Recent blog entries

24 Jun 2016 pabs3   » (Master)

DebCamp16 day 1

Hating jetlag based headache. Disturbed to see the Brexit result. Review wiki RecentChanges. Answer some questions about Launchpad on #debian-mentors. Whitelisted one user in the wiki anti-spam system. Reviewed and sponsored yamllint 1.2.2-1 upload. Noted OFSET repo is broken and updated Freeduc info. Noted the Epidemic-Linux website is having database issues. Noted that Facebook finally completely dropped their RSS feeds, dropped Facebook RSS feed URL generation from the Debian derivatives census scripts and notified the affected derivatives. Cleared up Tanglu hash sum mismatches again. Minor changes to Planet Debian derivatives. Enjoyed the photos from Valessio. Hazy city away from the mountain and tablecloth clouds flowing over the mountain on the way to a pub lunch. Jet lag headaches seem to be subsiding thankfully. Ping someone generating a bounce when changing their SSH key. Mention autorevision and other suggestions in an IRC discussion about mesa & reproducible builds. Review some DebConf16 announcements and add minor fix. Push out some TODO items to check-all-the-things. Ask for a dd-list for the GCC 6 transition. Usual spam reporting throughout the day via manual List-Archive copy-paste, feeding mboxen to my report-spam-debian-lists and report-spam-debian-bugs scripts and manual BTS clicks. Usual wondering why there isn't an RFC for MUA spam reporting. Disturbed by the sudden appearance of an astronautess in the orga room but placated by a plentiful supply of crisps. Ask x32 folks about vs x32 on ports.d.o. Glad to just avoid the room shuffle dance. Finish mime support for check-all-the-things. Disappointed that does not actually resolve. Amused by pollito's virtual tour of UTC. Completely stuffed full of Butleritos.

Syndicated 2016-06-24 17:46:11 from Advogato

24 Jun 2016 marnanel   » (Journeyer)

strip-lighted paradise

I was reading this two days ago. It needs saying today.

“Men use up their lives in heart-breaking political struggles… not in order to establish some central-heated, air-conditioned, strip-lighted Paradise, but because they want a world in which human beings love one another instead of swindling and murdering one another.” - George Orwell, 1943.
This entry was originally posted at Please comment there using OpenID.

Syndicated 2016-06-24 13:04:01 from Monument

23 Jun 2016 pabs3   » (Master)

DebCamp16 day 0

Today is officially the first day of DebCamp 2016. The night wasn't as cold as I had feared. Woke at 5am for some reason. Noted the network still blocks port 6697 and 7000, worked around in IRC client configuration using 9999. Reply to network discussion to point that out. Minor changes to the empathy Debian RTC wiki page. Answer support@mentors.d.n bug email about shared company OpenPGP keys and suggest moving to individual keys. Review wiki RecentChanges. Comment on NetworkManager upstream bug #705545 that MAC address privacy is a complicated feature with many use cases. Warn another person that reporting Alioth to SpamCop does nothing and link to the unsubscription URL. Talk to Brown about IP address conflict sparc64 porters found with the setup of notker (sparc64 build machine). Filed Debian wishlist bug #827944 against at asking for support for using an editor to write at jobs. Woke up properly, discussed spam over breakfast. Notice Point Linux in the Distrowatch feed and invite them to the derivatives census. Point out reproducible builds in a discussion about source-only uploads. Commented that I encountered evolution upstream crash bug #680471 again. Reported gnome-shell upstream crash bug #767969. Joined the tour around the campus, enjoyed the view from the outdoor hacklab at the top of the hill. Confirmed that "Monkey Gland" from the pub menu is not in fact derived from monkeys in any way. Noted that Pollito did not eat chicken from the buffet. Beat head against VPN/SIP/WebRTC for a while but oncoming jetlag put me out of business for some hours. Pointed out the future Packages.gz removal in favour of Packages.xz to the popcon developers.

Syndicated 2016-06-23 21:16:41 from Advogato

23 Jun 2016 marnanel   » (Journeyer)

the Holy Spirit versus cardboard

A story I was told at St Mark’s, a “high” Anglican church:

St Mark’s has a rather large contingent of de jure Roman Catholics in its congregation, who argued with the local parish priest or the Vatican and just decamped down the road. Many times this only gets discovered when they die and ask for their ashes to be interred in St Mark’s columbarium, whereupon the local RC priest turns up and objects.

So after this had happened a few times, they agreed that a small part of the columbarium would be dedicated as a RC burial place. And so that God wouldn’t get confused, they put a cardboard divider between them.

The person telling me this story concluded, “So apparently cardboard can block the Holy Spirit, just like alpha particles… wait. Don’t mitres have cardboard inside to keep the shape? I think we’ve discovered something here…”

This entry was originally posted at Please comment there using OpenID.

Syndicated 2016-06-23 18:11:42 from Monument

22 Jun 2016 pabs3   » (Master)

DebCamp16 day -1

Landed late due to technical delays. Mountains! Mountains are everywhere! Beautiful sunny day with clear blue skies. Ran into Valessio as I was shown to my room. Wandered around the campus for a bunch of hours. Ate an all you can eat yum buffet lunch at the pub. Wandered down the hill and ended up on the train and wandering around a lake with lilies in a park. Arriving back at UCT we ran into a beer mission along with some wonderful arriving folks. The warm DebConf nervous centre was quite inviting and soon had plentiful beer, pizza and discussion.

Syndicated 2016-06-22 16:34:18 from Advogato

22 Jun 2016 mjg59   » (Master)

I've bought some more awful IoT stuff

I bought some awful WiFi lightbulbs a few months ago. The short version: they introduced terrible vulnerabilities on your network, they violated the GPL and they were also just bad at being lightbulbs. Since then I've bought some other Internet of Things devices, and since people seem to have a bizarre level of fascination with figuring out just what kind of fractal of poor design choices these things frequently embody, I thought I'd oblige.

Today we're going to be talking about the KanKun SP3, a plug that's been around for a while. The idea here is pretty simple - there's lots of devices that you'd like to be able to turn on and off in a programmatic way, and rather than rewiring them the simplest thing to do is just to insert a control device in between the wall and the device and now you can turn your foot bath on and off from your phone. Most vendors go further and also allow you to program timers and even provide some sort of remote tunneling protocol so you can turn off your lights from the comfort of somebody else's home.

The KanKun has all of these features and a bunch more, although when I say "features" I kind of mean the opposite. I plugged mine in and followed the install instructions. As is pretty typical, this took the form of the plug bringing up its own Wifi access point, the app on the phone connecting to it and sending configuration data, and the plug then using that data to join your network. Except it didn't work. I connected to the plug's network, gave it my SSID and password and waited. Nothing happened. No useful diagnostic data. Eventually I plugged my phone into my laptop and ran adb logcat, and the Android debug logs told me that the app was trying to modify a network that it hadn't created. Apparently this isn't permitted as of Android 6, but the app was handling this denial by just trying again. I deleted the network from the system settings, restarted the app, and this time the app created the network record and could modify it. It still didn't work, but that's because it let me give it a 5GHz network and it only has a 2.4GHz radio, so one reset later and I finally had it online.

The first thing I normally do to one of these things is run nmap with the -O argument, which gives you an indication of what OS it's running. I didn't really need to in this case, because if I just telnetted to port 22 I got a dropbear ssh banner. Googling turned up the root password ("p9z34c") and I was logged into a lightly hacked (and fairly obsolete) OpenWRT environment.

It turns out that there's a whole community of people playing with these plugs, and it's common for people to install CGI scripts on them so they can turn them on and off via an API. At first this sounds somewhat confusing, because if the phone app can control the plug then there clearly is some kind of API, right? Well ha yeah ok that's a great question and oh good lord do things start getting bad quickly at this point.

I'd grabbed the apk for the app and a copy of jadx, an incredibly useful piece of code that's surprisingly good at turning compiled Android apps into something resembling Java source. I dug through that for a while before figuring out that before packets were being sent, they were being handed off to some sort of encryption code. I couldn't find that in the app, but there was a native ARM library shipped with it. Running strings on that showed functions with names matching the calls in the Java code, so that made sense. There were also references to AES, which explained why when I ran tcpdump I only saw bizarre garbage packets.

But what was surprising was that most of these packets were substantially similar. There were a load that were identical other than a 16-byte chunk in the middle. That plus the fact that every payload length was a multiple of 16 bytes strongly indicated that AES was being used in ECB mode. In ECB mode each plaintext is split up into 16-byte chunks and encrypted with the same key. The same plaintext will always result in the same encrypted output. This implied that the packets were substantially similar and that the encryption key was static.

Some more digging showed that someone had figured out the encryption key last year, and that someone else had written some tools to control the plug without needing to modify it. The protocol is basically ascii and consists mostly of the MAC address of the target device, a password and a command. This is then encrypted and sent to the device's IP address. The device then sends a challenge packet containing a random number. The app has to decrypt this, obtain the random number, create a response, encrypt that and send it before the command takes effect. This avoids the most obvious weakness around using ECB - since the same plaintext always encrypts to the same ciphertext, you could just watch encrypted packets go past and replay them to get the same effect, even if you didn't have the encryption key. Using a random number in a challenge forces you to prove that you actually have the key.

At least, it would do if the numbers were actually random. It turns out that the plug is just calling rand(). Further, it turns out that it never calls srand(). This means that the plug will always generate the same sequence of challenges after a reboot, which means you can still carry out replay attacks if you can reboot the plug. Strong work.

But there was still the question of how the remote control works, since the code on github only worked locally. tcpdumping the traffic from the server and trying to decrypt it in the same way as local packets worked fine, and showed that the only difference was that the packet started "wan" rather than "lan". The server decrypts the packet, looks at the MAC address, re-encrypts it and sends it over the tunnel to the plug that registered with that address.

That's not really a great deal of authentication. The protocol permits a password, but the app doesn't insist on it - some quick playing suggests that about 90% of these devices still use the default password. And the devices are all based on the same wifi module, so the MAC addresses are all in the same range. The process of sending status check packets to the server with every MAC address wouldn't take that long and would tell you how many of these devices are out there. If they're using the default password, that's enough to have full control over them.

There's some other failings. The github repo mentioned earlier includes a script that allows arbitrary command execution - the wifi configuration information is passed to the system() command, so leaving a semicolon in the middle of it will result in your own commands being executed. Thankfully this doesn't seem to be true of the daemon that's listening for the remote control packets, which seems to restrict its use of system() to data entirely under its control. But even if you change the default root password, anyone on your local network can get root on the plug. So that's a thing. It also downloads firmware updates over http and doesn't appear to check signatures on them, so there's the potential for MITM attacks on the plug itself. The remote control server is on AWS unless your timezone is GMT+8, in which case it's in China. Sorry, Western Australia.

It's running Linux and includes Busybox and dnsmasq, so plenty of GPLed code. I emailed the manufacturer asking for a copy and got told that they wouldn't give it to me, which is unsurprising but still disappointing.

The use of AES is still somewhat confusing, given the relatively small amount of security it provides. One thing I've wondered is whether it's not actually intended to provide security at all. The remote servers need to accept connections from anywhere and funnel decent amounts of traffic around from phones to switches. If that weren't restricted in any way, competitors would be able to use existing servers rather than setting up their own. Using AES at least provides a minor obstacle that might encourage them to set up their own server.

Overall: the hardware seems fine, the software is shoddy and the security is terrible. If you have one of these, set a strong password. There's no rate-limiting on the server, so a weak password will be broken pretty quickly. It's also infringing my copyright, so I'd recommend against it on that point alone.

Syndicated 2016-06-21 23:11:54 from Matthew Garrett
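The ECB fingerprint the post reads off its tcpdump captures (every payload a multiple of 16 bytes, and identical 16-byte blocks recurring across packets that differ only in one middle block) written up as a check you can run over decoded payloads. This is an added example, not code from the post or from the plug's community tools; the "captured" packets below are constructed by hand, and no key or real traffic is involved.

```python
"""Heuristic check for AES-ECB traffic of the kind the post describes.

Added example. It reports the two fingerprints the post relies on: every
length is a multiple of the AES block size, and identical 16-byte blocks
recur across different packets. The sample payloads are constructed.
"""
from collections import Counter

BLOCK = 16  # AES block size in bytes


def blocks(payload: bytes) -> list:
    """Split a payload into consecutive 16-byte blocks."""
    return [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]


def block_aligned(payloads) -> bool:
    """True if every payload is a non-empty multiple of the block size."""
    return all(len(p) > 0 and len(p) % BLOCK == 0 for p in payloads)


def shared_blocks(payloads) -> dict:
    """Ciphertext blocks that appear in more than one distinct payload.

    With a fresh IV or nonce per packet (CBC, CTR, GCM) two packets should
    essentially never share a block; with ECB under a static key, equal
    plaintext blocks encrypt to equal ciphertext blocks at any position.
    """
    counts = Counter()
    for p in set(payloads):
        for b in set(blocks(p)):
            counts[b] += 1
    return {b: n for b, n in counts.items() if n > 1}


def differing_positions(a: bytes, b: bytes) -> list:
    """Block indexes at which two equal-length payloads differ."""
    if len(a) != len(b):
        raise ValueError("payloads must have equal length")
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]


def ecb_verdict(payloads) -> dict:
    """Combine the fingerprints into a single verdict."""
    aligned = block_aligned(payloads)
    shared = shared_blocks(payloads)
    return {
        "block_aligned": aligned,
        "shared_block_count": len(shared),
        "likely_ecb": aligned and len(shared) > 0,
    }


# Constructed captures: three 48-byte "packets" that differ only in their
# middle block, mimicking what the post saw on the wire.
HEAD = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAIL = bytes.fromhex("00112233445566778899aabbccddeeff")
ECB_CAPTURE = [HEAD + bytes([i] * BLOCK) + TAIL for i in (1, 2, 3)]

# Constructed contrast: same sizes, but no block repeats across packets,
# which is what a per-packet IV or nonce would normally produce.
RANDOMISED_CAPTURE = [bytes(range(i, i + 48)) for i in (0, 50, 100)]
```

Run `ecb_verdict(ECB_CAPTURE)` on the constructed set to see both fingerprints trip, and `differing_positions` to locate the single varying block; the same functions apply unchanged to payloads pulled from a real pcap.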

20 Jun 2016 marnanel   » (Journeyer)

Why I'm voting Remain

If I had to choose either Strasbourg or Westminster to run this country, I'd choose Strasbourg. It has a better separation of powers. Someone asked what I mean by that, so I'll explain more fully.

A bit of civics background-- sorry if you know this already: There are three branches to every government: the legislature which makes laws, the executive which implements those laws, and the judiciary which deals with people who break them. In a carefully-designed system such as the American federal government, the three branches act as checks on one another's power. (In the US, executive=President, legislature=Congress, judiciary=federal courts.) This means that it's much more difficult for one or two people to fuck up the system.

But in the UK and the EU we don't have a complete separation of powers. In particular in the EU we have the executive (the Commission) having the sole power to propose bills to the legislature (the Parliament). This is undemocratic, and it's a problem. The legislature can veto bills, so it acts as a check on the power of the executive. But it cannot act alone.

In the UK, however, the problem is even worse. In our case executive=Downing Street, legislature=Parliament, judiciary=courts. Parliament was originally a check on the power of the King (when the King was the executive). But for the last few centuries, the Crown's ministers have effectively been the executive, and these ministers are always drawn from Parliament. A PM must necessarily almost always be able to order Parliament to do anything they wish, because they must belong to the majority party in the Commons, and MPs almost always vote as the whips tell them to.

So if for example we happened to get someone as PM who was determined to starve the poor and destroy the NHS, there's nobody at all who can stand up to him. In the US or in France it's routine for the legislature to say no to the executive (and vice versa). But it's near-impossible in the UK.


...there is, at present, one organisation which can say no to the PM.

That organisation is the EU.

That is why I'm voting Remain.


This entry was originally posted at Please comment there using OpenID.

Syndicated 2016-06-20 19:36:10 (Updated 2016-06-20 19:38:42) from Monument

19 Jun 2016 sye   » (Journeyer)

to translate:

(First published in 华侨日报 (Overseas Chinese Daily), Literary Supplement, issue 2, 6 February 1944)

Poetry: the harmony of emotion expressed in words.

He translated a huge number of foreign literary classics, chief among them: (Spain) Ibáñez, Song of Secret Love on a Fine Night (良夜幽情曲) (Shanghai Guanghua Book Company, first edition 1928), Selected Short Stories of Ibáñez (New Literature and Art Publishing House, 1956); (France) Chateaubriand, The Maiden's Vow (少女之誓) (Shanghai Kaiming Bookstore, 1928); (France) Perrault, Tales of Mother Goose (Shanghai Kaiming Bookstore, 1928); (France) Morand, The Celestial Maiden Yuli (天女玉丽) (Shanghai Shangzhi Bookstore, 1929); (France) the old chantefable Aucassin and Nicolette (Shanghai Guanghua Book Company, 1929); (France) d'Aulnoy, The Blue Bird (Shanghai Kaiming Bookstore, 1933); (France) d'Aulnoy, Beauty and the Beast (Shanghai Kaiming Bookstore, 1933); Modern French Short Stories (Shanghai Tianma Bookstore, 1934); (France) Mérimée, Colomba (Shanghai Zhonghua Book Company, 1935); (France) Colette, Purple Love (紫恋) (Shanghai Guangming Bookstore, 1935); (France) Bourget, The Disciple (Shanghai Zhonghua Book Company, 1936); (France) Baudelaire, Selections from Les Fleurs du mal (Shanghai Huaizheng Cultural Society, 1947); (USSR) Libedinsky, A Week (Shanghai Shuimo Bookstore, first edition 1930; Shanghai Zuojia Shuwu, reprinted 1946; People's Literature Publishing House, new edition 1958); (USSR) Ikovich, A Theory of Literature on the Materialist Conception of History (Shanghai Shuimo Bookstore, first edition 1930; Shanghai Zuojia Shuwu, reprinted 1946); (USSR) Ivanov, Armoured Train (Shanghai Xiandai Book Company, first edition 1932); (USSR) Benjamin Goriely, Anecdotes of the Soviet Poetry Scene (Shanghai Magazine Company, 1936); Selected Spanish Short Stories (Shanghai Commercial Press, 1936); Italian Short Stories (Shanghai Commercial Press, 1935); Belgian Short Stories (Shanghai Commercial Press, 1935); [UK] Shakespeare, Macbeth (Shanghai Jinma Bookstore); and others.


18 Jun 2016 marnanel   » (Journeyer)

please do not press this button again

I was once in a psychiatrist's waiting room and they had a coffee machine with enough buttons to belong to Captain Picard. You know the sort of thing-- buttons for white coffee, black coffee, cappuccino, hot chocolate, and so on and on. But one of them was unlabelled, and THAT was the one I wanted.

It took a while to brew me a cup. When it had cooled, I took a sip. The stuff was utterly foul-- like a sort of hot instant coffee made with lemons and ammonia. I can still taste it in memory.

Just then, the psychiatrist arrived, and asked what I was grimacing about. I explained the story and showed him the button. "Right," he said. "That's the self-cleaning function."

This entry was originally posted at Please comment there using OpenID.

Syndicated 2016-06-18 20:56:42 from Monument

15 Jun 2016 elwell   » (Journeyer)

The Physical Web. Yeah, that's a good idea.

In the last week I've discovered the Physical Web from google, and I'm sold on the idea. Apart from the "what's around here" geeky stuff, it's a great idea for sensible 'distant' digital signage. For example, $dayjob is at the Pawsey Supercomputing Centre, but we don't plaster our URL over the visitor area - what if guests could be gently prompted to the right URL by beacon?

Again tonight (while watching WASO play the Indiana Jones score) I noticed a set of three A3 posters explaining to users of another part of the conference centre how to connect to wifi and download <exhibit> app. This isn't even Scott Jenson's complaint of a 'dos prompt on the browser' - it's more a dig out the index card from the library, then go to the dos prompt...