Mike Meredith

Apr 172024
 

Well that was interesting …

So I decided to upgrade the firmware on my ASRock TRX50 WS motherboard tonight. Partially because I had planned on trying it to sort out a mysterious crashing problem (which turned out to be the world’s worst SATA SSD ‘error’), and partially because I’d like to make sure I know how the process works. And funnily enough, finding ASRock’s instructions aren’t so simple.

The first really rather obvious step is to download the firmware from the ASRock support site. This comes down as a ZIP file, which needs to be unpacked :-

  • TRX50-WS_9.03.ROM

This needs to be copied to a USB stick formatted as FAT32, but whilst you’re checking that make sure that the partition type is set to an appropriate value (0x0b is the value I used; the second time), because it turns out that the ASRock firmware won’t recognise a FAT32 filesystem just based on the actual filesystem – it checks the partition types.

But before you shut down and start the upgrade process, record any firmware settings you may have made … for better or worse, the upgrade will reset any changes you have made.

Starting the upgrade is fairly simple – go into Setup, move across to Tools and select the “Instant Flash” option. This will pop up a menu of different firmware version files it has found that are compatible with your motherboard. Select the version you want (in my case it was just one option), and press Return.

After a warning, it’ll start the upgrade process; this consists of :-

  1. A progress bar which slowly progresses to 100%
  2. A reboot which takes you back into the firmware.
  3. A second progress bar which also progresses slowly.
  4. At some point when this has finished, it’ll just sit there for a few minutes and finally start booting with the new firmware.

Of course in my case, the settings reverting to default values resulted in the SlimSAS controllers both being reset to “NVME” rather than “SATA” meaning half my storage array wasn’t present! But it all worked in the end :-

✓ root@pica» dmidecode -s bios-version
9.03

Of course ASRock claim you only do a “BIOS Upgrade” (I hate that word “BIOS” – it’s not really appropriate) when it is absolutely necessary, but an upgrade when it isn’t necessary isn’t a bad idea. Just to get practice.

It should be noted that the firmware should be update-able with fwupdmgr so any urgent updates may well come via that route.

The Missing Sign
Apr 062024
 

Just came across someone today who wasn’t aware of the “BCC” (Blind Carbon Copy) header, and was wondering how an email reached her when her address wasn’t in the “To” header. It’s all too easy to laugh at people who somehow missed learning this stuff, but how often does email get taught these days?

Headers Are Just Comments

Well that heading is a bit of an exaggeration but it’s a helpful exaggeration. It is perhaps more accurate to say the headers are hints to the underlying software. There is a chain of software “under the hood” that takes the email you have composed in some kind of email client (which includes a web mail interface which is the most common way these days), formats it into a suitable format for a “mail transport agent” which then determines the “mail transport agent” is closest to the recipients and sends it there.

You -> Mail client -> Your MTA -> Recipient’s MTA

In terms of headers that you populate to instruct that chain where emails should go, there is :-

  • The “To” header which is what is most commonly used.
  • The “Cc” (“carbon copy” – an archaic reference) header which allows you to specify additional recipients, but it implies that the additional recipients are included as a courtesy (“You might want to see a copy of this for information.”).
  • The “Bcc” (“Blind carbon copy” ) header, which allows you to specify additional recipients but when your client transfers your email to the mail transfer agent it will add the recipients to the “envelope” (which we will explain shortly) but remove the header.

There are two reasons for using “Bcc”. One is basic politeness – if you are sending to a lot of addresses, the recipients will see that header and it can take up valuable screen real estate distracting from the content of the email. The second is security – if you are sending an email to lots of third-party contacts it may well be appropriate (and even required) to hide their addresses from each other. Not everyone wants their relationship with an STD clinic to be “public”!

The “Envelope”

When a client communicates with the mail transport agent, it will use something called SMTP (simple mail transport agent) which is very simplistic and the MTA does not look at the contents to determine anything (or rather it does not need to; some do especially if they do anti-virus scanning) :-

Connected to peach.
Escape character is '^]'.
220 zonky.org ESMTP Exim 24.12 Sat, 06 Apr 2024 09:57:50 +0100
helo pica
250 zonky.org Hello pica.zonky.org [2001:8b0:ca2c:dead::b000]
mail from:<some-forged-address@zonky.org>
250 OK
rcpt to:<address1@zonky.org>
250 Accepted
rcpt to:<address2@zonky.org>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
The email appears here including mail headers
.
250 OK id=1rt1ts-0001k8-MM
quit
221 zonky.org closing connection

That is a forged SMTP transaction with certain details changed. The important bits are in bold which are what your mail client would use to communicate with the mail transport agent. As you can see they are simple enough to be “faked” by a person. There is a great deal of trust going on here – far too much for the modern age – but there are additional controls in place to make forging things somewhat harder than this would imply.

The key commands are as follows :-

  1. mail from:<some-forged-address@zonky.org>: This specifies the address the email is apparently from. Normally this would be a setting in your mail client (whether you can change this or not), but there is nothing here to stop you setting any address you want. Although there are almost always additional controls in place to make this harder.
  2. rcpt to:<address1@zonky.org>. This specifies what email address the email should go to. It is usually pulled from the headers you filled in whether that was the To, CC, or BCC headers. At this stage there is no difference. However you can put in addresses that don’t appear in the email at all.
  3. data. This is where your mail client copies the email that has been composed including all the headers. It will remove the “BCC” header and add some additional ones (such as “Date”). This body may or may not be examined by the mail transport agent; it isn’t necessary to send the email onwards.

So the mail transport agent now has the necessary information it needs to route your email to the required destinations – without looking inside the body. Which is analogous to a letter – the Royal Mail doesn’t open your letter to see where it needs to go, they will just use the address on the envelope.

And so we have the explanation for an email envelope – it is the addresses specified in the SMTP transaction allowing the mail transport agent to route email without looking at the contents. In normal circumstances the mail transport agent for the recipient will discard the envelope before it is placed in the recipient’s mailbox.

Opening The Envelope

Just like real post where you have to trust that nobody along the route between the original writer and the recipient will open the envelope to peruse the contents, the same applies to email. Which all the ‘agents’ along the path can normally be trusted, there is nothing to stop a rogue agent examining the contents of email – whether that’s a snoopy system administrator, an employer with an overly suspicious nature, or law enforcement.

Which explains why it is strongly advisable not to use email for anything secret; or to investigate encrypting emails.

Rusty Handrail
Rusty Handrail
Apr 022024
 

The interesting thing about the Trans Day of Visibility accidentally (to state the bloody obvious, Easter keeps moving around so such accidents are inevitable) colliding with Easter Sunday is that it has caused all the really fucking nasty shits to come out of their hutches spitting lettuce everywhere.

And yes you are really fucking nasty shits.

According to the last UK census only 0.5% of the population are transfolk; you could spend your entire life without encountering one. And transfolk are quite probably the most bullied minority there is – one report referenced by this guide suggests that 34% of young transfolk have attempted suicide. That’s probably higher than the suicide rate (one estimate puts it at 25%) amongst Nazi concentration camp inmates.

Now that is attempted suicides but it is still astonishingly high and points to a horrendous level of alienation and indeed bullying.

That needs fixing. And part of that fix is to tell the really fucking nasty shits to keep quiet.

One of the dumbest things that the nasty shits want is to force transfolk to use the public toilets marked for the gender they were born with. In other words they want people who to all appearances are women to use the mens facilities; and they want bearded blokes to use the ladies.

Now I don’t especially mind ladies (or transwomen if you insist) using the gents toilets although it does cause a double-take and a moment wondering if I’ve mistaken the sign on the door. Especially with those “fun” signs.

Oh and that “principle of least astonishment”? If you have gender segregated toilets, you expect to find those who look like men in the gents and those who look like women in the ladies.

But can you imagine the reaction if someone with all the appearance of a bearded bloke walks into a ladies? There have apparently already been women assaulted in toilets for looking too masculine by the ‘gender police’.

You don’t have to understand gender dysphoria to feel sympathy for transfolk – I don’t. It’s completely incomprehensible to me. And the really fucking nasty shits who criticise transfolk? Well they’re probably really fucking nasty shits in other ways too. So figuratively slap ’em down every time they raise they heads.

Because they deserve it.

Apr 012024
 

So I was reading 𝕏 and came across one of those memes showing “Chinese bots” making connections to “open” SSH ports to Internet accessible servers. The suggestion to turn off password authentication in favour of public/private key authentication was certainly a sensible suggestion (on a very simplistic level it effectively makes a very strong “password”).

But the “Chinese bots” thing sort of irritated me a bit, so I decided to trawl my personal firewall logs looking for attempts to connect to my ssh port(s). Even ignoring the IPv6 probes, there were 1251 different addresses probing my network (just one public IPv4 address) in the months of March so far.

Why is this irritating? Because the addresses of the machines attempting to break into a non-existent ssh service here are those of compromised machines. They may be in China, or the USA, Russia, etc. but that in no way betrays who is controlling those “bots”.

Anyway, for some data :-

CountCountry
502,US USA 840 United States
128,CN CHN 156 China
97,KR KOR 410 Korea, Republic of
33,SG SGP 702 Singapore
27,BG BGR 100 Bulgaria
26,RU RUS 643 Russian Federation
22,HK HKG 344 Hong Kong
22,GB GBR 826 United Kingdom
20,DE DEU 276 Germany
16,SE SWE 752 Sweden

And “China” isn’t even in the lead in this case! I have included just the top 10 as a long list of random countries with one or two robots isn’t very enlightening.

The key point here is that the national identity of the compromised host attacking tells you nothing about where the true attacker is from. Russia is quite a likely candidate given it’s status as a rogue nation with a known tolerance for cyber criminals (as long as they co-operate with the state when the state needs their skills), but that is just background knowledge.

Mar 242024
 

There is currently a furore about JK Rowling having denied that the Nazis targeted transfolk with a comment specifically stating that the poster should “check their sources” which becomes amusing …

For the record, the historical suppression of the world’s first institute covering trans healthcare is a matter of record. And although I’m not going to chase down threads to verify this, there is very little doubt in my mind that transfolk would have been sent to concentration camps as homosexual men were.

Now the average person might be forgiven for being ignorant about the suppression of the Institut für Sexualwissenschaft; after all those who aren’t interested in the subject will make an assumption that the “Holocaust” was just about the killing of the Jews.

It is true that non-Jewish victims are somewhat less publicised and that most groups weren’t targeted for annihilation as the Jews and Roma were, but being worked to death in a concentration camp with random and brutal punishment up to and including murder isn’t a kind fate. And certainly qualifies as repression.

Any public figure should be more careful about denying that something did or did not happen.

I have just seen a video claiming that JK Rowling isn’t a Holocaust denier because the word Holocaust refers specifically to Jewish victims. Well, there’s a discussion to be had about that – but it should be noted that the Jewish have a specific word for what happened to them (Shoah), which some people believe leaves the word “Holocaust” free to use in reference to all of the victims of the Nazis; it certainly works better than “Nazi crimes against humanity”.

B&W Picture of the entrance to Winchester's Great Hall
Entering The Great Hall