes:

"I have the recent results from research by the European Commission regarding the transition to IPv6. This research shows us that 56% of the internet service providers in Europe support IPv6. Participating Dutch ISPs score significantly higher: 92%. From the research it is shown that factual usage of IPv6 in the Netherlands is 3%, higher than Germany, France and the UK."
[Note: sloppy translation all done by me]

These numbers are based on this 'document'. I challenge you to find any basis for the 92% of Dutch ISPs supporting IPv6.

But it gets worse. The 3% of factual Dutch IP traffic being IPv6 is based on access to one single website of TNO, aka the Netherlands Organisation for Applied Scientific Research. Certainly a high-profile & representative website? I am afraid not.

The reality is sad, and getting sadder. The local IT news site Tweakers was happy to show that IPv6 traffic on the AMS-IX 'touched' 2Gbps. At the same time the AMS-IX carried about 700Gbps of IPv4 traffic. That means the total amount of IPv6 traffic was 0.285% of the amount of IPv4 traffic. Around May this year the amount was around 0.2%, so we're still seeing growth, just not as fast as in the last years.

That was back in October 2009. Enter 2010 and IPv6 in absolute numbers is degrading. From a staggering 0.285% it is now even lower and NOWHERE NEAR the 3% our minister van Economische Zaken claims.

I have tried to contact Maarten Botterman [the author of the document that these 'numbers' are based on] for some more insight into the data he based at least his own number on, but to no avail.

Here's some more of my ranting.

Niet rooskleurig, maar wel realistisch en dat mag best wel eens. Rond kijkend in 'mijn netwerk' kan ik alle partijen die ook werkelijk V6 doen op 1 hand tellen [en drie daarvan hebben members op deze lijst]. Kijkend naar klanten van mijn huidige opdrachtgever kom ik ook niet veel verder.

Asking around in the [pre-]sales environment also yields a dismal picture as far as interest in v6 goes.

It is not unwillingness or inability; many of the shops I visit do harder things than v6. It is much more the deafening lack of drivers. There are no customers on v6, there is no content on v6, in short there is nothing to gain.

ISPs like XS4ALL have a notoriously tech-aware customer base and are therefore the exception to the rule, which is why there is a good driver for them to offer v6. Incredibly good people work at BIT & SURFnet, so they can offer it for a relatively low price because the knowledge is already in-house. But for the KPNs, the UPCs, the banks, the Aholds and others who have to make money, v6 costs money, means risk, and for now promises no extra revenue at all.

Hence the urge to call on the government again. There, money costs nothing, and those responsible let themselves be fobbed off with a vague selection of some obscure figures from a PowerPoint presentation.

In the commercial market there is [as yet] no demand for v6 at all. The chance that demand will take off within 2 years is small; within 5 years possibly, but there are no guarantees. The advantages of supporting v6 now, set against the risks & costs, are marginal if they exist at all.

But how come? v6 is 'done' and has existed for so many years, right? Well no, not really. v6 is still in the 'individual contributions have to get it working because we still do not fully oversee it' stage [see http://fud.no/ipv6 for a classic example of one individual who has to tell 'all' OS makers how to support v6&v4]. Just as I, in the early 90s, had to [read: was allowed to] build my own bastion hosts for companies that wanted to 'safely' sniff at 'the Internet', companies now have to implement v6 themselves.

In the early 90s [large] companies earned nothing with Internet access; it was a playground where a day of outage did not lead to great consternation. Nowadays, one button on a bank's website not working can lead to the CEO having to appear on the eight o'clock news to calm the market.

In short, v6 is in its infancy, there is nothing to earn, nor to sell. So let's please be a bit realistic about the matter and simply address & treat 'v6 mail server whitelist' and 'v4 runs out in 153 days' and '91% of the isp.nl are ready' and 'v6 is mature & prime time ready' as pipe dreams.

woensdag 21 april 2010

Typoos? It shuold be verboten!

Want to hide information in a sea of data? Try typoos.

Via Bruce Schneier's RSS feed I was pointed to an article about the nominated head of US Cyber Command, Lt. Gen. Keith Alexander, the current Director of the NSA. In a snippet of his 'job interview' a typo slipped in that has been copied & pasted into 9 sites indexed by Google.

Google "both government and insustry to consider" [with quotes, of course] and get 9 hits [21st of April 2010 at 09:18 GMT].

Gotta love unique typoos for tracking information spread.

But what if the bad guys did the same? Use some 'easy to remember but unlikely to make' spelling errors so their cells can easily find instructions?

Just like steganography, this should be investigated, with a lot of money poured into it, to keep the spy catchers happy & busy.

zaterdag 28 november 2009

IPv6 anytime

Having IPv6 connectivity is really sweet, at times. The preferred way would be a native connection, but since there are hardly any ISPs offering IPv6 on their networks, one needs to tunnel.

Tunneling basically means accepting IPv6 traffic on a local interface, putting it into an IPv4 packet, sending it to a host on the Internet that does have IPv6 connectivity, unpacking the IPv6 packet from its IPv4 container, and letting it go via the IPv6 network. Tunnel brokers like SixXS & HE are really good for this. They offer free connectivity, clients, instructions and whatnot to set up a nice any-to-any tunnel.

But when you are in a network that somehow blocks tunneled IPv6, you will not be able to set up your elegant tunnel. This kind of tunnel [6in4] is easy for a firewall to spot: the outer IPv4 header carries protocol number 41, and public WiFi, hotels, companies, all sorts of networks simply drop protocol 41.
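What a firewall actually sees when it 'blocks protocol 41' is worth looking at. The following is an added example, not code from the original post or from any tunnel broker: it constructs a 6in4 datagram in memory [addresses from the documentation ranges, so nothing here is real traffic] and decodes it the way a packet filter or IDS would, keying purely on the outer IPv4 Protocol field. Feed decode_6in4 the IPv4 layer of captured frames to do the same on real traffic.

```python
"""Spot protocol-41 (6in4) traffic in raw IPv4 datagrams.

Added example, not from the original post. It builds a constructed
6in4 packet in memory and shows what a firewall sees: an outer IPv4
header whose Protocol field is 41 with a complete IPv6 header as the
payload. The decoder works on the IPv4 layer of any captured frame.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # 6in4 / SIT encapsulation: the thing hotel firewalls drop

IPV4_HDR = "!BBHHHBBH4s4s"     # 20 bytes, no options
IPV6_HDR = "!IHBB16s16s"       # 40 bytes


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed sample: an IPv4 datagram carrying an IPv6 header.
    `payload` is whatever follows the IPv6 header (here: ICMPv6)."""
    inner = struct.pack(
        IPV6_HDR,
        0x6 << 28,                  # version 6, traffic class 0, flow label 0
        len(payload),               # payload length
        58,                         # next header: ICMPv6
        64,                         # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    ) + payload
    outer = struct.pack(
        IPV4_HDR,
        0x45, 0, 20 + len(inner),   # v4, IHL=5, total length
        0x1234, 0x4000,             # id, flags DF, no fragment offset
        64, IPPROTO_IPV6, 0,        # TTL, protocol 41, checksum left zero
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def decode_6in4(frame):
    """Return tunnel endpoints and inner IPv6 addresses if `frame` is a
    6in4 datagram, None if it is ordinary IPv4, ValueError if truncated."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, total, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, frame[:20])
    if ver_ihl >> 4 != 4:
        return None
    if proto != IPPROTO_IPV6:      # the single field a protocol-41 filter keys on
        return None
    ihl = (ver_ihl & 0x0F) * 4
    inner = frame[ihl:total]
    if len(inner) < 40:
        raise ValueError("protocol 41 but no full IPv6 header inside")
    vtcfl, _plen, nxt, hlim, isrc, idst = struct.unpack(IPV6_HDR, inner[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("protocol 41 payload is not IPv6")
    return {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "inner_src": str(ipaddress.IPv6Address(isrc)),
        "inner_dst": str(ipaddress.IPv6Address(idst)),
        "next_header": nxt,
        "hop_limit": hlim,
    }


def is_tunnel_to_broker(frame, broker_v4):
    """Typical egress rule: does this frame carry IPv6 towards a known
    tunnel-broker PoP? False for plain IPv4 traffic."""
    info = decode_6in4(frame)
    return info is not None and info["outer_dst"] == broker_v4


if __name__ == "__main__":
    # Constructed: an ICMPv6 echo request through a hypothetical broker PoP
    pkt = build_6in4("192.0.2.10", "198.51.100.1",
                     "2001:db8:1::10", "2001:db8:2::1",
                     b"\x80\x00" + b"\x00" * 6)
    print(decode_6in4(pkt))
```

Note that nothing in the outer header is encrypted or even obfuscated, which is exactly why a one-line ACL on protocol 41 is enough to kill 6in4, and why the post moves on to Teredo.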

Luckily there are more options. One of the more stealthy methods is the Teredo tunnel, which wraps the IPv6 packet in UDP instead of raw protocol 41. It is specifically designed to work behind NAT devices, something ISATAP does not handle since it needs public IP connectivity. The 'nice' thing about ISATAP is that Vista, 7 and Windows 2008 machines will automatically configure an ISATAP interface when the name isatap is resolvable in the local domain [hint]. So if the record isatap.example.com IN A exists, you're in business; note that whoever controls that record also decides which router every such client will use. But I digress.

Teredo is also implemented for free and automagically on your Windows machines... IF they are not members of an Active Directory domain [hint]. It is also available for Linux & BSD and there is an [old] implementation that runs on OSX [including Snow Leopard] too.

The name is not an accident either. As on Wikipedia: "The initial nickname of the Teredo tunneling protocol was shipworm. The idea was that the protocol would pierce holes through NAT devices, much like the shipworms bore tunnels through wood. Shipworms are responsible for the loss of very many wooden hulls, but Christian Huitema in the original draft noted that 'the animal only survives in relatively clean and unpolluted water; its recent comeback in several Northern American harbors is a testimony to their newly retrieved cleanliness. Similarly, by piercing holes through NAT, the service would contribute to a newly retrieved transparency of the Internet.' Christian Huitema quickly changed the name to Teredo to avoid confusion with computer worms. Teredo navalis is the Latin name of one of the best known species of shipworm."
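Both ISATAP and Teredo leave their IPv4 endpoints sitting inside the IPv6 address itself, which is handy for the inventory question the hints above raise: which hosts on your network quietly tunnelled, and through which server. The decoder below is an added example, not code from the original post; the sample addresses are constructed [the Teredo one is the standard textbook example], and it also handles 6to4, which the post does not mention, because it is the same trick.

```python
"""Decode the IPv4 endpoints embedded in transition-mechanism IPv6
addresses: 6to4 (RFC 3056), ISATAP (RFC 5214) and Teredo (RFC 4380).

Added example, not part of the original post. A Teredo address carries
the Teredo server's IPv4, the cone-NAT flag, and the client's public
IPv4:port obfuscated by XOR with all-ones; an ISATAP address carries
the host's IPv4 in its interface identifier.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
# ISATAP interface ID: 0000:5EFE for a private IPv4, 0200:5EFE (u/g bit set) for a public one
ISATAP_IID_MARKERS = {0x00005EFE: False, 0x02005EFE: True}


def _v4(n):
    """Render the low 32 bits of an integer as a dotted quad."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def classify(addr):
    """Describe the tunnel type and embedded IPv4 data of one address.
    Returns {'type': 'native'} when the address embeds nothing."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)

    if a in TEREDO_PREFIX:
        # bits 32-63 server, 64-79 flags, 80-95 ~port, 96-127 ~client (RFC 4380 s.4)
        server = (n >> 64) & 0xFFFFFFFF
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = (n & 0xFFFFFFFF) ^ 0xFFFFFFFF
        return {"type": "teredo", "server": _v4(server),
                "cone_nat": bool(flags & 0x8000),
                "client": _v4(client), "client_port": port}

    if a in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> W.X.Y.Z is the 6to4 router's public IPv4
        return {"type": "6to4", "router_v4": _v4(n >> 80)}

    iid_high = (n >> 32) & 0xFFFFFFFF
    if iid_high in ISATAP_IID_MARKERS:
        return {"type": "isatap",
                "prefix": str(ipaddress.IPv6Address((n >> 64) << 64)) + "/64",
                "host_v4": _v4(n),
                "public_v4": ISATAP_IID_MARKERS[iid_high]}

    return {"type": "native"}


def tunnelled_hosts(addrs):
    """Filter an iterable of IPv6 addresses (e.g. pulled from web server
    or firewall logs) down to the ones that arrived through a tunnel."""
    out = []
    for addr in addrs:
        info = classify(addr)
        if info["type"] != "native":
            out.append((addr, info))
    return out


if __name__ == "__main__":
    # Constructed sample: one address of each kind
    sample = [
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo: server 65.54.227.120, client 192.0.2.45:40000
        "fe80::5efe:192.0.2.10",                   # ISATAP link-local, private v4
        "2002:c000:204::1",                        # 6to4 from 192.0.2.4
        "2001:db8::1",                             # native, embeds nothing
    ]
    for addr, info in tunnelled_hosts(sample):
        print(addr, info)
```

Python's own ipaddress.IPv6Address exposes .teredo and .sixtofour properties that return the raw endpoints, but not the NAT flags or the client port, which is why the Teredo branch is decoded by hand here.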

The 'self-healing capabilities' of 'the Internet', and especially the IPv6 feature called Neighbor Discovery, open up a whole class of challenges of their own. Initially for the network designers and operators, but soon for malware writers too. Luckily the part of the RFC for IPv6's Type 0 Routing Header has already been deprecated. It made possible the good ol' source routing, but with 88-fold amplification. It was demonstrated at CanSecWest07 by Philippe Biondi & Arnaud Ebalard, the developers of 'scapy', a powerful interactive packet manipulation program.

Have fun and good luck getting packets flowing the way you like it.

dinsdag 17 november 2009

Treasure hunting ;)

With the 'holiday season' coming up, buying presents is at its all-time high. I like buying presents. As a matter of fact, with age giving presents becomes more fun than receiving them. I guess that dates me :)

With Marktplaats in Holland & eBay as a global flea market, hunting for cheap stuff is easier than ever. But there is an angle to make it more fun, because paying too much is for tourists. So let's employ some good old SE on the matter.

A good lesson to start with is to get to know the subject. As an example let's use steam engines. The top of the world market is served by the long-standing traditional firm Wilesco. They've been in the steam engine market since [or slightly before] James Watt improved the concept of steam power to a usable level, and even have a Wiki page, in three languages, including Japanese [did someone say market?] :)

Reading fan pages is a treasure trove of 'unwritten' usable information; mostly you will be looking for hobbyists and other self-proclaimed experts.

Then it's time to scour the Internets. Hit Craigslist, Marktplaats, Ricardo and other 'local' flea markets and compare the offers and prices with the 'global' eBay prices.

Of course, the Wilesco D32 is the all-time classic, with prices ranging between 1,000 and 1,500 euros. A super collector's item is the Wilesco R200 Atomkraftwerk, rare & expensive. The top spots will be a rough market and not something we amateurs want to burn our fingers on with a first try.

Since the example of the Wilesco repairman deals with a D24, I propose we start hunting for a nicely priced D24. The D24 is a powerhouse. It is the steam engine with the largest boiler volume of the whole Wilesco range.

One of the cool features of the D32 is the control panel; the D24 has that too [smaller and with less on it]. See here:

Google "Wilesco D24" for starters and see what you come up with. Then do the same on your local flea market and repeat it on the international eBay. There are some pretty astounding price differences to be observed. Certainly some of them can be explained by quality and age, but the local culture is a big factor too. Try to leverage that. Dealing with people from other countries used to be hard and painful. With the coming of the Internet and the disappearing of the borders in our global village, things are getting easier by the day. Often sellers will even state whether they will post items internationally, and if they do not, a couple of words in their own language is a good starting point. I like to use Google Translate for that purpose.

Very good [for you] deals can be made with people who do not know what they're dealing with. Telltale signs are misspelled items, incorrectly labeled items [not mentioning the type in the description is sweet], lousy pictures [too much mess around the object, dark, unsharp] and people who are clearly selling stuff that is not theirs [from family members who passed away, NOT stolen stuff!].

A deadly sin and pitfall in the process is... making a bid.

Never ever make a bid. Do not even think about it. People are lemmings: once they see -you- making your bid, they will not hesitate to outbid you. With most online flea markets I have seen it is easy to start an email or Skype conversation that is out of sight of your fellow hunters. In the case of eBay that is all nice and good, but most sellers there do want you to bid. If it has to be, we will comply, but on our terms.

AuctionSniper is one such 'turn the tables' tool. It allows for automatic & scheduled bidding. This is good for multiple reasons:
- it allows you to bid at the last second [no one can outbid you]
- you do not have to sit behind your screen at odd times when specific auctions end
- most important: it takes the emotion out of your bidding

The emotion thing is where we are suckered into spending way too much on far too little. I will not even start giving examples ;) The cool feature of a scheduled bid is that it allows you to check your information sources, make up a price and forget about it. You will not get suckered into outbidding the guy who hunts for the same items and outbids you by 2 euros every time. No, you've set your price and either get it or do not.

I picked up a very decent D24 for <100 euros. Sinterklaas will be proud to see the smile on the receiver's face.

Happy hunting.

zondag 15 november 2009

IPv6 work...ed!

Apple owners were responsible for a surprisingly large number [0.238 percent] of IPv6-enabled Google users. Thanks to the wizards at Cupertino, who in their Infinite Loop wisdom decided to meddle with mDNSResponder so it now cancels the queries and shuts down the socket after the first responses are in. Big chance these are A responses, so the AAAA replies will be /dev/null'ed, leaving the end user [application] with no option but to access the resource via... IPv4.

Mistakes happen, but with 10.6.2 the issue is still here.

The DHCPv6 client is not available for Mac users either, which does not help, since it's basically required to play nice with ISPs and other large network operators [large(r) companies come to mind]. Nor is there a lot of documentation on the IPv6 implementation.

Finally improving the Apple AirPorts with [more complete] IPv6 support is a good thing... unfortunately: it is a New Feature and as such will NOT be available for us loyal Apple hardware buyers. Only the currently-for-sale AirPort Extreme & Time Capsule are lucky enough to have this 'New Feature', so you're out of luck if you thought you could snatch up a 'cheap' AirPort Express: they do not have it.

So IPv6 on my beloved Apple setup is basically broken and the future looks dim. Microsoft is miles ahead, with working IPv6 since Vista. Thank G*d not too many people read this, since otherwise the street credibility of OSX would be down yet another point. Microsoft's DirectAccess could develop into the first IPv6 'killer app', and that makes me both happy [IPv6 FTW!] and sad: why my BSD-based OS is not leader of the pack is beyond me, except that maybe, just maybe, IPv6 is really not as much in demand as I -think- hoped it was.

As a dessert, I offer you a link that I missed before, but certainly love as much as a lot of the other work of the author.

maandag 9 november 2009

Mod'ing for fun and pleasure

The PSPs, the PS, the Wii: all can be modded to allow 'distributed backups' of your [owned, of course] games to be run. One of my daughters participated in and won a contest last weekend and came home with a fresh Wii. Our first Wii we got from Austria via friends when it was just released 3 years ago and unobtainable here in Holland. The kids liked it alright, but after a couple of weeks the novelty wore off and the Wii turned into a dust collector. We made someone very happy by selling it, complete with the controllers, accessories & games, right before New Year's Eve.

So now, 3 years later, we are the happy owners of a Wii again. It came with the usual Wii Sports game, but nothing more. Blast: the box comes with only one controller, and what is more exciting than beating someone head-to-head? So let's run out and get a second controller FAST.

Configuring & connecting the device is a breeze, although it is a pity there is no HDMI connectivity. After entering the 'WEP' password [riiiight] a whole Wii world opened up like a déjà vu: the Wii shop & Wii credits! How could I have forgotten? Let's open Pandora's box and soft-mod it first, to be able to test-drive some of these distributed backups.

It takes the better part of an hour to finally get to the source of the homebrew scene. Just like with most modding software, be it for the iPhone or Wii or any other device, there are people scamming their arses off who want to make you pay for download links and instructions. Somehow these dudes are such experts on SEO that they manage to basically p0wn the first page of Google and make you navigate through all sorts of blogs, affiliate links and whatnot. After glancing over 10 pages or so you get the gist of the basic requirements & tools like BannerBomb, BootMii, WiiKey and whatnot.

All pieces fall together when you find instructions in simple documents called README-HBC.txt and the like. The process is fairly simple:
Have & format your SD card, download and copy a couple of files, start the Wii, install the HomeBrew channel: done!

All in all it took longer to find the 'I accept all legal mumbo jumbo' agreement in the Wii menu, needed to access the online content of the original Wii channels, than it took to mod the box. Now that Linux is running on the box, the kids can relax and spend their time breaking records & battling out competitions with friends for bragging rights.

vrijdag 23 oktober 2009

Adam Curtis makes me want to delete this blog...

Adam Curtis: "The basic fact is they gave me a website on which I put up this film, It Felt Like A Kiss, and things associated with it. When I'd done that they asked what I wanted to do next. They wanted me to do all sorts of bloggy stuff and I just would not do that. I think that's so boring. It's noodling and doodling and it's exactly what I criticise the web for being - the idea that half formed, half, vague, badly researched aperçu, we used to call them, can be some new form of journalism."

donderdag 15 oktober 2009

Whatever happened to IPvSEXY?

IPv6 is needed, both readers of this blog know that, right? So how come the implementation is so slow?

Is it [at least locally here] the rules for lawful interception holding us back?
Is it again the question who pays for the huge investments for the equipment needed for lawful interception?
Is it the customer [me and you] not willing to pay for IPv6?
Or is it not ready for primetime?

There are hardly any technical reasons not to whet your appetite. Or it must be the lack of consumer-grade [read: cheap] hardware. Set up a tunnel in a minute and go!

But where does one go on the IPv6 Internet?

Google 'IPv6' and the first hit is the Wikipedia entry for IPv6, the second is ipv6.org with the tempting page title "IPv6: The Next Generation Internet!" Sweet! But ever bothered to look at the content? It's older than my first born! It's totally outdated and not maintained. How's that for marketing?

Third hit, IPv6 (tutorial) - DD-WRT Wiki. Excellent! A cheap, easy-to-get-your-hands-on, IPv6-able [WiFi] router. Ooops: "IPv6 is apparently NOT WORKING on all versions of DD-WRT version 24 (tested on RC5 and final). If you want IPv6 on v24, try one of the custom builds"

So, let's try another angle: google "IPv6 WRT54G". The first hit leads to JoatWiki, stating "While the actual setup/configuration takes less than an hour if you know what you're doing, it may take a couple of weekends to get up and running if you've never done this sort of thing. You also run the risk of turning your WRT54G into a brick"

Hmm, hit two sounds promising: "Earthlink IPv6 in the Home". Earthlink, being a large ISP in the US, surely offers something more usable than the 'do it wrong and you'll brick your device' approach, right? Well, the footer of the page might dim that expectation a little: Last modified: Wed Jul 06 18:29:15 PDT 2005. 2005, that is like a million Internet years ago! The concept is to make it so simple that there is not even a possibility to log in [http nor ssh nor telnet] to the box. That does not help unless you truly want to go IPv6 via Earthlink, and I do not, since I am on the other end of the world.

But let's say you, as a dedicated hobbyist, are not stopped by all the dead links and manual work to get your WRT54G up and running, or you're rich and just bought a Fritz!Box 7270 and loaded the lab firmware version and got your IPv6 working, then what?

What is waiting out there for you? How will it feel to browse the Internet of the future? What prizes will you be able to collect to dazzle your friends with? Hold tight, take a seat and look at these impressive numbers:


As Lars explains: "The scripts that update this page retrieve the names of the web sites that are most popular across the globe, as well as in select countries, from alexa.com in regular intervals. They then check whether the DNS entry for each site name reflects that it uses IPv6. The numbers above show the percentage of these top sites that are IPv6-enabled, as well as the absolute numbers."

There are about 200 [yes, two hundred] IPv6-enabled sites! In the IPv4 world, back when the Internet still was DARPA's, that number was reached in 1983. OK, I'll give it to you, I am comparing apples and oranges: the 200 IPv6 hosts are 'the most popular' sites and the 190 hosts are an absolute number, but it does show how PATHETICALLY slow IPv6 adoption is.

We celebrate single 'well known' IPv4 hosts who are accessible via IPv6 by means of a proxy. WOW hold the presses, the eagle has landed!

At the same time, the one true IPv6 pushing ISP in Holland called XS4ALL has to STOP the rollout because Legal Interception is too costly.

But there must be good news? Any news? Well on the Dutch IPv6 taskforce site, there are a stunning 5 [yes five] links listed with IPv6 news...

But why trust me and my flaky and spotty observations? Let's find some smart guys who care and actually know things. Derek Morr for instance. On his [nice to read] blog called "Living with IPv6" he made some [wishful] predictions about IPv6 deployment in 2009 and some excellent observations on the lack of good IPv6 monitoring.

Let me wrap up by making some predictions for IPv6 metrics in December, 2009:

90% of top-level domains will have IPv6 glue in the root (right now, 75% do).
50% of the DNS root servers will support IPv6 (right now, 25% do)

At AMS-IX, 1% of traffic will be native IPv6.
1400 ASes will have IPv6 prefixes.
Europe will continue to have the most allocated and deployed IPv6.

The prediction for the AMS-IX is wrong. Currently it is about 0.3% IPv6, a far cry from the predicted 1%.

What's wrong with these pictures:

Screenshots taken about 3 months apart, left one first: 40,000 IPv6 domains 'disappeared' and IPv4 gained 40 days :D

Let's see what Derek Morr will come up with in a couple of months.

Bottom line: we have a need, we have a solution, we have [some] knowledge, but our marketing is horrific; the customers [yes: you!] have no need and thus are not demanding [read: paying for] it. It is up to us [as ISPs and networkers as a whole] to get it out there. There is good news too, of course. When you see CDNs like Netflix implement IPv6 in 2 [yes, TWO!] months, you know it is really possible... even if they too are a little scared to let 'normal' users access their service via IPv6 and 'hide it' in an IPv6 subdomain.

Pair that with this news flash: "In the first nine months of 2009, the American Registry for Internet Numbers (ARIN) received 300 requests from carriers for blocks of IPv6 address space. This compares to 250 requests received in all of 2008 and 2007." and it just looks like there is some real IPv6 work being done.

Now let's see how IPvSexy will actually make a real-life comeback and fulfil its destiny.

PS For those with love for numbers, the Ghost Route Hunter by SixXS is a must bookmark.

woensdag 30 september 2009

Posting drafts: duh!

It happens at moments when I am not paying any real attention to the posting itself. Something arouses my typing finger and boom, off it goes. I forget a picture, links, spell checking, and post outright nonsense that is so totally off the wall not even the conspiracy specialists see anything useful in it.

So what do you do with incorrectly posted material? Of course I have the option to alter the text and polish it, or even to retract it, but that feels like cheating. It's like finding that blatant hole 'someone' left in the firewall ruleset and silently closing it... it's just wrong. It's wrong because errors are an excellent stepping stone to knowledge.

As a rule I like asking the people I work for|with "So how many major incidents have you seen lately?" The answer is often more revealing than one might expect. The classics are "None!" and "Define incident" and "That is classified". The one I really like is "One major in the last 6 to 12 months".

Companies claiming 'none' are more at risk than the others. Things -do- go wrong, and you not knowing is plain dangerous. The people asking for clarification work in a back-stabbing culture where bad news shall and will be punished and thus gets manipulated until the colour scheme of the report is all white, yellow and green. The final answer, "one", gives me an indication that "major incident" is a weighted value where the worst incident of the year is major, a nice relative scale that I feel most comfortable with. Threats and risks do change, no matter what metrics one uses, no matter how many 'risk managers' and 'risk analysis standards' one uses.

Good [and a little lucky] security officers have the gift to put incidents in the right context and know when things are really going downhill and when incidents are more defcon red in the political arena. Both require a different approach and a different toolset. Most of us love technology issues:
- Man in the Browser
- Sly holes in firewalls
- Rogue route advertisements
- Script kiddies
- Lack of bandwidth
- Application layer exploits
- ARP storms

These are in our comfort zone; we deal with them daily and enjoy the puzzle and the diffs we see in the before-and-after traffic dumps. Few people I have met in the availability scene like the part of corporate culture where the presentations kick in: the moments of debriefing not-so-hot technical aspects to people who know more about golf clubs than we know about ASM. However, more often than not, that is where the real difference is made: they p0wn the resources and set the priorities.

So when I go out and look for a person to lead the availability department, I look for the person who gets his coffee from the machine that is closest to the techies. The person who actually gets the autistic CCIE to share anecdotes about his holiday and at the same time dares to make a remark about the drawing on the whiteboard.

They're few and far between, but easy to spot, as they stand out like a wolf among sheep.

PS Click on the picture. It will take you to a free download of the whole album of 'The Slew', a band that just loves to mingle rock, instruments & DJs in a refreshing mix that is a perfect example of how a healthy mix of different 'character & ability' upscales the individual parts of the sum.

dinsdag 29 september 2009

IPv6? Nowhere to be found!

IPv6 has basically disappeared from the wireless router landscape. Try finding a current one < 100 euro. Except for some obscure releases, like the DIR-615 Wireless b/g/n Router, but only hardware revision C with firmware 3.01.

Hard to find, and certainly online it is nearly impossible to get any assurance about the hardware revision level.

Oh wait, my good old loyal WRT54G [V4 with plenty of RAM] to the rescue! Oh no, not now, with the current 2.6 kernel and the open source b43 Broadcom driver and its issues. Only with kernel 2.4 and its 'limited' IPv6 support. You can roll your own WRT54 dd-wrt if you feel adventurous, but the drawback is that there is no way to use the GUI. Not a nice plan if you intend to send the devices to end users in parts far, far away from home.

There is the Fritz!Box 7270, but that goes for about 200 euro. That is nearly Cisco-level pricing. And only with a lab release of the firmware, which is RC in dialect in the rest of the software world. Cisco of course does support IPv6 too, but using the word Cisco with a price tag of <100 is like demanding justice from an African dictator.

So is there no solution? Oddly enough, there is... and it is produced by Apple: the AirPort Extreme [and the AirPort Time Capsule, but with a >100 price tag]. Unfortunately there are a gazillion stability issues, especially in combination with Apple MBPs, but they do IPv6 well with a simple interface.


Not too bad! Native IPv6 ADSL for 7 euros a month.

And the Fritz!Box 7270 is indeed the only commercial IPv6-enabled home-grade device available, also used by XS4ALL.

dinsdag 8 september 2009


after a steaming performance
adored by a sold-out crowd
the sweet scent of success in the skull
the poet was disappointed
that nobody on the Afsluitdijk
stands waving little flags

that once so cheered and adored one
entertaining thought-provoking brainwashing
got-all-hands-clapping one
turns on the television at home
like a burnt-out fireman

ton lebbink

vrijdag 28 augustus 2009




SixXS tunnel, not native yet; how on earth is it possible that LARGE colocation providers still do not support native IPv6?
No AAAA record yet; how on earth is it possible that LARGE registrars still do not support IPv6?
No native IPv6 from my ISP; how on earth is it possible that LARGE ISPs still do not support native IPv6?

As John Curran makes clear, it has to be 'the boy who cried wolf' syndrome. See for yourself:

maandag 24 augustus 2009

UPC throttling ALL traffic, not specific.

Of course QoS is important to the customer. I am one myself. I like getting what I pay for. I understand Internet traffic costs money and I am [willingly] paying for it. So when UPC decided to cut all bandwidth between 12:00 and 00:00 by 2/3 to ensure the QoS, so that all customers would be able to enjoy Internet access at expected speeds, I was a little worried.

Well, my browsing-the-Internet experience has not changed too much.

But what did change a lot was my usenet experience. Is: Download speed: 638.85 KB/s. Was: [Avg-Speed]: 1895kB/s. That is drastic but expected, right? WRONG.

UPC is not just throttling Internet access, it throttles ALL traffic.

My traceroute [v0.75]
macbookpro-meij-net.local                              Mon Aug 24 22:59:35 2009
Keys: Help  Display mode  Restart statistics  Order of fields  quit
                                                   Packets               Pings
 Host                                            Loss%   Snt   Last   Avg  Best  Wrst StDev
 1.                                               0.0%   455    1.2   1.3   0.7  14.7   1.5
 2.                                               0.0%   455    4.4   8.4   2.6  34.3   4.1
 3. p21161.net.upc.nl                             0.0%   455    6.7  10.6   4.2  57.0   7.0
 4.                                               0.0%   455    5.7  13.9   4.6  78.4  12.6
 5. 10ge-upc.xmr16-1.ams5.as5580.net              0.0%   454   12.2  14.0   5.0  47.6   6.0
 6. ???

My usenet traffic never hits 'the Internet'; it goes straight out to XSNews. XSNews is my current [and good!] usenet provider. I hope they will resolve this issue with UPC.