Recently the YouTube algorithm surfaced the video Booting up the 3ESS - Connections Museum
for me and I gladly watched it. That did bring back a memory:
in 1988 I did an internship at KPN telecom.
This internship was part of my MTS electronics education. I actually took
that education because I wanted to do something with computers but there was no
suitable MTS programme, and electronics seemed the way to start heading in the
right direction. I don't remember exactly how I ended up at KPN telecom.
During this internship I got to see all kinds of exchange types; in 1988
KPN telecom had a very wide selection of exchanges in use:
electromechanical exchanges of types F, UR and UV, the computer-controlled
exchange type PRX-A and the fully computerised 5ESS exchange. I saw all of
these exchange types up close and worked on them.
The typical difference between the PRX-A and the 5ESS was, I think, that the
PRX-A still switched with reed relays; in both, the control is done by a
programmable computer. PRX stands for Programmable Reed-relais eXchange. The
AT&T 5ESS switched with electronic components.
While looking for more information about the PRX-A I also found out that this
was a truly Dutch telephone exchange which, besides being deployed in the
Netherlands, was also in use in a few other countries. Fortunately there is a
website with the necessary history, photos, documents and other memories of the PRX-A:
PRX 205, where I also learned
that the telephone exchange our ISDN phone line once came from was also the
exchange where the first PRX-A was in test use.
It was very nice to see the things about the PRX-A again. A nice piece of
Dutch telecommunications history. Also a truly Dutch product:
the PRX-A was developed at Philips Telecommunicatie Industrie (PTI) in
Hilversum.
If I had known during this internship what I later learned about phone
phreaking, I might have done things that could have gone wrong.
In a district exchange I saw and heard test equipment that decoded
Signaling System No. 5
signals. At the time I only noticed that it wasn't DTMF. Later I
learned a lot about how this worked.
My enthusiastic stories about getting uart access on the previous cable router
devices are causing more hardware to come my way to play with.
This time two Corinex HD200 CableLAN Wall Mount Adapter CXC-HD200-WMEe units
showed up. They are compact interfaces for ethernet-over-cable according to
Corinex standards. The size and the status leds remind me a lot of
devolo powerline units
which I used years ago to get network in our garden shed.
After voiding the warranty by breaking the sticker and unscrewing the two
screws the case doesn't want to open yet. Some force is needed, plastic tabs in
the corners kept it closed. I notice there is one very compact board with
everything including the power supply. There is a clear demarcation on the
board between the power supply area and the rest with slits in the board on
parts of this line. Two other screws hold the board to the case and after
removing those I can take it out. There are wires from the board to the power
plug and a coax cable to the F connector for the coax cable.
There is probably a main system on a chip (SoC) but it's hiding under a
heatsink. Most components are surface mount devices (SMD).
On the other side of the board I see an RTL8201EN ethernet chip near the
RJ45 network connector. And an EM638165TS-6IG chip which turns out to be
64 Mbit of Synchronous DRAM. And a 25L3206E, 32 Mbit serial flash.
For now I have no idea if this device has a UART somewhere. The only row
of 4 small soldering pads didn't give me continuity to any part that I
thought would be at the electric ground level so no idea whether that is
the UART or not.
Although there are two units they don't want to talk to each other over a coax
cable with F connectors. The manuals I can find state clearly that they want to
see a Corinex Ethernet over cable master device. The person that gave them to
me has experience with these devices and their implementation of the standards
and stated to me Corinex ethernet over cable devices only talk to Corinex
ethernet over cable masters.
In October 2022 the Sigi Presch - DL7DF and Crew DXpeditions
team was active from Guadeloupe,
a set of islands in the Caribbean that is an overseas department and region
of France.
I already had a digital contact with Guadeloupe confirmed, but I really wanted
to get more countries in morse so I worked on getting a contact with this
dxpedition. I worked them on the 17 meter band in morse on 15 October of
this year.
With all the costs of such a DXpedition I can imagine they like a donation. And
I like to get a real QSL card, so these two came together and there is a card
on the way. And I already received a digital confirmation via Logbook Of The
World. All contacts will be digitally confirmed eventually, more DXpeditions do
an announcement that they will upload all the logs after a while (usually half
a year). I think this is a positive development: if you want a physical card or
a speedy confirmation you help with the costs of the DXpedition and otherwise
you get a confirmation anyway eventually.
I will keep an eye on DXpedition announcements from Sigi Presch DL7DF and
team!
In August 2022 I received a report of a cross-site scripting vulnerability in The Virtual Bookcase
and the reporter of the vulnerability never replied after I told him there was
no financial reward for reporting bugs.
In November the bug report became public at openbugbounty:
virtualbookcase.com Cross Site Scripting Vulnerability Report ID: OBB-2858037 - Open Bug Bounty
so this confirms my theory of what the vulnerability was. Which I have fixed,
but this isn't visible at openbugbounty.
In this case the vulnerability wasn't severe and with the little amount of
information I had from the report plus the access logs I was able to fix it.
But in other cases the vulnerability may be more complex and the site-owner
who deals with a report like this can't just analyze the logfiles to get an
idea of where the vulnerability might be.
I don't think the world becomes a safer place if information about
vulnerabilities is only available if you pay for it.
The About the Project of the Open Bug Bounty project
seems to promote actual 'bounty':
A website owner can express a gratitude to a researcher for reporting
vulnerability in a way s/he considers the most appropriate and proportional to
the researcher's efforts and help.
As a matter of example, Google pays from $7,500 to $100 per XSS vulnerability
submitted by security researchers. But Google is Google, you may adjust your
remuneration range to any amounts comfortable for you.
At the same time demanding a bounty before disclosing the bug is not ok on
this platform. From the same 'About' page:
We always encourage the researchers to be respectful, responsive and polite, to
provide website owners with all reasonable help and assistance.
If a researcher violates the enacted standards of ethics and good faith
including but not limited to:
demanding remuneration to delete a submission
demanding remuneration to disclose vulnerability details
such submissions will be immediately deleted from our platform.
I hope the next vulnerability disclosure causes less irritation.
When I started with HF in amateur radio (below 30 MHz) in
August 2014 making PSK31
contacts on the 10 meter band
the number of sunspots was falling, the maximum frequency for ionospheric
propagation was falling and therefore the possibilities of making contacts on
the 10 meter band were dropping.
In 2022 we are in the rise of the number of sunspots as part of solar cycle
25. And this year there are clearly moments where I can get interesting
contacts on the 10 meter band.
Today I had some time to play radio in the morning and I got contacts with
China, India, UK bases on Cyprus, Macedonia and Hong Kong. The contacts were
in FT8 mode.
It is nice to see this. Radio amateurs who have been active for years will
tell you about the good times when you can make contacts on the 10 meter band
during the day with minimal means. Now I am enjoying this myself and having
fun all over the world.
On 9 December this year was the annual SURFcert Capture The Flag (CTF) event.
The end result is that team "I'm not a robot" from Radboud University Nijmegen won
with the most points.
When I participate in a CTF, I like to keep notes and write about my
experiences and what I learned solving the challenges. Being on the 'other'
side creating the challenges is as much fun, but while creating the challenges
you have to be really silent about it. For me personally it is extra
challenging because one of the regular SURFcert CTF players works with me in
the same team.
But sometimes designing a challenge and making it happen gives the same great
feeling as actually solving it! This was the case with the challenge that
ended up as Scan the radio on the SURFcert CTF. The name of
the challenge was somewhat confusing by design: there was a challenge which
was designed to make people use a 1990s style ghettoblaster radio,
there was a challenge mentioning 'broadcast' which was actually about
names of wifi networks and this challenge. All three were marked 'physical'
with a description of the challenge.
For this challenge I wanted to create an NFC tag that could be read easily.
I found out information can be put in NFC tags using the NDEF standard (NFC
Data Exchange Format) which has options to embed URLs, options to start
certain apps or simple strings. I wanted a simple string with a flag as
our flag format was SCF2022- plus 32 characters uppercase. I found out the
developer of proxmark is working on NDEF support but it is all quite new.
At this point I was worried I had to write my own code and use parts from a
fresh library to get an NDEF message on a card. I did bring some MiFare classic
cards home to test on. But searching for information I came across
NDEF and Magic Mifare Cards with the very important remark:
My suggestion would be to get an Android phone
with nxp reader chip (there are many) and use tagwriter from NXP to format and
write ndef data to the Mifare classic chip.
I do have NFC TagWriter by NXP
on a smartphone, I just haven't used it a lot.
And indeed it was really easy to create an NDEF dataset with a string,
write this to a MiFare classic and read this with an Android phone with NFC
support, even without opening the NXP TagInfo application.
So that was an easy challenge to make, a lot easier than I first thought.
Or was it? The final test would be to read this on an Apple iphone too.
And there came the snag, the Apple iphone doesn't work with MiFare classic
tags somehow. But the person who helped me test it had another tag with an
NDEF message on it, and that worked fine. So the conclusion was that another
type of tag would work better. Luckily one of the other people of the team
creating the SURFcert CTF has a big collection of NFC tags and it turned
out the tag given out by Tweakers reads fine on Android and iphone.
So that's how the 'scan the radio' challenge was to notice the clearly not
from 1992 tweakers tag on the ghettoblaster radio, scan it with the standard
NFC support in a smartphone or use NXP TagInfo and find the flag.
While creating this challenge I also tried writing information to the tags
which were given out / sold about 15 years ago which looked like a circle with
a hex serial number. I always assumed they were just a serial number to look up
in a database. But they turned out to be actual NDEF tags with the hex serial
number on the outside as a URL:
For the tag with 04B7CC193E2580 on the outside: protocol 01 (http://www.), URI field ttag.be/m/04B7CC193E2580
But ttag.be has changed owners since this was active and it's now
redirecting to 609.es which is a real-estate agent in Spain. I guess
everybody who scans a round tag with a serial number wonders how they end up
with a real-estate agent.
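The NDEF layout behind both tags in this post (a text record for the flag, a URI record with an abbreviated prefix), as an added example that is not code from the original post: a small parser that shows which host a tag points at before anyone follows the link. The flag value is a constructed placeholder, the helper names are hypothetical and the prefix table is only a subset of the NFC Forum list.

```python
import struct
from urllib.parse import urlsplit

# Subset of the NFC Forum URI abbreviation table (identifier code -> prefix).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def parse_ndef(message: bytes):
    """Split an NDEF message into (tnf, type, payload) tuples."""
    records, pos = [], 0
    while pos < len(message):
        header = message[pos]
        if header & 0x20:  # CF flag: chunked payload
            raise ValueError("chunked records are not handled in this example")
        try:
            type_len = message[pos + 1]
            pos += 2
            if header & 0x10:  # SR: one-byte payload length
                payload_len = message[pos]
                pos += 1
            else:  # normal record: four-byte big-endian payload length
                payload_len = struct.unpack(">I", message[pos:pos + 4])[0]
                pos += 4
            id_len = 0
            if header & 0x08:  # IL: an ID length byte is present
                id_len = message[pos]
                pos += 1
        except (IndexError, struct.error):
            raise ValueError("truncated NDEF record header") from None
        end = pos + type_len + id_len + payload_len
        if end > len(message):
            raise ValueError("record is longer than the data on the tag")
        records.append((header & 0x07, message[pos:pos + type_len],
                        message[pos + type_len + id_len:end]))
        pos = end
        if header & 0x40:  # ME: last record of the message
            break
    return records


def decode_record(tnf, rtype, payload):
    """Decode well-known Text ('T') and URI ('U') records; pass others through."""
    if tnf == 0x01 and rtype == b"U" and payload:
        prefix = URI_PREFIXES.get(payload[0])
        if prefix is None:
            raise ValueError(f"URI identifier code {payload[0]:#04x} not in subset")
        return "uri", prefix + payload[1:].decode("utf-8")
    if tnf == 0x01 and rtype == b"T" and payload:
        lang_len = payload[0] & 0x3F  # low 6 bits: language code length
        raw = payload[1 + lang_len:]
        if payload[0] & 0x80:  # UTF-16, big-endian unless a byte order mark says otherwise
            codec = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-16-be"
        else:
            codec = "utf-8"
        return "text", raw.decode(codec)
    return "other", payload


def describe_tag(message: bytes):
    """Return (kind, value, host) per record; host is set only for web URLs."""
    out = []
    for tnf, rtype, payload in parse_ndef(message):
        kind, value = decode_record(tnf, rtype, payload)
        host = urlsplit(value).hostname if kind == "uri" else None
        out.append((kind, value, host))
    return out


def short_record(rtype: bytes, payload: bytes, first: bool, last: bool) -> bytes:
    """Build one short well-known record (used only to construct the sample)."""
    header = 0x10 | 0x01 | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([header, len(rtype), len(payload)]) + rtype + payload


# Constructed sample: a placeholder flag in the SCF2022- format plus the URL
# from the round tag described above.
SAMPLE_FLAG = "SCF2022-" + "X" * 32
SAMPLE_TAG = (
    short_record(b"T", b"\x02en" + SAMPLE_FLAG.encode(), first=True, last=False)
    + short_record(b"U", b"\x01" + b"ttag.be/m/04B7CC193E2580", first=False, last=True)
)

if __name__ == "__main__":
    for kind, value, host in describe_tag(SAMPLE_TAG):
        print(kind, value, host or "")
```

The host column is the part worth checking on old tags: the bytes on the tag never change, but the owner of the domain they point at can.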
I haven't written about the bitcoin extortion mails for a while, but this one
came by today in fairly good Dutch. It reads as if the original
language is different, but it is well translated without crooked sentences.
Unfortunately I start with bad news for you. A few months ago I managed to
gain access to the device you are currently using to surf the internet.
Since that time I have tracked all your internet activities.
Because you are a regular visitor of porn sites, I think you should pay
attention now. Your fate is in your own hands. I will keep it simple,
I gained access to your data via the website you visited.
I uploaded a trojan horse to the driver system that keeps updating its
fingerprint several times a day, so that it is impossible for your
antivirus software to detect it. It also gives me access to your
camera and microphone. I have also made a backup of all data,
including photos, social media, chats and contacts.
Transfer the amount of 950 USD in BTC to my Bitcoin wallet, and I will
let this whole situation rest. I guarantee that I will permanently delete all
data and videos as soon as the payment has been received.
That seems to me a modest and reasonable compensation for all my hard work. You
can figure out for yourself how to buy Bitcoins using search engines
like Google or Bing, because that is all really not that difficult.
My Bitcoin wallet (BTC): 1CKiipxrHHRz4HFWMxk6Q4v5hGUs7vHPML
Here there is already a report from someone who received the same mail,
which immediately makes clear that the sender has nothing at all but would like
it if the bitcoin wallet gets topped up.
There is also a link to a site that claims to help you if you become the
victim of bitcoin scammers. That help then ensures that you become the
victim of bitcoin scammers twice, so that is not recommended
either.
Over the past days we again had instability of the VDSL connection. At a
certain point the PPP connections lasted no longer than 2 minutes:
Dec 2 10:39:05 wozniak pppd[4211]: Connect time 0.7 minutes.
Dec 2 10:45:02 wozniak pppd[4211]: Connect time 1.5 minutes.
Dec 2 10:49:13 wozniak pppd[4211]: Connect time 1.2 minutes.
Dec 2 10:51:10 wozniak pppd[4211]: Connect time 1.0 minutes.
The first interruption was Wednesday evening 20:28. Thursday during the day the
interruptions were annoying but it was still possible to work for an hour.
Thursday evening the interruptions came more often.
This of course did not give a workable situation. So on Friday we could not
work from home either. On Friday morning I called Freedom, our Internet
provider. They gave a number of options to test before they send a
technician. Logical, because sending a technician costs quite a lot of money so
they only want to do that once other options have been ruled out.
Now on Saturday morning the connection is stable again: at 04:46 the connection
came back and since then the speed has become slightly higher and the
'near end errors' and 'far end errors' counters no longer increase.
This feels as if the problem has not been solved, but is temporarily
gone. An outage between these kinds of times also doesn't look like something
to do with human work activities.
I can't wait for a fibre connection, then there is less chance of
disturbances from my radio signals or other interference from the neighbourhood.
This outage is very similar to the VDSL interruptions I had in July 2022.
Update 2022-12-04
Today between 02:05 and 11:02 the connection was very unstable again,
after that reasonably stable again with only one interruption. It remains very
unclear what is going on.
Between Friday evening and Sunday afternoon I had a different cable in use
between the ISRA point and the modem; there seems to be little relation between
using a different cable and stability or instability.
Update 2022-12-06
Last night hiccups again, mainly at night. It is very unclear
under which circumstances the connection stutters.
Update 2022-12-07
Because the Draytek vigor 130 VDSL modem is by now 4 years old I have now
bought a Zyxel VMG4005-B50A and it has arrived. With this modem 'PPPoE passthrough'
is the default configuration instead of something that can be achieved with
more or less effort. So it works immediately with my own configuration. The latency
is slightly lower with this modem and the stability is very good.
Update 2022-12-14
The connection had meanwhile become largely stable again, but based on the
report I made to our Internet provider freedom about the
instability on 2 to 5 December a technician from KPN came by.
He renewed the ISRA point, checked all cables and replaced some
connectors. And besides that expressed the hope that we will get fibre before
too long. I completely agree with that!
Last weekend was the CQ World-Wide DX Contest CW
and I participated in that contest on parts of Saturday and Sunday. I ended
with 189 contacts. Daytime I worked on the 10 and 15 meter bands and when those
started to dry out I switched to the 20 meter and 40 meter amateur bands.
Most of the time I chased stations in search+pounce mode
but I also called CQ on the 15 meter band on Sunday afternoon. I will need
to practise more with calling CQ: stations came to me at higher speeds than I
was used to with running PA900UTR and if I didn't
decode the callsign and react immediately some gave up fast.
But my morse is improving, even at contest speeds and I got a nice number
of countries in the log. Even countries I didn't have in morse before:
PJ2 Curacao, PJ4 Bonaire, CX Uruguay, 3B8 Mauritius, CN Morocco, SV9 Crete.
Of those Mauritius is a completely new country in amateur radio for me.
I put in some extra effort to get those new countries in the log, with other
stations that I know are confirmed countries I give up after a few tries and
try to get another call in the log. Radio contesting is about the numbers: both
number of contacts and the multipliers. In this contest the number of CQ zones
and countries is the multiplier, so I optimise a bit for that number. And I
suspect a lot of the other contestants do the same.
The overview of my single operator multi band effort:
This was one of those contests where I had it all planned beforehand to
participate, made sure everything was working optimally and had it marked in
the family calendar. Normal things like weekend shopping still needed time,
but the family wasn't surprised I spent a lot of time behind the radio.
From a perspective of security research I only touched the surface of the
security research on the Corinex CXWC-HD200-WNeH and the
Cab.Link CLS-D4E2WX1
by finding default credentials for telnet.
To get a further insight I need to first enumerate the network attack surface
completely. What services are running, what programs run those services.
The ultimate step would be to build an emulation environment where I can run
the programs from the routers under my control and find out about the programs
and get a first few steps into reverse engineering. With qemu it is possible to
emulate MIPS systems on x86 hardware, so I can build a test environment.
It would need some work to get old enough versions of code and kernels to
create a compatible environment. The Corinex router mentions compilation in
2012 but with Linux kernel 2.6.21 which was released 25 april 2007. The
Cab.Link router mentions compilation in 2013 but uses Linux kernel 2.6.31 which
was released 9 september 2009.
After getting a good look at the
Cab.Link CLS-D4E2WX1
from the outside it was time to void the warranty and open the box. The
two screws are hiding under the little rubber feet at the front side and
after removing those two screws the case opens with a bit of jiggling.
This device has an external 12 volt 1 ampere power supply.
Chips found on the board:
Qualcomm QCA7411L-AL3C - Homeplug AV / IEEE 1901 the ethernet over cable interface I guess
I also see an extra board (leftside of the picture, blue) where the u.fl cable
to the wifi antenna starts. It has a few larger chips but those have a label
over them. I guess one of them must be the CPU because I haven't seen a chip
with that function yet.
The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins
labeled J30 (bottom left of the picture) which are a very obvious candidate for
being the uart port. Again the process for finding GND, TX, RX and Vcc was done
and the right pins found. With the board in front and the J30 readable the pins
are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from
the view of the system, so I see data transmitted on TX and I send data to RX.
The real phishing page! Finally. It sends the entered data to
https://21989-4437.s1.webspace.re/KVK/tmg1.php
After that comes a redirect to https://21989-4437.s1.webspace.re/KVK/2.php and that eventually gives a redirect to
a KVK page.
When I look at the overview Kamer van Koophandel - Fraudehelpdesk
I don't see my specific message listed there, but there is plenty of choice.
All fraud attempts, so don't fall for this!
I was planning to make some morse contacts this weekend but when I had time
to turn on the radio on Saturday afternoon there was a lot of contest traffic
on the morse parts of the bands. This turned out to be the
LZ-DX contest.
This was a chance to get some CW contest practise done. This is a CW and SSB
contest but I concentrate on CW contesting at the moment. I found out TLF the
contest logger supports the LZ-DX contest out of the box so I could start fast.
Propagation wasn't cooperating very well but I did get contacts in the log.
The final result:
The earlier Ethernet over Cable modem/router I poked at didn't come alone,
from the same source I also got a Cab.Link CLS-D4E2WX1 cable modem/router.
Doing a search for it finds actual listings for trying to order them
wholesale: Buy Wholesale China 7400-eoc Slave Modem, Separate Tv And Ethernet From One Cable, 4 Ethernet Ports Output & 7400-eoc Slave Modem at USD 127 | Global Sources
and Eoc Male Slave 4 Ethernet Port With Wifi - Buy Eoc Esclavo Product on Alibaba.com.
Both listings call it an EOC slave. Given the terminology I expected EOC
master devices to exist as well and I soon found out those exist and can be
pricey. So I'm not going to spend money on this subject, but I may be
interested in recycling an EOC master unit.
The unit has one external wifi antenna, 4 ethernet ports, external power
supply 12V and 9 leds. The cable connection is via 2 female F connectors with
one labeled 'Cable' and one labeled 'TV'. I do notice the case has a lot of
ventilation holes.
On the underside is a label with the manufacturer name, model name, a
default equipment management IP 10.10.1.250, a Wireless Network Name
'wifi' and the EOC and Wifi Mac addresses as numbers and barcodes, and
the serial number as number and barcode. The unit has four little rubber
feet (full LRF support) and two of those are hiding screws to open the unit.
On switching the Cab.Link router on I indeed see a wifi network appear with the
name 'wifi' which on connecting gives me an IPv4 address in the 192.168.1.x
range with the default gateway 192.168.1.1.
Cab.Link CLS-D4E2WX1 router underside
The Cab.Link router has a web interface listening on port 80. It directly asks
for http authorization but using admin/admin for username and
password gets me right in. Up until now I haven't found any reference to PLC or
EOC in the webinterface.
The Cab.Link also has a telnet server running on port 23. It greets me with
an OpenWRT banner but the first few attempts at finding username/password do
not let me in:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
WARNING: telnet is a security risk
OpenWrt login: admin
Password:
Login incorrect
OpenWrt login: root
Password:
Login incorrect
OpenWrt login:
A comment on irc made me have a look at the logs for my haproxy system to get
an idea whether any weird vulnerability scan came by. No special vulnerability
scan showed up, but my attention was drawn to a number of lines like:
If there are one or two of these lines from one address, it is a sign of a
client which can't finish the SSL negotiation. With my site that probably means
an old client which doesn't understand LetsEncrypt certificates without an
extra certification path.
But this is quite a number of SSL errors from the same IPv6 range in a short
time. I wondered what was behind this and did a bit of testing, until I found
it's simple to cause this by doing an SSL test. For example with the famous
Qualys SSL test
or with an ssl scan tool. This is logical: ssltest uses a lot of different
negotiations to test what actually works.
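The distinction made above, one or two failures from an address versus many from one IPv6 range in a short time, can be checked mechanically. This is an added example, not code or log data from the original post: the log lines are constructed in the common haproxy "client:port [date] frontend/listener: SSL handshake failure" shape, and the 60 second window and threshold of 5 are assumptions to tune.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# haproxy error-log shape: client:port [accept date] frontend/listener: message
LINE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<addr>\S+):(?P<port>\d+) "
    r"\[(?P<ts>[^\]]+)\] (?P<frontend>\S+): SSL handshake failure"
)


def source_prefix(addr: str) -> str:
    """Group IPv6 clients by /64 (one network, many addresses); IPv4 by host."""
    ip = ipaddress.ip_address(addr)
    bits = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def handshake_failures(lines):
    """Map source prefix -> list of failure timestamps; other lines are skipped."""
    by_prefix = defaultdict(list)
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue
        try:
            prefix = source_prefix(match["addr"])
            stamp = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S.%f")
        except ValueError:
            continue  # unparsable address or date: ignore the line
        by_prefix[prefix].append(stamp)
    return by_prefix


def classify(by_prefix, window=timedelta(seconds=60), threshold=5):
    """Label each prefix by its densest run of failures inside one window."""
    verdicts = {}
    for prefix, stamps in by_prefix.items():
        stamps = sorted(stamps)
        best = start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        # "burst" fits an SSL test trying many negotiations; "isolated" fits
        # a single client that could not complete the handshake.
        verdicts[prefix] = ("burst" if best >= threshold else "isolated", best)
    return verdicts


# Constructed sample lines (documentation address ranges, made-up host name).
SAMPLE_LOG = """\
Nov 20 09:41:03 gateway haproxy[812]: 198.51.100.23:40211 [20/Nov/2022:09:41:03.512] https-in/1: SSL handshake failure
Nov 20 14:02:11 gateway haproxy[812]: 2001:db8:5:77::10:51512 [20/Nov/2022:14:02:11.204] https-in/1: SSL handshake failure
Nov 20 14:02:12 gateway haproxy[812]: 2001:db8:5:77::11:51514 [20/Nov/2022:14:02:12.017] https-in/1: SSL handshake failure
Nov 20 14:02:13 gateway haproxy[812]: 2001:db8:5:77::12:51520 [20/Nov/2022:14:02:13.450] https-in/1: SSL handshake failure
Nov 20 14:02:15 gateway haproxy[812]: 2001:db8:5:77::10:51533 [20/Nov/2022:14:02:15.093] https-in/1: SSL handshake failure
Nov 20 14:02:17 gateway haproxy[812]: 2001:db8:5:77::13:51541 [20/Nov/2022:14:02:17.731] https-in/1: SSL handshake failure
Nov 20 14:02:19 gateway haproxy[812]: 2001:db8:5:77::11:51550 [20/Nov/2022:14:02:19.268] https-in/1: SSL handshake failure
Nov 20 14:05:40 gateway haproxy[812]: 203.0.113.9:33412 [20/Nov/2022:14:05:40.002] https-in~ site/web1 0/0/1/12/13 200 5120 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
"""

if __name__ == "__main__":
    for prefix, (label, count) in classify(handshake_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{prefix:24} {label:9} max {count} failures per window")
```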
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH
with a confirmation from the vendor that this is a device completely out of
support. Which confirms the public information I found
when I started looking into this device.
This was all related to the course in hardware hacking I took and applying
the new knowledge.
So now I can look back on this experience and think about my future here.
Hardware hacking has serious links to my current job as technical security
specialist. In my work I regularly have to look at vulnerabilities and assess
the chance and impact of misuse of the vulnerability. With hardware hacking
I find vulnerabilities by researching hardware. This helps me understand the
chance and impact factor of other vulnerabilities.
There is also a link to my education: part of that was MTS electronics. I
learned how to solder, before SMD components were a thing and I think I got
some explanation about switching mode power supplies at the end. As I got into
computers I didn't do much with this education but the last years in amateur
radio have made me get out the soldering iron again.
There is a clear link to my hobby of amateur radio. My interest in amateur
radio is linked to wanting to know how things actually work. Hardware hacking
is also done with RF signals so I may get into more RF related hardware
hacking.
My current thought is that I want to continue in this subject. It's given me
joy: getting into a device in new and unexpected ways gives joy! I have learned
new things. I noticed I need to feed the brain regularly with new information
and actually learning something new is much better brainfood than browsing
social media. At the same time social media is the way to learn
more about this subject and interact with other people interested in this
subject. I ended up on /r/hardwarehacking on reddit
and already learned from others and shared some of my own insights!
There is the thing about RFID/NFC security. I have looked into this in the
past, mostly by getting the tools to peek into the MiFare classic cards. I am
considering going further with this area of hardware hacking. Prices of hacking
tools for this area like the proxmark3 or the flipper zero are above the 'nice
to try a few things' level. On the other hand I think I could have loads of fun
there, and the overlap with amateur radio is very clear.
At the end of this bit of writing: thanks to people who share their hardware
hacking experiences on-line! Thanks to Jilles
Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal,
@Flashback Team on youtube,
Make Me Hack on youtube,
and Boschko Security for sharing
their stories and knowledge.
I saw a phishing mail containing a QR code to follow. That is of course
a way to prevent mail scanners from directly recognising the URL as
suspicious. Only my mail client didn't want to just load that image because it
is remote, because that is already suspicious.
Image: https://qr.de/code/ySVDbB.png
URL from QR code: https://qr.de/ySVDbB
Redirect https://lnkd.in/dqiBJCcD
Redirect http://bit.do/0214nl85479651
Redirect https://21981-4426.s3.webspace.re/
And there is the phishing page that asks for all kinds of personal data.
Correction: was. The page is already gone. But if one of the redirects is
adjusted by the criminal, things will of course continue again!
When I look at the overview Kamer van Koophandel - Fraudehelpdesk
I don't see my specific message listed there, but there is plenty of choice.
All fraud attempts, so don't fall for this!
Update:
Even the qr.de redirect is gone, so the criminal will have to send new spam
mails.
Since passing the morse
exam I have continued working on my morse skills. As one of the reasons for
wanting to learn morse was to be able to participate in morse radio contesting
I still want to increase my speed and accuracy in copying callsigns.
Exercising with tools like lcwo.net and
Morse Runner helps improve
these skills.
But I'm also working on these skills 'on-air'. At the radio club I've done
morse activations of special call PA900UTR
a few times and that went ok. I don't get all the calls right the first time
but it is a good experience and it's working out.
In the beginning of October I shut down the home server conway
and reseated the SATA cables in the hopes of having fewer problems with timeouts.
And started the whole system again to also fix other problems.
About a month later I think this worked, I've never seen an rcu_sched
message again since doing that reseating.
Somewhere between the digging in the Corinex CXWC-HD200-WNeH I found a
vulnerability. A combination of a misconfigured network filter and a default
account make it quite easy to get into the device and get full access.
I tried to report this vulnerability before publishing about it. Timeline:
24 September 2022 I mailed a general address at Corinex about this
29 September 2022 I mailed someone who wrote about Corinex devices in the
Netherlands
28 October 2022 I tried to contact @CorinexCorp on twitter via a mention
All this got exactly zero response.
Update 2022-11-17: @CorinexCorp responded on twitter:
Hi Koos. Apologies for a lack of response. Corinex no longer supports CXWC-HD200-WNeH devices. The company exited the consumer market many years ago.
Because this device is out-of-support for years now and should not be in
use anywhere anymore, I think I've invested enough effort in trying to
report this vulnerability to the right people and I can now publish this
and close this chapter.
On to the actual vulnerability. Like a lot of other vulnerabilities this is
a case of multiple things coming together.
All the news about twitter makes me wonder if I want to stay there in the long
run.
But changing a social network is always a negative experience, you lose
contacts. I still remember several people who I haven't heard much from
since google+ and wonder how they are doing!
For amateur radio I'm having a look at mastodon as
@PE4KH@mastodon.radio.
One conclusion is that my own site is more permanent than any social media.
My own website survived the
rise and fall of google+ while importing my
posts so those are still available here.
But interaction on my own site is complex and needs constant maintenance to
avoid spam.
Usually I switch on the amateur radio setup, and the software surrounding
it just to get a feel for which amateur bands are active and what's happening
on those bands and maybe get a few contacts in the log.
Saturday evening was such a moment. But on the DX cluster
I saw a new country (for me) active: Djibouti. On the 20 meter band in FT8.
Recently Africa hasn't been too hard for me to get in the log so I joined the
loads of amateurs trying to work J28MD
and after a while I got the contact in the log with a good signal report.
The fun part is I assumed based on the website I would get a confirmation
via Logbook of the World months later or after paying for a card. But after
somewhat more than 24 hours this contact was already confirmed!
Another attempt at trying to understand the Ethernet over Cable stuff in the
Corinex CXWC-HD200-WNeH that I have been working on. I found this on the
device:
# /app/plcStatus
Socket creation success.
Socket binding to vlan1 success.
Send success (22).
Send success (22).
Node type: 01
Ip address: 0.0.0.0
Parent mac: 00:00:00:00:00:00
Up speed: 00
Down speed: 00
Child count: 00
#
The use of 'plc' (PowerLine Communications) and the way this works suggests
to me this is indeed an ethernet-over-coax device (so no docsis). But I can't
figure out where the ethernet-coax bridge is. I thought plcStatus
would use some ethernet protocol to communicate with the bridge (just as
the devolo dlan tools do) but I can't find any trace of the traffic on the
wifi interface.
Almost 10 years ago I took part in a CTF:
I took part in the hack contest celebrating 20 years of SURFcert.
And there I won a Samsung tablet. That tablet is now also 10 years old,
runs Android 4.2.2 with Linux kernel 3.0.31 and no longer gets updates.
Recently it occurred to me that I might still be able to use that tablet as a
display for my home grafana server. But that server is only reachable over
https, and for that I have a LetsEncrypt certificate where I only use the
chain from the ISRG Root X1 and no longer from the
DST Root CA X3 because that causes problems in other places.
With that it simply doesn't work. I made some attempts to get the ISRG Root
into the certificates of the tablet, but as a .pem, .crt or
.cer file the tablet does not recognise them as a certificate.
So the tablet is simply written off and no longer usable. I used this
tablet for a number of years and after that it was mainly used by my
son for playing games and watching youtube videos.
This weekend turns out to be a weekend for making radio contacts with
countries / entities I haven't contacted before. Or especially trying to get
more of those countries contacted in morse.
Friday evening I got Dodecanese contacted in morse, and already confirmed.
Dodecanese is part of Greece, but counts as a separate entity for amateur
radio. I have had contacts with Dodecanese before on all kinds of frequencies,
but it turned out I didn't have it in morse yet. Time to fix that, and I
managed to get the contact.
Saturday I got the Comores in morse on the 12 and 17 meter amateur band. The
12 meter contact was easy with clear signals, the 17 meter contact was in
the noise and hard. So I'm not completely surprised the
logbook of the Comores dxpedition D60AE
only shows the 12 meter contact.
I also managed to get a contact with Guadeloupe, a French overseas department
in the Caribbean. I had Guadeloupe before in digital modes but adding morse is
good. This contact took a lot of tries, I think I was trying to get this one
for nearly two hours. Other people probably are working longer at this, so I
am not complaining.
Sunday morning I saw the Russian DXpedition team in Benin TY0RU active on 17m FT8.
It also took a while of trying and paying attention to the radio to get this
contact in the log.
There were also other contacts to special event stations or other activities,
mostly in morse.
Radio contacts with dxpeditions can take a while to get through because a lot
of radio amateurs in the world want the special contact, and when the contact
finally happens it is ultra short. Exchanging callsigns and a default signal
report is enough, and the dxpedition wants to get on to the next contact!
I also don't have the ideal callsign for noisy morse contacts: it could be
shorter and the H at the end (in morse:
....) can be confused for an S (in
morse: ...). Yes, PE4KS is in a few
logs out there!
Yesterday I learned that ISC DHCP server
will be end of life at the end of this year. For a package I
started using around 1998 with one of the first versions I expected a bit more
announcement time. At the same time I'm so used to using ISC dhcp server in my
home network I never subscribed to any mailing list or other announcements
about ISC dhcp server, it's just there, I can configure it to do what I want
including supporting
pxe booting systems for
installation or diagnostics or supporting
special dhcp options
for APC AP7920 rackmount power distribution units. And all the virtual
lans of my home network.
ISC suggests using Kea DHCP server to replace it in most server
implementations. Kea DHCP server should be able to get a lot of configuration
data from databases and allow for dynamic updates of the configuration.
That is an improvement over ISC dhcp as it is at the moment, which needs a
full restart for every change.
So time to peek at Kea DHCP server. I don't think ISC dhcp server will be
unavailable after 31 December 2022 but I don't expect updates anymore and
when a good replacement is normalized I expect ISC dhcp server to slowly fall
away from linux distributions.
Currently it's not even available for Debian or Devuan stable or oldstable
strangely enough. I wonder what happened there. But there are distribution
packages for debian buster at Cloudsmith - Repositories - ISC - Internet Systems Consortium (isc) - kea-2-3 (kea-2-3) - Packages / format:deb.
Time to install the latest and let apt fix the dependencies:
koos@testrouter:~$ sudo dpkg -i isc-kea-dhcp4_2.3.1-isc20220928105532_amd64.deb isc-kea-dhcp6_2.3.1-isc20220928105532_amd64.deb isc-kea-common_2.3.1-isc20220928105532_amd64.deb
Selecting previously unselected package isc-kea-dhcp4.
(Reading database ... 46609 files and directories currently installed.)
Preparing to unpack isc-kea-dhcp4_2.3.1-isc20220928105532_amd64.deb ...
Unpacking isc-kea-dhcp4 (2.3.1-isc20220928105532) ...
Selecting previously unselected package isc-kea-dhcp6.
Preparing to unpack isc-kea-dhcp6_2.3.1-isc20220928105532_amd64.deb ...
Unpacking isc-kea-dhcp6 (2.3.1-isc20220928105532) ...
Selecting previously unselected package isc-kea-common.
Preparing to unpack isc-kea-common_2.3.1-isc20220928105532_amd64.deb ...
Unpacking isc-kea-common (2.3.1-isc20220928105532) ...
dpkg: dependency problems prevent configuration of isc-kea-dhcp4:
isc-kea-dhcp4 depends on libboost-system1.67.0; however:
Package libboost-system1.67.0 is not installed.
[..]
koos@testrouter:~$ sudo apt install -f
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following additional packages will be installed:
libboost-system1.67.0 liblog4cplus-1.1-9 libmariadb3 libpq5 mariadb-common
mysql-common
The following NEW packages will be installed:
libboost-system1.67.0 liblog4cplus-1.1-9 libmariadb3 libpq5 mariadb-common
mysql-common
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
3 not fully installed or removed.
Need to get 760 kB of archives.
After this operation, 4,001 kB of additional disk space will be used.
[..]
Looking at the sample configuration makes me think I can do this with a
text-based configuration (it's actually JSON) and get it going fast. For my
home network that is probably the best solution. Kea does have options to use
MariaDB or PostgreSQL backends for storage which does look really nice for my
home network but at the same time adds a dependency and a layer of complexity.
I can see IPAM systems totally going to Kea DHCP and give a full interface
on managing the databases directly including APIs for adding/removing objects
as they are added in other systems.
After the problems with detaching and attaching the USB 1-wire interface from a kvm virtual machine to fix an interference issue
showed up again I decided to move the USB 1-wire interface to a different
machine, one where kvm virtualisation isn't in the mix. The closest available
machine that can deal with the 1-wire interface is a Raspberry Pi which also
has other monitoring tasks.
This move worked fine and the 1-wire temperatures are showing up again in
influxdb. I decided not to update the rrdtool temperature database. I will
have to find time to migrate the rrdtool history to influxdb. Ideally there
will be some aggregation for older measurements but I'd like an "infinite"
archive of a daily average.
My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH
I ordered similar gear as used in the hardware hacking course to do my own
hardware hacking. It arrived this week and today I had some time to play with
it.
Using the techniques from the course I found the serial console interface
again. The CPU board has 4 through-holes, that is a likely candidate. Next step
is finding which pin is which using a multimeter. Ground pin has continuity to
any other shield. One pin is at 0 volts without continuity to ground: the
receive data pin (from the viewpoint of the chip), another pin has a varying
voltage near the maximum voltage, this is the transmit data pin (again from
the viewpoint of the chip) and the fourth one has the constant maximum voltage,
which was 3.3 volts in this case.
I switched my USB to serial interface to 3.3 volts and connected the TX on the
system to the RX on the serial interface and the RX on the system to the TX on
the serial interface. I used Dupont cables to make this connection. With
minicom as communications program I opened the right interface:
minicom -D /dev/ttyUSB0.
After powering the router I got unreadable characters on the screen, I had
to adjust the serial port rate. This router has a serial console at 57600
bps, 8 bits, no parity, 1 stopbit.
And messages came out:
U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)
Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F
Past weekend was the 2022 version of the CQ World Wide RTTY DX Contest
and I participated. Not with any preparation: on Saturday after some other
tasks I sat behind radio and computer and looked up which set of macros would
work for this contest.
But propagation cooperated, especially on the 20 meter band. On Sunday evening
after dark I got a nice set of stations in the USA and Canada in the log. I
also saw a station from Brunei active but that station never managed to decode
my callsign while I tried for a quarter of an hour as this would have been a
new country in amateur radio for me.
I made 106 contacts in total: 70 on the 20 meter band and 36 on the 40 meter
band.
Officially the "Corinex CXWC-HD200-WNeH" cable modem is out of support for
years and deployments should have migrated to newer solutions. That is the
reason I got my hands on one: it was replaced by a docsis-based modem.
As far as I can tell these modems are based on homepna or homeplug, over
coax networks (the tools on the router don't tell what kind of standards the
coax side uses).
I'd like to know if any of these are still used in the wild. If you find this
post because you got bored and looked at the underside of the wifi box in your
holiday park, get in touch!
My e-mail address is at the bottom of this page and I'm on twitter as
@khoos.
I have a DS2490 USB 1-wire interface on the home server conway which is
rerouted to one of the virtual machines so that that virtual machine can read
the sensors on the 1-wire network. This rerouting works when the machine is
started, the DS2490 USB 1-wire shows up in the virtual machine fine. From time
to time this DS2490 USB 1-wire interface gets confused when I am transmitting
on the radio so the solution is to detach it from the virtual machine, unplug
it from the server, plug it in again and attach it to the virtual machine
again. Today this had to be done and I got an unexpected error message:
root@conway:~# virsh attach-device --live gosper /etc/onewire-for-gosper.xml
error: Failed to attach device from /etc/onewire-for-gosper.xml
error: internal error: unable to execute QEMU command 'device_add': failed to find host usb device 2:8
In logfile /var/log/libvirt/libvirtd.log:
2022-09-24 21:16:38.655+0000: 10923: error : qemuMonitorJSONCheckError:395 : internal error: unable to execute QEMU command 'device_add': failed to find host usb device 2:8
To be complete about it: usb device 2:8 is exactly the right one!
root@conway:~# lsusb | grep 2490
Bus 002 Device 008: ID 04fa:2490 Dallas Semiconductor DS1490F 2-in-1 Fob, 1-Wire adapter
This seems to be new since I upgraded the homeserver to Devuan beowulf giving
me versions:
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Descripti
+++-=====================================-===============-============-=========
ii libvirt-clients 5.0.0-4+deb10u1 amd64 Programs
ii libvirt-daemon 5.0.0-4+deb10u1 amd64 Virtualiz
un libvirt-daemon-driver-storage-gluster (no descr
un libvirt-daemon-driver-storage-rbd (no descr
un libvirt-daemon-driver-storage-zfs (no descr
ii libvirt-daemon-system 5.0.0-4+deb10u1 amd64 Libvirt d
ii libvirt-glib-1.0-0:amd64 1.0.0-1 amd64 libvirt G
ii libvirt0:amd64 5.0.0-4+deb10u1 amd64 library f
First idea: AppArmor
The first search result that came up was
Bug #1552241 “libvirt-bin apparmor settings for usb host device” : Bugs : libvirt package : Ubuntu.
So I tried changing the /etc/apparmor.d/abstractions/libvirt-qemu
file. After a few tries and reading the warnings in the rest of the file
I checked whether AppArmor was the source by completely disabling it. The error
did not go away so I reverted the libvirt-qemu rules to the original settings,
restarted AppArmor and kept debugging.
Second idea: usb rights
Based on QEMU USB passthrough broken after Ubuntu 18.04 upgrade
I added udev rules to make sure group libvirt-qemu had read and write
rights on the usb device, with /lib/udev/rules.d/51-qemu-usb-passthrough.rules containing:
root@conway:~# udevadm test -a -p $(udevadm info -q path -n /dev/bus/usb/002/008)
calling: test
version 3.2.9
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.
[..]
GROUP 110 /lib/udev/rules.d/51-qemu-usb-passthrough.rules:1
MODE 0664 /lib/udev/rules.d/51-qemu-usb-passthrough.rules:1
handling device node '/dev/bus/usb/002/008', devnum=c189:135, mode=0664, uid=0, gid=110
[..]
Indeed the right groupid, but still the same error message when trying the
attach-device command.
Interesting find: it's specific to the virtual machine that had the device before
Small update: I can attach the USB device to a different host and detach it
from that host again. I just can't attach it to the 'original' host again.
I also posted this question on serverfault:
Can't live-attach a USB device to a kvm virtual host again after upgrades.
Update:
After a complete reboot of the homeserver the USB 1-wire interface worked
again (as I could imagine). But after another interference problem it's now in
the same state again. I did change the definition in both the virthost
configuration and the xml file from managed='no' to
managed='yes' before the reboot but that hasn't helped. Contents
of the /etc/onewire-for-gosper.xml file now:
Corinex CXWC-HD200-WNeH side with warrantylabel. The warranty was voided.
This week I was attending a course in hardware hacking: HackLab: Hardware Hacking
at the Deloitte office in Den Haag.
How to find the right pins to get a commandline on a router-like device was
part of this course, and the last day there was an option to Bring Your Own
Device, to hack it. So I brought this router as I thought it was an ideal
target to get access to it, since on the earlier try
I could not get into the webinterface of the Corinex CXWC-HD200-WNeH device.
Corinex CXWC-HD200-WNeH opened boards visible
So this time I took out the screwdriver, voided the warranty of the device by
breaking the little sticker on the side and opening it. It has a board with the
powersupply and cable interface parts. The powersupply is shielded with some
plastic.
There is a smaller board with the main chip which contains the processor,
ram, wifi module. The first task was to find the uart interface which should
give a serial console. That's a skill I learned in the hacklab: first find
out which pins have continuity to ground with the device switched off. With
a simple multimeter which has a beeping continuity meter this is simple.
The beep makes it possible to test the device without looking at the meter.
After that it's a matter of switching the multimeter to voltage and checking
other pins for voltage. Usually there are 4 pins on a uart port: ground
which is physically connected to the device ground, receive data and send
data and a reference voltage. On measuring the pins the reference voltage will
be at the steady maximum voltage, the data transmitting from the device will
be varying and the pin where the device expects data will be at 0 volt.
Uart ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices.
5 and 3.3 volt are the most common. USB serial interfaces that support 5
and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are
somewhat more expensive (10 euro).
For the Corinex router the voltage is 3.3 Volt. There was a 3.3 Volt ftdi USB
to serial interface available, so I was able to access the uart port. I
connected to the uart port, used a terminal program and searched for the right
serial port settings and ended up at 57600 baud, 8 bits, no parity, 1 stopbit.
After looking at all the boot messages I was greeted with a root prompt. No
more hacking, just full access. The system boots using the U-Boot bootloader.
The system runs linux with a 2.6.21 kernel. I looked around on the filesystem
and started looking for the configuration for the webserver hoping to find the
username/password. I found this in /flash/config so I could get into
that interface as well.
I also found it was running a telnet server, but not on the standard port. The
port was 32560. Without commands like netstat or ss I had to
learn this from /proc/net/tcp. Browsing the iptables listing shows
that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts
fine.
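Reading listeners out of /proc/net/tcp by hand means decoding hex fields, so here is an added example (not code from the device or from the original post) that does the decoding and compares the result with the ports the firewall listing says should be reachable. The sample table is constructed, and the little-endian address layout is an assumption about the kernel on this board.

```python
"""List listening TCP sockets from /proc/net/tcp text, without netstat or ss."""
import socket
import struct

TCP_LISTEN = 0x0A  # TCP_LISTEN in the Linux kernel's TCP state enum

# Constructed sample in /proc/net/tcp layout, as a little-endian kernel prints
# it. Not copied from the device; inode and pointer columns are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 801 1 c0ffee00 300 0 0 2 -1
   1: 00000000:7F30 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 802 1 c0ffee40 300 0 0 2 -1
   2: 0101A8C0:7F30 6401A8C0:C5E2 01 00000000:00000000 00:00000000 00000000     0        0 803 1 c0ffee80 300 0 0 2 -1
"""


def decode_endpoint(field, byteorder="little"):
    """Turn 'AAAAAAAA:PPPP' into (dotted address, port).

    The address is the raw 32-bit value printed in host byte order, so it
    reads reversed on little-endian machines. The port is always plain hex.
    """
    addr_hex, port_hex = field.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    addr = socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(text, byteorder="little"):
    """Return sorted (address, port) pairs for sockets in LISTEN state."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an index such as '0:'; this skips the header.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established, time-wait, ... are not listeners
        result.append(decode_endpoint(fields[1], byteorder))
    return sorted(result, key=lambda entry: entry[1])


def unexpected_listeners(text, expected_ports, byteorder="little"):
    """Listeners whose port is not in the set you believe is exposed."""
    return [(addr, port)
            for addr, port in listening_sockets(text, byteorder)
            if port not in expected_ports]


if __name__ == "__main__":
    # On a live system replace SAMPLE with open("/proc/net/tcp").read().
    # IPv6 listeners are in /proc/net/tcp6, which this example does not parse.
    for addr, port in unexpected_listeners(SAMPLE, {80}):
        print("unexpected listener on %s:%d" % (addr, port))
```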
Chip found: Ralink RT3052F processor with embedded ram and flash and with
2.4 GHz wifi and a network switch for 1 gigabit port and 5 100 mbit ports.
Things I'd still like to do: copy the entire filesystem to another computer
so I can research it and check around the web interface for security issues.
I have a "Corinex Detachable Wireless-N Cable Access" Corinex CXWC-HD200-WNeH
to play with. This has been used for Internet access over TV coax cable in a
bungalow park where it has been replaced.
So it is some sort of cable modem. According to the source it's not managed
network over cable (docsis) but more like ethernet over cable, a relative
of ethernet over powerline. Searching a bit finds hempro | JPK consulting
which seems to be the next generation and isn't compatible.
I also found
Docsis, EOC of Moca toegepast in kleine kabeltelevisienetwerken which mentions that Corinex products are ethernet over cable according
to the HomePNA (abbreviated HPNA) 3.1 standard.
The only mention of these devices are for Dutch bungalow parks or campsites,
for example woon op een camping, open wifi. geen internet.
The site at corinex.nl just lists why you
should stop relying on these devices and replace them with newer technologies
that are supported.
It's not clear to me whether I can simply set up a network with a bit of
coax and another HomePNA coax interface or whether I need some sort of headend.
Time to play with the device and see how far I can get!
Today I received a phishing mail, written in French, addressed to:
Dear customer Maes-Swerts/A.,
Your Proxumis subscription has been suspended because you disputed
a debt payment. As long as the problem has not been resolved, you
cannot use any of your proxumis services.
The resulting page wants a credit card payment. So it simply collects
credit card details. I almost wonder how quickly fraud would follow if
I entered real details there. I think it is in the order of minutes,
but I don't want to test that.
The spam for 'Maes-Swerts/A.' has now been going on for more than 10 years!
Earlier,
earlier,
earlier,
earlier,
earlier,
earlier,
earlier the original discovery in 2012.
Our child plays minecraft regularly. The start was with the Microsoft minecraft
edition but recently the java edition became available too without paying
again.
I have set up the bedrock server for the Microsoft minecraft edition to make
it possible to play with other people outside the house. So the most recent
request was to do this for the java edition too.
I don't know much about minecraft but I can do enough with just some
websearching and finding a howto. So I started with
How to Set Up a Dedicated Minecraft Server on Linux
which seems to be a way to try to sell dedicated servers but I have enough
server hardware here at home so I just used the same virtual machine which
ran the minecraft bedrock server.
It turned out the default-jdk resulted in openjdk-11 getting
installed and this resulted in not being able to run the latest minecraft java
server. I switched to openjdk-17-jre-headless because I only need
the runtime and I never want to run the graphical stuff, so that saved a lot
in needed libraries and other overhead.
The server started fine, but the minecraft java edition couldn't connect to it
when trying to connect by name, but gave no usable error message. That's a
different rant. I checked on the server side and saw the listening socket in
dual-stack mode.
With tcpdump I soon found out the minecraft java edition starts with
the IPv4 address and gives up when that fails. The solution was to remove the
IPv4 address (A record) from the name, flush the dns cache and after that it
worked. This does mean that when friends want to connect that are behind
ISPs that only support legacy Internet addresses they will have a different
problem.
There are always attacks in the logs, but this one caught my eye because
someone mentioned it, I saw it in logs and searching for a simple explanation
for what I saw gave no answers.
Those are the interesting ones. So here is the logline split into multiple
parts in an attempt to make it more readable:
Searching for timepro.cgi finds a2004ns-mod/timepro.cgi at master · hklcf/a2004ns-mod · GitHub
which seems to be compiled code:
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped.
Based on Honware: A virtual honeypot framework for capturing CPE and IoT zero days
my best guess is that requests to timepro.cgi attempt to reconfigure
a home router. And my next guess is that the attempt is to set the DNS resolvers
to 128.0.104.18 and 128.0.104.33. Further searching finds
another attempt from the same source IPv4 address which also looks a lot
like an attempt to reconfigure DNS settings:
The theory that this is an attempt to redirect DNS traffic is somewhat
confirmed by the fact that 128.0.104.18 indeed runs an open resolver
which will give me answers. For the few things I have tried those are valid
answers (no clear attempts to redirect traffic to other places). I get no
answers from 128.0.104.33 at the moment.
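To find this kind of request in your own logs, the added example below (not part of the original post) scans access-log lines for requests to the CGI named above that carry public IPv4 addresses in their query string. The log lines, the /cgi-bin/ path and the parameter names are constructed placeholders, and the allowlisted resolver is a hypothetical choice; only timepro.cgi and the two 128.0.104.x addresses come from the post.

```python
"""Flag web requests to a router CGI that carry public IPv4 addresses."""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

WATCHED_CGI = {"timepro.cgi"}       # CGI name taken from the post
TRUSTED_RESOLVERS = {"9.9.9.9"}     # hypothetical: resolvers you really use

# Common/combined access-log format: source, two fields, [time], "request", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed log lines. Source addresses are documentation ranges and the
# parameter names are placeholders, not the real parameters of any router.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2022:00:00:01 +0000] "GET /cgi-bin/timepro.cgi'
    '?paramA=1&resolver1=128.0.104.18&resolver2=128.0.104.33 HTTP/1.1" 404 162',
    '203.0.113.7 - - [01/Jan/2022:00:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2022:00:00:03 +0000] "GET /cgi-bin/timepro.cgi'
    '?paramA=1&host=192.168.0.1 HTTP/1.1" 404 162',
    '198.51.100.9 - - [01/Jan/2022:00:00:04 +0000] "GET /cgi-bin/timepro.cgi'
    '?resolver1=9.9.9.9 HTTP/1.1" 404 162',
]


def embedded_public_ips(target):
    """Public, non-allowlisted IPv4 addresses in the query of a watched CGI."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in WATCHED_CGI:
        return []
    found = []
    # Decode %XX and '+' first so encoded dots do not hide an address.
    for text in IPV4_RE.findall(unquote_plus(parts.query)):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        if addr.is_global and text not in TRUSTED_RESOLVERS and text not in found:
            found.append(text)
    return found


def dns_rewrite_attempts(lines):
    """Map each source address to the sorted addresses it tried to push."""
    hits = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ips = embedded_public_ips(match.group("target"))
        if ips:
            hits.setdefault(match.group("src"), set()).update(ips)
    return {src: sorted(ips) for src, ips in hits.items()}


if __name__ == "__main__":
    for src, ips in dns_rewrite_attempts(SAMPLE_LOG).items():
        print("%s tried to set: %s" % (src, ", ".join(ips)))
```

The addresses this reports are candidates to check against the DNS settings of any router you manage, and to block outbound on port 53.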
Update:
Searching for the string 128.0.104 finds more:
Since last Thursday the aprs server at aprs.pa4tw.nl is down. I
used that aprs server for the weather station and for the igate.
The change for the weather station was one word in a script, for the igate I
had to remember how to change this with the Arduino development environment set
up to support the esp32 board. The easiest way seemed to be from the computer,
but every time after the igate started the running process after the setup it
crashed and rebooted itself. I spent a lot of time looking for the answers,
added debug statements all over the code and ended up in the WiFi
initialization code as the place of crashing. And that was the hint, according
to
Crash when trying to connect to wifi - Issue #3935 - espressif/arduino-esp32
this is a sign of a power shortage.
This is purely my fault: the pi4raz igate design calls for an external power
supply feeding it.
The solution was to go back to the separate USB power supply and not use a
USB hub connected to the computer. Now the igate is started again and visible
on the APRS network: track PE4KH-10 on aprs.fi.
I wanted to use wapiti as scanner to check for other vulnerabilities in
The Virtual Bookcase after
receiving a report
about a cross-site scripting vulnerability. Wapiti is open source and
free, which is a fitting price for scanning a hobby project site.
I quickly ran into wapiti taking hours to scan because of the URL structure of
the site: all /book/detail/x/y URLs map to one handler that deals
with the X and Y parameters in SQL queries. Yes those queries are surrounded
by very defensive checking and I use positional parameters. Everything to
avoid SQL injection and becoming the next Little Bobby Tables.
Wapiti has no simple method that I can find to crawl for a list of URLs and
stop at that to allow for selecting the list of URLs to scan. But it has an
option to minimize crawling and import a list of additional URLs to scan so I
used that option to get at the same result.
Gathering URLs was done with wget:
After that I sorted the file with URLs and threw out a lot of them, making
sure all the scripts with several variants of input were still tested.
With that list I start wapiti with some special options. It still needs a
starting url at -u so I give it the root but I limit the crawling with
the depth parameter -d 1 and the max files parameter
--max-files-per-dir 50. Then I add the additional urls from the
earlier scan with the -s parameter. It's a lot of tweaking but it does
the trick.
No vulnerabilities were found. I found one PHP warning which only triggered
in the kind of corner case a web vulnerability scanner causes, or an
attacker. So I fixed that corner case too.
I received a responsible disclosure report of a vulnerability in
The Virtual Bookcase.
I will directly admit I haven't done a lot of maintenance on this site in the
past few years but I want to keep my sites secure.
The report came via openbugbounty.org and has no details about the
vulnerability, so I am not 100% sure where the reported vulnerability is. But
based on the report text XSS (Cross Site Scripting) and a peek in the
access-log looking for specific requests I found I made a beginner mistake in
dealing with a search query: displaying it as-is within an HTML context. I
immediately fixed that error in the site.
Now I wonder why it took so long for me to realize the error of my ways or for
someone to notice it!
Checking the logs some more finds huge amounts of attempts at SQL injection,
which is a vulnerability I am very aware of and where I put up standard
defenses. But this is the first time a security researcher made me aware of
the cross-site scripting vulnerability.
Update:
I contacted the reporter about the vulnerability who responded quickly
inquiring about the possible bounty for finding the bug. As this is a site
that hasn't delivered any income in years the best I can do is a mention
in the credits of the site or on a separate hall of fame.
Update:
I also started a vulnerability scanner on the site myself, to find any other
vulnerabilities I might have missed. This scanner is going through the
development site at the moment. Like many other scanners it doesn't see by
default how certain urls all map to the same PHP script.
I already committed a few minor updates to improve handling of corner cases
in not set variables and other things popping up in the scan.
Update 2022-09-23:
I realized the reporter has never responded with the actual bug information.
After digging into setting up radius and WPA Enterprise with an Asus WL300g accesspoint
the next step was to peek into the traffic on a client.
For that part I used a linux machine with a wired and wireless interface and
used tcpdump to try to capture the wireless authentication packets.
I configured /etc/network/interfaces
for wpa enterprise, based on the eduroam examples.
And this worked, starting the capture:
And I typed in another window 'ifup wlan0'. This resulted in a capture with
the right Extensible Authentication Protocol (EAP) packets included:
root@ritchie:~# tcpdump -nr wlanstart.pcap -v
reading from file wlanstart.pcap, link-type EN10MB (Ethernet)
16:47:39.658963 EAP packet (0) v2, len 5, Request (1), id 0, len 5
Type Identity (1)
16:47:39.660863 EAP packet (0) v1, len 25, Response (2), id 0, len 25
Type Identity (1), Identity: anonymous@idefix.net
16:47:39.662840 IP6 (hlim 1, next-header Options (0) payload length: 56) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff23:123 to_in, 0 source(s)] [gaddr ff02::1:ff84:afe0 to_ex, 0 source(s)]
16:47:39.668736 EAP packet (0) v2, len 6, Request (1), id 1, len 6
Type TTLS (21) TTLSv0 flags [Start bit] 0x20,
16:47:39.670420 EAP packet (0) v1, len 6, Response (2), id 1, len 6
Type Nak (3) unknown (25),
16:47:39.682125 EAP packet (0) v2, len 6, Request (1), id 2, len 6
Type unknown (25)
16:47:39.741150 EAP packet (0) v1, len 203, Response (2), id 2, len 203
Type unknown (25)
16:47:39.756343 EAP packet (0) v2, len 1004, Request (1), id 3, len 1004
Type unknown (25)
16:47:39.756598 EAP packet (0) v1, len 6, Response (2), id 3, len 6
Type unknown (25)
16:47:39.834920 EAP packet (0) v2, len 1000, Request (1), id 4, len 1000
Type unknown (25)
16:47:39.835159 EAP packet (0) v1, len 6, Response (2), id 4, len 6
Type unknown (25)
16:47:39.842070 EAP packet (0) v2, len 1000, Request (1), id 5, len 1000
Type unknown (25)
16:47:39.842318 EAP packet (0) v1, len 6, Response (2), id 5, len 6
Type unknown (25)
16:47:39.866174 EAP packet (0) v2, len 79, Request (1), id 6, len 79
Type unknown (25)
16:47:40.006260 EAP packet (0) v1, len 144, Response (2), id 6, len 144
Type unknown (25)
16:47:40.014338 EAP packet (0) v2, len 65, Request (1), id 7, len 65
Type unknown (25)
16:47:40.016467 EAP packet (0) v1, len 6, Response (2), id 7, len 6
Type unknown (25)
16:47:40.028765 EAP packet (0) v2, len 43, Request (1), id 8, len 43
Type unknown (25)
16:47:40.029290 EAP packet (0) v1, len 96, Response (2), id 8, len 96
Type unknown (25)
16:47:40.036381 EAP packet (0) v2, len 75, Request (1), id 9, len 75
Type unknown (25)
16:47:40.043383 EAP packet (0) v1, len 144, Response (2), id 9, len 144
Type unknown (25)
16:47:40.057720 EAP packet (0) v2, len 91, Request (1), id 10, len 91
Type unknown (25)
16:47:40.058739 EAP packet (0) v1, len 80, Response (2), id 10, len 80
Type unknown (25)
16:47:40.071176 EAP packet (0) v2, len 43, Request (1), id 11, len 43
Type unknown (25)
16:47:40.072087 EAP packet (0) v1, len 80, Response (2), id 11, len 80
Type unknown (25)
16:47:40.082689 EAP packet (0) v2, len 4, Success (3), id 11, len 4
16:47:40.082865 EAPOL key (3) v2, len 117
16:47:40.091607 EAPOL key (3) v1, len 117
16:47:40.107041 EAPOL key (3) v2, len 175
16:47:40.107839 EAPOL key (3) v1, len 95
At the same time I captured the radius traffic. Now time to correlate those
two traffic streams in wireshark.
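tcpdump prints "unknown (25)" in the capture above; EAP method type 25 is PEAP, so the client refused the offered TTLS with a Nak and asked for PEAP instead. The added example below (not part of the original post) decodes the EAP header as defined in RFC 3748. The packet bytes are rebuilt from the code, id, length and type values tcpdump printed, and the type 25 packets are left out because their payload is not shown on this page.

```python
"""Decode EAP headers (RFC 3748) from raw bytes."""
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
         13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}  # these put an L/M/S flag byte right after the type

# Rebuilt from the header values in the tcpdump output, not raw capture data.
TRACE = [
    bytes.fromhex("0100000501"),                              # Request id 0, Identity
    bytes.fromhex("0200001901") + b"anonymous@idefix.net",    # Response id 0, Identity
    bytes.fromhex("010100061520"),                            # Request id 1, TTLS, Start
    bytes.fromhex("020100060319"),                            # Response id 1, Nak, wants 25
    bytes.fromhex("030b0004"),                                # Success id 11
]


def type_name(value):
    return TYPES.get(value, "unknown (%d)" % value)


def decode_eap(packet):
    """Return a dict describing one EAP packet; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length %d does not fit %d captured bytes"
                         % (length, len(packet)))
    info = {"code": CODES.get(code, "unknown (%d)" % code),
            "id": ident, "length": length}
    if code not in (1, 2):
        return info  # Success and Failure carry no type field
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    eap_type, data = packet[4], packet[5:length]
    info["type"] = type_name(eap_type)
    if eap_type == 1 and code == 2:
        # The outer identity travels in clear text, before any TLS tunnel.
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:
        info["desired"] = [type_name(t) for t in data]
    elif eap_type in TLS_BASED and data:
        info["length_included"] = bool(data[0] & 0x80)
        info["more_fragments"] = bool(data[0] & 0x40)
        info["start"] = bool(data[0] & 0x20)
    return info


def summarize(packets):
    """Outer identity, method negotiation and result of one EAP conversation."""
    summary = {"outer_identity": None, "server_offered": [],
               "client_requested": [], "result": None}
    for raw in packets:
        pkt = decode_eap(raw)
        if "identity" in pkt:
            summary["outer_identity"] = pkt["identity"]
        elif pkt["code"] == "Request" and pkt.get("start"):
            summary["server_offered"].append(pkt["type"])
        elif "desired" in pkt:
            summary["client_requested"] += pkt["desired"]
        elif pkt["code"] in ("Success", "Failure"):
            summary["result"] = pkt["code"]
    return summary


if __name__ == "__main__":
    for raw in TRACE:
        print(decode_eap(raw))
    print(summarize(TRACE))
```

The decoded identity shows why an anonymous outer identity is used: it is readable by anyone who can capture the exchange.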
For work I am looking into how Wi-Fi Protected Access (WPA) actually works down to the byte level, to be able to explain
what actually happens and where the security strengths and weaknesses are.
To set this up I need a separation between the access-point and the
authentication server. I dug up an old Asus WL300g access-point and looked at
FreeRADIUS as authentication,
authorization and auditing (AAA) server. I followed the A very basic (but functional) eduroam configuration - FreeRADIUS wiki
guide to get to a working setup, but with different passwords.
Getting the access-point to talk to a radius server took a bit of searching
and trying: I assumed that "802.1x" which is extended to "Radius with 802.1x"
was the right mode to use a radius server in the background, but it turned out
this didn't do what I want. I saw no communication with the radius server and
I didn't see the SSID advertised.
The right mode is "WPA" and things started to work that way. It still needs a
few settings to talk to the radius server: IP address, port and shared secret.
I chose to go the 'eduroam' way because that is what I am used to from work.
This does mean I had to set a home domain idefix.net for
authentication. With eduroam I also get Extensible Authentication Protocol
(EAP) extensions to handle the real user data. The result is an
outer authentication layer visible to the first radius server in the path
and an inner authentication layer only visible to the final radius server in
the path. Although both the outer and the inner authentication servers run
on the same freeradius server they are separate configurations with a trust
relation between them.
The traffic to the inner authentication server is wrapped in TLS and needs a
certificate. I used LetsEncrypt to generate a trusted certificate. I noticed
I am at a point where generating a valid LetsEncrypt certificate was easier
for me than fiddling with self-signed certificates. So I could set up my
phone to require a valid certificate for radius.idefix.net.
All of this worked and I had a WPA Enterprise connection with the access-point
and a lot of debug logging in freeradius.
My next plan is to find some computer with a network card where I can run
wpa_supplicant while at the same time grabbing all the raw 802.11
frames and analyzing/understanding the traffic. I will also look at the
radius traffic between access-point and outer radius server, and the radius
traffic between outer and inner radius server.
Summertime is also time for some extortion scamming... this one just in:
Hi. How are you?
I know, it’s unpleasant to start the conversation with bad news, but I have no choice.
Few months ago, I have gained access to your devices that used by you for internet browsing.
Afterwards, I could track down all your internet activities.
Here is the history of how it could become possible:
At first, I purchased from hackers the access to multiple email accounts (nowadays, it is a really simple thing to do online).
As result, I could easily log in to your email account
One week later, I installed Trojan virus in Operating Systems of all devices of yours, which you use to open email.
Frankly speaking, it was rather straightforward (since you were opening the links from your inbox emails).
Everything ingenious is quite simple. (o_0)!
..
Here is my bitcoin wallet provided below: bc1q82tvkvmzjzyqf60guqpxhcn2tuapqup35a9ldr
You should complete the abovementioned transfer within 48 hours (2 days) after opening this email.
The following list contains actions you should avoid attempting:
#Do not try calling police as well as other security forces. In addition, abstain from sharing this story with your friends.
After I find out (be sure, I can easily do that, given that I keep complete control of all your devices) – your kinky video will end up being available to public right away.
#Do not try searching for me – there is absolutely no reason to do that. Moreover, all transactions in cryptocurrency are always anonymous.
#Do not try reinstalling the OS on your devices or throwing them away. It is pointless as well, since all your videos have already been uploaded to remote servers.
Someone reported to me that my PGP key had expired and asked whether I was
still using it or had given up on PGP/GPG.
I have an expiry date on my key, but I do update it from time to time when
expiry nears. I now notice just doing a gpg --refresh doesn't update
the expiry moment. The solution is to hard fetch the key. In the case of my
home pgp key:
This updates the expiry date(s) and the uids. If you have my key and it looks
expired and/or still has an old e-mail address with kzdoos in it
please do this now. Complete data at pgp.surf.nl: Search results for '0x5BA9368BE6F334E4'
where you can see all the details including the revoked bits. Those revoked
bits won't show up in normal use.
I know gpg and other pgp related software has to be designed to be really
really secure up to the last bit, but some attention to user-friendliness
could be a good idea if it's possible to confuse even experienced pgp users.
After I visited earlier Dutch hacker events HEU, HIP97, HAL2001, WTH2005 I
missed HAR2009, OHM2013 and SHA2017. I can only say 'life happened' because my
son was born in the interim and my interests changed.
In the beginning of this year I heard about the new planning for May Contain
Hackers as the original plan was for 2021 and it was postponed due to covid-19.
I started thinking about attending and when the opportunity to get a free
ticket arose due to my links with Surf I got serious.
Life is still happening so I coordinated with the rest of the family whether
I could be missed at home and for how long. The result was that I would go
Friday evening until Tuesday afternoon and I would go there by recumbent
bicycle with the luggage trailer so the rest of the family could use the car.
The people from Surf set up our own village Village:SMRF
next to Village:OS3.
I slept in my own tent because I really want my rest at night and I want that
rest at a somewhat normal schedule (not really a hacker schedule). I brought a
1-person tent, a sleeping bag, clothes, gear to make breakfast with tea and
coffee, a smartphone with charger and a handheld radio with charger. Having to
move all my luggage myself on the recumbent bicycle made me very selective in
what to bring.
Aerial picture of MCH2022, links to larger version
I went to several talks, spoke to a number of well-known people, got to know new
ones, saw people there I didn't expect and had a good time.
What I really enjoyed was the friendly atmosphere. One aspect of that caught my
attention: besides people with non-traditional clothing and hairstyles I saw
several people who looked like they were somewhere in a gender transitioning
process. They felt free at MCH to be themselves. One person responded to me
when I shared this observation: "I saw more LGBT flags here than at Pride in
Amsterdam".
Also MCH was really non-commercial. Mentions of the sponsors were minimal and
never in-your-face.
The weather cooperated a lot! It might have been quite different with bad
weather. There was some rain before Friday so I saw mentions of "Mud Contains
Hackers" on twitter. Saturday and Sunday were hot, Monday was cooler. Tuesday
started with rain and some more showers, so my tent wasn't completely dry
when I packed.
Cycling the 45 kilometers was fine. I used google maps for navigation (but with
the smartphone not visible, just the instructions on my earbuds). I had to stop
several times to check the screen to check the instructions and sometimes
google came up with weird things. I had it set up for cycle navigation but it
still said to take three-quarters of a roundabout to go left while the
roundabout allowed me to go from one cycling path on the left of the road to
the other. It took me about 2 hours 45 minutes including stops for navigating
and stops for drinking, eating and adding some water to nearby trees.
All in all I had a great time. I had my moment of "I am getting too old for
this" but that faded and I really enjoyed myself.
List of talks I attended, with links to the place to view it online:
My todo-list for hobby projects has had an entry 'redo maps in sites using
leaflet' for a while and on an otherwise calm evening I got around to it.
The first thing to upgrade was the
recent contact map for PE4KH
which shows an overview of places where I had the last 150 contacts plotted
on a map, with some details per contact.
I'm not good at javascript programming at all so I just look for examples that
come close to what I want and I adjust them until they do what I want.
Luckily I found some good geojson examples and I managed to get the points on
the map. After a bit of massaging, trying and reading I managed to add the
popup with the location. The next and harder bit was adding default and
non-default icons. Eventually I got my brain wrapped around the bits needed
for that too. After that the test version got deployed to production and you
can look at it now.
Documentation and code snippets used:
The main reasons for switching to leaflet are that google maps was limiting
free access to maps although they seem to have mostly reverted this plan and I
wanted to promote openstreetmap.
The general conclusion is that sites with maps do need regular maintenance, if
hosted leaflet goes away or stops this version, if the rules for using hosted
openstreetmap tiles change or if something else happens I have to adapt the
site, maybe even quite fast.
The last few days the VDSL was unstable again part of the time, sometimes
dropping the connection every 5 minutes. The cable between the ISRA point and
the modem is the suspect at this moment.
The standard solution would of course be to shorten that cable, but
unfortunately the ISRA point is in the crawl space and I really don't want my
VDSL modem there. So about 4 meters of cable is needed from the ISRA point to
the meter cupboard. At some point I took the brown wire pair of a CAT5E cable
for this, because I had read somewhere that the twist of that pair comes
closest to telephone cable. This cable suffers somewhat from oxidation; I
already cut a piece off earlier because of advanced oxidation.
Maybe the entire cable should be replaced with a real KPN telephone cable.
For a test I once briefly used a flat cable without twists, but that lowered
the upload speed.
As a temporary solution I configured the draytek vigor 130 to use extra
'SNR margin' with vdsl snr 10.
Updates 2022-07-18:
The instability continued today, and when we try to work from home that gets
very irritating very quickly. A temporary different cable between the ISRA
point and the modem gave no improvement either, so around lunch I called the
internet provider Freedom Internet. As the next step they suggested upgrading
the firmware of the modem (there was indeed a newer version) and doing another
factory reset. On a draytek Vigor 130 the latter is fairly easy: upload a
firmware with the .rst extension.
Unfortunately the Draytek modem recovery procedure
was needed once again after the first upgrade via the web interface. And it
took a while before I realized I was forgetting the important word binary in
that procedure, and that did not give me a modem that started. Eventually it
worked and on we went...
But after a further set of interruptions it was clear that it hadn't improved
and I called Freedom Internet back. After a lot of consultation, looking
things up and discussion with colleagues the next step was that a technician
from KPN Wholesale Broadband Access is now going to come. First option on
Thursday 21 July.
Updates 2022-07-21:
The KPN technician measured extensively and replaced the ISRA point because
the wires in the ISRA point had not been inserted ideally. The technician
tried to move the ISRA point to the meter cupboard but unfortunately the
ground cable is just too short for that. After the replacement the technician
looked extensively at all the line statistics and saw that DLM is not enabled
on this line while he expected it to be, but that can be a choice of the
provider.
One of the things the technician still wondered about was when fiber would
come to this address. I regularly wonder about that too, but I hear nothing
about plans. Open Dutch Fiber is working on the other side of the railway in
Tuindorp. But none of the fiber providers says anything about future plans
until there is an actual project to connect a certain neighborhood.
Updates 2022-07-22:
The next morning it turns out there are similar interruptions again after all.
Freedom proactively mailed that they also saw the problems from their side.
One option is still to try it with a different modem.
Updates 2022-07-28:
Back from MCH2022 it turns out everything has been stable and without
interruptions since the evening of 22 July. The error counters have stood
still since the 25th. Only now that I am active on the radio myself is there a
short interruption again.
Friday I had the day off and a plan together with Kees PA5Z to visit the
location Trintelhaven again, just like we visited the location Trintelhaven in the summer of 2019.
This time the plan was to test some different antennas and make morse contacts.
Driving there wasn't too big of a problem although you really have to use
navigation to get through Lelystad, it's like through-traffic from the main
highway (A6) to Enkhuizen isn't really promoted.
We got there fine, looked for a nice spot, found all the work machines we saw
on the previous visit gone so there was a nice spot again. We selected a
secluded field not too close to someone working on a boat, far away from
everything else.
Endfed antenna set up at Trintelhaven
We set up my endfed antenna with one end up in the trees and the other end
supported by a metal pole. On testing this antenna worked fine again. I redid
all the soldered connections in it after it failed me a few weeks ago.
I called CQ in the 20 meter band in a spot where one can usually find slow
morse and got some contacts with nice people in the log. One with SM6RWJ in Sweden, one with
WB2YVY Kurt in
the state of New York in the US and one with LA9FG Nol in Norway near Aalesund.
Kees PA5Z and Koos PE4KH behind the radio
Kees also made some contacts. His nicest contact was with SK6SAQ the amateur radio station at the
World Heritage Grimeton radio station. After a few morse contacts the radio
Kees brought stopped working, it switched off and restarted when trying to
transmit morse. It wasn't very clear what caused this.
As planned we took turns on the antenna sending morse, while both listening for
answers and writing down the callsigns and the replies that came, including
first names and weather reports: it was cloudy in Norway.
A nice day out. Sending standard messages and writing down what was coming back
is getting easier after all our morse training!
I created a flickr album Iceland 2022 - Our trip to Iceland in April/May 2022
and linking to the pictures from the right report was still kind of hard
because it's a complicated bit of html with repetitions and chances of errors.
The solution: make the computer help me. The flickr API allows me to fetch
data about an album and about the pictures in that album, so I spent an
evening writing some perl to get links to all the pictures in the album with
thumbnails.
Now most days of Complete reports of our trip to Iceland
have been enhanced with pictures.
This weekend was the IARU HF World Championship
contest and I participated after fully planning this in advance. I made sure my
contest logger was set up and communicating with the remote radio and its morse
keyer in advance.
I participated on the 10, 15 and 20 meter bands. The original plan was to
also include 40 and maybe 80 but there was enough to contact on 10 and 15 on
Saturday evening, so I only got around to the 20 meter band on Sunday.
In total 182 contacts: 20 in SSB (speech) and 162 in CW (morse).
I managed to make a few contacts outside Europe, not a lot of real DX.
Calculation when entering the log: Raw Score: 453 Qpts x 73 Mults = 33,069 (181 QSOs)
so there is a difference in opinion between TLF and the ARRL contest website.
The difference in number of contacts is due to one duplicate. The difference in
Qpts (QSO points) is due to a difference in the scoring rules. As the ARRL
contest website is up to date with the current rules I think they are right and
I need to have a look at the TLF ruleset.
Hearing and understanding the morse went ok, I don't think I have a high
number of errors.
The logic analyzer circuit I ordered
came in today with the test leads. Both the circuit and the test leads have
pins so I need something to connect those two. So the crate with PC cables was
ransacked and a floppy drive cable is now connecting the logic analyzer and the
test leads.
The logic analyzer shows up in linux as usb device:
Bus 002 Device 008: ID 1d50:608c OpenMoko, Inc. Fx2lafw
Finding software was quite easy: pulseview indeed works out of the box,
complete with support for this logic analyzer.
I had a look around for something to analyze and finally settled on the
ESP32 based NTP clock
because that's still on a breadboard and signals are available. I can see
the bits flowing between the ESP32 microcontroller and the display module.
I'm still seeing some bits come in on unconnected test leads so I'm not sure
I am doing everything right. But it's a start!
Checking the UPS statistics showed me the battery charge was dropping to about
7 % of the capacity while the mains power was available. Since the battery was
over 5 years old I ordered a new one to replace it.
This battery was scheduled to arrive Wednesday at the start of the afternoon
and I wanted to do an upgrade of the Linux distribution on the
main homeserver conway
anyway because devuan ascii is already 'oldoldstable' (but still getting
updates).
The homeserver uses 2 disks with the main lvm volume in a raid-1. The
/boot and /boot/efi filesystems are mirrored by hand with
the idea to end with a working boot even when 1 disk is missing.
After the shutdown and replacing the UPS battery I switched the server on
again and I was greeted by a grub prompt and nothing to boot. After a few
tries I got the system booting again, after that I went searching for what
went wrong. Eventually I found out the file /boot/efi/EFI/devuan/grub.cfg
pointed at a missing filesystem. I found out the best way to fix this is with
# dpkg-reconfigure grub-efi-amd64
both with /dev/sda and /dev/sdb filesystems on /boot
and /boot/efi.
For the first time in years I was staying in a hotel again for one night.
The key for the hotel was a credit-card-sized plastic card so I assumed
immediately it was an RFID based card.
Years ago I would have needed my linux laptop and the touchatag NFC reader
to understand more about the keycard, but we're in some form of the future now,
so I used NFC taginfo by NXP
on my phone and held the keycard up to the phone.
The taginfo app made the happy noise and told me it was an NXP mifare classic
card. The app even told me most sectors had a default key of
FF:FF:FF:FF:FF:FF. One sector was not accessible due to a different
key but with mfoc (Mifare Classic offline cracker) or one of the other attacks
on the Mifare classic I could probably get access to that sector.
So in theory with something like the proxmark I could clone keycards of other
visitors. Or clone the keycard of the cleaning crew which gives a lot more
access.
Update:
A bit of searching finds this: Researchers Find Way to Create Master Keys to Hotels - F-Secure Blog.
I don't know if the lock I looked at is the same system as the system in this
article.
The rain barrel we had in the back garden for years started leaking at some
point, presumably because the water in it froze. Since then I empty rain
barrels somewhere in October and disconnect the inlet, and in March I
reconnect the inlet. But the result of the leak was also that there was always
a very damp corner in the back garden.
Because of the good experiences with the rain barrel at the front of the house
and the consequences of the regular leakage I wanted to replace the one at the
back too. There is room for a bigger rain barrel in that spot, so the choice
eventually fell on a
225 liter green rain barrel Big Storm - voertonnen.nl
with a Harcostar automatic filler.
So again from voertonnen.nl because I am quite pleased with what they
offer.
After installation it was a matter of waiting for rain. It took a few showers
before the barrel was reasonably full, because the part of the roof this rain
barrel is connected to is not that large. But now we can water the garden from
the rain barrel again. And water the indoor plants with rainwater.
The ultimate goal: less rainwater in the sewer and less use of drinking water
in the garden. It works: since we have had the rain barrel at the front, the
tap at the front has not been used anymore.
Addition:
In the meantime it has become clear that a base that is too small for a rain
barrel does not work. The rain barrel was set up on a stack of tiles and stuck
out over it on all sides. After the barrel had filled completely with water
(so about 225 liters) it started to lean and at a certain moment the barrel
toppled over and 200 liters of water flowed through the garden. After that
there was a dent in the bottom of the barrel with the clear imprint of a
corner of a tile. The dent was pushed back right away. There is now a board
under it that supports the entire bottom.
Today I'm seeing bounces of bitcoin scam mail, with about the same text as in
the bitcoin extortion scam of about a week ago, but with a different bitcoin wallet.
In the body of the mail the claim is that the criminal hacked the mailbox of
the victim and can now send as the victim, but this criminal decided to 'get
even' with me at the same time and contradict himself by setting the sender
address to my e-mail address.
So I'm now browsing the bounces and see the bitcoin wallet for this scam is
1Mjt2xobFExdZBGfjTVDcgzJWQxRxoHBdA
which hasn't scammed anyone yet.
As always: don't fall for these scams.
Earlier items about bitcoin extortion scams:
Earlier, earlier, earlier, earlier, earlier, earlier, earlier, earlier, earlier
(although I think bitcoin is generally a really bad idea and a huge scam)
Recently I realized I quite enjoy stories and videos of travel. As we had
our own travel adventure a month ago I decided to write about it extensively
as the memory was still fresh and I wanted to mentally relive that trip and
get some experience in writing about my travels.
With some help of the pictures, the list of hotel reservations and checking
the maps there is now a complete set of stories of this holiday. I backdated
the stories to the days they happened which was for me the logical choice.
The reports per day:
In general this was a really good vacation. Iceland has the kind of raw
nature and geology I enjoy visiting. The people are really friendly and
helpful. Compared to our earlier visits it is clear Iceland is more prepared
for visiting tourists without turning into a tourist trap.
Iceland has turned even more cashless than in earlier visits. With a credit
card and a debit card you can pay almost everything, even contactless
international payments work. We saw a problem with paying with Android pay
after a few days so we stopped doing that.
Mobile phone and mobile data coverage is near-perfect along the roads. It's
probably a good idea to not rely on mobile phone when you go on inland hiking
trails but as long as you are sticking to paved and gravel roads there is
lots of coverage.
The first pictures have been integrated, for some days I need to copy more
pictures from the camera to flickr to add these to the collection.
I hadn't seen these in my inbox in English for a while, but here we go again.
Hi! You can consider this message as the last warning. We've hacked your
system!
This information can destroy your reputation once and for all in a matter in
minutes. You have the opportunity to prevent irreversible consequences. To do
so you need to:
Transfer 1200 USD (US dollars) to our Bitcoin wallet.
Don't know how to make a transfer? Enter "Buy Bitcoin" into the search box.
Our Bitcoin wallet (BTC Wallet): bc1q4r05c7wdazh87ty9x9968e2r90w72rhtq5jl43
After you make the payment, your video and audio recordings will be
completely destroyed and you can be 100% sure that we won't bother you
again. You have time to think about it and make the transfer - 50 hours!
As always: don't fall for these scams.
Earlier items about bitcoin extortion scams:
Earlier, earlier, earlier, earlier, earlier, earlier, earlier, earlier
(although I think bitcoin is generally a really bad idea and a huge scam)
I saw an upgrade of Grafana available, which turned out to be 9.0.0.
When upgrading to 9.0.0 I get...
An unexpected error happened
TypeError: Object(...) is not a function
t@[..]public/plugins/grafana-clock-panel/module.js:2:15615
WithTheme(undefined)
So maybe the grafana-clock-panel plugin isn't compatible with 9.0.0 somehow.
Downgrading to 8.5.6 and reloading everything makes it work again.
Update:
I checked the grafana-clock-panel plugin and noticed it hadn't been updated.
So I did that update and retried grafana 9.0.0, and that made everything run
smoothly again.
----- Transcript of session follows -----
... while talking to outlook-com.olc.protection.outlook.com.:
>>> MAIL From:<***** .at. idefix.net> SIZE=2035 BODY=7BIT
<<< 550 5.7.1 Unfortunately, messages from [45.83.232.134] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [BN8NAM11FT026.eop-nam11.prod.protection.outlook.com]
554 5.0.0 Service unavailable
Aaargh. I thought it wasn't broken anymore. Utterly unreliable stuff at
Microsoft.
And I'm back to having to use SMS to explain to very non-technical people
why their mail isn't getting through: because they are using outlook.com.
Update 2022-06-13
As a workaround I am now using SMTP2GO
to send mail to outlook.com and hotmail.com. SMTP2GO does
interesting things (even in a free account) to get the mail delivered and keep
their mail 'reputation' in the plus.
I hate having to use such a service to get my mail delivered but this is one of
those signs that Internet e-mail has been demolished by spammers.
Today the updated registration documents and card arrived with the much
wanted "CW included". I passed the exam on 18 April 2022 and
informed Agentschap Telecom on Tuesday 19 April 2022 about passing the morse test.
In the autoreply from Agentschap Telecom there was a remark that changes in
existing certificates or registrations can take up to 8 weeks to process. At
almost 7 weeks they lived up to their promise.
One of the subject areas I'm interested in at work is hardware security and
hardware hacking. After doing things with rfid earlier I'm now looking at
low-level electric interfaces. With the earlier hardware challenges in
CTF contests in HackTheBox Cyber Apocalypse CTF 2022 - Intergalactic Chase
and The HackTheBox & CryptoHack Cyber Apocalypse 2021
I got interested in logic analyzers. Those sounded expensive (but I never
actually checked).
And then I read this bit: I recently got this 8ch cheap USB-C logic analyzer from AliExpress
and the price shown is 5.42 US dollar. That's really cheap!
For that price I can buy one and not be too disappointed when it blows up or
fails to give me the joy I hope. So, ordered: one 8 channel logic analyzer and
a set of test leads so I can actually clip this to a circuit. The price for
me for the logic analyzer circuit is EUR 6.78 including delivery and taxes.
For software I learned about PulseView.
This hardware has limitations, but for simple decoding of hardware protocols
this is a nice start.
Recently I tried to contact someone with an outlook.com address and
it went fine. So it seems the
really annoying block I ran into earlier
is gone. I still get enough spam from/via outlook.com so I'm still not
convinced the spamfiltering at outlook is working very well but that's a
different rant. The incoming block is now gone.
I'm currently also doing some contacts with a special event station call and
I wanted to separate the wsjt-x history for my normal call from the history
for the special event station call, just like I split the log databases in
CQRLOG.
For the non-amateurradio persons: I have my own callsign,
PE4KH which is linked to me. It is also possible
to have one extra temporary callsign. Those are usually linked to an event or
some other reason for a 'special' callsign. Temporary callsigns in the
Netherlands have either the digit 6 or more than one digit.
There is an option for multiple profiles in wsjt-x but those are just for the
settings (including callsign) but not for the logging location. This means all
different profiles share the same history and will show the same countries as
'new' or 'already contacted'.
When I was looking at the options for starting wsjt-x with different
settings I noticed the
-r --rig-name <rig-name> Where <rig-name> is for multi-instance support.
option in the help. With this option, all the logging is in
~/.local/share/WSJT-X - <rig-name>/ which is what I want.
The next challenge is to start wsjt-x with the extra commandline parameter
from CQRLOG. It seems the 'path to wsjt-x' setting doesn't accept commandline
parameters. So I created a script ~/bin/ses-wsjtx with:
#!/bin/sh
/usr/bin/wsjtx -r ses
Changed the 'path to wsjt-x' setting to /home/koos/bin/ses-wsjtx
and now I get what I want.
Grolsch is one of my choices for 'standard' Pilsener beer. So I keep an eye
for the available special beers. This time I saw Grolsch Puur Weizen
available and decided to give it a try.
It's a slightly hoppy taste, and I can appreciate this. Nothing too strong in
the taste. Grolsch follows the German Weizen style including the
Reinheitsgebot. This beer does taste slightly different from what I would
expect from a German Weizen. Grolsch themselves name it clove, I agree to
the taste going in that direction. I wouldn't expect that in a German Weizen.
With a team of people from work we participated in this year's HackTheBox
Cyber Apocalypse CTF 2022. And while my teammates managed to solve several
challenges, some of them with some thinking from me, I personally solved zero
challenges. Which was a bit disappointing.
I was especially interested in the hardware hacking challenges because that
is a subject I am quite interested in.
Hardware / Space pulses
This challenge had a .sal file. After I learned about Saleae Logic Analyzer in the 2021 HackTheBox Cyber Apocalypse
I opened the file in this logic analyzer and started trying to find out what
I was looking at.
It was a one-channel digital signal. It turned out to have a variable duty
cycle, with complete cycles being 255 and a bit milliseconds. I noticed the
maximum duty cycle was somewhat less than 50%.
I spent a lot of time trying to decode this, mostly thinking in the direction
of it being a pulse width encoded signal with probably 4 bits of information
per cycle to get 54 characters which seemed reasonable for a flag. But with
the assumption that the smallest pulse is the representation of 0000
and the widest pulse is the representation of 1111 I could not get
valid data from it, and it was nowhere near decoding a flag. I was sure I
was overthinking it somewhere, but couldn't find out where.
A while after the CTF I read [Writeup] Cyber Apocalypse 2022 — Space Pulse [Hardware]
and I obviously made a big "D'Oh!" sound as I was getting to the solution,
but indeed overthinking it.
Hardware / Secret Codes
With this challenge I also downloaded a .sal file with two signals: a digital
one and an analog one. The digital one stops after the first 'databurst' while
the analog one is clearly the 'unpolished' version of the digital signal.
I first tried to decode the digital signal as an async serial signal and found
nothing. I also tried manchester encoding and also found nothing. Staring
and pondering never fixed this.
I found a writeup at HTB 2022 Cyber Apocalypse CTF - Hardware - Secret Codes
which made me go "D'Oh!" again: it was manchester encoding. BUT (big but)
Manchester encoding has 2 changes per bit and I left the bitrate at the same
as for the async serial decoder.
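The bit-rate pitfall described above, as an added example that is not from the post or the linked writeup: a constructed Manchester capture is decoded once with the bit period set to the shortest pulse (the value that would suit an async serial decoder) and once with twice that. The payload, the sample rate, the IEEE 802.3 polarity (1 = low-to-high), MSB-first bytes and a capture that starts on a bit boundary are all assumptions of the example.

```python
def manchester_encode(data, samples_per_half):
    """Constructed capture: each bit becomes two half-bit levels.

    Assumed convention (IEEE 802.3): 1 = low then high, 0 = high then low.
    """
    out = []
    for byte in data:
        for i in range(7, -1, -1):          # MSB first (assumption)
            bit = (byte >> i) & 1
            halves = (0, 1) if bit else (1, 0)
            for level in halves:
                out.extend([level] * samples_per_half)
    return out


def shortest_pulse(samples):
    """Length in samples of the shortest run of equal levels.

    The first and last runs are skipped because a real capture usually
    starts and stops in the middle of a pulse.
    """
    runs, count = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    inner = runs[1:-1] or runs
    return min(inner)


def decode_manchester(samples, samples_per_bit):
    """Sample the middle of both halves of every bit period.

    Returns (decoded bytes, number of bit periods without a mid-bit
    transition). A Manchester bit always has a transition in the middle,
    so a high count means the bit period or the alignment is wrong.
    """
    half = samples_per_bit / 2
    bits, invalid = [], 0
    for n in range(len(samples) // samples_per_bit):
        start = n * samples_per_bit
        first = samples[int(start + half / 2)]
        second = samples[int(start + half + half / 2)]
        if first == second:
            invalid += 1
            bits.append(0)                  # placeholder for an invalid symbol
        else:
            bits.append(1 if second else 0)  # low->high decodes as 1
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out), invalid


if __name__ == "__main__":
    capture = manchester_encode(b"PE4KH", 10)   # constructed payload
    pulse = shortest_pulse(capture)
    # Wrong: bit period = shortest pulse, as for async serial.
    print("period = pulse    :", decode_manchester(capture, pulse))
    # Right: the shortest pulse is half a bit, so the bit period is twice that.
    print("period = 2 x pulse:", decode_manchester(capture, 2 * pulse))
```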
Last weekend was the CQ World Wide WPX Contest CW
organized by CQ Amateur Radio magazine. The term 'WPX' stands for 'Worked All Prefixes'.
The objective of this contest is to get contacts and exchange information
with as many different other radio amateurs using morse code. Points are
awarded for each contact, based on which amateur band and whether they are
in the same or different continents. Multipliers are calculated from the number
of different prefixes contacted. The prefix of my callsign PE4KH
is PE4 which is a different prefix from for example PE3.
This is a 48-hour contest.
A good reason for me to participate was to practise my morse in contesting
skills. Those skills still need work as I had trouble understanding the
serial numbers. But with a bit of asking for a retransmission or guessing from
the previous/next serial it sort of worked out for me. I felt like I had a lot
more trouble understanding the serial numbers compared to a week ago in the
King of Spain CW contest.
I guess my call PE4KH is now in the list(s) of
regular contest calls. When my callsign is repeated completely, it's never a
PE4KS. In morse, an H is four dots (....) and an
S is three dots (...). In the first few contests I had to
correct PE4KS a few times, or ended in the log with the wrong call, so this
feels to me like my call is now more familiar.
I got 102 contacts in the log. I operated Saturday afternoon and parts of the
evening, and late Sunday evening, wrapped around things like sleeping and
other things in the weekend. I got one new country in the log: Mongolia.
And I made my first morse contacts to Japan, China and Malta.
The score table:
Since I have been learning morse code and passed the morse exam
I notice I get more enjoyment out of contacts in morse code than out of
contacts in digital modes. In digital modes (FT8) it is the computer doing
hard work decoding and there isn't much variation, in morse I do the decoding
and contacts can be from very simple confirmations of callsigns to longer
chats about things.
This also means I like chances to make morse contacts. One of the simple ways
to make more morse contacts is to get involved in an amateur radio contest
with morse. Last weekend was the His Majesty The King of Spain CW Contest
and I participated. Before the contest I tried to build a contest scoring file
for TLF Linux contest software.
During the contest I found out the file wasn't correct as the score wasn't
calculated correctly but I will debug that later.
I participated Saturday evening and I made 41 contacts: 37 on the 20 meter
band, 3 on the 10 meter band and 1 on the 40 meter band.
That's 41 in total, which is not a lot: the minimum number to get a digital
certificate in PDF format is 50 or 100 contacts. But I'm not doing this to
win anything, I'm doing this to get more experience in morse and morse
contesting.
I still have trouble decoding morse at 'contest speed' so I use a morse decoder
on the computer. There are moments it's a lot better at decoding a callsign at
speed than I am, but sometimes I decode a serial number better than the
computer does.
This also means I do all of this in 'search and pounce' mode, where I look for
stations calling CQ TEST at a signal quality where I can decode the callsign
with help from the computer, and I can hear whether they get my callsign
correctly.
Since Thursday morning the VDSL connection has dropped a number of times. This
became very noticeable on Friday because we were working from home then, and in
the middle of a video meeting it is very noticeable when the Internet
connection drops, even if only very briefly.
For a moment I thought it was the weather, but the outages started before
the weather got really bad on Thursday afternoon and Friday afternoon.
Since very early on Sunday it has been stable again, so the problem seems to
have resolved itself.
All the settings to get the connection started again as quickly as possible
do work, the interruptions are fairly short.
Update 2022-05-23:
The outages are back, after a heavy rain shower. This predicts annoying
problems.
Update 2022-05-30:
On Saturday the connection dropped about every 5 minutes. That resulted in an
unusable situation. I started by checking the cable between the ISRA point
and the VDSL modem and pushed it into the RJ11 socket again on both ends.
After that it was a lot better, there are now only a few interruptions per
day. But of course I want a connection that stays stable for weeks.
Early this afternoon an area with rain showers and thunderstorms passed over
and I really saw that in the production of the solar panels. It also got so
dark at that moment that I turned the lights on. But the solar panels switched
back from production to sleep mode, which they normally only do after sunset.
What I also noticed is that the mains frequency dipped during this period, as
if generation on the grid also briefly had trouble with the sun disappearing
during the day.
The funny thing was that I had programmed the dishwasher with the idea that it
would run on energy generated by the solar panels; because of these clouds and
rain showers that plan did not work out. The two peaks in energy use of the
dishwasher coincided exactly with dark periods.
Today when I had time to use the radio I noticed the 10 meter band was open.
I had some nice contacts and saw II3WRTC
on 10 meter FT8 and made the contact. II3WRTC is one of the
WRTC 2022 Award
stations and before today I had a lot of those in the log but none on the
10 meter band.
I changed this quickly with II3WRTC
on 10 meter SSB too, II9WRTC
on 10 meter CW and II3WRTC on 10 meter RTTY.
In my time at Utrecht University computer science I wrote a script to search
Cisco switches for a given ethernet address and respond with the port. This
could be used to trace things on the network, which helped on incidents in
progress.
This script was based on the typical things Cisco switches do with vlan CAM
table lookups and the best implementation. CAM stands for Content Addressable
Memory: memory optimized for doing lookups by certain content. In the case of a
network switch a 6-byte MAC address plus 2-byte vlan id will be used to do a
lookup of the 2-byte interface number where it was last seen, and this lookup
is done in hardware.
This CAM table is accessible via SNMP, and the funny part is the MAC address
for the lookup is also encoded as SNMP identifier. I could get the whole CAM
table via snmpwalk but as I only want to lookup 1 MAC address it is way faster
to go directly from MAC address to interface number. After that the interface
number is translated to an interface name and that name is usually something
recognizable to a network engineer.
When I started using managed switches at home from Netgear I adapted the script
at home and enhanced it for Netgear switches.
I recently added a third netgear switch when upgrading the fiber to the shed
and I updated the script to learn about the new switch.
I noticed the interface names are quite different over the generations
of netgear switches.
The oldest switch is a Netgear GSM7224. The interface name from a query is
"Unit: 1 Slot: 0 Port: 15 Gigabit - Level".
The second switch is a Netgear GS716Tv2. The interface name from a query is
"Slot: 0 Port: 11 Gigabit - Level".
The newest switch is a Netgear GS310TP. The interface name from a query is
"GigabitEthernet9".
The Unit: 1 in the GSM7224 suggests some option for stacking
multiple switches, but I can't find any mention of that option in the
on-line documentation.
The other fun part I notice is interface names never showing the fact that
they are actually an SFP interface with an SFP in them. The port status for
a port with an SFP is not different from the status for a copper cable at
gigabit.
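The direct lookup described above (MAC address to port to interface name, without walking the table), as an added example that is not the script from this post. It assumes the switch implements the standard BRIDGE-MIB, Q-BRIDGE-MIB and IF-MIB columns and that the FDB id equals the vlan id; the function names and the sample agent values are constructed, and `get` stands in for whatever performs the SNMP GET.

```python
import re

# Standard MIB columns (BRIDGE-MIB, Q-BRIDGE-MIB, IF-MIB).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # index: MAC
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"    # index: FDB id, MAC
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # index: bridge port
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                    # index: ifIndex


def mac_to_index(mac):
    """Turn a MAC in any common notation into its OID index: six decimal octets."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(str(octet) for octet in bytes.fromhex(digits))


def fdb_port_oid(mac, fdb_id=None):
    """OID of the single table cell holding the port where `mac` was last seen.

    Without fdb_id the BRIDGE-MIB table is used (Cisco IOS exposes one such
    table per vlan through community string indexing, 'community@vlan').
    With fdb_id the vlan-aware Q-BRIDGE-MIB table is used; treating the FDB id
    as the vlan id is an assumption that does not hold on every switch.
    """
    index = mac_to_index(mac)
    if fdb_id is None:
        return f"{DOT1D_TP_FDB_PORT}.{index}"
    return f"{DOT1Q_TP_FDB_PORT}.{int(fdb_id)}.{index}"


def trace_mac(get, mac, fdb_id=None):
    """Three single GETs: MAC -> bridge port -> ifIndex -> interface name.

    `get` is any callable that takes an OID string and returns the value,
    or None when the agent has no such instance.
    """
    port = get(fdb_port_oid(mac, fdb_id))
    if not port:  # None: MAC not in the table; 0: learned, port unknown
        return None
    if_index = get(f"{DOT1D_BASE_PORT_IFINDEX}.{port}")
    if if_index is None:
        return None
    return get(f"{IF_DESCR}.{if_index}")


# The three interface name styles quoted in the post.
_NAME_PATTERNS = (
    re.compile(r"^Unit: (?P<unit>\d+) Slot: (?P<slot>\d+) Port: (?P<port>\d+) "),
    re.compile(r"^Slot: (?P<slot>\d+) Port: (?P<port>\d+) "),
    re.compile(r"^GigabitEthernet(?P<port>\d+)$"),
)


def short_port(name):
    """Reduce an interface name to unit/slot/port numbers; unknown names pass through."""
    for pattern in _NAME_PATTERNS:
        match = pattern.match(name)
        if match:
            parts = match.groupdict()
            return "/".join(parts[key] for key in ("unit", "slot", "port")
                            if parts.get(key) is not None)
    return name


# Constructed agent contents: MAC 00:11:22:aa:bb:cc in vlan 10 on bridge port 15.
SAMPLE_AGENT = {
    "1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.17.34.170.187.204": 15,
    "1.3.6.1.2.1.17.1.4.1.2.15": 65,
    "1.3.6.1.2.1.2.2.1.2.65": "Unit: 1 Slot: 0 Port: 15 Gigabit - Level",
}

if __name__ == "__main__":
    name = trace_mac(SAMPLE_AGENT.get, "0011.22aa.bbcc", fdb_id=10)
    print(name, "->", short_port(name))
```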
$ ./sunspec-status -v se-schuur -m 0
INVERTER:
Model: SolarEdge SE2200
Firmware version: 3.2537
Serial Number: xxxxxxxx
Status: THROTTLING
Power Output (AC): 342 W
Power Input (DC): 348 W
Efficiency: 98.50 %
Total Production: 3964.313 kWh
Voltage (AC): 237.40 V (49.94 Hz)
Current (AC): 1.53 A
Voltage (DC): 378.80 V
Current (DC): 0.92 A
Temperature: 42.75 C (heatsink)
I could not find the reason for the throttling of the output power. I am now
logging the status value of the inverters to see whether this happens more
often.
Update:
In hindsight I think this happened because I had rebooted the inverter in the
shed to get the right IPv4 address for monitoring. This was at a fairly sunny
moment. After the reboot I was quickly testing whether the modbus/tcp
monitoring worked to the new address, and the inverter does not start
delivering full power at once but ramps it up slowly.
I got around to doing the upgrade of the fiber to the shed network I had on my mind
today.
A friendly network layer 1 engineer had some leftover Cisco SFP modules and
the netgear GS310TP and netgear GS716Tv2 switches accepted these without
any issue. So the layer 1 network link came up fine.
The layer 2 link with vlan support took me a few hours, somehow I managed to
get confused with vlan tagging, vlan tagged only frames and the primary vlan
id. I haven't done this in a while and I sort of copied the configuration from
another port which may be less than optimal too. I had to run through the house
a number of times to get the configuration right, wireless devices can't access
the managed switches. At least I got the whole configuration working in the
end. I think I can add other vlans to the link too (I want the option of a
wireless access-point in the shed).
Putting the switch, the power supply for the switch, the raspberry Pi, the
power injector for the 1-wire measurement network and all network cables and
fiber in the plastic box I bought for this work was a bit of work, it just fits
(so a wireless access point will have to live outside that box..). But it's all
in there and the box is closed again. It's just not airtight anymore with the
new holes for power, fiber, network cable, gps antenna cable and 1-wire
network. I may need to stuff the holes with foam or something similar to keep
insects from crawling into the box.
Everything works now and the measurements from the solar inverter are
coming in!
After reverting to Grafana 8.4.7 for a while because alerts were failing in Grafana 8.5.0
I had a look at the available version today and saw version 8.5.2.
I assumed the problem with DataSourceNoData errors was fixed by now and
did the upgrade.
Indeed the alerts are seeing data fine now and I trust they will work when
needed.
Our flight was leaving Keflavik International airport at 07:40 so we wanted
to walk through the door of the airport at 05:40 and return our car before
that time. So the alarm went off at 05:00 and we put everything in the car and
drove to the airport rental return area.
Hertz has a huge parking area for returning rental cars so we parked in that
area and walked to the return office. The office was still closed so we
dropped the key in the key return box and walked to the main airport building.
There we used a luggage cart and went to the check-in for our flight back
home. The check-in was a bit of waiting but nothing really bad. After check-in
it was time to go through the security check and even with a bit of extra
checking of our luggage we were past that point fast. We found ourselves
in the main waiting area for departing flights with lots of time to spare,
so we finally had time to eat some breakfast and get an extra fresh juice.
The flight back was fine, I decided to watch the film 'Rush Hour' from the
entertainment system.
Back in the Netherlands temperatures were higher again! We took the train
from Schiphol airport back to our house.
After breakfast we left the apartments and walked towards the center of
the city and the main shopping street. Most of the shops were still closed
in the morning. We changed plans a bit and visited the Reykjavík Park and Zoo
which was more of a botanic garden.
We tried to hop on a bus to get there but that was the first time we actually
needed cash money. Trying to get the app for the Reykjavik bus working with
a Dutch credit card also did not work. So we had to get actual money from
an ATM to pay for bus trips.
My wife and son went swimming for a while and we went back to the city
center, now open.
We walked along Laugavegur, which is the main street of Reykjavik. We also
visited the Hallgrimskirkja which is a magnificent church building. Several
signs were there to remind the tourists that it was also a house of worship.
The only bit of train track in Iceland
We visited the harbour in Reykjavik. It has a bit of train track and a
locomotive which was used in building the harbour! I think that was the only
bit of train track in Iceland.
For an early dinner we found a nice pizza restaurant on Laugavegur.
After dinner we returned to Keflavik. We had arranged another night at the
Nupan de Luxe hotel. We set an early alarm because of our flight back the next
day. We also packed our bags again with being on an airplane in mind, or
rather going through the security check. It was also time to make sure the
fuel tank of our rental car was filled completely before returning it the
next morning.
We woke up in Eldhestar hotel and had breakfast. My wife and son had booked
a horse ride for the afternoon, so we had some hours before that started and
visited Hveragerði.
The area around Hveragerði has had several serious earthquakes. The library
and shops building had an exhibition on the 2008 earthquake with pictures
and stories from eyewitnesses. The building that this is all in has a scary
detail of its own: during construction a huge crack in the earth was found
right between the foundations. The decision was made to not build the 4 floor
tower nearby and adapt the building to deal with earthquakes. Still the 2008
earthquake caused damage.
To the north-east of Hveragerði is an area with lots of geothermal activity
which can be hiked easily.
Geothermal activity around Hveragerði
We also visited the geothermal park inside Hveragerði. According to the
descriptions some parts of this park have changed as a result of that 2008
earthquake.
In the afternoon was the horse ride. My son and wife had a great time with
very easygoing Icelandic horses. I decided to drive to the coast and have
a look there. It turned out this was a non-tourist area so the coast was
just some harbour areas and industrial fish handling.
After all that it was a relatively short drive to Reykjavik. We wanted to visit
the city the day after so we drove to our place to stay. We went from driving
on the 2-lane ring road near Hveragerði to huge highways near Reykjavik.
But with only 1 serious correction we managed to find our apartment:
Stay Apartments Bolholt where we made dinner and went to bed somewhat early.
We left from Lækjaborgir Guesthouse and started driving along the ring road
again.
We stopped in Vik for a visit to the local souvenir shop. When we visited
Vik in 2006 it was very rainy and cold so we were looking for warm gloves.
The gloves were found in a small shop. Between 2006 and 2022 this small
shop was replaced by a huge store with all kinds of Iceland souvenirs. And
they still had gloves, but we had brought our own.
Along the coast were some great views. The erosion of lava rocks is very
interesting.
We stopped at Skógafoss Waterfall which is so high the last 50 meters before
the fall you're already walking in a big spray. There is a path to climb to
the top but we decided against it as it's quite high up.
We stopped at the Lava centre in the afternoon. The Lava centre has exhibitions
around the very active volcanoes on Iceland including reports on the 'famous'
Eyjafjallajökull eruption in 2010. Outside of Iceland it mainly made the news
for causing massive disruption to air travel because of the ash that was in
the air which made flying impossible. The Lava centre had the Iceland side
of the experience which was with disruptions everywhere due to ash falling
down all over, and people who looked out the window to see if the rumbling
volcano had changed and seeing the first explosive eruptions.
The Lava centre has a lot of explanations on how volcanic eruptions work
and how certain influences can change them completely. And it turned out
the person behind the cash register in the entrance also had extensive
knowledge of volcanoes so we chatted with them about our views.
The Lava centre also has an observation deck where you can see a few of the
big volcanoes of Iceland in the distance. But due to rain and thick clouds
there was nothing interesting visible.
Electricity pylon near Hveragerði
In the afternoon we continued our drive and ended up at Eldhestar hotel.
Yes we visited that hotel before. We wanted to get back there so my wife
and son could go horseback riding the next day. The Eldhestar hotel is close
to the city of Hveragerði so we drove over there for a nice dinner and an
evening walk.
We had breakfast in the Framtíð Apartments cabin and got going again. The
Framtíð hotel wasn't staffed very well as there wasn't someone available to
return the cabin key. Eventually a cleaning person showed up and took our
key.
This day was again going to be a long drive. The Iceland ring road is quite
close to the Atlantic Ocean here in parts. The ring road is also close to the
mountains and glaciers, there just is not a lot of space for the road here.
The weather was warmer and with a lot more sun than the day before. We were
glad to have sunglasses while driving and on stops we could do with fewer
layers.
Bridge between Jökulsárlón Iceberg Lagoon and the ocean
Iceberg in Jökulsárlón Iceberg Lagoon
Ice from Jökulsárlón Iceberg Lagoon
Iceberg in Jökulsárlón Iceberg Lagoon
The main attraction for the day was a visit to Jökulsárlón Iceberg Lagoon
where we parked and got a ticket for a tour on the lake. After we got the
ticket we walked around looking at all the beauty from the side. This is
a lake filled with ice and water from glaciers on one side and the water
flows out to the ocean on the other side. This water flow is quite strong,
making me think about the amount of ice entering the lake. There are also
seals in the lake. The underwater ledge between the lake and the ocean
keeps all the predators out that hunt seals. That ledge is also the reason
the bridge in the ring road over the water flowing out to sea is not
threatened by the ice. Icebergs with 90% of their volume under water first
have to break and melt to small sizes to leave the lake.
The tour on the lake was with an amphibious vehicle, first driving a bit
over land and entering the lake to continue as a boat. We had a guide who
seemed to make a set of standard jokes on the tour and they were a bit
predictable and not so funny. But the views were great and the information
we got was fine. Eventually global warming will put an end to this lake
as an attraction.
We also walked across the ring road to the 'diamond beach' which is a
black beach with lava sand where the smaller blocks of ice land on the
beach after floating through the Jökulsárlón channel.
Fjallsárlón glacier lake
After the tour we stopped at the Fjallsárlón glacier lake for coffee. That
lake also had tours, but in big rafts with people in survival gear.
We passed the Skeiðará Bridge Monument on the ring road, which is where
a glacier flood once took out the bridge in the ring road. When we visited
in 2006, we had to cross the new bridge. This time I was really surprised,
the whole Skeiðará one-lane Bridge has been replaced by the road next to the
side of it. I guess the increased traffic made the one-lane bridge delay
traffic too much and the cost of rebuilding the road when the glacier flood
happens is lower than the cost of rebuilding the bridge.
Our place for the evening was Lækjaborgir Guesthouse. Like other places we had
received an e-mail with a door code to get in after payment via booking.com and
we never saw a person handling things. This was a studio apartment so there
was one not too big room with table, a small kitchen and the beds.
For dinner we went to Fosshótel Núpar. In Iceland there are a lot of
'Fosshótel' places which doesn't mean they are using Free and Open Source
Software, but Foss is Icelandic for waterfall.
When we looked out the window to get from the building where our room was to
the building with the breakfast buffet we noted a fresh layer of snow had
fallen. Everything was covered in snow, including our rental car.
For days we saw weather reports stating that there would be precipitation
on this day, but we didn't expect it to be snow. Because of this weather
forecast we planned to drive for a large part of the day and get to the
eastern part of Iceland.
At breakfast it wasn't as busy as the day before, we saw only a few persons
in the guesthouse.
After breakfast we started driving. After a while the snow returned, sometimes
with hail. As the road got to higher elevations more snow started falling.
Heaps of snow started to form on the road and we saw a few plow trucks trying
to clear the road. Eventually snow dunes started to form and we had to slow
down seriously to keep driving safely. It was very cloudy but with the
completely white landscape due to the snow I used sunglasses while driving
to see as much detail as possible.
We stopped at Rjúkandafoss waterfall where the cold had turned a lot of the
spray into snow and ice. This helped for special views, but it was very cold
and we took extra layers of clothing outside.
At one of the higher mountain passes we saw a house on the map right next to
the road. We wondered who would build a house so far from the rest of
civilization so close to the road, since most houses in the remote areas are
far enough from the road, probably to reduce road noise. As we passed this
house it turned out to be a refugee shelter in case you got trapped in a
snowstorm or something, right on the edge of the road. We did not expect
such a shelter next to a major road. I guess the weather can be really bad!
In the afternoon we stopped at Fossardalur waterfall and took some pictures
there. This stop wasn't as cold as the earlier waterfall stop of the day.
Interesting (to me) was an old bridge next to the road which looked like
it was the original path of the ring road.
At the end of our drive we got into Djupivogur and we saw lots of caribou
grazing on the local sports field. They migrate from coastal areas in winter to
higher in the mountains in the summer, I guess the caribou thought winter was
just ending. I agree there after the snow and hail. It was a big herd, with
clearly a few large animals acting as leaders for the rest of them. We stayed
at a safe distance, we weren't sure they might get annoyed if we got too close.
Eventually they all moved on to other fields.
At the end of this drive we ended up at Framtíð Apartments, Djupivogur. This
turned out to be a wooden cabin near Framtíð hotel (we had to pick up the keys
at the hotel). The cabin wasn't insulated very well so I was glad there was
heating in the main area. It turned out the heater in the bathroom wasn't
working so it stayed very cold there. I reported this problem to the front desk
and they brought an electric heater to solve this problem. The cabin did have
a great view of the harbour at Djupivogur.
We had dinner at the Framtíð Hotel. Our cabin had a bedroom with two beds and
a sofa bed in the living room. But that did mean we had to 'build' the bed
in the evening and revert it to a sofa before breakfast the next day.
First we had breakfast at the guesthouse, which was included. It was reasonably
busy at the breakfast and we chatted with some tourists from the United States
of America who turned out to be from the city of Las Vegas in Nevada. When they
asked if I had ever been in Las Vegas I told of my red-eye flight in the US in
1997 between Michigan and San Francisco where I had a stopover in Las Vegas in
the middle of the night and the daylight saving time in the US started during
walking around the airport in Las Vegas which was very weird. And even in the
Las Vegas airport you can gamble! It's fun to recall old travel stories.
We left for a daytrip from Eldá Guesthouse, Reykjahlið for a drive around
Myvatn, the mosquito lake, and surrounding areas. Beforehand we thought we
would maybe rent bicycles to get around Myvatn but with temperatures around 0
degrees Celsius it was too cold for that option so we stuck to the rental car.
Our first visit was to Krafla Power Plant which is a huge geothermal energy based power
plant. The use of geothermal energy means they do vent some sulfuric acid
gasses all the time. So we drove on the road through the powerplant with
the windows closed and the ventilation set closed to the outside world and we
only stopped on a viewpoint high above the powerplant where you don't smell
it that much.
Icy rope in Krafla Lava Fields
Krafla Lava Fields
After that we stopped at the Krafla Lava Fields. Those were still partially
covered in snow. We saw areas with a thick layer of snow and areas with steam
coming out of small cracks close together, which looks strange when you're not
used to living in a geothermally active area. Some of the sand-coloured rocks
in the area had black surfaces, which is for as far as I know due to bacteria
living in the hot steam!
In the afternoon we walked in an area with very special volcanic rock
formations. This area had walking paths, including one for experienced walkers.
On the tourist scale we seemed to be experienced walkers with mountain shoes,
so we were able to leave the paved walking paths and walk the more interesting
paths.
In the evening we made dinner in the kitchen available in the guesthouse.
We left from Sunnuhlid houses apartments. There is a toll tunnel in the
ringroad from the Akureyri bay to the east but Sunnuhlid houses is so far
to the North it is easier to take the old route around the mountain. We
could see why the tunnel was built: the old route was a high and winding
route through the mountains, which could be difficult to keep open in winter
conditions.
Húsavík parking lot with Mylady Landy
We went along the roads to Húsavík and stopped there for some shopping.
In the parking lot of the supermarket I saw a Land Rover Defender with
Dutch license plates and had a look at it. A man showed up who turned out
to be with the Defender so I complimented him on the nice vehicle and we
had a chat. He was there on a longer visit to Iceland and had seen even
more types of weather than we had until that moment: from serious freezing
temperatures to sunny and hot days. They came over on the ferry to Iceland.
If you have more time the ferry Denmark / Faroe Islands / Iceland is the
way to get there, but the complete trip to these three places is about a
week of travel time.
The owners of the Land Rover Defender also maintain a website with stories,
pictures and videos of their trips: Milady Landy.
Northernmost point on our trip
On road 85 we came to the Northernmost place on our trip so we stopped
for a picture and a screenshot of the GPS. North 66 degree 12.0852 minutes
West 17 degrees 02.8633 minutes.
We drove to the Ásbyrgi Visitor Centre where we got an explanation about the
very special area there, now filled with waterfalls. This area looks like a
huge trench in the landscape, created by a massive flood from a glacier flood
event hundreds of years ago. People made rope bridges over big obstacles in the
landscape to get goods from one place to the other.
Low temperatures near Ásbyrgi
We drove to Ásbyrgi itself which is a park with some lakes and forested areas.
It was getting colder, we had to put on an extra layer and walk through snow.
We stopped for lunch on the way back out of Ásbyrgi and the road information
sign outside on the 85 road was showing -2 degrees Celsius temperature.
Lunch options were somewhat limited, the first of May is a holiday in Iceland.
We went South along road 862 and visited some of the waterfalls, Hafragilsfoss,
Dettifoss and Selfoss. Those are big waterfalls with large open areas and it
was windy, so it was really cold!
We arrived at Eldá Guesthouse, Reykjahlið in the afternoon where we booked
for two nights. For dinner we went to a nearby pizza restaurant: Daddi's Pizza
which had a nice selection of pizza. I drank a beer from Einstök Beer Co.
because I remembered that name from the Reykjavik grapevine youtube channel
we followed to see the latest on the eruption of the Fagradalsfjall volcano in 2021.
Weather conditions changed a lot during the day: we started with sunny
weather near Akureyri but we ended with freezing temperatures.
After breakfast we went on a lazy visit to Akureyri. We walked a bit around the
city and my wife and son went to the Akureyri Swimming Pool. I walked around
town a bit. I soon noticed a big antenna setup on a house suggesting I found
the home of a radio amateur. I later confirmed this.
Nice design for an electricity substation in Akureyri
It was a nice and sunny day so walking around Akureyri was really nice. I
walked a bit in the direction of the mountains and later along the harbour. It
was a bit too early in the season for lots of activity on the water. The flags
about the winter sport area in Akureyri were still up. When we asked about it
the tourist information told us the wintersport resort had just closed the
slopes one week earlier. Even with the sun and the nice temperatures we could
see lots of snow on the higher mountains. The end of the wintersport season
was also visible in another way: we saw quite a number of snowmobiles being
moved on trailers.
Evening over the bay at Akureyri
In the afternoon we picked up some groceries at a supermarket in Akureyri
and went back to the apartment at the other side of the bay and made and
had dinner in the apartment and enjoyed an evening with great views.
After a second night in the Sauðafell Guesthouse it was time for breakfast.
We talked a bit with Berglind around breakfast and she told us she has
several guests who returned after earlier visits. We immediately understood
why people want to return to Sauðafell Guesthouse, it is a wonderful place,
great views, nice location for several trips and a great hostess.
Sign einbreið brú
Einbreið brú (single lane bridge) with gravel road
We were planning to go to Akureyri this day. This was partly over unpaved
roads with gravel. We both had the idea to take a picture of a gravel road
with an 'einbreið brú' sign and bridge. People who drive in Iceland will
soon learn about the 'einbreið brú' or one lane bridge. While driving on one
of the gravel roads we indeed saw this scene as expected and stopped to take
that picture. This is our idea of 'peak Iceland'.
Officially you are not allowed to stop on the road for pictures, you always
have to park in a safe spot and assume other traffic may show up. We saw no
other traffic at all.
Our place for the night was an apartment on the other side of the bay where
Akureyri is. So we had to drive through Akureyri and took our time to shop
for our evening meal and breakfast, and we walked around the city centre.
We found it very amusing there was a car with license plate 'MARIA' parked
near a church.
We even came to the town square we remembered from our visit in 2006. Back in
2006 we were on an evening walk in Akureyri and on that town square we saw the
way young people have fun on a Friday evening in Akureyri: they get a big
fourwheel drive car and drive in circles through the city while playing music
on the car stereo and looking at the other cars and the people in those cars.
As we went to our apartment at the end of the afternoon we weren't able to see
whether the local youth still does this.
We arrived in the Sunnuhlid houses apartments and after having dinner we
enjoyed a magnificent view over the bay near Akureyri. With the distance
from Akureyri it was good to have done shopping for dinner.
We woke up at the time arranged for breakfast and our friendly hostess
Berglind from Sauðafell Guesthouse
(booking.com link) was busy making breakfast available for us. When we told
her we wanted to visit the Snæfellsnes peninsula she explained about places
to visit and things to see on and around Snæfellsnes peninsula.
Birds nesting around Snæfellsnes peninsula
Parts of this peninsula have cliff coasts where birds nest in the cliff rocks
in the weirdest corners. We visited several of these cliffs which had
viewing platforms allowing safe viewing by visitors without disturbing the
birds. Although most of the birds seemed aggressive enough to fend for
themselves and capable of letting people know when they got too close.
This coast is also dangerous for ships so we saw several lighthouses and
remains of ships that got wrecked on this coast in the last century.
Driving along the coast of Snæfellsnes we passed the village of Hellissandur
where I noticed a huge tower, the Hellissandur longwave radio mast
which is the antenna for the RÚV program on 189 kHz. I'm the kind of person
to note things like this! The building for the transmitter had the RÚV name
in big letters on it.
At Svöðufoss waterfall drones are also forbidden
Svöðufoss waterfall
Snæfellsjökull with snow cover
Snæfellsnes is also known for having Snæfellsjökull, a glacier in a
national park. We didn't visit the glacier but we did stop at Svöðufoss
waterfall where we were able to take pictures of the Svöðufoss waterfall
with Snæfellsjökull behind it. It was great weather for pictures and
warm enough to be outside with just a jacket.
Kirkjufellsfoss waterfall
We went on and also stopped at Kirkjufellsfoss waterfall which was again
very nice to look at.
For dinner we went to Stykkishólmur where we found Narfeyrarstofa restaurant
which had really nice food and drinks.
After dinner we returned to the guesthouse and enjoyed the majestic view.
We woke up in the Hótel Laxárbakki and made breakfast. After breakfast we
packed our stuff and got going again.
Our main activity for the day was a visit to The Cave
which is an underground lava tunnel.
We read the description of how to get to the cave and this was 'follow route X
and follow signs to the cave'. The detail was that 'follow signs to the cave'
was over quite a length of winding and not very wide gravel road so we were
happy to have a four-wheel drive car. There were some steep grades in the
gravel road which made driving interesting, especially with an automatic
transmission. Thankfully this was an automatic transmission with an override so
we could keep it in the same gear on a steep downhill.
We were greeted at The Cave by our guide who was a geology student from
England. He was very good at explaining everything and answering questions
from the people in the group. His level of knowledge was clearly far above
the standard explanation of everything, but he was good at explaining things
at multiple levels. This made for a very interesting tour with lots of nice
details.
It was quite cold in the cave. There was snow in the opening and cold air from
outside flows in. The opening is a collapsed part of the lava with stairs to
get from the surface to inside the tunnel. If the collapse hadn't been there
or hadn't been in just one place this lava tunnel would not have been open
for visitors.
After the opening came a few turns and a part where the floor of the tunnel
rose to quite close to the ceiling. The effect was that all moisture in the
cold air formed interesting ice sculptures in this part, and there was almost
no ice after this point.
At the far end of our tour into the tunnel was a viewing platform. The tunnel
continues but without walkways and lighting, so the rest of the tunnel is
only available to researchers. Our guide turned off the light for a few
moments so we could see how dark it really is inside the earth.
On the return trip through the tunnel we saw the next group come in. The
two group guides keep contact via radio to make sure the groups pass in
a safe location.
After the tour we had a late lunch and went on. We visited Barnafossar falls
which are very special: due to the volcanic terrain an entire waterfall
grows out of the side of the mountain. The water gets into the lava easily
since lava is very porous and at the side of the lava near the river there
is just water flowing out of it at all levels, creating a wild river.
With the explanation how this is possible from our visit to The Cave this
was a nice place to visit and see for ourselves how nature and recent
geological history interact here.
Our place to stay for the evening was Sauðafell Guesthouse (booking.com link)
which is a renovated 19th century farm house. The house is in a valley with
one neighbouring house visible, but at a distance too far for walking. The
other neighbours are further away, one in the next valley and one across the
river.
This guesthouse is on an active sheep farm. So farm life continues during your
stay and it's a great way to experience daily life on a farm in Iceland.
We were greeted by the very friendly hostess Berglind and she directly assumed
we drove over the paved road to get to the guesthouse because our white car was
still white. The other nearby road is a gravel road and with some rain in the
air and dust from the road white cars don't stay white.
In the evening we cooked our own dinner in the kitchen and cleaned up
afterwards. The guesthouse has a nice kitchen and living room for all the
guests. We decided to stay two nights so we could drive around Snæfellsnes
peninsula the next day and return to the guesthouse the next evening.
For an evening walk we walked up the hill next to the guesthouse. Eventually
we ended up at a height of about 343 meters with a great view all around.
We woke up in the Eldhestar Hotel, had breakfast there and packed our
belongings to keep going.
Strokkur geyser
Geysir area
Our plans for this day were a few of the 'standard' tourist attractions
of Iceland: first the geysers at Geysir
where the 'original' geyser named Geysir isn't very active but the next one
Strokkur is active with
large eruptions of boiling water.
Strokkur erupts every 6 to 10 minutes, which is very tourist friendly. This is
all part of an area with high geothermal activity, so there are also other hot
springs and pools with boiling mud. Since this is a huge tourist attraction
there is also a gift shop and restaurant nearby. I was used to signs asking you
to not continue on outside shoes in Iceland, but the door to this gift shop and
restaurant had a request to not walk in with crampons. I would consider it a
very bad idea to walk anywhere without snow on crampons, but maybe other people
didn't consider this.
For lunch we stopped at a campsite that was officially closed. It was a field
with a small wooden building with a covered table. The only thing that made it
look 'closed' to us was the fact that the doors of the toilets on the other
side of the wooden building were locked. Otherwise it was a very minimalist
camping with just a field and a toilet building and a table. No power outlets,
no swimming pool. I assumed there was a place with clean drinking water but I
didn't see it.
Drones are forbidden at Gullfoss waterfall
Gullfoss waterfall
The other attraction in that area is Gullfoss
waterfall which is a very big waterfall. Being there in the month of April was
a bit early so it was quite chilly. The view at Gullfoss is amazing. To make
sure everybody gets to enjoy views like Gullfoss waterfall and Strokkur geyser
there were signs forbidding drones. I agree with forbidding drones at places
like this. First of all drones make a really annoying sound. There is a reason
drone video never has original sound: you don't want that sound, it's just a
high-pitch whine. And the second reason to forbid drones at a site like this:
there are lots of ways for drones to crash in a place like this. And having
the natural beauty of a place like a huge waterfall or a geyser spoiled by
heaps of drone remains would be annoying too.
Huge trucks in Iceland
The parking lot at Gullfoss had a number of big four-wheel drive or eight-wheel
drive cars with special installations for driving on rough terrain. Those
probably drive tourists around Iceland and mostly stay on roads!
Waterfall at Þingvellir
We also visited Þingvellir
which is now a national park. It was the site where the parliament of Iceland
came together every year from 930 until 1798. It's a valley and it's directly
on the Mid-Atlantic Ridge so you can see Europe and North-America drift apart.
It's both a historic site and some beautiful nature. There is a path to walk
along the Mid-Atlantic Ridge and in some parts there are walkways over it
because the ground keeps subsiding.
After all this we drove on to our hotel for the evening:
Hótel Laxárbakki which is on the
ring road. This was more of an apartment with a small kitchen than a 'hotel'
room but we got used to this in Iceland. We had dinner in the hotel and had a
nice evening walk along the river that flows right beside the hotel. The ring
road was now two lanes over a bridge, but the old one lane bridge Einbreid
brú was still standing. But it looked too old and unmaintained to walk
over it so we just had a look at it.
We woke up in our nice hotel and my wife took the car to get things for
breakfast. This sounds completely strange for someone living in the Netherlands
but Iceland has a bit of urban sprawl so bigger supermarkets are located on the
outskirts of cities and the distance between our hotel and a reasonable
supermarket was a bit too far for walking. The hotel had no breakfast options
of its own, but they did have a room with a toaster, an electric kettle, plates
and cutlery, so enough room to make our own breakfast.
There was a bit of shelf space with a sign 'leave something, take something'
which reminded me a lot of a hiker box
as described in the stories I have read about hiking on long-distance trails
like the Appalachian Trail.
This hiker box had one thing I was interested in: instant coffee.
I like some coffee after breakfast in the morning and this was my option
to get something resembling coffee.
After breakfast we packed our bags and left. We re-packed a few things because
we went from 'packing for in an airplane' to 'packing for day-trips' so the
pocket knife could be somewhere ready for use and the hiking poles were
unpacked and put in an easy to reach place in the car.
Our main plan for the day was
to visit the Fagradalsfjall volcano.
This volcano erupted during 2021 and this was one of our main reasons for
visiting Iceland again.
We wanted to visit this volcano either in the first few days or in the last
few days of our stay in Iceland. The weather forecast for this day was
really nice so we planned it this way. And the weather was indeed nice and
sunny.
Fagradalsfjall volcano
This is a very visitor-friendly volcano: it is about an
hour driving from the Reykjavik / Keflavik area, it has nearby car parking and
after that it is a relatively short walk to get to an area with volcanic
activity. We saw no hot lava streams but a very large area covered with lava
cooling down. Smoke plumes and some burning vegetation showed that the lava was
still warm and hot in some places. We hiked the main path along the lava flow
which went mostly up and gave great views of the lava field. Eventually we
reached a point with a good overview of the place where the eruption happened.
Somewhat further there was also a place where we could get to the edge of the
lava and touch it. The solidified lava still felt warmer than the surrounding
area.
Fresh lava has interesting qualities. It has very sharp edges and with the
lava exposed to the air solidifying first there are usually tunnels inside
fresh lava, leading to collapses. Two good reasons not to walk on the lava,
it can be dangerous.
Lava at the edge of the eruption of Fagradalsfjall volcano
The car park had paid parking. But in a very Icelandic way: there were signs
with a QR code for a parking website where you just entered your license
plate details and the type of car and paid online with a credit card. This
is not a problem at all because mobile coverage including data in Iceland
is very good and they are used to paying almost everything with debit card
or credit card.
While walking the path along the volcano I noticed I recognized certain
views from the videos we watched while following the news about the eruption.
It's funny to recognize a remote area from videos watched at home on the
couch. The views were amazing, especially with the nice weather and I came
to the conclusion that this kind of spectacular view of pure nature and
geology was exactly why I came to Iceland.
Hveradalir Geothermal Area
After the visit to the volcano we drove in the direction of our hotel for the
evening. We made a stop at Hveradalir Geothermal Area which is an area
where the geothermal activity is easy to visit. This includes the smell that
comes from hot sulfur exposed to water and air. This is the same as the
smell from rotten eggs so you have to endure this to get a good view of
this special area.
The hotel was
Hotel Eldhestar. The drive was partly
along the Iceland ring road (road number 1) which was in the process of being
upgraded to 4 lanes with a median in some areas. This was quite a change from
what we remembered from driving on the ring road in 2006.
At the hotel we also had dinner. One feature we liked about this hotel is the
hot tub: we soaked in it for a while after dinner.
We filled the two week holiday in April/May with a trip to Iceland. My wife
and I have visited Iceland before, and this time our son visited Iceland for
the first time in his life.
The first day was filled with the interesting project of getting to Iceland.
Because we didn't want to add days of sitting on a ferry to the trip we booked
tickets with Iceland airways and rented a car to pick up and return at
Keflavik airport.
Our plans for Iceland were a general idea to drive the
ring road also known as route 1,
beginning with going North from the Keflavik/Reykjavik area and generally
keeping to the ring road in clockwise direction.
The easy way to get to Schiphol airport is by train. Our flight was leaving at
14:10. This Sunday was right after the first problems on Saturday with long
waiting times at Schiphol so we made sure to be really on time. So we had
breakfast and left after that. Train connections worked as planned.
We just had to drag the luggage from the house to the station and in most other
places luggage carts were available. We had two duffel bags with us, and paid
the fee for the luggage with our booking.
At Schiphol we searched for our check-in desk and saw it behind a long line of
people. The mood in the line was positive and we slowly moved towards the
check-in desk where our luggage was accepted swiftly. The next line was for the
security checks (I could write a huge rant about this security theater) which
was long. It's almost an "Efteling" experience with "there is a waiting time of
40 minutes from here" signs. Eventually we made it through the checks and the
people manning the security checks weren't too grumpy this time. By the time
we were at the security checkpoint our water bottles were empty and we
refilled them after the checkpoint.
After the security check and long distances walking through hallways in Schiphol
we had about 20 minutes left before boarding the flight started.
Boarding was fine. We had seats really far in the back of the plane but I was
able to get my legs in the space available. The unexpected bit to me was that
the seatback in front of me had an entertainment screen. I expected those
screens to only be available on longer flights. So I came prepared for the
flight with new books on my e-reader but I also was able to watch some
episodes of The Muppets,
a series I didn't know existed!
The flight was fine. The interesting change was from around 22 degrees Celsius
in the Netherlands to about 14 degrees Celsius in Keflavik! So it was chilly
when we got out of the plane. We picked up our luggage and .. took it easy. We
expected more delays in the airport so we had the pickup of our rental car
planned for later in the afternoon. This means we had some time left before we
wanted to get in line for the desk at the rental car company. We used that
time to sit down and get something from Joe & The Juice at
the airport.
Eventually the time came to get moving. We walked over to the Hertz rental
desk and everything was prepared for the car rental. We booked a "Skoda
Octavia with all-wheel-drive or comparable car" in advance and they had
a Toyota RAV-4 automatic with all-wheel-drive available for us. Which was
fine with us. Everything was organized perfectly so we showed driver's licenses,
added the second driver and insurance against broken windows and got the
extended instructions on driving in Iceland. Keep the maximum speed, switch
on the headlights and taillights when driving and make sure to arrange payment
for the toll-tunnel on the Iceland ring road beforehand because the rental
company adds a serious fee when they get billed.
We walked with our luggage to the car. It had one feature that took a bit
of getting used to: an automatic rear door which wanted to be opened and
closed with button presses.
We had a room arranged for the first night in Keflavik in the
Hotel Núpan Deluxe. It was easy
to find in Keflavik and we checked ourselves in. We found a nice restaurant
Kaffi Duus with a good view of the harbour
of Keflavik.
In the evening we walked along the main street of Keflavik to get an idea
of the place and see the options for getting something for breakfast the
next morning. Temperatures were really lower than we were used to in the
Netherlands so we made sure to wear extra layers!
A notable and rare country in the log today: Iran. I've seen Iranian calls on
the air a few times but it is rare. Today I saw EP2C
on the air in FT8 in the 17 meter band and got the contact.
Confirming it is the next step: they have a QSL manager so I'll have to pay
a few euros to get a paper card. Although the call seems active on Logbook
of The World.
I installed Grafana from their debian repository, so I get updates via the
normal apt update / apt dist-upgrade process. Since upgrading
to version 8.5.0 the alerts were all firing because of 'DatasourceNoData'
errors. According to Alert Rule returned no data (after upgrade to 8.5.0) #48128
other people are seeing this too.
For now I downgraded to version 8.4.7 where things work fine and I'll see if
a newer version shows up.
In October 2018 a morse course started at my local radio club under the
leadership of Ab PA5ABW. Around March 2020 the people still going strong
practising morse thought they had a chance of passing the morse exam in
Belgium. But that pandemic happened, borders closed and gatherings of
radio amateurs were impossible.
Why go to Belgium? The Dutch telecommunications authority does note whether you
have 'CW included' or 'CW not included' but there is no exam possibility in the
Netherlands. So in the past doing the exam in Belgium, presenting the
certificate to the Belgian telecommunications authorities to get it converted
to a certificate the Dutch authorities accepted and converting that
certificate to a Dutch 'CW included' note was the way.
When there was an option of a Morse exam in April 2022 in Belgium again there
was a note the Belgian telecommunications authorities were not willing to
do the 'conversion' for foreign radio amateurs who weren't living in Belgium.
This seemed to kill the route to get the much coveted 'CW included'. After
writing an article about this
a suggestion came to 'skip' the Belgian telecommunications authorities and
present the Belgian certificate to the Dutch telecommunications authorities.
Later there was news from the Veron amateur club:
Morse examen doen in België voor een ‘CW included’ aantekening kan nog steeds
(taking the Morse exam in Belgium for a 'CW included' endorsement is still possible)
with a statement from Agentschap Telecom (Dutch telecommunications authorities)
stating they would accept the certificate from the UBA club in Belgium at
this time.
So when that became an option we registered for the exam in Belgium and kept
practising. Personally I had to change to using actual pen and paper and not
a keyboard because the exam would be using paper!
Between October 2018 and April 2022 we practised for about three and a half
years. That means I practised morse in one way or the other for almost every
day of the week.
The three of us went to Diest last Monday and all passed the test. On Tuesday
I sent scans of all the needed documents to Agentschap Telecom to get those
three letters removed from the amateur radio license document, going from
"CW not included" to "CW included".
Years and years after writing proposals to start doing something with IPv6
at work I noticed the first systems actually having IPv6 connectivity in
production networks.
Finally getting there! I wonder when workstations will start having IPv6
connectivity.
As noted before Brazil was a rare country for me on 10 meter until a few weeks ago
but it got easier to get those contacts with the 10 meter band getting better
due to the changing sunspot cycle.
I changed this even more yesterday with a morse contact with PY2ZEA
on the 10 meter band. I heard him calling and getting a lot of short contacts
into Europe. At first the signal started fading into the noise but about 20
minutes later it came back slowly and with more calling cq for new contacts.
I gave it a try and on the second attempt he got my call correctly and we
exchanged some messages. More than just a signal report and a call, I told
in morse that this was my first morse contact into Brazil.
Last weekend was the EA RTTY Contest
2022 edition. At the last moment I decided to participate because I appreciate
the contests organized by the Unión de
Radioaficionados Españoles.
Conditions were good: I made contacts on the 20 meter amateur band Saturday
afternoon, on the 40 meter amateur band Saturday evening and even got contacts
on the 10 meter amateur band on Sunday morning. Hasn't happened a lot in the
last few years: contest contacts on the 10 meter band. Including a contact with
a station in Brazil which was a bit remarkable: I had my first contact with
Brazil on the 10 meter band only 2 weeks earlier! For most Dutch amateurs
Brazil is 'easy' DX, but my antenna points mostly to the East / South.
In the end I made 135 contacts which is a nice score for this contest.
De enige gateway die dapper stand houdt is
PE4KH-10: nota bene een iGate naar ontwerp van onze club: een RAZ
iGate...
or translated: the only gateway still standing strong is PE4KH-10: notably an
igate made to the design from our club: a RAZ igate.
It's nice to get this mention! The hardware is in the corner of the shack
just doing its job and nothing else.
Yesterday and today are days with snow. One of the consequences is that there
is also snow on the solar panels. And that has a clear effect on the yield.
What stands out first is 31 March, a somewhat dark day with some wet snow
early in the morning. The yield for that day is about as low as on 1 March.
In the meantime there have been many days in March with a good yield from the
solar panels.
And now today, 1 April, it snowed in the evening and night and that snow stays
on the panels. Very little light gets through then! Only at 12:00 did
something start coming out of the inverters.
One of the founding forms of information exchange and community building on
the Internet is the mailing list. A subscriber sends mail to a central mail
address and the mail gets redistributed to all members.
As this mechanism has been abused by spammers in lots of ways there has been
a lot of work in stopping unwanted mail being distributed by mailing lists.
There has also been a lot of work in publishing the official way in which
outgoing mail from organizations is handled: Sender Policy Framework (SPF),
documenting the sources from which e-mail can be sent; DomainKeys Identified
Mail (DKIM), for signing outgoing mail headers and body; and Domain-based
Message Authentication, Reporting and Conformance (DMARC), for publishing the
policies for mail that fails SPF/DKIM and for reporting on those failures.
The way mailing lists forward mail isn't really compatible with SPF and DKIM.
The mailing list server becomes a 'new' source of mail from the original
sender, and the mailing list software changes or adds some headers when
forwarding it.
Yesterday I sent something to a mailing list from an idefix.net
address and this morning I see a number of dmarc reports with failures, because
the mailing list server isn't authorised to send on behalf of
idefix.net. So maybe some people on this mailing list haven't received
my reply. In the long run lots of SPF errors from this IP could also hurt its
'reputation score' for outgoing e-mail. Some mailing lists 'fix' this by not
allowing domains with strict spf/dmarc policies, others go through interesting
adjustments with 'sent on behalf of'.
I have no simple solution for this. I see an example of security measures
breaking an existing use case, for which adjustments may have to be made.
Update:
The general approach here seems to be 'sender rewriting'. Recently updated
mailing list software should support this. But it depends on the mailing list
owner to check the settings and update the software.
I've been playing with grafana for about a year since
starting with updating my statistics gathering
and I keep seeing new options and updates in grafana.
Grafana recently got some new options for alerting and I am trying a few of
those. Alerts for things that are a real problem and can cause other problems
are a good start. Based on some earlier problems I keep an eye on some
filesystems that are over 90% full.
Today I read Three DDoS attacks on my personal website, found via
Three DDoS attacks on my personal website : r/homelab on reddit,
and this made me wonder about overloads on my webserver. The easiest way to
detect problems with web serving I could think of is to look at the queue size
in haproxy
which is monitored in influxdb/grafana anyway for nice graphs of website
traffic.
I did have a time with too high queues for backend webservers. But that was
when the backend server was completely broken due to a filesystem problem
so that was a logical reason.
It would be nice if I could iterate alerts, like 'for the root filesystem of
every monitored system'. Or at least copy them changing only the system name
in the rules and alerts.
Mar 10 19:42:14 turing kernel: [ 0.181861] You have booted with nomodeset. This means your GPU drivers are DISABLED
Mar 10 19:42:14 turing kernel: [ 0.181862] Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly
Mar 10 19:42:14 turing kernel: [ 0.181862] Unless you actually understand what nomodeset does, you should reboot without enabling it
It's a virtual machine which does server tasks. Anything more than 80x25 VGA
text mode is pure overkill. It's currently the default card in qemu (Cirrus
CLGD 5446 PCI VGA card), I could try the virtio VGA card to see if that saves
on memory/cpu.
In checking recent logs I noticed several tries to find SMTP authentication
credentials. Most notable is that anything that vaguely resembles something
that might be an SMTP account is tried. Including plussed e-mail addresses
and information from SIP urls.
I used the raspberry pi in the shed to do a wifi scan, to get an idea of
the usage of the 2.4 GHz wifi band as seen in the shed.
This finds 18 to 22 networks, with our own network not as the strongest
network. As you can imagine most channels have multiple networks on them.
And the overlap in wifi channels makes this worse: the networks on channel
2 see interference from those on channel 1.
From the list of networks, with names and address information removed, just
leaving signal strength and channel / frequency:
This is a right mess. If I ever want reliable wifi in the back garden/shed
I will have to have an extra access-point there. This option of having wireless
vlan(s) available in the shed has influenced the
choice in switch for the shed.
Hello, how are you? I know, it is unpleasant to start a conversation
with bad news, but I have no choice. A few months ago I gained access to
the devices you use to browse the internet. After that I was able to
trace all your internet activities. Below you can read how I managed this:
First of all I bought access to multiple e-mail accounts from hackers
(nowadays that is a piece of cake to do online). After that I could very
easily log in to your e-mail account (xxxx@example.com). A week later I
installed a Trojan virus in the operating systems of all the devices you
use to open and read your mail. To be honest that was quite simple
(because you open the links from your inbox mails).
The bitcoin address the 1790 euro should go to is 1AJcoDsSGe9teEfzSMicXprJFae7729J5y.
Update 2022-02-26:
Saw the same spam once more with bitcoin addresses
1AJcoDsSGe9teEfzSMicXprJFae7729J5y and
1DfSBC5xbeswbXingkkf3i6VyQwYb8kYGh.
I want to know if something goes wrong but with the number of (virtual) servers
here at home it is not possible to check all logs constantly. So the main
machines use logcheck to find the interesting error messages and the rest gets
filtered out.
Ideally that leaves no messages, but I do want to know about patterns that
indicate attacks so I do get messages constantly about ssh attack attempts
and weird nameserver requests or misconfigured nameserver responses.
Recently I've been checking the resulting reports again carefully and noticed
some more patterns that could be filtered. And I found two misconfigurations
that I solved. Normally those misconfigurations would drown in the noise of the
log, only to be found if I was looking for something else. Now it started to
stand out after filtering out a lot of messages that are to be expected.
In the project to upgrade the connectivity to our shed
I ordered a switch with sfp slots: a netgear GS310TP. The choice is to have
the same brand as in other places in the network so I can select compatible
SFP modules easily. With this switch I also have vlan support so I can have
a wifi access point in the shed if I want.
As I'm trying to make more morse contacts the 'easy' way is to participate in
contests in morse. Last weekend was the ARRL DX CW contest and I heard quite a
bit of contest morse on the 20 meter band. I tried a few contacts and after two
contacts got the reply 'USA ONLY'. So I looked up the
ARRL DX contest rules and found out
that indeed for non-US/Canada stations only contacts with US/Canada are valid.
Since I didn't hear any stations from that area in the late afternoon I left it
at that. But in the early evening after the sun goes down but before the
propagation on 20 meters dies down completely it is possible to make contacts
with North America. So on Saturday and Sunday evening I used that 'window' to
get several stations in the log. If these get all confirmed I should get
several new US states in morse.
It was also good practice in decoding callsigns and return information in
morse with noisy conditions.
Raw Score: 84 Qpts x 16 Mults = 1344.
The objective for this contest is to expand knowledge of DX propagation,
so I already met that objective with fine-tuning my operating window to have
a good opportunity to work US stations in morse.
Since November 2021 I have been running DKIM with sendmail.
First for a test domain, later also for the main domain sending e-mail.
I directly added a DMARC record with options to notify me of spf/dkim errors. I
have seen a few reports of fake mail injected but most reports were about
valid mail. For a long time google kept sending reports about dkim errors
but I couldn't find out why. After I added the option to receive debug
information this problem did not come back, so I'm not sure whether I fixed
this.
Today I sent something to a mailing list and got a debug report instantly.
Somewhere after the mailing list software had changed the body of my message
(it stripped the pgp signature and noted this) a mail server checked the
DKIM headers and found out the body signature was wrong. Indeed. Mailing
lists and DKIM/SPF are complicated.
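An added example (not code from this site or from any mailing list software) that ties together the two mailing list notes above: the DMARC failure reports after posting to a list, and the DKIM body signature breaking once the list stripped the PGP signature. It recomputes the DKIM body hash before and after a list edits the body and evaluates DMARC alignment for four deliveries. Assumptions: the domains and message bodies are constructed, 'sender rewriting' is modelled as the list putting its own domain in the From header, a signature counts as verified when the body hash still matches, and the organizational domain is approximated by the last two labels.

```python
import base64
import hashlib
import re

# Constructed sample data: placeholder domains and bodies, not taken from the page.
AUTHOR, LIST = "author.example", "lists.example"
SIGNED_BODY = b"My reply to the thread.\r\n\r\n--signature block (constructed)--\r\n"
LIST_BODY = (b"My reply to the thread.\r\n\r\n[signature removed by list software]\r\n"
             b"_______\r\nlist footer (constructed)\r\n")


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization from RFC 6376 section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, then drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)   # an empty body stays empty


def body_hash(body: bytes) -> str:
    """The value a verifier recomputes and compares with the bh= tag (SHA-256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def org_domain(domain: str) -> str:
    """Assumption: last two labels. Real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_result(from_domain, spf_pass, mail_from_domain, dkim_sigs):
    """DMARC passes when SPF or DKIM passes AND that domain aligns with From.

    dkim_sigs is a list of (d= domain, signature_verified) tuples.
    """
    spf_aligned = spf_pass and org_domain(mail_from_domain) == org_domain(from_domain)
    dkim_aligned = any(ok and org_domain(d) == org_domain(from_domain)
                       for d, ok in dkim_sigs)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if spf_aligned or dkim_aligned else "fail"}


def deliver(received_body, from_domain, mail_from_domain, signatures):
    """Evaluate one delivery at the final receiver.

    signatures: list of (d= domain, body as the signer hashed it). Assumptions:
    a signature verifies when the body hash still matches (signed headers are
    taken as untouched), and SPF passes for the envelope domain because every
    hop sends from a server that its own domain authorises.
    """
    wanted = body_hash(received_body)
    dkim = [(d, body_hash(signed) == wanted) for d, signed in signatures]
    return dmarc_result(from_domain, True, mail_from_domain, dkim)


def scenarios():
    author_sig = (AUTHOR, SIGNED_BODY)
    return {
        # Straight from the author's server to the recipient.
        "direct": deliver(SIGNED_BODY, AUTHOR, AUTHOR, [author_sig]),
        # List keeps From, uses its own envelope sender, and edits the body.
        "list, body changed": deliver(LIST_BODY, AUTHOR, LIST, [author_sig]),
        # List keeps From and leaves the body alone: the author's DKIM survives.
        "list, body untouched": deliver(SIGNED_BODY, AUTHOR, LIST, [author_sig]),
        # List rewrites From to its own domain and signs the edited message.
        "list, From rewritten": deliver(LIST_BODY, LIST, LIST,
                                        [author_sig, (LIST, LIST_BODY)]),
    }


if __name__ == "__main__":
    print("bh= as signed :", body_hash(SIGNED_BODY))
    print("bh= after list:", body_hash(LIST_BODY))
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

In the From-rewritten case the message passes on the list's own domain, so the receiver applies the list domain's DMARC policy and not the author's.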
Practising morse has happened! Just no exam yet, but that is mainly due
to the current circumstances
Satellite contacts: none.
Morse and phone in contest: yes!
New qsl cards ordered and in use
And the plans for 2022:
More and more morse, and that exam. There is an exam date now and it will
be possible to get the wanted 'CW included' on my radio amateur identification
Again satellites
In contests: try to get more morse and phone contacts.
Use the better propagation to get contacts on different bands
More detailed statistics over 2021
And I had to check my own notes again how I got these numbers last year, so I'm
adding the SQL queries I typed at the MySQL/MariaDB client. With the database
behind cqrlog available I can make all kinds of queries.
By month
The influence of months with (digital) contests isn't as strong as in
previous years.
Today I tried to sign a key with my work PGP key, and after lots of tries the
conclusion was that my 2006 work PGP key was too infected with SHA1 signatures
that I couldn't remove, so I created a replacement work PGP key. Even a
signature for the new key with the old key was rejected.
So the new work key:
pub rsa4096/0x36FF19C6159C0262 2022-02-15 [SC] [expires: 2027-02-14]
Key fingerprint = 1401 EE9F 25AD 23F1 C299 FD07 36FF 19C6 159C 0262
uid [ultimate] Koos van den Hout <k.vandenhout(at)uu.nl>
uid [ultimate] Koos van den Hout <koos(at)surfcert.nl>
sub rsa4096/0x918F8E7A170EA93E 2022-02-15 [E] [expires: 2027-02-14]
I also signed it with my personal key, and I will try to get more signatures
for the new work key to make things work better. Available at
PGP key 0x36ff19c6159c0262.
There you will see I also signed it with my old work key 0x42216fe29ee949cf
but since that signature is also a SHA1 signature the new gpg implementation
immediately rejects it. So I should get some signatures from people who have
relatively new PGP keys. I've been using PGP since 1993 (29 years now!) and
I can see the developments in PGP over the years in my keys.
In the process I noticed one Thunderbird installation insists on managing
PGP keys completely and the other doesn't. Searching for the reason I
eventually found Use Thunderbird 78 with System GnuPG Keyring
and I made sure the option mail.openpgp.allow_external_gnupg was set
to true.
Last weekend was the same as in 2021: the PACC and the CQ WPX RTTY contest in one weekend.
Since the CQ WPX RTTY contest is 48 hours and the PACC contest is 24 hours
I participated in both. Not for 48 hours, I had a normal weekend otherwise.
In the end I made 106 contacts in the CQ WPX RTTY contest. 50 contacts on the
40 meter band and 56 contacts on the 20 meter band.
Last weekend was the weekend of the Dutch PACC contest,
'our' contest organized by the Veron. Open for radio amateurs from all over
the world, making contacts with Dutch radio amateurs especially interesting.
I decided to only do morse in the PACC this year, to get the practice with
contest-speed morse and maybe improve the number of countries with morse I
have in the logs. In the end I made 43 contacts. The report:
The current fiber to the shed network
is working fine but only gives the Raspberry Pi based NTP server network at a
speed of 100 mbit.
The link is working fine but the next device with network problems due to
unreliable wifi is showing up: the solarpanel inverter in the shed is sometimes
unreachable for my
solar inverter monitoring using modbus/tcp
and that means I 'miss' measurements. The proprietary monitoring that
solaredge does can deal with interruptions in reachability and upload older
data, but the modbus/tcp monitoring I use can only access real-time data.
My first plan was to look at industrial switches because of the extended
temperature and humidity ranges in the shed. But having both 'industrial' and
'sfp slot' costs a lot of money.
My next thought is to put all the possibly sensitive electronics in one case
and hope the temperature and humidity inside that case stay within a reasonable
range. This thought is based on the fact that the Raspberry Pi based NTP
server functions fine in a not very closed wooden box without being affected by
temperature or humidity.
There is a lot of special beer available in the Netherlands too. I checked
what was available in the local supermarket and found this one:
Brand krachtig blond.
By colour it is indeed a blonde beer, but by taste it was quite hoppy, almost
like an IPA.
I haven't done anything with NFC in ages. Almost three years ago I
dug up my knowledge again and learned about UID changeable cards
and before that the last real digging into RFID was 11 years ago:
Interesting development with the magna carta rfid card.
Anyway, my interest is renewed due to several factors, with "just looking for
something to learn about and enjoy the process" as main one. As a first step I
dug up my trusty touchatag reader and the collection of RFID tokens/cards. The
touchatag reader still doesn't see any of the collected ski passes so I guess
those are for other frequencies.
The collection of RFID tokens includes a number of one-use public transport
tickets. Those are based on Mifare Ultralight "MF0ICU1" according to NXP
TagInfo. The little bit that annoys me is that NXP TagInfo manages to list the
transport company and the transaction date/time while I can't find any listing
of the fields in a Mifare Ultralight for transport use online on a first
search. Later searches (see below) give a lot more!
So I have to do some digging myself. And maybe get a few more recent
one-time-use public transport tickets to get an idea.
As the UBA PSK63 is the first radio contest I participated in after the start of
my HF career in 2015 I decided not to miss it this year and get some contacts
going. My first article about the UBA PSK63 contest:
Playing in a radio contest.
Last weekend was the 2022 edition of this contest and I participated on
Saturday and Sunday. The bands didn't seem as full with PSK63 signals as I
have seen them in other years. Most remarkably the PSK63 traffic seemed gone
late Saturday evening. When I tried again at the end of Sunday morning the
traffic was back. Returned serial numbers suggested stations with more time
and/or better reception could get enough contacts in the log.
In the end I made 74 contacts. I started on the 20 meter band on Saturday
afternoon, switched to 40 meter after dark. Late in the evening I tried
to make a few more contacts but saw only a few other stations on 40 meter.
On Sunday I resumed in the 40 meter band and made a number of contacts there.
In the last hour of the contest I switched back to 20 meter in the hope of
finding a lot of new calls there but only one new call showed up, the rest was
in the log already. So I squeezed out a last few contacts on 40 meter before
the end of the contest. I may have switched back to 40 meters a bit too fast
according to the rules of the contest, I'll see what happens.
Anyway, a good contest. I see a few things to improve in how I participate in
digimode contests that aren't really huge: better timing, especially trying
to get more contacts during daylight hours on higher bands.
I have been learning morse for a very long time, and the latest development is
that it will not be possible to get the 'CW not included' on the card from
Agentschap Telecom, which identifies me as a licensed radio amateur, changed
into 'CW included'. That was quite a setback, but I turned that energy into an
article about our experiences. Maybe it will still lead somewhere to a route
for solving this after all.
Besides that, I notice that writing is fun. Maybe I should write about more
subjects that keep me busy.
I made the illustration with the article showing 'CW not included' and
'CW included' on the cards myself (a composition of photos of cards); the
illustration with the certificates was made by Frank van der Pol PE2A.
The article was published at België-route voor “CW included” niet meer mogelijk - Veron A08 Centrum
and also shared on social media: België-route voor “CW included” niet meer mogelijk @pi4utr.
Also on the zendamateur.com forum: Morse examen in België niet meer mogelijk.
There an answer came that the step via the Belgisch instituut voor
postdiensten en telecommunicatie (BIPT) can be skipped, so we are going to
try that route.