: So it's not just what I happen to read on google+ because I follow some Australians with interests in politics.
As part of my job I write down security requirements in new projects. Those include 'connections between systems that transport non-public data need to be encrypted using up-to-date encryption'. At the same time, work is improving their testing procedures so new or upgraded applications come to production fully tested according to predefined testing scenarios. So now 'security' is also part of the test scenarios and I was asked to help build tests for our security requirements. For secure websites it is easy, I use the Qualys SSL Labs SSL Server Test. But there are a lot more ssl secured connections in use, and I would like those verified too without having to expose them to the outside world. Preferably both from Unix and Windows endpoints. And automated and/or as a scenario that can be done by the responsible system administrators. A simple websearch gave no answers but some asking around gave me SSLScan for Windows which is a windows port of SSLScan Fast SSL Scanner. It's even free, and it gives out just the reports I want:

    D:\sslscan win>SSLScan.exe wwwsec.cs.uu.nl:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
        Compiled against OpenSSL 0.9.8m 25 Feb 2010

    Testing SSL server wwwsec.cs.uu.nl on port 443

      Supported Server Cipher(s):
        Rejected SSLv2 168 bits DES-CBC3-MD5
        Rejected SSLv2 56 bits DES-CBC-MD5
        Rejected SSLv2 128 bits IDEA-CBC-MD5
        Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
        Rejected SSLv2 128 bits RC2-CBC-MD5
        Rejected SSLv2 40 bits EXP-RC4-MD5
        Rejected SSLv2 128 bits RC4-MD5
        Rejected SSLv3 256 bits ADH-AES256-SHA
        Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
        Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
        Rejected SSLv3 256 bits AES256-SHA
        Rejected SSLv3 128 bits ADH-AES128-SHA
        Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
        Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
        Rejected SSLv3 128 bits AES128-SHA
        Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
        Rejected SSLv3 56 bits ADH-DES-CBC-SHA
        Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
        Rejected SSLv3 128 bits ADH-RC4-MD5
        Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
        Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
        Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
        Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
        Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
        Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
        Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
        Rejected SSLv3 168 bits DES-CBC3-SHA
        Rejected SSLv3 56 bits DES-CBC-SHA
        Rejected SSLv3 40 bits EXP-DES-CBC-SHA
        Rejected SSLv3 128 bits IDEA-CBC-SHA
        Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
        Rejected SSLv3 128 bits RC4-SHA
        Rejected SSLv3 128 bits RC4-MD5
        Rejected SSLv3 40 bits EXP-RC4-MD5
        Rejected SSLv3 0 bits NULL-SHA
        Rejected SSLv3 0 bits NULL-MD5
        Rejected TLSv1 256 bits ADH-AES256-SHA
        Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
        Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
        Accepted TLSv1 256 bits AES256-SHA
        Rejected TLSv1 128 bits ADH-AES128-SHA
        Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
        Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
        Accepted TLSv1 128 bits AES128-SHA
        Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
        Rejected TLSv1 56 bits ADH-DES-CBC-SHA
        Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
        Rejected TLSv1 128 bits ADH-RC4-MD5
        Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
        Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
        Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
        Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
        Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
        Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
        Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
        Accepted TLSv1 168 bits DES-CBC3-SHA
        Rejected TLSv1 56 bits DES-CBC-SHA
        Rejected TLSv1 40 bits EXP-DES-CBC-SHA
        Rejected TLSv1 128 bits IDEA-CBC-SHA
        Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
        Accepted TLSv1 128 bits RC4-SHA
        Rejected TLSv1 128 bits RC4-MD5
        Rejected TLSv1 40 bits EXP-RC4-MD5
        Rejected TLSv1 0 bits NULL-SHA
        Rejected TLSv1 0 bits NULL-MD5

      Prefered Server Cipher(s):
        TLSv1 128 bits RC4-SHA

      SSL Certificate:
        Version: 2
        Serial Number: -4294967295
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=NL/O=TERENA/CN=TERENA SSL CA
        Not valid before: Mar 15 00:00:00 2012 GMT
        Not valid after: Mar 15 23:59:59 2015 GMT
        Subject: /C=NL/O=Universiteit Utrecht/CN=wwwsec.cs.uu.nl
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
          Modulus (2048 bit):
              00:da:af:31:f2:39:f5:66:d0:d5:96:5e:1d:1e:7a:
              86:ba:3f:79:79:98:da:30:79:32:39:99:47:88:ea:
              6c:2e:a0:2a:9b:29:0a:48:9e:0f:9e:9d:e1:9a:32:
              8d:a6:ab:7b:bb:73:62:0a:43:31:cd:78:02:14:09:
              23:b7:d1:28:4a:2e:b8:c0:c9:ea:7a:9b:5c:4b:ae:
              73:af:7b:82:4d:dd:e9:ec:8f:6e:13:c9:db:d4:d0:
              92:9f:d3:88:69:c2:d3:61:32:76:d6:12:d0:45:d7:
              c2:89:fb:cb:24:b0:5e:6b:11:89:5c:3b:3e:8b:02:
              9b:3a:62:ca:ac:47:d1:97:1d:02:bd:50:2b:50:e5:
              be:55:f5:54:5c:68:99:28:c6:ca:05:70:79:84:1a:
              24:6d:02:de:16:74:8b:05:ce:f0:9c:71:27:c0:99:
              22:66:2e:00:31:ca:b7:1c:9d:78:8e:6e:e0:8f:94:
              4d:42:a7:89:8f:8d:d4:3a:1d:91:e6:c8:59:a1:59:
              3b:b3:e7:54:21:3c:38:0b:d3:27:37:33:48:8f:f4:
              e0:ba:e7:33:17:9b:a2:b1:b4:f0:7a:35:b3:27:4c:
              81:ad:76:91:78:52:1a:18:bf:18:c9:93:84:aa:79:
              49:ec:43:fe:56:5b:cc:82:ad:44:c7:4b:79:8f:d1:
              6d:9d
          Exponent: 65537 (0x10001)
        X509v3 Extensions:
          X509v3 Authority Key Identifier:
            keyid:0C:BD:93:68:0C:F3:DE:AB:A3:49:6B:2B:37:57:47:EA:90:E3:B9:ED
          X509v3 Subject Key Identifier:
            99:E4:5C:2F:C5:E8:4F:D1:A5:91:AA:0B:28:18:F2:EF:2A:96:4B:49
          X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
          X509v3 Basic Constraints: critical
            CA:FALSE
          X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
          X509v3 Certificate Policies:
            Policy: 184.108.40.206.4.1.64220.127.116.11.29
          X509v3 CRL Distribution Points:
            URI:http://crl.tcs.terena.org/TERENASSLCA.crl
          Authority Information Access:
            CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt
            OCSP - URI:http://ocsp.tcs.terena.org
          X509v3 Subject Alternative Name:
            DNS:wwwsec.cs.uu.nl, DNS:wwws.cs.uu.nl
      Verify Certificate:
        self signed certificate in certificate chain

At this moment it complains about a self-signed certificate because I haven't given it a list of root certificates. I can't find out at the moment how to fix that, it doesn't seem to check the list of root certificates or not in a place I put them.
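As an added example (not from the original post and not part of SSLScan): one way to turn a saved report like the one above into a pass/fail test step is to parse its Accepted lines and check them against a policy. The banned lists and the 128-bit minimum are assumptions standing in for 'up-to-date encryption', and the sample is an excerpt of the report above.

```python
import re

# Example policy (an assumption, not taken from the post): protocols and
# cipher-name components that fail "up-to-date encryption".
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
# "DES" matches both single DES and DES-CBC3 (3DES) suite names.
BANNED_TOKENS = {"NULL", "EXP", "ADH", "RC4", "RC2", "DES", "MD5"}
MIN_BITS = 128

# Matches report lines such as "Accepted TLSv1 128 bits RC4-SHA".
LINE = re.compile(r"^\s*(Accepted|Rejected)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def parse_ciphers(report):
    """Yield (status, protocol, bits, cipher) for each cipher line."""
    for line in report.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def violations(report):
    """Return {"protocol cipher": [reasons]} for accepted suites that break policy."""
    found = {}
    for status, proto, bits, cipher in parse_ciphers(report):
        if status != "Accepted":
            continue  # the server refused this suite, nothing to flag
        reasons = []
        if proto in BANNED_PROTOCOLS:
            reasons.append("protocol " + proto)
        if bits < MIN_BITS:
            reasons.append("%d-bit key" % bits)
        reasons += ["uses " + t for t in cipher.split("-") if t in BANNED_TOKENS]
        if reasons:
            found["%s %s" % (proto, cipher)] = reasons
    return found

# Excerpt of the report in the post: the four accepted suites and two rejected ones.
SAMPLE = """\
Rejected SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
"""

if __name__ == "__main__":
    result = violations(SAMPLE)
    for suite, reasons in result.items():
        print("FAIL", suite, "-", ", ".join(reasons))
    # Non-zero exit status lets a test scenario or scheduler record the failure.
    raise SystemExit(1 if result else 0)
```

The same script runs unchanged on Unix and Windows, so the report can be produced on the internal endpoint and checked there.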
Waving to China:

    Oct 26 12:42:43 abaris sshd: User root from 18.104.22.168 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 12:43:22 abaris sshd: User root from 22.214.171.124 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 12:44:19 abaris sshd: User root from 126.96.36.199 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 16:10:09 abaris sshd: User root from 188.8.131.52 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 16:10:29 abaris sshd: User root from 184.108.40.206 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 16:11:19 abaris sshd: User root from 220.127.116.11 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 17:11:10 abaris sshd: User root from 18.104.22.168 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 17:11:41 abaris sshd: User root from 22.214.171.124 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 17:12:40 abaris sshd: User root from 126.96.36.199 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:02:41 abaris sshd: User root from 188.8.131.52 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:03:13 abaris sshd: User root from 184.108.40.206 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:03:55 abaris sshd: User root from 220.127.116.11 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:06:29 abaris sshd: User root from 18.104.22.168 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:06:59 abaris sshd: User root from 22.214.171.124 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:07:42 abaris sshd: User root from 126.96.36.199 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:54:45 abaris sshd: User root from 188.8.131.52 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:55:21 abaris sshd: User root from 184.108.40.206 not allowed because none of user's groups are listed in AllowGroups
    Oct 26 19:56:00 abaris sshd: User root from 220.127.116.11 not allowed because none of user's groups are listed in AllowGroups

I guess Shaoxing Dingqi Network Technology Co., Ltd. and WENZHOU GAOJIE TECHNOLOGY CO.LTD have a problem with intruders abusing their systems to attack third parties or they might just be very interested in attacking a certain class of systems.
: Nibble, nibble, little mouse, who is nibbling at my house?
The demolition of the #wentgebouw can be followed via http://www.projects.science.uu.nl/webcams/ which also has a timelapse.
Final part of demolishing a university building, taking out the floors and columns. Live webcam and timelapse video via url above.
This evening I tried working amateur satellites again. There was a nice ISS pass at 18:19 UTC and this time it was very easy to aim the antenna since the ISS was still illuminated by the sun so it was a bright spot in the sky. But no astronaut responded to my CQ call, not even when I remarked "I can see you!". I also looked up some more satellites that are one-way and this included the HO-68 amateur satellite. It transmits a CW (morse code) beacon and I tried to receive and decode it. Receiving works, but I can't decode morse by ear and fldigi tries but it doesn't look like valid HO-68 telemetry format as documented in the HO-68 page above.

Update 2014-10-22: I asked PA5ABW, a very experienced CW operator to listen to the recorded audio and he helped decode the transmission above into:

    BJ1SA XW XW AAA TTT AUE ETT TTT TTT TTT TTT TTT TTT TTT TTT XW XW

And noted the groups of three letters can also be 'shortened digits' and decode to:

    BJ1SA XW XW 111 000 121 100 000 000 000 000 000 000 000 000 XW XW

which as a telemetry report decodes to:

    CH1 PA Output RF Switch status: 111 PA2 works (beacon only)
    CH2 Transponder working status: 000 Beacon only
    CH3 Transponder temperature: 121 = +21 degrees
    CH4 Beacon RF Output Power: 100 = 100 mW
    CH5 and further: 000
: A fun week in information security:
- Affected accounts are published from the 'Hold Security' dataset
- A heavy patch tuesday (note IE in there)
- Oracle critical patches
- Poodle SSLv3 vulnerability
and I'm probably missing a few 'interesting' things.
: I'll try and see if I can answer some CQ's from /J stations in the Jota weekend.
A creative lie in today's spam:

    You are a member of this mailing list because you have been logged in at Du Cap SoWifi.

Apparently that wifi access asks for an e-mail address and someone entered one of my addresses there, so I get the junk.
: I made a recording of a pass of the SO-50 amateur satellite over Europe on 26 September 2014.
I noticed good operating procedures and a high number of completed QSO's. It almost sounded like some locator contest was going on.
When I compare this with the 'zoo' I heard in July, with CQ calls heard without any callsign... it is possible to have good operating procedures!
Still in the archives: another SO-50 pass recorded at 26 September 2014. Again good operating procedures, maybe some sort of locator contest was going on, since I heard several exchanges with in one go callsigns and locators. Callsigns heard: SV2KGA, S54LD, CT2GOY, S52LD, 9A3ST, SQ8RK, IW3RGK. And yes my definition of 'heard' includes listening to the announcements in the recording over and over, I did not understand them all when it happened.
: Thanks for another great video. It's a nice reminder that it is a good idea to prepare with repeater listings for a long roadtrip, especially when you'll be driving on your own.
I'm looking around the centre of Uithuizermeeden on Google Street View and suddenly I notice an antenna that looks a lot like an antenna for VHF II (FM broadcast band) use on a temporary mast. Only, according to the antenna register there is nothing at all at that spot, just a radio amateur across the street. It was probably a temporary setup that has since been removed.
This is really old-school: I see messages in the newsmaster mail from a newgroup/rmgroup war. Haven't seen that in

    email@example.com asks for christian.binaries.sermons to be created.
    If this is acceptable, type:
      /usr/lib/news/bin/ctlinnd newgroup christian.binaries.sermons y firstname.lastname@example.org

    And do not forget to update the corresponding description in your /var/lib/news/newsgroups file.

    The control message follows:
    ..
    For your newsgroups file:
    christian.binaries.sermons Christian sermons

    CHARTER: christian.binaries.sermons is a newsgroup for Christian sermons. The newsgroup and hierarchy will not be strictly moderated per se. Spam and heavy trolling is not permitted, however, and may be post-moderated after the fact. The christian top-level hierarchy does not follow the precise policies of the current free.* hierarchy. We do, however, share a similar vision of a relatively free and open hierarchy allowing almost anything created by virtually anyone, with few rules.

    JUSTIFICATION: Christianity being one of the world's largest religions, there are several Christian newsgroups in various hierarchies out there, but no established central structure that combines a variety of topics, and especially Christian binaries are fragmented in disjointed hierarchies throughout the Usenet. This newsgroup under the free.* mantle espouses the ideas of freedom, the liberty to create your own group, and allow relatively free posting with the exception of spam and heavy trolling. As Christian newsgroups are often trolled, this is a necessary evil for the hierarchy to thrive. In this new age of persecution and ostracization, the christian hierarchy is necessary to unite Christians worldwide and give them a digital home. There has been much discussion on the Usenet regarding the need for separate Christian groups, especially topic-specified binaries groups, which seem to be largely absent in terms of Christian media. The amount of Christian material found in any typical web search on this subject alone is sufficient justification for this group.

I'm not sure usenet binaries are the best way to reach christians today. The church I visit uses live-streaming with availability on a mobile 'app' and the archive is available via the church website.
: I enjoy psk31 on 10 meters. The choice of band is simply because that is what size dipole I could fit under the roof easily. The 10 meter band isn't always open so it is a bit of hit and miss but I have had nice openings allowing me to have contacts with Greece, Italy, USA, Slovenia, Romania and other countries. I have seen signals from Brazil and South Africa but never managed a full QSO.
In the previous weekend there was clearly an RTTY contest going on, but switching to that mode in fldigi and answering a few CQ TEST calls also worked for me. I uploaded the log: I'm not in it for the contesting but I do want the contesters to get their QSOs validated.
: Via a report of a "security breach" in the correct style of most of those articles.
It seems the Garmin GPS 18 LVC for timekeeping in the ntp server on ritchie.idefix.net is having weird issues. It stops responding with the carrier high and sometimes restarts.

    $GPGSA,A,1,,,,,,,,,,,,,,,*1E
    $GPGSV,3,1,11,01,00,098,00,02,57,048,00,24,00,210,00,25,47,265,00*77
    $GPGSV,3,2,11,26,05,15

On such a 'hang' the carrier detect is high. Weird problem.