nion's blog

Just stumbled upon didtheyreadit a service which claims to be able to track sent email not depending on the mail client. You just set from which address you want to send mail from and send your email to user@host.didtheyreadit.com and then you can track the email via a web interface:



I was interested in how they do it and if it really works with every mail client which I couldn't believe.
If you send your mail to .didtheyreadit.com you of course lose your privacy and they resend the mail for you to the server attaching their "tracking".

So lets have a look at the email.
All they do is converting your mail into multi-part message adding an HTML part which includes an additional:

<div><img src="http://e-mail-servers.com/SOMESESSIONIDworker.jpg" nosend="1" name="dtri" width="1" height="1">

Your email client will then make an HTTP request to the 1x1 pixel big embedded image (well at least if you use a crappy one or webmail) which causes to update the status of the mail in the webinterface. So this is really a lame way of making money and use the fact that there are still enough stupid people out there enabling reading and writing of HTML mails
The "nosend" parameter is an invention by Microsoft Outlook which causes Outlook to not rewrite image URLs (it's not included in the standard).

So this is just a trivial web bug.

Interesting is also that if you encrypt your mail and send it to .idtheyreadit.com it will get lost

People often are not sure which characters they should escape to prevent for example common flaws in web applications.
Just stumbled over a list by the w3c in their web security FAQ.

&;`'\"|*?~<>^()[]{}$\n\r

you may also want to remove null bytes.

There is some new site dedicated to power saving on Linux which has some nice documentation and also links alot of interesting projects related to this topic (not only powertop).

Check it out on: http://www.lesswatts.org.

Today the country specific web sites of wikipedia like for example de.wikipedia.org were not available for some minutes.

First it looked like:


Then like:


So maybe a database problem when looking at the first screenshot. Anyone knows more? I never noticed something like this before as long as I use
wikipedia.

Just happy that it is running again now, wasn't sure if they decided that no article on wikipedia is relevant enough and shut the whole thing down ;-P

(No I am not interested in the Priapswurm this is just some random wikipedia article script I use as startpage

Just read this article about defeating comment spam and thought write about how we defeat trackback spam on modprobe.de pretty good for some time now.

fail2ban is usually used to prevent 1337 h4xX0rZ from brute forcing ssh logins on a server. But it can be very useful for other stuff too since it's not really more than a log analyzer.

nion.modprobe.de 207.67.117.173 - - [09/Sep/2007:22:59:03 +0200] "POST /blog/comment.php?type=trackback&entry_id=295 HTTP/1.1" 200 87 "-" "-"

This is how a typical trackback spam attempt looks in an apach2 log file.

If someone tries to place a trackback spam usually alot of log lines like this appear for every try of the spammer which is then causing a high load on your webserver (we had a load of 40) which is a real problem.

The first thing you have to do is to install fail2ban.
Then to prevent the trackback spam we create a filter file called blog.conf and place it under /etc/fail2ban/filter.d:

[Definition]
failregex = (nion.modprobe.de|deifl.modprobe.de) <HOST> - -.*"POST /blog/comment\.php\?type=trackback
ignoreregex =

This regex scans for log lines for nion.modprobe.de or deifl.modprobe.de (most problematic vhosts).
For this you need an apache log file which adds the virtual host at the beginning of the line
(LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined)

Then you have to adapt your /etc/fail2ban/jail.conf and add a section like this:

[apache-blog]
enabled = true
port = http
filter = blog
logpath = /var/log/apache2/all_access.log
bantime = 43200
maxretry = 3
ignoreip = SERVER

Fail2ban should now see if more than 3 log lines like the one in the regular expression appear from one host and DROP this host via iptables.

If you don't have a log file for all virtual hosts you can use * to scan multiple files too.
I think the variables are pretty much self explanatory, setting the ignoreip to your server is a good idea if you set the maxretry to 0 and won't lose the chance to trackback yourself.
If you have really alot of traffic and don't rotate logs very often it is a good idea to have a second log file you delete every n hours because fail2ban costs a lot of CPU power on big log files.

To test your regular expressions you may want to use fail2ban-regex 'REGEX' 'LOGLINE'. This shows if fail2ban will match for this log line and how the will provide some small benchmark information.

Opera released a 9.50 alpha version of their web browser.
It is available on: http://snapshot.opera.com/unix/9.50-Alpha-1/.
One of the most important changes is a complete rewrite of the rendering engine but there are also others.

Here is a small feature show:



I really like this new feature to reopen closed windows, not only tabs (I am sure the firefox guys will create an extension for this soon, if there is none yet )
The idea about having a menu to open a site in any other browser you have installed is also very nice and somehow shows that they are at least aware of possible rendering problems in some sites (even if I had no problems for a long time

To get a detailed list of changes have a look at: http://cybernetnews.com/2007/09/03/cybernotes-exclusive-opera-95-features-video/ and a 4 days old article in the dev blog: http://my.opera.com/desktopteam/blog/2007/08/31/focus-areas-during-kestrel-development.

Until now I didn't know that censorship is also a part of the web 2.0[tm]

Read: http://www.flickr.com/groups/againstcensorship/

With or without extensions?

Yes there are remote vulnerabilities caused by extensions and I am really laughing my ass off since I talked about this with people 2 years ago. Specifically I talked about these extensions as a broken security concept because a) everyone can upload them to mozdev even with malicious code with a fancy name (ok we have certificates now but that doesn't save you from bad code in extensions. Ok you can also have bugs in FF itself but I hope the code gets checked better than random extensions) and b) bugs introduced by extensions.

Q: Why is this attack possible?

A: The problem stems from design flaws, false assumptions, and a lack of solid developer documentation instructing extension authors on the best way to secure their code.

I am sorry if this sounds arrogant but in my opinion it was obvious that this will happen some time. And possible security flaws introduced by extensions really were just one reason for me in the past to not use Firefox.

Read more on: http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html.

The tele-lab made by the Hasso-Plattner-Institut was recently in the news because they announced their new online portal for teaching different aspects of security at the Cebit (Golem and many others reported about this).

Since I couldn't really imagine how they can teach realistic security scenarios completely via a website I thought I ask for a test account which I got today.
You can access a web front-end where you have tutorials for stuff like sniffing, MiTM, encryption, portscanning, WLAN and so on with some practical lessons.

Don't ask why but the first thing I usually do on a website where I can see POST parameters in the URL is to test for XSS. I am not really an expert in web security but I have spare time

Surprisingly one of the first parameters I tried is actually vulnerable as you can see in the following screenshot (sorry if you have no account you can not try):

.
I have to say that I am not an expert in web security but this also looks like a possible SQL injection.

Sorry tele-lab-guys but this is lame, if you teach security, at-least secure your website from basic attacks.

Again it is possible to do phishing via Google.

Click me. (found in my spam folder).

Let's see what the Month of search engine bugs will find.