Feb 25, 2016

It’s over: after 13 years of being almost constantly under pressure from US-based companies, SlySoft finally had to close its doors. Best known for software such as CloneCD or AnyDVD, the Antigua-based company has for years provided people all over the world with ways to quickly and easily circumvent disc-based copy protection mechanisms such as Sony ArcCos, CSS, AACS, BD+ and many others.

The company’s founder, a certain Mr. Giancarlo Bettini, had already been sued – and successfully so – before an Antiguan court. While it was strictly up to the Antiguan authorities to actually sue SlySoft (because the AACS-LA could not do so themselves due to some legal constraints), this did finally happen in 2012, with Mr. Bettini being fined USD 30,000. That didn’t result in SlySoft closing down, however.

What exactly happened a few days ago is unclear, as SlySoft seems to be under an NDA, or maybe under legal pressure, not to release any statement regarding the reasons for the shutdown; quote: “We were not allowed to respond to any request nor to post any statement”. The only thing we have besides a forum thread with next to no information is the statement on the official website, which is rather terse as well:

“Due to recent regulatory requirements we have had to cease all activities relating to SlySoft Inc.
We wish to thank our loyal customers/clients for their patronage over the years.”

It should be relatively clear, however, that this has something to do with the AACS-LA and several movie studios as well as software and hardware companies “reminding” the United States government of SlySoft’s illicit activities just recently. This would have resulted in Antigua being put onto the US priority [watchlist] of countries violating US/international copyright laws. Ultimately, being put onto that list can result in trade barriers going up within a short time, hurting a country’s economy, thus escalating the whole SlySoft affair into an international incident. More information [here].

AnyDVD HD

This little program and its little brothers made it all the way to the top and became an international incident! Quite the career…

It seems – and here is where my pure speculation starts – that some kind of agreement was found between SlySoft’s founder and the AACS-LA and/or the Antiguan and US governments, resulting in the immediate shutdown of SlySoft without further consequences for either its founder or other members of the company. If true, then SlySoft will surely also have to break their promise of releasing a “final” version of AnyDVD HD including all the decryption keys from the online database in case they ever had to close their doors for good. This is what “[…] we have had to cease all activities relating to SlySoft Inc. […]” means, after all.

So what are the consequences, technically?

I can only speak for AnyDVD HD, and only according to the forums over at SlySoft, but the latest version 7.6.9.0 supposedly includes some 130,000 AACS keys and should still be able to decrypt a lot of Blu-rays, even if not all of them.

In the end, however, the situation can only deteriorate as time passes and new AACS keys and BD+ certificates are released, even if you bypass the removed DNS A records of key.slysoft.com and reach one of the key servers by resolving the IP address locally (via your hosts file). The thing is, nobody can tell when SlySoft will be forced to implement more effective methods of making their services inaccessible, like simply switching off the machines themselves.

But even if they stay online for years to come, no new keys or certificates are going to be added, so it’s probably safe to say that the red fox is truly dead.

Addendum: Just to be clear for those of you who are now scared of even accessing any SlySoft machines by their real IPs: according to a SlySoft employee (you can read it in their forums), all of the servers are still 100% under SlySoft’s physical control, and their storage backends are encrypted. They were not raided or anything. So it seems you do not have to fear “somebody else listening” on SlySoft’s key servers.

PS: A sad day if you ask me, a victorious one if you ask the movie industry. Maybe somebody should just walk over and tell them that cheaper, DRM-free media actually work a lot better on the market than jailing users into some “trusted” (by them) black boxes with forced software updates and closed software. Yeah, I actually want to play my BD movies on the PC (legally!!), and on systems based on free software like Linux and BSD UNIX as well, not on some black-boxed HW player, so go suck it down, Hollywood. I mean, I’m even BUYING your shit, for Christ’s sake…

Oh, by the way, China is actually sitting on that copyright watchlist (I mean, obviously), and they gave us DVDFab. Also, there are MakeMKV and [others as well]. We’ll see whether the AACS-LA can hunt them all down… And even if they can… Will it really make them more money? Debatable at best…

Update: Those guys work fast! While SlySoft is gone, several of the developers have grabbed the software and moved the servers to Belize, the discussion forums have already been migrated, and a new version 7.6.9.1 of AnyDVD HD has been released, including new keys and reconfigured to access the new key servers as well. The company is now called “Red Fox” and the forums can be accessed via [forum.redfox.bz].

For now, AnyDVD HD still honors the old licenses, and this will stay that way for the transition period. Ultimately however, according to posts on the forums, people will have to buy new licenses, even if they had a lifetime license before. They also said they’ll cook up “something nice” for people who bought licenses just recently. Probably some kind of discount, I presume.

Still, if I may quote one of the developers: “SlySoft is dead, long live RedFox!”

Jul 29, 2014

I thought it impossible, but it is indeed happening. As reported [here] (in German), the Austrian [Supreme Court of Justice] (not the same thing as the Constitutional Court) ruled that in cases of massive copyright infringement, enforcing a nationwide ban of certain servers is justifiable. If such a ban is decided upon, every Internet provider receives a written court order and of course has to obey it immediately and put effective mechanisms in place to block access to a certain host – nationwide! As far as I know, that currently means an IP ban, not a host name ban.

The first round of active bans starts on the 1st of August 2014, when [The Piratebay], [Kinox.to] and [Movie4k.to] will effectively have to be blocked in Austria. This resembles Internet bans as seen behind “the Great Firewall” of China or, in more extreme cases, in North Korea. Naturally, this is not good, as it represents a growing encroachment on our Internet freedoms.

I remember that when I was in China, I kept an SSH2 server and an HTTP proxy open at home, so I could tunnel home through my SSH2 connection and then use the local HTTP proxy via that encrypted connection to access all of the Internet, because I knew access would be free and untampered with here. Now it seems people are getting ready to do the same thing and use encrypted virtual private networks (VPNs) or the Tor network to reach such sites via foreign exit nodes.

This is madness!

Austria was supposed to be a (relatively) free country where Internet services cannot be banned simply for certain potentials they may offer.

Naturally, Internet Service Providers – even the largest ones – have protested sharply against this and even sued to have this insanity thwarted, but unfortunately they lost their case. It seems that despite several victories won on the front lines of a free Internet, we’re heading into stormy waters now. ISPs also said that they’d be wrongfully pushed into the role of judges, because it would be up to them to decide whether a web site’s principal purpose is copyright infringement, thus justifying the ban (that’s the weird part).

Naturally, driving users towards using anonymization networks and VPNs only serves to further criminalize the use of those services too, giving them a bad name and making the problem worse.

Soon we will be witnessing the first stones being laid for the foundation of a Great Firewall of Austria. The 1st of August will not be a good day, not at all.

Update: It seems that the matter is being discussed and renegotiated at the moment. As a result, the requested bans have been pushed back to an undefined point in time. So for now, all three sites I mentioned remain reachable within Austria. I will keep you updated as soon as any news about this surface.

Update 2, 2014-10-08: And here we go, the VAP (“Verein für Anti-Piraterie”, or anti-piracy association) did it. There are now DNS blockades in place for the domains kino.to and movie4k.to. Querying any DNS server of the providers A1, Drei, Tele2 or UPC for those domain names returns the IP address “0.0.0.0”, thus rendering the web sites inaccessible for any “normal” user. The VAP has now even been asking for an IP ban, which could easily affect multi-service machines – think email servers using the same IP – and also virtual hosts, where multiple websites/domains are hosted on a single machine, or any high-availability cluster of machines that does not use DNS-level clustering (well, you wouldn’t be able to resolve the DNS name anymore anyway).

Users have reacted by simply using other, free DNS servers on the web, and the site operators have reacted by using alternate top-level domains, like movie4k.tv for instance. It seems the war is on. Providers like UPC have stated in public interviews that this process is ethically questionable, as people in power may soon learn what kind of a tool such censorship could be for them – potentially eliminating criticism or any publication they’d rather see gone.

I would like to add – once again – that I find it highly disturbing that a supposedly free country like Austria would implement measures reminiscent of things that happen in Turkey, China or North Korea…

Oh and The Pirate Bay is next it seems.

Jun 27, 2014

This just in: A very important battle has been won! The [Austrian Constitutional Court] decided just this morning that the data retention laws are unconstitutional and illegal, following a similar decision by the [European Court of Justice]. The Austrian government is thus required to repair the laws to re-establish an environment that respects personal privacy and data security. For those of you who can read German, here is the corresponding [news report] (in German)!

The Constitutional Court – the highest and most significant in the country – has decided that the laws we currently have are disproportionate when it comes to what we have to sacrifice for gaining what seems to be very little. They stated that the possibility of linking metadata together (to create profiles of persons and networks of persons) is especially problematic. Several paragraphs of the laws have been declared outright unconstitutional!

On top of that, it was said that baseless surveillance is dangerous and the risk of abuse is high due to the many people having access to the data collected (think: Internet Service Providers). Plus, the laws have never actually been used for their prime purpose, fighting terrorism. Not even once. They have been used in cases of theft and stalking though, which does not justify such a deep cut into the privacy of every single citizen of Austria.

The current Austrian government (including the minister of justice!) had still defended data retention and declared that they wanted to keep it as-is. Now, however, they have to back off from that stance, no matter what.

A very important battle has been won, while the war rages on. So, while this is one of the most significant victories in terms of freedom in a long time, never forget:

“The price of freedom is eternal vigilance”.

Now that we are sensitized to the matter, and mechanisms to defend against further attacks are firmly in place, we are in a good position to fend off the next attempt to undercut our society. We just need to stay vigilant!

One can only hope that this will serve as a guiding light for countries that still have data retention in place… This really needs to go for good, not just in Austria!

Jun 05, 2014

In battling the previously legalized data retention policy of the European Union, the European Court of Justice ([EuGH]) has now declared data retention illegitimate, as it is apparently incompatible with the EU charter, violating fundamental rights regarding privacy. Also, the original purpose of data retention, fighting terrorism and organized crime, has in Austria in practice been extended to much more mundane things like [theft or stalking] (in German), as well as hunting down people who produced counterfeit cigarettes and the like.

Our own Federal Chancellery has now stated that it will [not abandon data retention] (in German), for reasons hardly understood, as Doris Bures, former minister of innovation and technology, had stated before that “[we do not need data retention]” (in German).

It may not be possible for them to keep it though, as on the coming 12th of June (corrected from July), the issue will be brought before the Constitutional Court of Austria ([VfGH]) by more than 11,000 plaintiffs, including myself, suing to have data retention declared unconstitutional for violating the basic right to privacy in this country. The plaintiffs are represented by the organization AKVorrat and its lawyers, an organization which was founded for this very purpose. It still feels strange, though, that our beloved rulers should have changed their minds about this so quickly. Or maybe individual opinions differ greatly amongst members of the government, partly perhaps due to a lack of information and proper expert guidance.

The now-public statement that has been submitted to the Constitutional Court can be read in PDF form [here] (in German).

If the VfGH decides that data retention is unconstitutional (which it pretty damn well should!), this would mean a major victory for freedom and privacy on both the European and the national level. Of course, new proposals for data retention – slightly changed and renamed – are already looming on the horizon, ready to be smuggled through the European Parliament. But this time around, resistance is already forming beforehand, as the proper anti-data-retention organizations like AKVorrat are already in place and actively working against any such rule in multiple European nations.

Still, the price of freedom is eternal vigilance. No war can be won by winning just one major battle. But still, if the VfGH decides in favor of freedom and privacy here, this may turn the tide!

I will continue to report about this as soon as new information or the actual ruling by the VfGH become available!

May 28, 2014

Just recently I published my [vision for our networked society], claiming that freedom, self-determination and independence can be reached through decentralization, putting control over our services and data back into the hands of the users. My idea was to use distributed hash tables on a lower level to power search engines or social networks, distributed across a wide field of user-operated home servers. I thought my idea was pure utopia. Something we’d need to work hard on for years to accomplish.

After I published it, users approached me via various channels, pointing out already existing software that deals with the centralization problems and dangers of today, like for instance the decentralized social network [Diaspora*] or, even more significantly, [YaCy], which is a DHT-based search engine just like the one I envisioned.

Let me show you the simple way the YaCy developers chose to illustrate what exactly they are doing. If you’ve read my article about decentralization linked at the beginning, you’ll immediately recognize what’s going on here (images taken from YaCy):

So you can see where this is going? In the right direction is where! And how is it implemented? Basically, it is a Java server built on top of the [Apache Solr] / [Lucene] full-text search engine well known in certain enterprises, with a web interface on top. The web interface can be used for administration and as a simple web search, like we know it already. The Java code works with both Oracle Java 1.7 (Windows, MacOS X) and OpenJDK 1.7, which is preferred on Linux. I haven’t tested it, but I presume it might also work on BSD UNIX, as some BSD systems support OpenJDK 1.7 too. It could also work on OpenSolaris, I guess, and it can run with user privileges.

If you want to go the Oracle route on Linux, this also seems to work, at least for me, despite the YaCy developers asking for OpenJDK. But then again, if you want to steer clear of any even remotely fishy software licenses, just go with OpenJDK!

In case you haven’t noticed yet, I have already joined the YaCy DHT network as a node, and a search using my node as an entry point into the DHT superstructure is already embedded in this weblog; look at the top right and you’ll find it! Mind you, it ain’t the fastest thing on the track, and the quality of its results won’t yet match Google or anything, but we’re getting there! I may also choose to embed it at [http://www.xin.at], not just here. But we’ll see about that.

Also, the web interface has a few nice monitoring gadgets, let’s have a look at those for my own fresh node, too:

Now, YaCy doesn’t provide data all by itself. As in my original idea, the network needs to pull in data from outside the superstructure, from the regular Internet, and make it searchable. For that, YaCy’s administration web interface features a simple crawler that you can send off to index everything on a certain domain via HTTP/HTTPS, like “http://wp.xin.at/”, or from a Samba/Windows share server, or from local files, or FTP etc. There is also a more complex, extremely configurable and powerful crawler, but I’ve only used the simple one so far. And it also visualizes what it does, look here:

So the web interface is pretty cool, and it actually works, too! The crawler also has parsers for tons of file types, like PDF, Office documents (Microsoft and Open-/LibreOffice), media files, ZIP files etc., so it can index the contents and/or metadata of such files too, full text!

While I do not need it, you may actually also disconnect YaCy from the “freeworld” network entirely and use it as an intranet search engine. There is even professional support for that if you’d like to use it in that context within your company.

So there we go: a free, decentralized search engine that lies not in the hands of some opaque megacorporation, but in our very own hands. How could I have missed this?! I have no idea. But it seems even I have walked the world in blindness too, for the three pillars of my vision are more real than I’d have thought: independence, self-determination, freedom. It’s all right there!

And you don’t even need a home server for that. You can just run it on your desktop or laptop too. Not perfect, but this works thanks to the massively fail-proof nature of the DHT network, as described in my earlier publication.

Seriously, this is pretty damn awesome! We’re far closer to my “stage II” than I would’ve believed just 2 weeks ago. All we need to do now is to solve the social problem and make people actually migrate to freedom! Yeah, it’s the hardest of problems, but at least we have the tech sitting there, ready to be used.

So now it’s your turn (and mine, actually): let’s inform people, let’s educate whomever we can, and help ourselves lose the chains!!

Dec 11, 2013

Torrent tracker / magnet link host The Pirate Bay has used the domain name thepiratebay.sx for quite some time now. Being quasi-illegal in a wide range of countries, they’ve been moving between different top-level domains in the past, and now their domain name has been seized again. It is not entirely clear who is responsible, but some people seem to assume it was the Dutch authorities, as the .sx domain is hosted in the southern half of the Caribbean island of Saint Martin, which goes by the name of [Sint Maarten] (the northern half was colonized by the French back in the old days). When the DNS servers were removed from the domain, the site became unreachable all over the world in an instant. The web servers, however, remain completely unaffected by this.

It seems there is no new permanent refuge yet, but for now the website has gotten a new domain name, [thepiratebay.ac], hosted on the volcanic [Ascension Island], which happens to be UK territory. That means this won’t last for long though, as some collecting society is sure to press charges soon enough.

So The Pirate Bay has had Sweden (.se), Greenland (.gl), Iceland (.is), Sint Maarten (.sx, Dutch) and Ascension Island (.ac, UK) in use, and that’s in 2013 alone! The next step could be the Peruvian TLD .pe, where The Pirate Bay could find another domain name harbor for a longer period of time. And if that doesn’t work out, there are quite a lot of other options left, according to insiders.

Source: [torrentfreak.com].

So the war of the “content mafia” against the “pirates” seems to never come to an end!

Edit: And a day later, it’s already [thepiratebay.pe]…

Edit 2: And we’re back to Sweden with [thepiratebay.se]. Plus, it seems that their .org domain is now always pointing at the current domain, so .org should always get you there, no matter what domain name The Pirate Bay is currently using.

Sep 30, 2013

So it was Germany’s big election day last week, and ours in Austria yesterday. Apart from some postal votes which have not yet been counted, the results are pretty much set in stone.

Now most of you will not be interested in this political article, so you may just skip it. But on the off chance that you actually are, here is what I think about what just happened here:

Some people called this election quite uninteresting, but I’d say it was quite the opposite. Never before did we have so much choice. The left liberals (LIF) came back after vanishing into thin air a few years back, now joined with the liberal NEOS party. Then there was our old “friend” Frank Stronach (emigrant to Canada and self-made tycoon) as well as the Pirates, a party focusing on freedom and privacy rights with the Internet at the core of its interests, standing in a nationwide election for the first time. Plus some smaller parties like the weird Christian hardliners or the anti-EU guys.

So, what happened? Traditionally, since the end of the Second World War (and before that as well), we have had two major strong parties, the red Social Democrats (SPÖ, the “workers’ party”) and the black Christian Democrats (ÖVP, the “businessmen’s and farmers’ party”), with the right-wing blue FPÖ party in a strong third position. For the last legislative period the two big ones ruled the country together, which mostly means tons of corruption and stagnation. After yesterday, the Austrian political map looks like this:

Party distribution map 2013

And if you want a more detailed version, here you go (the zoomed out part is our capital, Vienna):

Detailed party distribution map 2013

Remember: the workers’ party is red, the businessmen’s party black, and the right-wing people blue. Somewhat sad to say that I live in the blue part right there. Now don’t get me wrong, I’m not against some strict right-wing policies in certain areas, as long as they are not unfair and purely driven by hatred. But what they’re pulling off right now with their ultra-populist campaign makes them unelectable for me. And still they grew in power all over Austria, just short of second place actually.

On the bright side, tycoon Frank Stronach made it into parliament despite his blooper about death penalties for contract killers. His party platform is quite good though, mostly about more efficiency, less waste of tax money and far less corruption. Also, the liberal NEOS party made it in, in a surprisingly successful rush to power, also a party advertising fairness and a strong anti-corruption course.

To my disappointment, the Pirates, who could have used the NSA scandal for their freedom-on-the-Internet campaign, failed to do so entirely. There was no palpable presence in the media or anywhere, actually. No posters, nothing. So they failed to enter parliament, as did the center-right BZÖ party, a former spin-off from the right-wing FPÖ.

So, to sum things up:

Election results (German)

The big ones lost a bit – not enough to break their coalition to pieces though – the right wing grew significantly stronger, the green ultra-left wing did so too, but quite a bit less. While Frankie boy and the liberal NEOS enter parliament (a good thing!), the Pirates and the old Communist party (KPÖ) failed to achieve that goal. The rest are parties which did not stand for election nationwide anyway, so everything including and below the Christian hardliners (CPÖ) you can mostly forget about, like the men’s party (M) for instance.

I wouldn’t call this a total disaster, but it’s nowhere near a good result either. It’s cool that we got some fresh wind in the opposition, but the right-wing FPÖ (which is actually also quite corrupt and not as purely idealistic as one might think) grew a bit too much in my opinion. There should be a line drawn between a healthy strictness in fighting the exploitation of our country’s rules and laws by foreigners and an all-out hate campaign without any actual political foundation.

Also: Pirates, where art thou? You just missed the best chance you could have hoped for! There won’t be another Edward Snowden ready for your campaign on the next election day, I fear… That is, if you manage to actually mount a campaign the next time around. For now, all hope must reside in what we’ve got – Frank and NEOS.

Some images taken from and © by [ORF], original source is the [Ministry of the Interior].

Sep 10, 2013

With all that talk about the [National Security Agency] stealing our stuff (especially our most basic freedoms), it was time to look at a few things that Mr. Snowden and others before him have found out about how the NSA actually attempts to break certain encryption ciphers present in OpenSSL’s and GnuTLS’s cipher suites. Now that it has been clearly determined that an NSA listening post has been established in Vienna, Austria (protesters are on the scene), it seems a good idea to look over a few details here. Especially now that the vulnerabilities are widely known and potentially exploitable by other perpetrators.

I am no cryptologist, so I won’t try to convince you that I understand this stuff. But from what I do understand, there is a side-channel vulnerability in certain block cipher suites like, for instance, AES256-CBC-SHA or RSA-DES-CBC-SHA. I don’t know exactly what is vulnerable, but whoever listens closely at one of the endpoints (client or server) of such a connection may extract crucial information by looking at the connection’s timing information, which is the side channel. Plus, there is another vulnerability concerning the Deflate compression in the TLS protocol, which you shouldn’t confuse with things like mod_deflate in Apache, as this “Deflate” exists within the TLS protocol itself.

As most client systems – especially mobile operating systems like Android, iOS or Blackberry OS – are compromised and backdoored, it is quite possible that somebody is listening. I’m not saying “likely”, but possible. By hardening the server, the possibility of negotiating a vulnerable encrypted connection becomes zero – hopefully, at least.

Ok, I’m not going to say “this is going to protect you from the NSA completely”, as nobody can truly know what they’re capable of. But it will make you more secure, as some vulnerable connections will no longer be allowed, and compromised/vulnerable clients are secure as long as they connect to a properly configured server. Of course you may also lock down the client, by updating your browser for instance, as Firefox and Chrome have been known to be affected. But for now, the server side.

I am going to discuss this for the Apache web server specifically, but it’s equally valid for other servers, as long as they’re appropriately configurable.

First, make sure your Apache supports the SSL/TLS compression directive SSLCompression [on|off]. Apache web servers starting from 2.2.24 or 2.4.3 should have this directive. Also, you should use [OpenSSL >=1.0] (the link goes to the Win32 version; for *nix check your distribution’s package sources) to be able to use SSLCompression and also the more modern TLSv1.1 and TLSv1.2 protocol versions. If your server is new enough and properly SSL-enabled, please check your SSL configuration either in httpd.conf or in a separate ssl.conf included from httpd.conf, which is what some installers use as a default. You will need to change the SSLCipherSuite directive to not allow any vulnerable block ciphers, disable SSL/TLS protocol compression, and a few things more. Also make sure NOT to load mod_deflate, as this opens up loopholes similar to those of the SSL/TLS protocols’ own default compression!

Edit: Please note that mixing Win32 versions of OpenSSL >=1.0 with the standard Apache version from www.apache.org will cause trouble, so a drop-in replacement is not recommended for several reasons, two being that that Apache version is linked against OpenSSL 0.9.8* (breaking TLS v1.1/1.2) and also built with a VC6 compiler, whereas OpenSSL >=1.0 is built with at least a VC9 compiler. Running all-VC9 binaries (Apache+PHP+SSL) only works on NT 5.1+ (Windows XP/2003 or newer), so if you’re on Win2000 you’ll be stuck with older binaries, or you’ll need to accept stability and performance issues.

Edit 2: I have now found out that the latest version of OpenSSL 0.9.8, namely 0.9.8y, also supports switching off SSL/TLS Deflate compression. That means you can somewhat safely use 0.9.8y, which is bundled with the latest Apache 2.2 release too. It won’t give you TLS v1.1/1.2, but it leaves you with a few safe ciphers at least!

See here:

SSLEngine On
SSLCertificateFile <path to your certificate>
SSLCertificateKeyFile <path to your private key>
ServerName <your server name:ssl port>
SSLCompression off
SSLHonorCipherOrder on
SSLProtocol All -SSLv2
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!DHE-RSA-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!AES128-SHA:RC4-SHA:RC4-MD5:ALL

This could even make you eligible for a VISA/Mastercard PCI certification if need be. This disables all known vulnerable block ciphers and said compression. On top of that, make sure that you comment out the loading of mod_deflate, if not already done:

# LoadModule deflate_module modules/mod_deflate.so

Now restart your webserver and enjoy!
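To check a configuration against the points above without reading it by hand, here is an added example (not code from this post or from the Apache project): it parses an Apache SSL configuration fragment and reports which hardening points are missing. Both fragments embedded in it are constructed for the demo; the hardened one repeats the directives from the post with the placeholder paths left in, the weak one is a typical vhost that fails every check. When SSLCompression is absent, the checker assumes “on”, the conservative assumption for the Apache versions the post talks about; the cipher-name checks only cover the six CBC suites the post excludes.

```python
"""Audit an Apache mod_ssl config fragment for the hardening points in the post.

Added example, not code from the original post or from the Apache project.
Both configuration fragments below are constructed for this demo.
"""
import re

# OpenSSL cipher names that the post's SSLCipherSuite line excludes with '!'
CBC_SUITES = {
    "DHE-RSA-AES256-SHA", "AES256-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA",
    "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
}

# optional '#' + directive name + value; the comment marker is captured so
# that a commented-out LoadModule counts as *not* loading the module
DIRECTIVE_RE = re.compile(r"^\s*(#?)\s*(\w+)\s+(.*?)\s*$")


def parse_conf(text):
    """Return (directives, loaded_modules).

    directives maps lower-cased directive name -> last value seen (Apache
    directive names are case-insensitive); loaded_modules holds the module
    identifiers of uncommented LoadModule lines.
    """
    directives, loaded = {}, []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        commented, name, value = m.groups()
        if commented:
            continue
        name = name.lower()
        if name == "loadmodule":
            loaded.append(value.split()[0])
        else:
            directives[name] = value
    return directives, loaded


def excluded_ciphers(spec):
    """Names removed from an OpenSSL cipher list via the '!' prefix."""
    return {tok[1:] for tok in spec.split(":") if tok.startswith("!")}


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d, loaded = parse_conf(text)
    findings = []
    # assumption: an absent SSLCompression directive behaves like 'on'
    if d.get("sslcompression", "on").lower() != "off":
        findings.append("SSLCompression not off: TLS-level Deflate stays enabled (CRIME)")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder not on: the client's preference wins")
    proto = d.get("sslprotocol", "all").lower().split()
    if ("all" in proto or "sslv2" in proto) and "-sslv2" not in proto:
        findings.append("SSLProtocol still allows SSLv2")
    missing = CBC_SUITES - excluded_ciphers(d.get("sslciphersuite", ""))
    if missing:
        findings.append("SSLCipherSuite does not exclude: " + ", ".join(sorted(missing)))
    if "deflate_module" in loaded:
        findings.append("mod_deflate is loaded (HTTP-level compression)")
    return findings


# Constructed: a default-ish vhost that fails every check
WEAK_CONF = """\
SSLEngine On
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/key.pem
SSLProtocol All
SSLCipherSuite ALL:!aNULL:!eNULL
LoadModule deflate_module modules/mod_deflate.so
"""

# Constructed from the directives shown in the post, placeholders kept
HARDENED_CONF = """\
SSLEngine On
SSLCertificateFile <path to your certificate>
SSLCertificateKeyFile <path to your private key>
ServerName <your server name:ssl port>
SSLCompression off
SSLHonorCipherOrder on
SSLProtocol All -SSLv2
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!DHE-RSA-AES256-SHA:!AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!AES128-SHA:RC4-SHA:RC4-MD5:ALL
# LoadModule deflate_module modules/mod_deflate.so
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(conf)
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Feed it the text of your own ssl.conf and the weak fragment prints five findings while the hardened one prints none; the only thing it does not judge is the cipher *preference* order, which the post deliberately sets to RC4 first.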

The same thing can of course be done for mail servers, FTP servers, IRC servers and so on. All that is required is proper configurability and compatibility with secure libraries like OpenSSL >=1.0 or at least 0.9.8y. If your server can do that, it can also be secured against these modern side-channel attacks!

If you wish to verify the safety specifically against the BEAST/CRIME attack vectors, you may want to check out [this tool right here]. It’s available as a Java program, a .NET/C# program and as source code. For the Java version, just run it like this:

java -jar TestSSLServer.jar <server host name> <server port>

This will tell you whether your server supports Deflate, which cipher suites it supports and whether it is BEAST- or CRIME-vulnerable. A nice place to start! For the client side, a similar cipher suite configuration may be possible to ensure the client won’t allow the negotiation of a vulnerable connection. Just updating your software may be an easier way in certain situations, of course. A good-looking output of that tool might look somewhat like this:

Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_IDEA_CBC_SHA
     RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
     RSA_WITH_CAMELLIA_256_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
     TLS_RSA_WITH_SEED_CBC_SHA
     TLS_DHE_RSA_WITH_SEED_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_IDEA_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA256
     RSA_WITH_AES_256_CBC_SHA256
     RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA256
     DHE_RSA_WITH_AES_256_CBC_SHA256
     RSA_WITH_CAMELLIA_256_CBC_SHA
     DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
     TLS_RSA_WITH_SEED_CBC_SHA
     TLS_DHE_RSA_WITH_SEED_CBC_SHA
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_RSA_WITH_AES_256_GCM_SHA384
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
  2a2bf5d7cdd54df648e074343450e2942770ab6ff0: EMAILADDRESS=me@myserver.com, CN=www.myserver.com, OU=MYSERVER, O=MYSERVER.com, L=My City, ST=My County, C=COM
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected
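As an added example (not the tool’s own code, nor from the original post), here is a small Python parser for the report format shown above that flags the two things this section is about, TLS deflate compression and CBC suites still reachable under SSLv3/TLSv1.0; note that the listing above still contains Camellia, SEED and IDEA CBC suites, which the blacklist-style SSLCipherSuite does not name. It also flags RC4, which RFC 7465 later prohibited. The sample report is constructed from the output above.

```python
import re
# Constructed sample, shortened from the tool output quoted above.
SAMPLE = """\
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
  SSLv3
     RSA_WITH_RC4_128_SHA
     RSA_WITH_CAMELLIA_128_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_RC4_128_SHA
     TLS_RSA_WITH_AES_128_GCM_SHA256
----------------------
"""

def parse_report(text):
    """Return {'versions': [...], 'deflate': bool, 'suites': {version: [suite, ...]}}."""
    report = {"versions": [], "deflate": False, "suites": {}}
    current = None  # protocol version whose suite block we are inside
    for line in text.splitlines():
        if line.startswith("Supported versions:"):
            report["versions"] = line.split(":", 1)[1].split()
        elif line.startswith("Deflate compression:"):
            report["deflate"] = line.split(":", 1)[1].strip().lower() == "yes"
        elif line.startswith("-----"):
            current = None  # end of the cipher suite listing
        elif (m := re.match(r"  \((\S+): idem\)", line)) and current:
            report["suites"][m.group(1)] = list(report["suites"][current])  # same as block above
        elif (m := re.match(r"  (SSLv3|TLSv1\.\d)\s*$", line)):
            current = m.group(1)
            report["suites"][current] = []
        elif current and line.startswith("     "):
            report["suites"][current].append(line.strip())
    return report

def findings(report):
    """CRIME: TLS compression on. BEAST: CBC suites still reachable under SSLv3/TLSv1.0 (a
    blacklist-style cipher string misses Camellia/SEED/IDEA). RC4: prohibited by RFC 7465."""
    out = []
    if report["deflate"]:
        out.append("CRIME: TLS deflate compression is enabled")
    for ver in ("SSLv3", "TLSv1.0"):
        cbc = [s for s in report["suites"].get(ver, []) if "_CBC_" in s]
        if cbc:
            out.append(f"BEAST: {ver} still offers CBC suites {cbc} (safe only if the server prefers a non-CBC suite)")
    rc4 = sorted({s for v in report["suites"].values() for s in v if "RC4" in s})
    if rc4:
        out.append(f"RC4: {len(rc4)} RC4 suite(s) offered, prohibited since RFC 7465")
    return out
```

Feed it the full report of a real run and compare its CBC finding against the tool’s BEAST verdict: the two agree only when SSLHonorCipherOrder puts a non-CBC suite first.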

Plus, as always: Using open source software may give you an advantage here, as you can at least reduce the chance of a backdoor being introduced onto your system to eavesdrop on your connections. As for smartphones: Better downgrade to Symbian or just throw them away altogether, just like your tablets (yeah, that’s not the most useful piece of advice, I know…).

Update: And here a little something for your SSL-enabled UnrealIRCD IRC server.

This IRC server has a directive called server-cipher-list in the context set::ssl, i.e. set::ssl::server-cipher-list. Here is an example configuration; all the non-SSL specific settings have been removed:

set {
  ssl {
    trusted-ca-file "your-ca-cert.crt";
    certificate "your-server-cert.pem";
    key "your-server-key.pem";
    renegotiate-bytes "64m";
    renegotiate-time "10h";
    server-cipher-list "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA";
  };
};

Update 2: And some more for the Gene6 FTP server, which is not open source but still extremely configurable. Just drop in OpenSSL >=1.0 (libeay32.dll, ssleay32.dll, libssl32.dll) as a replacement and add the following line to the settings.ini files of your SSL-enabled FTP domains; you can find those files in the Accounts\yourdomainname subfolders of your G6 FTP installation:

SSLCipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA

With that and those OpenSSL >=1.0 libraries, your G6 FTP server is now fully TLSv1.2 compliant and will use only safe ciphers!

Finally: As I am not the most competent user in the field of connection-oriented encryption, please just post a comment if you find some incorrect or missing information, thank you!

Sep 06 2013

So Uwe Boll has run out of [Nazi gold]. This had to happen some day, right? Once I was a serious enemy of all of Uwe Boll’s creations, because frankly, all his game-based movies were massive trash. Mostly. And then he somehow managed (Nazi gold it must’ve been ;) ) to raise the money for a [Postal movie]. And he cast a blonde guy named [Zack Ward] as the Postal Dude, how the HELL can you hire a blonde guy to play the Postal Dude?

I thought he was about to destroy what was one of the most awesome and controversial games ever to exist: pissing on people, using cats as gun suppressors, Muslims vs. Christians, parents with assault rifles raiding a video game company for their “violent” games etc., an extremely black satire filled with tons of stereotypes.

So, as I was a big fan of the Postal² game, I had to get that movie just to see how much Uwe would’ve raped Postal. I did so illegally actually, as I was convinced no Uwe Boll trash can be worth hard cash. And then I watched it.

Boy was I wrong! For me, Uwe Boll shot from 0% to 100% credibility in this niche market, all due to Postal. And Zack Ward? He actually did fine! You got stupid Muslim extremist terrorists, Osama, Bush, monkeys raping a midget, and Uwe Boll himself getting killed in the movie. Even the cat suppressor from the Postal² game is there!

Cat suppressor

Just… don’t think about it too much, or your head will hurt!

Like the games, this is not for the faint of heart of course. As a satire it sits at the absolute maximum level of violence and political incorrectness, making fun of religious groups, celebrities, even the retarded if I recall correctly. Even kids die! And there are nukes! It is VERY easy to be offended by at least some of the scenes shown. Which is ok, the Postal and Postal² games were all the same. And a big bonus: The ending is the most awesome I have ever seen in a movie. And the ending is always the most important thing, you cannot mess that up, ’cause that’s what the viewer will remember most. And Postal’s ending in my opinion was just beyond great!


The Postal Dude – he tried to be peaceful! But at some point, they just pissed him off too much!

So I had decided to buy the [Blu-Ray] after its release and also got the [Postal Soundtrack] because I wanted Mark Polak’s “The magic sound” that plays during the awesome ending.

Mind you, the movie is still massive trash. The dialogues are shit, the plot is – while existent – absolutely stupid, but frankly, I wouldn’t LIKE that movie if it was of high quality. It being so crappy perfectly fits the bill here, as it’s even greater fun that way.

Good pals!


And now, to the point: Uwe Boll wants to do a Postal 2 movie. And since the Nazi gold has been used up, and nobody else wants this shit, it seems we have to help him. Yes, the most-hated movie director of all time – at least amongst gamers – is asking for our help. And he does so on [Kickstarter]! Amongst the crazy, borderline insane videos Uwe Boll is posting there, there is also a more sincere one, see this:

Well, if he is going to make fun of the NSA, Celebrities, all possible religious factions and the general political situation at the moment, call me an idiot, but I’m all for it, which is why I am supporting this piece of trash!

Years ago, I would’ve hated somebody supporting Uwe Boll so much, I probably would’ve caused a shitstorm deluxe at any Blog asking for support for that guy. But Postal changed my mind. And I think Postal 2 could really be awesome. He said that he would bring in around $1 million himself, but needs another half million to be able to pull it off. So far, support has been slowly growing, but I hope there are more people out there who enjoyed Postal. If so, here’s your chance to get another piece of super ultra trash from Uwe Boll!

So yeah, I am actually really saying this.

[Go Support Postal 2]!

Jul 24 2013

Most people who had to tackle the problem I was confronted with probably know all about what I’m going to say now anyway. But still: Recently a hard drive in our NAS box at work failed, and the only locally available replacement drive was a Western Digital Greenpower 2TB, exact model WDC WD20EARX-00PASB0. And all of these drives, including the more “professional” series like RE4-GP or WD Blacks, have a really serious problem with their firmware.

What the drive is trying to do is to park its read/write heads very quickly. In the case of my drive, it attempted to do that every 8 seconds. What it managed to do in the end was to park the heads every 27 seconds. That meant that over a runtime of 327 hours the drive had accumulated more than 43.000 load/unload cycles. That’s in slightly less than 2 weeks. At >200.000 it gets really unhealthy, as you’re then marching towards mechanical failure. See here:

root@TS-XLC62:~# echo && smartctl -d marvell -a /dev/sda | grep -i -e power_on -e load_cycle

  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       327
193 Load_Cycle_Count        0x0032   186   186   000    Old_age   Always       -       43450

Now WD support told me that there is no software or firmware update for my product and that everything had been manufactured to the highest quality standards, blah blah blah. That turns out not to be true. For the WD RE4-GP they’re offering a tool called [wdidle3] that can change the so-called “Idle3” timer in the firmware of ALL modern Western Digital drives, not just the RE4-GP. You can set it to a maximum of 300 seconds (5 minutes) or disable it entirely, after which the heads will only be parked on power cycle or when requested by the operating system. The way it should be.

You can do that by creating a [boot disk] or [bootable USB pendrive] with DOS on it, putting wdidle3.exe on that drive and booting from it. Then you can do things like:

  • wdidle3.exe /R (Report the current Idle3 Setting, typically 8.000 or eight seconds)
  • wdidle3.exe /S300 (Sets the Idle3 timer to its maximum of 300 seconds.  This will create ~288 load-/unload-cycles per day in 24/7)
  • wdidle3.exe /D (This sets the timer to 3720 seconds or 62 minutes, which seems to be interpreted as “disabled”. No more parking)

Obviously, the “disabled” option (“/D”) is what one would want to go for. In that mode, the heads can still be parked by the OS itself, but otherwise they’ll just hold still, as all other hard drives do. After the next reboot the drive should behave normally.
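The “simple math” behind these numbers, as an added Python example that is not part of the original post: it parses the two smartctl rows shown above and projects when the 200.000 cycle mark would be reached, both at the observed rate and with the Idle3 timer set to 300 seconds. The sample rows are copied from the output above; the 200.000 threshold is this post’s rule of thumb, not a manufacturer figure.

```python
import re

# Constructed sample: the two smartctl attribute rows quoted above.
SMART_LINES = """\
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       327
193 Load_Cycle_Count        0x0032   186   186   000    Old_age   Always       -       43450
"""

# One row of the 'smartctl -a' attribute table: id, name, flags, value, worst, thresh, type, updated, when_failed, raw
ATTR_ROW = re.compile(
    r"\s*\d+\s+(?P<name>\S+)\s+0x[0-9a-fA-F]{4}(?:\s+\d+){3}\s+\S+\s+\S+\s+\S+\s+(?P<raw>\d+)\s*$")

def parse_smart(text):
    """Map attribute name -> raw value for the attribute rows found in text."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_ROW.match(line)
        if m:
            attrs[m.group("name")] = int(m.group("raw"))
    return attrs

def wear_report(attrs, threshold=200_000):
    """Derive the observed parking interval and the hours left before the
    load cycle count reaches 'threshold' at the observed rate."""
    hours, cycles = attrs["Power_On_Hours"], attrs["Load_Cycle_Count"]
    per_hour = cycles / hours
    return {
        "cycles_per_hour": per_hour,
        "seconds_between_parks": 3600 / per_hour,
        "hours_to_threshold": (threshold - cycles) / per_hour,
    }

def days_to_threshold(idle3_seconds, threshold=200_000):
    """Days a drive running 24/7 needs to reach 'threshold' cycles when the
    Idle3 timer parks the heads every idle3_seconds (300 after /S300)."""
    return threshold / (86400 / idle3_seconds)

if __name__ == "__main__":
    r = wear_report(parse_smart(SMART_LINES))
    print(f"parks every {r['seconds_between_parks']:.0f} s, "
          f"{r['hours_to_threshold'] / 24:.0f} days until 200000 cycles")
    print(f"with Idle3 = 300 s: {days_to_threshold(300):.0f} days until 200000 cycles")
```

Run against the drive above it reports a park every 27 s and roughly 49 days left; even at /S300 the same mark is reached in under two years of 24/7 operation.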

I find it quite sad and frankly pathetic that WD is trying to sell us a “Green IT” hard drive that actually wastes more resources than it saves. Even in normal desktop usage, these drives often die prematurely because of this artificially designed parking crap-feature! This wastes metals / rare earths, plastics and energy required to build replacement drives, and far more so than the little bit of energy you’re saving by having your heads parked. One might argue that the feature is designed in such a way that drives typically fail right after the end of the warranty period for the largest target audience, the common desktop PC user.

For anything not “RAID Edition” WD doesn’t even give you the solution, even though it would work! Regular WD GP disks can be configured by wdidle3 just fine. They all seem to use the same firmware anyway. And yet WD says “there is no tool for your drive and nothing wrong here”. They also did not comment on my SMART statistics and my simple math showing my lifetime predictions.

A hard drive that would just work for 10 years out of the box would save a lot more resources and energy. By simply NOT dying or artificially killing itself. Now how about that for Green IT?

I hate it when companies are lying to people like that and then even trying to deny them knowledge about the clearly existing possibilities to fix the problem. You could have made it right, WD. But you didn’t. FU!