News items for tag rant - Koos van den Hout

Vandaag kwam ik een artikel tegen Generaals b.d. Van Uhm en De Kruif beginnen podcast over oorlog en het leek me wel leuk om deze podcast eens te beluisteren.

Alleen geeft het artikel daar bijzonder weinig informatie over. Het enige wat er te vinden is:

De eerste aflevering van Veldheren wordt vrijdag op Spotify en Apple Podcast gelanceerd.

Maar ik wil allebei niet gebruiken om de podcast te beluisteren, ik wil deze podcast gewoon beluisteren in mijn podcast speler, te weten op dit moment 'Pocket Casts'. Zoals Dave Winer aangeeft in Podcasts are feeds - Dave Winer Scripting News is iets pas een podcast als het een RSS feed heeft. Dus ik zoek een URL van de RSS feed van deze podcast, dan kan ik de podcast toevoegen.

Diverse zoekopdrachten geprobeerd, en uiteindelijk kom ik terecht op Veldheren bij podcast24.nl / podcast24.co.uk waar nog steeds geen feed informatie staat. Maar de URL van de feed is wel uit de source te halen, omdat de podcast24.nl site ook gewoon op de feed gebaseerd is, maar dat zelf niet laat zien. In de source van de pagina zit nog informatie uit de feed en iets wat op een gemangelde url lijkt:

url:"https:\u002F\u002Frss.art19.com\u002Fveldheren"

En als ik daar eens aan snuffel lijkt het er wel op te gaan lijken:

$ curl -kI https://rss.art19.com/veldheren
HTTP/2 200 
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
last-modified: Thu, 23 Feb 2023 14:50:22 GMT
cache-control: max-age=45, public
content-type: application/rss+xml; charset=utf-8
content-md5: NpD8EsLUoeqYLrvKp3UmZQ==
via: 1.1 haproxy, 1.1 varnish, 1.1 varnish
fastly-restarts: 1
accept-ranges: bytes
date: Thu, 23 Feb 2023 19:55:49 GMT
age: 0
x-served-by: cache-ams12743-AMS, cache-ams21063-AMS
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1677182149.621644,VS0,VE843
vary: Accept, Accept-Encoding, Accept-Language, Authorization,User-Agent,Origin
server: Fastly
strict-transport-security: max-age=300
content-length: 7164

application/rss+xml is het gewenste mime-type! En inderdaad als ik het bestand ophaal en inkijk:

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:art19="https://art19.com/xmlns/rss-extensions/1.0" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0/" version="2.0">
  <channel>
    <title>Veldheren</title>
    <description>
      <![CDATA[<p>Veldheren is een podcast waarin twee ..

Het zou toch prettig zijn als het vinden van een podcast buiten spotify of apple om niet een halve hack is.

Verder weggestopt in de zoekresultaten, achter allerlei nieuwsartikelen die braaf hetzelfde herhalen kom ik uiteindelijk terecht op Veldheren podcast - Part of Corti Media Network waar wel verwijzingen naar de RSS feed staan, zowel in de pagina als in de metadata. Het kan wel, het is alleen nogal ondergesneeuwd.

I run a desktop and a laptop with Ubuntu and both were at Ubuntu 20.04. The desktop is mostly used for things with amateur radio so I wanted to check whether anything broke on that upgrade. With the 18.04 to 20.04 upgrade I had to do some recovery to get the databases behind cqrlog working again,

Time to upgrade the laptop first with the same amateur radio software installed, configured and tested: cqrlog, wsjt-x, fldigi.

The whole do-release-upgrade took more than an hour. And it's still possible that somewhere during the upgrade process the user gets prompted whether or not to change a configuration file, so I came back after a few hours to a system with a prompt and not finished with the upgrade.

The upgrade told me firefox would be changed from an installed package to a 'snap'. The downside for me was that after the first start firefox thought it was a completely new browser with no history/bookmarks/settings. Maybe this was because the start of firefox was triggered by thunderbird starting and wanting to show me a page about donating. Restarting firefox didn't make the old profile show up again. With a bit of searching I found that firefox should import old non-snap settings when started as a 'snap' for the first time. So I stopped firefox, threw out the whole ~/snap/firefox directory and started it again. This time settings/bookmarks/cookies/history were imported.

Next step was to test cqrlog. There is no cqrlog build for ubuntu 22.04 yet, but the build for 20.04 works. All previously logged data was available fine. The upgrade of ubuntu has upgraded hamlib which means the radio IDs got renumbered, I had to update the settings to the new radio ID.

Silencing Ubuntu Pro adverts

In regular maintenance I noticed this gem:

$ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  libimage-magick-perl imagemagick libjs-jquery-ui libopenexr25
  libmagick++-6.q16-8 libmagickcore-6.q16-6-extra libimage-magick-q16-perl
  libmagickwand-6.q16-6 imagemagick-6.q16 libmagickcore-6.q16-6
  imagemagick-6-common
Learn more about Ubuntu Pro at https://ubuntu.com/pro
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

which is no better than an advertisment for Ubuntu Pro. Which is a new service by Canonical offering longer term support (10 years) and support for not just "Main" (which is what you got with Ubuntu before) but "Main" and "Universe". Ubuntu Pro costs a registration for private use at the moment. So 'The following security updates require Ubuntu Pro' isn't completely honest. But then again, it's advertising.

Anyway, I don't want to see this every time I check for updates. I searched for a solution, The following security updates require Ubuntu Pro with 'esm-apps' enabled - reddit.com r/linux

$ cd /etc/apt/conf.d
$ sudo mv 20apt-esm-hook.conf 20apt-esm-hook.conf.disabled
$ sudo touch 20apt-esm-hook.conf
$ sudo chattr +i 20apt-esm-hook.conf

I noticed lots of kernel modules for filesystem support were loaded after running update-grub. This was caused by running os-prober which searches for possible operating system installations on all partitions of the system.

On virtual and physical machines that only run linux and will never run anything else unless I am really changing something this only takes time and uses resources, so I searched for how to disable this. So now there is a line in /etc/default/grub:

# don't look high and low for other operating systems
GRUB_DISABLE_OS_PROBER=true

But now update-grub thinks it is necessary to warn me every time...

# update-grub
Generating grub configuration file ...
[..]
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done

I know it will not be executed, I added it on purpose. It's not very likely I added GRUB_DISABLE_OS_PROBER=true by accident not knowing what I was doing. Stop nagging me about it. If I didn't know what I was doing on a computer I wouldn't be configuring linux distributions.

Recently I wanted to have the option to install ubuntu on a PC so I created a USB stick with dd. It worked fine and in the end the existing ubuntu on the PC worked ok and could be upgraded and made available again.

So I wanted to revert this USB stick to the normal filesystem that both Windows and Linux can read and write. This turned out to be more difficult than I expected! First I thought Windows could revert the USB stick to a usable state but this turned out to be impossible. I tried on three Windows 10 systems with admin accounts, but none of them were able to create a usable partition and filesystem! The best result I could get was an error something couldn't be started to format the partition, but without any explanation what couldn't be started. Things that were once perfectly doable under MS-DOS are now impossible.

Back to linux to try and find the right partition type and filesystem options to get access again. I could do a lot of things in linux, but I failed to find the right settings that Windows would see as usable storage.

I shared my problems on irc and someone there had the following list of commands to fix this problem:

dd if=/dev/zero of=/dev/sdd bs=1M count=1
parted /dev/sdd mklabel msdos
parted /dev/sdd mkpart primary fat32 1 100%
mkdosfs /dev/sdd1

Which needs to be adjusted for the right device node. Use at your own risk! But indeed after these commands both Windows and Linux were perfectly capable of writing and reading the USB stick.

If you're bored enough to look at the sources for my webpages you'll notice I make a lot of use of

<base href="https://idefix.net/~koos/">

This changes the base for all relative urls from https://idefix.net/ to https://idefix.net/~koos/ because my whole site is based on being in my userdir, but https://idefix.net/ is the easy url.

I use a lot of relative urls for local things because why make them longer. And this eases developing and debugging on the developer site.

All browsers support the 'base href' meta tag, but some bots ignore it. And there has been a case a few years ago where a bug in one script made all urls seem 'below' other urls. The net result is that my logs are currently filled with entries like:

[11/Jan/2023:17:09:34 +0100] "GET /~koos/irregular.php/morenews.cgi/2022/newstag.cgi/morenews.cgi/draadloosnetwerk/morenews.cgi/newsitem.cgi/morenews.cgi/morenews.cgi/newstag.cgi/asterisk/morenews.cgi/morenews.cgi/morenews.cgi/morenews.cgi/morenews.cgi/morenews.cgi/morenews.cgi/morenews.cgi/newstag.cgi/newstag.cgi/kismet/morenews.cgi/newstag.cgi/newsitem.cgi/morenews.cgi/morenews.cgi/2023 HTTP/1.1" 410

all those entries seem for http:// versions of the urls so I now adjusted the http to https redirect function to stop at urls that look like ^\/~koos/irregular.php\/.+\.cgi to give a status 410 immediately.

This 'saves' a bit of traffic because it never gets the redirect to the https version.

While checking this I see multiple stupid bots, like:

35.209.99.100 - - [11/Jan/2023:17:02:14 +0100] "GET /homeserver.html HTTP/1.1" 404 972 "-" "Buck/2.3.2; (+https://app.hypefactors.com/media-monitoring/about.html)"

This one clearly doesn't parse the base href tag.

In August 2022 I received a report of a cross-site scripting vulnerability in The Virtual Bookcase and the reporter of the vulnerability never replied after I told him there was no financial reward for reporting bugs.

In November the bug report became public at openbugbounty: virtualbookcase.com Cross Site Scripting Vulnerability Report ID: OBB-2858037 - Open Bug Bounty so this confirms my theory of what the vulnerability was. Which I have fixed, but this isn't visible at openbugbounty.

In this case the vulnerability wasn't severe and with the little amount of information I had from the report plus the access logs I was able to fix it. But in other cases the vulnerability may be more complex and the site-owner who deals with a report like this can't just analyze the logfiles to get an idea of where the vulnerability might be.

I don't think the world becomes a safer place if information about vulnerabilities is only available if you pay for it.

The About the Project of the Open Bug Bounty project seems to promote actual 'bounty':

A website owner can express a gratitude to a researcher for reporting vulnerability in a way s/he considers the most appropriate and proportional to the researcher's efforts and help.

As a matter of example, Google pays from $7,500 to $100 per XSS vulnerability submitted by security researchers. But Google is Google, you may adjust your remuneration range to any amounts comfortable for you.

At the same time demanding a bounty before disclosing the bug is not ok on this platform. From the same 'About' page:

We always encourage the researchers to be respectful, responsive and polite, to provide website owners with all reasonable help and assistance.

If a researcher violates the enacted standards of ethics and good faith including but not limited to:

• demanding remuneration to delete a submission
• demanding remuneration to disclose vulnerability details

such submissions will be immediately deleted from our platform.

I hope the next vulnerability disclosure causes less irritation.

Ik kreeg vandaag een phishing mailtje gericht aan:

Cher(ère) client(e) Maes-Swerts/A.,

Votre abonnement Proxumis a été suspendu, car vous avez fait opposition à un règlement de dette. Tant que le problème n'a pas été résolu, vous ne pouvez utiluser aucune de vos services proxumis.

De resulterende pagina wil een credit-card betaling. Dus verzamelt gewoon credit-card gegevens. Ik zou me bijna afvragen hoe snel er fraude komt als ik daar echte gegevens invullen. Ik denk dat het in de orde van minuten is, maar dat wil ik niet testen.

De spam voor 'Maes-Swerts/A.' is nu al meer dan 10 jaar bezig!

Eerder, eerder, eerder, eerder, eerder, eerder, eerder de originele ontdekking in 2012.

Our child plays minecraft regularly. The start was with the Microsoft minecraft edition but recently the java edition became available too without paying again.

I have set up the bedrock server for the Microsoft minecraft edition to make it possible to play with other people outside the house. So the most recent request was to do this for the java edition too.

I don't know much about minecraft but I can do enough with just some websearching and finding a howto. So I started with How to Set Up a Dedicated Minecraft Server on Linux which seems to be a way to try to sell dedicated servers but I have enough server hardware here at home so I just used the same virtual machine which ran the minecraft bedrock server.

It turned out the default-jdk resulted in openjdk-11 getting installed and this resulted in not being able to run the latest minecraft java server. I switched to openjdk-17-jre-headless because I only need the runtime and I never want to run the graphical stuff, so that saved a lot in needed libraries and other overhead.

The server started fine, but the minecraft java edition couldn't connect to it when trying to connect by name, but gave no usable error message. That's a different rant. I checked on the server side and saw the listening socket in dual-stack mode.

With tcpdump I soon found out the minecraft java edition starts with the IPv4 address and gives up when that fails. The solution was to remove the IPv4 address (A record) from the name, flush the dns cache and after that it worked. This does mean that when friends want to connect that are behind ISPs that only support legacy Internet addresses they will have a different problem.

After receiving another mail in the mail exchange that made me note Microsoft outlook.com wasn't blocking my mailserver anymore we're back right in the same spot:

   ----- Transcript of session follows -----
... while talking to outlook-com.olc.protection.outlook.com.:
>>> MAIL From:<***** .at. idefix.net> SIZE=2035 BODY=7BIT
<<< 550 5.7.1 Unfortunately, messages from [45.83.232.134] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [BN8NAM11FT026.eop-nam11.prod.protection.outlook.com]
554 5.0.0 Service unavailable

Aaargh. I thought it wasn't broken anymore. Utterly unreliable stuff at Microsoft.

And I'm back to having to use SMS to explain to very non-technical people why their mail isn't getting through: because they are using outlook.com.

Update 2022-06-13
As a workaround I am now using SMTP2GO to send mail to outlook.com and hotmail.com. SMTP2GO does interesting things (even in a free account) to get the mail delivered and keep their mail 'reputation' in the plus. I hate having to use such a service to get my mail delivered but this is one of those signs that Internet e-mail has been demolished by spammers.

Recently I tried to contact someone with an outlook.com address and it went fine. So it seems the really annoying block I ran into earlier is gone. I still get enough spam from/via outlook.com so I'm still not convinced the spamfiltering at outlook is working very well but that's a different rant. The incoming block is now gone.