SIDEBAR
»
S
I
D
E
B
A
R
«
Silent browser redirect on invalid certificate
Nov 15th, 2018 by miki

Hit an odd browser behaviour today.

Trawling through some of those nice and dandy terms for a service (no I won’t tell) I followed a link and suddenly hit an “insecure connection” message from Firefox.

Examining the certificate using the usual “openssl s_client” and “openssl x509” tools surely enough revealed that the served certificate didn’t include the second-level but only on the third-level www sub-domain. Strangely enough I discovered that when entering the same URL directly into the address bar of Firefox the connection was somehow redirected to the www sub-domain and loaded fine without any complaints from Firefox.

Looking into what was happening on the wire using wget directed to not check the certificate (–no-check-certificate) and displaying server responses (–server-response/-S) revealed that the server behind the misconfigured certificate was aiming to issue a HTTP 301 redirect to the valid www sub-domain of the site (actual site replaced by foo.bar and localhost ip);

$ wget –server-response –no-check-certificate –output-document=/dev/null https://foo.bar
–2018-11-15 18:59:14– https://foo.bar/
Resolving foo.bar (foo.bar)… 127.0.0.1
Connecting to foo.bar (foo.bar)|127.0.0.1|:443… connected.
WARNING: no certificate subject alternative name matches
requested host name ‘foo.bar’.
HTTP request sent, awaiting response…
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.foo.bar/
Date: Thu, 15 Nov 2018 17:59:13 GMT
Content-Length: 152
Location: https://www.foo.bar/ [following]

Apparently Firefox’s behaviour in this scenario differs depending on the method in which the user is supplying the URL, in some cases silently ignoring the TLS/SSL warning. A little more experimentation revealed that it was actually not the source of the URL, link followed versus one entered in address bar, that made any difference. Instead it is the presence of a trailing slash on the URL that triggers the silent suppression of the serious red flag that the second-level domain asked to be fetched is not present in the served certificate. I was fooled by the fact that when entering URLs in the address bar Firefox suggests ending the URL on a slash (‘/’) if it is not already present. Manually removing this when editing in the address bar also makes Firefox display the security warning. Alas, the link I originally followed was also missing the trailing slash and behaved as expected by throwing me into a security warning.

The whole “feature” of silently ignoring a security issue seemed very odd to me, but a bit of searching revealed that this was apparently championed by Google Chrome a couple of years ago. It is described in this servertastic post which also directs to a discussion on Twitter, with some key points replicated below, about its presence in Chrome and confirmation from a Chrome team member that the behaviour is intended.

The thread ends with a guy who had dug up the source code of the feature in Chromium (on which Chrome is based) known as “SSLCommonNameMismatchHandling” in file browser/ssl/common_name_mismatch_handler.cc (see all mentions across code base).

This has obviously also trickled down into Firefox, however, not much mention of that is to be found. Not even traces of it by some quick searches of the mozilla-central codebase. Some day I promise (really!) to dig through all source of Mozilla and hunt down the implementation, but for now I’ll revert to a bit of practical experimentation showing the behaviour in the different browsers and operating systems I happen to have access to at the moment;

  • Ubuntu 16.04
    • Firefox 62.0.3: warning, with trailing ‘/’: No warning
    • Chromium 69.0.3497.81: no warning, with trailing ‘/’: no warning
  • Windows Server 2016
    • Firefox 62.0.2: warning, with trailing ‘/’: no warning
    • Google Chrome 70.3538.102: no warning, with trailing ‘/’: no warning
    • Internet Explorer 11.2580.14393.0: warning, with trailing ‘/’: warning
  • Windows Server 2008
    • Firefox 59.0.3: warning, with trailing ‘/’: warning
    • Google Chrome 70.3538.102: no warning, with trailing ‘/’: no warning
    • Internet Explorer 11.0.9600.19080: warning, with trailing ‘/’: warning

So somewhere between 59.0.3 and 62.0.2 Firefox also implemented a policy of silently accepting invalid certificates when certain non-obvious criteria is met (is the redirect actually followed and certs checked, or is “www.” just prefixed?), but this happens only when the URL ends on a slash. Go figure…

Havfrue: A Googol-sized Mermaid Facing the Book
Oct 5th, 2018 by miki

Europe, Denmark and my local neighbourhood of Western Jutland is going to get its connectivity boosted by the Havfrue transatlantic cable system being built by a consortium consisting of Google, Facebook, Aqua Comms and Bulk Infrastructure. To quote the announcement done by Google;

To increase capacity and resiliency in our North Atlantic systems, we’re working with Facebook, Aqua Comms and Bulk Infrastructure to build a direct submarine cable system connecting the U.S. to Denmark and Ireland. This cable, called Havfrue (Danish for “mermaid”), will be built by TE SubCom and is expected to come online by the end of 2019.
Google blog post, 2018-01-16

Digging into the details first reveals the projected trench as illustrated in below by some of the stakeholders;

Havfrue cable, cloud.google.com

Projected trench of the Havfrue cable as illustrated by cloud.google.com.

Havfrue cable, te.com

Projected trench of the Havfrue cable as illustrated by TE SubCom.

Projected layout of the Havfru cable.

Projected trench of the Havfrue cable as illustrated by submarinecablemap.com.

 

 

More digging into the Danish parts reveals that most sources mention Blåbjerg (Blaabjerg) as the Danish landing point for Havfrue (just as TAT-14), although ComputerWorld DK (see Press Coverage below) relays the information that it will land at Endrup (where COBRAcable is terminated). However, a FCC application dated 2018-05-25 SCL-00214S (pdf) refers to it as the “Havfrue system” and specifically states that a new cable landing station will be constructed in Blaabjerg (as well as in Leckanvy, Ireland and Kristiansand, Norway);

The Havfrue system will consist of three segments. (1) The Main Trunk will connect the existing cable landing station at Wall, New Jersey with a new cable landing station to be constructed at Blaabjerg, Denmark. (2) The Ireland Branch will connect a new cable landing station to be constructed at Old Head Beach, Leckanvy, Ireland with a branching unit on the Main Trunk. (3) The Norway Branch will connect a new cable landing station at Kristiansand, Norway with a branching unit on the Main Trunk.
The application also reveals the following distribution of ownership and control of the main trunk (US<->DK);
  1. 33.333%
    • AEC2
    • Facebook (via Edge USA/Edge Network Services Limited)
  2. 16.667%
    • Google (via GU Holdings/Google Infrastructure Bermuda Ltd/affiliate)
    • Optibulk
Ownership of the Blaabjerg landing station will be jointly between the above via the corporations America Europe Connect 2 Denmark ApS (for AEC2) and Edge Denmark (for Facebook) but it will be operated by AEC2.
As a spin off of Aqua Comms’ involvment in the Havfrue system they are also connecting Esbjerg to the UK via a new cabled dubbed North Sea Connect.

Google is currently also projecting its own private subsea cables, some of the rationale behind their mixed private/consortium/lease approach are disclosed in blog post from 2018-07-17 announcing the Dunant cable, which is the first Google private transatlantic subsea cable projected to connect Virginia Beach and France.

Contractor/Supplier/Stakeholder Information

At Cable Map Sites

Danish Press Coverage

Other

 

Project Ember: name of a data center
Aug 20th, 2018 by miki

Taking a deeper look into the meta data of the document containing the Environmental Assessment (Danish: “miljøvurdering” shortened “MV”) and Environmental Impact Assessment (Danish: “miljøkonsekvensvurdering” or “vurdering af virkningerne på miljøet” shortened “VVM”) of the announced data center in Esbjerg reveals an interesting embedded title of the document which has not been carried out into other publicly used references.

The embedded PDF title of the document uses the “Project Ember” term which has not been indicated by other sources than articles in the JydskeVestkysten newspaper. The paper cite municipal sources but the municipality has not used the name directly in any of their communications.

The report authored by consultants COWI contains the following naming:

  • Official in text: “MILJØVURDERING (MV) OG MILJØKONSEKVENSVURDERING (VVM) – ERHVERVSOMRÅDE VED ESBJERG, AFGRÆNSNINGSRAPPORT
  • Filename of distributed PDF: “MV-VVM_afgrænsning.pdf
  • PDF meta data title: “Microsoft Word – Project_Ember_MV-VVM_afgrænsning_v.4.0.docx

Below a dump of the full meta data:

$ pdfinfo MV-VVM_afgr%c3%a6nsning.pdf
Title:          Microsoft Word – Project_Ember_MV-VVM_afgrænsning_v.4.0.docx
Author:         lojo
Creator:        PScript5.dll Version 5.2.2
Producer:       Acrobat Distiller 15.0 (Windows)
CreationDate:   Fri May 25 15:49:44 2018
ModDate:        Fri May 25 15:49:44 2018
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          25
Encrypted:      no
Page size:      595.22 x 842 pts (A4)
Page rot:       0
File size:      234728 bytes
Optimized:      yes
PDF version:    1.5

Hyperscale data center coming to Esbjerg
Jun 13th, 2018 by miki

2018-11-30 add a bunch of Local Press items, and archaeological section to Official Documentation
2018-10-04
add Local and National Press item about Amsterdam trip and announcing Facebook as the developer
2018-09-06
add Local Press item about downscaling and older national press, reorder press items (top=latest)
2018-08-19 add Local Press item and Official Documentation section about housing abandonment
2018-08-01
add Local Press item with letter to editor
2018-06-13
updated with 1 new local + 1 new national press, rewrite first paragraphs, mention project name, mention DDI trade association, mention investindk & havfrue cable
2018-06-12 initial commit

Project Ember?

The local media of Western Jutland, JydskeVestkysten, has spearheaded the coverage of an interesting technology related story over the last weeks. The Esbjerg municipality planning departments has started to reveal details of the preparations for the development of an industrial site on a large swath of land just outside of Esbjerg seemingly for the purpose of a hyperscale data center of the proportions employed by FANG sized (Facebook, Amazon, Netflix, Google) organizations. According to the media the project is by some municipal sources referred to as “Project Ember“. I have been unable to confirm this name from official documentation yet released or any other sources.

Neither the newly formed trade association named Danish Data Center Industry (DDI/DanishDCI) (in Danish: “Datacenter Industrien“) or the state’s Invest in Denmark office has brought any more light to the issue. The former has, however, tweeted a couple of times about it when it hit the national media and the latter has brought forward a vague hint that Western Denmark is an “attractive data centre hub“. I’m not in any doubt that this is partly driven by the announcement of the “HAVFRUE consortium“, which includes Facebook, that they intend to install a 108 Tb/s transatlantic cable crossing from New Jersey to Ireland and Esbjerg, as also announced by Invest in Denmark in January.

Below is an outline of the area in question (on an OpenStreetMap based map using the umap project) that I have drawn from the only geographical details yet leaked which is contained in the meeting agenda mentioned below. See also a visualisation of the area on a photo taken by local photographer Christer Holte.

I have collected links to all official documentation I have been able to locate and to press coverage below, and intend to keep updating this post as details is being revealed.

See full screen

Official Documentation

  • 2018-10-11: Sydvestjyske Museer (Museum of Southwest Jutland) has released an article about their preliminary findings (Google Translate’d) of the excavations done in the area.
    • Large parts is old heath without archaeological interest
    • In the eastern part remnants from Stone Age, Iron Age and WWII has been found
    • A complete predecessor of Andrup from around 0-200 AC has been found, parts of a later settlement from 200-800 AC has also been found, these are pending further investigations in 2019
  • 2018-05-28: Area mentioned in agenda/minutes for 2018-06-01 meeting in Municipal Technical & Construction committee (Teknik & Bygge-udvalg)
    • Details in item 7 “Closure of public and private roads in Andrup” (Danish: “Nedlæggelse af offentlige og private fællesveje ved Andrup”), p. 14-16 (case referred to as “Dok.nr.: 11186”, “Sagsid.: 18/12587”)
    • Area is referred to as “a contiguous area laid out for commercial purposes
    • Includes map with outline of area
    • Suggests public roads being closed for cars, new cycling paths being constructed passing North of area
    • Approved by the committee
  • 2018-06-01: Public hearing announced (Google Translate’d) (original) about changed use of the area
    • Hearing closes 2018-06-15 (14 day period)
    • Accompanying report about environmental impact (VVM) discloses even more details
      • Area referred to as used for “establishing of extraordinary space consuming commercial entity near Esbjerg in the form of a data center” (ch. 2, p. 8)
      • Total area: 250 ha = 2’500’000 m2 (1 hectare = 10’000 m2) (ch. 2.2, p. 8)
      • Building area: “Current project entails approx. 250’000 m2 under roof with 200’000 m2 data warehouses and  50’000 m2 administration, logistics and service buildings, in addition to one or two 150 kV high voltage substations, each of approx. 30’000 m2 and diesel emergency power facilities of 6’500 m2” (ch. 2.3, p. 9)
      • Heat surplus: “Planning will leave open the possibility of reusing surplus heat produced at the facility, however no such plan exist at the moment” (ch. 2.3, p. 9)
  • 2018-08-07: Area mentioned in agenda/minutes for 2018-08-07 meeting in Municipal Planning & Environment committee (Plan & Miljø-udvalg)
    • Details in item 9 “Demolition of housing – Nordre Tovrupvej 21 and 26, Esbjerg” (Danish: “Nedlæggelse af boliger – Nordre Tovrupvej 21 og 26, Esbjerg”), p. 21-22 (case referred to as “Dok.nr.: 11768”, “Sagsid.: 18/20401”)
    • Requests that the committee approve liquidation and demolition of two current municipality owned rental houses in the area for the possible sale of the area for commercial purposes
    • Current inhabitants are willing to agree to voluntarily leave the rentals, but such formal agreements have not yet been established
    • Technical & Construction Committee assesses that the liquidation and subsequent sale of the aree will have a positive impact and is not outside current statutes
    • Approved by the committee

Local Press

National Press

International Press

HOWTO: restore an iPad using only Free Software
Feb 14th, 2018 by miki

Thanks to the fine people at the libimobiledevice project, who bothers to reverse engineer Apple products, I recently succeeded in resurrecting a relative’s iPad stuck in a boot loop (something with jailbreaking, running Sydia, missing an iOS update and attempted Sydia removal) without any use of proprietary tools.

This is a brief recipe of the procedure done using Ubuntu 16.04.

As the required tool from libimobiledevice, idevicerestore, is not packaged in the Ubuntu libimobiledevice package we need to build this from scratch from the sources.

iPad during recovery

iPad in recovery mode during firmware download using libimobiledevice

  1. Install build dependencies
    sudo apt install libusbmuxd-dev libplist-dev libplist++-dev libzip-dev
  2. fetch and build libimobiledevice main library
    cd
    git clone https://git.libimobiledevice.org/libimobiledevice.git
    cd libimobiledevice/
    ./autogen.sh
    make
  3. fetch and build libirecovery library
    cd
    git clone https://git.libimobiledevice.org/libirecovery.git
    cd libirecovery
    ./autogen.sh
    make
  4. fetch and build idevicerestore tool, using the homebuilt libraries
    cd
    git clone https://git.libimobiledevice.org/idevicerestore.git
    cd idevicerestore
    CFLAGS="-I$HOME/libirecovery/include -I$HOME/libimobiledevice/include" LDFLAGS="-L$HOME/libirecovery/src/.libs \
    -L$HOME/libimobiledevice/src/.libs" PKG_CONFIG_PATH=~/libirecovery:~/libimobiledevice/src ./autogen.sh
    make
  5. put the iDevice in recovery mode (iPad = press power+home until screen with “iTunes+cable” symbol appear, see image above and check Apple support for details), make sure it has adequate charge or it will refuse (red battery flashing)
  6. perform the actual restore, asking for flashing of latest firmware (~2.5GiB automatically downloaded), this will probably get you in trouble if you desire to jailbreak the device. I noticed while writing this post that the below actually doesn’t run the tool using the libraries built above, but I’m leaving it as it was done because it “worked for me” (TM) and I can’t experiment further because I haven’t got access to any iDevices (and desire to keep it that way):
    sudo $HOME/idevicerestore/src/idevicerestore --latest
    NOTE: using cached version data
    Found device in Recovery mode
    Identified device as j71ap, iPad4,1
    Latest firmware is iPad_64bit_11.2_15C114_Restore.ipsw
    Verifying 'iPad_64bit_11.2_15C114_Restore.ipsw'...
    Checksum matches.
    Extracting BuildManifest from IPSW
    Product Version: 11.2
    Product Build: 15C114 Major: 15
    INFO: device serial number is DMPM4V3SFK15
    Device supports Image4: true
    Variant: Customer Upgrade Install (IPSW)
    This restore will update your device without losing data.
    Using cached filesystem from 'iPad_64bit_11.2_15C114_Restore/058-86080-124.dmg'
    Found ECID 6653578882512
    Getting ApNonce in recovery mode... 03 6b cc ac 57 8a b4 29 29 c1 a9 fe e4 97 54 3b a8 36 59 5a 
    Trying to fetch new SHSH blob
    Getting SepNonce in recovery mode... df 5c ad 67 48 bd 38 b4 6f 72 0a 5c b0 81 87 c3 95 37 4a da 
    WARNING: Unable to find BbChipID node
    WARNING: Unable to find BbSkeyId node
    Request URL set to https://gs.apple.com/TSS/controller?action=2
    Sending TSS request attempt 1... response successfully received
    Received SHSH blobs
    Extracting iBEC.ipad4.RELEASE.im4p...
    Personalizing IMG4 component iBEC...
    Sending iBEC (710360 bytes)...
    Recovery Mode Environment:
    iBoot build-version=iBoot-4076.30.43
    iBoot build-style=RELEASE
    Sending AppleLogo...
    Extracting applelogo@2x~ipad.im4p...
    Personalizing IMG4 component AppleLogo...
    Sending AppleLogo (22709 bytes)...
    ramdisk-size=0x10000000
    Extracting 058-85997-124.dmg...
    Personalizing IMG4 component RestoreRamDisk...
    Sending RestoreRamDisk (59978774 bytes)...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component RestoreDeviceTree...
    Sending RestoreDeviceTree (101420 bytes)...
    Extracting kernelcache.release.ipad4...
    Personalizing IMG4 component RestoreKernelCache...
    Sending RestoreKernelCache (13226783 bytes)...
    About to restore device... 
    Waiting for device...
    Device 3fb0f5cc97b83c61c85d4b8333796d9e536a4c83 is now connected in restore mode...
    Connecting now...
    Connected to com.apple.mobile.restored, version 15
    Device 3fb0f5cc97b83c61c85d4b8333796d9e536a4c83 has successfully entered restore mode
    Hardware Information:
    BoardID: 16
    ChipID: 35168
    UniqueChipID: 6653578882512
    ProductionMode: true
    Starting FDR listener thread
    About to send NORData...
    Found firmware path Firmware/all_flash
    Getting firmware manifest from build identity
    Extracting LLB.ipad4.RELEASE.im4p...
    Personalizing IMG4 component LLB...
    Extracting applelogo@2x~ipad.im4p...
    Personalizing IMG4 component AppleLogo...
    Extracting batterycharging0@2x~ipad.im4p...
    Personalizing IMG4 component BatteryCharging0...
    Extracting batterycharging1@2x~ipad.im4p...
    Personalizing IMG4 component BatteryCharging1...
    Extracting batteryfull@2x~ipad.im4p...
    Personalizing IMG4 component BatteryFull...
    Extracting batterylow0@2x~ipad.im4p...
    Personalizing IMG4 component BatteryLow0...
    Extracting batterylow1@2x~ipad.im4p...
    Personalizing IMG4 component BatteryLow1...
    Extracting glyphplugin@2x~ipad-lightning.im4p...
    Personalizing IMG4 component BatteryPlugin...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component DeviceTree...
    Extracting recoverymode@2x~ipad-lightning.im4p...
    Personalizing IMG4 component RecoveryMode...
    Extracting iBoot.ipad4.RELEASE.im4p...
    Personalizing IMG4 component iBoot...
    Extracting sep-firmware.j71.RELEASE.im4p...
    Personalizing IMG4 component RestoreSEP...
    Extracting sep-firmware.j71.RELEASE.im4p...
    Personalizing IMG4 component SEP...
    Sending NORData now...
    Done sending NORData
    About to send RootTicket...
    Sending RootTicket now...
    Done sending RootTicket
    Waiting for NAND (28)
    Checking filesystems (15)
    Checking filesystems (15)
    Unmounting filesystems (29)
    Unmounting filesystems (29)
    Creating filesystem (12)
    About to send filesystem...
    Connected to ASR
    Validating the filesystem
    Filesystem validated
    Sending filesystem now...
    [==================================================] 100.0%
    Done sending filesystem
    Verifying restore (14)
    [==================================================] 100.0%
    Checking filesystems (15)
    Checking filesystems (15)
    Mounting filesystems (16)
    Mounting filesystems (16)
    About to send KernelCache...
    Extracting kernelcache.release.ipad4...
    Personalizing IMG4 component KernelCache...
    Sending KernelCache now...
    Done sending KernelCache
    Installing kernelcache (27)
    About to send DeviceTree...
    Extracting DeviceTree.j71ap.im4p...
    Personalizing IMG4 component DeviceTree...
    Sending DeviceTree now...
    Done sending DeviceTree
    Certifying Savage (61)
    Flashing firmware (18)
    [==================================================] 100.0%
    Updating gas gauge software (47)
    Updating gas gauge software (47)
    Updating Stockholm (55)
    About to send FUD data...
    Sending FUD data now...
    Done sending FUD data
    About to send FUD data...
    Sending FUD data now...
    Done sending FUD data
    Fixing up /var (17)
    Modifying persistent boot-args (25)
    Unmounting filesystems (29)
    Unmounting filesystems (29)
    Got status message
    Status: Restore Finished
    Cleaning up...
    DONE
  7. The iDevice should reset and boot into the new firmware.
iPad during firmware flashing using libimobiledevice

iPad during firmware flashing using libimobiledevice

If you want to interact with iDevices from within Ubuntu during ordinary use, you could also install some utils and plugins for that. Below will fx. add a context menu in nautilus with info about the iDevice and install the ideviceinstaller command line utility which can be used to administer installed applications on the device.

sudo apt install libimobiledevice-utils nautilus-ideviceinfo ideviceinstaller

Setting free a Google Authenticator TOTP secret
Nov 7th, 2017 by miki

Below you’ll find an illustrated guide for freeing the authentication mechanism used by the Google Authenticator app for Android or iPhone for use on your favorite device (anywhere an implementation is available). In fact the Authenticator is using a standards based 2FA (two factor authentication) scheme defined by OATH (Initiative for Open Authentication) and published in RFC6238 dubbed TOTP – Time-Based One-Time Password Algorithm (more Authenticator background and it’s basis HOTP).

This is a rather fine contraption but Google doesn’t advertise it very loudly being a standard instead locking the generated TOTP secret into a QR code that they will only imply are for use by their own Google Authenticator. That is not true as a host of alternative Android OTP apps are compatible and can read the QR codes as they are based upon the Authenticator’s legacy as an open source application which Google took private.

Retrieve Google Account QR Code

Login to your Google Account (maybe using the authenticator?) and go to Account -> Security -> Signin -> 2-step verification.

Locate the “Authenticator app” section and Click “CHANGE PHONE” (really “CHANGE TOTP SECRET”).

Screenshot from 2017-11-06 22-32-05

In my country’s locale, Danish, this is BTW mistranslated as “SKIFT TELEFONNUMMER” = change phone number);

Screenshot from 2017-11-07 00-50-06

You’ll now get a choice between either iPhone or Android, this will only affect the link to the app store shown on next screen which also contains the QR code, the one we are really after:

Screenshot from 2017-11-06 23-03-44

Right click the QR code image, select to save it and put it somewhere you can find it (~/Google_TOTP_QR.png might be sensible).

Get your tools right

Install the QR-code decoder zbar for extracting the TOTP secet from the image and the OATH toolkit oathtool for generating future TOTP passwords using it. On Debian/Ubuntu this can be done by installing the packages zbar-tools and oathtool.

 

$ sudo apt install zbar-tools oathtool

 

Now extract the otpauth URI (seems to be a Google thing) by passing the image file to zbarimg;

 

$ zbarimg ~/Google_TOTP_QR.png
 QR-Code:otpauth://totp/Google%3Auser%40domain.com?secret=pca7uyfht7f6mfs7oiec4aeavxaevish&issuer=Google
 scanned 1 barcode symbols from 1 images in 0.02 seconds

 

The URI contains all parameters to input into the TOTP algorithm for generating a password usable for 2FA authentication, notably the secret key in base32 format. Defaults are not mentioned in the URI and are not necessary to specify explicitly for oathtool. So for the above URI specifying only a secret, a password can be generated as such;

$ oathtool --totp --base32 pca7uyfht7f6mfs7oiec4aeavxaevish
 491293

“491293” being the password, having a default validity of 30 seconds (called step size because of the counter based nature of the HOTP behind it).

If your are interested in the defaults assumed by oathtool they can be viewed by supplying -v to it (not showing TOTP mode=SHA512, I later added this feature in my oath-toolkit fork, and opened a MR) ;

$ oathtool --totp --base32 pca7uyfht7f6mfs7oiec4aeavxaevish -v
Hex secret: 7881fa60a79fcbe6165f72082e0080adc04aa247
Base32 secret: PCA7UYFHT7F6MFS7OIEC4AEAVXAEVISH
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2017-11-06 23:23:31 UTC (1510010611)
Counter: 0x30007F7 (50333687)

133339

 

Use & Behold

Enjoy having cut your reliance on the Google Autenticator, and opened up for your own choice of client:

Also see the dongleauth.info website for a list of other sites supporting TOTP and U2F.

Clean Up & Secure

Be sure to delete the QR code image when finished, and seek out a suitably secure place to store your TOTP secret. One solution could be using PGP encryption, maybe even through some clever management system such as pass.

Also educate yourself of the shortcomings of TOTP/HOTP and consider studying and using the FIDO U2F standard and related devices.

When email in a .msg file is not ASCII
Sep 18th, 2017 by miki

Got myself an exported message from (apparently) Exchange/Outlook in a file with .msg extension. My initial thought was that this was just a plain ASCII email (seem to remember having handled .msg files as such at some point), but looking at it as text exposed a load of binary and the “file” utility reported it being of type “Composite Document File V2 Document, Cannot read section info”.

What is it?

Some searching reveals .msg is in a proprietary format called “Outlook Item (.msg) File Format” (or formally, MS-OXMSG, find the specification  in the MSDN document entitled “[MS-OXMSG]: Outlook Item (.msg) File Format“). This format is related to the CFBF ([MS-CFB]: Compound File Binary File Format).

Check out what Library of Congress has to say about .msg files.

Interpreting it

libgsf

The GNOME project has developed an open source library and some tools for interacting with files of this type, check out libgsf documentation at developer.gnome.org/gsf/ and source code at github.com/GNOME/libgsf. Or install the package named libgsf-bin in Debian/Ubuntu for access to the “gsf” binary (man page) that can inspect and dump contents from a .msg file. This is quite rudimentary if you just want to read the content.

MSGViewer (java)

MSGViewer is a stand alone java application that can display/convert different mail-format, including .msg. On GitHub I found a fork which claims to provide further features than the original.

msgconv (perl)

msgconv (github source) is a perl script that converts a .msg file into standard RFC822/2822/5322 format .eml (email) format. Install as package “libemail-outlook-message-perl” on Debian/Ubuntu.

$ file test.msg
test.msg: Composite Document File V2 Document, Cannot read section info
$ msgconvert test.msg
$ file test.eml
test.eml: UTF-8 Unicode text, with very long lines, with CRLF line terminators

I prefer the approach of using a standard format for storing data, so I ended up accepting the .eml from msgconv which I propagated to other recipients of the file.

ToS humor: Tagalog speakers at Meetup.com
Jul 4th, 2017 by miki

A little humor is possible even when filtered through the eyes of lawyers. I’ll try to make a write-up on the ones I stumble across when reading ToS’es in the future.

The first is from the event site meetup.com which has embedded a sentence in the Tagalog language in the “Translation” section of their most recent edition of the site’s Terms of Service agreement (I was prompted to agree today even though the last update was on March 28, more than 3 months ago).

The text is “Umaasa kami na maintindihan mo” which according to Google Translate translated to “We hope you understand it“.

Even though they provide the previous editions for reference (it ought be illegal not to) I haven’t yet agreed to it as there is not an easy way to compare, it is a rather long read and there are non-trivial changes. I’d rather not use any service than to just agree carelessly to ToS updates (no, that is not a personality flaw).

 

Teknologi-danskere: Finn Hendil – Prøvebilledet
Apr 6th, 2017 by miki

Hvis du har mere end 15 leveår på bagen, har du nok set dette billede før:

Farveprøvebillede fra Phillips PM5544

Måske ved du også at en dansker har designet dette tidligere så berømmede prøvebillede? Det var ukendt for mig, før jeg læste dette Facebook opslag fra Universe Science Park (tidligere Danfoss Universe).

Men den danske ingeniør Finn Hendil, som arbejdede for Phillips i Danmark, var ham der i 1966 konstruerede grundlaget for dette mønster til test af farvefjernsyn, som i de følgende mange år blev solgt i apparaterne PM5540 og PM5544. De anvendtes til generering af prøvebilleder til udsendelse direkte fra TV-kanaler og som testudstyr hos fjernsynsproducenter.

Historien som fortalt af Erling Madsen i publikationen “Fjernsynets historie fra 1926 til 2012 – og lidt efter …“.

I Jenagade på Amager havde Philips en udviklingsafdeling og en produktion, som siden 1930’erne havde skiftet mellem bl.a. radioer, dyremad (under 2. verdenskrig), barbermaskiner, kanal-
vælgere til fjernsyn og radionavigation til lystsejlere samt mobiltelefoner. Ingeniør Finn Hendil ledede udviklingsafdelingen, og i 1966 fik han opgaven med at lave et prøvebillede, såteknikerne kunne se om farverne på farvefjernsynet stod rigtigt. Det blev siden dét farveprøvebille de, som blev standarden verden over og stadig bruges. Det er endda også udkommet på puder og t-shirt – og det var med i dødsannoncen, da Finn Hendil døde i januar 2011; en måned før han ville være fyldt 72 år.

 

Monokromt prøvebillede fra forløberen Phillips PM5540

Stallman in 2012: Denmark supposedly a free country, still valid
Mar 3rd, 2017 by miki

Stumbled upon this slightly dated talk by Richard M. Stallman (aka. RMS) of GNU and FSF fame, in which my home country of Denmark is sadly referenced as only a “supposedly free country”.

Transcript

“But censorship is wrong, of course, whether it is done on the internet or not. We used to think that the internet would protect us from censorship because it was too hard to censor the internet. But thanks to the effort of various companies in the US, The UK, France and so on, it is now possible for governments to censor the internet and also surveil it completely, they just need to put enough effort in. And this is not limited to obvious tyrannies such as China and Iran. We see a lot of supposedly free countries imposing censorship on the internet.

For instance, Denmark several years ago imposed filtering on the internet blocking a secret list of sites. The list was leaked and posted on WikiLeaks. Hooray for WikiLeaks! Whereupon Denmark blocked access to that page too. So everyone else could know what internet users in Denmark were blocked from seeing except those people.”

Sadly since this time it has not gotten any better. Most of the points RMS makes (the whole talk is worth a listen) are still valid and a grave concern from my perspective. The Danish internet (really DNS) blocking system has been broadened and the slippage that was feared has become a reality. Even though this issue has gotten some attention in the IT and rights communities the general public just doesn’t care.

The actual block is technically done through DNS blacklists that Danish ISP are legally required to implement. The list of blocked sites is available from the telecom trade organization “Telekommunikationsindustrien i Danmark” (English: Telecommunication’s Industry Association in Denmark) at teleindu.dk/brancheholdninger/blokeringer-pa-nettet/ and currently has 111 sites (csv) on active block.

As it being DNS based if you are impacted, workarounds do exist. However, my guess is that they will soon be able to actively shut down services physically located in Denmark.

Full talk

(starting at point of above transcript)

 

»  Substance:WordPress   »  Style:Ahren Ahimsa
© 2016 Mikini Services