No ads? Contribute with BitCoins: 16hQid2ddoCwHDWN9NdSnARAfdXc2Shnoa
Mar 232017
 

It may be a bit early to comment in this way with 5 dead, and 40 injured after the attack in Westminster yesterday.

But it could easily have been so much worse.

For those who are not aware, every afternoon Westminster is crawling with hundreds or thousands of pedestrians. Any half-competent attacker armed with a vehicle would have a hard job keeping the casualty figures down to 50-odd.

And then to leap out of a hired car armed with a couple of knives just makes the attacker look pathetic.

Yes this is the worst terrorist attack in London for a decade – which just goes to show just how little terrorism there really is.

Yes there were deaths and terrible injuries, but to me it seems that mocking the attacker is an appropriate reaction.

If you look at recent terrorist attacks in Europe, most of the terrorists turn out to be pathetic petty criminals, and it won’t surprise me if this latest attacker also turns out to be a petty criminal. He’s certainly cowardly, pathetic and incompetent.

The New Defence

Mar 182017
 

The TiPro programmable keyboards are quite fun for those who are into their keyboards, but with one big problem: the programming tool is Windows only. Well at least if you happen to have a USB-based TiPro; otherwise you need to set up the serial interface as the PS/2 interface is only usable for programming with a 32-bit Windows.

As it turns out, if you try to run it under a virtual machine and assign the USB device of the keyboard to the virtual machine, it still fails – somehow it doesn’t like staying assigned to the virtual machine. However there is a fix for this – using the command-line VirtualBox tools to set up a permanent USB filter.

To assign, first of all determine the name of your virtual machine with :-

VboxManage list vms

Next, add a USB filter – you can normally assign it to “slot” (or index) 1, but you may have to check what slots are available if you already do this :-

VBoxManage usbfilter add 1 --target "W10" --name TiPro --vendorid 0x1222 --productid 0xfaca

Once that is done, the Windows tool should be able to find the keyboard to start programming it. If necessary, reboot the virtual machine or try assigning the USB device via the menu option.

During programming it is helpful to remember than raw USB HID codes can be used by right-clicking in the input field for a key, selecting “Text Input” and inputing the code in the form “/${hex hid code} ${hex hid code}\” – such as “/69 69\” (a list can be found at: http://www.usb.org/developers/hidpage/Hut1_12v2.pdf)

Removal at the end:

VBoxManage usbfilter remove 1 --target "W10"

After the removal it seems that disconnecting and reconnecting the device is necessary for Linux to pick it up (or possibly a udevadm trigger).

b

Mar 182017
 

There is a media commentator (Andrew Napolitano) in the USA who has solved the mystery of who was spying on Trump during the election. Apparently it was GCHQ after being asked to by Obama. If it had remained just a commentator on Fox News which is well known for letting kooks, weirdos, and the generally insane spout all sorts of garbage, that would have been it.

But Sean Spicer then repeated the claims in a White House briefing.

And GCHQ have denied it.

But can we believe them? In this case almost certainly.

There is a very long standing convention within British intelligence agencies of neither confirming nor denying any action. Refusing to comment no matter how embarrassing is better than being caught in a lie, so the extremely unusual denial by GCHQ is believable because it is so unusual. But there’s more.

Firstly, Obama as president didn’t have the phone number of GCHQ (which is after all a British agency). A request from the president directly to GCHQ would probably be (and should be) answered with something along the lines of “Wrong number pal”. If he wanted to make a surveillance request it would go to the NSA who would then make an inter-agency request to GCHQ.

Which would of course result in a very secret paper-trail.

And if the request did make it through to GCHQ, the only surveillance data they are likely to have access to is international data (phone calls, Internet, etc) from Trump Tower to places abroad (with probably particularly good capture rates when passing through Europe). Which may well be of interest, but to actually put surveillance equipment inside Trump Tower?

That’s the job of a domestic intelligence agency, and whilst GCHQ could get involved in such an operation on foreign soil (and probably have), it is exceptionally unlikely in this case because it would put the intelligence co-operation agreements between the US and the UK at risk.

Whilst believing statements of an intelligence agency is a risky business, in this case it is probably true that GCHQ had nothing to do with any supposed surveillance of Trump Towers given the number of reasons why GCHQ wouldn’t be involved.

 

 

Mar 052017
 

There is an article being advertised around that uses a scientific report detailing the carrying capacity (how many people agriculture can support) of different diets. The article itself is titled in a way to bash vegans for not being as environmentally friendly as they claim to be. Which is odd because the scientific report does show that a vegan diet is more efficient (in terms of how many people can be fed) than a normal diet; it’s just not quite as efficient as some diets – specifically diets that make use of grazing land that cannot be otherwise used.

So a relatively mainstream article is bashing vegans because?

Well the usual reason is because of the holier than thou attitude of vegans. Actually it’s the militant fundamentalist wing of the vegans who do the whole holier than thou thing; just like an iceberg most of the vegan population isn’t visible.

Of course any reputable news organisation would know this, so only resorts to demonisation of vegans as click-bait. Obviously desperate.

The interesting thing about the report is that they have actually shown that different diets can be more efficient (in terms of the number of people that can be fed) than others, and that the average diet is probably one of the least efficient possible diets. Even more interesting (especially for the meat eaters out there) is that omnivorous diets (admittedly with significantly reduced meat intake) can be even more efficient than a vegan diet.

This is apparently due to the fact that a vegan diet will not make use of marginal grazing land which can only be used for raising meat.

If the doom-mongers are right about climate change and rising population, all those dedicated meat eaters out there should probably be encouraging vegans (and vegetarians) so when things get marginal, there are still a few animals to share out.

Feb 282017
 

With the enfant terrible Trump in charge of the USA and petulant Putin in charge of the Russian bear, it seems like an interesting idea to subject politicians to psychological profiling to determine their suitability for public office and power over us.

When you look at the list of monstrous political leaders we have had over just the last 100 years – Hitler, Pol-pot, Stalin, etc., the idea of testing politicians to find out if they are psychos or loonies starts to make a great deal of sense.

The first complaint about this would be that it would be an invasion of privacy. Well we don’t need to know the details; we simply need to have a trustworthy organisation certify that person A is suitable (or unsuitable) candidate.

The second issue is determining just what makes a suitable or unsuitable candidate which is something we need to persuade a bunch of psychologists and psychiatrists to propose.

The final issue is to get politicians to agree to it, and there we can simply refuse to vote for any candidate who has not been certified.

Feb 272017
 

Strictly speaking how some cloud services do mail wrong, but whilst it is not all, there are still quite a few that do which is why there are no names contained within this rant.

When you have some cloud-based service send email, it makes sense for the “From” header (i.e. what sensible normal people think of as the sender address) to contain the email address of the person using the cloud-based service.

Fair enough.

But if the real sender address or envelope sender address (which is contained within the SMTP transaction) comprises the email address of the person using the cloud-based service you may well run into problems. Many organisations publish an SPF record in their DNS to indicate what network addresses are approved for, and many mail servers check the envelope sender against the published authorised network addresses.

If the network address used by the cloud service provider does not match what is in the organisation’s SPF record then the recipient’s mail server is free to reject the mail. And they often do.

Now the most obvious “fix” for this is to add the cloud service provider’s network address to the organisation’s SPF record.

The only trouble with that is that it isn’t always possible. There are various limits to how long an SPF record can be so adding addresses to the SPF record recklessly is unwise, and a sensible DNS administrator will only add to the SPF record for important services. So if the cloud service is being evaluated or being used by something less important, or is being used for non-work related purposes, then it likely won’t meet the “important enough to get added to the SPF record” criteria.

So why not fix the source of the problem?

All that has to be done is to use a different address for the envelope sender, and you can even arrange things to send bounces back to the right place.

Set the envelope sender to something like “customer+${original email}@${cloud service address}” (obviously when replacing the ${original email} you will have to change the “@” sign to something reversible). All of a sudden you are no longer “forging” the envelope sender, and not tripping over anyone’s spam defences.

Process the bounces to “customer@${cloud service address}” and you can send the bounces to the right place.

Feb 132017
 

As an atheist, I find it difficult to be polite and not fall about laughing at things like “Intelligent Design”, but for the duration of this blog posting, I’ll try.

On one side are the scientists who spend their working lives investigating biological processes who have their theory of evolution. Now that word “theory” needs a bit of explanation; it does not mean that evolution hasn’t been accepted as fact by scientists. Evolution is one of those rare scientific theories that has never been disproved; merely refined. Essentially the word “theory” here is a challenge to disprove evolution and come up with a better theory – if you think you’re hard enough!

On the other side are a collection of religious leaders (admittedly Charles Thaxton trained as a chemist) who have spent their working lives telling people about god; and coming up with the theory of “Intelligent Design” in their spare time. The suspicion is that these people are letting their religious beliefs influence their “scientific” thinking.

When I want to know about plumbing, I ask a plumber. When I want to know about welding, I ask a boiler-maker. And when I want to know about biology, I ask a biologist.

Feb 122017
 

A very long time ago, I used to collect spam in order to graph how much spam a single mail server was likely to get over time, and almost as long ago, I lost interest in maintaining it. As a consequence I still get a ton of spam every day and after a long period of procrastination I have been slowly raising defences against spam.

This particular recipe is not really a defence against spam – it verifies that the remote server is properly DNS registered with a reverse DNS registration – in other words that the IP address it is connecting from is registered. This is a requirement for all mail servers, and as it turns out, spammers don’t care for registering their servers in the DNS.

This ACL snippet goes into the ACL for checking the recipient or for checking the message :-

 deny
   message = Your mail server is not properly DNS registered
   log_message = BLOCKED: No rDNS
   condition = ${if eq{$host_lookup_failed} {1} {1}{0}}
   # Check rDNS and block if not registered

There are three items of interest :-

  1. The message is intended to be easily read by recipients to determine what the problem is. It turns out that many people do not read NDRs, but if we get the message right at least we are doing the right thing.
  2. The log_message is intended to make automating log parsing easier.
  3. Within the condition, the $host_lookup_failed variable indicates that the reverse DNS lookup returned NXDOMAIN and not that it timed out (which would be $host_lookup_deferred).

That’s all there is to this little piece of configuration.

Feb 122017
 

Now this blog posting is not intended to defend the wrongs of colonialism; we all now accept that territorial expansion by conquest (except apparently Russia) is wrong. In fact it could be argued that Britain conquered India for commercial and not colonial reasons – for example no penal transportation to India occurred. Yes, British people went to live in India, but chiefly to do specific jobs – colonial administration, soldiering, or commercial activities.

Not mass migration.

We need to be wary of judging the past with the moral standards of today; it was not until the 20th century that conquest for territorial expansion was universally condemned. And the evils of the British Raj (and earlier) because it successfully conquered India; earlier (and there were many) attempts failed, although some were close. The very presence of islam within the Indian sub-continent is indicative of attempts to conquer.

And as for the notion that only the British Empire acted in evil ways in India, just take a look through the list of massacres in India; many of those listed had nothing to do with the British.

Does that excuse the excesses of British colonial rule? No of course it doesn’t.

But even if Europeans had not become involved with India, the evils of attempted conquest would still have occurred as they did occur before.

Feb 082017
 

One of the things that come up whenever IPv6 is mentioned on certain news sites, is that there are people out there who think that NAT solves all of the address size problems and doesn’t have any negatives. I could present a whole series of blog articles on why NAT is the work of the devil, and presents a clear and present danger to life, liberty, and the pursuit of happiness (I might be exaggerating just a touch here).

The naive approach to a security issue originating from a certain network address is to block that network address permanently, pending an appropriate response, or temporarily. Not a bad idea although it does resemble a game of hunt the wumpus, and to assist in this, there are community based collective blocklists.

But what happens when you block an address, and that address is the public address of a NAT device? You block everyone sharing that public address, which could be just a household or it could be thousands of unconnected people. For instance, I have up to 32,000 people behind a handful of public IP addresses.

And yes I do regularly see problems where blocks have been put in place, and from what I can see this is a problem that is widely shared amongst people who NAT.

And once you are blocked in this way, you may be able to get it removed if you manage to identify which blocklist you are on, stop the network abuse and it has a well-run mechanism for removal. Most blocklists (including the ones I run) don’t work this way.

Every IP address has a reputation associated with it, and if you share a public IP address that has a poor reputation, parts of the Internet will disappear for you, and these include some well known services.