News archive June 2011 - Koos van den Hout


2011-06-28
Just had to do a cleanup after a spamrun, a new type to me: authenticated smtp abuse. Which goes a lot faster than webmail... Account blocked, cleanup done. Now some time to browse the logs and I note 10 different IPv4 addresses using the same account at the same time, almost all at the same ISP (Charter in the US) but in wildly varying states.
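
A detection for the pattern noted above (one account authenticating from many addresses at the same time), as an added example that is not part of the original post. It assumes Postfix-style smtpd log lines carrying `sasl_username=`; the sample lines, account names, thresholds and documentation-range addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Postfix smtpd style (assumed log format); all
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 28 09:00:01 mx postfix/smtpd[2101]: 4A1B2C: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jun 28 09:00:03 mx postfix/smtpd[2102]: 4A1B2D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Jun 28 09:00:04 mx postfix/smtpd[2103]: 4A1B2E: client=unknown[203.0.113.40], sasl_method=LOGIN, sasl_username=alice
Jun 28 09:00:09 mx postfix/smtpd[2104]: 4A1B2F: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=alice
Jun 28 09:01:00 mx postfix/smtpd[2105]: 4A1B30: client=home.example.net[192.0.2.77], sasl_method=PLAIN, sasl_username=bob
Jun 28 17:30:00 mx postfix/smtpd[2190]: 4A1C00: client=office.example.net[192.0.2.78], sasl_method=PLAIN, sasl_username=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"client=[^\[\s]*\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)

def find_shared_accounts(log_text, window=timedelta(minutes=10),
                         max_ips=3, year=2011):
    """Return {user: set_of_ips} for every account that authenticated from
    more than max_ips distinct addresses inside one sliding time window.
    Syslog timestamps carry no year, so the caller supplies it."""
    recent = defaultdict(deque)          # user -> deque of (timestamp, ip)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                     # not an authenticated smtpd line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop logins older than the window
        ips = {ip for _, ip in q}
        if len(ips) > max_ips:
            flagged.setdefault(m["user"], set()).update(ips)
    return flagged

if __name__ == "__main__":
    for user, ips in find_shared_accounts(SAMPLE_LOG).items():
        print(user, sorted(ips))
```

The window and the address threshold (10 minutes, more than 3 addresses) are example values; a user roaming between home and office, like `bob` in the sample, stays below them.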

2011-06-28
If this doesn't ring all alarm bells for 'money mule' :
I take up a position of HR manager in a large multinational company.

This company is well known in various fields such as:
\ supporting in opening of banking accounts
Seen in the spam e-mail this morning. Dear people of the world: please don't fall for this. A very clear case of 'too good to be true'.

2011-06-22
I am at the SURFnet office this afternoon, and that is a great opportunity to test my scripts for dynamic IPv6 addresses depending on network. SURFnet gives out 'real' IPv4 (no NAT) addresses on their wireless and IPv6 addresses.

Yes it works:
3: wlan0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1f:e1:45:28:94 brd ff:ff:ff:ff:ff:ff
    inet 145.96.2.161/22 brd 145.96.3.255 scope global wlan0
    inet6 2001:610:188:431:14b8:6159:f87f:20fd/64 scope global secondary dynamic 
       valid_lft 604014sec preferred_lft 85014sec
    inet6 2001:610:188:431:21f:e1ff:fe45:2894/64 scope global dynamic 
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fe80::21f:e1ff:fe45:2894/64 scope link 
       valid_lft forever preferred_lft forever
One downside: the 'old' dynamic address was deleted from the interface with my ssh sessions still running. Time to tweak the settings a bit more to fix this.
Second thought: Maybe a complete wireless disconnect / connect caused this. The current settings for temporary address lifetimes:
net.ipv6.conf.wlan0.temp_valid_lft = 604800
net.ipv6.conf.wlan0.temp_prefered_lft = 86400
604800 seconds is one week, 86400 seconds is one day.

2011-06-20
Journalist Brenno de Winter is expected at the police on Wednesday 22 June 2011 for questioning about fraud with OV-chipkaart cards.

Statement on the TLS questioning - Brenno de Winter

Webwereld journalist questioned over OV-chipkaart hack - Webwereld

Sounds like a case of 'showing that the emperor has no clothes is not the intention': Trans Link Systems clearly does not want it made this obvious that they are spending billions on a bad system with worthless privacy.

2011-06-20
Quite an interesting article this weekend: When Secret Sats Spy on Us, Monsieur Legault Spies Back - Wired danger room. Thierry Legault, famous for a number of very great images of space phenomena, is also busy tracking things in space which you're not supposed to know are there. Wired did a great article on the satellite-tracking community a few years ago: I Spy: Amateur satellite spotters can track everything government spymasters blast into orbit. Except the stealth bird codenamed Misty. Wired issue 14.02. The persistence of the spy satellite-tracking community combined with the telescope photography skills of Thierry Legault makes for some very nice videos. I guess the owners of the spy satellites aren't too happy about these videos. They would be even more unhappy if the videos were combined with the latest orbital data.

2011-06-19
Interesting: someone mailed me about my DVB experiments and noted a frequency picked up by the scanning program which I didn't recognize as a valid multiplex: 714 MHz, 2/3 FEC, 1/16 guard interval. That's odd, that frequency isn't in use in the Netherlands and no multiplex runs on 1/16 guard interval.

When I have a look at the details for Digitenne at DTV Monitor and I open the network information table in transport stream 2211 or 2212 I see a listing for a transport stream 12 with indeed guard interval 1/16 and 2/3 fec. Weird. Yet another multiplex in the planning or a glitch? But a glitch showing up on multiple transport streams in multiple locations is more like 'planned'.

To make sure I checked the Network Information Table in Mux 1 at home myself, with dvbsnoop for pid 0x10. Indeed, a description of transport stream 12 with 5 television services flies by:
    Transport_stream_ID: 12 (0x000c)
    Original_network_ID: 8720 (0x2210)  [= Netherlands Digital Terrestrial Television | Nozema]
    reserved_1: 15 (0x0f)
    Transport_descriptor_length: 52 (0x0034)

            DVB-DescriptorTag: 65 (0x41)  [= service_list_descriptor]
            descriptor_length: 15 (0x0f)
               service_ID: 1201 (0x04b1)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1202 (0x04b2)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1203 (0x04b3)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1205 (0x04b5)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]

               service_ID: 1206 (0x04b6)[ --> refers to PMT program_number]
               service_type: 1 (0x01)  [= digital television service]


            DVB-DescriptorTag: 90 (0x5a)  [= terrestrial_delivery_system_descriptor]
            descriptor_length: 11 (0x0b)
            Center frequency: 0x04417a40 (= 714000.000 kHz)
            Bandwidth: 0 (0x00)  [= 8 MHz]
            priority: 1 (0x01)  [= HP (high priority) or Non-hierarch.]
            Time_Slicing_indicator: 1 (0x01)  [= Time Slicing is not used.)]
            MPE-FEC_indicator: 1 (0x01)  [= MPE-FEC is not used.)]
            reserved_1: 3 (0x03)
            Constellation: 2 (0x02)  [= 64-QAM]
            Hierarchy information: 0 (0x00)  [= non-hierarchical (native interleaver)]
            Code_rate_HP_stream: 1 (0x01)  [= 2/3]
            Code_rate_LP_stream: 0 (0x00)  [= 1/2]
            Guard_interval: 1 (0x01)  [= 1/16]
            Transmission_mode: 1 (0x01)  [= 8k mode]
            Other_frequency_flag: 0 (0x00)
            reserved_2: 4294967295 (0xffffffff)

            DVB-DescriptorTag: 131 (0x83)  [= User defined/ATSC reserved]
            descriptor_length: 20 (0x14)
            Descriptor-data:
                 0000:  04 b1 fd f5 04 b2 fd f6  04 b3 fd f7 04 b5 fd f8   ................
                 0010:  04 b6 fd f9                                        ....

So an extra transport stream with 5 video services is announced, but not in use. Future plans? A reservation? Something left over from a test?

Note: dvbsnoop does not decode the Logical Channel Descriptor (0x83) at the end of the network information table. According to dtv monitor, services 1201 - 1205 are to be on logical channels 501 - 505.
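
Decoding the 0x83 descriptor bytes by hand, as an added example that is not part of the original post. The 4-byte entry layout (16-bit service_id, 1-bit visible flag, 5 reserved bits, 10-bit logical channel number) is the commonly used EACEM layout and is an assumption here; the input bytes and the service IDs are copied from the dvbsnoop output above.

```python
# Descriptor-data of tag 0x83, exactly as shown in the dvbsnoop dump above.
DESCRIPTOR_DATA = bytes.fromhex(
    "04 b1 fd f5 04 b2 fd f6 04 b3 fd f7 04 b5 fd f8 04 b6 fd f9"
)
# service_IDs announced in the service_list_descriptor of transport stream 12.
SERVICE_LIST = [1201, 1202, 1203, 1205, 1206]

def parse_logical_channels(data):
    """Decode a logical channel descriptor body into a list of entries.
    Assumed layout per entry: service_id(16) visible(1) reserved(5) lcn(10)."""
    if len(data) % 4:
        raise ValueError("length %d is not a multiple of 4" % len(data))
    entries = []
    for off in range(0, len(data), 4):
        service_id = int.from_bytes(data[off:off + 2], "big")
        word = int.from_bytes(data[off + 2:off + 4], "big")
        entries.append({
            "service_id": service_id,
            "visible": bool(word >> 15),   # top bit: shown in channel list
            "lcn": word & 0x03FF,          # low 10 bits: channel number
        })
    return entries

def lcn_map(data):
    """Return {service_id: logical_channel_number}."""
    return {e["service_id"]: e["lcn"] for e in parse_logical_channels(data)}

def inconsistent_services(service_ids, data):
    """Services listed without a channel number, or numbered but not listed."""
    return sorted(set(service_ids) ^ set(lcn_map(data)))

if __name__ == "__main__":
    for e in parse_logical_channels(DESCRIPTOR_DATA):
        print("service %d -> channel %d (visible=%s)"
              % (e["service_id"], e["lcn"], e["visible"]))
    print("inconsistent:", inconsistent_services(SERVICE_LIST, DESCRIPTOR_DATA))
```

Under that assumed layout the five announced services land on channels 501 to 505, matching what DTV Monitor reports.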

Kudos to the person who noticed his scanning program searching on an unused frequency.

2011-06-15
Interesting development with the magna carta rfid card: I gained access to a card from a different organisation and what I found for the other card did not apply at all.

2011-06-15
Today's XKCD Manual Override is good. And sometimes recognizable...

2011-06-14
Rob O'Hara asks the interesting question Are all Hacks really Sophisticated? after seeing the word 'sophisticated' one time too many in the news about the recent network break-ins at Sony and the IMF.

A good question. A lot of this stuff seems more a case of systems and data with lots and lots of attack surfaces and attackers finding that one weak spot. The only people who get this right almost always are the military, but they are not afraid to put security way ahead on the balance of security versus usability.
Update 2011-06-15: Latest news on this front:
Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator.
Source: Citigroup hack exploited easy-to-detect web flaw - The Register

2011-06-13
The spam that recruits money mules keeps getting better. Today one in actually quite good Dutch (apart from some charset damage).
At the moment there are part-time jobs available within the EU.

What we offer:
- 2000 EUR and a bonus that is paid once you have been employed for 30 days. This bonus is only paid if you work at least 8 hours a week.
- We guarantee that you will earn money as an independent entrepreneur from the comfort of your home office.
- We also guarantee that you will earn enough money to supplement your salary. This guarantee rests on the fact that we assume you will work hard and follow our instructions within the time made available.
Don't fall for this, it is indeed too good to be true and you are also committing fraud. You won't make those 30 days, before that time you'll be at the police station.

2011-06-13
I was capturing audio in Asterisk and playing it for a good reason: I noticed a while ago that attempts were made to route sip calls through an asterisk server I set up. Calls to numbers which looked valid. So they were probably attempts to make calls on 'my dime'. Which wasn't going to happen.

What better (on a server which has absolutely no credentials available to incur call costs anyway) to do with these than 'play' with these attempts a bit. I decided to answer the call with a random choice of the International Telephone Sounds & Recordings from telephone world and record the audio. I was hoping to hear someone be enthusiastic in the background about their attempt maybe going through.

But in all the attempts I never heard anything more than the audio from the local end and maybe some echo.

2011-06-13
I captured some audio in asterisk using the MixMonitor command, like:
exten => _00.,1,Set(filename=${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
exten => _00.,n,NoOp(${CHANNEL} tried to reach ${EXTEN} logging to wrongnum-${filename})
exten => _00.,n,MixMonitor(wrongnum-${filename})
exten => _00.,n,Goto(wrongnumber,s,1)
But I wanted to listen to the audio. Which turned out to be a bit of searching. In the end I found the right sox call:
$ play -e signed -r 8000 -b 16 -c 1 keep-20110604-184522.raw

keep-20110604-184522.raw:

 File Size: 647k      Bit Rate: 128k
  Encoding: Signed PCM    
  Channels: 1 @ 16-bit   
Samplerate: 8000Hz       
Replaygain: off         
  Duration: 00:00:40.42  

In:58.3% 00:00:23.55 [00:00:16.87] Out:188k  [!=====|=====!] Hd:0.0 Clip:0    
Converting to a .wav to process in audacity is easy too:
$ sox -e signed -r 8000 -b 16 -c 1 keep-20110604-184522.raw wrongnum-20110604-184522.wav

2011-06-10
I like having the 'predictable' IPv6 address for my laptop at home, but at the same time I was pondering the implications of having the same EUI-64 address everywhere. Which can be fixed by enabling the privacy extensions.

As I use wicd for connection management I had a look at Adding pre and post (dis)connection scripts - Wicd Wiki which showed clear options. The easiest way to 'recognize' my home networks is by assigned v6 range. So I created /etc/wicd/scripts/postconnect/ipv6privacychoice with:
#!/bin/bash
# wicd postconnect script: keep the predictable address on the known home
# prefixes, enable and prefer temporary (privacy) addresses everywhere else.

connection_type="$1"

if [ "${connection_type}" = "wired" ]; then
        # First prefix advertised on the wired interface
        v6prefix=$(rdisc6 -q -1 eth0)
        if [ "${v6prefix}" = "2001:980:14ca:1::/64" ]; then
                sysctl net.ipv6.conf.eth0.use_tempaddr=0
        else
                sysctl net.ipv6.conf.eth0.use_tempaddr=2
        fi
elif [ "${connection_type}" = "wireless" ]; then
        # First prefix advertised on the wireless interface
        v6prefix=$(rdisc6 -q -1 wlan0)
        if [ "${v6prefix}" = "2001:980:14ca:2::/64" ]; then
                sysctl net.ipv6.conf.wlan0.use_tempaddr=0
        else
                sysctl net.ipv6.conf.wlan0.use_tempaddr=2
        fi
else
        echo "Unknown connection type: ${connection_type}" >&2
        exit 1
fi
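
Why the same EUI-64 address everywhere is a tracking concern, as an added example that is not part of the original post: the interface identifier is the hardware address with `ff:fe` inserted and one bit flipped, so anyone seeing the address can recover the MAC. The MAC and addresses are taken from the wlan0 output in the 2011-06-22 entry on this page; the function names are illustrative.

```python
import ipaddress

# MAC and addresses from the `ip addr` output for wlan0 shown on this page.
WLAN0_MAC = "00:1f:e1:45:28:94"
WLAN0_ADDRS = [
    "2001:610:188:431:14b8:6159:f87f:20fd",   # 'secondary dynamic' (temporary)
    "2001:610:188:431:21f:e1ff:fe45:2894",
    "fe80::21f:e1ff:fe45:2894",
]

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None when the low 64 bits lack the ff:fe marker in the middle."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip, then drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)

def trackable_global_addresses(addrs, mac):
    """Addresses that carry `mac` beyond the local link, i.e. the ones a
    remote server sees unchanged on every network the laptop visits."""
    hits = []
    for a in addrs:
        if ipaddress.IPv6Address(a).is_link_local:
            continue                     # fe80::/10 never leaves the link
        if mac_from_eui64(a) == mac.lower():
            hits.append(a)
    return hits

if __name__ == "__main__":
    for a in WLAN0_ADDRS:
        print(a, "->", mac_from_eui64(a))
    print("trackable:", trackable_global_addresses(WLAN0_ADDRS, WLAN0_MAC))
```

With `use_tempaddr=2` the EUI-64 address stays configured, as in that output, but the temporary address is preferred for outgoing connections.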

2011-06-10
I guess I just ran into one of the most undocumented file formats: saslauthd.conf. But eventually I got it working (as authentication provider for a local ldap server). To use Windows active directory domain controllers as backend for slapd:
ldap_servers: ldap://dc01.example.com:389/ ldap://dc02.example.com:389/
ldap_bind_dn: DC=example,DC=com
ldap_auth_method: fastbind
ldap_filter: EXAMPLE\%U
Which means you can have ldap users with
userPassword: {SASL}username@EXAMPLE.COM

2011-06-08
Too bad I'll be in a location with only legacy IP or completely 'disconnected' today, so I can't really follow everything around World IPv6 day.

But things are up and running. Things I noted so far: The AMS-IX sFlow IPv6 stats seem to show a drop in IPv6 traffic. Caused by the Microsoft ipv6day patch? And the Akamai IPv6 Statistics show not a lot of traffic, given what Akamai should process in theory.

Update : DE-CIX traffic statistics (scroll down a bit for IPv6) show an uptake in IPv6 traffic.

2011-06-07
The NTP pool project is participating in World IPv6 day. Well, not participating in the 'switching off after 24 hours' bit: 2.pool.ntp.org now has AAAA records and will keep them. In the current default configuration this means a system with broken IPv6 connectivity will still work, it will just decide one of the servers is unreachable and tick on happily.
koos@greenblatt:~$ host 2.pool.ntp.org
2.pool.ntp.org has address 213.249.66.35
2.pool.ntp.org has address 91.148.192.49
2.pool.ntp.org has address 72.26.217.210
2.pool.ntp.org has IPv6 address 2001:4f8:fff7:1::17
2.pool.ntp.org has IPv6 address 2607:f128:42:63::2
2.pool.ntp.org has IPv6 address 2600:3c00::2:b401
Source: Experimentally enabling IPv6 - NTP Pool News.

It's not possible to add ntp.cs.uu.nl to the ipv6 pool at the moment, but ntp.idefix.net is reachable via IPv6 and is ok as a server. So it is in the pool.

2011-06-05
I just (re)watched The Boat that Rocked also known as 'Pirate radio'.

The goof I noticed this time is the 2 DJs climbing the 'antenna mast'. On a mediumwave transmitter that is a big no-no: either the mast itself is antenna and has a high voltage difference to ground or the feeder lines go to a wire antenna at the top where you don't want to get close due to the RF energy. But there are no feeder wires visible anyway...

But this is not a documentary, this is a movie based on/following the events and people of the time. As such it works great. It really shows the 'radio people should listen to' versus 'radio people want to listen to' difference which played in those days. Great music in the movie. I really like the visual switching between the making of the radio and the listening to the radio.

2011-06-01
And even after I never accepted the verification of my e-mail address to add it to someone's 'Apple ID' I now get iTunes spam:
Subject: New On iTunes: The Beatles, Wired for iPad, True Blood, Free Lonely
        Planet Travel Book, and More
So pure and simple spam.



Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4