May 04 2018

I had the pleasure of upgrading a server today which involved fixing a number of little niggles; one of which was that connecting to switches suddenly stopped working :-

✗ msm@${server}» ssh admin@${someswitch}
Unable to negotiate with ${ip} port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

This was relatively easily fixed :-

✗ msm@${server}» ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@${someswitch}

Of course doing this command-by-command is a little tedious, so a more permanent solution is to re-enable all the supported key exchange algorithms. The relevant algorithms can be listed with ssh -Q kex, and they can be set in the system-wide client configuration in /etc/ssh/ssh_config :-

Host *
    KexAlgorithms ${comma-separated-list}
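A narrower way to apply the same fix, as an added example rather than the post's own configuration: grant the legacy exchange only to the hosts that actually need it, so every other connection keeps the client's hardened defaults. The host patterns and the drop-in file path are assumptions.

```sshconfig
# /etc/ssh/ssh_config.d/legacy-switches.conf (assumed path; the Include
# directive exists in OpenSSH 7.3 and later, otherwise put this stanza at the
# top of /etc/ssh/ssh_config).
#
# ssh_config takes the FIRST value it finds for each option, so the specific
# Host block must come before any "Host *" block that sets KexAlgorithms.

# Too broad: re-enables the weak exchange for every connection this client makes.
# Host *
#     KexAlgorithms +diffie-hellman-group1-sha1

# Scoped: only the management hosts that offer nothing better get the legacy
# method. The leading '+' appends to the default list instead of replacing it,
# so a switch that is later upgraded negotiates a stronger exchange on its own.
Host switch-*.mgmt.example.net lom-*.mgmt.example.net
    KexAlgorithms +diffie-hellman-group1-sha1

# Everything else is left untouched and keeps the built-in defaults.
```

Confirm what one host will actually negotiate with `ssh -G switch-01.mgmt.example.net | grep -i kexalgorithms`; `ssh -Q kex` still shows what the client build supports at all.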

But Why?

According to the OpenSSH developers, the latest versions of ssh refuse to use certain key exchange algorithms (and other cryptographic ‘functions’).

Their intention is perfectly reasonable – by default the software refuses to use known weak crypto. I’m fully behind the idea of discouraging the use of weak crypto.

But the effect of disabling weak crypto in the client is unfortunate – all of a sudden people are unable to connect to certain devices. The developers suggest that the best way of fixing the problem is to upgrade the server so that it supports strong cryptography.

I fully agree, but there are problems with that :-

  1. Some of the devices may very well be unsupported with no means to upgrade the ssh dæmon. Now in an ideal world, these devices wouldn’t be on the network, but in the real world there are such devices on the network.
  2. Some devices may not be capable of being upgraded because of processor or memory limitations. Network switches are notorious for having slow processors and tiny amounts of memory, and it is entirely possible that such a device would not be capable of running more exotic and modern crypto. Similarly lights out management processors are often severely limited.
  3. Even if a device is capable of being upgraded, there are the standard problems – the vendor may be slow at releasing updates, change control gets in the way, and lastly resourcing may be an issue – upgrading several hundred switches manually with just one or two people doing it is not going to be a quick job.

Lastly, whilst security is important, breaking things just to make a point is a little extreme. Whilst it is possible to fix the problem, it is something that isn’t immediately obvious to someone who doesn’t routinely configure ssh. And someone, somewhere has had this breakage occur just before they really need to fiddle with a switch Right Now.

There is a far better option available – leave the weak crypto enabled, but warn noisily about its use :-

WARNING!!!!! (2 second delay)
WARNING!!!!! (2 second delay)

The device you are connecting to only supports known weak crypto which means this connection
is subject to interception by an attacker.

You should look at upgrading the device as soon as possible.

Telling people what is wrong noisily and continuing to work is far better than simply breaking with a rather terse message.

Foggy Reflection


Apr 14 2018

In the USA, a considerable number of states (30 counting 16 years as “adult”) allow the marriage of underage children under certain constraints. And these marriages do happen; whilst proportionally they are a tiny minority, to those victims it is nothing less than state-sanctioned child sex abuse.

In terms of numbers, Unchained at Last (via Wikipedia) found that between 2000-2010 there were 167,000 children in marriages; 13% were boys (I mention boys because most articles start with the girls). But weren’t they all children marrying each other? Only in 14% of cases.

The USA government condones and supports child sex abuse.

The overwhelming majority of not just the rest of the world, but even third-world countries are better on the marriage loophole allowing child sex abuse. Trump: For the victims of those marriages, USA is the “shit-hole”.

The Bench

Apr 07 2018

Now don’t get me wrong – I think all forms of execution are inhumane, but I have just seen a US progressive video which made it plain that hanging is supposedly more inhumane than current US forms of execution. I would mention them by name, but I’ve heard this from other places too.

A properly carried out (variable drop) hanging should be relatively humane – it should be fast (less than 15s from being removed from the cell to the end), and causes immediate paralysis and unconsciousness before death.

An interesting story from Pierrepoint (Britain’s last executioner) about the execution of Nazi war-criminals was that the US executions were carried out by volunteers rather than qualified executioners, and the volunteers refused to listen to Pierrepoint’s advice. Many of the US hangings were botched causing either decapitation (which probably isn’t especially inhumane, but would be rather messy) or slow strangulation over 20 minutes.

Perhaps it is this that has led to the belief that hanging is more inhumane than other US forms of execution.

Misty Trees

Apr 06 2018

The phrase “Islam is a religion of peace” gets bandied about a great deal these days – either by those saying that it is a religion of peace and islamic terrorists are an aberration, or by those who question whether islam is a religion of peace at all.

To be honest though, the phrase is irrelevant. You can have the most peaceable religion in existence and yet fundamentalist followers of that religion will resort to violence, and yes you can have a religion that calls for the torture to death of all non-followers, yet if the followers of that religion are peaceable nobody is at risk.

Questioning the religion as a whole is all very well (and as someone who would prefer that all religions disappear in a puff of logic, usually to be encouraged), but it does tend to encourage the kind of idiot who normally goes in for racism into attacking all muslims (and often sikhs as well) because of the sins of a few.

Muslims are just people; people with the disadvantage that they have been indoctrinated into a faith – not much different to christians, sikhs, hindus, jews, or Zoroastrians (and if I’ve left out your religion, yes I mean you too). Some are good people; some are bad.

But in the words of Steven Weinberg: “but for good people to do evil—that takes religion”.

But truisms like that are overly simplistic; religious terrorists are people who are convinced that they are good – probably better than their coreligionists – and who want to enforce their beliefs and standards of behaviour on others. And are prepared to do so in ways that most of us would call psychotic.

These people – the religious terrorists – are in all likelihood only a tiny minority of all muslims (or christians, …), and in a surprising number of cases are not especially well educated in their religion. In fact many of them are petty crooks, with a burning desire to be more significant than they deserve.

In the end, debating whether islam really is a religion of peace or not is pretty much a waste of time because it is irrelevant – even the religions with the most peaceful reputations have terrorists (major religions only).

Old Metal 3

Apr 01 2018

This is a continuation of an earlier post regarding ECC memory under Linux, and is how I added a little widget to display the current ECC memory status. Because I don’t really know lua, most of the work is carried out with a shell script that is run via cron on a frequent basis.

The shell script simply runs edac-util to obtain the number of correctable errors and uncorrectable errors, and formats the numbers in a way suitable for setting the text of a widget :-

#!/bin/bash
# Use edac-util to report some numbers to display ...

correctables=$(edac-util --report=ce | awk '{print $NF}')
uncorrectables=$(edac-util --report=ue | awk '{print $NF}')

# Highlight non-zero counts with Pango markup, since the widget text is applied
# with set_markup (the colours chosen here are an assumption)
if [[ "$correctables" != "0" ]]; then
  correctables="<span color='orange'>$correctables</span>"
fi
if [[ "$uncorrectables" != "0" ]]; then
  uncorrectables="<span color='red'>$uncorrectables</span>"
fi

echo "ECC: $correctables/$uncorrectables "

This is run with a crontab entry :-

*/7 * * * * /site/scripts/gen-ecc-wtext > /home/mike/lib/awesome/widget-texts/ecc-status

Once the file is being generated, the Awesome configuration can take effect :-

-- The following function does what it says and is used in a number of dumb widgets
-- to gather strings from shell scripts
function readfiletostring (filename)
  local file = io.open(filename, "r")
  -- If cron has not produced the file yet, show a placeholder rather than erroring
  if not file then
    return "ECC: ?"
  end
  local s = file:read("*a")
  file:close()
  return s
end

eccstatus = wibox.widget.textbox()
eccstatus:set_markup(readfiletostring(homedir .. "/lib/awesome/widget-texts/ecc-status"))
-- Re-read the file every minute so the widget tracks the cron job's output
eccstatustimer = timer({ timeout = 60 })
eccstatustimer:connect_signal("timeout", function()
      eccstatus:set_markup(readfiletostring(homedir .. "/lib/awesome/widget-texts/ecc-status"))
end)
eccstatustimer:start()
-- ... and eccstatus is then added to the wibox layout alongside the other widgets:
-- layout = wibox.layout.fixed.horizontal, ... eccstatus, ...

There are plenty of ways this could be improved – there’s nothing really that requires a separate shell script, but this works, which is good enough for now.

Mar 31 2018

If you read any history at all, you will encounter many incidents of exploitation – the English exploiting the Irish, the Irish exploiting the Scottish (see Dál Riata), the English exploiting the Scottish, the Scottish exploiting the English, everyone exploiting the Welsh, etc.

As an example of how it wasn’t as simple as sometimes claimed, there is a small sliver of Anglo-Irish ancestry in my family history. Undoubtedly they exploited the Irish back in the 18th century and before, but whilst they started as English, in every generation they married into the Irish aristocracy; so in at least one case the exploiters of the Irish were half or more Irish themselves.

And that is just one small corner of the world – it was happening just about everywhere.

Take another example – slavery. Everybody immediately thinks of the Atlantic slave trade, but those who look closer are in for a surprise – firstly that most slaves were made slaves by African slavemasters. And secondly the African slave trade had been going on uninterrupted since the Roman era – chiefly to the east.

At the same time the Atlantic slave trade was going on (16th-19th centuries), the Barbary pirates were also taking slaves – European slaves. It is estimated that 1-1.5 million were taken; although these figures are disputed, it is also the case that the Barbary slave raiding caused many small towns and villages along the coastlines of Spain, Italy, and other places with a Mediterranean coastline to be deserted.

And the early history of Europe is awash with slavery – Romans, Vikings, Angles, Saxons, and others, all participated in raiding for slaves – for local use, to Rome (in the early days), and to Byzantium (later on).

It is easy to look at one historical incident, and see the English exploiting the Irish, the Europeans exploiting Africans, etc. And there is an element of truth in that.

But it can also be seen not as the members of a nation exploiting the members of another nation, but as a type of person exploiting another type of person. The pure Marxist would claim it is the rich exploiting the poor, and there is an element of truth to that, but it is overly simplistic.

It is really more that the exploiter is the kind of person willing to do almost anything to enrich themselves including exploiting others. There isn’t anything wrong with getting rich or being rich as long as it is done honestly and reasonably.

There is a certain kind of person who does not care what level of suffering they cause to another person. For convenience let us call these people “sociopaths”.

In every example of exploitation in history, no matter what we label those responsible I am sure that the exploiters were sociopaths.

Now this is all very intellectually interesting, but perhaps the real question here is what should we do about the invisible sociopaths in today’s society? Because there are plenty – we might call them bankers, or slum landlords, or Russian oligarchs, or other things, but in the end what they all have in common is that they are sociopaths.

Giving The Sky The Finger


Mar 29 2018

For some reason when I look at RADIUS packet captures using Wireshark, the attribute Operator_Name is instead interpreted as Multi-Link-Flag (an integer rather than a string). I’m not sure what this is, but it is much more useful to me to be able to see the Operator_Name properly – and for example, filter on it.

It turns out this is easy to “fix” (if it is a fix) :-

  1. Find the file radius/dictionary.usr (mine was /usr/share/wireshark/radius/dictionary.usr)
  2. Edit that file, and comment out three lines containing “Multi-Link-Flag” which in my case appeared like :-
    1. ATTRIBUTE Multi-Link-Flag 126 integer
    2. VALUE Multi-Link-Flag True 1
    3. VALUE Multi-Link-Flag False 0
  3. Save the modified file.

After a restart, Wireshark now understands it.

It is possible that later versions of Wireshark have fixed this, or not – it is possible that the bug is down to whoever assigned RADIUS attribute codes!

Mar 25 2018

It seems likely that the company Cambridge Analytica paid Facebook for access to data and, using its access, downloaded as much data as possible for nefarious purposes. Nobody should be that surprised at this.

Facebook does not host an enormously expensive social network just because it is fun; it does it to make money. It probably does this primarily through advertising, but selling access to social network data is always going to take place.

And from time to time, scandals involving companies like Cambridge Analytica are going to take place. At which point Facebook will protest, saying that it didn’t realise that the associated firm was doing such naughty things. And once the story drops out of the news, Facebook will carry on leaking data.

As the saying goes: “If you are not paying for it, you are the product.”

In the end, the only solution to something like this, is to produce some kind of peer-to-peer application that is as easy to use as Facebook, uses strong end-to-end encryption, and keeps our data private to those people and groups we choose to share it with.

The Hole

Mar 18 2018

I recently scanned a blog entry claiming that Russia’s nerve agent attack on two people in Britain (plus the innocent bystander) wasn’t that big a deal, and that the reaction to it has been excessive. Well, perhaps.

But that blog went on to claim that militarily Russia is a bit of a pushover :-

  1. It’s less than a third the size of the Soviet Red Army. Perhaps but it still has 1 million active personnel and 2.5 million reservists. Not a size you can discount!
  2. Its weaponry is obsolete. I can’t point to anything other than Russia spending $70 billion a year on defence to say otherwise, but “modernisation” crops up regularly in any discussion of the Russian military. And not in the sense of something that is required, but in the sense of something that is happening.

Lastly there was a reference to something that makes any student of history stare in amazement, and students of military history fall about the floor laughing. That is that Russia’s territory is flat and indefensible – ideal territory for mass tank battles (and indeed previously mass cavalry battles).

The Russian military knows this.

The last successful invasion of Russia whose territory has always been “ripe for invasion” was in the 13th century by the Mongol hordes.

There have been four major invasion attempts that failed to a greater or lesser extent :-

The Swedish military genius Charles XII tried in 1707, and was soundly beaten by the Russians assisted by the Russian winter.

Napoleon gave it a go in 1812, and the Russians inflicted a military disaster on him, again aided by a Russian winter.

Germany fought Russia during WWI, and managed to capture a considerable amount of Russian territory aided by the Russian revolution. But no major Russian cities were lost.

Again Germany tried in WWII, and Russia inflicted a major military defeat on them, with the assistance of the Russian winter.

The notion that anyone will try invading Russia is a bit ridiculous anyway (at least whilst Trump is Putin’s puppet).

So the threat from Russia is supposedly “only” from cyberwar; which could be a damp squib or far more exciting than we believed possible. The fact is, we haven’t seen a full scale cyber attack against the UK, and don’t know what the results might be. Given the example of attacks against the Ukraine, we could expect wide-spread power blackouts, but it could be a great deal worse.

To be fair, I think the term “cyberwar” is a bit deceptive; attacking a nation’s connected technology is a tactic in a more widespread scheme of disruption and even war. There again, calling it “cyberwar” is a legitimate means to get funding for defences against such attacks.

The Window
