**** BEGIN LOGGING AT Sat Apr 09 02:59:58 2016
Apr 09 05:11:21 Can someone explain why every site uses OAuth instead of just the usual username/password? I mean, I understand why it works and all, but it adds sooooo many steps to anything that actually wants to use the site
Apr 09 05:12:21 eg; To login to a site it's one http request, and you're in. To get the OAuth bearer token it's 5 http requests
Apr 09 05:13:25 never looked into it
Apr 09 05:13:53 I recommend you don't :P
Apr 09 05:14:23 seems like currently there's a general trend to complicate internet in hope of spoiling NSA's day a 5 minutes
Apr 09 05:14:43 futile efforts
Apr 09 05:16:03 particularly HTTPS encryption on every cheesy public website doesn't make much sense to me
Apr 09 05:18:26 I mean, everybody sees you connect to that IP. Does anybody really think some TLAs feel pissed when they need to decrypt SSL to know which particular page on that site you read? (if they even need to do that and can't simply tell from size and sequence of the packets which page you requested and downloaded)
Apr 09 05:20:11 The best are the sites that don't even have a login
Apr 09 05:20:29 Then they get all happy and post news on the site "We've updated to HTTPS guys!"
Apr 09 05:20:31 but sure, we suffered heartbleed and fixed the vuln in SSL for a reason, we don't want to let this brilliant piece of software bitrot now. Harrr, use it wherever you can!!
Apr 09 05:20:55 azkay: exactly what I'm speaking about
Apr 09 05:22:53 It's the same sort of thinking that goes behind software/games today
Apr 09 05:23:05 "No need to have small files, or optimise the game. We have hardware!"
Apr 09 05:23:39 Instead of having something small and quick, they rather have something bloated and terrible, just because today's hardware is good enough to bruteforce through the code
Apr 09 05:25:32 I suspect it's because they don't see the economic benefit to making it small and quick.
Apr 09 05:28:22 look, I just edited a wiki page on wmo, now even when I did all this via HTTPS, I still downloaded a certain number of chars of content, then uploaded a different particular number of chars. Does anybody really believe it would be any difficult to find the page I edited, when you got a complete mirror of the site before and after my edit?
Apr 09 05:29:02 You wouldn't need the sizes. The history has dates in it.
Apr 09 05:31:05 you don't even need a complete mirror from after edit, the usage pattern alone would tell a sniffer of my traffic which wikipage I edited
Apr 09 05:32:09 I think HTTPS is probably better at preventing MitM attacks than preventing authorities from reading your data afterwards.
Apr 09 05:32:37 let's_encrypt... the higher rationale completely eludes me
Apr 09 05:34:37 but I don't think even the latter thing is particularly easy.
Apr 09 05:35:24 as for heartbleed, lots of software at a similar level has similarly destructive bugs.
Apr 09 05:35:52 the OpenSSL-related attacks would be things like the Dual EC DRBG thing.
Apr 09 05:36:28 and even with that, people had been publishing that it was potentially insecure before it was standardised.
Apr 09 05:37:10 the reason it was popularised was probably political, not technical.
Apr 09 05:38:23 the NSA paid some guys that implemented SSL some money to make it their default DRBG .. how did it get standardised in the first place, even when people were pointing out that it was flawed?
Apr 09 05:38:38 the first two bullets alone make me wonder what's the purpose of such paradox thing >> * Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
* Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.<< I don't think a certificate that can get by anybody free
Apr 09 05:38:39 of cost and without any decent checks other than "yes that's actually my site, I can place an ascii file there" makes for a particularly *trustworthy* cert
Apr 09 05:38:47 https://letsencrypt.org/about/
Apr 09 05:40:08 I haven't looked too much into letsencrypt, but it just seems like a thing to give slight (time-dependent) assurance over who you're talking to.
Apr 09 05:40:16 SSL is a crock design to give people a false sense of security
Apr 09 05:40:23 but it doesn't deride the security provided by people using something else.
Apr 09 05:40:38 Google isn't going to start using something like letsencrypt.
Apr 09 05:40:40 ds3: absolutely
Apr 09 05:41:23 You can say that about anything. Many things, including SSL, ssh, etc provide legitimate security.
Apr 09 05:41:37 Neither of those things magically fix security issues.
Apr 09 05:42:23 You need to consider what they do to understand what security they provide.
Apr 09 05:43:33 You can potentially use SSL like you do ssh (where you normally store a fingerprint you're meant to have read and manually verified at some point).
Apr 09 05:44:01 If you don't do that, you're delegating that check to root certificates and naming authorities.
Apr 09 05:45:52 In the absence of software bugs (which are not specific to SSL), you can still be fairly sure that the guy you're talking to is the one with the private key for the public one you found at the beginning of your session.
Apr 09 05:46:07 unless that guy has accidentally released his private key.
Apr 09 05:49:27 Why lock your door when someone can just your window?
Apr 09 05:49:33 s/just/just break/
Apr 09 05:49:34 Maxdamantus meant: Why lock your door when someone can just break your window?
Apr 09 06:09:22 https://botbot.me/freenode/devuan/2016-04-03/?msg=63441021&page=2
Apr 09 06:13:35 https://botbot.me/freenode/devuan/2016-04-03/?msg=63441323&page=3
Apr 09 07:04:03 DocScrutinizer05: if you want some harder security, you can do certificate pinning in various forms for https at this point
Apr 09 07:04:09 well ok, two forms
Apr 09 07:04:24 pin on your own end-entity key, or pin on the CAs that you trust
Apr 09 07:05:34 Maxdamantus: more like "why lock your door when SWAT can still get in"
Apr 09 07:08:45 that's not the threat https protects you from
Apr 09 07:09:00 i mean, don't get me wrong, with proper pinning and very conservative settings it can actually help
Apr 09 07:09:16 but confidentiality is not necessarily the main thing
Apr 09 07:09:31 integrity is also a huge deal
Apr 09 07:13:03 guys
Apr 09 07:13:17 maybe some of you can help, at least philosophically :)
Apr 09 07:14:39 on one hand i've got yappari, which implements whatsapp protocol in a module that i want to replace with coderus' library
Apr 09 07:15:00 the api of my module and his library don't match
Apr 09 07:15:12 so it's not simply a matter of changing one thing with the other
Apr 09 07:15:42 so the question is... how should I proceed?
Apr 09 07:16:07 ditch my module once and for all and start porting my code to use the new api all at once
Apr 09 07:16:44 or should i try to make my module's api match that of coderus, little by little, while updating the rest of the code to this new api?
Apr 09 07:18:28 or make a module that provides your API but just interacts with coderus.
Apr 09 07:19:10 a "façade" or something.
Apr 09 07:19:21 uhm, didn't think about that
Apr 09 07:21:32 which would you go for?
Apr 09 07:27:07 Depends.
Apr 09 07:27:20 All of them seem sensible in different circumstances.
Apr 09 07:28:02 unless it's particularly large an API, I'd probably either go for the first one (ditch it) or the last one (emulate it).
Apr 09 07:28:27 afk
Apr 09 07:44:09 DocScrutinizer05: using HTTPS on all websites is important. who said that it has to be openssl? there are plenty of alternatives (libressl, mbedtls, ...)
Apr 09 07:44:47 even better, on the state of the onion talk at CCC it was suggested that the next step would be for every site to be a tor hidden service
Apr 09 07:45:33 yeah sure¡ that scales excellent ;-P
Apr 09 07:45:47 looks like it does
Apr 09 07:45:54 if the tor developers suggest it?
Apr 09 07:45:57 prolly been suggested by server manufacturers
Apr 09 07:46:30 the developers of tor actually suggested it.
Apr 09 07:47:15 I don't care who suggests to put double the number of ricecorns on each next square of the checkerboard
Apr 09 07:48:48 what do you mean? the additional code running on the server (tor) or the additional network bandwidth?
Apr 09 07:50:14 fwiw, *google* said that when they forcibly enabled TLS for gmail they barely felt the increased load
Apr 09 07:50:23 and they have a fuckton of connections
Apr 09 07:51:15 * Maxdamantus thought SSL was making the `curl` command really slow for a while.
Apr 09 07:51:38 turned out it was actually the fact that it spent so much time mmapping certificate files.
Apr 09 07:52:42 Even with -k
Apr 09 07:54:43 Maxdamantus: which curl?
Apr 09 07:54:45 on the n900?
Apr 09 07:54:49 our openssl is shit
Apr 09 07:54:56 No. Just whatever's in Debian.
Apr 09 07:55:26 it wasn't on the N900. On some Xeon machine.
Apr 09 07:55:44 always spends something like 100 ms mmapping certificates.
Apr 09 07:56:35 Will probably just start automating things using wget if it involves SSL.
Apr 09 08:30:11 * DocScrutinizer05 wants to hear one sound argument _why_ >>using HTTPS on all websites is important<<
Apr 09 08:30:54 Because it effectively prevents attacks across LANs.
Apr 09 08:31:16 that's one.
Apr 09 08:31:25 ever used a LAN?
Apr 09 08:31:43 all your packets are belong to me.
Apr 09 08:34:58 DocScrutinizer05: great!
(serial console)
Apr 09 08:35:07 :-)
Apr 09 08:35:20 what was the problem with garbage chars?
Apr 09 08:36:15 minicom
Apr 09 08:36:23 ah :)
Apr 09 08:37:38 "amazingly" it works with a 1V8 adapter though the N900 indeed has 2.8V LV-RS232
Apr 09 08:38:19 well, the adapter doesn't mind, at least. didn't check inbound towards N900
Apr 09 08:38:36 DocScrutinizer05: to prevent dragnet surveillance and to prevent content injection
Apr 09 08:38:52 and possibly even more importantly, to prevent encryption from becoming a signal of important data
Apr 09 08:39:05 kerio: how would HTTPS protect me against dragnet?
Apr 09 08:39:54 I mean, the sender and destination IPs are inevitably "plaintext"
Apr 09 08:39:57 because grepping for "GET" or "Host" is incredibly super ultra duper easier than trying to match sizes with content and relying on SNI
Apr 09 08:40:43 and how would I care if somebody knows the content I fetch from a public website?
Apr 09 08:41:20 everybody can fetch same content themselves
Apr 09 08:41:26 You're free to publish your browser history if you want.
Apr 09 08:41:50 I'd rather not personally.
Apr 09 08:43:46 I don't need to try and >> match sizes with content and relying on SNI<< I know when you're on porntube simply by your TCP traffic
Apr 09 08:44:14 yeah because nobody has been blackmailed because of his preference for trannies before
Apr 09 08:44:22 do you really think I care which video you prefer to watch?
Apr 09 08:44:37 do you really think i give a shit about what YOU care about?
Apr 09 08:45:09 btw you'll give that away as soon as you visit a similar site
Apr 09 08:45:20 if i were living in a theocracy where homosexuality is punishable by death i would care A WHOLE INSANE AMOUNT about the fact that you don't know which videos i prefer to watch
Apr 09 08:45:20 why won't you use something like whatsapp then, DocScrutinizer05?
Apr 09 08:45:38 ok, kerio, you made it on my ignore list again
Apr 09 08:46:09 Be careful ceene, doc is extremely sensitive about his opinions.
Apr 09 08:46:12 wew, DocScrutinizer05 doesn't know how to answer and decides to ignore again
Apr 09 08:47:10 ds3: you're so damn right
Apr 09 08:49:02 people think they better use HTTPS when they visit a site that has dangerous and normal content next to each other ;-P
Apr 09 08:49:28 and that should protect them from any evil
Apr 09 08:49:46 I don't think most people actually think that.
Apr 09 08:49:56 * DocScrutinizer05 wonders how many such sites actually exist at all
Apr 09 08:50:07 https at this point is the very bare minimum
Apr 09 08:50:08 but ok
Apr 09 08:50:25 keep building strawmen and taking them down
Apr 09 08:50:32 this is literally the same as anti-vaxxers
Apr 09 08:50:35 Most people won't know what HTTPS is and are probably already pessimistic about computer security.
Apr 09 08:51:16 and my question why that justifies "HTTPS in *everything*" is still unanswered
Apr 09 08:51:38 Why not?
Apr 09 08:51:47 thank fuck the browser makers are smarter than this
Apr 09 08:52:28 yeah, even if https is not the best thing, it's still better sending letters inside closed envelopes rather than postcards
Apr 09 08:52:55 ahhyes, and I get my newspaper in a closed envelope too
Apr 09 08:53:09 It's not like it's any extra effort on the users' parts.
Apr 09 08:53:14 ceene: except that instead of "closed envelope" it's more like "titanium safe with biometric locks and stamps"
Apr 09 08:53:51 and I don't even know who's the one who closed the envelope
Apr 09 08:54:07 i concur with Maxdamantus, most of the time the answer to "why?" is "why not?"
Apr 09 08:54:21 yes you do, authentication and integrity is part of the protocol
Apr 09 08:54:43 because people think it's a security that it actually isn't
Apr 09 08:54:51 Like locking your doors?
Apr 09 08:55:21 Do you not lock them?
Apr 09 08:55:39 or if you do? Why?
People can probably get in anyway.
Apr 09 08:55:40 letsencrypt rendered HTTPS even more useless than it been before
Apr 09 08:55:55 holy shit that's a new low
Apr 09 08:56:15 since now you must assume a cert has no meaning at all anymore
Apr 09 08:56:38 No. Only letsencrypt certs, which are easily identifiable.
Apr 09 08:57:06 Maxdamantus: LE does the same domain verification that's in the baseline requirements
Apr 09 08:57:08 that literally every CA does
Apr 09 08:57:40 https://botbot.me/freenode/devuan/2016-04-03/?msg=63441587&page=3
Apr 09 08:58:28 kerio: well, there's another group to trust.
Apr 09 08:58:33 yeah, let's base our authentication on pinnings that rely on 1024 bit rsa
Apr 09 08:58:45 you know your data is encrypted but you still don't know who's the server
Apr 09 08:59:16 that's still better than nothing, isn't it?
Apr 09 08:59:28 Maxdamantus: they're FAR from being the most untrustworthy group in the CA business
Apr 09 08:59:37 at least only one data robber at a time
Apr 09 08:59:40 ceene: arguably, no. But what he said isn't really true.
Apr 09 08:59:59 it's ok, he can keep building more and more strawmen
Apr 09 09:00:24 let's face it: when a rogue software injects a /etc/hosts to point my online banking to another IP, no friggin SSL will warn or help me, unless I do cert pinning
Apr 09 09:00:29 i know, but just for the sake of the argument, i'd rather only one non authorized person has access to my data
Apr 09 09:00:46 So how does it verify things? By doing DNS lookups and requests from lots of places or something?
Apr 09 09:00:47 rogue software can alter your pins
Apr 09 09:01:01 (letsencrypt, that is)
Apr 09 09:01:03 nice try
Apr 09 09:01:46 Maxdamantus: they rely on their own recursive resolver for dns verification, and i think that at this point they only check from one of a handful of servers for http/sni verification
Apr 09 09:02:31 >>one robber at a time<< ?
You a) lost me and b) that doesn't sound like any known approach to security
Apr 09 09:03:08 you may be talking to a server you're not sure is the one you intended
Apr 09 09:03:16 but at least the data is encrypted
Apr 09 09:03:21 wow
Apr 09 09:03:25 :P
Apr 09 09:03:39 so you're only giving your data to one bad guy at a time
Apr 09 09:03:51 exactly my point, no use at all, and many people fall for a false sense of security from it
Apr 09 09:03:56 not that it's very good, but is still better than announcing it all in the paper
Apr 09 09:03:56 ceene: please stop enabling his echo chamber
Apr 09 09:04:51 nah, i should get going with this whatsapp thing, but even the registration api is so much different
Apr 09 09:04:52 brainless hype
Apr 09 09:05:08 i hate it all
Apr 09 09:07:27 so far I had maybe 3 or 4 sites where I knew I need to have an eye on the certs. Now they start to shit my roof with certs and managing them in a reasonable way becomes absolutely impossible
Apr 09 09:07:54 if only there was a way to automate that
Apr 09 09:09:46 >>Privacy and anonymity depend in the same way on common sense and experience as other elements of life. If you want to protect yourself you need to educate yourself. << https://www.ipredator.se/page/about
Apr 09 09:11:08 try to convey this message to a HTTPS fanboy who got no clue but "hey, every site I visit is encrypted now!"
Apr 09 09:14:19 before letsencrypt you hardly found a site URL like www.DeutscheBank.bla.service.894374179651785610786.roguehacker.com with a valid cert
Apr 09 09:14:54 oh god he's even believing the shit that namecheap posted
Apr 09 09:15:09 ceene: what was that FOSS library for whatsapp encryption?
Apr 09 09:15:51 since no decent certification instance would have accepted the obviously fake part DeutscheBank, and a wildcard cert is expensive and not THAT easy to get
Apr 09 09:15:56 ceene: isn't it implement the protocol as well?
Apr 09 09:16:04 *implementing
Apr 09 09:16:44 a wildcard cert costs 45$, you get one by answering a single email, and it doesn't work with multiple . parts anyway
Apr 09 09:17:09 btw cert instances usually don't accept bitcoins
Apr 09 09:19:56 so yeah, automated SSL certs for everybody sure are a huuuuge step ahead for global internet security
Apr 09 09:20:13 they are, yes
Apr 09 09:21:30 DocScrutinizer05: re n900 serial console - could you reconsider your stance about europa and remote access to the device?
Apr 09 09:21:41 as a side effect decent certs will become more expensive
Apr 09 09:21:51 or you still think it is better to send it to me?
Apr 09 09:21:53 sure
Apr 09 09:22:20 I can install Europa again and connect it there
Apr 09 09:22:22 np
Apr 09 09:22:43 great, that way Pali could have be given access as well
Apr 09 09:22:50 you'll have access a 2 to 5 days earlier this way, even
Apr 09 09:22:57 * freemangordon needs moar coffee
Apr 09 09:22:59 yep, also np
Apr 09 09:23:04 yes
Apr 09 09:23:50 DocScrutinizer05: but we shall discuss it before doing so, as there might be some problems we didn't think of
Apr 09 09:24:09 and I'll install a LE on Europa.... wait, I don't run a webserver on it at all
Apr 09 09:24:15 like - how to flash it remotely without pestering you every time
Apr 09 09:24:29 how to choose which kernel to boot
Apr 09 09:24:37 hmm...
Apr 09 09:24:39 umm, I guess I can manage that
Apr 09 09:24:40 whatsapp have own encryption implementation if good heared...
Apr 09 09:24:52 drathir: yep
Apr 09 09:25:44 freemangordon: using my proven relaycard for battery should do, no?
Apr 09 09:25:44 Pali: is nfsboot the only sane option for booting n900 without having physical access to it?
Apr 09 09:26:08 freemangordon: probably yes
Apr 09 09:26:21 btw nice ovh gettin new 100G line us-uk ^^
Apr 09 09:26:26 DocScrutinizer05: it should when it comes to reset, but I can't imagine how we can choose options in u-boot menu remotely
Apr 09 09:26:38 you can set up device in a way so it powers up always
Apr 09 09:26:59 oooh, that might be a tad harder to solve, yes
Apr 09 09:27:04 yeah
Apr 09 09:27:12 or even impossible
Apr 09 09:27:19 you'd need a special uboot hack for that
Apr 09 09:27:39 one that simply uses USB instead touchscreen, or whatever
Apr 09 09:27:55 and that'll make things way more complicated than simply sending the device to me :(
Apr 09 09:28:18 then otoh why do you need uBoot?
Apr 09 09:28:24 well, lets proceed as planned initially, if Pali needs something done I will do it for him
Apr 09 09:28:28 and remember to get rid of that start screen in case power cut...
Apr 09 09:29:03 drathir: at that point the interesting stuff already happened ;-)
Apr 09 09:29:10 that one where language date time typing...
Apr 09 09:29:15 DocScrutinizer05: because if mainline gets unbootable, it is way easier to boot stock (or KP) and fix whatever needs to be fixed
Apr 09 09:29:36 rescueOS?
Apr 09 09:30:00 see, all this is possible, but very complicated
Apr 09 09:30:10 possibly, yes
Apr 09 09:30:32 so instead of focusing on bugfixing we'll have to waste time solving boot issues
Apr 09 09:30:38 well, think about it a while, I'll not send it before monday anyway
Apr 09 09:30:58 Pali: ^^^
Apr 09 09:31:56 DocScrutinizer05: will do, but the more I am thinking about it, the more it becomes obvious remote access is not a viable option for complicated stuff
Apr 09 09:32:25 another example - how one is supposed to understand what happens with kbd leds?
Apr 09 09:32:38 flashing really is a lightweight process, and I guess you could do a simple little hack with kernel cmdline by flasher too, to choose what shall get booted
Apr 09 09:32:55 how to open or close the keyboard?
Apr 09 09:32:57 that all remembered me i need soon setup grub/boot ssh access to be able remotely unlock home server ;p
Apr 09 09:33:18 DocScrutinizer05: keep in mind we have maemo booted, not some simple rootfs
Apr 09 09:33:36 well, when you want to do stuff like that, it's prolly easier to send the device than to build a robot arm here
Apr 09 09:33:43 exactly
Apr 09 09:34:25 not that I couldn't operate the hall sensors with simple electromagnets instead slider...
Apr 09 09:34:53 but when it comes to touchscreen and LED inspection, I pass
Apr 09 09:35:27 DocScrutinizer05: live led stream with camera ;p
Apr 09 09:35:37 sure, you can, but it isn't worth it
Apr 09 09:35:40 * DocScrutinizer05 idly wonders how Nokia implemented their Remote Device Access
Apr 09 09:35:53 hmm, yeah
Apr 09 09:36:07 but rouchscreen is a mystery for me...
Apr 09 09:36:20 touchscreen*
Apr 09 09:37:52 drathir: I *could* emulate touchscreen with two potentiometers and a switch for pen-down/up
Apr 09 09:38:28 but I don't feel eager to set up such test rig
Apr 09 09:39:53 DocScrutinizer05: oh that interesting...
Apr 09 09:42:58 drathir: one line touchscreen crashcourse: 4wire-ts means it has 4 pins: L, R, U, D. internally that 4wire-ts is L--resistor-A-resistor--R and U--resistor-B-resistor--D, A and B connect on pen-down and the 4 resistors depend in size upon the point on screen you touch
Apr 09 09:44:02 very very simple
Apr 09 09:46:47 to give more detail: the 2 resistors between L and R are actually just one long resistor and the only thing that changes is the position of the touchpoint A. Same for Up and Down
Apr 09 09:48:37 freemangordon: encryption is based on libaxolotl (recently renamed to libsignal).
Coderus wrote libwa which implements whatsapp protocol using libaxolotl
Apr 09 09:48:40 so you have two long (and wide) transparent resistor films and when you push the upper film down then the two touch in A-B
Apr 09 09:48:48 so the work to be done is making yappari use this library
Apr 09 09:49:29 drathir: tell me when you find a shorter easier explanation of a resistive 4wire touchscreen :-)
Apr 09 09:50:51 ceene: is the library still working fine? asking because the N9/SFOS guys seem to be stuck if tmo is anything to go by
Apr 09 09:55:16 DocScrutinizer05: remote device access: it may have worked through or same way as in SB
Apr 09 09:55:23 freemangordon: how hard would it be to patch uBoot so it takes kernel cmdline options and acts accordingly? We can alter cmdline by flasher
Apr 09 09:55:39 the thing is coderus has decided not to continue anymore
Apr 09 09:55:47 if anything changes, his app won't follow
Apr 09 09:55:54 Sicelo: yep, good point indeed
Apr 09 09:55:58 the library, at the moment, should work just fine
Apr 09 09:57:33 i think i read problems with registration for example
Apr 09 09:58:14 DocScrutinizer05: no idea, it is Pali that should answer that question
Apr 09 09:59:51 registration doesn't work?
Apr 09 10:00:00 bah, i just dont know if it is all worth the effort
Apr 09 10:00:06 i seem to have read so. ..let me check
Apr 09 10:00:50 once no more s40 versions are released it will be much harder to RE the protocol
Apr 09 10:01:43 I wonder why they don't support FOSS implementations, that's insane
Apr 09 10:02:49 ceene: http://talk.maemo.org/showthread.php?t=94689&page=95 .. or that application not using coderus lib?
Apr 09 10:02:53 I mean, the whole watsabi thing is server based anyway, so they wouldn't lose control
Apr 09 10:04:20 I don't think you'd need to modify u-boot.
Apr 09 10:05:20 They should be in RAM, right? u-boot should have commands to read RAM into variables.
Apr 09 10:05:35 whatsup for jolla is from cepiperez
Apr 09 10:05:43 i think his codebase differs from that of coderus
Apr 09 10:05:47 ah :)
Apr 09 10:06:07 i think it's more similar to mine, in fact
Apr 09 10:06:24 i don't quite get why they don't make development public, as I do
Apr 09 10:06:29 it'd help us all
Apr 09 10:06:53 Jolla?
Apr 09 10:07:05 or watsup
Apr 09 10:07:19 whatsup
Apr 09 10:07:24 well, jolla too
Apr 09 10:09:49 ooooh there's *one* thing and that's their insane coupling to smartphone number for PC client which would get rendered hackable with open source implementation
Apr 09 10:10:44 so far you need a phone number (no matter how little sense that makes)
Apr 09 10:11:45 it makes sense if you think about who it was created for :)
Apr 09 10:11:50 even if they'd allow open clients they could still enforce that
Apr 09 10:12:15 hardly, unless they send SMS with auth code
Apr 09 10:12:28 and that's exactly what they do
Apr 09 10:12:34 o.O
Apr 09 10:12:51 hehe
Apr 09 10:12:51 whatsapp is organized in such a way that a person never had to add contacts/friends. phone number is the easiest way to do that
Apr 09 10:12:56 to register you tell them your phone number and they send an sms to that phone number
Apr 09 10:13:26 ok
Apr 09 10:14:29 cya
Apr 09 10:14:32 o/
Apr 09 10:17:15 best course of action would be helping with kernel upgrade, i guess
Apr 09 10:17:26 there are several alternatives that require a modern glibc
Apr 09 10:42:48 DocScrutinizer05: im sure im dont find that one ^^
Apr 09 10:45:38 DocScrutinizer05: but yea its sounds even trivially easy in theory but in practice why thats probably of one from the most expensive parts in phone...?
Apr 09 10:59:03 i may end up buying a cheap android
Apr 09 10:59:12 not only because of whatsapp
Apr 09 10:59:21 the lack of applications, nice browser, etc
Apr 09 11:01:43 Let's all sell our souls and work for Satan because it's more convenient that way.
Apr 09 11:09:15 i could also live in a cave or in the forest
Apr 09 11:09:39 but it's a hell of a lot more inconvenient
Apr 09 11:43:17 DocScrutinizer05: hrrrm that number coupling gets worse...
Apr 09 11:43:34 DocScrutinizer05: with a sip2sim attached to an aasip number, you can have a geographic number working on mobile no problems
Apr 09 11:43:39 DocScrutinizer05: sms both ways etc.
Apr 09 11:52:45 DocScrutinizer05: but the silly whatsapp etc refuse to accept the number
Apr 09 13:06:59 Hi! Do not forget: today is qualification round for Code Jam! https://code.google.com/codejam
Apr 09 17:40:57 freemangordon: ah ... well, I guess I'm a bit late :/
Apr 09 17:53:35 well, yeah :)
Apr 09 18:41:52 completely unrelated ranting: since 2 or 3 years or more, I suffer from randomly appearing - for weeks - massive delay when opening konqueror in local filebrowser mode (cwd: ~). Now it suddenly occurs to me that's caused by gvfs
Apr 09 18:42:21 massive delay = upto 120s until window opens
Apr 09 18:42:45 another useless g* piece of software
Apr 09 18:59:15 enyc: yep, of course. A SIP client is not 'real phone'
Apr 09 19:00:47 I guess not even on Android apps are built in a way so they accept arbitrary IM as GSM SMS text message (SMS via SIP is basically IM)
Apr 09 19:02:04 also any possible API for query of own number will fail epically when that number is not SIM based but SIP
Apr 09 19:11:29 DocScrutinizer05: no, this is not a sip client, it is actual mobile sim card getting actual mobile calls on the sip2sim phone number
Apr 09 19:11:56 ooh
Apr 09 19:12:02 DocScrutinizer05: if you have both a sip2sim and a mobile from aaisp they will bind them together natively/internally
Apr 09 19:12:25 DocScrutinizer05: though you _can_ have the sip2sim service register on an 'external' sip account if you wish
Apr 09 19:12:31 now is aaisp aka aasip a N900 typo or meant like that?
Apr 09 19:12:33 DocScrutinizer05: but it's not done by sip client on the phone
Apr 09 19:12:55 DocScrutinizer05: aaisp is a company Andrews & Arnold ISP
Apr 09 19:13:08 aaah ok
Apr 09 19:13:11 DocScrutinizer05: AASIP -- Andrews and Arnold SIP phone number, i think i meant
Apr 09 19:13:22 DocScrutinizer05: i.e. aaisp run aasip service ;p
Apr 09 19:13:49 DocScrutinizer05: their irc.z.je #a&a channel is a good community / place to find interesting/technical people
Apr 09 19:14:36 thanks for this new (to me) info :-)
Apr 09 19:15:30 DocScrutinizer05: they provide sim-cards for data-only service, static ipv4 address + ipv6 over 6in4 tunnel
Apr 09 19:16:13 DocScrutinizer05: also, 'sip2sim' roaming mobile voice sim, that connects either directly to an aasip number, OR, to a sip account of your choice, but NOT using sip client built into phone, it uses the GSM voice.
Apr 09 19:16:22 DocScrutinizer05: or 3g voice or whatever but you get the idea
Apr 09 19:17:06 unified-services has many funny options and variants :-)
Apr 09 19:17:21 anyway, it does work with SMS to/from geographic number of the phone
Apr 09 19:17:29 but apparently whatsapp don't like that
Apr 09 19:17:34 the differences between connection classes vanish more and more
Apr 09 19:17:58 I wonder if my mobile SMS dispatch would like it
Apr 09 19:18:27 I always wondered how they decide to either send ascii SMS or voice SMS
Apr 09 19:18:59 orange/ee seem to voice-dispatch, whereas three, vodafone, at least deliver normally/fine
Apr 09 19:19:17 odds are for anything that looks to them like a landline geo-phonenumber they will send text2speech voice SMS anyway
Apr 09 19:19:34 i never saw the need for mobile to 'voice dispatch' -- seemingly at least bt openreach landlines, have their own locally generated text2speech
Apr 09 19:19:46 i.e.
it's not needed at the sending provider network at all
Apr 09 19:20:33 well, that's what you get when there's no globally accepted standard and no unambiguous 'right way' to implement a service
Apr 09 19:21:45 the more creative and innovative your service, the higher the odds your competitor will come up with something even more nifty which is incompatible for sure
Apr 09 19:24:58 in the nineties we had a phone exchange system called EWS here in germany, which had all sorts of nifty functions like wake call setup via DTMF (sort of *42*0715#), Then came SS7 and those nice functions all were gone again
Apr 09 19:27:43 https://de.wikipedia.org/wiki/Signalling_System_7 https://de.wikipedia.org/wiki/EWSD
Apr 09 19:36:25 robotanarchy: ((what do you mean? the additional code running on the server (tor) or the additional network bandwidth?)) basically what I mean is the Erlang (Erl) explosion you get from using a randomized routing like in TOR
Apr 09 19:38:45 ?
Apr 09 19:39:24 if *every* (web-)server in the internet was a TOR-only server, you'd not only need twice to three times the amount of router/server hardware to establish the needed TOR network, you also need a probably factor 16 beefed up internet, particularly backbones down to the datacenters of this world
Apr 09 19:42:19 you're aware that even today where TOR is mostly unknown to Joe AverageUser and massively supported for free with TOR nodes run by enthusiasts, it's not possible to watch TV via TOR
Apr 09 19:43:10 TOR simply doesn't scale
Apr 09 19:43:28 that's not really a backbone issue, more a last-mile thing (and people setting bw limits to their TOR servers)
Apr 09 19:43:39 at this scale at least
Apr 09 19:45:23 well, yes, but we still have *A*DSL in post parts of this world as best you can get. So you can't run any sort of P2P-TOR that would faintly get near to what's your downstream bandwidth.
You can't even get average upstream bandwidth with your P2P-TOR downstream Apr 09 19:45:47 s/ post / most / Apr 09 19:45:48 DocScrutinizer05 meant: well, yes, but we still have *A*DSL in most parts of this world as best you can get. So you can't run any sort of P2P-TOR that would faintly get near to what's your downstream bandwidth. You can't even get average upstream bandwidth with your P2P-TOR down... Apr 09 19:46:16 DocScrutinizer05: that's why I'm saying it's a last-mile issue, not a backbone one ... for now. Apr 09 19:46:27 for now yes Apr 09 19:46:42 for a "everything is TOR" wprld this changes Apr 09 19:47:28 since as I said you need twice the amount of webservers existing on this globe to establish the TOR layer on a semi-commercial level Apr 09 19:47:46 as for "later", ie the day ISP stop being stupid and eventually move to symetric uplinks (which might never come as it stands ...) ... we'd just get less bw :) Apr 09 19:48:03 you need twice the amount of TOR than what we got for web servers Apr 09 19:48:49 I'm pretty the webserver vs users ratio is more than that ;) Apr 09 19:49:25 (users vs webservers rather) Apr 09 19:55:32 yes, but also many users can use one TOR server (actually they use several servers then, depending on the number of hops) Apr 09 19:56:53 the factor 2 was a guestimate tradeoff between lower load for TOR compared to the stuff a webserver does, vs the fact that a TOR connection involves multiple such TOR nodes for one client of a webserver Apr 09 19:57:10 yeah but you've got the idea Apr 09 19:57:16 sure Apr 09 19:57:18 :-) Apr 09 20:01:10 anyway even when you'd assume *every* user runs a P2P TOR node on their (A)DSL, the available netto bandwidth is bruto DSL min(up,down) bandwith / average number of TOR hops * 1/percentage-nettoload-over-time-per-user-DSL Apr 09 20:02:13 actually s/average number of TOR hops /(2 * average number of TOR hops) / Apr 09 20:03:52 with an averahe hop count of 5, and every user running full bandwidth 
downloads, they all get 1/10 of their up/down bandwith whatever is lower, for both down and up Apr 09 20:10:14 +-2, my math sucks Apr 09 20:10:37 1/8 - 1/12 Apr 09 20:27:54 DocScrutinizer05: I didn't say: everyone should use tor for everything, but I like the idea that every page provides a tor hidden service, if the user requests it. and streaming content over tor is not a good idea at all, unless really necessary Apr 09 20:29:13 also about your argument that you can decode whatever users were doing on a webserver by the download size - consider wikipedia or search engines, reddit, ... you can't easily say from the traffic which site they have visited. and it *does* make a difference whether you're reading about big bang theory or about making explosives Apr 09 20:29:22 just as an example Apr 09 20:29:45 robotanarchy: (every server *provides*) completely on your page Apr 09 20:30:56 also agree on content being relevant for some usecases like search engines and huge wikipedias Apr 09 20:31:14 in such cases encryption makes sense Apr 09 20:31:52 and maybe you do not want to get javascript 0days inserted into your plain HTTP xkcd.com connection when surfing in open hotel wifi ;) Apr 09 20:33:50 yeah, or let's sign js code :* Apr 09 20:34:26 just kidding ... but I strongly believe the real issue here is allowing code to run in the browser :) Apr 09 20:34:48 it absolutely is Apr 09 20:37:22 robotanarchy: what in a hotel WLAN situation would make a fake DNS attack that points xkcd.com to my rogue server to download the 0day via HTTPS less feasible than a MITM that tries to insert the 0day into plain unencrpted HTTP from original xkcd.com? Apr 09 20:38:16 the fact that xkcd.com has HSTS Apr 09 20:38:18 there we are again - false assumptions about security Apr 09 20:38:28 DocScrutinizer05: hmm? 
Apr 09 20:38:47 DocScrutinizer05: you'd need to be able to sign a cert for xkcd.com
Apr 09 20:39:04 (which might be possible depending on who you are, but that's another story)
Apr 09 20:39:06 bencoh: when I'm in a hotel WLAN I usually get my DNS IPs via DHCP
Apr 09 20:39:31 DocScrutinizer05: still doesn't change the ssl cert thing
Apr 09 20:39:44 so I don't sign a cert for xkcd, I simply use my own
Apr 09 20:39:57 as bencoh says, you still need the cert. and if xkcd has used certificate pinning, you can't even use a fake cert (which isn't that easy to get in the first place)
Apr 09 20:40:10 DocScrutinizer05: with a self signed cert, the user would see the big red warning screen
Apr 09 20:40:30 LE doesn't issue self signed certs
Apr 09 20:41:08 DocScrutinizer05: how would you make lets encrypt sign *you* a cert for xkcd.com
Apr 09 20:41:10 ?
Apr 09 20:41:21 and I'm actually tired of that discussion. It constantly mixes things, encryption is NOT authentication
Apr 09 20:42:06 certs are useless for automated authentication, by design
Apr 09 20:42:17 actually the recently used infra is
Apr 09 20:42:20 DocScrutinizer05: ssl certificate exchange provides server "authentication", client-wise (?)
Apr 09 20:42:57 considering the attacker doesn't have control over a trusted cert authority
Apr 09 20:43:58 I don't really get your point here, let's say you do push your DNS IPs to the dhcp client
Apr 09 20:44:11 watch out, or he's going to ignore you
Apr 09 20:44:19 then you'd redirect web traffic to your server. ... then which cert would you present?
Apr 09 20:44:46 kerio: what makes you think I he gives a *fuck* about your warnings?
Apr 09 20:45:02 kerio: maybe you got a deja vu
Apr 09 20:46:15 but indeed I don't feel like continuing this discussion, maybe we can agree on you all thinking I'm wrong and I insist on my dislike of this LE thing
Apr 09 20:47:03 DocScrutinizer05: I recommend fefe's rant on let's encrypt if you have not already read it. pure gold :D
Apr 09 20:47:34 I never read fefe
Apr 09 20:48:16 DocScrutinizer05: I dislike LE as well but I feel I missed part of the discussion, I didn't gather LE was at stake here actually
Apr 09 20:48:17 got my own brain to build my own notion
Apr 09 20:49:07 bencoh: the discussion was about LE massively improving global internet security
Apr 09 20:49:49 I disagree and think it rather conveys a wrong sense of security to Joe Noob
Apr 09 20:50:23 and massively complicates things that actually would help in my very private security management
Apr 09 20:52:16 everyone is free to have their own idea about that, I'm not even any sort of expert with security
Apr 09 20:53:05 at least not on sw level
Apr 09 20:56:15 I just get angry about sw devels particularly of browsers etc when I read stuff like https://botbot.me/freenode/devuan/2016-04-03/?msg=63439141&page=2
Apr 09 20:56:56 and https://botbot.me/freenode/devuan/2016-04-03/?msg=63440909&page=2
Apr 09 20:58:37 doesn't sound like improved security
Apr 09 20:58:46 rather like additional trouble
Apr 09 21:00:40 my take on that particular issue and what's relevant for my perceived security in it: https://botbot.me/freenode/devuan/2016-04-04/?msg=63443153&page=1
Apr 09 21:09:34 Package lists should definitely be encrypted. Packages themselves should at least have to match hashes from the package list.
Apr 09 21:10:03 Otherwise I could easily do something like make it so people grab my evil package list when they do `apt-get update` on a LAN I happen to also be on.
Apr 09 21:10:27 then when they upgrade any package it will get my modified version that includes something malicious in it.
Apr 09 21:11:18 Well, when I say "encrypted", signed would also suffice, but I don't think Debian normally has an inherent mechanism for that.
Apr 09 21:11:49 yeah sure, as happened thousands of times in maemo's apt-get already, particularly as long as Nokia had valid *signature* keys on plain text packages.lst
Apr 09 21:11:57 * DocScrutinizer05 fixes damn ignore list
Apr 09 21:25:56 * DocScrutinizer05 desperately searches for source of the magical tools that allow at least *snooping* of traffic from other LAN clients in any arbitrary LAN built from switches instead of hubs, and a marginally decent-configured router that doesn't FORWARD ALL ALL
Apr 09 21:26:33 Do you know what ARP is?
Apr 09 21:27:41 ARP requests are normally broadcast to everyone on the .. broadcast domain.
Apr 09 21:27:57 There isn't any way to validate the responses you get back from them.
Apr 09 21:28:19 and that's how you know what addresses to send to at the level you're talking about.
Apr 09 21:29:13 You can also make false responses to DHCP requests.
Apr 09 21:29:41 Using switches instead of hubs doesn't really improve security.
Apr 09 21:34:28 You can probably also come up with attacks involving STP if that's running on the broadcast domain.
Apr 09 21:35:16 I'm sure there are countless others.
Apr 09 21:38:19 btw, these attacks don't have to be intended by the people using the LAN.
Apr 09 21:38:32 they could be performed by malware already running on other people's computers on the LAN.
Apr 09 22:09:57 btw, the "magical tools" are just a standard build of dnsmasq and the standard Linux networking tools.
Apr 09 22:11:11 with those you can set up a DHCP server that tells (some) people making DHCP requests to use your IP address as a gateway and as a DNS server.
Apr 09 22:12:47 then you just need to do NAT to forward connections on through the real gateway and everything will appear to be working as normal, it just happens that half of the network users are forwarding all their traffic through your machine.
Apr 10 00:19:39 maybe interesting for some here: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html
Apr 10 00:23:15 large LANs may use this class of routers instead of mere switches, home LAN is not supposed to see much ARP spoofing usually, also since you generally have a router-modem with a number of separate ethernet jacks which can form separated physical branches that don't necessarily broadcast from one to another, and particularly not ARP requests that have the own (gateway's) IP in them
Apr 10 00:28:50 even less ARP *answers* that have the own (gateway's) IP in them
Apr 10 00:31:05 adding more (non-routermodem) switches to the homeLAN makes stuff a tad tricky to evaluate, simply since there are so many differently working types of switches out there and usually none of them has any specs available
Apr 10 00:32:44 anyway in a LAN large enough to worry about rogue clients among them, you're better off with a decent router rather than silly switches
Apr 10 00:35:22 same rationale applies to DHCP spoofing in analogy
Apr 10 00:36:39 your typical homeLAN modemrouter regularly is the only DHCP server of the network
Apr 10 00:37:26 so when it is gateway and DHCP server, why should it forward obviously bogus DHCP/ARP replies from one client to all others?
Apr 10 00:38:11 even less unsolicited ones
Apr 10 00:44:52 and don't get me started about Rendezvous/Bonjour/Avahi which needs to get killed with fire
Apr 10 00:45:21 Zeroconf
Apr 10 00:45:45 mDSNS
Apr 10 00:45:51 DNS even
Apr 10 00:49:37 Because people only ever use "large LANs" and "home LANs".
Apr 10 00:50:12 and when you really want to run your own DNS server, you damn sure better run a detection system on same machine as well, for any spoofing found in the network. I mean it's simple enough
Apr 10 00:50:32 When you connect to a WiFi network, it's sure to use only CISCO equipment and configured by people who understand how to mitigate ARP and DHCP spoofing.
Apr 10 00:51:12 not that those are the only possible attacks, but they're some of the many that have pretty much no effect on SSL.
Apr 10 00:51:47 however neither of all that crap is needed since ages, since the devices you usually get are preconfigured to do all that stuff automatically
Apr 10 00:52:34 so no Zeroconf, neither any DNS config or firewall messing around
Apr 10 00:53:26 * DocScrutinizer05 never seen a company LAN with zeroconf
Apr 10 00:54:34 * DocScrutinizer05 actually also never seen a home LAN where it was needed and used
Apr 10 00:54:35 * Maxdamantus should see if he can respond to DHCP requests on his LAN at work.
Apr 10 00:54:49 * Maxdamantus suspects he can, even though it's using fancy CISCO switches.
Apr 10 01:02:01 I suspect if people were able to design networking again, they'd use something more secure than IP.
Apr 10 01:02:23 and 802.11
Apr 10 01:04:15 There are ways of properly enforcing what you seem to envision these "large LANs" as doing, but IP/ethernet doesn't enforce these things and the closest you can get is through doing things like blacklisting DHCP frames being transmitted by anyone except devices with certain MAC addresses.
Apr 10 01:04:37 which also relies on verifying MAC addresses, which can be done with additional static configuration.
Apr 10 01:05:46 With something other than IP/802.11, it could all happen automatically, but it's difficult replacing those things for non-technical reasons.
Apr 10 01:06:36 er, s/802\.11/802/
Apr 10 01:11:36 if the cisco whitepaper is tl;dr, here one of the key quotes: >>The DAI verification consists primarily of intercepting each ARP packet and comparing its MAC address and IP address information against the MAC-IP bindings contained in a trusted binding table. DAI discards any ARP packets that are inconsistent with the information contained in the binding table. The trusted binding table is dynamically populated by DHCP snooping when this
Apr 10 01:11:38 feature is enabled<<
Apr 10 01:12:32 for a SOHO-modemrouter, this gets even simpler since no snooping needed, all is done onboard locally
Apr 10 01:14:26 Wait, so this doesn't even prevent the DHCP spoofing.
Apr 10 01:14:57 So they have another thing to check that, right?
Apr 10 01:15:04 so a very simple netfilter rule that filters out all packets with source "any external IF" and type "ARP" and "IP.src || IP.dst == $own-gateway-IP"
Apr 10 01:16:24 ARP? IP src? IP dst?
Apr 10 01:17:10 ARP is layer 2.
Apr 10 01:17:14 and the modemrouter does communicate with own DHCPd to fill/update the "trusted binding table", instead of snooping
Apr 10 01:17:25 It's used to resolve local IP addresses to MAC addresses.
Apr 10 01:18:41 *if* you want to allow any other ARP at all, which usually isn't needed
Apr 10 01:19:40 implementations may change from modemrouter to modemrouter
Apr 10 01:21:09 (allow any other ARP) I meant instead of routermodem answering all ARP requests from own local cache
Apr 10 01:22:05 the DHCP table already knows MAC of all devices that 'registered' to gateway in LAN
Apr 10 01:23:01 fwiw, home routers are unlikely to do this.
Apr 10 01:23:18 those with fixed IP _not_ assigned by a DHCPd option in modemrouter are a special case you need to deal with
Apr 10 01:23:59 I've accidentally run an additional DHCP server at the same time as my modem-router-switch.
Apr 10 01:24:13 which one responded first was just chance.
Apr 10 01:24:30 I doubt it's any different on virtually every other modem-router-switch.
Apr 10 01:26:42 I have a suspicion that the switch functionality is also usually independent of the router functionality.
Apr 10 01:27:28 ie, the switch is just a separate device on the board that knows how to do ethernet switching, so not all frames go through Linux.
Apr 10 01:28:16 That would mean to implement DHCP spoofing protection, the switch needs to be programmed to block DHCP responses that come from anywhere but the router "port".
Apr 10 01:29:26 it would need to be configurable, because people (eg, me) often reuse these devices as normal switches.
Apr 10 02:54:05 it's a pity that fritzbox (7490) needs to disable the hw booster to allow netfilters. Then OTOH as long as you don't need Gbit-ethernet, it prolly makes no difference
Apr 10 02:57:03 well, when you want an 8-port Gbit router with firewall aka netfilters and up to 2 mio packets per second, you have to pay the price for such thing (which is 1.5 times the price for a 7490)
**** ENDING LOGGING AT Sun Apr 10 02:59:58 2016