News archive 2011 - Koos van den Hout

Browsing the tables for Digitenne at DTV monitor shows the transport stream 12 I noticed still listed. Pick one of the transport streams at the left, and open Tables, NIT-actual, Network ID 8720 (Digitenne). When I try the same on several of the muxes here I get no mention of TS 12 in the network information table. According to DTV monitor the analysis was done today, so some interesting things going on? My best guess is that DTV Monitor does the scanning from somewhere near Den Haag.

Iemand heeft een e-mail adres van mij bij een first-impressions site ingevuld en prompt is het raak: eerst een 'eenmalige bevestigingsmail' en vervolgens spam (ongewenste e-mail, dus de eenmalige bevestigingsmail was ook al een leugen) zonder enige verdere controle of het adres geldig is, over aanbiedingen ziektekostenverzekeringen van FBTO, Zilverenkruis en Zekur. En een poging tot afmelden heeft geen effect, de volgende dag komt er weer een spam specifiek over FBTO. Waarmee dus duidelijk is dat bedrijven als FBTO zaken doen met gewone spammers. Er is niet veel veranderd sinds de Nederlandse spampraktijken waar Karin Spaink in 2003 over schreef. De enige verandering is dat het percentage spam hoger geworden is. Wat vooral niet veranderd is: spammers liegen.

Klachtenmelding gedaan naar de provider, naar spamklacht.nl en naar FBTO. Bedrijven die zaken doen met spammers zijn ongewenst.

Update 2011-12-31: Nu zelfs casino spam via first impressions. Ze zijn wel heel diep gezakt daar.

So the Noxon DAB USB stick indeed showed up as a christmas present. I directly tried it in Zuid-Limburg the southern part of the country where I found several countries' DAB ensembles before. No such luck with the Noxon DAB USB stick and its own antenna. Searching for other experiences in English or Dutch found nothing, but searching in German for noxon dab usb kein empfang found DAB+ USB Stick Terratec Noxon which has several mentions of the accompanying antenna not being great for VHF band III and being susceptible to interference from the computer. I also had the Pure One Mini receiver with me which found most expected ensembles without a problem. The Deutschlandradio ensemble was missing this time.

Back at home I saw the same problem: on the top floor of the house where the Pure One Mini finds both the Publieke Omroep ensemble on 12C and MTVNL on 11A the Noxon DAB USB stick in default configuration finds nothing. Switching to the antenna I built myself for DVB-T scanning or to the Funke DSC310 antenna does give me both ensembles in the scan with good reception for 12C and good/average reception for 11A.

One tip in the above forum was to move the antenna away from the computer. I tried this with a long USB-cable and that helped a bit: the Publieke Omroep ensemble showed up.

So the accompanying antenna is bad, or the input sensitivity of the receiver in the stick isn't that great, or both. Which doesn't make it a great stick for trying to discover distant DAB ensembles just making it through. Or for bringing it along on trips.
Update 2011-12-29: Today I had the Pure One Mini playing a DAB station and booted the laptop and the reception completely stopped for a few seconds and returned with a drop in quality. Solution: move the radio away from the laptop. So VHF band III reception is quite susceptible to interference from computers.

I answer an e-mail from someone with an @bellsouth.net address, and I get the error message:

<<< 550-aa.bb.cc.dd blocked by ldap:ou=rblmx,dc=att,dc=net
<<< 550 Error - Blocked for abuse. See http://att.net/blocks
554 5.0.0 Service unavailable

But http://att.net/blocks is useless in finding out why att.net would think my IPv4 address is a spam source. The available options seem to be I am the responsible admin for this system and I did (x and y) to stop the well-known spamflood or I am an end-user and I will wait nicely for the admins to sort this out.

The second option does give an e-mail message after a while which is not very informational:

We are writing to let you know that we are blocking messages addressed to one of our customers at the domain bellsouth.net by one of your customers at domain kzdoos.xs4all.nl. The stream of messages coming from your system appears to consist mostly of unwanted commercial e-mail (UCE, or "spam"). To protect our system a nd to ensure that it operates well for all of our customers, we have decided to block all messages originating from your system.

Please consult your logs to see what might be causing this situation and how it can be fixed. Then visit http://rbl.att.net/block_inquiry.html to request a remo val of the block. Most requests for removal are honored within two days.

The specific error message received by your customer was: 550-aa.bb.cc.dd blocked by ldap:ou=rblmx,dc=att,dc=net

Thank you for your assistance in helping our respective customers communicate.

All I see in the logs with att.net / bellsouth.net is incoming spam.

So I will request a delisting with as reason 'no OUTGOING spam found in the logs'.

With DVB based television it is quite possible to temporarily add a service, given available bandwidth within the transport streams. Service BNN 101.TV is at the moment temporarily available in Digitenne as part of the Serious Request event. The capacity was used earlier for RTV Drenthe after the collapse of the transmitter tower at Hoogersmilde.

3FM Serious Request gratis voor KPN klanten op zender 101TV - KPN news stream (Dutch). The detail missed in this press release is that 101TV on DVB-T (Digitenne) is free-to-air.

Update 2011-12-29: The next event is now happening: Top2000 editie 2011 is on Radio 2 at the moment and Digitenne now has service Cultura24 with the accompanying live view of the radio studio. So I captured the logo since it is free-to-air.

A co-worker from years ago at Cetis sent me LinkedIn invites and I decided to give LinkedIn a go. People reading this who are on LinkedIn and want to 'add me to their professional network' are very welcome!

LinkedIn profile Koos van den Hout.

DAB ensembles worldwide pointed me to Muxx Inspector for decoding and interpreting the DAB datafiles from the Noxon DAB USB stick which shows exactly the kind of deep detail I want to know about the available DAB ensembles. Only in Windows at the moment, but I can boot the laptop into Windows from time to time if that allows me to play with the detailed information I want to get.

And I expect such a DAB USB stick for christmas so I'll be able to do my own scans and datadumps. And I could have a look into the fileformat myself so I can do my own interpretations.

And if you want to look at ensembles you can't receive at home / during your travels: a collection of dab scan files has already been set up. There I got the file used in the screenshot above, 2011-11_5C_DR-DEU_12D_NRW_12A_VRT_12B_RTBF_12C_PubliekeOmroep.dat and I really wonder what the location was of that scan as it includes both the Dutch Publieke Omroep ensemble and the RTBF ensemble. Probably somewhere between the transmitters Mierlo, the southernmost transmitter with 12C Publieke Omroep and Liège (Lüttich/Luik), the nearest transmitter with 12B RTBF.

Tried a few DVB-T service scans today in the rainy weather and unsurprisingly rain degrades the UHF reception. Even the Digitenne Flevoland multiplex wasn't always error-free enough to show in the scan.

DVB-T service scan for 2011-12-15.

At work we found a set APC AP7920 switched rack PDUs. A power distribution unit with a console / telnet / ssh / web interface. But they didn't accept the DHCP offers at work, I found out from the documentation they need a vendor specific dhcp option set. Which I can disable in the configuration, after I get access via the network (the serial access requires a special cable).

DHCP in homeserver greenblatt to the rescue. Added to the configuration of ISC DHCP server:

option apc-vendor-cookie code 43 = string;
option apc-vendor-cookie 01:04:31:41:50:43;

and the unit accepts the DHCP offer and I can switch that option off in the configuration. They are nice units, especially for far away server rooms. Including the option to delay power-on of each outlet to avoid high power surges and dependency problems.

Update 2012-01-01: Later I noticed a PC booting via PXE using the heavy duty boot environment was confused by the apc option being set for all devices. Better solution for the above:

option apc-vendor-cookie code 43 = string;

if substring (option vendor-class-identifier, 0, 3) = "APC" {
	option apc-vendor-cookie 01:04:31:41:50:43;
}

After starting with using rdnssd to use IPv6 resolvers on my laptop I sometimes note the following in the logs on the server:

Dec 14 17:55:24 greenblatt named[16213]: client fe80::21f:e1ff:fe45:2894%5#35985: query (cache) 'local/SOA/IN' denied

I guess my laptop uses link-local IPv6 addresses for the first few dns queries. Strange, because it only knows the address of the resolver because it has received a router announcement. The most logical explanation is that the system is still trying to detect duplicate addresses before actually assigning the global IP, but DNS traffic is already going out because some script in my browser is very anxious to fetch updates. Anyway, configuring the resolver to see fe80::/10 as a local network which is allowed to do queries does not help.

Amusing or a serious attack? IPv4 address 70.38.12.106 triggered the fail2ban thresholds with ssh attempts on both koos.idefix.net and abaris.idefix.net within minutes of each other, machines with quite different IPv4 addresses. Listings for this IPv4 address like DroneBL lookup for 70.38.12.106 make me think this system does more things like this.

Reader's Digest is met de tijd meegegaan: ze stoppen nu ook e-mail boxen vol met ongewenste rommel. En zijn niet te beroerd om te liegen over de herkomst van het e-mail adres:

U ontvangt deze email van Reader's Digest i.s.m. E2Ma op koos .. xs4all.nl, omdat u
zich bij Reader's Digest heeft ingeschreven.

Dat heb ik niet, iemand heeft dat e-mail adres ingevuld ergens bij Reader's Digest (of bij een ander bedrijf wat een bestand heeft verkocht aan Reader's Digest) en nu krijg ik als eigenaar van dat adres de spam van Reader's Digest omdat ze nooit gecontroleerd hebben of dat adres wel geldig is en spam van Reader's Digest wil ontvangen.

Zou ik nu vaak genoeg Reader's Digest genoemd hebben om een relevant zoekresultaat opgeleverd te hebben?

Update 2011-12-21: En het 'uitschrijven uit de verzendlijst' heeft niet geholpen, ik krijg weer spam van ze.

Update 2012-01-20: Stug volhouden: nogsteeds spam. Stug volhouden met spamklachten sturen, dus.

Google may be very careful with making their services available via IPv6, but internally they are going further already: Usenix: Google deploys IPv6 for internal network - ITWorld.

Google has learned that an IPv6 migration involves more than just updating the software and hardware. It also requires buy-in from management and staff, particularly administrators who already are juggling too many tasks. And, for early adopters, it requires a lot of work with vendors to get them to fix buggy and still-unfinished code.

The migration to IPv6 is not an L3 problem. It is more of an L7-9 problem: resources, vendor relation-ship/management, and organizational buy-in.

Paper: Deploying IPv6 in the Google Enterprise Network. Lessons learned. Haythum Babiker, Irena Nikolova, Kiran Kumar Chittimaneni.

The paper notes that a big problem with "IPv6 support" in networking devices means "support in software" which will cause CPU load at real usage. Some interesting bugs in IPv6 implementations were also showing, such as router announcement packets leaking from one wireless VLAN to the other. My best guess: a not-too-brilliant implementation of multicast.

Google also received the big vendor IPv6 lie:

When trying to talk to the ven-dors they were always saying - if there is a demand for IPv6 support at all, we’ve never heard it before.

That is what they tell every client with questions about IPv6.

Found via Google Deploys IPv6 For Internal Network - Slashdot.

Another weird thing recorded on the SIP honeypot: Something which to me sounds like a recording of a voice artist (or 'golden voice'). It was an attempt to use the server from a Palestinian IP to reach +1-404-260-5390, a US phone number for a conferencing system. The recording is attached: note that the audio is very choppy, probably due to packet-loss between the originator in Palestina and my server.

I haven't had to fight this behaviour yet, but I'm glad somebody did the searching and ranting already: Fear and Loathing in Debian/Ubuntu (or: who needs /etc/motd) on a blog appropriately named 'Blindly Accept the Defaults'.

Via @fanf: Who looked at /etc/motd on ubuntu and thought, HEY, I KNOW WHAT THIS NEEDS – SHELL SCRIPTS!?

It took a bit of searching but it is possible to send the Magic SysRq key for Linux kernels over an AdderView CatX IP kvm server. It took a bit of searching in the manual but I found the right way: send the keycodes Alt+Printscreen+s, Alt+Printscreen+u, Alt+Printscreen+b for sync, umount, boot.

The following packages will be upgraded:
  unattended-upgrades

Do you want to continue [Y/n]? 

I think I see a small inconsistency here!

I just rescanned the Network Information Table of Digitenne Mux 1 to see if the strange multiplex 12 being listed for digitenne 6 months ago still shows up. It doesn't, the whole transportstream 12 is gone from the NIT. Artefacts of some test by Digitenne?

Listed transport streams:

    Transport_stream_ID: 2211 (0x08a3)
    Transport_stream_ID: 2212 (0x08a4)
    Transport_stream_ID: 2213 (0x08a5)
    Transport_stream_ID: 2214 (0x08a6)
    Transport_stream_ID: 2244 (0x08c4)

DVB-T services scan for 2011-12-04.

Dear "you must renew your domain now! (and transfer it to us costing 7 times as much as your current registrar)" scammers: you could at least try and look at the expiry date and not ass-ume it is a year after the last modified date. This makes you look like an even bigger scammer/idiot than you already are.

In this case: domannual.com.

In de brievenbus vandaag: "Een kado van Ziggo", een chocolade afstandsbediening. Grappig, maar geen woord uitleg erbij. Een briefje met "voor onze trouwe klanten" had het net even wat duidelijker gemaakt en volgens mij wat meer aandacht opgelevert.
Update: het was een surprise! bij het weggooien van het doosje bleek de uitleg aan de binnenkant te zitten. Je kunt een reis naar Madrid winnen.

Prachtige 'gepersonaliseerde' spam naar een beheersaccount:

Hallo, usenet.
Wij vestigen uw aandacht op het feit dat u een onbetaalde rekening hebben.

Ik denk dat usenet wel meer onbetaalde rekeningen heeft. Maar de rekening heeft na uitpakken de bestandsnaam CommercialInfo.Doc____________________________________________________________________.exe dus daar geloof ik weinig van.

All the reading and thinking about DAB+ made me interested in doing DAB service scans like I scan DVB-T services. The DAB+ radio I bought does not show technical details of the found services. Something which can be hooked up to the linux laptop would be best: I could use an existing scan application to get the details I want and bring it along to interesting places (such as the very south of the Netherlands).

At the moment the Terratec Noxon DAB stick looks quite promising and cheap (less than 30 euros). But, no linux driver at the moment, although some work is being done: both someone on the linux kernel mailing list reports some progress and USB-Tuner für Digitalradio DAB+ (und DVB-T) - vdr-portal.de mentions a reply from the Frauenhofer institute that a Linux driver is being worked on: ich kann Ihnen aber versichern, dass hier gewerkelt wird und es in Zukunft Linux als auch Mac Unterstützung geben wird.

Like in July, attempts to reach Jawwal telecom mobile numbers in Palestina via an asterisk server. But this time with incoming audio, I hear kids in the background and some talking. Very garbled: lots of packet loss on the line and the audio clips. So somebody got a bit of a disappointment when this route for free calls wasn't working out.

Wardriving results 26 September - 27 November: 2529 new networks with GPS locations. Wardriving uncharted or less charted parts of the city delivers a lot more networks at the moment than bringing the wardrivebox along on trips over mostly known roads. I took the wardrivebox along on a trip to Den Haag today but it seems that city is almost completely covered by quite active wardrivers. WiGLE.net wardrive map Den Haag.

The Dutch public broadcasters have chosen clearly to invest in a DAB+ future but the Dutch commercial broadcasters are mainly concerned with not losing listeners. The association of Dutch commercial broadcasters predicts FM radio will be active for at least the next 20 years.

I guess this is a result of commercial broadcasters being in it for the money: big changes like DAB+ are only interesting to them when there is clearly a business case for it. A higher number of services is not necessarily a good thing: it dilutes the advertising market.

There is an upside for the commercial broadcasters: coverage on DAB+ will be easier eventually. But in those 20 years there will be overlapping coverage between FM and DAB+, and the first time a commercial radio station will advertise having better reception in a region via DAB+ is a long way away. DAB+ radios being standard in cars will help: drivetime radio is very important to commercial broadcasters.

Source article (in Dutch) 'Uitzenden via FM nog twintig jaar - Broadcastmagazine.
More (in Dutch) "DAB had 8 jaar geleden al moeten zijn gestart" - Radio.NL

Tried to upgrade the firmware on the pure one mini dab radio I bought a while ago. I needed a number of tips from PURE One Mini (War: Promo-DAB-Radios vom BR?) - mysnip.de Radioforum. It came with the 5.0_EU firmware, and I tried the 5.1_UK firmware first because I didn't see the 5.1_EU firmware via the english route on the pure support website. The above forum discussion links to the right version in german, which does have the 5.1_EU version. Next the 5.0_EU firmware didn't communicate with the radio. It took a bit of fiddling in windows to install the right usb driver from the 5.1_EU upgrader. After that the USB driver worked and allowed me to do the upgrade.

So my own misunderstandig of versions caused most of the problems, but now I am quite curious whether I get this right:

• UK version supports DAB
• EU version supports DAB and DAB+
• FR version supports DAB and DMB-A

DMB-A and DAB+ both have licensing, so I can imagine Pure selecting the right software for the right part of the world.

Lots of sites reporting that the Dutch public broadcasters (NPO, Nederlandse Publieke Omroep) have chosen for DAB+ and want a 97% coverage of the country by 2017. Plans include 20 DAB+ radio stations and up to 3 T-DMB video channels.

The fact that a switch to DAB+ is planned isn't new. The equipment was replaced at the beginning of this year to allow a switch to DAB+, according to Nieuw DAB-systeem voor Publieke Omroepen (radio.nl) Dutch. The planned amount of services is news.

Original publication: The Netherlands Public Broadcaster (NPO) commits to DAB+ - World DMB forum (pdf format).

Reports at

• NPO start aanbesteding DAB-zenderpark (radio.nl) in Dutch.
• Dutch Commitment to DAB+ (Radio World)
• NPO: Nederland gaat over naar DAB+ (dabtuners.nl) in Dutch.

Recently when showing some pictures on the pictures site Koos van den Hout I noticed that the browser Safari on the iPad actually uses the exif tag orientation. So pictures I took in rotated mode were rotated again by the browser. And the iPad is a bit too smart in this matter: trying to rotate the iPad 90 degrees makes the orientation sensor 'compensate' for this, so the pictures were still sideways.

Solution: clean out the orientation tags after rotating the pictures. And while looking at the exiftool script to do that, I had a look at the other tags in my pictures and noticed a load of information I'm not really wanting to share, such as the camera serial number. A sample of what I wanted was easily found at Removing "sensitive" meta data using ExifTool - underscan and I adopted this for my own scripts.

At the same time I did some updates to the copyright-statement text part so I can for example add a creative commons license statement or no text at all.

Recently we had to move our computer science server-room. Which was a project in itself, but as part of the move we had to move the 'time lab' to a different location because there is no antenna access in the new server-room.

That was the harder project. A new location had to be found, the antenna set up there, power and network made available. Antenna cabling wasn't the easiest part: N-connectors are hard to get right. As part of the move the IP of the public ntp server ntp.cs.uu.nl changed too: the load of requests has a noticeable influence on firewall performance. It's now behind a simpler firewall which does not attempt to keep state on ntp requests.

It's now up and running again, serving the correct time. Part of the NTP Pool, at the moment peaking at 445 requests per second.

If I ever need to use N-connectors for a transmitting antenna where actual power will cross the wires I will get help to get it connected to the cable. Getting that right is hard!

Now we have a child growing up, children's television is also something to look at. The program for young children in the Netherlands is Sesamstraat, the Dutch version of sesame street. But it's scheduled at times that we are still on our way home. The solution: connect the dvb-t stick to the server and record there, to be played on the netgear mediaplayer. I first looked at the linux video disc recorder and MythTv but both are a bit too much everything and the kitchen sink for just regularly recording a tv program to be played somewhere else. There are options for Headless VDR mode but as stated the software is optimized for tunerdevices and playing in one box, like a settop box with harddisk recorder.

I asked a bit around and got a good tip from Matt McLeod: a simple script around dvbstream to fetch the video and audio pid from the dvb stream and save the result. Originally dvbstream is designed to take dvbstreams and put them on a (multicast) network, but it can also save to file. I changed the script to use the right settings for the Dutch programs, and it works and the result plays nicely on the netgear eva mediaplayer. My version:

#!/usr/bin/perl

%nets = (
                'NL1', '-qam 64 -cr 1_2 -gi 4 -bw 8 -tm 8 -f 706000',
                'NL2', '-qam 64 -cr 1_2 -gi 4 -bw 8 -tm 8 -f 706000',
                'NL3', '-qam 64 -cr 1_2 -gi 4 -bw 8 -tm 8 -f 706000',
                );

%pids = (
                'NL1-sd', '7011 7012',
                'NL2-sd', '7021 7022' ,
                'NL3-sd', '7031 7032',
                );

$net = shift @ARGV;
$time = shift @ARGV;
$filename = shift @ARGV;
$type = "sd";

#print "$time, $net, $type\n";

$cmd = "dvbstream " . $nets{"$net"} . " -n $time -ps -o " . $pids{"$net-$type"};

system qq($cmd > "$filename");

A 2 minute testrun gave me a 42 megabyte file. If I have it correct, this is a program stream with the video and audio in mpeg-2 format. Which explains why it's quite big for the quality and amount of time recorded. If I want to keep stuff for longer, conversion to better formats will have to be done.

Update: It works as a VCR with a unix commandline interface:

koos@greenblatt:~$ at 17:25
warning: commands will be executed using /bin/sh
at> cd /scratch/sesamstraat
at> ~/webvcr/wvcrrec-nl.pl NL1 900 NL1-2011-11-22-sesamstraat.mpg
at> 
job 73 at Tue Nov 22 17:25:00 2011

Strong words from Lauren Weinstein: The Coming Fascist Internet.

But with the fullness of time, the phone companies, cable companies, governments, and politicians galore came to most intensely pay attention to the Internet, as did the entertainment industry behemoths and a broad range of other "intellectual property" interests.

Their individual concerns actually vary widely at the detailed level, but in a broader context their goals are very much singular in focus.

They want to control the Internet. They want to control it utterly, completely, in every technologically possible detail (and it seems in various technically impossible ways as well).

Strong words, and quite USA-centric, but developments to keep an eye on. I don't always agree with his opinions, but this one about commercial and political pressure to restrict the openness of Internet to further those commercial and political goals is something I want to point people at.

For the first time since we acquired a HP scanjet 3970 I tried to use it as a copier to avoid walking over to the supermarket and use the (bad) copiers there.

The 'copy' mode in xsane resulted in nothing happening with the laserjet 4050 printer. Next thing I tried was scanning to a .png and printing that from the gimp, but the result was that the printer was still processing the print job after more than an hour.

The solution was to install gimp-gutenprint. First I tried printing to the Epson Color 760 which printed instantly but took a while to finish the page. I had a look in the available drivers and gimp-gutenprint has native support for the HP laserjet 4050. Using this driver resulted in something in the right resolution coming out of the printer within half a minute of submitting the print job. I remembered from earlier attempts that configuring gimp-gutenprint might be a lot of work but since it was all configured in the home directories it still knew the right setup and it was easy to get working again.

Scanned DVB-T and '35 cm pirates' at the same time: no new results on either band. I tried the log-periodical antenna I built myself in horizontal polarisation, just a very faint signal in the wireless headset part of the TV channel in westerly direction but no radio stations.

When you look at the antennas in use like the ones show on the MayhemFM! website, it is imaginable I am not simply going to receive something unless a transmitter in the same region gets active.

Het werk aan het knooppunt Burgemeester de Withstraat / Dorpsstraat / Kapelseweg in de Bilt duurde van april 2011 tot zeker tijdens onze zomervakantie (in september 2011). Deze week zag ik al weer borden 'mijn slechtste fietspad'. Dat hebben ze vlot voor elkaar gekregen. Het tunneltje daar staat al tijden op die lijst: het is van zichzelf al smal en officieel is het ook nog een fietspad en een voetpad.

Interesting article from the Harvard Law and Policy Review volume 5-2: The Communications Crisis in America - Susan P. Crawford (pdf) about the current state of high-speed data transport to American consumers.

One quote:

The industry is poised to reap the central reward for geographical clustering, upgrades, and de facto monopoly presence - unconstrained pricing ability and an unmatched high-speed communications service in a marketplace where consumers are agitating for higherspeed communications and the cable companies are making north of 90% margins on their data services.

Found via Telecom Digest.

A very interesting read, making a valid point about the move towards IP based services and at the same time very little competition in high-speed last-mile access in the US with interesting connections between access providers and entertainment producers / distributors.

The Dutch market is somewhat better for as far as I know: most places with cable will have competition for 10 mbit downstream and faster Internet access, and regulators in this country are keeping a close eye on things.

Met de 'verbetering' van het regionale aanbod van Ziggo zijn we L1-TV kwijt.

Voor de grap eens uitgerekend hoe hoog een antenne moet zijn om kans te maken het 'dichtsbijzijnde' dvb-t signaal met L1-TV te ontvangen: 223 meter. De afstand tot de zendmast in Venlo is 110 kilometer (afstand uitgerekend met behulp van Google maps distance calculator), de zender zit op 143 meter boven NAP (volgens Overzicht dvb-t zenders Digitenne - radio-tv-nederland.nl), dus dan is wegens de kromming van de aarde er pas line-of-sight op 223 meter hoogte (uitgerekend met VHF/UHF TV Line of Sight Calculator).

Ik denk dat we er wel komen met de livestream van L1-TV via de website, voor die ene keer in de zoveel tijd dat we het ook echt willen zien.

After the presentation which used virtualbox I did the upgrade but I noticed last friday that remote desktop support wasn't working anymore (which I needed at that moment). I found out that 'VRDE' support (virtual remote desktop extension) is now part of the extension pack. VirtualBox asks for this extension pack once but you need to install it by hand.

Did the upgrade and installed the extension pack and now everything works again. I would have liked a bit more warning: the only thing warned about was that the extension pack was needed for USB support.

So now I can run VBoxHeadless again and portforward the remote desktop port over ssh. I'm not opening that port to the big bad internet: I see enough portscans for it.

I scanned digitenne dvb-t services and noticed something in the w_scan output:

        service = SkyRadio 101 FM (Digitenne)

Sky Radio really wants the FM broadcast allocation to be part of their brand. But if they wanted to be correct on Digitenne it would be:

SkyRadio transport stream 2305 frequency 818 MHz service 113 (0x71), PMT
0x46a, audiopid 1162.

.. but it wouldn't sound the same. Can't find the 'logical channel number' at the moment (the number a receiver listening to Digitenne would give the service).

Living one's life as performance art - Chris Jones on Google+.

Website for Hasan M. Elahi which is currently a bit slow, probably due to the New York Times article.

Volgens het laatste Ziggo Zie magazine komt er de optie "TV op bestelling" wat ze in de bijbehorende FAQ ook al gauw 'PPE' noemen, oftewel pay per event. Het papieren magazine bevatte ook een opmerking over een optie om kinderprogramma's op deze manier te bestellen, maar op de website zie ik alleen voetbalwedstrijden.

De conclusie is wel dat de infrastructuur voor conditional access wijzigingen bij Ziggo verbeterd moet zijn om dit soort diensten commercieel te bieden. Hoewel ik benieuwd ben hoeveel klanten ze aan kunnen. Maar als je 3 of meer wedstrijden per maand kijkt is gewoon altijd eredivisie live nemen handiger. En voor overtuigde voetbalhaters zoals ik is het alleen technisch interresant dat het kan.

Het is duidelijk een commerciele keuze: voor het snel in- en uitschakelen van keuzepakketten zoals ik had verwacht toen ik het 'kennis en nieuws' pakket bestelde wordt het juist niet ingezet.

I realized I never made the scripts available to fetch the carrier stats for the Speedtouch 546/546i modem. So I packaged them and made them available as part of the Generating Alcatel Speedtouch graphs micro-howto. I also updated the howto with information about ADSL2+ and the speedtouch 546i. The first serious update since I released the scripts for fetching the carrier stats from the speedtouch home in 2002.

Ik kom net een mooie virtuele foto-expositie tegen van Theo Peters over IJsland op hiking-site.nl. Prachtige beelden. Ik herken een aantal plekken direct zoals Landmannalaugar maar dat weerhoudt me er niet van zo weer een keer IJsland te willen bezoeken.

Read somewhere today:

Just got a support call to add some IPv6 addresses to one of our mail clusters, since a customer needed to mail one of their partners in China, who did not have MX in IPv4 space...

IPv4 address exhaustion is REAL. And it is happening now. You need IPv6 to talk to the entire Internet.

I heard about rdnssd today at the NLUUG meeting I attended. I gave it a try on my laptop. As an ubuntu package it uses the resolvconf package. I had to change the /etc/resolvconf/interface-order file to use the rdnssd results before the dhcpv4 answers:

# interface-order(5)
lo.inet*
lo.dnsmasq
lo.pdnsd
lo.!(pdns|pdns-recursor)
lo
000.rdnssd
tun*
tap*
hso*
eth*
ath*
wlan*
ppp*
*

And now I get the resulting /etc/resolv.conf I want:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 2001:980:14ca:42::694
nameserver 10.42.2.1
search idefix.net koos.koffie.dot

And resolver traffic goes over IPv6.

Update 2011-11-25: Trying the same on a workstation on the wired network doesn't give the right result:

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Yes, empty. No data from rdnssd and no data from dhclient. Back to the working config...

Vandaag naar de NLUUG najaarsconferentie 2011 "Networking: IPv6 en de rest.." geweest. Inspirerend, gehoord over IPv6 (nieuwe dingen geleerd over DHCPv6 en over IPv6 unique local adresses). Daarnaast bijgepraat over dnssec, waar ik ook weer eens tijd in moet steken.

Commented on Carriers Aim to Curb the 'Bill Shock' of Excessive Roaming, Data Charges | Gadget Lab | Wired.com

My comment about earlier forms of 'bill shock':

Just like the 'bill shock' on the first telephone bill after you got a modem. Or when discovering out of area BBSes, or Compuserve. History just repeats itself, but this time it is news.

All the feared mayhem with the timezone database lawsuit should calm now: the ICANN took over and the new home of the timezone database is at the IANA website. Source: ICANN rescues time zone database - The Register.

There is still a lawsuit in which Astrolabe looks quite stupid.

Visiting relatives in Zuid-Limburg I took the DAB+ radio with me to do a quick service scan. This location is interesting for radio coverage: it is a bit hilly country, there are very local radio stations for the servicemen at the local military bases and all the surrounding countries have their own transmitters. Flemish (vlaanderen), Walloon (Wallonie), German national, German regional (Northrein-Westfalen).

Services found:

1LIVE
1LIVE diggi
90elf Fußball
90elf Livespiell
90elf Livespiell2
90elf Livespiell3
90elf Livespiell4
90elf Livespiell5
Absolut Radio
BRF 1
Program information: Sie hoeren das BRF1-Programm in digital ueber das DAB-netz der RTBF
BRF 2
Program information: Sie hoeren das BRF2-Programm in digital ueber das DAB-netz der RTBF
Classic 21
Program information: Vous ecoutez Classic21 en numerique sur le reseau DAB de la RTBF
DAB+ Test A    <- rtbf
Program information: Tests en DAB+ Vos commentaires : radionumerique☭rtbf.be ou rnt☭csa.be
DAB+ Test B
Program information: Tests en DAB+ Vos commentaires : radionumerique☭rtbf.be ou rnt☭csa.be
DAB+ Test C
Program information: Tests en DAB+ Vos commentaires : radionumerique☭rtbf.be ou rnt☭csa.be
DAB+ Test D
Program information: Tests en DAB+ Vos commentaires : radionumerique☭rtbf.be ou rnt☭csa.be
Deutschlandfunk
DKultur
Domradio
Dradio DokDeb
DWissen
ENERGY
ERF Plus
FUNKHAUS EUROPA
KinderRadioKanal
KISS FM
Klara
Klara continuo
KLASSIK RADIO
La Premiere
LoungeFM
MNM
MNM hits
Musiq3
nieuws+
Pure FM
Radio 1
Radio 2
RADIO BOB!
Radio Horeb
Sporza
Studio Brussel
VERA
VivaBruxelles
WDR 2
WDR Event

Nothing special when I compare it to the DAB ensembles for Belgium, DAB ensembles for Germany and DAB ensembles for Nordrein-Westfalen. If I am correct I see the ensembles VRT DAB, RTBF DAB, DR Deutschland and Radio fuer NRW. The receiver sorts the found services by alphabet and I can't (yet) find technical details per service such as operator and frequency.

The ☭ sign in the program information above was originally an at-sign, but I don't want to cause extra noise in those mailboxes. I mailed a reception report for those DAB+ tests. Which failed to deliver: both addresses are bad. Which may say something about tests running on autopilot for long times.

BRF1 / BRF2 (Belgischer Rundfunk) are specific stations for the german speaking community in Belgium.

News about the passing away of Dennis Ritchie made me update the machine names at home page. A bit of history collected.

An interesting picture on top of the article Get Hacked, Don't Tell: Drone Base Didn't Report Virus - Wired Danger Room, with just an image credit to the US Air Force.

I am very sure it is a US air force member in a phone exchange somewhere in the world. He is working on the main distribution frame (Nederlands: hoofdverdeler) and those wires (Dutch: kruisdraad) connect the exchange equipment to the outside wires.

The relevance to the story is not very clear to me: the story is about computer networks, drones and a virus.

I tried to look up the picture on the Official Site of the U.S. Air Force - Photos but couldn't. Search terms I used like 'phone' or 'network' gave lots of nice pictures, but not that specific one. I know the picture is from that site: the local filename on the wired site http://www.wired.com/images_blogs/dangerroom/2011/10/110402-F-NW653-130.jpg can be found in the large size archives: http://www.af.mil/shared/media/photodb/photos/110402-F-NW653-130.jpg exists.

But I want to read the story behind that picture!

I did a traineeship with the Dutch phone company back in 1988 and spent some time in those distribution frames.

Update: Lazyweb Google+ helped: in response to me posting this to google+ : Wired used an US airforce stockphoto in the article Get Hacked, Don’t Tell: Drone Base Didn’t Report Virus Reinoud van Leeuwen found the source of the image in the story: Yokota Comm keeps interagency team connected during Operation Tomodachi - Yokota Air Base 7th picture.

The story:

YOKOTA AIR BASE, Japan -- Airman 1st Class Nicholas Leon, 374th Communications Squadron cyber transport technician, connects a new Defense Switched Network line at the 374th CS building, Yokota Air Base, Japan, April 2, 2011. Airman Leon helped install additional DSN lines for easy communication with units temporarily assigned to Yokota AB for Operation Tomodachi. (U.S. Air Force photo/Staff Sgt. Samuel Morse)

Kudos to Airman 1st Class Nicholas Leon of the 374th Communications Squadron.

Once, a long time ago, I chose request tracker by best practical. In implementing RT I found some bug in it. Since I have a history of finding 'interesting' bugs in corner cases of software use that was no complete surprise. When I reported it on the mailing list I had a suggested fix within half a day. Which fixed my problem, so I could report that back and the fix made it into the distribution.

Now I work in a situation where other people have chosen helpdesk workflow software. Which is now usable for me after some heavy cursing at it. It is web-based but the whole web interface gives me the feeling I am looking at the web implementation of a windows program interface.

This web-interface has a nasty problem recently: giving 'connection reset by peer' when I reload pages after a few days. I know the workaround: restart my browser (removing all session cookies does not help!). Which suggests to me it is some bug in the webserver or in the application. Reported to the local support, see how long it takes...

Update: After the weekend, the local support reported the webserver had certain problems and the was restarted...

Politiek witheet door Lektober, wil actie Donner - Webwereld

Het ict-beleid van de overheid moet echt verbeteren

"joh"

Arjan el Fassed (GroenLinks) wil ook een team. Maar dan een audit-team dat jaarlijks de ict-beveiliging van gemeenten test. Volgens El Fassed zijn de slecht beveiligde gemeentesites geen incidenten meer, maar een symptoom van gebrek aan controle op ict-veiligheid en privacy bij de overheid.

Juridisch goed onderbouwd werken bij de overheid is stoer. Met veilige en betrouwbare ICT werken die gegevens van burgers goed beschermd blijkbaar nog niet.

Slate magazine has reprinted the "Secrets of the Little Blue Box" article from 1971 which inspired Steve Jobs. The same Ron Rosenbaum now writing for Slate was the author of the 1971 esquire article, which can be found via Secrets of The Little Blue Box - The History of Phone Phreaking Blog where Phil Lapsley has a quality scan of the original.

It's still amazing to read about the original phreaking community and how technical knowledge spread before the worldwideweb.

Found via Slate Reprints Blue-Box Article That Inspired Jobs - slashdot.

Fokke en Sukke zijn veilig voor elke vorm van cybercrime.

An obsolete scanner found its way into our home, an HP scanjet 3970. Connect scanner to (Ubuntu) laptop, start xsane, searching for devices, found an hp scanjet 3970, ready to scan.

Where is the hardcore hacking nowadays! I know, lots of other stuff to hack left, especially when you want things to look different than what the designers/packagers thought would be great (I want my fvwm2).

Ok, I will admit I did do a search for 'linux hp scanjet 3970' before it got taken home. But this says something about how friendly modern open source software can be.

Grappig: bij het spelen met de google webmaster tools kwam ik dit artikel tegen: Voorlopers en geboorte van het (publieke) internet - Radoveden met verwijzingen naar de geschiedenis van BBS Koos z'n Doos.

Updated the Weather station Utrecht Overvecht page to give the latest measurements. In the background it changed from an rrdcgi page to a perl page so I could easily add those measurements.

Pepijn van webmenshirts is blijkbaar een zware en hardnekkige spammer die denkt dat beheeraccounts ook geinterreseerd zouden zijn in het ontvangen van de laatste html-bagger over de "herfstcollecue".

   Domain Name: WEBMENSHIRTS.COM
   Registrar: NORDNET
   Whois Server: whois.nordnet.net


Registrant:
        Philippo Patrick (NNR-p2hinv0) p2hinvestissement@orange.fr
                P2h Investissement
                57 Avenue D Enghien
                93800 Epinay Sur Seine
                FR
                Phone: +33.148411349

        Registrar....: Nordnet
        Web..........: http://www.nordnet.net
        Whois........: whois.nordnet.net

        Domain Name: webmenshirts.com

Maar ook gezien in dezelfde mail: web-manshirt.com, chemise-web.eu. Een websearch geeft me duidelijk het idee dat dit een hardnekkig geval is.

Interesting photo set: Devil's mountain: NSA's Abandoned Cold-War Listening Post | Threat Level | Wired.com.

Both a great set of pictures of 'urban decay' and a view into cold war history.

We cycled up Teufelsberg when we cycled through Germany in 2009. We did not get a view like in the pictures above because we didn't go through the heavy barbed wire fence.

Aam het item over de de hcc mediadag 1 oktober 2011 zijn nu mijn presentaties toegevoegd in openoffice en pdf formaat.

The planned presentation for hcc mediadag 1 oktober 2011 didn't go very smooth: I wanted to demonstrate virtualbox running at home with virtualbox over ssh. But screen performance (X11 over ssh) was unusable. After a few tries I gave up and tried it via VBoxHeadless and rdesktop via ssh portforwarding. Still bad performance. I switched to legacy IPv4 for the ssh portforwarding and that 'fixed' things: usable performance to show pxebooting working.

The different thing about IPv6 is that it's routed via an openvpn tunnel which introduces a bit extra latency and other overhead. Maybe something to investigate later.

I'm preparing a presentation on PXE booting for hcc mediadag 1 oktober 2011.

As I don't have much time to prepare I want to do the demo using the Heavy Duty Boot environment at home. I set up a not-installed virtual machine in VirtualBox and it only worked once, crashing ever since (the virtual machine crashing and powering down before the pxeboot was finished). A websearch came with the suggestion to disable the VT-x/AMD-V options for the virtual machine: #2536 (PXE Boot failure -> Fixed in SVN) - VirtualBox. Upgrading VirtualBox will probably fix this, but I'm not going to upgrade it one day before I use it in a presentation.

I also added a simple menu for the demonstration: this makes the inner workings easier to see than via vesamenu.c32. PXELinux Setup from Joseph Newman was the first sample I found on this. But the 'Heavy Duty Boot environment' is funnier and shows the full power of pxelinux.

I found simple FreeDOS images at FreeDOS: FDOS site which I could also add to the pxelinux menu. So I can boot FreeDOS and get a real A:\> prompt. On a virtual machine.

De phishers die ING gegevens willen hebben krijgen het nu voor elkaar om goed genoeg Nederlands te schrijven. En ze komen met een nieuw excuus dat gebruikers over moeten op inloggen met calculator:

Leeuwarden, 27/09/2010

Betreft: Inloggen met Calculator

Geachte Mijn ING gebruiker,
Vanwege de toename aan fraude op Mijn ING zijn wij genoodzaakt een systeemupdate uit te voeren.
Dit houd in dat u binnen enkele dagen per post een nieuw activeringscode voor Mijn ING zult
ontvangen.

Wilt u deze informatie via de beveiligde hyperlink hieronder invoeren, vervolgens zal ING
uw Mijn ING rekening activeren en een veilige overstap naar inloggen met calculator realiseren.

Nadat uw Mijn ING rekening is geactiveerd duurt het maximaal 10 werkdagen voordat uw
calculator binnen is.
Mocht u het binnen 5 werkdagen niet binnen hebben neem dan contact op met de
klantenservice van de ING bank.


Volg de volgende hyperlink: Inloggen Mijn ING

Trap hier niet in.

On Monday I got around to working on the weatherstation project again and I assembled the 'weather shed' I built and fixed it to the shed. It's painted white, it faces north, it is 1.5 meters above the ground level and it ventilates outside air. It's just not in a grassy field with lots of space in all directions, it's in our back yard.

The result: the Weather station Utrecht Overvecht now has 'real' numbers for the temperature and humidity (air pressure inside and outside the shed is the same). Comparing it to measurements inside the shed shows that there was quite some dampening of changes and a delay.

It's good to have something I've been working on for ages 'done'. It is partially done because I still need to develop the (low-power) computer for inside the shed.

Update: Pictures! Weatherstation set on Flickr by kvdhout.

Just noticed the linuxcounter moved and is being redesigned. The new url is http://linuxcounter.net/. I have added machines to the linux counter for years, with the last half year or so issues with the updates via mail.

I noticed this new activity due to a notification from the new linuxcounter that one of my systems was going inactive. A short explanation of the changes at linuxcounter in that message would have been helpful.

Wardriving results 20 August - 25 September: 968 new networks with GPS locations according to WiGLE. Lots of small testruns for the wardrivebox I was working on. During the holiday I was the first wardriver to put Garderen, the Netherlands on the WiGLE wardriving map.

Sommige dingen veranderen niet.. ze innoveren wel. Fraude met telefooncentrales blijft voorkomen en neemt zelfs weer toe volgens berichten van KPN: Telefooncentrales bedrijven vaker doelwit crimineel - nu.nl, Telefooncentrales vaker gekraakt - NOS Nieuws

Het staat niet in de artikelen, maar VoIP helpt vast met het mogelijk maken van deze fraude. En toegang van buiten tot de beheerinterface van een telefooncentrale moet goed afgeschermd zijn. Er zijn vast omgevingen waar dat nodig is, bijvoorbeeld voor beheer op afstand, maar zorg dan voor goede afscherming door middel van onder andere VPN. En 'standaard' wachtwoorden zijn natuurlijk al helemaal fout.

Zolang via systemen aangesloten aan het publieke telefoonnet er manieren zijn om of geld te verdienen (0900-nummers) of kosten naar anderen te verplaatsen (voor dure gesprekken naar het buitenland) is er een reden om te zoeken naar wegen voor 'toll fraud'. En met een groot genoeg aanbod van slachtoffers werkt het ook met de 'hit and run' aanpak: zoveel mogelijk geld binnenhalen in zo kort mogelijke tijd voor de volgende rekening komt en de route afgesloten wordt.

Ik zie een duidelijke toegevoegde waarde in snelle detectie van duidelijke onregelmatigheden: dagelijks de kosten in de gaten houden en bij grote afwijkingen direct alarm slaan. En als gegevens over de kosten niet direct dagelijks beschikbaar zijn is het in ieder geval verstandig om per dag de totalen minuten per categorie uit te rekenen en daar afwijkingen in te signaleren. Bij categorieën denk ik dan aan binnenland, west-europa+usa, rest van europa en verder daarbuiten. En de andere vraag is of in een bedrijf uberhaupt toegang tot dure 0900 nummers of verre buitenlanden nodig is, maar als er toegang verkregen is tot een beheersinterface is het natuurlijk een simpel kunstje om voor de frauduleuze gesprekken deze toestemming (weer) aan te zetten.

A real IPv6 portscan!

Sep 22 10:55:34 greenblatt kernel: [3664265.488791] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=52215 DPT=1025 WINDOW=12200 RES=0x00 SYN URGP=0 
Sep 22 10:55:34 greenblatt kernel: [3664265.488874] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=48673 DPT=445 WINDOW=12200 RES=0x00 SYN URGP=0 
Sep 22 10:55:34 greenblatt kernel: [3664265.500075] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=49612 DPT=3306 WINDOW=12200 RES=0x00 SYN URGP=0 
Sep 22 10:55:34 greenblatt kernel: [3664265.554699] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=44686 DPT=110 WINDOW=12200 RES=0x00 SYN URGP=0 
..
Sep 22 11:08:05 greenblatt kernel: [3664584.510834] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=47639 DPT=1801 WINDOW=12200 RES=0x00 SYN URGP=0 
Sep 22 11:08:07 greenblatt kernel: [3664581.057958] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=52005 DPT=301 WINDOW=12200 RES=0x00 SYN URGP=0 
Sep 22 11:08:07 greenblatt kernel: [3664581.078910] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=45484 DPT=7800 WINDOW=12200 RES=0x00 SYN URGP=0 
Sep 22 11:08:08 greenblatt kernel: [3664581.282670] FW reject: IN=ppp0 OUT= MAC= SRC=2001:0000:53aa:064c:3cf9:7720:bc59:4ca0 DST=2001:0980:14ca:0042:0000:0000:0000:0694 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=42826 DPT=27356 WINDOW=12200 RES=0x00 SYN URGP=0 

I wonder which portscanner would use teredo..

whois 2001:0000:53aa:064c:3cf9:7720:bc59:4ca0

Querying for the IPv4 endpoint 67.166.179.95 of a Teredo IPv6 address.

#
American Registry for Internet Numbers NET67 (NET-67-0-0-0-0) 67.0.0.0 - 67.255.255.255
Comcast Cable Communications, Inc. COMCAST (NET-67-160-0-0-1) 67.160.0.0 - 67.191.255.255
Comcast Cable Communications, Inc. CHESTERFIELD-13 (NET-67-166-160-0-1) 67.166.160.0 - 67.166.191.255

Sometimes I wish I could do things like this when I hear about certain security incidents: He Who Giveth - Not Always Right

"We can disable your account permanently and recommend disciplinary action against you."

"Ha! Well, go ahead. I don't care. You can't do anything to me. I've been here for years and I retire in two years anyway, so there!”

[..]

Me: "I’ve spoken to your manager. He said you can do your job without a computer for the next two years."

I am currently at a location where the wardriving box has a problem uploading files automatically: The holiday park network needs the client to click 'OK' somewhere. I did not expect that for wired networks. The script which uploads the wardriving logs to my server assumes the network will allow ssh access after dhcp / router discovery has finished. Pressing OK in a browser is a bit complicated for this script.

In this case I worked around it by changing the ethernet address of my laptop to the same as the one for the wardrivebox. But I can imagine situations where one needs to get the data from the wardrivebox to somewhere else without using networking options. The other wardriving box user suggested using usb storage. This will take some programming, mainly in detecting the addition of the USB stick and starting events when that happens.

ICT en de Nederlandse overheid gaan de laatste tijd erg slecht samen. Op zich niets nieuws voor de regelmatige lezers van onder andere Webwereld. Uit de gezamenlijke nederlandse hackerspaces is nu een brandbrief gekomen: zo kan het niet langer, besef van beveiliging moet echt doordringen. De ontwikkelaar op zijn of haar mooie ogen vertrouwen dat het 'gegarandeerd veilig' is duidelijk niet de goede keuze.

brandbrief van nationale hackergemeenschap inzake ICT-beveiliging overheid / brandbrief van nationale hackergemeenschap inzake ICT-beveiliging overheid (PDF) met onder andere:

De Nederlandse hackergemeenschap, vertegenwoordigd door de ondergetekende organisaties, maakt zich zorgen over de beveiliging van ICT-systemen van de Nederlandse overheid. Keer op keer zien wij hoe basale beveiligingsprincipes niet worden toegepast binnen bestaande en nieuwe ICT-systemen.

Recente voorbeelden zijn de kwestie rond Diginotar en de SSL-certificaten, de OV-chipkaart, het elektronisch patiëntendossier (EPD) en nog vele andere systemen en omgevingen. Wij hebben een omvangrijke lijst van voorbeelden van overheidssystemen die persoonsgegevens bevatten of persoonsgegevens vragen aan burgers waar de beveiliging niet op orde is.

Berichtgeving onder andere: Nederlandse hackers slaan alarm over digibete overheid - Webwereld.

Voor mij nieuws: er is een actieve hackerspace in Utrecht: Randomdata. Misschien, gegeven beschikbare tijd (hahaha) moet ik daar eens kennis mee maken.

Flying Wild Alaska, my opinion:

For me, it could do with less soap and more stunning Alaska images. But the whole reason I watch is those Alaska images, as I like Alaska the continent and planes are the way to get to some of the more remote parts.

The soap ("Oh no, the weather turned bad, now Era Alaska isn't making any money, visuals of planes on the ground and a sad look on the face of the owner" .. which I would call "normal risk of running this business, nothing new") could be less for me. But the stunning images of Alaska, the insight into the role planes have in day to day life in Alaska and the changes of the seasons make all up for this.

I hope they will make more seasons. Announcements on the discovery channel website look like they will.

I also hope for a 'how did we do this' episode. It's quite clear some interesting camerawork is done to create this series and I'd like for Discovery to have the honesty to do a bit about the setup, whether there is an extra film-crew plane flying to remote locations to get those landings and take-offs and whether the film crew gets a bit "Alaskan" too.

The Internet access offering in our holiday park is quite special:

RFC1918, collect the whole set:

traceroute to koos (xx.xx.xx.xx), 30 hops max, 60 byte packets
 1  firstspot.org (10.85.192.11)  15.912 ms  15.886 ms  15.858 ms
 2  172.16.0.1 (172.16.0.1)  16.633 ms  17.240 ms  17.866 ms
 3  192.168.1.254 (192.168.1.254)  90.759 ms  90.480 ms  90.225 ms
 4  nl-asd-dc2-ias-ard30.kpn.net (62.12.4.72)  34.213 ms  35.957 ms  37.628 ms

This suggests 3 layers of NAT, but I'm not sure. Network seen at a holiday park. 192.168.1.254 seems to be a thomson product (adsl router?), 172.16.0.1 some edimax router. Firstspot is a captive portal for wireless networks (although the network is used wired here): Firstspot captive portal.

Found: a not so subtle wardriving antenna. I am very sure my wife doesn't want me to do something like this to our car.

Doing some updates to the wardriving box documentation because of all the new things I learned while building a wardriving box for a friend. I may put the sources and scripts on-line for others to be able to play with them.

One learns a lot from trying to re-do something!

Dear all on-line shops using an external payment processor (such as paypal): when I finish the transaction and get redirected to the website again, it would be really nice when that page would list that fact very very clearly ("your order number NNNN was processed and payed for, we will now start delivery") and not be an exact copy of the welcome page of your site making me wonder whether you got the payment hint from the payment processor.

Laatste info over diginotar, het vertrouwen is definitief over bij Mozilla / Firefox: DigiNotar Removal Follow Up. Inclusief stoppen van vertrouwen in PKIoverheid. De PKIoverheid was apart van de chain of trust van Diginotar maar werd wel door Diginotar beheerd, en eerst was daar nogwel vertrouwen in maar dat is nu over.

Govcert bulletin: Overheid zegt vertrouwen in de certificaten van Diginotar op - Govcert.

Gevonden via Dutch CA banished for life from Chrome, Firefox / Game over for DigiNotar and its PKIoverheid fiefdom - The Register.

New version of self-service svn hosting software repocafe released. Showing (to me) that open source actually works: most improvements in this version are patches from users or based on feedback by users of repocafe.

Repocafe entry on freshmeat.

Met de nodige regen de afgelopen tijd was het niet geheel onverwacht: de adsl doet soms weer hik. Op zich is de snelheid redelijk stabiel, maar de error counters lopen prima op. Wat me (nu) wel opvalt is dat de margin en attenuation getallen ietsje beter lijken dan in het verleden. Volgens ADSL Noise Margin and Attenuation Numbers:

Noise Margin (AKA Signal to Noise Margin or Signal to Noise Ratio): Relative strength of the DSL signal to Noise ratio. The higher the number the better for this measurement.

Line Attenuation: Measure of how much the signal has degraded between the DSLAM and the modem. This is largely a function of the distance from the exchange. The lower the dB the better for this measurement.

Huidige waarden:

=>adsl info
Modemstate            :  up 
Operation Mode        :  G.992.5 Annex B
Channel Mode          :  interleaved 
Number of resets      :  60 

Vendor                              Local           Remote   
  Country             :               0f               b5 
  Vendor              :             TMMB             BDCM 
  VendorSpecific      :             0000             ff91 
  StandardRevisionNr  :               00               02 

                                  Downstream        Upstream 
Margin       [dB]     :             11.0             10.0 
Attenuation  [dB]     :             21.5             12.0 
OutputPower  [dBm]    :             21.0             12.5 

Available Bandwidth                 Cells/s           Kbit/s 
  Downstream          :            23596            10005 
  Upstream            :             2426             1029 


Transfer statistics
    Errors 
      Received FEC    :         1169962632 
      Received CRC    :         179399476 
      Received HEC    :           984669 
      Transmitted FEC :                0 
      Transmitted CRC :           150860 
      Transmitted HEC :           125204 

Jammer dat ik niet de 'attainable line rate' (maximum snelheid) er uit kan krijgen, dan zou ik kunnen zien of weer upgraden naar 16 megabit zin zou hebben. Of misschien dat een overstap naar VDSL zin heeft om 20/2 te krijgen.

Update 2012-05-05: Die update heeft geen zin: wat ik bij xs4all zie is dat ik 'tot 20/2' kan krijgen, maar de huidige snelheid is redelijk stabiel. Als er VDSL tot in de straatkast zou zijn zou ik ook wel 'tot 40/4' in het overzicht van mogelijke *dsl abonnementen staan. Volgens tweakdsl is de maximale snelheid op dit adres 14 megabit down en 1 megabit up. Toch jammer dat deze informatie makkelijker bij een andere provider dan xs4all te zien is.

Het valt me ineens op: bij vodafone zie ik niet meer de regio waar ik ben (netnummers) als cellbroadcast. Dat was natuurlijk al jaren en jaren niet echt commercieel nuttig meer omdat de abonnementen waarin dat uitmaakte uitgefaseerd waren maar ik vond het altijd wel grappig. Het was wel leuk om te zien en heel soms nuttig omdat je kon zien of je soms veel van 'mast' aan het wisselen was of op een mast ver weg zat.

Great pictures and videos of lightning striking (or moving up from ..) transmitter towers and other tall structures. Showing that lightning can strike twice in the same spot in the same thunderstorm. Or even 11 times in the same thunderstorm striking the WKYT / WTVQ towers in Lexington, Kentucky. Great stuff with lots of attention to detail and great stories behind the making of the pictures and videos by Dan Robinson.

Posted on the tx-list in a discussion about lightning safety in transmitter towers.

Het valse beveiligingscertificaat voor *.google.com wat zeer waarschijnlijk gebruikt werd voor het afluisteren van gmail verkeer door de overheid in Iran is dus een Diginotar certificaat.

Berichtgeving via onder andere Iran kan Gmail aftappen door Nederlands certificaat - webwereld en Overheidsites gedupeerd na aftappen Gmail - nu.nl. Hoe een 'via inbraak in een computersysteem verkregen' certificaat eindigt in een server bij een ISP in Iran die alle verkeer daarlangs omleid is iets wat vast onder andere de AIVD zich afvraagt.

Een detail wat mij opvalt is dat het valse certificaat de X509v3 Subject Alternative Name verkeerd gebruikt:

            X509v3 Subject Alternative Name:
                email:admin@google.com

In het goede (.. hoop ik) certificaat is dat:

            X509v3 Subject Alternative Name: 
                DNS:*.google.com, DNS:google.com, DNS:*.atggl.com, DNS:*.youtube.com, DNS:youtube.com, DNS:*.ytimg.com, DNS:*.google.com.br, DNS:*.google.co.in, DNS:*.google.es, DNS:*.google.co.uk, DNS:*.google.ca, DNS:*.google.fr, DNS:*.google.pt, DNS:*.google.it, DNS:*.google.de, DNS:*.google.cl, DNS:*.google.pl, DNS:*.google.nl, DNS:*.google.com.au, DNS:*.google.co.jp, DNS:*.google.hu, DNS:*.google.com.mx, DNS:*.google.com.ar, DNS:*.google.com.co, DNS:*.google.com.vn, DNS:*.google.com.tr, DNS:*.android.com, DNS:*.googlecommerce.com

Maar wat natuurlijk verifieerbaar moet zijn, de key identifier. Van het foute certificaat:

            X509v3 Subject Key Identifier:
                07:4A:7D:16:27:32:28:D1:E3:01:31:05:0D:B0:CA:8D:E9:E1:7F:ED

En het goede certificaat:

            X509v3 Subject Key Identifier: 
                72:1F:13:DF:BF:E2:E7:9B:62:A0:89:DE:F6:8D:AD:E9:3A:CC:CC:B2

vanaf meerdere plekken krijg ik dezelfde fingerprint.

Nu nog het duidelijk publiceren van deze fingerprints, ook van bijvoorbeeld mijn.ing.nl:

            X509v3 Subject Key Identifier: 
                CC:14:12:CD:FA:A1:54:57:75:AA:69:8E:03:11:57:95:DF:0D:86:A6

Het is eigenlijk best eng dat een google search op deze string maar 2 hits geeft. Waarom staat deze informatie niet onder elk bankafschrift van de ING?

Update: Nu vermakelijk: de Koninklijke Notariële Broederschap was blijkbaar niet blij met de uitleg over een "Notary" bij de uitleg van Jacco de Leeuw over certificaten en wenste een disclaimer. Omhoog scrollen voor een goede uitleg over certificaten.

Vandaag e-mail van de Gall & Gall: blijkbaar heeft iemand in de winkel bij het kopen van een Gall & Gall kaart een e-mail adres van mij opgegeven en krijg ik nu de bijbehorende "informatie". In de welkomst e-mail staat ook het kaartnummer, wat tezamen met het e-mail adres voldoende is om op de Gall & Gall kaart gegevens site in te loggen, waar ik kan zien wat de verdere gegevens zijn die degene die de kaart heeft aangevraagd heeft ingevoerd. Leuke gegevens voor wat social engineering ... ("Ik bel namens Gall & Gall met een enquete.."). Spammen en slecht omgaan met persoonsgegevens passen wel bij elkaar.

Ik heb maar even het e-mail adres aangepast naar een abuse-adres passend bij de hosting van gall.nl.

Lots more interesting stuff on the F-secure weblog, such as Analysis of MBR File System Infector - F-secure weblog. This article has helped me understand the whole deal about the Torpig/Mebroot infection which I hear about at work.

A real Internet worm attack active again, giving me lots of tcp/3389 attempts in the firewall logs.

Aug 28 10:49:54 greenblatt kernel: [2779836.731355] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18577 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 28 10:49:54 greenblatt kernel: [2779836.932856] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18701 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 28 11:11:33 greenblatt kernel: [2780369.772706] FW reject: IN=ppp0 OUT= MAC= SRC=184.22.73.103 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0 
Aug 28 15:37:32 greenblatt kernel: [2786904.189671] FW reject: IN=ppp0 OUT= MAC= SRC=60.190.1.15 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=6587 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0 

Described in detail at Windows Remote Desktop worm "Morto" spreading - F-secure weblog.

Found via Worm spreading via RDP - The Register.

This evening I hooked up the radio scanner to the UHF TV antenna to see if using that might get me one of those '35 cm pirates' which should be active in the 856 - 862 MHz and 865 - 868 MHz ranges which is UHF TV channel 69/70. So the preamp should work.

IEC-169-2 connector, picture by Colin from Wikimedia commons (CC-BY-SA license)

It took a bit of searching through the junkbox to find parts for a cable to get from the output of the UHF TV antenna (through the power inserter) which is a Belling-Lee connector (as shown in the picture) to the input of the scanner which is a BNC connector.

My guess is these transmitters would be active on a Sunday evening. But, the only thing I heard in wide FM mode was a wireless headset.

Wardriving results 6 May - 19 August 2011: 5820 new networks with GPS locations according to WiGLE.

I like having a look at The Onion and the last few days I keep running into their 'experimental' paywall. According to statements by Michael Greer, the Onion’s chief technology officer at The Onion's CTO: Our paywall experiment is just that - Nieman Journalism Lab most visitors should never notice it:

the vast majority of Onion’s readers — the thousands of people who share funny headlines with their friends — “will never even notice,”

I guess I read 'too much' The Onion because I noticed. Oh well, too bad, The Onion is funny, but not $29.95/year funny.

It's too tempting not to try it when William Hepburn's Worldwide Tropospheric Ducting Forecasts for Northwest Europe show interesting conditions: going to the top floor of the house and doing a DVB-T service scan. But no real 'DX' reception. At the same time I let the DAB+ receiver do a service scan and it found the T-DMB / DAB service on 216.93 MHz (VHF broadcast 11A) from Hilversum. The only working service (for me) is the 3FM radio station: The pure one mini receiver has no DMB support at the moment and points me at www.pure.com/upgrade. Where I don't see the option to buy the DMB license code.

Commentaar achtergelaten voor stichting DigiRadio:

Ik heb recent zelf gewinkeld voor een DAB/DAB+ ontvanger. Eigenlijk wilde ik er ook een met L-band support om echt 'toekomstvast' te zijn maar toch kwam ik uiteindelijk terecht bij een pure one mini die dat niet ondersteund. Bij contact met pure hierover (of ze in ieder geval hun informatie zouden willen verbeteren) kreeg ik (ook) als antwoord dat L-band ondersteuning bij hun eigenlijk uitgefaseerd wordt. Andere aanbieders lijken ook weinig L-band ondersteuning te hebben als je als potentieel koper goed zoekt (bijvoorbeeld de Sagean radio's via Conrad.nl hebben ook allemaal geen L-band support).

Als de L-band de toekomstige plek is van lokale radio zal de slechte ondersteuning in ontvangers zorgen dat de overstap daarvoor nog problematischer is dan nu al optreed met de aankomende overstap van de commerciële radio zenders.

Rondbladeren in het aanbod op sites waar het gegeven of L-band ondersteuning aanwezig is wel te vinden is zoals digicomparison DAB+ and DMB Radio (DMB-A) Radios laat zien dat L-band ondersteuning vaker niet dan wel voorkomt in het huidige aanbod.

Update: De stichting DigiRadio is het met me eens, en de invoering van programma's in de L-band is vertraagd. Dus geen vraag naar L-band ontvangers want geen content.

Vanmorgen deed het ineens 'klik' en toen zaten we in een verdachte stilte op het werk, zonder computers en kamerverlichting. Grote stroomstoring. Dan is er weinig over om te doen behalve eens rustig buiten gaan staan kijken of iemand weet wat er aan de hand is en of het nog lang gaat duren. Uiteindelijk was de storing van 10:15 tot 13:26 volgens Stedin op twitter. Opvallend is dat die twitter feed informatiever is dan de officiele storingen pagina van stedin waar je ook nog eens niet kan deeplinken naar de versie voor Utrecht.

Een ontruiming was bij ons niet nodig omdat we in een gebouw zitten zonder enge dingen zoals zuurkasten die zonder ventilatie een gevaar voor de omgeving gaan vormen.

Berichtgeving:

• Stroomstoring legt deel Uithof plat - www.dub.uu.nl
• Ontruiming Universiteit Utrecht na storing - www.nu.nl

The printer at home is multifunctional: it can have duplexer jams, manual feed jams and general paper jams. Maybe I should create an alias aperjam for the printqueue so I can enter:

$ lpr -Paperjam

and have the right expectations.

In een interresante combinatie van spooknota en IPv6: Spooknota’s voor IPV6Register. Het lijkt er op dat je uiteindelijk betaalt om een informatiesite over IPv6 te mogen bezoeken.

Bij het testen van de nieuwe wardrivebox kom ik onderstaande netwerk tegen. Dit toont gelijk aan waarom een 'hidden SSID' niet werkt, binnen 10 seconden is de link tussen probe en hidden ssid gemaakt.

Sun Aug 14 18:23:22 2011 Found new probed network "Ga_zelf_internet_halen" bssid 00:22:69:xx:xx:xx
Sun Aug 14 18:23:32 2011 Found new network "<no ssid>" bssid 00:0C:F6:xx:xx:xx Crypt Y Ch 0 @ 0.00 mbit
Sun Aug 14 18:23:32 2011 Associated probe network "00:22:69:xx:xx:xx" with "00:0C:F6:xx:xx:xx" via data.

Maar naast deze omschrijving is de security ook WPA2, dus je kunt het niet zomaar misbruiken.

A friend asked me to help him get his own wardrivingbox going. I had a harder time doing this than expected, so I decided to retrace the steps.

He had installed ubuntu 11.04 on it from usb stick. This wouldn't boot, the grub setup was al wrong. Fixing the grub setup still left it non-booting.

This time I had the Heavy Duty Boot Environment available to help me, since the alix.1c / alix.1d boards are quite capable of PXE booting. This didn't turn everything into a simple install-party as the via_rhine drivers in anything but the most recent linux distro give issues. So the complete pxe load via network works fine but after that the network drivers don't work, making it impossible to do an OS installation which I can reproduce.

A very weird keyboard in my Xorg startup log:

(II) config/udev: Adding input device Burr-Brown from TI               USB Audio CODEC  (/dev/input/event4)
(**) Burr-Brown from TI               USB Audio CODEC : Applying InputClass "evdev keyboard catchall"
(**) Burr-Brown from TI               USB Audio CODEC : always reports core events
(**) Burr-Brown from TI               USB Audio CODEC : Device: "/dev/input/event4"
(II) Burr-Brown from TI               USB Audio CODEC : Found keys
(II) Burr-Brown from TI               USB Audio CODEC : Configuring as keyboard
(II) XINPUT: Adding extended input device "Burr-Brown from TI               USB Audio CODEC " (type: KEYBOARD)

It is an input device (of the audio kind) but I wouldn't call it a keyboard in any shape or form.

Still going on a whole week after I first noticed the weird traffic:

[2230749.018713] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:9062:b89e:e90e:5a07 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=60425 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[2230751.519582] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:9062:b89e:e90e:5a07 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=60425 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[2230782.825706] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:9062:b89e:e90e:5a07 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=60430 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 
[2230795.672690] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:9062:b89e:e90e:5a07 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=60433 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[2230796.876014] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:9062:b89e:e90e:5a07 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=60433 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[2230800.794671] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:9062:b89e:e90e:5a07 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=60433 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 

Still 6to4 behind the same IPv4 address 93.188.145.225 which is funny: according to whois it is a Wimax address range, which would usually mean somewhat dynamic addresses. The variation in IPv6 source address is due to the IPv6 privacy extensions in use.

Bijzondere ergernis met TNT post: we kregen vandaag een pakketje en we waren niet thuis. Kan gebeuren op zich. Omdat er getekend moet worden voor ontvangst is het ook niet bij de buren afgeleverd. Vervolgens staat er op het afhaalbericht dat het afgehaald moet worden op een 'afhaalpunt' niet al te dichtbij en dat op www.tntpostpakketservice.nl de openingstijden van het afhaalpunt te vinden zijn.

Helaas. Ik heb flink door de site gezocht maar nergens kan ik iets vinden over afhaalpunten en openingstijden ervan.

Gelukkig krijg ik als suggestie bij zoeken op de website al de optie 'Klacht' en bij Overige klachten PostNL is de website een van de voorkeuzes.

I'm browsing offerings of DAB radio tuners. Not because a lot of radio services are available already, but I am interested in transmission technology and somebody has to be the first.

Currently I should be able to receive the public radio stations and a thematic station (Radio Top 2000) according to T-DAB netwerk van de Publieke Omroep. Frequencies have been allocated for the commercial radio stations and they will use DAB+ according to T-DAB+ netwerk van de publiek regionale, de landelijke en niet-landelijke commerciele omroepen

There is not a lot on offer. Nothing in the physical shops I see, some offerings in webshops. But technical details are really sparse in the webshops. A simple detail like 'DAB+ support' which is needed to be a bit future-proof, or which frequencies can be received. Licenses have been given out in the Netherlands for Band III VHF (174-240 MHz) and L band (1452-1492 MHz). There is a frequency allocation for local radio stations in the L-band, but it will take years before anything happens there. If I invest any money in this experiment, I want it to be future-proof.

I looked at the following:

• Acoustic Solutions SP111 DAB FM Tuner met RDS on marktplaats. Searching and searching for specs finds Acoustic Solutions SP 111 DAB / FM Tuner which lists the bands received, but I miss DAB+ support. Which seems to be the issue with most second-hand equipment.
• Sangean DAB radio draagbaar DPR 99 conrad which has DAB+ but only Band III support.

Lots of information about DAB at Digital Audio Broadcasting - Wikipedia

Ideal would be to have an interface for my laptop to receive DAB/DAB+ metadata and audio so I can scan services even at other locations, but there is nothing available at the moment. It seems the hardware developed for DAB receiving and monitoring hardware with Linux support has been discontinued.

Maybe I need to get involved with Hx2 radio and work to add a DAB transmitter for the next hacker conference in the Netherlands on an 'event' and/or 'experimental' license. There is a complete toolchain for generating DAB/DAB+ radio streams using Linux at Open digital radio. Funny: transmitting DAB+ with Linux is easier than receiving it.

Update: Carefully browsing the manuals for all the products in the DAB-radio's category at conrad.nl shows me none of them supports L-band DAB. I predict L-band local radio (for which there is a frequency allotment, see L-band planning lokale omroep - radio-tv-nederland.nl) will have a very difficult start when most receivers can't receive them.

Update 2011-08-15: Browsing some on-line sellers found the answer for a simple DAB/DAB+ and Band III / L-Band capable DAB radio: The Pure One Mini. But in order to buy it with the right powerplug and the right firmware I had to shop via Germany. Simple solution ... Pure One Mini Tragbares Radio (DAB/DAB+/UKW-Tuner, 1,6 Watt RMS) schwarz - Amazon.de.

Update: And now I discover there is a Dutch webshop which offers DAB+ radio's, including Pure models. For the next person looking: De radiowinkel.

Update 2011-08-16: No the Pure One Mini is NOT L-band capable. I thought I checked thoroughly, but I guess I assumed something wrong.

Update 2011-08-18: I asked Pure technical support about making the listings clearer for L-band support. The answer is that L-band support is being phased out, but radios sold to countries where L-band is in use will support it. Too bad there is no Pure Netherlands website (yet).

Following the mp3 stream from Hx2 radio Hackerspaces signal from the Chaos communications congress and I suddenly notice something:

$ host broadcast.sonologic.net
broadcast.sonologic.net has address 82.94.245.7
broadcast.sonologic.net has IPv6 address 2001:888:2156::2:2:9

All available via IPv6.

And again the English 'news' paper The Sun doesn't think facts should get in the way of a story: Internet is 20 years old today - thesun

TODAY is the 20th anniversary of the invention of the internet by British scientist Sir Tim Berners-Lee.

He came up with the idea in a research paper on March 13, 1989.

Sir Tim gave it to his boss at the CERN nuclear research centre, who called it "vague but exciting".

The first website was built at the lab in Switzerland and went online in 1991.

Even one of the comments beneath the story mentions the error.

Lots of weird firewall log entries the last hours:

Aug  5 20:14:29 greenblatt kernel: [1979778.811312] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:f018:413b:114c:558e DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=57475 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
Aug  5 20:14:32 greenblatt kernel: [1979780.010928] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:f018:413b:114c:558e DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=57475 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
Aug  5 20:14:38 greenblatt kernel: [1979782.469487] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:f018:413b:114c:558e DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=57475 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
Aug  5 20:15:48 greenblatt kernel: [1979814.822653] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:f018:413b:114c:558e DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=57480 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
Aug  5 20:15:51 greenblatt kernel: [1979816.011978] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:f018:413b:114c:558e DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=72 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=57480 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
Aug  5 20:15:57 greenblatt kernel: [1979818.396778] FW reject: IN=ppp0 OUT= MAC= SRC=2002:5dbc:91e1:0009:f018:413b:114c:558e DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=57480 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 

Those addresses are the 6to4 range with 93.188.145.225 as IPv4 source. But I can't find any mention of the IPv6 range or that IPv4 address in any logs. And I wouldn't know why some machine would try to access smb services on idefix.net from the outside.

I was digging in apache 2.2 to see if SSLRequireSSL would enable me to make sure locations within the webserver that require passwords would always use SSL without having to duplicate the entire vhost config. And I found a working setup which allows me to give those locations once. On the port 80 server is the specific config:

<VirtualHost *>
        ServerName octagone.idefix.net
        ErrorLog /home/httpd/octagone/logs/error_log
CustomLog /home/httpd/octagone/logs/access_log combined

        AddHandler cgi-script .cgi
        ErrorDocument 403 /youwanthttps.cgi

        Include special/octagone
</VirtualHost>

And on the port 443 server:

<VirtualHost *:443>
        ServerName octagone.idefix.net
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        ErrorLog /home/httpd/octagone/logs/ssl_error.log
        TransferLog /home/httpd/octagone/logs/ssl_access_log

        Include special/octagone
</VirtualHost>

The shared bit:

        DocumentRoot /home/httpd/octagone/html

        <Directory /home/httpd/octagone/html>
                Options Indexes ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all
                IndexOptions FancyIndexing
        </Directory>

        <Location /test>
                AuthName "Koos z'n Doos beheer"
                AuthType basic
                AuthUserFile /home/httpd/data/sitemanagers
                AuthGroupFile /dev/null
                Require valid-user
                Satisfy All
                SSLRequireSSL
        </Location>

Now an access to http://octagone.idefix.net/test/ will throw a 403 error. I created a simple youwanthttps.cgi which changes this to a temporary redirect to the https equivalent:

#!/usr/bin/perl -wT

use strict;

use CGI qw/:standard/;

my $query = new CGI;

my $redir='https://octagone.idefix.net'.$ENV{"REQUEST_URI"};

print $query->header( -type => 'text/html', -status=> 302, charset=> 'UTF-8', -location=> $redir );

print <<EOF

Go <a href="$redir">here</a>.

EOF
;

The downsides are:

• Other reasons for a 403 error will also see the redirect. But they will get the 'original' 403 error on the https side again.
• This does not mix with Satisfy Any which you use for example because you want a restricted IP or a username/password because then SSL will just be one of the constraints to satisfy.

The other option is to change the 401 (authentication required) handler to do the redirect. I'm also testing that. That would combine better with the Satisfy Any directive which is used in some places in the webserver where I want to implement this.

Ok, this works too. One slight downside to this approach: when the client still has the username/password cached, it will present those and the server will never use its 401 handler. But those sessions will die out soon anyway.

In the end I configured the server with the '401 handler' trick. One upside: I did not need to sprinkle SSLRequireSSL statements, so even the restricted content with address check or username/password check continue to work.

From the latest blackhat conference: Flying Drone Can Crack Wi-Fi Networks, Snoop On Cell Phones - Andy Greenberg - The Firewall - Forbes magazine. A bit of a sensationalist article, but the flying platform makes a lot possible and the described attacks on wifi and GSM are not new.

DIY Spy Drone Sniffs Wi-Fi, Intercepts Phone Calls - Threat level - Wired is less sensationalist and a better description. And the latest is at the Rabbit-Hole - DIY UAVs for Cyber Warfare – Wireless Aerial Surveillance Platform where the makers of this plane tell about their progress.

I would not mind having a plane like this flying around with an airborne version of the wardriving box. More a 'warflying box'. There is some mention of running kismet on the W.A.S.P.

For as far as I can find 'serious' model plane flying in the Netherlands requires some training and having a view of the plane, which a drone like the one above doesn't have. If you ask model airplane clubs you have to be a member to be allowed to fly a model airplane at all, but opinions outside those clubs are that light planes are permitted (up to a certain height) with permission of the owner of the land where you take of and land.
Update 2011-08-06: An interesting related story: Murdoch accused of operating illegal US air force with

The Daily may be in breach of FAA regs regarding "operations of unmanned aircraft in the National Airspace System". As Forbes notes, the FAA requires wannabe drone pilots to have an airworthiness certificate for their "Unmanned Aircraft System" (UAS) and an "experimental certificate" which limits them to "research and development, marketing surveys, or crew training".

Reading the referenced article FAA Looks Into News Corp's Daily Drone, Raising Questions About Who Gets To Fly Drones in The U.S. notes the huge difference between hobby and commercial use:

Hobbyists are basically free to use drones as long as they keep them under 400 feet. At this point, civil and commercial use of drones is only allowed for research and development purposes. “Not for compensation or hire” says one FAA notice. To get government permission to use a drone (for non-hobby purposes), a private entity has to jump through hoops including getting an airworthiness certificate — meaning the thing is safe to fly — and an experimental certificate, approving the planned use of the unmanned system (uses are currently limited to research and development, marketing surveys, or crew training).

So Murdoch papers can have wet dreams about using something like the W.A.S.P. for news reporting but will find heavy resistance.

Sometimes just trying to post a simple comment on a website can lead to a programming project (just another one for the long long todo-list). I tried to post a comment on a blogspot.com blog and the option I wanted to use is OpenID for which I have set up phpMyID in the past. But this gave interesting errors from phpMyID:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/koos/public_html/MyID/MyID.php on line 1145

With debugging on, it seems the openid_assoc_handle is used as a session identifier to remove, which is (to me) weird. As the phpMyID page says, development is stopped so this error will probably not be fixed. I may have triggered it by previewing my comment a number of times.

The next option was to respond 'with a google account' but that actually means 'with the google blogspot identity' which links for me to http://www.blogger.com/profile/13366290473700859526 which tells absolutely nothing since I don't use blogspot. I added a link to my homepage since that's where stuff really gathers.

In the long run, I'll have to run a better OpenID provider. No I am not going to use some on-line provider, I want the OpenID url to stay http://idefix.net/.

De fraudeurs die nog 'money mules' zoeken om hun gestolen geld te verplaatsen weten niet helemaal zeker wat money mule werk nu precies oplevert:

0-2h@semblog.com      extra inkomen € 2924 per maand
0-carlm@accomline.com extra inkomen € 2.310 per maand
0-1939-4789choopan@cmg.co.th extra inkomen € 2943 per maand
0-s.mail@ftnet.dk     extra inkomen € 2929 per maand
0-ka@young-world.com  extra inkomen € 2.912 per maand
0-8-15.home@bbdo.at   extra inkomen € 2.635 per maand

Ik weet het wel: je mag alles terugbetalen en je hebt er heel veel last van als je daarna nog iets met een bank wil. Niet dat banken de meest klantgerichte instituten zijn, maar je hebt ze toch nodig in het dagelijks leven.

Big surprise yesterday: UPS logistics is able to do a 'deliver to neighbour' on a residential address. Since we have nice neighbours in the street a package was delivered there and we found the note to pick it up. That is quite an improvement over having to go to some warehouse in a far away industrial area only reachable by car.

In the package: two Amazon Kindles. Yes, we're going e-book! The main reason is quite simple: on cycling holidays books are a serious part of the weight we drag along. Having the entire library as a lightweight (240 gram) e-reader is nicer.

One effect is that I think I want to add something with editions / versions of books to detail pages about books on virtualbookcase so it is visible when a book is available in a kindle version. This has already been on my mind for UK/US versions (which happened for books like Harry Potter and the Half-Blood Prince (UK version) / Harry Potter and the Half-Blood Prince (US version). Ideally, I'd like to link all versions of the same book so I can show all reviews together. And as an added bonus I could show availability of hardback / paperback / kindle versions at places like amazon. But that will take some serious programming time...

Another load of attempts to get e-mail accounts at work with a phishing scam. And while diagnosing headers to notify sites with accounts with stolen credentials I noticed a pattern I've seen before: authenticated smtp sessions from charter.com IPs.

from 24-183-196-50.dhcp.jcsn.tn.charter.com [24.183.196.50]
from 97-81-17-250.static.gwnt.ga.charter.com ([97.81.17.250])

I haven't hacked a script to auto-copy to my homepage what I post to my gplus account, so this one by hand:

Signal of the end of an era (and confirming that the phishers keep up with our e-mail migration): the latest e-mail address phishing sites are an imitation of outlook web access. No more squirrelmail phishing...

'High resolution' GIF images used to be one of the ways to advertise for BBSes. High resolution then meaning 640x480 pixels for 'high resolution scans' and 320x200 for 'video capture'. A set of those BBS ads is collected at BBS Ads by matbergman, showing what was interesting back then. Puppies, pirates, cars, raytracing, male models, kittens and naturally ladies in bikinis.

DVB-T service scan today, with an interesting service showing up:

tune to: QAM_AUTO f = 570000 kHz I999B8C999D999T999G999Y999 
(time: 10:52) set_frontend: using DVB API 5.1
>>> tuning status == 0x0f
>>> tuning status == 0x1f
SDT (actual TS)
        service = Nickelodeon/TeenNick (Digitenne)
        service = 13th Street (Digitenne)
        service = SLAM!TV (Digitenne)
        service = TV Drenthe  tijdelijk (Digitenne)
        service = BBC Radio 1 (Digitenne)
        service = BBC Radio 2 (Digitenne)
        service = BBC Radio 3 (Digitenne)
        service = BBC Radio 4 (Digitenne)

Due to the recent transmitter tower collapse in Hoogersmilde RTV Drenthe is currently available FTA in the entire country on Digitenne. So I was able to make a screengrab.

One interesting side-effect was mentioned on the tx-list: RTV Drenthe was received in South-east London on 586Mhz (channel 35) on Thursday, over 300 kilometer from the intended service area. This is due to the signals from the Goes transmitter making it over the water.

An article which reads like the reporter got introduced to low-security VoIP trunks and caller-id spoofing services for the first time: Authorities say 911 call in Wyckoff hoax came from fake, computer-generated phone number - NorthJersey.com.

The 911 caller whose hoax prompted a tense police standoff in a quiet Wyckoff neighborhood used a computer to mask the origin of the call, authorities said Sunday.

A computer crime expert is quoted:

[..] the 911 call likely originated from a so-called IP phone that makes calls over the Internet. Such phones are increasingly common and allow users to choose the phone number that would appear on caller identification devices [..]

They hope to trace the user back to the original IP of the SIP call. I wish them lots of luck finding the IP in the first place: I don't think a lot of the 'wholesale SIP trunking' or 'Caller-ID spoofing services' will log them. They might have more chance of finding the account and the billing information.

Found via Attack on 'Cyberbullying' critic prompts raid by armed cops - The Register.

Most of the attempts at toll fraud through an asterisk server set to catch and record these are lately for a number matching +97259xxxxxxx which according to Telephone numbers in Israel - Wikipedia is a 'Jawwal' mobile number in Palestina. Interesting... not a really expensive call to make but I can imagine a certain interest in hard-to-trace calls to that part of the world, especially since these seem to be routed via Israel. According to the explanation on Telephone numbers in the Palestinian territories - Wikipedia +970 is also the country code for Palestina but it depends on which country you are calling from whether +970, +972 or both work. Politics in phone numbers. The +970 route was never tried via my asterisk.

I was watching BBS: The Documentary again and that inspired me to put some more stuff on-line at bbs.idefix.net. Stuff now on: Fidonet standards descriptions.

First good catch after updating the scripts for capturing the audio on attempts at toll fraud through an asterisk server, some calls with incoming audio logged to disk, and some with absolute silence. The calls with audio have serious noise in the background, my best guess is airco noise. But some typing can be heard, some other sounds and one even with a word at the end. I added some audio from that last one.

Boiler-room type telecoms fraud operation? You decide!

What this does mean to me is that someone is actually doing real work to find opportunities for routing calls without paying. This is not an automated script, this is an actual person doing the work.

Big transmission news in the Netherlands today: the transmission tower/mast collapsed in Hoogersmilde after a fire and the transmission tower/mast in Lopik was shutdown after a small fire because the fire department wanted to be really sure about the situation after the collapse in Hoogersmilde.

Collected links to pictures / videos :

• Picture of the fire #tvtoren #hoogersmilde #brand. on Twitpic
• Detail picture of the tower, showing heat damage to the metal construction zie het rode kader waar #tvtoren van #hoogersmilde is geknapt. bovenste deel recht neer, tweede deel naar rechts
• Good images of the collapse: TV-toren Hoogersmilde bovenste 180 meter ingezakt - 112nederland.nl click on images for large versions.
• One video of the collapse, a police PR person explains and reacts quite calmly to the collapse, one of the possible outcomes: Zendmast Hoogersmilde stort in - nos.nl video
• Another video of the collapse, with someone cursing very loudly in Dutch: Mast tv-toren Hoogersmilde stort in - RTV Drenthe (15 juli 2011) this video was later used in news items with audio partly muted.
• Collapse from a bit further away: Mast Tv toren Smilde
• Another collapse video, showing the first break happening and the sequence of the collapse, starting at 0:53 in the video : instorten televisietoren hoogersmilde
• Newsarticle, pictures and video: Deel zendmast Hoogersmilde ingestort - nos.nl
• The remains, still smoking: Brand in TV mast Hoogersmilde - HvNieuws.nl
• Closer views of the remains: TV Toren Hoogersmilde and TV Toren Hoogersmilde Westkant and Zendmast Hoogersmilde afgebroken door brand 15-7-2011 (4) with smoke still coming from the remains
• Good overview pictures of fire, collapse and remains: Vrijdag 15 juli 2011 Hoogersmilde: Zendmast Alticom-toren stort in na brand look at the first picture of the collapse: the first break happened at one of the spots where heat-damage was showing.
• Radio en TV zenders in Nederland is maintaining an archive of images, news, movies, plans at Brand in de TV-toren in Hoogersmilde

A bit of history:

• Zendmast Smilde 50 jaar geleden gebouwd

I added the .local domain to the nameserver at home as a way to make sure avahi-related queries never escape onto the big Internet. But it seems avahi tests for the presence .local by querying for the SOA record in the DNS and disables itself when that is available. So every time an avahi implementation starts a query for .local has to 'escape' or avahi won't work. Not what I had in mind.

I disabled this .local domain in the local resolver until I can find a way to configure bind9 to return NXDOMAIN without querying the root servers.

Information via Avahi and Unicast Domains .local.

I updated the scripts for capturing the audio on attempts at toll fraud through an asterisk server so there is some call progress sound before the 'wrong number' recording is played. I also switched from MixMonitor to Monitor which saves incoming and outgoing audio separately, so it is easier (for me) to check the incoming audio for interesting bits.

This is what the asterisk code now looks like:

exten => _00.,1,Set(filename=${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => _00.,n,Monitor(wav,wrongnum-${filename})
exten => _00.,n,Playback(wrong/callprogress)
exten => _00.,n,Goto(wrongnumber,s,1)

And you can hear what the 'caller' would hear in the attached mp3 file.

Just did a dvb-t services scan and I even found a new (to me) service: the new multiplex at 570 MHz, logged in DVB-T reception log for 20110714. I have received the DVB-H KPN Mobiel TV service on that frequency before so it is not a surprise, but seeing this multiplex on this frequency still counts as 'new'.

I did it.. I joined Google+. I actively avoided Facebook sofar and waited very long before joining Twitter but I got a reasonably early invite to Google+ and took it. The invite was from a German user so it took some changing settings before Google+ changed its userinterface language to english for me. Lots of people I know from certain places are on Google+ so there is something to read.

Google+ urls are somewhat unreadable: my page is at https://plus.google.com/114168607206195341184 so I added a redirect as http://gplus.idefix.net/.

End of an era: today we changed all computer science e-mail addresses to forward to central mail addresses where a big exchange server does all the work. After years of running the e-mail service, including dealing with problems like viruses and spam it still feels weird. Almost all local delivery has been stopped, postfix just has a big list of aliases now.

A history for as far as I can deduce (most way before I worked there) :
UUCP mail with a telebit trailblazer modem
SMTP based mail, sendmail
Postfix (cs.uu.nl ran postfix before it was called postfix) with mboxes/imap
Postfix with maildir / imapssl

I'll still be running my own e-mail setup at home, based on sendmail, my personal choice in mailer. But that's a different story.

Trying to clear out an old e-mailarchive (13215 messages) with the Thunderbird e-mail client (selecting all messages older than a month, pressing shift-delete) makes Thunderbird unresponsive for hours and in the end the mail is still not deleted.

Doing the same in the right place on the server with

# find . -mtime +31 | xargs rm

takes less than 30 seconds and Thunderbird rereads the folder fine.

Gisteren in de volkskrant een stukje over acquisitiefraude. Eigenlijk ook een vorm van Social engineering. Meestal wordt de term 'Social engineering' gebruikt voor het verzamelen van informatie rond computers maar ik zou in navolging van de uitspraken over social engineering bij 'Off The Hook' de term ruimer willen interpreteren. Ook de manieren waarop acquisitiefrauders proberen hun slachtoffers te benaderen vallen keurig in het rijtje van social engineering.

En nog even dit: de officiele website van het 'steunpunt acquisitiefraude' is http://www.fraudemeldpunt.nl/. Maar wat krijg je als je niet de voor de hand liggende domeinnamen registreert? Dan doet iemand anders dat wel en krijg je dus sites als www.acquisitiefraude.nl, www.advertentiefraude.nl, www.fraudemeldpunt.com volgens het artikel in de volkskrant allemaal van een van de bekendere acquisitiefrauders.

Meer informatie over de nieuwe keuze in het aanbod van digitale televisie bij Ziggo. Ziggo maakt nieuwe pakket indeling bekend - Digitale Kabeltelevisie. De eerder voorspelde Wie nu een enkel thema-pakket heeft van 3,95 per maand zal om alle zenders te behouden minstens moeten overstappen op het plus pakket dat per maand 8 euro extra kost lijkt uit te komen.

We hebben het 'kennis en nieuws' pakket, origineel aangevraagd om toegang te hebben tot Journaal24, maar we kijken ook wel eens naar Geschiedenis24. In de nieuwe opzet kost toegang houden tot die laatste 8 euro per maand, ten opzichte van 3.95 nu.

Ik denk dat we zonder Geschiedenis24 kunnen, voor die prijs kan je nog eens windows booten en via de Geschiedenis24 website de Silverlight stream kijken.

Vermakelijk nieuws: er was iemand die wel een businesscase zag in grootschalige fraude met ov-chipkaarten. Dat heeft Translink Systems altijd ontkent, het was allemaal theoretisch. Deze keer werd de poging snel ontdekt, maar ik ga er van uit dat binnen de kortste keren iemand dit beter probeert.

Via Gekraakte OV-chipkaarten massaal verhandeld - Webwereld. Voor degenen die probeerden met de kaarten iets te doen minder leuk: Reizigers dupe van vervalste OV-chipkaarten - Webwereld.

Met een mooi advies van TLS

De voorlichter heeft een duidelijk advies aan reizigers: "Advies aan de consument is deze kaart niet aan te schaffen, want ook het reizen met gemanipuleerde kaarten is en blijft strafbaar.

It is well-known that all IPv4 address blocks are either allocated or reserved for very good reasons, but some IP addresses in logs still make me think 'huh?' when I see them, thinking they might be reserved when they are for sure given out now. Stuff like:

Jul  1 09:12:17 greenblatt sshd[841]: Invalid user data from 1.9.21.4
Jul  1 09:12:23 greenblatt sshd[846]: Invalid user data from 1.9.21.4
Jul  1 09:12:26 greenblatt sshd[849]: Invalid user data1 from 1.9.21.4
Jul  1 09:12:28 greenblatt sshd[851]: Invalid user data2 from 1.9.21.4
Jul  1 09:12:34 greenblatt sshd[858]: Invalid user data4 from 1.9.21.4
Jul  1 09:12:37 greenblatt sshd[862]: Invalid user data1 from 1.9.21.4

Even the ssh scanners are popping up in the 'new' IPv4 ranges. And a quite stupid one too.

Just had to do a cleanup after a spamrun, a new type to me: authenticated smtp abuse. Which goes a lot faster than webmail... Account blocked, cleanup done. Now some time to browse the logs and I note 10 different IPv4 addresses using the same account at the same time, almost all at the same ISP (Charter in the US) but in wildly varying states.

If this doesn't ring all alarm bells for 'money mule' :

I take up a position of HR manager in a large multinational company.

This company is well known in various fields such as:
\ supporting in opening of banking accounts

Seen in the spam e-mail this morning. Dear people of the world: please don't fall for this. A very clear case of 'too good to be true'.

I am at the surfnet office this afternoon, and that is a great opportunity to test my scripts for dynamic ipv6 addresses depending on network. Surfnet gives out 'real' IPv4 (no NAT) addresses on their wireless and IPv6 addresses.

Yes it works:

3: wlan0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1f:e1:45:28:94 brd ff:ff:ff:ff:ff:ff
    inet 145.96.2.161/22 brd 145.96.3.255 scope global wlan0
    inet6 2001:610:188:431:14b8:6159:f87f:20fd/64 scope global secondary dynamic 
       valid_lft 604014sec preferred_lft 85014sec
    inet6 2001:610:188:431:21f:e1ff:fe45:2894/64 scope global dynamic 
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fe80::21f:e1ff:fe45:2894/64 scope link 
       valid_lft forever preferred_lft forever

One downside: the 'old' dynamic address was deleted from the interface with my ssh sessions still running. Time to tweak the settings a bit more to fix this.
Second thought: Maybe a complete wireless disconnect / connect caused this. The current settings for temporary address lifetimes:

net.ipv6.conf.wlan0.temp_valid_lft = 604800
net.ipv6.conf.wlan0.temp_prefered_lft = 86400

604800 seconds is one week, 86400 seconds is one day.

Journalist Brenno de Winter wordt woensdag 22 juni 2011 verwacht bij de politie voor verhoor over fraude met ov-chipkaarten.

Statement over verhoor TLS - Brenno de Winter

Webwereld-journalist verhoord om OV-chipkraak - Webwereld

Klinkt als een geval 'aantonen dat de kleren van de keizer afwezig zijn is niet de bedoeling', Trans Link Systems wil duidelijk niet dat het zo duidelijk gemaakt wordt dat ze bezig zijn met miljarden uitgeven aan een slecht systeem met waardeloze privacy.

Quite an interesting article this weekend When Secret Sats Spy on Us, Monsieur Legault Spies Back - Wired danger room. Thierry Legault, famous for a number of very great images of space phenomena is also busy tracking things in space which you're not supposed to know are there. Wired did a great article on the satellite-tracking community a few years ago: I Spy: Amateur satellite spotters can track everything government spymasters blast into orbit. Except the stealth bird codenamed Misty. Wired issue 14.02. The persistence of the spy satellite-tracking community combined with the telescope photography skills of Thierry Legault make for some very nice videos. I guess the owners of the spy satellites aren't too happy about these videos. They would be even more unhappy when the videos would be combined with the latest orbital data.

Interesting: someone who mailed me about my dvb experiments and noted a frequency picked up by the scanning program which I didn't recognize as a valid multiplex: 714 MHz, 2/3 fec, 1/16 guard interval. That's odd, that frequency isn't in use in the Netherlands and no multiplex runs on 1/16 guard interval.

When I have a look at the details for Digitenne at DTV Monitor and I open the network information table in transport stream 2211 or 2212 I see a listing for a transport stream 12 with indeed guard interval 1/16 and 2/3 fec. Weird. Yet another multiplex in the planning or a glitch? But a glitch showing up on multiple transport streams in multiple locations is more like 'planned'.

To make sure I checked the Network Information Table in Mux 1 at home myself, with dvbsnoop for pid 0x10. Indeed, a description of transport stream 12 with 5 television services flies by:

    Transport_stream_ID: 12 (0x000c)
    Original_network_ID: 8720 (0x2210)  [= Netherlands Digital Terrestrial Television | Nozema]
    reserved_1: 15 (0x0f)
    Transport_descriptor_length: 52 (0x0034)

            DVB-DescriptorTag: 65 (0x41)  [= service_list_descriptor]
            descriptor_length: 15 (0x0f)
               service_ID: 1201 (0x04b1)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1202 (0x04b2)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1203 (0x04b3)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1205 (0x04b5)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1206 (0x04b6)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]


            DVB-DescriptorTag: 90 (0x5a)  [= terrestrial_delivery_system_descriptor]
            descriptor_length: 11 (0x0b)
            Center frequency: 0x04417a40 (= 714000.000 kHz)
            Bandwidth: 0 (0x00)  [= 8 MHz]
            priority: 1 (0x01)  [= HP (high priority) or Non-hierarch.]
            Time_Slicing_indicator: 1 (0x01)  [= Time Slicing is not used.)]
            MPE-FEC_indicator: 1 (0x01)  [= MPE-FEC is not used.)]
            reserved_1: 3 (0x03)
            Constellation: 2 (0x02)  [= 64-QAM]
            Hierarchy information: 0 (0x00)  [= non-hierarchical (native interleaver)]
            Code_rate_HP_stream: 1 (0x01)  [= 2/3]
            Code_rate_LP_stream: 0 (0x00)  [= 1/2]
            Guard_interval: 1 (0x01)  [= 1/16]
            Transmission_mode: 1 (0x01)  [= 8k mode]
            Other_frequency_flag: 0 (0x00)
            reserved_2: 4294967295 (0xffffffff)

            DVB-DescriptorTag: 131 (0x83)  [= User defined/ATSC reserved]
            descriptor_length: 20 (0x14)
            Descriptor-data:
                 0000:  04 b1 fd f5 04 b2 fd f6  04 b3 fd f7 04 b5 fd f8   ................
                 0010:  04 b6 fd f9                                        ....

So an extra transport stream with 5 video services is announced, but not in use. Future plans? A reservation? Something left over from a test?

Note: dvbsnoop does not decode the Logical Channel Descriptor (0x83) at the end of the network information table. According to dtv monitor, services 1201 - 1205 are to be on logical channels 501 - 505.

Kudos to the person who noticed his scanning program searching on an unused frequency.

Interesting development with the magna carta rfid card: I gained access to a card from a different organisation and what I found for the other card did not apply at all.

Today's XKCD Manual Override is good. And sometimes recognizable...

Rob O'Hara asks the interesting question Are all Hacks really Sophisticated? after seeing the word 'sophisticated' one time too many in the news about the recent network break-ins at Sony and the IMF.

A good question. A lot of this stuff seems more a case of systems and data with lots and lots of attack surfaces and attackers finding that one weak spot. The only people who get this right almost always are the military, but they are not afraid to put security way ahead on the balance of security versus usability.
Update 2011-06-15: Latest news on this front:

Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator.

Source: Citigroup hack exploited easy-to-detect web flaw - The Register

De spam die money mules recruteert wordt steeds beter. Vandaag eentje in eigenlijk goed Nederlands (behalve wat charset damage).

Op het moment zijn er deeltijdbanen binnen de EU beschikbaar.

Wat bieden wij:
- 2000 EUR en een Bonus die betaald wordt als u 30 dagen in dienst bent. Deze Bonus wordt alleen betaald als u minimaal 8 uur in de week werkt.
- Wij garanderen dat u geld zult verdienen als zelfstandige ondernemer vanuit het gemak van uw thuiskantoor.
- Wij garanderen ook dat u genoeg geld zult verdienen om uw salaris aan te vullen. Deze garantie berust op het feit dat wij aannemen dat u hard zult werken en dat u onze instructies zult volgen binnen de beschikbaar gestelde tijd.

Vlieg hier niet in, het is inderdaad te goed om waar te zijn en je pleegt ook fraude. Die 30 dagen haal je niet, voor die tijd zit je op het politiebureau.

I was capturing audio in Asterisk and playing it for a good reason: I noticed a while ago that attempts were made to route sip calls through an asterisk server I set up. Calls to numbers which looked valid. So they were probably attempts to make calls on 'my dime'. Which wasn't going to happen.

What better (on a server which has absolutely no credentials available to incur call costs anyway) to do with these than 'play' with these attempts a bit. I decided to answer the call with a random choice of the International Telephone Sounds & Recordings from telephone world and record the audio. I was hoping to hear someone be enthusiast in the background about their attempt maybe going through.

But in all the attempts I never heard anything more than the audio from the local end and maybe some echo.

I captured some audio in asterisk using the MixMonitor command, like:

exten => _00.,1,Set(filename=${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => _00.,n,NoOp(${CHANNEL} tried to reach ${EXTEN} logging to wrongnum-${filename})
exten => _00.,n,MixMonitor(wrongnum-${filename})
exten => _00.,n,Goto(wrongnumber,s,1)

But I wanted to listen to the audio. Which turned out to be a bit of searching. In the end I found the right sox call:

$ play -e signed -r 8000 -b 16 -c 1 keep-20110604-184522.raw

keep-20110604-184522.raw:

 File Size: 647k      Bit Rate: 128k
  Encoding: Signed PCM    
  Channels: 1 @ 16-bit   
Samplerate: 8000Hz       
Replaygain: off         
  Duration: 00:00:40.42  

In:58.3% 00:00:23.55 [00:00:16.87] Out:188k  [!=====|=====!] Hd:0.0 Clip:0    

Converting to a .wav to process in audacity is easy too:

$ sox -e signed -r 8000 -b 16 -c 1 keep-20110604-184522.raw wrongnum-20110604-184522.wav

I like having the 'predictable' IPv6 address for my laptop at home, but at the same time I was pondering the implications of having the same EIU-64 address everywhere. Which can be fixed by enabling the privacy extensions.

As I use wicd for connection management I had a look at Adding pre and post (dis)connection scripts - Wicd Wiki which showed clear options. The easiest way to 'recognize' my home networks is by assigned v6 range. So I created /etc/wicd/scripts/postconnect/ipv6privacychoice with:

#!/bin/bash

connection_type="$1"

if [ "${connection_type}" == "wired" ]; then
        v6prefix=`rdisc6 eth0 -q -1`
        if [ "${v6prefix}" = "2001:980:14ca:1::/64" ]; then
                sysctl net.ipv6.conf.eth0.use_tempaddr=0
        else
                sysctl net.ipv6.conf.eth0.use_tempaddr=2
        fi
elif [ "${connection_type}" == "wireless" ]; then
        v6prefix=`rdisc6 wlan0 -q -1`
        if [ "${v6prefix}" == "2001:980:14ca:2::/64" ]; then
                sysctl net.ipv6.conf.wlan0.use_tempaddr=0
        else
                sysctl net.ipv6.conf.wlan0.use_tempaddr=2
        fi
else
        echo "Unknown connection type: ${connection_type}"
        exit
fi

I guess I just ran into one of the most undocumented file formats: saslauthd.conf. But eventually I got it working (as authentication provider for a local ldap server). To use Windows active directory domain controllers as backend for slapd:

ldap_servers: ldap://dc01.example.com:389/
ldap://dc02.example.com:389/
ldap_bind_dn: DC=example,DC=com
ldap_auth_method: fastbind
ldap_filter: EXAMPLE\%U

Which means you can have ldap users with

userPassword: {SASL}username@EXAMPLE.COM

Too bad I'll be in a location with only legacy IP or completely 'disconnected' today, so I can't really follow everything around World IPv6 day.

But things are up and running. Things I noted sofar: The AMS-IX sFlow IPv6 stats seem to show a drop in IPv6 traffic. Caused by the Microsoft ipv6day patch? And the Akamai IPv6 Statistics show not a lot of traffic, given what Akamai should process in theory.

Update : DE-CIX traffic statistics (scroll down a bit for IPv6) show an uptake in IPv6 traffic.

The NTP pool project is participating in World IPv6 day. Well, not participating in the 'switching off after 24 hours' bit: 2.pool.ntp.org now has AAAA records and will keep them. In the current default configuration this means a system with broken IPv6 connectivity will still work, it will just decide one of the servers is unreachable and tick on happily.

koos@greenblatt:~$ host 2.pool.ntp.org
2.pool.ntp.org has address 213.249.66.35
2.pool.ntp.org has address 91.148.192.49
2.pool.ntp.org has address 72.26.217.210
2.pool.ntp.org has IPv6 address 2001:4f8:fff7:1::17
2.pool.ntp.org has IPv6 address 2607:f128:42:63::2
2.pool.ntp.org has IPv6 address 2600:3c00::2:b401

Source: Experimentally enabling IPv6 - NTP Pool News.

It's not possible to add ntp.cs.uu.nl to the ipv6 pool at the moment, but ntp.idefix.net is reachable via IPv6 and is ok as a server. So it is in the pool.

I just (re)watched The Boat that Rocked also known as 'Pirate radio'.

The goof I noticed this time is the 2 DJs climbing the 'antenna mast'. On a mediumwave transmitter that is a big no-no: either the mast itself is antenna and has a high voltage difference to ground or the feeder lines go to a wire antenna at the top where you don't want to get close due to the RF energy. But there are no feeder wires visible anyway...

But this is not a documentary, this is a movie based on/following the events and people of the time. As such it works great. It really shows the 'radio people should listen to' versus 'radio people want to listen to' difference which played in those days. Great music in the movie. I really like the visual switching between the making of the radio and the listening to the radio.

In the news-alerts for Camp Wireless I noticed a few interesting news items.

One was Nature and the Internet: Idaho state parks have campsites, campfires and Wi-Fi - the Bellingham Herald so I updated the listings of campsites with wireless Internet access in Idaho, USA.

The other was Gratis wifi voor gasten Kempense campings (Dutch) .. resulting in some extra listings of campsites with wireless Internet access in Belgium.

And even after I never accepted the verification of my e-mail address to add it to someones 'Apple ID' I now get iTunes spam:

Subject: New On iTunes: The Beatles, Wired for iPad, True Blood, Free Lonely
        Planet Travel Book, and More

So pure and simple spam.

Exit KPN mobiel tv / dvb-h in the Netherlands: I just did a dvb-t services scan and nothing is active on the frequencies the DVB-H service used. DVB-T reception log for 20110531. I expect the new multiplex to come up overnight.

Update 2011-06-01: Indeed, in the DVB-T reception log for 20110601 the old DVB-H frequency (522 MHz) is reused for the new multiplex. But a serious shuffle of services has happened too: the new multiplex lists:

SDT (actual TS)
        service = Nickelodeon/TeenNick (Digitenne)
        service = 13th Street (Digitenne)
        service = SLAM!TV (Digitenne)
        service = iTV Promo (Digitenne)
        service = BBC Radio 1 (Digitenne)
        service = BBC Radio 2 (Digitenne)
        service = BBC Radio 3 (Digitenne)
        service = BBC Radio 4 (Digitenne)

BBC One and BBC Two have been put in another multiplex:

SDT (actual TS)
        service = Eredivisie Live 1 (Digitenne)
        service = Eredivisie 2/AT5 (Digitenne)
        service = BBC One (Digitenne)
        service = MTV (Digitenne)
        service = Animal Planet (Digitenne)
        service = CNN (Digitenne)
        service = BBC Two (Digitenne)
        service = National Geographic (Digitenne)
        service = BNR Nieuwsradio (Digitenne)
        service = Arrow Classic Rock (Digitenne)
        service = Radio 538 (Digitenne)
        service = SSU 1 (Digitenne)
        service = SSU 2 (Digitenne)

Or should I say 'crammed' : that's 8 tv services, 3 radio services and 2 data services in a QAM64 multiplex. I'll try to do measurements of the actual bitrates within the multiplex, but it can't be a lot per service.

Don't mix christmas lights and wifi, according to What can get in Wi-Fi's way? - PC Pro:

Every holiday season, ISPs receive a spike in complaints that internet connections aren’t working. The culprit: that festive, sparkly, lit-up tree in the living room.

TalkTalk said Christmas tree lighting and other household lights can reduce Wi-Fi performance by 25%, and interference is at its worst when the lights are blinking.

Via What's Killing Your Wi-Fi? - Slashdot

Comforting words at the top of /sbin/dhclient-script on scientific linux 5.1:

# No guarantees about this. I'm a novice at the details of Linux
# networking.

Uh. Yeah. Great. So we're lucky this usually works?

I did a dvb-t services scan today to get a feel for the situation before the upcoming change with KPN mobile TV (DVB-H) disappearing and Digitenne starting a new multiplex. The DVB-T reception log for 20110526 still shows the current situation with KPN DVB-H active.

Het is vanmorgen wel weer 'feest' met phishing mail voor ING rekeningen. Gelukkig zijn de teksten direct uit de automatische vertaler en dus zo krom Nederlands als het maar kan:

We zijn toegewijd om uw veiligheid, om te ontdekken hoe houden wij u op veilige online en wat u kunt doen om uw online profiel te beschermen. Wij weten dat u wilt het gemak van internetbankieren zonder zorgen over veiligheid. We hebben geconstateerd een fout op uw persoonlijke gegevens tijdens het systeem van onze 'multi-factorieel authenticatie' update.

Of deze:

Het laatste nieuws over veilig internetbankieren bij ING Je hebt het maximale aantal toegestane logon pogingen.

Als gevolg daarvan hebben we uitgeschakeld uw online toegang tot uw vertrouwelijke financiële informatie te beschermen. Klik op "De onderstaande hyperlink" om verder te gaan.

Allemaal weer doorgegeven aan de afdeling van ING die graag hoort over de nieuwste phishing pogingen.

Update 2010-05-27: En nog zo'n mooi stukje taal vandaag:

Belangerijk Mijn ING Nieuws

Beste gewaardeerde klant, U hebt een nieuwe beveiligingsupdate van ING. Alstublieft Log in op uw account om deze update te bevestigen

Luck in Iceland with research into the ash plume from Grímsvötn volcano:

The IMO has a mobile weather radar on loan from the Italian Civil Response Authorities. When Grimsvötn erupted it was placed near the village Kirkjubæjarklaustur, about 80 km from the volcano. The weather radar is used to monitor changes in the height of the volcanic plume, but those are indicative of the strength of the eruption.

The mobile weather radar helps understand the size and direction of the ash plume, without having to get too close.

Source: Update on volcanic activity in Grímsvötn - Iceland Meteorological Office. I am a fan of Iceland, I want to go visit it again some day.

De adsl verbinding was gisteren weer zwaar instabiel, inclusief een complete uitval tussen 04:20 en 04:58. Vandaag kwam er een aankondiging van xs4all dat er onderhoud is op het netwerk tussen 23 maart en 17 juni. Blijkbaar was onze centrale gelijk aan de beurt. Ik verwacht eigenlijk van xs4all dat ze dat op tijd aankondigen, maar ze zijn natuurlijk afhankelijk van de mededelingen van KPN.

Update 2010-05-28: Verder viel het gisteren ook nog een compleet uur uit en zie ik verder vaak weer 'hikken' en snelheidsveranderingen. Maarja, het is ook een paar keer regenachtig geweest deze week.

Spent some time working on an Ubuntu server which has to be an iscsi initiator (it has to mount an iscsi lun from a netapp server). It took a bit of work to find all the right options to make the filesystem mount and unmount repeatedly and reliably. Lots of reading in Using iSCSI On Ubuntu 10.04 (Initiator And Target) - HowtoForge.

My two tips:

• Use the _netdev mountflag in fstab
• Making sure the session is started at boot:

  iscsiadm -m node -o update --targetname iqn.1992-08.com.netapp:sn.******** --name node.startup --value automatic
  

Tomtit feeding young.

Curious tomtit young.

A very hungry tomtit young ready to get fed.

Some pictures I took in the backyard of the nest with tomtits. I felt very lucky for even getting the one of the feeding.

Coming 21 June 2011: The ALPOCALYPSE! Be prepared!

Interesting sequence of events: On 14 May 2011 I get e-mail:

Dear Koos ********,

You've entered koos@******.** as the contact email address for your
Apple ID. To complete the process, we just need to verify that this
email address belongs to you. Simply click the link below and sign in
using your Apple ID and password.

Since I'm not giving my soul to Apple I didn't click that verification link. But now, 21 May 2011 I get this for the same address:

To: koos@******.**
Subject: ID:770-82605243 Apple AppStore Order Cancellation

Dear Apple AppStore Customer, Your Order ID:770-82605243 ([1]order status)
has been successfully canceled.  You can also contact Apple AppStore
Customer Service or visit online for more information.

With a url pointing at a website selling illegal drugs.

Pure coincidence or interesting data-loss stories coming up from Apple?

I like this Film1 promo I see fly by on 13th street. It uses auto-tune in interesting ways. Kudos to Fedde Wapstra.

I like using xmms to play mp3's such as podcasts I follow. But xmms has some issues in combination with alsa. It just stops at the end of an mp3 on my laptop. Selecting OSS output and not alsa 'fixes' this but then I get the problem of an unshareable audiodevice (how ancient!). In the Ubuntu community documentation for XMMS I found this remark:

You may want to check out Audacious or BeepMediaPlayer which is a fork of XMMS using GTK2 - meaning that its menus and dialogs integrate with your system's themes better than XMMS's.

I gave audacious a try and it's indeed nice. Works for me. The annoyances are gone. Now to train the new finger macros.

Found some time to sort out pictures:

Transmitter Wooler, England.

Latest news on Byron Sonne: G20 accused Sonne out on bail; strict limits on Web use, leaving home - Toronto Star.

The whole Byron Sonne case seems to me like a serious case of the police not wanting someone to publish the fact that the emperor's clothes were only marketing.

Enigzins verbazend: de politie wil een aangifte over de deep packet inspection van KPN tenminste accepteren: Politie bij DPI-aangifte: wat is daar erg aan? - Webwereld. Nu hangt dit erg af van de politie-agent en mentaliteit ter plaatse, maar ict-gerelateerde onderwerpen zijn vaak erg moeilijk voor de politie en daar willen ze dus liever geen aangifte van. En vervolgens klagen de deskundigen bij de politie op dit gebied dat er te weinig aangiftes op dit gebied binnenkomen.

Interresante charset schade in een mail van Bètawetenschappen:

De verkiezingen van de Faculteitsraad BÚtawetenschappen zijn begonnen.

En daarmee basta?

Coolest flightsimulator ever: Original DC-10 flightsimulator up and running computing by a PDP11. But 20/times second the position data is used to feed Flightsimulator 2004!

Dikke middelvinger voor KPN mobiel voicemail: iemand had daar voor mij donderdag een berichtje achtergelaten. Dus krijg ik vanmoren een 2e sms dat ik dat toch echt moet afluisteren via 1233. Maar daar mag ik niks afluisteren tot ik alles ingesteld heb. Ik probeer de stap 'welkomstboodschap inspreken' over te slaan maar ik krijg alleen te horen dat de opname gewist is en ik het opnieuw moet doen. Dus toen was ik al niet meer geinterreseerd in het voicemailbericht. Maar daarna 12339 gebeld om dan tenminste voicemail helemaal uit te zetten en dan krijg ik 'deze functie is momenteel niet beschikbaar wegens een storing'. Lekker gebruikersonvriendelijk allemaal.

Tip voor gebruikersvriendelijke voicemail: geef gebruikers de optie als ze voor het eerst bellen naar voicemail en al een bericht hebben de optie de instellingen over te slaan en het bericht af te luisteren.

Loads of spam today..

Hello, we have a job offers avalible for people from Europe only.

With big alarm bells for 'money mule' attached:

We have funds coming from our clients that needs to be received in Europe.

Don't fall for it.

Technically, it seems a large botnet has been activated just to run this spam, showing the interesting links between botnets, phishing, several types of fraud including money laundering and spam.

I almost wonder if the Dutch cybercrime reporting site would do something with this. Nope: not within their very limited scope.

Interresant bericht Zendmast Trintelhaven blijft stoorzender - Watersportbond van vandaag 13 mei 2011:

Al jaren zijn er klachten over schade aan apparatuur aan boord van schepen, die een bezoek brengen aan Trintelhaven, gelegen aan de dijk Enkhuizen-Lelystad. De beschuldigende vinger wordt daarbij gewezen naar de zendmast op deze haven. Ook afgelopen jaar waren er opnieuw klachten.

Ik ben toch benieuwd hoeveel klachten ze binnenkrijgen over 2011, want de 1395 kHz AM zender in de Trintelhaven is in januari 2011 definitief gestopt. Dit was de AM zender van Big L radio.

En een nieuwe gebruiker van 1395 kHz AM zal liever niet op deze plek zitten: Big L heeft meerdere keren problemen gehad met de generator die de zender voedde, blijkbaar is er geen of niet voldoende electrisch vermogen uit het stroomnet te krijgen op die plek. Maar ik weet niet in hoeverre de vergunning voor 1395 kHz AM gekoppeld is aan de locatie Trintelhaven.

With all the news about Dutch KPN doing DPI (deep packet inspection) on its mobile IP users to find out how many users use WhatsApp instead of overpaying for SMS messages I ran across this declaration by AAISP in the UK:

AAISP: Real internet connection. Very clear on what they do:

We provide a real internet connection with our internet/broadband services. A real internet connection that IP packets from you get to where they should do, and IP packets to you get to you.

Too bad they don't offer broadband in the Netherlands. They would not be able to maintain the paragraph about lawful intercept in this country:

We have no so called black boxes to covertly monitor traffic and/or pass traffic monitoring to the authorities or anyone else. Obviously the law is such that we may have to add such black boxes, but we would resist as far as possible.

But otherwise they would fit nicely with 'real Internet' users in the Netherlands.

Vandaag kwam 'de uitslag' (volgens Ziggo dan) van welke zenders er definitief uit het analoge pakket verdwijnen (dit was nieuws rond december 2010: Duidelijkheid van Ziggo over de toekomst van de analoge kanalen in Utrecht: het worden 24 kanalen. Ik vroeg me toen ook af hoe de reactie zou zijn op prijsverhoging en aanbodverlaging analoog maar dat heeft Ziggo opgelost door de brief naar de klanten over het analoge pakket pas 5 maanden later te sturen.

In de hele brief geen woord over de Utrechtse programmaraad die een net iets ander advies had gegeven. Het enige verschil is dat TV5 Monde niet meer analoog beschikbaar is, maar dat is wat TV5 Monde Nederland en Ziggo ook afgesproken hebben.

Mooie politiek: Ziggo kan net doen alsof ze de programmaraad negeren en de programmaraad heeft niet echt iets om over te klagen.

idefix.net staat nu in de ip6.nl hall of fame omdat de standaard diensten (dns, smtp, www) even goed via ipv6 als via ipv4 te bereiken zijn. Hetzelfde bereiken voor domeinnamen op het werk gaat voor het 'laatste stukje' nog lastig zijn.

Tomtit taking off

Sometimes interesting nature comes right to your backyard.

I have the openvpn setup I wrote about 2 years ago sort of in use at the moment: it's the test computer for the weather station project. But: this afternoon the ipv6 access just stopped. It wasn't very hard to find the error message:

Tue May 10 16:25:44 2011 VERIFY ERROR: depth=0, error=certificate has expired: /C=NL/CN=metcalfe.pcgg.nl

And that was correct:

        Validity
            Not Before: May 20 14:10:17 2009 GMT
            Not After : May 10 14:10:17 2011 GMT
        Subject: C=NL, CN=metcalfe.pcgg.nl
        Subject Public Key Info:

The certificate expired. Generated a new one, restarted the openvpn client and things ran again.

Zojuist gepost in xs4all.general naar aanleiding van shortiezzz: Nieuwe column over hoe topprovider XS4ALL mij de afgelopen dagen bruuskeerde en dupeerde. Zie: www.GoHansBrinker.com. Waar John Piek beschrijft hoe de xs4all podcast dienst ineens opgeheven bleek te zijn:

Subject: podcast.xs4all.nl opgeheven: communicatie 0
Newsgroups: xs4all.general

Blijkbaar is podcast.xs4all.nl opgeheven. Nu had ik daar ooit een account
op aangemaakt 'om eens te proberen' maar nooit echt iets mee gedaan, dus
geen ramp voor mij.

Maar de vermoedelijk grootste gebruiker wist ook van niks, zie
http://www.gohansbrinker.com/

Wat me vooral tegenvalt van xs4all is de communicatie: afwezig. Nergens een
aankondiging, geen optie voor gebruikers om eventueel hun content veilig te
stellen als ze die niet meer op andere plekken hadden.

Ja, het was een experimentele dienst. Maar dan nog kan je het netter
afsluiten dan 'oh ja het staat nu uit'.

                                               Koos

Ik moet een beetje denken aan de rants van Jason Scott over het einde van Geocities en andere Yahoo diensten. Alleen hadden hierbij mensen helemaal geen kans om hun content eventueel veilig te stellen of op tijd te melden dat ze ergens anders gingen hosten.

Voor de zoekenden: de shorties FM rss feed woont nu op http://podcast.shorties.nl/rss.xml.

Zondagavond leek me een mooie avond om nog eens te zoeken naar de '35cm radio amateurs' maar ook nu hoor ik geen wideband FM radio uitzendingen. Wel iemand in de omgeving die met een draadloze koptelefoon TV kijkt en de film op RTL-4 aan het volgen is.

Het kan zijn dat ik een betere antenne (-positie) nodig heb, veel van deze zenders lijken in het noorden en oosten van Nederland te zitten.

Good (ab)use of the 8G memory and 64bit architecture of the home server greenblatt : plot wardrive maps of all years I've been doing that. In the first run gpsmap took up a maximum of 8115 megabyte memory and the system was actually using swap:

             total       used       free     shared    buffers     cached
Mem:       7929324    7885124      44200          0       1792      45276
-/+ buffers/cache:    7838056      91268
Swap:      1959888    1836416     123472

But! I get my maps.

Mijn werkgever besloot dat 6 mei ook een vrije dag zou zijn. Ik heb eens de kans genomen om een fietstochtje te maken langs een aantal zendlocaties in de stad Utrecht om eens foto's te maken. Een van de locaties gaat vervangen worden: er is een paar honderd meter van de DVB-T zender op de Burgemeester Fokkema Andrealaan een nieuwe DVB-T zender gebouwd op een net iets hoger gebouw. Dus daar moest ik 'op tijd' langs. En gelijk de nieuwe locatie fotograferen en een AM-zender in de buurt.

• Zendlocatie Burgemeester Fockema Andrelaan, Utrecht waar naast de DVB-T antennes ook nog andere antennes staan: GSM (900 MHz, 1800 MHz), GSM-R (920 MHz), Ermes paging (169.75 MHz)
• Zendlocatie Herculesplein gebouw Galghenwert, Utrecht
• Zendlocatie Konigsweg, Utrecht waar volgens het overzicht van middengolfzenders bij Radio en TV zenders in Nederland en volgens het antenneregister van het agentschap telecom de 1332 kHz en 1584 kHz zender zit van Radio Paradijs.

Alleen is op de wikipedia pagina over Radio Paradijs (Utrecht) op nl.wikipedia.org dit anders weergegeven. Ik geef het antenneregister gelijk en heb dit maar eens op de overlegpagina neergezet.

In between fatherhood today I found some time to do adjustments on the barometric pressure sensor for the weather station project which had a notable difference with the two nearest weather stations. Simply by adjusting the offset until the readout was near to the current values for De Bilt from actuele waarnemingen KNMI. Which gets interesting because the KNMI website has a 15-30 minute delay. The current offset is somewhat less than 1 millibar/hectoPascal but the pressure was dropping today. Maybe I should try to get that last bit on a day with more constant air pressure. For now it is a good approach.

With all the recent news about Osama Bin Laden I had to dig up this bit of comedy: The Taliban telemarketeer attack. Copied all over the Internet in mp3 and flash and I can't find a real original source for it. The best source is here: Taliban Takes on Telemarketers (Taliban Telephone) by Sector 8 Animation.

This must be why the building had no phone lines or Internet, to avoid this weapon.

This morning I zapped to NDR, the German regional TV for North-Eastern Germany. I saw an announcement that on 30-04-2012 analog satellite TV distribution of german channels will be switched off which I think is part of a complete shut-off of the last analog satellite TV.

My main surprise was that it still existed, transponders filled with one analog channel and audio-carriers. But browsing for example Astra 1H/1KR/1L/1M at 19.2°E at LyngSat shows several German PAL transponders still up and running.

So analog terrestrial TV has ended in Germany, but analog satellite TV is still up and running. Unexpected, to me.

Na wat verdwaalt te raken in websites over radio en televisie kwam ik dxrapporten.nl tegen, en ontdekte ik een voor mij onbekende subcultuur: 35cm broadcast radio. Dit is niet de 'normale' FM omroep band maar er wordt op de frequenties 856-862 MHz en 865-868 MHz gewerkt met wideband FM, compleet met stereo modulatie en rds.

Het eerste deel valt samen met UHF tv kanaal 69 (854 - 862 MHz), het tweede deel staat alleen genoemd voor RFID. Dat eerste deel is/wordt uitgefaseerd als TV-kanaal en zal dan voor iets als een volgende generatie mobiele telefonie en datadiensten gebruikt gaan worden.

Maar mijn scanner heeft een 'wideband fm' setting, en ik kan de ontvangstmode altijd wijzigen ten opzichte van de default voor die band. Gisterenavond dus eens wat geluisterd en niets gehoord behalve een duidelijke draadloze koptelefoon op 864.5 MHz. Maar omdat de '35cm radio amateurs' een overlap met / opvolging van FM radio piraten zijn zal een en ander wel actiever zijn in het weekend. In theorie is NoName.fm in Utrecht actief op 860.2 MHz.

Ik kan me zo voorstellen dat zolang deze activiteit in obscure banden gebeurt waar geen commerciële belangen er last van hebben het agentschap telecom ook erg weinig neiging heeft om erachteraan te zitten. Dus als er 800 MHz spectrum naar mobiele aanbieders gaat zal de wide-fm daar gauw over zijn.

Nog een nieuwe: Algemene BBSlijst Nederland van November 1996. Wat een hele mooie is voor het verloop van het aantal BBSen:

abn199405.lst: Het aantal BBSen in deze ABNlijst bedraagt 200
abn199503.lst: Het aantal BBSen in deze ABNlijst bedraagt 1350
abn199601.lst: Het aantal BBSen in deze ABNlijst bedraagt 1494
abn199605.lst: Het aantal BBSen in deze ABNlijst bedraagt 1420
abn199611.lst: Het aantal BBSen in deze ABNlijst bedraagt 1515
abn199701.lst: Het aantal BBSen in deze ABNlijst bedraagt 1458
abn199707.lst: Het aantal BBSen in deze ABNlijst bedraagt 1116
abn199708.lst: Het aantal BBSen in deze ABNlijst bedraagt 1087
abn199711.lst: Het aantal BBSen in deze ABNlijst bedraagt 1067
abn200109.lst: Het aantal BBSen in deze ABNlijst bedraagt 178

precies op de piek.

Just did an interesting adjustment: moved the solar sensor from the shade to the full sun. The readouts are interesting:

2011-05-01T14:02:00+0200 Solar 8.299400 mV
2011-05-01T14:04:00+0200 Solar 119.853104 mV

According to the w1retap documentation this means the sun power is 24.63 Watt/m^2 in the shade and 355.75 Watt/m^2 in the sun at the moment.
Update 2011-05-02: Mounting the solar sensor outside is a bit more 'interesting' as it has to look up at the sky (logically) but at the same time I want the other two sensors in that housing to be in the shade in the future 'weather hut'. I found a description of mounting a 1-wire hobby-board solar sensor which has a good suggestion. Downside is that I will need more space in our backyard for the 'weather experiments'.

Interesting bit with the pressure measurements at the moment. I now have two running sensors, the old one from the Conrad weather station and the new one from Hobby-Boards. The new one is calibrated for 2 meter above sea level which matches the height reported for our street and backyard at Actueel Hoogtebestand Nederland. And as a reference there is the measurement from De Bilt and Cabauw at the actuele waarnemeningen Nederland knmi. And there is a big disagreement between our shed and the officials. For today 12:00:

• The 'old' sensor (Conrad) in the shed: 960 hPa
• The 'new' sensor (Hobby-Boards) in the shed: 988.8 hPa
• KNMI measurement De Bilt: 1012.8 hPa
• KNMI measurement Cabauw: 1012.5 hPa

I've been mapping the difference between the old sensor and the measurement from De Bilt at the weather station page and it seems to be nearly constant. I first thought the age of the old sensor was showing. But with two sensors here showing about the same difference with official sensors I'm not sure what the cause is.

First thought after I finished typing: move the sensor outside. But that does not 'fix' the problem.
Update 2011-05-02: More thinking and reading made me wonder if 'above sea level' has different meanings between the US (where hobby-boards calculated the offset for me) and the Netherlands, but that doesn't seem to be the right way. If I try to follow the calculations at Air Pressure and Altitude above Sea Level - The Engineering Toolbox it seems I miss 19 meter height above sea level.

Difference: 21 hPa, using the formula above I can get the closest to that difference with a height of 19 meters in that formula:

101325 * (1 -2.25577*(19/10000))^5.25588
Runtime warning (func=(main), adr=42): non-zero scale in exponent
99172.15726627368573690675

The ordered weather sensors arrived so I want to test them using w1retap. Time for rounds of configure / fix missing stuff. The resulting logging will be to postgres / rrdtool but I want to test with filebased logging first just to make sure the sensors work.

The configure script of w1retap insists on libxml2-dev and I don't see an easy way to disable this test. On the planned low-power, running from ramdisk weather station computer I won't allow for unused libraries, but for now the easy solution is just installing that library. Even ./configure --without-applet --disable-xml or ./configure --without-applet --disable-xml2 or other variants show:

checking for xml2-config... no
configure: error: missing program 'xml2-config'; is 'libxml2' or
'libxml2-devel' installed?

Fixed by installing libxml2-dev. The next thing it insists on is pkg-config and gmodule-2.0. The gmodule library is needed for dynamic loading of modules. This comes from ubuntu package libglib2.0-dev. The last bit is libusb-dev. Now I can build the package. First everything needs to run as root, but I fixed that later with

# chmod 666 /dev/bus/usb/001/002

Later improvement will be to find an udev rule which does this automatically for device:

Bus 001 Device 002: ID 04fa:2490 Dallas Semiconductor DS1490F 2-in-1 Fob, 1-Wire adapter

With the humidity, temperature, solar sensor and the barometer I see:

# w1find DS2490-1
(1) 108FB1130208003E    18S20:high precision digital thermometer
(2) 26C1E0F1000000ED    2438:smart battery monitor
(3) 26BD60B50000002D    2438:smart battery monitor
(4) 81AF632F00000067    :Serial ID Button

With just the barometer:

# w1find DS2490-1
(1) 26BD60B50000002D    2438:smart battery monitor
(2) 81AF632F00000067    :Serial ID Button

The general config is by default in ~/.config/w1retap/rc, where I have:

init = w1file
log = w1file=/tmp/w1log
altitude = 2
device = DS2490-1

It took a bit of browsing in the documentation, but the first three sensors were easy to set up in ~/.config/w1retap/sensors:

# w1retap sensors
26BD60B50000002D:HB-BARO:Pressure:PRES:hPa::
108FB1130208003E:DS1820:Temperature:TEMP0:⁰C::
26C1E0F1000000ED:MS-TH:Humidity:HUMI:%::

And the results:

Pressure=986.59 hPa
Temperature=32.25 ⁰C
Humidity=29.06 %
udate=1304169061
date=2011-04-30T15:11:01+0200

It took a bit more to get the Solar sensor working. The DS2438 is used for both the humidity and the solar sensor according to the hobby-boards documentation for the Humidity / Temperature / Solar sensor. Browsing the samples suggests I should configure it as a DS2438 sensor with dual measurements, like

26C1E0F1000000ED:DS2438:Solar:Solar (Vsens):mV:VTMP:Temperature GHT2:⁰C::

And indeed I get a reading:

Solar=0.49 mV
VTMP=33.34 ⁰C

Switching the light in the shed back off makes the readout drop to 0, so I believe I am looking at the right value.

And now the logging works too, after waiting a bit:

2011-04-30T15:42:00+0200 Pressure 986.591492 hPa
2011-04-30T15:42:00+0200 Temperature 31.312500 ⁰C
2011-04-30T15:42:00+0200 Humidity 29.057188 %
2011-04-30T15:42:00+0200 Solar 0.000000 mV
2011-04-30T15:42:00+0200 VTMP 32.531250 ⁰C
2011-04-30T15:44:00+0200 Pressure 986.369263 hPa
2011-04-30T15:44:00+0200 Temperature 31.312500 ⁰C
2011-04-30T15:44:00+0200 Humidity 29.373028 %
2011-04-30T15:44:00+0200 Solar 0.000000 mV
2011-04-30T15:44:00+0200 VTMP 32.531250 ⁰C

Update 2011-05-01: Found the udev rule in the w1retap documentation:

root@metcalfe:/etc/udev/rules.d# cat 45-local-usb-special.rules 
#
SUBSYSTEMS=="usb", GOTO="usb_w1_start"
GOTO="usb_w1_end"
LABEL="usb_w1_start"
ATTRS{idVendor}=="04fa", ATTRS{idProduct}=="2490", GROUP="w1retap",
MODE="0666"
LABEL="usb_w1_end"

Het College Bescherming Persoonsgegevens heeft onderzoek gedaan naar het opvragen van telecomgegevens door opsporingsdiensten via het CIOT. De conclusie is ingehouden kwa woordkeuze maar erg duidelijk:

De gegevensuitwisseling tussen de opsporingsdiensten en telecommunicatieaanbieders via het Centraal Informatiepunt Onderzoek Telecommunicatie (CIOT) vindt niet plaats overeenkomstig de toepasselijke wet- en regelgeving met de daarin opgenomen waarborgen tegen misbruik van de bestanden.

Ik vind de reactie van Opstelten erg interresant: die wil politie en opsporingsdiensten die na 1 mei nog de fout in gaan de toegang tot het CIOT ontzeggen.

Ik ben benieuwd wat dit oplevert: als de politie zich aan de wet houdt stort het aantal opvragingen in. Als de politie zich niet aan de wet houdt en Opstelten voert z'n dreigement uit stort het aantal opvragingen in.

Opmerkelijk: Na alle eerdere berichten dat de tegenstand tegen het opslaan van vingerafdruk (ook) uit de gemeente Utrecht kwam (Volkskrant). Geformaliseerd door een op 10 maart 2011 aangenomen motie door de gemeenteraad Utrecht om de opslag van biometrische gegevens (vingerafdrukken) te stoppen:

Tekst van de motie: Draagt het college op:
- hiertoe een krachtig signaal af te geven aan de Minister van Binnenlandse Zaken en aan de Tweede Kamer;
- waarbij opgeroepn wordt, de wet zodanig aan te passen dat gestopt wordt met de opslag van biometrische gegevens ten behoeve van een residocumentenregistratie in enig digitaal overheidsregister.

Andere ergernis: bovenstaand is niet te vinden met zoeken in de website van de gemeente op 'vingerafdrukken'. Wat kan ik nog meer aan relevante dingen niet terugvinden?

Maar de uitvoering bij de afdeling burgerzaken van de gemeente Utrecht loopt achter: Eis van afgifte vingerafdrukken voor ID-bewijs op woensdag 27 april officieel afgeschaft - Vrijbit.nl

voorlopig is vrijbit nu in de slag met de gemeente Utrecht, waar de hele volgende dag de afname en opslag van vingerafdrukken vrolijk doorging

Toch nog maar even wachten met dat nieuwe paspoort.

Normally I use PGP/GnuPG to send signed/encrypted e-mail, but today I wanted to send someone 'from the other camp' an encrypted e-mail. He uses S/MIME, which means every mail he sends me has his public certificate included. So I configured mutt to understand s/mime with the following in .muttrc:

set smime_certificates="/home/koos/.mutt-smime/certs"
set smime_keys="/home/koos/.mutt-smime/keys"
set smime_ca_location="/etc/ssl/certs/ca-certificates.crt"

The last line means I use the system wide ca-certificates as trust base.

The rest of the config I copied from this sample of smime.rc for Mutt.

First I want the certificate from one of the previous mails. To be sure I did this by hand. I copied a previous message to the file 'importkey'. These commands are from Signing and Encrypting S/MIME Messages with mutt. First extract the PKCS#7 object:

$ openssl smime -verify -in importkey -noverify -pk7out > henk.pk7

And dump the certificates in that file:

$ openssl pkcs7 -print_certs -in henk.pk7 > henk.pem

Now I have extracted the certificate, but it isn't seen as valid:

$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem
henk.pem: /O=Persona Not Validated/CN=StartCom Free Certificate Member/emailAddress=henk@...
error 20 at 0 depth lookup:unable to get local issuer certificate

I looked at the startcom webpages but all the explanation is for the https certificates. But I found the StartSSL root certificate and the StartSSL intermediate certificate. I added these to the ubuntu certificate repository, and now:

$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt henk.pem 
henk.pem: OK

I initialized the s/mime store:

$ smime_keys init

And try to add the key:

$ smime_keys add_cert henk.pem

You may assign a label to this key, so you don't have to remember
the key ID. This has to be _one_ word (no whitespaces).

Enter label: henk

certificate 74ab03d9.0 (henk) for henk@... added.

==> about to verify certificate of henk@...
error opening the file, /home/koos/.mutt-smime/certs/74ab03d9.0
Error loading untrusted file /home/koos/.mutt-smime/certs/74ab03d9.0
675:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/home/koos/.mutt-smime/certs/74ab03d9.0','r')
675:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
'/usr/bin/openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -purpose smimesign -purpose smimeencrypt -untrusted ~/.mutt-smime/certs/74ab03d9.0 ~/.mutt-smime/certs/74ab03d9.0' returned 256 at /usr/bin/smime_keys line 838,  line 1.

It seems smime_keys does something REALLY stupid:

$ ls -l /home/koos/.mutt-smime
ls: cannot access /home/koos/.mutt-smime: No such file or directory
$ ls -l /home/koos/~/.mutt-smime
total 8
drwx------ 2 koos users 4096 2011-04-29 10:19 certs
drwx------ 2 koos users 4096 2011-04-29 10:18 keys

Somewhere ~ is used without shell-expansion. The icky workaround:

$ ln -s ./~/.mutt-smime .mutt-smime

Now I can redo the whole trick knowing this:

$ smime_keys add_cert henk.pem 

You may assign a label to this key, so you don't have to remember
the key ID. This has to be _one_ word (no whitespaces).

Enter label: henk

certificate 74ab03d9.0 (henk) for henk@... added.

==> about to verify certificate of henk@...

/home/koos/.mutt-smime/certs/74ab03d9.0: OK

And now I can send an e-mail!
Update 2011-05-01: Ok, the other side is (no surprise there) Henk van de Kamer who wrote about his experience receiving my S/MIME encrypted but not signed e-mail, in Dutch. He did install GPG / the enigmail plugin in the past but I just couldn't find his pgp key.

As I joked: just documenting all this and writing it down gives enough material for one or two 'Het Lab' articles.

Naast het bijhouden van de Mifare classic kaarten waar ik naar gekeken heb op de ov-chipkaart wiki bij pc-active wil ik natuurlijk ook mijn onderzoek zelf publiceren. Het blijft een wiki, dus wil ik 'mijn' feiten ook ergens neerzetten waar ze van mij blijven. Dus alles rond mijn RFID experimenten nu bij elkaar: RFID experimenten met ook hoe ik de touchatag reader gebruik onder Linux

Het lijkt er op dat het (tijdelijk) goed komt: Opslag vingerafdrukken voorlopig van de baan - volkskrant.nl

De opslag van vingerafdrukken uit een biometrisch paspoort wordt voorlopig stilgezet.

Eigenlijk is het stukgelopen op de kwaliteit van de vingerafdrukken en de controleerbaarheid:

De verscheidene deskundigen lieten blijken weinig vertrouwen te hebben in het biometrische paspoort en ze zagen risico's voor de veiligheid en privacy. Ook de effectiviteit zou te wensen overlaten. Max Snijder van European Biometrics Group zei dat er in 21 procent van de gevallen geen herkenning van het paspoort plaatsheeft, terwijl 3 procent acceptabel werd geacht.

Dat probleem is er dus ook als bij een grens de vingerafdruk opgeslagen in het paspoort vergeleken gaat worden met de vinger van de eigenaar. Ik zou zelfs verwachten dat het aantal fouten toeneemt op de lange termijn: die 21% fouten was al tussen aanvragen van het paspoort en ophalen.

De al verzamelde vingerafdrukken moeten vernietigd worden: Afgenomen vingerafdrukken worden vernietigd.

Maar Donner lijkt duidelijk de opties voor de toekomst open te houden. Het zou mooi zijn als deze wetten eens getoetst zouden worden aan de Nederlandse grondwet, en dan vooral op hoofdstuk 1 artikel 10 van de Nederlandse grondwet lid 1:

Ieder heeft, behoudens bij of krachtens de wet te stellen beperkingen, recht op eerbiediging van zijn persoonlijke levenssfeer.

Mijn mening is dat 'iedereen als potentiële crimineel behandelen' niet meer valt onder 'beperkingen' zoals de wetgever het hier bedoelt moet hebben.

Het blijft altijd opletten of onze rechtsstaat niet bedreigd wordt van binnenuit.

Eerder merkte ik op hoe er een community aan het ontstaan was rond de kennis over de ov-chipkaart.

Ondertussen is www.ov-chipkaart.org ten onder gegaan aan juridische druk. Maar PC-Active heeft het stokje opgepakt en de ov-chipkaart.org wiki weer on-line gezet. Wat ik al in de gaten had omdat ik gelezen had over het inrichten van de mediawiki hiervoor. Omdat de onderzoeksmethoden die ik gebruik voor de Magna Carta kaart ook werken voor andere Mifare classic kaarten ben ik begonnen daar ook een en ander over te schrijven op die wiki. Zo kan ik ook mijn kleine bijdrage leveren aan die community en aan de verzamelde kennis.

Just had a call with a caller-id in Djibouti and when I answered I heard a short beep followed by silence and the word "Goodbye" clearly from an Alison recording as available in Asterisk.

I guess at least a voip server somewhere in Djibouti has an abuse problem.

De cryptowars komen weer terug: Justitie wil encryptie verbieden. Het lijkt er op dat justitie het wel vaker maar erg lastig vindt dat de grondwet een duidelijke mening over privacy heeft. Maar Jet Hoogendijk roept maar wat in een wens om een handvat te hebben om iedereen aan te pakken die niet meewerkt aan zijn of haar veroordeling. Niet gehinderd door enige kennis van zaken. Het nadeel is alleen dat Jet Hoogendijk wel in een positie is om schade aan de samenleving en schade aan personen toe te brengen.

De vorige Nederlandse cryptowars waren in 1994: Woedende reacties op cryptoverbod.
Update 2011-04-22: OM prikt proefballon encryptieverbod door - Webwereld

Het komt misschien toch weer een beetje goed met de privacy in Nederland: Steeds meer tegenstand centraal opslaan vingerafdrukken.

Steeds meer gemeenteraden keren zich tegen het opslaan van vingerafdrukken uit het paspoort. Utrecht en Amersfoort willen een einde aan de opslag, zowel centraal (landelijk) als lokaal.

Misschien haal ik het om net niet mijn vingerafdrukken opgeslagen te krijgen buiten mijn paspoort, dat moet in mei van 2011 vervangen worden.

De eerste kamer heeft ook nog wat potentiele schade aan onze privacy voorkomen: AIVD mag toch niet dataminen in alle Nederlandse databases.

Het gaat hier om de aanpassing op de Wet Inlichtingen- en veiligheidsdiensten. Met deze wet zou het mogelijk worden voor de AIVD om alle databases van alle overheidsinstanties en bedrijven op te vragen om te gebruiken voor “analyse”. Deze wet wat door de Tweede Kamer al goedgekeurd. Maar de Eerste Kamer blijkt haar rol als bewaker van de grondwet dit keer zeer serieus genomen te hebben. Daar ontstond zoveel weerstand dat verder afgezien wordt van verdere behandeling van deze wet.

At work I set up a shared mediawiki setup, where there is one install of the complete mediawiki source and mediawiki instances are a few symlinks and a LocalSettings.php with each their own database, dns name and other settings. Works like a charm for new mediawiki instances.

But now I wanted to migrate an existing mediawiki to this setup. A mediawiki old enough to not have the MediaWiki dumpBackup.php script so I had to export data by hand. It took a bit of searching, but in the end the documentation for the MediaWiki export function had the right hint:

Using 'Special:Export'

• Go to Special:Allpages and choose the desired namespace.
• Copy the list of page names to a text editor
• Put all page names on separate lines
• Prefix the namespace to the page names (e.g. 'Help:Contents'), unless the selected namespace is the main namespace.

Putting the page names on separate lines was a :%s/\t/^M/g in vim, and indeed the trick worked although I needed to change the php settings a bit according to the MediaWiki import function to allow for the import to take its time.

One thing that I found was that the Main_Page in the newly setup MediaWiki was newer than all the imported revisions, so I still saw the 'welcome' version and couldn't revert it. As a workaround I deleted the Main_Page and redid the import which went a lot faster as the import function checks whether the page/revision in the import is already in the wiki.

Have you tested your readyness for world IPv6 day yet?. Go test your IPv6 readyness now! A good test which gives details and good explanations about what works and what doesn't.

Lots of news on the web today that Comcast in the US is offering a new cable Internet service with 105 megabit/second downstream speed. I first read it in Comcast Offers Smoking-Fast Broadband at Wallet-Burning Price - Wired. Also at Comcast bumps up speed for home-Internet users - USA Today.

In the advertising they compare it to T-1 speeds (1.544 megabit/second symmetrical): this service is more than 60 times as fast. Well, it is in the downstream direction at least, I see no mention at all of the upstream speed.

But as I wrote in Usenet newsgroup comp.dcom.telecom aka the telecom digest in response, the monthly cap at comcast is still lower than the one on that business T-1.

Jim Bennett wrote in <20110415041510.GD32349.msgid.telecom.csail.mit.edu>:
>> Jon Swartz, writing in USA TODAY [April 14, 2011] wrote:
>>
>> The service delivers data at 105 megabits per second - more than 60
>> times faster than a T-1 line, which most businesses rely on, Comcast says.
>>

> Comcast has been comparing their basic business package to T1 service in
> their radio ads for a while now.  I have always found it to be an
> "apples to oranges" comparison, because most businesses that I know who
> have a T1 use it for phone service - as it was intended.

It (has been) a popular measure of bandwidth: I have seen cases where
marketing types of european internet-related companies kept insisting an
answer whether they had T1 or T3 connectivity (back when T1 was
'affordable' for a company and a T3 'expensive'). Having something else was
incomprehensible.

But there is one thing a (business-rate) T1 Internet connection offers[3]
which comcast isn't even getting close to: you can fill it with IP
traffic 24 hours per day for the entire month and the worst that could
happen is a salesguy calling up if you might be interested in an upgrade.

Back of the envelope calculation[1]: that's over 380 gigabyte/month in one
direction.

Current highest monthly cap for comcast services is 250 gigabyte/month[2].

[1] 150000 bytes/second * 3600 seconds * 24 hour * 30 days = 388800000000
bytes.

[2] source:
http://www.maximumpc.com/article/news/comcast_rolls_out_105mbps_internet_across_nation

[3] based on http://ascii.textfiles.com/archives/1825

Friday afternoon, so I tried to make Ubuntu talk to my bluetooth headset. I couldn't get it to work in my own (non-gnome) environment. The pairing worked, but alsa-bluetooth didn't get active. In a gnome environment I could select the bluetooth as default audio and get delayed and bad-sounding audio events in one ear. But playing an mp3 caused just a bunch of noise.

Ages ago I added scripts to our zabbix install to monitor a 3ware raid controller for raid failures. But at the moment we have a raid with a disk in error state but the raid unit is still listed as 'optimal'. Change of measuring script:

#!/bin/sh

sudo /usr/local/sbin/tw_cli '/c0 show drivestatus' | grep '^p' | awk ' $2 != "OK" { print } ' | wc -l

This now counts the number of disks not reporting 'OK' as state. Which is for the unit currently:

# /usr/local/sbin/tw_cli '/c0 show drivestatus'

Port   Status           Unit   Size        Blocks        Serial
---------------------------------------------------------------
p0     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p1     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p2     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p3     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p4     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p5     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p6     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p7     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p8     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p9     OK               u0     931.51 GB   1953525168    xxxxxxxx            
p10    OK               u0     931.51 GB   1953525168    xxxxxxxx            
p11    OK               u0     931.51 GB   1953525168    xxxxxxxx            
p12    OK               u0     931.51 GB   1953525168    xxxxxxxx            
p13    DEVICE-ERROR     u0     931.51 GB   1953525168    xxxxxxxx            
p14    OK               u0     931.51 GB   1953525168    xxxxxxxx            
p15    OK               u0     931.51 GB   1953525168    xxxxxxxx            

But the entire state is stil 'Opt' :

# /usr/local/sbin/tw_cli 'show'

Ctl   Model        (V)Ports  Drives   Units   NotOpt  RRate   VRate  BBU
------------------------------------------------------------------------
c0    9650SE-16ML  16        16       1       0       1       1      OK

So the test had to change.

Back to the old-school 'what is someone doing' interface which old-timers used way before the world wide web:

koos@greenblatt:~$ finger khoos@twitter@any.io
[any.io]
Login: khoos                            Name: Koos van den Hout
Directory: http://twitter.com/khoos     Shell: twitter
Office: Netherlands                     Home Page: http://idefix.net/
Last login Thu Apr 14 09:18:31 GMT 2011 on web
Project:
Father, system administrator, book lover, cat owned, photographer, recumbent cyclist, snowboarder
Plan:
RT @marcodavids: My #IPv6 tip of today: one good way of deprecating IPv4 is to consistently refer to it as a 'legacy protocol' (which it ...

Awesome. See more interfaces between the old and the new at Any.io - Twitter and Identi.ca through DNS and finger.

Ervaring van de dag: de route werkplek naar kinderdagverblijf is met de auto een stuk trager dan met de fiets. De grote verkeersstromen in de Uithof richting (de file op) de A28 zorgen voor veel wachten.

Mijn woon-werk fietsroute is 3 of 4 dagen per week via de Bilt, omdat die route met de fietskar achter de ligfiets normaal wat vriendelijker is. Maar de laatste week is het lastig fietsen op een voor fietsers belangrijk knooppunt in de Bilt wegens werkzaamheden. Toch maar een e-mail over geschreven aan D'66 de Bilt en de Fietsersbond afdeling de Bilt:

Ik woon in het noorden van de stad Utrecht en ik werk in de Uithof. Ik ga
als het enigzins kan met de fiets naar mijn werk. Voor mij is de route
via de Bilt (Blauwkapelseweg, Burgemeester de Withstraat, Kapelseweg,
fietstunnel, Oude Bunnikseweg) een prettige doorgaande route om zonder
al te veel verkeerslichten op mijn werk te komen.

Op dit moment wordt aan de bestrating gewerkt, eerst op de Burgemeester de
Withstraat en nu op de Dorpsstraat.

Bij de eerste fase op de Burgemeester de Withstraat was er nog een
omleiding voor fietsers vanuit de richting Fort Voordorp.

Maar nu het knooppunt Burgemeester de Withstraat / Dorpsstraat / Kapelseweg
compleet open ligt is er niets voor het doorgaande fietsverkeer. Ik heb
vandaag nog eens rondgekeken op de diverse routes er naar toe maar het
beste wat ik op sommige van de wegen kan vinden is een bordje 'doorgaand
rijverkeer gestremd'.

Als fietser mag ik daar maar uitzoeken hoe ik verder kom en eventueel de
fiets door het zand slepen.

Uiteindelijk is er wel een omleidingsroute te beredeneren maar het zou toch
een stuk vriendelijker zijn naar de doorgaande fietser als er beter
aangegeven wordt wat de omleidingsroutes zijn en als bij werkzaamheden die
doorgaande fietsroutes betreffen daar rekening mee gehouden wordt.

Ik heb het gedrag van de bouwvarkers ten opzichte van fietsers maar niet genoemd, dat is niet direct het probleem van de opdrachtgever maar meer van de aannemer (jammer is dan dat een aannemer niet verplicht duidelijk contactgegevens hoeft te geven bij werkzaamheden aan de openbare weg).
Update 2011-04-10: Reactie van D'66 De Bilt dat ze aandacht zullen vragen voor het tekort aan bewegwijzering.

A Tiny Day in the Jackson Hole Backcountry by Tristan Greszko. Great video by Tristan Greszko using tilt-shifting and a stop-motion effect. The brain really thinks it is watching an animation in miniature scale, but it is all video of 'real' things and views.

Found via Tilt-Shifted Ski Resort Delivers Thrills in Miniature - wired.com

Did a DVB-T services scan this morning because the tropospheric ducting forecast for north-west Europe showed interesting conditions coming up. In the first part of the scan I saw something happen at 690 MHz which may have been the German ARD Mux from Nordrein-Westfalen but it went away before the service enumerating phase. So it's not listed in the DVB-T reception log for today.

Tip: when searching DNS answers for certain IP addresses, use the -n flag for tcpdump. Otherwise tcpdump will 'helpfully' resolve the IP back to a name.

You may need to scroll the output below to the right to see what I mean.

# tcpdump -r zorin.pcap port 53 -v | grep webcam
14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) zorin.cs.uu.nl.53459 > kwak.cs.uu.nl.domain:  41099+ A? webcam.idefix.net. (35)
14:02:27.734230 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 17, length: 241) kwak.cs.uu.nl.domain > zorin.cs.uu.nl.53459:  41099 1/3/5 webcam.idefix.net. A koos.idefix.net (213)

And what I was testing for:

# tcpdump -nr zorin.pcap port 53 -v | grep webcam
reading from file zorin.pcap, link-type EN10MB (Ethernet)
14:02:27.731039 IP (tos 0x0, ttl 128, id 24132, offset 0, flags [none], proto 17, length: 63) 131.211.80.21.53459 > 131.211.80.32.domain:  41099+ A? webcam.idefix.net. (35)
14:02:27.734230 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 17, length: 241) 131.211.80.32.domain > 131.211.80.21.53459:  41099 1/3/5 webcam.idefix.net. A xx.xx.xx.xx (213)

That is something I can grep for a weird IP.

About 6 years after the maximog special vehicle based on an Unimog Wired comes with a gallery of pictures of the custom Mercedes-Benz Zetros trucks built for Mongolian businessmen. Niiice!

Wow, e-mail with two warnings! Not only:

Sent from my iPhone

But it gets worse:

Shot with my Hipstamatic for iPhone

And indeed, just two attachments with distorted pictures. Maybe 'shot with my hipstamatic' means 'shoot from the hip and embarass people to dead with the resulting pictures!'

Project sundial, my project for a low-power weather-station / ntp server in the shed still lives. I have thought about the software setup and I think w1retap, developed for the Netley Marsh 1-wire weather station is an ideal candidate as it deals with the usb-1-wire interface without a hitch. But I want the project sundial 'computer' to be a minimal system and I want the data to be logged to the home server. So I checked whether w1retap can work in this setup. The simplest solution would be to use the postgres database on the server and install a postgres database on the client.

I can develop/debug this on the shednet computer and weather station. Time to whip out the plastic and order weather sensors at Hobby-boards. Ordered: USB 1-wire interface, barometer, thermometer and humidity sensor with needed powersupply and all with moisture-resistant coating.

The Netley Marsh weather station also has nice pictures how to house the outside weather sensors nicely. I'll use those as inspiration.
Update 2011-04-04: Order status: Processing...
Update 2011-04-07: Order status: Shipped...
Update 2011-04-28: Package received! It took a while.

Some searching (and some more searching) seems to suggest that there is no current offering in dab / dab+ receivers in the form of an usb stick with linux drivers. Google searches only find one project which talks about hardware which is very specialized or not available anymore.

The weird thing is, ubuntu comes with a dabusb.ko:

filename:       /lib/modules/2.6.32-30-generic/kernel/drivers/media/video/dabusb.ko
license:        GPL
description:    DAB-USB Interface Driver for Linux (c)1999
author:         Deti Fliegl, deti .at. fliegl.de
srcversion:     42A420F0B848548BB5209BB
alias:          usb:v0547p9999d*dc*dsc*dp*ic*isc*ip*
depends:        
vermagic:       2.6.32-30-generic SMP mod_unload modversions 586 
parm:           buffers:Number of buffers (default=256) (int)

But I can only find a dab reference reciever as a project Digital Audio Broadcasting by (indeed) Deti Fliegl, which references a hardware design by BayCom for an usb dab receiver by BayCom which looks like it now should live at Terratec. It does link to pages about the Terratec DRBox1 on their ftp server but I can't find it on the Terratec products website anymore. For as far as I can see this device does not support DAB+. But it does allow full access to all intimate details of DAB. A public version of this can be seen at www.dabmon.de.

The inspiration for this search was the news that commercial radio stations in the Netherlands will start testing with DAB+ somewhere in the future. There is a DAB feed for the public broadcasters already. If this gets accessible on a budget I will be interested.

Eindelijk! Chriet Titulaer maakt schoon schip bij NASA - De speld.

Briljant stukje werk weer van de speld.

Wardriving results 2 August 2010 - 30 March 2011: 3432 new networks with GPS locations according to WiGLE.

Yes, six months for a wardriving results update. Something to do with other priorities in life!

I wanted to test the old gpskit gps receiver I originally bought for wardriving with the shednet computer. I had the gps antenna on the roof of the shed and the gps module inside and wanted to hook up the serial cable to the back of the PC.

One minor detail: the PC only has one serial port...

[   12.874582] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[   12.875353] 00:07: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

which is in use by the weather station in the shed. So.. back into the crate with old but usable computer hardware with the gpskit.

What is it with modern PCs and the shortage of serial ports (or complete lack of them). I want to test gps timekeeping over serial, so usb to serial is not usable (introduces jitter). Time to make sure the planned hardware for project sundial has enough 'real' serial ports.

And it has, the dmesg for an alix.1c mainboard from the wardriving box shows the right answer:

Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
00:07: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
00:08: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A

KPN stopt met MobielTV via DVB-H.

DVB-H is uiteindelijk niet de wereldwijde standaard geworden voor MobielTV. Er komen geen nieuwe toestellen op de markt, die de techniek ondersteunen. KPN heeft daarom besloten te stoppen met MobielTV via DVB-H en de frequenties die nu daarvoor worden gebruikt straks in te zetten voor verbetering van Digitenne.

Hoe 'mobiele TV' via dvb-h apart nog kon bestaan vroeg ik me anderhalf jaar geleden al af. KPN heeft de conclusie duidelijk ook getrokken en kan de vrijgekomen frequentieruimte ook prima gebruiken om BBC 1 en 2 door te geven en misschien de andere digitenne kanalen wat meer bandbreedte te geven (ik kan dromen..). Gevonden via: KPN trekt stekker uit mobiele televisiedienst - nu.nl

Ik ben benieuwd wat Callmax en mobiele tv nederland nu gaan doen.

Callmax heeft sinds 11 februari 2009 een vergunning voor de L-band maar voldoet al niet meer aan de eisen in deze vergunning:

De vergunninghouder neemt binnen 36 maanden na de inwerkingtreding van de vergunning in ten minste in 16 van de in 117 gebieden bedoeld in de figuren 2.1 tot en met 2.16 een opstelpunt in gebruik en houdt deze in gebruik

Bron: Radio-tv-Nederland.nl: vergunning digitale omroep L-Band Callmax. Op hun eigen website noemt Callmax hun mobiele tv plannen al niet meer zo te zien.

Mobiele tv Nederland is iets meer in beweging en heeft zelfs begin maart 2011 de proefuitzendingen uitgebreid (ook gevonden via radio-tv-nederland.nl). Waarmee ze ook aardig achter lopen op hun eigen planning (in 2010 landelijke dekking). Ik zie hun specifieke vergunning zo gauw niet, dus ik kan niet zien wat daarin voor eisen staan kwa datums en dekkingsgraden.

Bit of irritation at work today: several servers to be decommissioned so I wanted to wipe the disks. Armed with 2 dban cd's and one dban bootable usb stick I thought I had everything. But the end result was 0, due to cd players with trouble reading the cd's, drivers missing for newer harddisk controllers and 3 systems not wanting to boot from usb. The newest server saw usb for boot but gave a boot error when trying. Time to bring out the pxeboot pxelinux setup (aka heavy duty boot service). But with a twist: on the big client vlan at work there is a pxe/dhcp setup for centrally managed windows desktop PCs which responds to *all* pxe dhcp requests and not just those from the managed PCs. So I had to move systems to a vlan where this doesn't happen.

It all worked although 2 systems didn't want to boot the dban pxe image. Workaround: Boot the PLD Linux rescue CD which I added to the Heavy Duty Boot Services (screenshot of bootmenu). The PLD Linux rescue cd includes the wipe program.

Interesting: yesterday between 04:05 and 04:37 ADSL was down completely, including loss of DSL sync according to the modem. But since that period the connection is more stable and the error counters don't go as fast as they used to.
Update 2011-04-08: Interesting: when I visit the xs4all adsl site and try to order a new DSL product at our home address I get the option for 40 mbit downstream/3 up. When I use the option to change our current subscription the limit is still 20/1. Something has changed...

Found via Help Make Better Map of Global Light Pollution - Wired science: The Globe at Night project gathering data about the light pollution all over the world.

I remember really 'seeing' light pollution when on a late trip in a very dark area in Schotland we stopped and I looked up and I saw the Milky Way for the first time.

So all go, look at the sky in the evening and help improve the light pollution map of the world!
Update: The Bad Astronomer also writes about light pollution (but does not mention the globe at night project): The skies at night, are too darn bright found via Help Map Global Light Pollution, By Starlight - Slashdot.

The UU has changed certain settings of the Eduroam wireless network. And this change causes a problem with my Nokia E71. The change to the network includes a change in the certificate which has a different root certificate. I tried installing the AddTrust External CA Root certificate in the phone. It took me a while to find what the correct form of a certificate is: it has to be a DER format certificate and mime-type application/x-x509-ca-cert. To convert the certificate from the usual pem form I had to use:

openssl x509 -in AddTrust_External_CA_Root.pem -outform der -out AddTrust_External_CA_Root.crt

And download that .crt into the phone using the system browser. But even when I select that certificate for verifying the Eduroam network it fails at the moment.
Update 2011-03-23: Support had one look at the phone and decided to update the firmware first before trying to get eduroam running.
Update 2011-03-25: Updated firmware now gives me a working connection.

I recorded a podcast narrating an experiment in telephony and blueboxing.

Via the blog linked to the history of phone phreaking I found about an audio art project dedicated to Joybubbles, one of the oldest phone phreaks. This audio art is available in style, via the telephone. On a phone number in New York city: country code 1, number 718-362-9578.

I can call this as an international call, which will cost me, but with the current competition on prices for phone calls that isn't too big a deal.

But there is a better way. More in style. Combining the modern technology of Voice over IP with old-school phone phreaking.

Listen to me setting up the call via voip and ProjectMF in the US and blueboxing it from there to New York. But with permission from the owner of ProjectMF.

Websites mentioned in this podcast:

• The History of Phone Phreaking where Phil Lapsley is working on documenting the history of phone phreaking.
• Blueboxing revival page with the beepbeep bluebox for Linux
• Project MF a simulator of an analog MF telephone system.
• Rachael Morrison's "Joybubbles" - The History of Phone Phreaking Blog
• Joybubbles audio collage by Rachael Morrison.

Yes, quality of the recording isn't great. The setup with a speakerphone generates lots of echo. And I need to work on my presentation.

Wise words from The Register in Fukushima is a triumph for nuke power: Build more reactors now!. The conclusion:

all plants are now well on their way to a cold shutdown. At no time have their operators come even close to running out of options. No core has melted down and come up against the final defensive barriers: the safety systems did not come even close to failing, despite being tested far beyond what they had been designed to take. One person has sustained a small dose of radiation which need cause him no concern.

Certain subjects to search for are really 'contaminated' by lots of sites trying to earn a bit from those searches. I tried to search (using google) for the lyrics of "Radioactivity" by Kraftwerk. Lots of sites with popups, blinking stuff and loads of ads where the content I was looking for is hidden deep below those layers.

Someone suggested lyricsmode and there the interface is 'doable'. 'Just' 4 google ads (one graphic, one flash) and a ringtone link: Kraftwerk Radioactivity lyrics

Maybe 'Fukushima' will fit in the list 'Tschernobyl, Harrisburgh, Sellafield, Hiroshima'.
Update 2011-03-15: Good news reporting is taking over with regard to the Fukushima power plant and it's clear that currently the situation is under control.

Voor het weerbericht in Asterisk gebruik ik nu festival open source speech synthesis (spraak generator). Ik heb voor de aardigheid eens gespeeld met de demo-versie van Cepstral text-to-speech en dat klinkt stukken beter. Als ik iets serieuzer dan 'demo scriptje' text to speech zou willen zou ik wel cepstral aanschaffen en gebruiken.

Vanmorgen diverse meldingen van dezelfde phishingmail op het werk. Zo'n enorm kletsverhaal en zo ranzig slecht Nederlands dat er een record aantal meldingen over binnenkwam en er niemand op gereageerd heeft.

Geachte Account Abonnee,
Account Server: https: / / mail.cs.uu.nl / webmail / src / login.php
Afdeling Informatica
  
    
Dit E-mail is uit het Squirrelmail administratieve eenheid en we zijn
te sturen naar elke cs.uu.nl rekeningen gebruiker voor
onderhoud / upgrade Gebruiker beveiligingssysteem. We zijn met congesties
te wijten aan
de anonieme registratie van cs.uu.nl rekeningen dus we zijn
het afsluiten van een aantal cs.uu.nl rekeningen, zodat uw rekening moet
opnieuw worden bijgewerkt als gevolg van deze aandoening.
    
Wij sturen u deze e-mail, zodat u kunt controleren en om voor
veiligheid en het onderhoud van uw account. Als u nog steeds
geïnteresseerd in
zijnde een cs.uu.nl accountgebruiker gelieve te bevestigen van uw account
door het invullen van de ruimte hieronder.
Informatie nodig zou zijn om uw account te verifiëren.

* Gebruikersnaam: (.................) (verplicht)
* Wachtwoord: (..........................)( Verplicht)
* Geboortedatum: (..........................) (optioneel)
* Land of gebied: (..................) (optioneel)
* Beveiliging Vraag: (....................) (Verplicht)
* Beveiliging Antwoord: (.....................) (Verplicht)
    
Voordat u uw account gegevens aan ons, bent u adviseren Log in
deze onderstaande link:
    
https: / / mail.cs.uu.nl / webmail / src / login.php

OPMERKING: Als uw account te doen Login stuur ons de details, anders
betekent het
het is al verwijderd. Sorry voor het ongemak dat dit kan
ertoe leiden dat u We proberen alleen maar om ervoor te zorgen u surfen op
het net te maken met perfectely
onze rekeningen.

Alles wat je hoeft te doen is Klik op Reageer en het aanbod van de
bovenstaande informatie, uw
rekening zal niet worden onderbroken, maar alleen opgewaardeerd.
Bedankt voor uw aandacht op dit verzoek.
Nogmaals Onze excuses voor het eventuele ongemak.

* * * LET OP * * *

Gebruikers die weigert zijn / heraccount update na 7 dagen
ontvangst van deze waarschuwing verliest zijn of haar account permanent.

Ongeautoriseerde toegang tot deze computer is in strijd met de geannoteerde
Code, Strafrecht artikel? 8-606 en 7-302 en de Computer Fraud and
Abuse Act, 18 U.S.C. ? 1030 ev. Dit kantoor kan toezicht houden op het
gebruik van haar
IT-middelen, zoals toegestaan door de staat en federale wetgeving, met
inbegrip van de
Electronic Communications Privacy Act, 18 U.S.C. ? 2510-2521 en de Md
Geannoteerde Wetboek, rechtbanken en gerechtelijke procedures artikel,
artikel 10,
Ondertitel 4. Iedereen met behulp van dit systeem erkent dat alle
toepassingen die onderworpen is
tot (cs.uu.nl /) Beleid inzake de Acceptable Use van informatie
Technologische middelen beschikbaar op:


https: / / mail.cs.uu.nl / webmail / src / login.php

Webmail Eenheid / Universiteit Utrecht (cs.uu.nl)

Gewoon puur vermaak. Grappig is dat als ik probeer met google translate het originele Engels af te leiden (er zitten wat hints in dat dit origineel Engels was) ik beter Nederlands krijg. Dus ik denk dat de originele auteur ook niet Engels als primaire taal heeft.
Maar ik heb de bron wel getraceerd (was niet moeilijk).

Wegens de aangekondigde prijsverhogingen van xs4all ga ik het 08587 nummer van mijn asterisk demo projecten opheffen. Het is leuk om een 'vastnet' telefoonnummer te hebben wat een paar keer per maand gebeld wordt door mensen die mijn asterisk scriptjes willen uitproberen maar daar heb ik geen 2.50 euro per maand voor over.

Maar niet getreurd: Via UK DDI kan ik wel een telefoonnummer in Engeland krijgen wat mij verder niets kost (wel degenen die er naar bellen natuurlijk) en afgeleverd wordt op de SIP server naar keuze. En dat heeft nog als voordeeltje dat bij sommige Nederlandse aanbieders een vastnet telefoonnummer in Engeland bellen goedkoper is dan een 085 nummer in Nederland. Het mooie van concurrentie in de telecommarkt.

Het nieuwe testnummer voor asterisk demo projecten: +441284400032 waar de aardige meneer zal vragen de verdere bestemming in te voeren. De keuze van het plaatsje Bury St. Edmonds in Engeland is vanwege goede herinneringen aan een bezoek daar jaren geleden.

Ooit toen ik jong was wilde ik graag luisteren naar AFN (American Forces Network) Soesterberg. Vanuit Nieuwegein lukte dat soms (meestal niet), maar op de autoradio iets dichter in de buurt lukte dat wel. Mooi om te horen altijd, ik herinner me heel sterk: "It's three o'clock in central europe and the news is next on AFN!"
Dat was toen, ondertussen is het station weg met het verdwijnen van de Amerikanen van Soesterberg. Maar ik kreeg toch een beetje een 'blast from the past' toen ik onderweg naar mijn schoonouders in Brunssum recent een beetje zat te zoeken op de radio en een zender tegen kwam met als RDS ident 'CFN-RFC'. Dat blijkt de Canadian Forces Network (of natuurlijk Réseau des Forces canadiennes) te zijn, de radio zender van het Canadese leger die in de omgeving van Brunssum gewoon 'on-air' is. Het bereik is nog best groot: ik vond de zender bij Windraak en op de terugweg viel het pas weg op de A2 ten noorden van Sittard. Met in het avondprogramma de te verwachten lokale aankondigingen van het leger en makkelijk te luisteren muziek. Maar ook gewoon te beluisteren via een internet radio stream.

Welkom Bij Uw ING Bank,

Je hebt een nieuw bericht van ING.U uitgenodigd Om in te loggen.
Uw ING internetbankieren te lezen uw bericht.
Inloggen Mijn ING

Online banking security Yoda needs!

Toch maar even doorgegeven naar het juiste adres voor phishing meldingen bij ING.

De urls wijzen er op dat de phishing sites draaien op joomla sites waar op ingebroken is.

I tested saving all traffic from a SIP phone using tcpdump and extracting the audio using wireshark. This works fine, which means I can record a call for a podcast project I'm working on (writing the script, working on technical details). Watch this space for updates...

First thing in the planned asterisk cleanup: IAX2 trunking. It took me a few tries and some debugging settings to get it right. So I'm sharing it with the world.

First of all a description of the setup: the pcgg demo asterisk which can hang out wherever on the Internet behind a NAT router. The other asterisk is pbx.idefix.net which lives at a fixed IP. So the config on the dynamic host is to register with the static host. Relevant parts of iax.conf on the pcgg demo asterisk:

register => link2idefix:secret@pbx.idefix.net

..

[link2idefix]
type=friend
username=link2idefix
secret=secret
auth=md5
context=idefix-in
host=pbx.idefix.net
trunk=yes
qualify=yes

And using it in extensions.conf for dialing from the pcgg demo asterisk to extensions on pbx.idefix.net:

exten => 8100,1,Dial(IAX2/link2idefix/${EXTEN})

Context idefix-in in extensions.conf is a simple one:

[idefix-in]

include => localnumbers

But I like to create separate contexts for different incoming links. Most will include one or more contexts of usable numbers.

The other end looks quite similar. Part of iax.conf on pbx.idefix.net:

[link2idefix]
type=friend
host=dynamic
context=pcgg-in
username=link2idefix
auth=md5
secret=secret
trunk=yes

Naming the context different from the username gave errors like:

chan_iax2.c:5355 register_verify: No registration for peer 'link2idefix' (from xx.yy.zz.pp)

So that is why those are the same. The pcgg-in context is similar:

[pcgg-in]

include => localnumbers
include => localscripts

Dialing from pbx.idefix.net to the pcgg demo asterisk is also simple. An entry in extensions.conf:

exten => _800[045],1,Dial(IAX2/link2idefix/${EXTEN})

Which indeed fails when the other exchange hasn't registered itself. To improve this (and give a reasonable error tone or audio message when this happens) I wrote a macro to deal with the return status from the Dial() command:

[macro-remoteexten]
;
; dial a remote extension (another asterisk or over sip trunk)
; ${ARG1} - Dialstring (IAX2/link2idefix/8100)
;
; ${CALLERID} is untouched and supposed to be set correctly already
;
; typical uses
;
; Macro(remoteexten,IAX2/link2idefix/${EXTEN})
; Macro(remoteexten,SIP/voip.phonecaster.de/49931663991377)
; Macro(remoteexten,IAX2/cnetguest@projectmf.homelinux.com/17622600)

exten => s,1,Progress()
exten => s,2,Dial(${ARG1},30)           ; Ring the remote, 30 seconds maximum
exten => s,3,Goto(s-${DIALSTATUS},1)            ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)
exten => s-BUSY,1,Playtones(busy)
exten => s-BUSY,n,Wait(120)
exten => s-CHANUNAVAIL,1,Playtones(info)
exten => s-CHANUNAVAIL,n,Wait(120)
exten => s-CONGESTION,1,Playtones(congestion)
exten => s-CONGESTION,n,Wait(120)

Which changes the above to:

exten => _800[045],1,Macro(remoteexten,IAX2/link2idefix/${EXTEN})

This makes the result of dialing a lot better to understand. Another upgrade would be nice audio messages. Or not completely nice ones, such as this "Due to the earthquake in the area you are calling, your call cannot be completed as dialed".

Lots of use of Asterisk config iax.conf - voip-info.org and Asterisk cmd Dial - voip-info.org

Hmm.. lots of stuff in the configs for my asterisk systems seems to be 'organically grown' and isn't quite right anymore after upgrades on several of the systems.

Time for a cleanup, switch all trunks between asterisk servers to IAX (SIP trunks have limits when using 'known' phone user ids). And a dialplan cleanup, which script runs where and which handset can register where.

But not right now.

Pfew.. most of the day lost to getting the Xen cluster at work working again. It's based on redhat cluster 2 and that part failed miserably. Both nodes were in a state which reminded me of a zombie cowboy: constantly shooting each other and rebooting. In the end I disabled one node physically (shutdown, removed power cables) and configured the other one to work alone. I think the cause of the problems was all virtual machines starting at once, all going intensive on their disk images via iscsi (all probably doing an fsck because of the unclean shutdown), causing delays and blocked processes, causing non-response to the cluster communications, causing the other node to fence the node, causing more problems, repeat.

Ik heb duidelijk wat gemist: het openingsfeest van Hack42. Maargoed, ik heb andere lol gehad met een zoon die nieuwe dingen aan het leren is.

Erg gaaf dat het ze gelukt is in Arnhem om een hackerspace te krijgen met een enthousiaste groep mensen er om heen. Ik ken er een paar van en op de foto's zie ik ook de nodige bekende gezichten. Ik wens iedereen van Hack42 veel succes bij het project, veel kennis uitwisseling en heel veel toffe projecten.

Mooie visualisatie van zes maanden telecommunicatie gegevens van Malte Spitz, lid van de 'Bundesvorstand' (leiding) van partij BÜNDNIS 90/DIE GRÜNEN. Het heeft hem de nodige moeite gekost om de gegevens te verkrijgen. Een hele goede visualisatie van wat een telecom-bedrijf over je weet. En dus ook politie, veiligheidsdiensten en de boswachter.

As part of the planned reboot on homeserver greenblatt to upgrade memory and upgrade the kernel I also disabled the last remains of my endpoint of the old IPv6 tunnel, which was my way of getting IPv6 at home from 27 September 2001 until 13 August 2010. I haven't disabled the tunnel at xs4all yet, so there is still some of that icmp6 ping traffic showing up:

tcpdump -pni ppp0 proto 41
13:54:43.835071 IP xxx.xxx.xxx.xxx > mm.nn.oo.pp: IP6 2001:418:2007::c611:f352 > 2001:888:1011::694: ICMP6, echo request, seq 25869, length 64
13:54:46.401613 IP xxx.xxx.xxx.xxx > mm.nn.oo.pp: IP6 2001:559:0:300::6011:9026 > 2001:888:1011::694: ICMP6, echo request, seq 31125, length 64

Let's see what happens now I don't respond anymore.

Memory upgrade on the homeserver greenblatt. The main reason was that the price of the right type of DIMM was slowly rising so I decided to max out the mainboard. No really good reason other than 'I may want to run multiple VirtualBox instances later'. With the reboot I also upgraded the kernel. Since the system had a high uptime things took a while: 5 minutes of actual opening the system, installing memory and closing the system and 40 minutes of watching fsck.

Little sysadmin trick: you can prepare modules which are separate from the default modules and everything to be ready when you reboot into your new kernel so everything should be up and running right after the reboot. At least in the Debian / Ubuntu ecosystem.

I just upgraded to kernel version 2.6.24-28-server and before the upcoming reboot I did the following:

# module-assistant -l 2.6.24-28-server prepare

# module-assistant -l 2.6.24-28-server build zaptel

# dpkg -i /usr/src/zaptel-modules-2.6.24-28-server_1.4.10~dfsg-1+2.6.24-28.81_amd64.deb

So post-reboot asterisk will have everything available again. For mISDN I did:

$ make clean

$ KVERS=2.6.24-28-server make

$ sudo KVERS=2.6.24-28-server make install

# depmod modules-2.6.24-28-server -A

And everything is ready for the upcoming reboot. I hope (can't check without said reboot).
Update: Yes, it all worked.

Found via Online Multiplayer Games On TI Calculators? - Slashdot, CALCnet Chat! v1.0: IM and IRC for Calculators. This reminded me of my own entry into the arena of chat programs: NetCB which was for MS-DOS systems with Novell IPX networking and allowed people to simply chat.

Back then there were two kinds of responses to NetCB: school networks were any use of NetCB was reason for revoking accounts and such. I have received e-mails from students have done yard-work and other cleaning for using NetCB and were proud in reporting that to me. One sample of this can be found from old discussions on how to 'police' the network in bit.listserv.novell. But I found those discussions in the academic-freedom discussion archives Electronic Frontier Foundation academic freedom discussions

On Thu, 30 Jun 1994, Gys Driessen wrote:

> Hi Netters!
>
> Our faculty has this year for the first time started to use our
> network for tution. Some common problems which has arisen was the
> following:

> 6 Playing of Netcb. (Chat program which runs on ipx. User does not
>   need to be logged in.)

I remember being at the Hogeschool Utrecht myself were it soon got noticed that in the lunch breaks there were people using the room with the old XT computers on the network when the room with the 16 MHz 386 power monsters was filled. The XT computers were fast enough for NetCB.

The other response was from companies and such were NetCB was welcomed. Or certain universities:

I administer several Novell Networks at The University of Alabama in
Huntsville (in the southern U.S.). NetCB use spread like wildfire. It's
easy to use. It's fun. It's helpful! Thank you for such a gem of a program.

Causing a bit of a 'what the ?' reaction in me:

The BBC has been told that proposals to move Britain’s clocks forward to bring local time into line with most of the EC countries will be published by the Department of Culture, Media and Sport in the coming week.

I would rather have the Netherlands move to the more fitting timezone of the UK so our day is more balanced. And get rid of the insanity of 'daylight saving time' which makes it even worse.

Source: UK government to propose changing to WEu time - Media Network

A bit of playing on a friday afternoon: getting the Nokia E71 and Asterisk to play with eachother. I needed the power of google to make it work, because you need to link a SIP profile with internetdialing before it actually works. So I used the walkthrough at Using a Nokia E71 with Asterisk (3G or WiFi) by Leif Madsen. And now the handset registers to the demo asterisk and I can play with it. Another way to drain the battery! And it allows for accessing cool asterisk tricks from my mobile phone.

I followed a link to the Linux Call Router and found this gem on the page: www.blueboxing.org which has some good descriptions of blueboxing as it was 'back then' from the European view. And the Linux call router offers the option of CCITT-5 handling. You can also download Beep-Beep on the site which is a nice software bluebox (CCITT-5 dialer) for Linux. One advantage over CAESAR which I tried before in 2008 is that it can set a sequence of multiple digits and play it at once. Which has at least one advantage: the result sounds a lot like I expect from 'phreaking' sounds. And Jolly Eversberg runs a CCITT #5 exchange which you can phreak. Indeed, "Phreaking never dies!".

Nice article: Nine traits of the veteran Unix admin by Paul Venezia. Checking my own style:

1. sudo versus su - .. I'm no fan of sudo command ; sudo command ; sudo command so I lean towards sudo -i which is functionally the same as su -.
2. vim or vi. Yes. Preferably vim.
3. greedy or non-greedy regular expressions? That is a yes.
4. smart and robust scripts for repeating tasks are so much better. Yes.
5. oh yes.
6. sometimes .. although repeated questions about the system environment also mean it may be way too complicated or the communications with your users suck.
7. oh yes. Not only in unix admin work, also in security work.
8. not commenting on this matter. yes.. on certain windows admin work, not on user interface annoyances
9. rebooting isn't problem solving, it's bringing a system to a known state.

Ik lees de laatste stunt rond de OV-chipkaart: Fout in OV-chipkaart legt NS-kaartverkoop plat - nu.nl. Als ik dat vergelijk met mijn experimenten met de Magna carta koffiekaart dan is de robuustheid en fraudepreventie van de koffiekaart beter dan van de OV-chipkaart.

Interesting visual and clear IPv6 test at http://ip6.nl/test. It makes clear how ready the infrastructure around a domain is for an Internet which prefers IPv6 or is even IPv6-only.
My domains such as idefix.net: ip6.nl test for idefix.net don't score the top score because I have no secondary MX servers, which is a personal choice (to avoid spam and configuration problems).

Another bit of dhcp configuring. This time not to deny an entire subset of ethernet addresses such as the previous case of denying DHCP to an entire vendor range but this time to one specific ethernet address. Config snippets:

class "rogue-clients" {
    match hardware;
}

# rogue clients. Match hardware including type 1 (ethernet)
# internet connection sharing + v6 probleem
subclass "rogue-clients" 1:00:00:00:xx:aa:bb;

subnet .. {
    pool {
        range ..;

        deny members of "rogue-clients";
    }
}

and the DHCPNAK and 'no free leases' messages show up as wished.

The correct notation of a 'hardware' class in dhcpd got me again on the first try: you need to include the hardware type (1 for Ethernet).

Sources: Deny DHCP Address by MAC Address? (with the WRONG notation for hardware + mac address and Problem using subclasses, getting no free leases with the right notation.

Echte stukken BBS historie komen binnen: De Gecontroleerde BBSlijst van Nederland & Belgie, geldig: Augustus 1989 en De Gecontroleerde BBSlijst van Nederland & Belgie, geldig: Februari 1990. Mooi om te zien hoe de lijsten gegroeid zijn tussen 1989 en 1992. En ook nog uit de archieven van -.sOUNDGARDEn.- BBS.

The Revolution Will Not Be Televised .. oh yes it will:

Great work being done by AlJazeera

I've been mailing a few times with Varia store about parts I want to order for building project sundial, my weather station and ntp refclock. They are very good at helping me with the right case and configuration.

So one of these days I'll start ordering real hardware and this long running idea for a project may actually start to become real.

Op zoek naar een optie op de website van de politie zie ik verwijzingen naar het meldpunt cybercrime. Ik dacht even dat er eindelijk interesse voor en kennis van IT gerelateerde criminaliteit bij de politie aan het komen was maar dat valt zwaar tegen. Het 'meldpunt cybercrime' is alleen voor 3 heel specifieke gebieden van opsporing, waarvan volgens mij kinderporno gebruik maakt van IT voorzieningen en Internet, terrorisme soms ook en het verband tussen kindersekstoerisme en cybercrime zie ik helemaal niet. Hooguit dat bij een onderzoek naar kindersekstoerisme vast de computer van de verdachte onderzocht zal worden.

Maar een afdeling die snapt dat een webserver gehackt is via phpmyadmin en dat je een image getrokken hebt voor onderzoek, die is er nogsteeds niet in een voor het publiek aanspreekbare vorm.

Zolang de Nederlandse justitie zo weinig snapt van IT is er volgens mij ook het grote risico dat die onkunde doorzet in het omgaan met gegevens zoals uit het CIOT of uit de bewaarplicht komen. Waarmee niet alleen onze privacy geschonden wordt maar onkunde ook tot onterechte beschuldigingen zal leiden.

Always up to speed with the news, those Nigerians:

I am Mr Abdallah Kallel. former presidential adviser to the former Tunisia president ( Zine El Abidine Ben Ali) who was force out of power last month January 2011 after 23 years in Power.

I have a very sensitive and confidential request for your partnership in re-profiling funds $62.3 Million into your country for safe keeping as soon as possible.

The mail had some links to articles about the investigation into the missing millions of the former Tunesian president. Interesting term, re-profiling funds for embezzlement. Almost sounds like 'organisational restructuring' as a term for 'massive job cuts'.

I wanted a global option to deny access to any phpmyadmin url in an apache config. We are migrating long-existing websites with sometimes old content to new hardware and storage. And in the far past some people installed phpmyadmin. With good reasons back then but phpmyadmin has quite a list of security issues. They all get fixed, but we have to hunt down the old versions. So as a stopgap I want to disable all urls on all vhosts which include /phpmyadmin. Global config:

RewriteEngine On
RewriteRule /phpmyadmin - [F,NC,L]

But this isn't inherited by VirtualHosts immediately, as documented in mod_rewrite and vhosts - Apache HTTP server documentation. I need to configure each vhost to inherit the global rewriterules:

RewriteEngine On
RewriteOptions Inherit

Commented on A Hands On-Project - Jason Scott where I read this great comment:

Those hackerspaces look an aweful lot like the tech area of the computer store I used to work at.

by Chris M. My comment on that:

Hackerspaces are good, that is where you can go to learn about tech. And yes, they look like the back of a computer store because (in my opinion) donated old hardware is a good thing for running a hackerspace.

Yes, I was thinking of the old SGI hardware we donated from work to the future vintage computer hardware museum of hack42.

Just tested whether the Nokia E71 I use does IPv6. Yes, it acquires a global IPv6 address over wifi which can be pinged. And that is it. No application prefers IPv6, and in the first test a v6-only destination is unreachable. But.. this is an artifact of the connection manager I use (wuh?). The builtin browser can visit IPv6-only pages when I force it to use the home wifi. Normally I use a connection profile which includes 3G options and IPv6 makes the connection manager switch to 3G, with KPN not yet offering this. And dual-stack pages are still visited via IPv4. Same with putty for symbian: it only uses ipv6 when no A record is found and it can only reach the site when I force it to use wifi.

For a while I dumped my work 'coffee card' Magna Carta mifare card every day and found where the 'last used' date is stored (record changes only once a day). But I can't think of the right encoding. So I'll post what I have at the moment, maybe someone else sees what I can't decode.

Ik ben blij dat ik geen """internet""" van Ziggo heb, want dat gedoe met IPv6 vinden ze daar maar overdreven:

Volgens Ziggo-woordvoerder Gradus Vos is het Ziggo-netwerk halverwege 2012 geschikt voor ipv6. Nieuwe klanten krijgen dan automatisch zowel een ipv4- als een ipv6-adres. Bij bestaande klanten gebeurt dat niet, zegt Vos. "Voor de meeste van onze klanten is het niet interessant welke versie van het ip-protocol zij gebruiken." Zakelijke klanten hebben al ipv6-routers; particulieren zijn daar zelf verantwoordelijk voor, stelt Vos. De woordvoerder geeft aan zich te ergeren aan de wijze waarop de media aandacht aan ipv6 besteden: die zou 'over the top en ongenuanceerd' zijn en onnodige onrust veroorzaken.

Bron: Laatste ipv4-blocks zijn toegewezen - Tweakers.net

Gelukkig zit ik bij xs4all die alle klanten met xs4all-only nu al ipv6 beschikbaar heeft.

Mocht een glasvezelaanbieder het ooit wel tot onze voordeur halen dan is een ding in ieder geval nu weer goed gekomen: BBC zenders per juni 2011 beschikbaar via glashart media en BBC zenders in 2011 beschikbaar via TV van KPN.

Usenet lives! I just saw a new posting in rec.humor.funny.

The real pain point of carrier-grade NAT isn't breaking the Internet for your customers...

Large-scale NAT could also make troubleshooting harder for the service provider and interfere with application acceleration or even targeted advertising, if an advertiser tried to build a profile based on a shared IP address.

"If the guy next to you is into hunting and fishing, and you're not, you might start seeing ads for hunting and fishing," Schiller said.

It's diluting the value of the eyeballs you are selling. Really classy, Verizon.

Source: As IPv4 disappears, transition poses hazards - Networkworld

A nice overview of what BBSes were: Connect: A Look At Bulletin Board Systems (youtube). Listening to these people explaining what was so great about calling BBSes also makes it quite clear how Internet and the world wide web took over and made them obsolete.

Found via quite other ways, but something to keep in mind when rebuilding the kernel for the wardriving box or building a kernel for the future weather station: Debian on Soekris lists some specific Linux kernel compile settings for Geode processors. Another powersaving option could always be a good idea for both. Although I plan to make the weather station also work as ntp server so any power saving which influences timing is a bad idea.

We hoopten net dat het inschakelen van het 'kennis en nieuws' keuzepakket van ziggo zo instantaan zou zijn dat we binnen 10 minuten journaal24 zouden kunnen kijken. Het originele activeren van de smartcard lukte ook binnen ongeveer 10 minuten. Maar blijkbaar nemen pakketwijzigingen bij Ziggo iets meer tijd in, het duurt 2 dagen.
Update 2011-01-30: Blijkbaar zijn die 2 dagen maximaal 2 dagen want het stond vanavond al aan. Tijd om de favorietenlijst bij te werken.
Update 2011-02-04: Prompt gaat Ziggo televisie pakketten wijzigen en vervallen de thema pakketten, waarmee 'een paar zenders extra' dus gelijk weer een nogal dure uitbreiding wordt. Minstens een prijsverdubbeling:

Wie nu een enkel thema-pakket heeft van 3,95 per maand zal om alle zenders te behouden minstens moeten overstappen op het plus pakket dat per maand 8 euro extra kost, maar het is waarschijnlijk dat Ziggo de zenders zodanig verdeeld over plus en extra dat deze klant per maand 13 euro extra moet betalen om zijn huidige aanbod te behouden.

Bron: Ziggo gaat televisie pakketten wijzigen - Digitale Kabeltelevisie.

Food for thought about fiber to the home projects and their financing: Tale of the trench: what if your subdivision laid its own fiber? - Ars Technica. In the project discussed there is no choice in ISP, and having a house within the project area means you need to pay the monthly ISP fees. And the size of the project is so small that other services (telephony, TV) over the fibre never really took of. I see lots of arguments in favor of the model where the fiber infrastructure is carrier-neutral and several service providers can offer their services. There still is the (big) matter of the initial investment and how to finance it. Digging fiber is expensive. Will the home-owner pay and have very cheap bit transport. Or will the service-providers have to pay to access the home-owners, charging them afterwards which means a lot of interest will have to be payed on the infrastructure.

De ov-chipkaart is nu nog gekraakter, er is een saldo-editor applicatie. Journalisten hebben ook veel langer met een kaart met aangepast saldo kunnen reizen dan origineel door Translink systems aangegeven. Bij controles in de trein wordt een aangepaste kaart niet ontdekt, zelfs niet als de kaart door de kaartautomaat gezien wordt als geblokkeerd.

Ondertussen is er ook de 'uitbreiding', naast het verhogen van het saldo en daarna op de normale manier inchecken wat bij bij de NS incheckpalen dus uiteindelijk gedetecteerd zal worden als fraude is er ook de aanpak om een kaart een fake incheck-record te geven wat bij controle in de trein nog niet gedetecteerd wordt.

Berichtgeving:

• OV-chipkraak nu voor elke Windows-gebruiker Webwereld, goed werk van Brenno de Winter
• OV-chipkaart definitief gekraakt PC-active
• Manipuleren ov-chip kinderlijk eenvoudig nos.nl (Jeroen Wollaars, Brenno de Winter)
• Saldo op ov-chipkaart eenvoudig te manipuleren (Video) nos.nl
• Een paar kliks en je reist vogelvrij Webwereld
• Inchecken OV-chipkaart niet meer nodig PC-active
• Nieuwste OV-chipkraak maakt zwartrijder onzichtbaar Webwereld
• Hacktools OV-chipkaart gelekt op internet Webwereld

Info op ov-chipkaart.org:

• OV-chipkaart nu ‘definitief’ gekraakt
• OVSaldo.exe uitgelekt
• Broncode OVSaldo.exe
• Gratis reizen is moeilijker dan u wellicht denkt, de media hadden het anders mogen brengen

Ik heb het nieuws hierover even neutraal aangekeken, maar dit zijn natuurlijk ook dingen waar ik een Mening™ over heb.

Translink systems blijft op een naïeve manier volhouden dat er niets aan de hand is. Eerst met beweren dat het allemaal heel theoretisch is en dat fraude heel snel gedetecteerd wordt. En nu blijven ze volhouden dat fraude verboden is en dus niet voorkomt. Te hard rijden is ook verboden, toch gebeurt het.

In een ideale wereld vervangt Translink systems de OV-chipkaart nu door iets veiligers wat verbeteringen brengt voor de reiziger, zowel kwa privacy als kwa gebruiksgemak. Een systeem waarbij minimale gegevens opgeslagen worden en zo snel mogelijk aggregatie toegepast word. En tegelijkertijd hoeft de reiziger niet vantevoren te bedenken wat het ideale reisproduct is voor zijn reisbehoefte maar achteraf wordt de beste aanpak berekend. Ja dit zijn tegenstrijdige eisen, maar voor de bedragen die er in Translink systems gestopt zijn kunnen ze ook wat hele knappe koppen inhuren om dat op te lossen. Oh, en met een rfid kaart die wel gewoon leesbaar is zodat de gebruiker z'n eigen kaart kan lezen en het saldo kan zien (en reishistorie) zonder dat daarvoor de kaartautomaat of het loket opgezocht hoeft te worden.

Slashdot launched a new design of slashdot today.

In my opinion An improvement and in line with a larger web trend to have sites easier on the eyes. Good use of CSS to adapt the page to the width of the browser.

Interesting SSH attack from 216.75.199.33. All attempts for root and the attacker takes fail2ban default settings into account. The attack waits about half an hour when there is no reply.

17:14:37.332569 IP 216.75.199.33.56158 > mm.nn.oo.pp.22: S 3208575306:3208575306(0) win 5840 <mss 1380,sackOK,timestamp 2532346093 0,nop,wscale 2>
17:14:40.332240 IP 216.75.199.33.56158 > mm.nn.oo.pp.22: S 3208575306:3208575306(0) win 5840 <mss 1380,sackOK,timestamp 2532349093 0,nop,wscale 2>
17:14:46.332290 IP 216.75.199.33.56158 > mm.nn.oo.pp.22: S 3208575306:3208575306(0) win 5840 <mss 1380,sackOK,timestamp 2532355093 0,nop,wscale 2>

17:47:48.498287 IP 216.75.199.33.3446 > mm.nn.oo.pp.22: S 982440641:982440641(0) win 5840 <mss 1380,sackOK,timestamp 2534337258 0,nop,wscale 2>
17:47:51.497769 IP 216.75.199.33.3446 > mm.nn.oo.pp.22: S 982440641:982440641(0) win 5840 <mss 1380,sackOK,timestamp 2534340258 0,nop,wscale 2>
17:47:57.498146 IP 216.75.199.33.3446 > mm.nn.oo.pp.22: S 982440641:982440641(0) win 5840 <mss 1380,sackOK,timestamp 2534346258 0,nop,wscale 2>

Too bad I changed the defaults.

BBS: The Documentary is available in large numbers again, writes Jason Scott: The BBS Documentary reborn - Jason Scott.

The BBS Documentary does focus on the American version of the story of the BBS so specifics about other countries are left out. But a lot of the things which were universal for BBS users and sysops all over the world are documented very well.

'Hackende scholieren betrapt op cijferfraude'. Zeker goed naar de film WarGames uit 1983 gekeken. I don't think I deserved an F, do you?

In het originele artikel in het AD Scholieren geschorst na handel in rapportcijfers komt wel een beruchte factor voorbij:

Nog eens tien leerlingen zijn geschorst, weet het AD, omdat zij voor fraude met hun cijfers hebben betaald. Volgens de vader van een van de fraudeurs is de schorsing van zijn zoon onterecht. ,,Er was geen enkel bewijs dat hij hier daadwerkelijk bij betrokken is."

Middelbare scholen zijn soms erg goed in scholieren verdenken, veroordelen en berechten op basis van heel weinig en eenzijdige gegevens, maar daarmee wel de scholieren opzadelen met vertraging en andere problemen.

Real dependency hell: trying to cut back the number of packages on a centos server system a bit. Yes, not installing them would be even better, but that was a thing in the past. The winner for dependency is:

yum remove alsa-lib-1.0.17-1.el5 alsa-utils-1.0.17-1.el5 alsa-lib-devel-1.0.17-1.el5
..
Removing for dependencies:
..
 system-config-lvm             noarch 1.1.5-1.0.el5             installed 2.9 M
 system-config-network         noarch 1.3.99.12-1.el5           installed 2.3 M

Configuring your network and logical disk volume manager depends on sound drivers. Right. A reminder to use Ubuntu server for any next server.

Nog meer uit de floppybak van -.sOUNDGARDEn.- BBS: de N(eutrale) N(ederlandse) B(ulletin Board) L(ijst) en de gecontroleerde BBSlijst van Nederland.

Er was blijkbaar een divers aanbod aan BBS lijsten die allemaal 'concurrenten' waren op welke er beter gecontroleerd of completer was. En als BBS sysop bleef je je aanmelden...

Searching for weather stations I ran into the wireless sensors on ISM frequencies again. Somehow manufacturers of these sensors seem to want to limit the customer to receiving the data on their equipment. For the well-known wireless sensors on 433 MHz this is 'fixed', nicely described in Sniffing Oregon Scientific Weather Sensor Data. RFXCOM sells receivers which decode a lot of the telemetry and home automation signals. The receiving of oregon scientific sensors is thanks to reverse engineering. The protocol is not properly documented, but I guess it was simple enough to decode.

I asked RFXCOM about the weather sensors on 868 MHz but the lack of documentation on the exact frequency, encoding, protocol I found matches their experience, so they don't offer hardware / software for receiving it. Too bad the makers of the weather stations do not open up their protocols so you can receive your weather station on something besides the display.

Anyway, time to fire up the scanner and see whether specific frequencies carry anything which sounds like data transmissions. Maybe some of our neighbours are sharing temperature and other sensors.
Update : Found some time for the scanner and listened while keeping an eye on my watch:

433.920 listed in some places as 'oregon scientific' frequency, 433.9250 on my scanner:

22:33:13 databurst
22:33:22 databurst
22:33:27 faint databurst
22:33:52 databurst
22:34:01 faint databurst
22:34:16 databurst
22:34:32 databurst
22:35:11 databurst

433.840 listed in some places, 433.8375 on my scanner:
22:36:07 faint databurst
22:36:59 faint databurst

Nothing (sofar..) on the 868 MHz frequencies. But the description "instant transmission" can also mean the weather station only sends out data when it has something to report such as a change in temperature or other measurement, and not constantly.
Given the around 40 second updates mentioned by Sean Dague I guess there are 2 or 3 'usable' sensors in the neighbourhood. With no warranty of them staying available. That means it is a bit much to invest 115 euros in for an RFXCOM receiver.

Een maand adsl downstream snelheid

Eigenlijk zijn alle variaties in ADSL snelheid na regenbuien gewoon een herhaling van wat ik een jaar of 10 geleden zag met de 2-draads huurlijn die na stevige regenbuien van 33k6 naar 28k8 ging. De getallen zijn nu anders, maar oorzaak en gevolg lijken nogsteeds hetzelfde.

Mooie opmerking van Arnoud Engelfriet in de Kroniek van het Internetrecht in 2010 :

Journalistiek verantwoord kraken leidde tot een blafbrief van TLS: wij houden u in de gaten. Maar dat wisten we al: daar is de OV-chipkaart immers voor gemaakt.

Soms heeft er iemand anders ook een blast from the past.. en duikt nog een paar uitgaves van De Algemene BBSlijst Nederland op. Stukjes historie uit augustus 1997 en mei 1996. De ontwikkeling van het aantal BBS-en begint nu ook zichtbaar te worden:

abn199405.lst: Het aantal BBSen in deze ABNlijst bedraagt 200
abn199503.lst: Het aantal BBSen in deze ABNlijst bedraagt 1350
abn199601.lst: Het aantal BBSen in deze ABNlijst bedraagt 1494
abn199605.lst: Het aantal BBSen in deze ABNlijst bedraagt 1420
abn199701.lst: Het aantal BBSen in deze ABNlijst bedraagt 1458
abn199707.lst: Het aantal BBSen in deze ABNlijst bedraagt 1116
abn199708.lst: Het aantal BBSen in deze ABNlijst bedraagt 1087
abn199711.lst: Het aantal BBSen in deze ABNlijst bedraagt 1067
abn200109.lst: Het aantal BBSen in deze ABNlijst bedraagt 178

Met dank aan -.sOUNDGARDEn.- BBS

Ik kwam ook het archief tegen van Fidonet nodelists en nodediffs. Niet volledig, en namen in deze lijst staan allemaal in Fidonet nodelist notatie, dus pas toen ik zocht op HCC_IBM_PC_GG kwam ik een bekende entry tegen:

,101,HCC_IBM_PC_GG,Nieuwegein,Koos_van.den.Hout,31-3402-90878,9600,V32B,V42B,CM,XA

Some updates to the document on using dynamic dns for your own dynamic IP since someone reported problems getting it to run with bind 9.7. I could not reproduce the errors.

A bit of history there: the previous time I worked on that howto was in 2005 because I ported it from linuxdoc (sgml2html) to docbook (xmlto). And that document was worked on in 2001 and 2002. Funny to get a response in 2010 from someone still using it. And the original 'problem' was from June 2001 On the same day I got my casema account data so my cable modem is now working to September 2001: The cute feature of the webserver at home is that a nice dynamic dns hack is used in order to update the dns. And I switched to ADSL on 25 September 2001: Received the adsl stuff from xs4all.. more bandwidth for a better price (and xs4all as ISP-with-lots-of-clue).

My notes on how I got the touchatag reader working to access 13.56 MHz rfid cards like the mifare classic.

De 'trots op nederland' van Landgraaf heeft blijkbaar wat moeite met al die ingewikkelde concepten van afbeeldingsrechten en gebruik van afbeeldingen op externe servers, want nu toont een artikel op hun site dat ze geen toestemming hebben om images vanaf idefix.net te gebruiken. In het originele artikel over de hele mooie satellietopname van Nederland met sneeuwdek geef ik NASA/GSFC, MODIS Rapid Response tenminste de verdiende credit.

Hier kan ik natuurlijk allemaal vervelende dingen mee, zoals een terdege goatse. Of een overzicht publiceren van alle bezoekers van dit artikel.

Up and coming: the World IPv6 day on 8 june 2011, where major sites like google participate in a 24-hour "IPv6 test drive".

If you have trouble accessing one of the major sites listed on that day, you will have trouble with the future Internet. I hope to be able to contribute my own bits somehow. Having work websites reachable over IPv6 would be very nice.

News coverage:
Facebook, Google, Yahoo commit to 'World IPv6 Day' trial - Networkworld
Major Websites Commit to 24-Hour Test Flight for IPv6 - BusinessWire

I recently re-read The Fugitive Game: Online with Kevin Mitnick and noticed I never wrote a review for it. So I fixed that omission. It's a great book to read as it reads as a big adventure. But it took me a while to write a good review.

Uit de xs4all nieuwsbrief januari 2011:

Sneller internet: in 2011 beginnen we in een aantal regio's met glas waarover je alle XS4ALL-diensten incl. TV kunt krijgen.

Ik ben benieuwd. Maar eerst komen er natuurlijk reacties in xs4all.general van het type:

• "Kan ik het al aanvragen ennudan ennudan ennudan?"
• "Natuurlijk weer niet in mijn regio en we worden hier altijd achtergesteld en het is niet eerlijk"
• "In vergelijking met aanbod XYZ weer veel te duur en ik snap niet dat mensen nog bij xs4all blijven"

Ik gok dat gebieden waar al glasvezel met providerkeuze is het eerst aan de beurt komen.
Update : Niet officieel bevestigd: het gaat om gebieden waar glashart infrastructuur levert. Het gaat nog wel even duren voor Utrecht daarbij hoort. Voorlopig lijkt de beschikbaarheid van xmsnet ook niet meer Utrecht te bevatten.

In between other stuff I also found time to play with the touchatag rfid reader I ordered.

Some of the things which got me interested which I previously did not mention:

After an article in the Dutch magazine PC-active how easy it is to access your data on the ov-chipkaart people (naturally) got interested again. People on the site www.ov-chipkaart.org started decoding the card. Resulting in a wiki with all known data on the ov-chipkaart decoded which got implemented as open-source scripts to decode and view your own ov-chipkaart dump. Including lists of known station numbers.

In true open-source style: a lot of cooperation (browse the comments on the ov-chipkaart.org site to see this happen) and people sharing the tools they wrote so other people can improve them.

The next implementation of the ov-chipkaart with better security, positive effects for the traveller and improved privacy for the traveller can learn from this. Give people access to their own data (and not just through a crappy website) and learn from projects like the one above. Transportation rfid cards from other countries also get decoded, read for example Public transportation passes and their secrets

I added a new encryption key to my gpg public key 0xF0D7C263, 4096 bits size. Which means I want the 'lesser' (2048 bit) key to not be used anymore by people encrypting stuff to send to me. So I try to set an expiry for this subkey. But strangely this change does not 'stick' :

Command> key 1

pub  1024D/F0D7C263  created: 1998-12-17  expires: never       usage: SCA 
                     trust: full          validity: full
sub* 2048g/CD125A2B  created: 1998-12-17  expires: never       usage: E   
sub  4096g/1F480E9A  created: 2011-01-11  expires: 2016-01-10  usage: E   
[  full  ] (1). Koos van den Hout <koos   kzdoos.xs4all.nl>
[  full  ] (2)  Koos van den Hout <koos   idefix.net>
[ revoked] (3)  Koos van den Hout <koos   pizza.hvu.nl>
[ revoked] (4)  Koos van den Hout <koos   wu-ftpd.org>

Command> expire
Changing expiration time for a subkey.

Key is valid for? (0) 6m
Key expires at Sun 10 Jul 2011 10:30:34 PM CEST
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Koos van den Hout <koos   kzdoos.xs4all.nl>
1024-bit DSA key, ID F0D7C263, created 1998-12-17

                  
pub  1024D/F0D7C263  created: 1998-12-17  expires: never       usage: SCA 
                     trust: full          validity: full
sub* 2048g/CD125A2B  created: 1998-12-17  expires: never       usage: E   
sub  4096g/1F480E9A  created: 2011-01-11  expires: 2016-01-10  usage: E   
[  full  ] (1). Koos van den Hout <koos   kzdoos.xs4all.nl>
[  full  ] (2)  Koos van den Hout <koos   idefix.net>
[ revoked] (3)  Koos van den Hout <koos   pizza.hvu.nl>
[ revoked] (4)  Koos van den Hout <koos   wu-ftpd.org>

Strange. Seems the working solution will be to revoke the subkey. Which I'd rather not do because I want to be able to keep decoding old mails.

It's public! repocafe has been cleaned up and version 0.9 has been released! Repocafe page on freshmeat Repocafe 0.9 page on SourceWell

Since almost all my websites are now hosted at home behind a not-too-bright ADSL link with 1 megabit upstream I sometimes wonder about what I'll do when something I host gets slashdotted. I don't write that much which might suddenly be interesting but sometimes the intarwebs decide something else.

I do have a server at work with enough upstream bandwidth, but I will not use that server for anything which would remotely be interpretable as 'commercial'. So I could only use that server when it would involve for example the weather maps.

Another solution for bandwith-hogging binaries would be to host them on my xs4all homepage which has enough space. But copying stuff over there would be a lot of work or take some serious scripting.

What could be interesting (in the case of images or other binary stuff causing the problem) is trying Coral Cache which can be done using some simple mod_rewrite tricks as noted in Saving Bandwidth and Preventing Hotlinking With Coral Cache. The note about not using Coral Cache when not being slashdotted is true: the demo image loads slower at the moment. The article is from August 2007.

Anyway, this is all very very theory: even when a comment on an article on a very popular site linked to a file on the bbs archive it still didn't cause any real trouble.
Update : A small test does not give me a lot of confidence in Coral Cache:

koos@kolham:~$ host idefix.net.nyud.net
nyud.net has DNAME record http.l2.l1.l0.nyucd.net.
idefix.net.nyud.net is an alias for idefix.net.http.l2.l1.l0.nyucd.net.
idefix.net.http.l2.l1.l0.nyucd.net is an alias for http.l2.l1.l0.nyucd.net.
http.l2.l1.l0.nyucd.net has address 200.19.159.35
http.l2.l1.l0.nyucd.net has address 169.229.50.3
http.l2.l1.l0.nyucd.net has address 171.66.3.182
Host http.l2.l1.l0.nyucd.net not found: 3(NXDOMAIN)
koos@kolham:~$ host idefix.net.nyud.net
Host idefix.net.nyud.net not found: 3(NXDOMAIN)
koos@kolham:~$ host idefix.net.nyud.net
Host idefix.net.nyud.net not found: 3(NXDOMAIN)

Seems like their DNS and the local resolver dislike eachother.

Another interesting site with stories from the Antartic: Antarctic Section: Penguins, Cold and Winterovers - Guillaume Dargaud. I really enjoyed reading the report of his winterover at Concordia station.

It is always nice to read these stories. The Antarctic is a very special area, especially in the winter when transport of people and material is impossible due to ice, darkness and extremely low temperatures. The record temperature in the 2005 winter was -79° Celcius.

Trans Link Systems houdt hardnekkig vol en gaat de OV-chipkaart als betaalpas testen. Vijfhonderd medewerkers mogen in een test de OV-chipkaart gebruiken om te betalen in diverse winkels op station Amersfoort waar het kantoor van TLS staat: OV-chipkaart getest als betaalpas - nu.nl.

Mijn eerste gedachte bij het lezen is 'TLS heeft dus meer dan 500 medewerkers? en levert nog dit resultaat?'. Maar dat terzijde. Het bericht is ook te lezen alsof het om 500 NS medewerkers gaat.

Ondanks de bekende problemen met de veiligheid van de OV-chipkaart gaan ze dus hardnekkig door op deze basis. Grote kans dus dat er een herhaling komt van wat er in Taiwan al voorspeld is en toch ook doorging en nu fraudegevoelig blijkt: Unsmart Investments in Smartcards - Wired Threat Level. Ik voorspel vergelijkbare problemen als de ov-chipkaart als betaalkaart doorzet als niet eerst op iets veiligers dan mifare classic overgegaan wordt. En als je toch iets beters doet, pak dan gelijk de privacy aan.
Update 2011-01-06 : Webwereld meldt het iets leesbaarder: het gaat om 500 medewerkers van de Nederlandse Spoorwegen NS test OV-chipkaart als betaalpas - Webwereld met (natuurlijk ..):

Officieel is het niet bekend waarom DNB alleen een beperkte toestemming aan de OV-chipkaart gaf. Volgens de SP gebeurde dit omdat de OV-chipkaart kampt met een gebrekkige beveiliging. Gebruikers kunnen de gegevens op de kaart namelijk eenvoudig uitlezen of zelfs aanpassen.

Uitlezen zou ik niet als fout willen zien (het zijn gegevens over mij, daar wil ik toegang toe!) maar met aanpassen is fraude mogelijk.

Na het debacle van de Utrechtse burgemeester over vingerafdrukken had ik niet veel positieve verwachtingen van een editie van trajectum, het blad van de Hogeschool Utrecht met Aleid Wolfsen als gasthoofdredacteur. Maar ietwat verborgen in het blad en on-line: Column André Weststrate: Wel in WikiLeaks, niet in deze Trajectum met

Een filosofische en ethische uiteenzetting over het verschil tussen een persoonlijke vingerafdruk, persoonlijkheid en persoonlijke gegevens. Want, kom op, vingerafdrukken zeggen niets over iemands persoonlijkheid, dus zijn ze niet persoonlijk. Dat snapt iedereen.

Hee, ineens is de gemeente Utrecht ook aan de digitale nota via de bank. Zoals ze al geschreven hadden toen ik er 5 maanden geleden naar vroeg.

Bijna 2 maanden nadat ik constateerde dat de voorrem van mijn ligfiets stuk was heb ik eindelijk het geheel weer gemonteerd en een testritje gemaakt. Van die 2 maanden komt dus ruim 1 maand voor rekening van de fietsenmaker en 1 maand waarin ik zelf weinig tijd had door het nieuwe vaderschap.

Na het uitzoeken hoe ik het geheel weer netjes in elkaar kreeg omdat het voorspatbord van mijn Nazca Pioneer ligfiets de houder van de voorste remklauw als steun gebruikt ging het monteren verder redelijk eenvoudig. Veel actie met de inbussleutel. En dus met een inbussleutel en de ratelaar uit de dopsleutelset, zeker met het proberen een inbusboutje door 6 ringetjes en andere onderdelen heen ergens goed heen te sturen zonder dat zo'n ringetje valt. Ik wil graag dat soort ergernis voor zijn...

Bij het testritje gelijk de kinderkar er achter gehangen om dat eens te testen (inclusief bochtenwerk en de draai de tuin in en uit). Dat werkt net als met de bagagekar dus dat is op zich wel te doen.