No ads? Contribute with BitCoins: 16hQid2ddoCwHDWN9NdSnARAfdXc2Shnoa
Apr 032017
 

Since getting a HiDPI screen, I have been plagued with claws mail merrily doing the right thing with proper emails, but showing HTML emails at a tiny size.

Whilst it doesn’t appear to be a preference you can change in the normal way, there is a zoom variable you can change within the Claws preferences file. Quit claws, and edit ~/.claws-mail/.clawsrc and scroll down through the file until you find the “[Fancy]” section :-

[fancy]
enable_images=1
enable_remote_content=1
enable_scripts=0
enable_plugins=0
open_external=1
zoom_level=100
enable_java=0
enable_proxy=0

Change the “zoom_level” to a suitable percentage (such as 200).

Mar 182017
 

The TiPro programmable keyboards are quite fun for those who are into their keyboards, but with one big problem: the programming tool is Windows only. Well at least if you happen to have a USB-based TiPro; otherwise you need to set up the serial interface as the PS/2 interface is only usable for programming with a 32-bit Windows.

As it turns out, if you try to run it under a virtual machine and assign the USB device of the keyboard to the virtual machine, it still fails – somehow it doesn’t like staying assigned to the virtual machine. However there is a fix for this – using the command-line VirtualBox tools to set up a permanent USB filter.

To assign, first of all determine the name of your virtual machine with :-

VboxManage list vms

Next, add a USB filter – you can normally assign it to “slot” (or index) 1, but you may have to check what slots are available if you already do this :-

VBoxManage usbfilter add 1 --target "W10" --name TiPro --vendorid 0x1222 --productid 0xfaca

Once that is done, the Windows tool should be able to find the keyboard to start programming it. If necessary, reboot the virtual machine or try assigning the USB device via the menu option.

During programming it is helpful to remember than raw USB HID codes can be used by right-clicking in the input field for a key, selecting “Text Input” and inputing the code in the form “/${hex hid code} ${hex hid code}\” – such as “/69 69\” (a list can be found at: http://www.usb.org/developers/hidpage/Hut1_12v2.pdf)

Removal at the end:

VBoxManage usbfilter remove 1 --target "W10"

After the removal it seems that disconnecting and reconnecting the device is necessary for Linux to pick it up (or possibly a udevadm trigger).

b

Feb 272017
 

Strictly speaking how some cloud services do mail wrong, but whilst it is not all, there are still quite a few that do which is why there are no names contained within this rant.

When you have some cloud-based service send email, it makes sense for the “From” header (i.e. what sensible normal people think of as the sender address) to contain the email address of the person using the cloud-based service.

Fair enough.

But if the real sender address or envelope sender address (which is contained within the SMTP transaction) comprises the email address of the person using the cloud-based service you may well run into problems. Many organisations publish an SPF record in their DNS to indicate what network addresses are approved for, and many mail servers check the envelope sender against the published authorised network addresses.

If the network address used by the cloud service provider does not match what is in the organisation’s SPF record then the recipient’s mail server is free to reject the mail. And they often do.

Now the most obvious “fix” for this is to add the cloud service provider’s network address to the organisation’s SPF record.

The only trouble with that is that it isn’t always possible. There are various limits to how long an SPF record can be so adding addresses to the SPF record recklessly is unwise, and a sensible DNS administrator will only add to the SPF record for important services. So if the cloud service is being evaluated or being used by something less important, or is being used for non-work related purposes, then it likely won’t meet the “important enough to get added to the SPF record” criteria.

So why not fix the source of the problem?

All that has to be done is to use a different address for the envelope sender, and you can even arrange things to send bounces back to the right place.

Set the envelope sender to something like “customer+${original email}@${cloud service address}” (obviously when replacing the ${original email} you will have to change the “@” sign to something reversible). All of a sudden you are no longer “forging” the envelope sender, and not tripping over anyone’s spam defences.

Process the bounces to “customer@${cloud service address}” and you can send the bounces to the right place.

Feb 122017
 

A very long time ago, I used to collect spam in order to graph how much spam a single mail server was likely to get over time, and almost as long ago, I lost interest in maintaining it. As a consequence I still get a ton of spam every day and after a long period of procrastination I have been slowly raising defences against spam.

This particular recipe is not really a defence against spam – it verifies that the remote server is properly DNS registered with a reverse DNS registration – in other words that the IP address it is connecting from is registered. This is a requirement for all mail servers, and as it turns out, spammers don’t care for registering their servers in the DNS.

This ACL snippet goes into the ACL for checking the recipient or for checking the message :-

 deny
   message = Your mail server is not properly DNS registered
   log_message = BLOCKED: No rDNS
   condition = ${if eq{$host_lookup_failed} {1} {1}{0}}
   # Check rDNS and block if not registered

There are three items of interest :-

  1. The message is intended to be easily read by recipients to determine what the problem is. It turns out that many people do not read NDRs, but if we get the message right at least we are doing the right thing.
  2. The log_message is intended to make automating log parsing easier.
  3. Within the condition, the $host_lookup_failed variable indicates that the reverse DNS lookup returned NXDOMAIN and not that it timed out (which would be $host_lookup_deferred).

That’s all there is to this little piece of configuration.

Feb 082017
 

One of the things that come up whenever IPv6 is mentioned on certain news sites, is that there are people out there who think that NAT solves all of the address size problems and doesn’t have any negatives. I could present a whole series of blog articles on why NAT is the work of the devil, and presents a clear and present danger to life, liberty, and the pursuit of happiness (I might be exaggerating just a touch here).

The naive approach to a security issue originating from a certain network address is to block that network address permanently, pending an appropriate response, or temporarily. Not a bad idea although it does resemble a game of hunt the wumpus, and to assist in this, there are community based collective blocklists.

But what happens when you block an address, and that address is the public address of a NAT device? You block everyone sharing that public address, which could be just a household or it could be thousands of unconnected people. For instance, I have up to 32,000 people behind a handful of public IP addresses.

And yes I do regularly see problems where blocks have been put in place, and from what I can see this is a problem that is widely shared amongst people who NAT.

And once you are blocked in this way, you may be able to get it removed if you manage to identify which blocklist you are on, stop the network abuse and it has a well-run mechanism for removal. Most blocklists (including the ones I run) don’t work this way.

Every IP address has a reputation associated with it, and if you share a public IP address that has a poor reputation, parts of the Internet will disappear for you, and these include some well known services.

Jan 192017
 

Entropy.

Any serious cryptographic routines needs a good source of random numbers, and whilst Linux provides a random number generator by default it’s sources of entropy can be somewhat limited. Especially when you’re talking about a virtual machine.

Indeed if you try to pull too much randomness out of the Linux entropy pool (especially when it is especially limited), what you get might not be quite as random as you expect.

Which is where hardware randomness generators come in. And I finally have one (actually two), and have hooked them up. You may be able to guess what time I plugged it in from the graph below :-

So what real world difference does it make?

Well nothing is dramatically obvious, but :-

  1. I have slightly more confidence that any cryptographic software I might run has a good source of randomness and is less likely to accidentally perform poorly (in terms of cryptographic strength).
  2. Some cryptographic software blocks if the Linux entropy pool is empty; with a hardware source I can be more confident that any performance issues are not due to a lack of randomness.
Dec 282016
 

“You’re such a pedant” goes the insult as though being right about something is somehow wrong.

Now don’t get me wrong – there are some areas where being a pedant is not entirely right – such as declaring that Christmas Day isn’t a bank holiday but instead a common-law holiday. But there are many areas where being pedantic and precise is not just the right thing, it is essential.

I work in IT, and many of the biggest problems in IT are down to lack of precision and not getting things right. I can’t recall the number of times things have gone wrong or have been delayed (probably the most common result) because things have not been specified clearly enough, with enough detail, and correctly.

So in certain specialised areas – such as IT – it is good to be pedantic and precise. Include too much information rather than too little.

 

Dec 172016
 

In the dim and distant past when dinosaurs roamed the data centre (although it was called the machine room, or for trendy types who liked to keep up to date, the computer room), sometimes called the 1970s, a new type of computer gradually started to appear. This computer was intended to be used by one individual at a time, and more it was intended to be part of the furniture of an office (in the sense it belonged). It became known as the personal computer.

To quote Steve Wozniak: “To me, a personal computer should be small, reliable, convenient to use and inexpensive“. Of course “inexpensive” is relative and we wouldn’t think the personal computer of the 1970s was inexpensive. When you trawl through old copies of BYTE, please remember that when you get shocked at the prices that you have to add in inflation!

The field of personal computers grew so quickly that most of the dinosaur behemoths grew interested and joined in. One – the IBM PC – grew so popular that IBM grew to regret throwing it together so quickly, and it eventually came to dominate the market. Except for a small bunch of weirdos who insisted that the Apple Mac was the bees knees, and that the PC would soon die.

The argument between the two groups of fanatics grew so heated that “PC” become synonymous with the IBM PC – even well after IBM stopped dominating the market, and Macs were excluded from the “PC” label. Even after they become PC in all but name – today an Apple machine is no different to a normal PC from someone like Dell, HP, etc. except from the operating system.

Yet because of that ridiculous “cold war” between the Microsofties and the Applites, every time I issue a communique I have to use the phrase “PCs and Macs” because some cold war era warrior will claim “… but you didn’t say anything about Macs” or “… but not Macs?”.

So in the interests of clarity, although when I say PCs I mean both, I shall start using the phrase inclusive personal computers. Or iPCs.

And no, I don’t mean the Sun IPC.

 

Dec 112016
 

Vi (or vim) is one of those editors that at first appearance appears to be insanely user-hostile, and some will say it looks the same way on a second, and third glance. Yet it remains one of the most popular editors under Linux, and even if you choose another editor as your mainstay, you are likely to encounter it in use a fair bit.

(Apologies for the little line at the top of that screenshot; lazy editing)

The strange thing about vi is that nobody uses the real thing any more (well almost nobody), but instead clones of one kind or another. That is mostly because vi originated in the commercial world of Unix, and clones were written to be open-source. It is perhaps worth remembering that vi has remained the mainstay of editing under Unix-based operating systems for three decades despite there being many alternatives.

It may look plain, but vi has almost every editor feature you can think of and almost certainly a few you never thought of.

The Modes

Almost every every other editor currently in use is a modeless editor, or at least mostly modeless. Vi is different in that it has three different modes that operate differently – insert mode, command mode, and ex-mode (essentially for extended commands). Of the three modes, the insert mode is the most like other editors, although are relatively few commands to use. As you can see in the screenshot above, the words “- INSERT -” appears at the bottom of the screen whenever you are insert mode (and the same for replace mode which is effectively the same).

Most commands are performed in the command mode, which can be thought of as the default mode – there is nothing saying that you are in command mode. If in doubt, you can press Esc to get from insert mode into command mode. There are some who will argue that in fact vi is modeless and that the “insert mode” is in fact a parameter to the insert command. This has a certain ring of validity to it – if you enter 32iHelloEsc in command mode, you will end up with 32 copies of the word “Hello” inserted.

But conventionally vi is written of as a mode-based editor, so it is best to think of it as such until you have learned enough to throw off conventional wisdom and go your own way.

The last mode is ex-mode, which at a basic level is covered only in enough detail to tell you how to get out of it! It is entered from command mode with the “:” command, at which point the cursor moves to the end of the screen leaving you free to type in lengthier commands. To exit simply hit the backspace key until the cursor returns to its normal location.

The Insert Mode

(and the replace mode)

The insert mode is started with a variety of commands, but the simplest is i(nsert).

Once in insert mode, you can start typing normal text without worrying about what commands it will run. There are a fair few things you can do with the control keys, but we’ll skip over those for the “basics”. To correct a few historical limitations :-

  1. You can move the cursor around with the arrow keys. It might seem a bit strange to say so, but the original vi didn’t allow you to move in insert mode partially because it pre-dates arrow keys (yes, really!) and had to use commands to move the cursor around the screen.
  2. You can move anywhere within the file and make changes anywhere; not just where the original change was intended. This may seem like an unnecessary feature to explain, but when you are changing a single word, it can seem wrong to also go somewhere else in the file and make changes elsewhere.

Without going into the more esoteric features, there is not a great deal more to say about the insert mode except it is exited with the Esc key.

The Command Mode

The movement commands :-

Arrow Keys Moves the cursor
h & l Moves the cursor left and right.
j & k Moves the cursor down and up.

The use of the h,j,k, and l keys to move the cursor around the screen seems rather bizarre except when you realise that some early terminals connected to Unix systems lacked cursor keys. They remain for compatibility reasons and because some people feel that they can be quicker to use as they require less hand movement than the cursor keys, or like me that those keys are burnt into muscle memory and so they are used almost without thought.

b(ack) Move backwards one word.
e(nd) Move forward to the end of the word.
f(orward){char} Move forwards on the same line to the next occurrence of {char}.
n(ext) Move to the next occurrence of the last search.
 / Search for something.

The most basic command for deleting text is “x” which deletes the character under the cursor, but a hint of what can be done with vi comes with the d(elete) command. The d(elete) command takes a movement as a parameter, and deletes from the current cursor position until where there movement takes you :-

dd Deletes line.
d$ Deletes to the end of the line.
d0 Deletes until the beginning of the line.
dw Delete until the end of the word.
diw Delete “in” word – deletes the current word.
df{char} Deletes until the next occurrence of {char}

But we now move finally to adding text :-

i(nsert) Insert at the current cursor.
o(pen) Open a new line below the current line.
O(pen) Open a new line above the current line.
a(ppend) Append text after the cursor.
A(ppend) Append new text at the end of the line.

Lastly, we can save and exit vi with “ZZ”.

Ex-Mode

This is going to be even more truncated than the last section (I know the last section doesn’t seem truncated, but trust me – it is!). There is a great deal more to this mode than just the three commands below :-

:write (or :w)

Writes the file being edited. Two options I am going to mention here.

Firstly you can add a filename to the command to write to an alternate file (:write new-filename) – very handy if you find you’re making changes to a file that you do not have permission to overwrite.

If you need to override a warning vi has about overwriting the current file, you can do so by appending an exclamation (!). Just don’t do it automatically (I’ve a sorry song to sing about doing that!).

:quit

And to quit vi, simply use the :quit command. If there are unsaved changes in the file you are editing, it will stop you, in which case if you really want to lose your changes add an exclamation (!).

Nov 262016
 

(actually we don’t usually sit in the data centre; it’s too noisy and usually the wrong temperature for people)

There is a perception amongst people that security “gurus” who work in network security are spying on all your network traffic. Not the hackers (which is a whole other matter), but the people who run enterprise firewalls. We do, but we’re not interested in what you are doing but instead what is being done to you (and the enterprise as a whole).

Frankly nothing strikes me as more boring than spying on someone’s porn browsing – if I really need to, I’ll hunt down my own porn thank you very much! And we’re busy; you could probably double the size of every network security team in every organisation on the planet and still nobody would be sitting around twiddling their thumbs.

On the subject of porn (as an extreme example), it is not a security issue. There is an argument that browsing porn sites is putting yourself at greater risk of picking up some kind of nasty infection, but avoiding porn sites to avoid getting infected with malware is a tactic that results in your computer being infected. So the intended content isn’t a problem as far as security is concerned, but we’re interested in unintended content.

Now there are places that enforce browsing censorship – blocking anything that isn’t work-related. That role is usually dumped on the network security people because they have the tools to do the job.

Does porn browsing on the office matter? Of course it does – some people are upset by the sight of such things, and almost as important, when someone is browsing porn they are not working. But such matters are best dealt with in the office by the line manager – if someone isn’t doing their work it doesn’t matter if they are browsing porn, hitting Facebook, or snoozing under the desk. All should be dealt with appropriately by the line manager.

And centralised censorship is a rather clumsy tool – blocking Facebook is all very well if it is to prevent personal usage of the Internet, but what about the Marketing department using Facebook for publicity? Or the Customer Service department keeping an eye on Facebook for product problems that they need to look into? These can be allowed through on a case-by-case basis, but it highlights that censorship is a clumsy tool.

The word from a nameless vendor who is in this space, is that in many cases this censorship has less to do with preventing people from doing “naughty” things, and more to do with controlling bandwidth usage. And as bandwidth becomes cheaper, there is less interest in censoring Internet activities – certainly from a personal perspective I notice a decrease in the number of people who complain they cannot visit certain sites because of work’s “firewall”.

There is also the subject of TLS inspection where firewalls intercept and inspect TLS or SSL encrypted traffic between you and “out there”. Again there is a suspicion that we are for whatever reason spying on your activities. The answer to this is the same as previously – why should we bother? It is too much like hard work, and frankly most of the information that passes through a firewall is unbelievably boring.

No, TLS interception is used to do the boring task of inspecting traffic for malware, spyware, and other security threats. And with the increasing use of TLS to encrypt traffic it is becoming more and more important to do TLS interception for security reasons.

Yes there are those who would use that sort of technology to spy on your activities, but those organisations are typically nation states … and repressive ones at that. But it is extreme foolishness to blame a useful tool for the abuses that an abusive government perpetrates.  Your average enterprise just isn’t that interested in what you’re up to.

And if you still don’t believe this, there is a simple answer: Do anything private on your own private network.

b84v37631-cubist-eye

Facebook Auto Publish Powered By : XYZScripts.com

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close