2011-07-28 (#)
DVB-T service scan today, with an interesting service showing up:
tune to: QAM_AUTO f = 570000 kHz I999B8C999D999T999G999Y999 (time: 10:52)
set_frontend: using DVB API 5.1
>>> tuning status == 0x0f
>>> tuning status == 0x1f
SDT (actual TS)
service = Nickelodeon/TeenNick (Digitenne)
service = 13th Street (Digitenne)
service = SLAM!TV (Digitenne)
service = TV Drenthe tijdelijk (Digitenne)
service = BBC Radio 1 (Digitenne)
service = BBC Radio 2 (Digitenne)
service = BBC Radio 3 (Digitenne)
service = BBC Radio 4 (Digitenne)
Due to the recent transmitter tower collapse in Hoogersmilde RTV Drenthe is currently available FTA in the entire country on Digitenne. So I was able to make a screengrab.
One interesting side-effect was mentioned on the tx-list: RTV Drenthe was received in South-east London on 586 MHz (channel 35) on Thursday, over 300 kilometers from the intended service area. This is due to the signals from the Goes transmitter making it over the water.
2011-07-26 (#)
An article which reads like the reporter got introduced to low-security VoIP trunks and caller-id spoofing services for the first time: Authorities say 911 call in Wyckoff hoax came from fake, computer-generated phone number - NorthJersey.com.
The 911 caller whose hoax prompted a tense police standoff in a quiet Wyckoff neighborhood used a computer to mask the origin of the call, authorities said Sunday.
A computer crime expert is quoted:
[..] the 911 call likely originated from a so-called IP phone that makes calls over the Internet. Such phones are increasingly common and allow users to choose the phone number that would appear on caller identification devices [..]
They hope to trace the user back to the original IP of the SIP call. I wish them lots of luck finding the IP in the first place: I don't think a lot of the 'wholesale SIP trunking' or 'Caller-ID spoofing services' will log them. They might have more chance of finding the account and the billing information.
Found via Attack on 'Cyberbullying' critic prompts raid by armed cops - The Register.
2011-07-24 (#)
Most of the attempts at toll fraud through an asterisk server set to catch and record these are lately for a number matching +97259xxxxxxx which, according to Telephone numbers in Israel - Wikipedia, is a 'Jawwal' mobile number in Palestine. Interesting... not a really expensive call to make but I can imagine a certain interest in hard-to-trace calls to that part of the world, especially since these seem to be routed via Israel. According to the explanation on Telephone numbers in the Palestinian territories - Wikipedia +970 is also the country code for Palestine but it depends on which country you are calling from whether +970, +972 or both work. Politics in phone numbers. The +970 route was never tried via my asterisk.
2011-07-23 (#)
I was watching BBS: The Documentary again and that inspired me to put some more stuff on-line at bbs.idefix.net. Stuff now on: Fidonet standards descriptions.
2011-07-18 (#)
First good catch after updating the scripts for capturing the audio on attempts at toll fraud through an asterisk server, some calls with incoming audio logged to disk, and some with absolute silence. The calls with audio have serious noise in the background, my best guess is airco noise. But some typing can be heard, some other sounds and one even with a word at the end. I added some audio from that last one.
Boiler-room type telecoms fraud operation? You decide!
What this does mean to me is that someone is actually doing real work to find opportunities for routing calls without paying. This is not an automated script, this is an actual person doing the work.
2011-07-15 (Big news in the Netherlands: the transmission tower at Hoogersmilde (north/east part of the country)...)
Koos van den Hout : Big news in the Netherlands: the transmission tower at Hoogersmilde (north/east part of the country) collapsed after a fire. I collected some of the links to pictures and videos and added comments in English in a posting on my homepage:
2011-07-15 (#)
Big transmission news in the Netherlands today: the transmission tower/mast collapsed in Hoogersmilde after a fire and the transmission tower/mast in Lopik was shut down after a small fire because the fire department wanted to be really sure about the situation after the collapse in Hoogersmilde.
Collected links to pictures / videos:
A bit of history:
- Picture of the fire #tvtoren #hoogersmilde #brand. on Twitpic
- Detail picture of the tower, showing heat damage to the metal construction zie het rode kader waar #tvtoren van #hoogersmilde is geknapt. bovenste deel recht neer, tweede deel naar rechts
- Good images of the collapse: TV-toren Hoogersmilde bovenste 180 meter ingezakt - 112nederland.nl click on images for large versions.
- One video of the collapse, a police PR person explains and reacts quite calmly to the collapse, one of the possible outcomes: Zendmast Hoogersmilde stort in - nos.nl video
- Another video of the collapse, with someone cursing very loudly in Dutch: Mast tv-toren Hoogersmilde stort in - RTV Drenthe (15 juli 2011) this video was later used in news items with audio partly muted.
- Collapse from a bit further away: Mast Tv toren Smilde
- Another collapse video, showing the first break happening and the sequence of the collapse, starting at 0:53 in the video : instorten televisietoren hoogersmilde
- News article, pictures and video: Deel zendmast Hoogersmilde ingestort - nos.nl
- The remains, still smoking: Brand in TV mast Hoogersmilde - HvNieuws.nl
- Closer views of the remains: TV Toren Hoogersmilde and TV Toren Hoogersmilde Westkant and Zendmast Hoogersmilde afgebroken door brand 15-7-2011 (4) with smoke still coming from the remains
- Good overview pictures of fire, collapse and remains: Vrijdag 15 juli 2011 Hoogersmilde: Zendmast Alticom-toren stort in na brand look at the first picture of the collapse: the first break happened at one of the spots where heat-damage was showing.
- Radio en TV zenders in Nederland is maintaining an archive of images, news, movies, plans at Brand in de TV-toren in Hoogersmilde
2011-07-15 (#)
I added the .local domain to the nameserver at home as a way to make sure avahi-related queries never escape onto the big Internet. But it seems avahi tests for the presence of .local by querying for the SOA record in the DNS and disables itself when that is available. So every time an avahi implementation starts, a query for .local has to 'escape' or avahi won't work. Not what I had in mind.
I disabled this .local domain in the local resolver until I can find a way to configure bind9 to return NXDOMAIN without querying the root servers.
Information via Avahi and Unicast Domains .local.
2011-07-15 (#)
I updated the scripts for capturing the audio on attempts at toll fraud through an asterisk server so there is some call progress sound before the 'wrong number' recording is played. I also switched from MixMonitor to Monitor which saves incoming and outgoing audio separately, so it is easier (for me) to check the incoming audio for interesting bits.
This is what the asterisk code now looks like:
; any dialed number starting with 00: build a timestamp for the recording name
exten => _00.,1,Set(filename=${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)})
; record incoming and outgoing audio to separate wav files
exten => _00.,n,Monitor(wav,wrongnum-${filename})
; play call progress sound, then continue in the wrongnumber context
exten => _00.,n,Playback(wrong/callprogress)
exten => _00.,n,Goto(wrongnumber,s,1)
And you can hear what the 'caller' would hear in the attached mp3 file.
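A way to sort the separately recorded incoming legs into "silent" and "has audio" before listening to them. This is an added example, not part of the original scripts. It assumes Monitor's -in/-out file suffixes and 16-bit mono PCM wav files; the -60 dBFS threshold, the file names and the generated audio are constructed.

```python
import io
import math
import struct
import wave

SILENCE_DBFS = -60.0  # assumed threshold; tune against your own recordings


def rms_dbfs(wav_file):
    """RMS level of a mono 16-bit PCM WAV, in dB relative to full scale."""
    with wave.open(wav_file, "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM")
        raw = w.readframes(w.getnframes())
    count = len(raw) // 2
    samples = struct.unpack("<%dh" % count, raw[:count * 2])
    rms = math.sqrt(sum(s * s for s in samples) / count) if count else 0.0
    return 20 * math.log10(rms / 32768) if rms > 0 else float("-inf")


def triage(recordings):
    """Label each incoming leg (Monitor's '-in' file) as 'audio' or 'silent'."""
    verdicts = {}
    for name, wav_file in recordings.items():
        if name.endswith("-in.wav"):  # '-out' only holds our own playback
            level = rms_dbfs(wav_file)
            verdicts[name] = "audio" if level > SILENCE_DBFS else "silent"
    return verdicts


def make_wav(samples, rate=8000):
    # Constructed in-memory WAV so the example runs without real recordings.
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 2, rate, 0, "NONE", "not compressed"))
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    buf.seek(0)
    return buf


def demo():
    tone = [int(2000 * math.sin(i / 3)) for i in range(8000)]  # constructed audio
    return triage({
        "wrongnum-20110718-101500-in.wav": make_wav(tone),
        "wrongnum-20110718-101500-out.wav": make_wav(tone),
        "wrongnum-20110718-103000-in.wav": make_wav([0] * 8000),
    })


print(demo())
```

For real recordings, pass a dict of file name to opened file (or path) for everything in the Monitor spool directory instead of the constructed buffers.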
2011-07-14 (#)
Just did a dvb-t services scan and I even found a new (to me) service: the new multiplex at 570 MHz, logged in DVB-T reception log for 20110714. I have received the DVB-H KPN Mobiel TV service on that frequency before so it is not a surprise, but seeing this multiplex on this frequency still counts as 'new'.
2011-07-14 (Adam Savage (prompted by Neil Gaiman) performs "I Will Survive" as Gollum...)
Koos van den Hout : Really funny stuff there:
2011-07-13 (#)
I did it.. I joined Google+. I actively avoided Facebook so far and waited very long before joining Twitter but I got a reasonably early invite to Google+ and took it. The invite was from a German user so it took some changing settings before Google+ changed its user interface language to English for me. Lots of people I know from certain places are on Google+ so there is something to read.
Google+ urls are somewhat unreadable: my page is at https://plus.google.com/114168607206195341184 so I added a redirect as http://gplus.idefix.net/.
2011-07-13 (#)
End of an era: today we changed all computer science e-mail addresses to forward to central mail addresses where a big Exchange server does all the work. After years of running the e-mail service, including dealing with problems like viruses and spam, it still feels weird. Almost all local delivery has been stopped, postfix just has a big list of aliases now.
A history for as far as I can deduce (most way before I worked there):
UUCP mail with a telebit trailblazer modem
SMTP based mail, sendmail
Postfix (cs.uu.nl ran postfix before it was called postfix) with mboxes/imap
Postfix with maildir / imapssl
I'll still be running my own e-mail setup at home, based on sendmail, my personal choice in mailer. But that's a different story.
2011-07-13 (#)
Trying to clear out an old e-mail archive (13215 messages) with the Thunderbird e-mail client (selecting all messages older than a month, pressing shift-delete) makes Thunderbird unresponsive for hours and in the end the mail is still not deleted.
Doing the same in the right place on the server with
# find . -mtime +31 | xargs rm
takes less than 30 seconds and Thunderbird rereads the folder fine.
2011-07-12 (#)
Yesterday de Volkskrant had a piece about acquisition fraud (acquisitiefraude). Really also a form of social engineering. Mostly the term 'social engineering' is used for gathering information around computers, but following the statements about social engineering on 'Off The Hook' I would like to interpret the term more broadly. The ways in which acquisition fraudsters try to approach their victims also fit neatly in the list of social engineering.
And one more thing: the official website of the 'steunpunt acquisitiefraude' is http://www.fraudemeldpunt.nl/. But what do you get when you don't register the obvious domain names? Then someone else does, and so you get sites like www.acquisitiefraude.nl, www.advertentiefraude.nl, www.fraudemeldpunt.com, according to the article in de Volkskrant all belonging to one of the better-known acquisition fraudsters.
2011-07-06 (#)
More information about the new choices in the digital television offering at Ziggo: Ziggo maakt nieuwe pakket indeling bekend - Digitale Kabeltelevisie. The earlier prediction, 'Whoever now has a single theme package at 3.95 per month will have to switch to at least the plus package, which costs 8 euro extra per month, to keep all channels', seems to be coming true.
We have the 'kennis en nieuws' (knowledge and news) package, originally requested to have access to Journaal24, but we also sometimes watch Geschiedenis24. In the new setup keeping access to the latter costs 8 euro per month, compared to 3.95 now.
I think we can do without Geschiedenis24; for that price you can boot Windows once in a while and watch the Silverlight stream via the Geschiedenis24 website.
2011-07-06 (#)
Amusing news: there was someone who did see a business case in large-scale fraud with OV-chipkaart cards. Translink Systems has always denied that, it was all theoretical. This time the attempt was discovered quickly, but I assume that before long someone will try this better.
Via Gekraakte OV-chipkaarten massaal verhandeld - Webwereld. Less fun for those who tried to do something with the cards: Reizigers dupe van vervalste OV-chipkaarten - Webwereld.
With a nice piece of advice from TLS:
The spokesperson has clear advice for travellers: "The advice to consumers is not to buy this card, because travelling with manipulated cards also is and remains punishable."
2011-07-01 (#)
It is well-known that all IPv4 address blocks are either allocated or reserved for very good reasons, but some IP addresses in logs still make me think 'huh?' when I see them, thinking they might be reserved when they are for sure given out now. Stuff like:
Jul 1 09:12:17 greenblatt sshd[841]: Invalid user data from 1.9.21.4
Jul 1 09:12:23 greenblatt sshd[846]: Invalid user data from 1.9.21.4
Jul 1 09:12:26 greenblatt sshd[849]: Invalid user data1 from 1.9.21.4
Jul 1 09:12:28 greenblatt sshd[851]: Invalid user data2 from 1.9.21.4
Jul 1 09:12:34 greenblatt sshd[858]: Invalid user data4 from 1.9.21.4
Jul 1 09:12:37 greenblatt sshd[862]: Invalid user data1 from 1.9.21.4
Even the ssh scanners are popping up in the 'new' IPv4 ranges. And a quite stupid one too.
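A quick way to settle the 'huh?' for any source address in such a log: summarise the sshd "Invalid user" lines per address and let Python's ipaddress module say whether the address is globally routable, private or reserved. This is an added example, not from the original entry; the last two log lines are constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Lines as shown in the entry above.
PAGE_LINES = """\
Jul 1 09:12:17 greenblatt sshd[841]: Invalid user data from 1.9.21.4
Jul 1 09:12:23 greenblatt sshd[846]: Invalid user data from 1.9.21.4
Jul 1 09:12:26 greenblatt sshd[849]: Invalid user data1 from 1.9.21.4
Jul 1 09:12:28 greenblatt sshd[851]: Invalid user data2 from 1.9.21.4
Jul 1 09:12:34 greenblatt sshd[858]: Invalid user data4 from 1.9.21.4
Jul 1 09:12:37 greenblatt sshd[862]: Invalid user data1 from 1.9.21.4
"""
# Constructed lines: one private and one reserved source address.
CONSTRUCTED_LINES = """\
Jul 1 09:13:01 greenblatt sshd[870]: Invalid user test from 10.0.0.5
Jul 1 09:13:09 greenblatt sshd[874]: Invalid user test from 240.0.0.1
"""

INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def classify(addr):
    """Return 'reserved', 'private', 'global', 'special' or 'unparsed'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # sshd may log a hostname instead of an address
        return "unparsed"
    if ip.is_reserved:          # checked first: 240.0.0.0/4 can also test private
        return "reserved"
    if ip.is_private:
        return "private"
    return "global" if ip.is_global else "special"


def summarise(log_text):
    """Group invalid-user attempts by source address."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        match = INVALID_USER.search(line)
        if match:
            seen[match["ip"]].append(match["user"])
    return {ip: {"attempts": len(users),
                 "users": sorted(set(users)),
                 "scope": classify(ip)}
            for ip, users in seen.items()}


for ip, info in summarise(PAGE_LINES + CONSTRUCTED_LINES).items():
    print(ip, info)
```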