
Koos van den Hout

Welcome. This is my homepage where I write about my opinion, projects, things I note, things I try and other random stuff. News items have tags for a bit of structure.

Latest news/thoughts/geeking/rants/notablog

2014-10-30 (So it's not just what I happen to read on google+ because I follow some Australians with interests in...) 3 hours ago
Google+Koos van den Hout : So it's not just what I happen to read on google+ because I follow some Australians with interests in politics.
2014-10-29 (#) 23 hours ago
As part of my job I write down security requirements in new projects. Those include 'connections between systems that transport non-public data need to be encrypted using up-to-date encryption'. At the same time, work is improving their testing procedures so new or upgraded applications come to production fully tested according to predefined testing scenarios. So now 'security' is also part of the test scenarios and I was asked to help build tests for our security requirements.

For secure websites it is easy: I use the Qualys SSL Labs SSL Server Test. But there are a lot more SSL-secured connections in use, and I would like those verified too without having to expose them to the outside world. Preferably both from Unix and Windows endpoints. And automated and/or as a scenario that can be done by the responsible system administrators.

A simple web search gave no answers, but some asking around gave me SSLScan for Windows, which is a Windows port of SSLScan Fast SSL Scanner. It's even free, and it gives out just the reports I want:
D:\sslscan win>SSLScan.exe wwwsec.cs.uu.nl:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server wwwsec.cs.uu.nl on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=NL/O=TERENA/CN=TERENA SSL CA
    Not valid before: Mar 15 00:00:00 2012 GMT
    Not valid after: Mar 15 23:59:59 2015 GMT
    Subject: /C=NL/O=Universiteit Utrecht/CN=wwwsec.cs.uu.nl
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
          00:da:af:31:f2:39:f5:66:d0:d5:96:5e:1d:1e:7a:
          86:ba:3f:79:79:98:da:30:79:32:39:99:47:88:ea:
          6c:2e:a0:2a:9b:29:0a:48:9e:0f:9e:9d:e1:9a:32:
          8d:a6:ab:7b:bb:73:62:0a:43:31:cd:78:02:14:09:
          23:b7:d1:28:4a:2e:b8:c0:c9:ea:7a:9b:5c:4b:ae:
          73:af:7b:82:4d:dd:e9:ec:8f:6e:13:c9:db:d4:d0:
          92:9f:d3:88:69:c2:d3:61:32:76:d6:12:d0:45:d7:
          c2:89:fb:cb:24:b0:5e:6b:11:89:5c:3b:3e:8b:02:
          9b:3a:62:ca:ac:47:d1:97:1d:02:bd:50:2b:50:e5:
          be:55:f5:54:5c:68:99:28:c6:ca:05:70:79:84:1a:
          24:6d:02:de:16:74:8b:05:ce:f0:9c:71:27:c0:99:
          22:66:2e:00:31:ca:b7:1c:9d:78:8e:6e:e0:8f:94:
          4d:42:a7:89:8f:8d:d4:3a:1d:91:e6:c8:59:a1:59:
          3b:b3:e7:54:21:3c:38:0b:d3:27:37:33:48:8f:f4:
          e0:ba:e7:33:17:9b:a2:b1:b4:f0:7a:35:b3:27:4c:
          81:ad:76:91:78:52:1a:18:bf:18:c9:93:84:aa:79:
          49:ec:43:fe:56:5b:cc:82:ad:44:c7:4b:79:8f:d1:
          6d:9d
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:
        keyid:0C:BD:93:68:0C:F3:DE:AB:A3:49:6B:2B:37:57:47:EA:90:E3:B9:ED

      X509v3 Subject Key Identifier:
        99:E4:5C:2F:C5:E8:4F:D1:A5:91:AA:0B:28:18:F2:EF:2A:96:4B:49
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Certificate Policies:
        Policy: 1.3.6.1.4.1.6449.1.2.2.29

      X509v3 CRL Distribution Points:
        URI:http://crl.tcs.terena.org/TERENASSLCA.crl

      Authority Information Access:
        CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt
        OCSP - URI:http://ocsp.tcs.terena.org

      X509v3 Subject Alternative Name:
        DNS:wwwsec.cs.uu.nl, DNS:wwws.cs.uu.nl
  Verify Certificate:
    self signed certificate in certificate chain
At this moment it complains about a self-signed certificate because I haven't given it a list of root certificates. I can't find out at the moment how to fix that; it doesn't seem to check a list of root certificates, or at least not in a place where I put them.
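To turn a report like the one above into a pass/fail step in a test scenario, the text output can be parsed and checked against a policy. The following is an added example, not part of the original post or of SSLScan; the policy lists (weak protocols, weak cipher-name tokens, minimum key size, weak signature hashes) and the verify-error substrings are assumptions chosen for illustration.

```python
import re

# Cipher row of the report: optional status, protocol, key size, OpenSSL cipher name.
ROW = re.compile(
    r"^\s*(?:(Accepted|Rejected)\s+)?(SSLv[23]|TLSv1(?:\.\d)?)\s+(\d+) bits\s+(\S+)\s*$")

# Assumed test policy for this example (not taken from the page).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_TOKENS = ("NULL", "EXP", "ADH", "RC2", "RC4", "DES", "IDEA", "MD5")  # DES also hits DES-CBC3
WEAK_SIGNATURES = ("md5", "sha1")
VERIFY_ERRORS = ("self signed", "unable to get", "expired", "not yet valid")
MIN_BITS = 128

# Constructed sample, abridged to the layout of the report shown above.
SAMPLE = """\
  Supported Server Cipher(s):
    Rejected  SSLv3  128 bits  RC4-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA
  SSL Certificate:
    Signature Algorithm: sha1WithRSAEncryption
  Verify Certificate:
    self signed certificate in certificate chain
"""

def parse_report(text):
    """Extract accepted and preferred ciphers, signature algorithm and verify result."""
    report = {"accepted": [], "preferred": [], "signature": None, "verify": None}
    section = None
    for line in text.splitlines():
        s = line.strip()
        row = ROW.match(line)
        if s.endswith("Server Cipher(s):"):
            section = "preferred" if s.startswith("Prefer") else "accepted"
        elif s == "Verify Certificate:":
            section = "verify"
        elif s.startswith("Signature Algorithm:"):
            report["signature"] = s.split(":", 1)[1].strip()
        elif section == "verify" and s:
            report["verify"], section = s, None  # first line after the header is the result
        elif row and section in ("accepted", "preferred"):
            status, proto, bits, name = row.groups()
            if section == "preferred" or status == "Accepted":
                report[section].append((proto, int(bits), name))
    return report

def findings(report):
    """List every parsed item that violates the assumed policy above."""
    out = []
    for kind in ("accepted", "preferred"):
        for proto, bits, name in report[kind]:
            why = [proto] if proto in WEAK_PROTOCOLS else []
            if bits < MIN_BITS:
                why.append(f"{bits} bits")
            why += [t for t in WEAK_TOKENS if t in name.split("-")]
            if why:
                out.append(f"{kind} {proto} {name}: {', '.join(why)}")
    if (report["signature"] or "").lower().startswith(WEAK_SIGNATURES):
        out.append(f"signature: {report['signature']}")
    if any(e in (report["verify"] or "") for e in VERIFY_ERRORS):
        out.append(f"verify: {report['verify']}")
    return out
```

An empty list from `findings(parse_report(output))` means the endpoint passed; anything else is the list of items to hand to the responsible administrator.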

2014-10-26 (#) 3 days ago
Waving to China:
Oct 26 12:42:43 abaris sshd[4602]: User root from 122.225.109.114 not allowed because none of user's groups are listed in AllowGroups
Oct 26 12:43:22 abaris sshd[4605]: User root from 122.225.109.114 not allowed because none of user's groups are listed in AllowGroups
Oct 26 12:44:19 abaris sshd[4608]: User root from 122.225.109.114 not allowed because none of user's groups are listed in AllowGroups
Oct 26 16:10:09 abaris sshd[5655]: User root from 122.225.97.84 not allowed because none of user's groups are listed in AllowGroups
Oct 26 16:10:29 abaris sshd[5658]: User root from 122.225.97.84 not allowed because none of user's groups are listed in AllowGroups
Oct 26 16:11:19 abaris sshd[5663]: User root from 122.225.97.84 not allowed because none of user's groups are listed in AllowGroups
Oct 26 17:11:10 abaris sshd[5929]: User root from 122.225.109.215 not allowed because none of user's groups are listed in AllowGroups
Oct 26 17:11:41 abaris sshd[5933]: User root from 122.225.109.215 not allowed because none of user's groups are listed in AllowGroups
Oct 26 17:12:40 abaris sshd[5937]: User root from 122.225.109.215 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:02:41 abaris sshd[6434]: User root from 122.225.109.195 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:03:13 abaris sshd[6438]: User root from 122.225.109.195 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:03:55 abaris sshd[6444]: User root from 122.225.109.195 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:06:29 abaris sshd[6466]: User root from 122.225.109.108 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:06:59 abaris sshd[6470]: User root from 122.225.109.108 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:07:42 abaris sshd[6473]: User root from 122.225.109.108 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:54:45 abaris sshd[6744]: User root from 122.225.109.217 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:55:21 abaris sshd[6749]: User root from 122.225.109.217 not allowed because none of user's groups are listed in AllowGroups
Oct 26 19:56:00 abaris sshd[6754]: User root from 122.225.109.217 not allowed because none of user's groups are listed in AllowGroups
I guess Shaoxing Dingqi Network Technology Co., Ltd. and WENZHOU GAOJIE TECHNOLOGY CO.LTD have a problem with intruders abusing their systems to attack third parties or they might just be very interested in attacking a certain class of systems.
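Rejections like these are easier to read when grouped by source network, which shows how many addresses in one range take part and over what time span. The following is an added example, not part of the original post; the sample lines are constructed with documentation-range addresses, and the /24 grouping and the assumed year (syslog timestamps carry none) are choices made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# The sshd message quoted in the post: a login refused by the AllowGroups directive.
DENIED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: User (\S+) from (\S+) "
    r"not allowed because none of user's groups are listed in AllowGroups$")

# Constructed sample in the format of the log lines above (documentation-range addresses).
LINE = ("Oct 26 {} host1 sshd[{}]: User root from {} not allowed because "
        "none of user's groups are listed in AllowGroups")
SAMPLE = "\n".join(LINE.format(t, 4600 + i, ip) for i, (t, ip) in enumerate([
    ("12:42:43", "203.0.113.10"), ("12:43:22", "203.0.113.10"), ("12:44:19", "203.0.113.10"),
    ("16:10:09", "203.0.113.77"), ("16:10:29", "203.0.113.77"), ("17:11:10", "198.51.100.5"),
]))

def summarise(log_text, prefix=24, year=2014):
    """Group AllowGroups rejections by IPv4 source network of the given prefix length."""
    nets = defaultdict(lambda: {"sources": set(), "users": set(), "times": []})
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue  # some other sshd or syslog message
        stamp, user, src = m.groups()
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # sshd logged a hostname instead of an address
        if addr.version != 4:
            continue  # the prefix length here is only meaningful for IPv4
        entry = nets[ip_network(f"{src}/{prefix}", strict=False)]
        entry["sources"].add(src)
        entry["users"].add(user)
        entry["times"].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    rows = []
    for net, e in nets.items():
        rows.append({
            "network": str(net),
            "sources": len(e["sources"]),
            "attempts": len(e["times"]),
            "users": sorted(e["users"]),
            "span_seconds": int((max(e["times"]) - min(e["times"])).total_seconds()),
        })
    # Busiest network first; ties broken by network name for stable output.
    return sorted(rows, key=lambda r: (-r["attempts"], r["network"]))
```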

2014-10-23 (Nibble, nibble, little mouse, who is nibbling at my house? Demolition of the #wentgebouw can be followed via http:/...) 1 week ago
Google+Koos van den Hout : Nibble, nibble, little mouse, who is nibbling at my house?
Demolition of the #wentgebouw can be followed via http://www.projects.science.uu.nl/webcams/ which also has a timelapse.
Final part of demolishing a university building, taking out the floors and columns. Live webcam and timelapse video via url above.
2014-10-17 (#) 1 week ago
This evening I tried working amateur satellites again. There was a nice ISS pass at 18:19 UTC and this time it was very easy to aim the antenna since the ISS was still illuminated by the sun so it was a bright spot in the sky. But no astronaut responded to my CQ call, not even when I remarked "I can see you!".

I also looked up some more satellites that are one-way and this included the HO-68 amateur satellite. It transmits a CW (Morse code) beacon and I tried to receive and decode it. Receiving works, but I can't decode Morse by ear, and fldigi tries but the result doesn't look like the valid HO-68 telemetry format as documented in the HO-68 page above.

Update 2014-10-22: I asked PA5ABW, a very experienced CW operator, to listen to the recorded audio and he helped decode the transmission above into:
BJ1SA XW XW AAA TTT AUE ETT TTT TTT TTT TTT TTT TTT TTT TTT XW XW
And noted the groups of three letters can also be 'shortened digits' and decode to:
BJ1SA XW XW 111 000 121 100 000 000 000 000 000 000 000 000 XW XW
which as a telemetry report decodes to:
 CH1 PA Output RF Switch status: 111 PA2 works (beacon only)
 CH2 Transponder working status: 000 Beacon only
 CH3 Transponder temperature:    121 = +21 degrees
 CH4 Beacon RF Output Power:     100 = 100 mW
 CH5 and further: 000
Listen to audio attachment:
MP3 media: Audio from HO-68 pass recorded at JO22nc 2014-10-17-1856utc by PD4KH (rightclick, select save-as to download)

2014-10-15 (A fun week in information security: - Affected accounts are published from the 'Hold Security' dataset...) 2 weeks ago
Google+Koos van den Hout : A fun week in information security:
- Affected accounts are published from the 'Hold Security' dataset
- A heavy patch tuesday (note IE in there)
- Oracle critical patches
- Poodle SSLv3 vulnerability
and I'm probably missing a few 'interesting' things.
2014-10-15 (What is JOTA?) 2 weeks ago
Google+Koos van den Hout : I'll try and see if I can answer some CQ's from /J stations in the Jota weekend.
2014-10-12 (#) 2 weeks ago
A creative lie in today's spam:
You are a member of this mailing list because you have been logged in at Du Cap SoWifi.
Apparently that wifi access asks for an e-mail address and someone entered one of my addresses there, so now I get the junk.

2014-10-10 (#) 2 weeks ago
Interesting spam on a role-account at work from biorbyt. According to Biorbyt - Spam for science - BioSPAM they will spam addresses from scientific papers. According to their privacy policy they will not spam:
Biorbyt will not send you email that you have not agreed to receive.
but I have a hard time believing that when I get their mail on a role account related to security, absolutely not interested in
Leukemia markers optimized with FIX&PERM® flow cytometry reagent Introducing our new range of FIX&PERM® for flow cytometry and validated, CE certified leukemia markers which allows for mild, fast and simultaneous staining of both intracellular and cell surface markers.
Showing mainly that the business model of spam is that spamming 100.000 accounts for one sale is a perfectly viable business model when you're not encumbered by any ethics.

2014-10-10 (I made a recording of a pass of the SO-50 amateur satellite over Europe on 26 September 2014. I noticed...) 2 weeks ago
Google+Koos van den Hout : I made a recording of a pass of the SO-50 amateur satellite over Europe on 26 September 2014.
I noticed good operating procedures and a high number of completed QSO's. It almost sounded like some locator contest was going on.
When I compare this with the 'zoo' I heard in July, with CQ calls heard without any callsign... it is possible to have good operating procedures!
2014-10-09 (#) 2 weeks ago
Still in the archives: another SO-50 pass recorded on 26 September 2014. Again good operating procedures, maybe some sort of locator contest was going on, since I heard several exchanges with callsigns and locators in one go. Callsigns heard: SV2KGA, S54LD, CT2GOY, S52LD, 9A3ST, SQ8RK, IW3RGK. And yes, my definition of 'heard' includes listening to the announcements in the recording over and over; I did not understand them all when it happened.
Listen to audio attachment:
MP3 media: Audio from SO-50 pass recorded at JO22nc by PD4KH 2014-09-26 (rightclick, select save-as to download)

2014-10-09 (Thanks for another great video. It's a nice reminder that it is a good idea to prepare with repeater...) 2 weeks ago
Google+Koos van den Hout : Thanks for another great video. It's a nice reminder that it is a good idea to prepare with repeater listings for a long roadtrip, especially when you'll be driving on your own.
2014-10-08 (#) 3 weeks ago
I'm having a look around the centre of Uithuizermeeden on Google Street View and suddenly I notice an antenna that looks a lot like an antenna for VHF II (FM broadcast band) use on a temporary mast. But according to the antenna register (antenneregister) there is nothing at all at that location, only a radio amateur across the street. It was probably a temporary setup that has since been removed.

2014-10-08 (#) 3 weeks ago
This is really old-school: I see messages in the newsmaster mail from a newgroup/rmgroup war. Haven't seen that in decades!
god@heaven.com asks for christian.binaries.sermons
to be created.

If this is acceptable, type:
  /usr/lib/news/bin/ctlinnd newgroup christian.binaries.sermons y god@heaven.com

And do not forget to update the corresponding description in your
/var/lib/news/newsgroups file.

The control message follows:

..

For your newsgroups file:
christian.binaries.sermons      Christian sermons

CHARTER: christian.binaries.sermons is a newsgroup for Christian
sermons.

The newsgroup and hierarchy will not be strictly moderated per se. Spam
and heavy trolling is not permitted, however, and may be post-moderated
after the fact. The christian top-level hierarchy does not follow the
precise policies of the current free.* hierarchy. We do, however, share
a similar vision of a relatively free and open hierarchy allowing almost
anything created by virtually anyone, with few rules.

JUSTIFICATION: Christianity being one of the world's largest religions,
there are several Christian newsgroups in various hierarchies out there,
but no established central structure that combines a variety of topics,
and especially Christian binaries are fragmented in disjointed
hierarchies throughout the Usenet. This newsgroup under the free.*
mantle espouses the ideas of freedom, the liberty to create your own
group, and allow relatively free posting with the exception of spam and
heavy trolling. As Christian newsgroups are often trolled, this is a
necessary evil for the hierarchy to thrive. In this new age of
persecution and ostracization, the christian hierarchy is necessary to
unite Christians worldwide and give them a digital home.

There has been much discussion on the Usenet regarding the need for
separate Christian groups, especially topic -specified binaries groups,
which seem to be largely absent in terms of Christian media. The amount
of Christian material found in any typical web search on this subject
alone is sufficient justification for this group.
I'm not sure usenet binaries are the best way to reach christians today. The church I visit uses live-streaming with availability on a mobile 'app' and the archive is available via the church website.

2014-10-05 (I enjoy psk31 on 10 meters. The choice of band is simply because that is what size dipole I could fit...) 3 weeks ago
Google+Koos van den Hout : I enjoy psk31 on 10 meters. The choice of band is simply because that is what size dipole I could fit under the roof easily. The 10 meter band isn't always open so it is a bit of hit and miss but I have had nice openings allowing me to have contacts with Greece, Italy, USA, Slovenia, Romania and other countries. I have seen signals from Brazil and South Africa but never managed a full QSO.
In the previous weekend there was clearly an RTTY contest going on, but switching to that mode in fldigi and answering a few CQ TEST calls also worked for me. I uploaded the log: I'm not in it for the contesting but I do want the contesters to get their QSOs validated.
2014-10-05 (The Clickhole carries on the fine Onion tradition of almost passing for what passes for "real" journalism...) 3 weeks ago
Google+Koos van den Hout : Via +God Emperor Lionel Lauer a report of a "security breach" in the correct style of most of those articles.
2014-10-04 (#) 3 weeks ago
It seems the Garmin GPS 18 LVC for timekeeping in the ntp server on ritchie.idefix.net is having weird issues. It stops responding with the carrier high and sometimes restarts.
$GPGSA,A,1,,,,,,,,,,,,,,,*1E
$GPGSV,3,1,11,01,00,098,00,02,57,048,00,24,00,210,00,25,47,265,00*77
$GPGSV,3,2,11,26,05,15�
On such a 'hang' the carrier detect is high. Weird problem.



The person

Father, cat owned/owner, Unix/Linux fan, Internet user, reader, recumbent bicyclist, snowboarder, IPv6 fan. For those who don't speak Dutch: how to pronounce Koos van den Hout.

The job

Specialist information security at Utrecht University with a modern Profile page.
 



Koos van den Hout, reachable as koos+website@koos.idefix.net. PGP key DSS/1024 2C66 3B5D F0D7 C263 (via keyservers, local copy, key statistics for 0x2C663B5DF0D7C263).
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.