**** BEGIN LOGGING AT Thu Dec 17 02:59:58 2015
Dec 17 07:46:03 <jonwil> hi
Dec 17 08:27:06 <zGrr> moin :)
Dec 17 10:22:50 <ceene> hi
Dec 17 10:22:55 <ceene> anyone uses car2go?
Dec 17 10:23:16 <ceene> there's this app on extras, getmewheels, but i think the api it uses is deprecated now
Dec 17 10:23:32 <ceene> I don't even know how to login with it
Dec 17 10:31:51 <Sicelo> what does car2go do by the way?
Dec 17 10:33:26 <Sicelo> i see now. :)
Dec 17 10:38:59 <ceene> i think the problem lies somewhere on the oauth code
Dec 17 10:39:04 <ceene> but i don't know much about oauth
Dec 17 10:39:19 <ceene> i'm testing with python-oauth to see if I can get a token from car2go but I'm unable
Dec 17 10:39:39 <ceene> maybe it's because they deprecated getmewheels key
Dec 17 12:09:09 <ceene> i think it could happen due to the sslv3 deprecation
Dec 17 12:09:32 <ceene> sslv3 should be removed from maemo's qt
Dec 17 12:09:37 <ceene> that happened on qt5
Dec 17 12:11:35 <jonwil> We should modify OpenSSL, QT, NSS (in microb) and any other SSL implementations on the N900 so that they use the latest best practice and dont do things that are insecure
Dec 17 12:11:43 <ceene> yep
Dec 17 12:11:56 <ceene> on yappari I had to manually disable sslv3
Dec 17 12:11:56 <ceene> +    // Avoid SSlV3 as it is unsecure and most servers now refuse to use it
Dec 17 12:11:57 <ceene> +    socket->setProtocol(QSsl::TlsV1);
Dec 17 12:12:00 <jonwil> If I knew more about NSS I would have a go at that (since its the most important to fix IMO)
Dec 17 12:12:40 <ceene> i don't know if there's a simple fix in the way of a configuration file or whatever that could override that for all qt applications at least
Dec 17 12:13:24 <jonwil> The fix is probably to modify QT source code
Dec 17 12:13:40 <jonwil> completly remove SSLv3 code in there
Dec 17 12:13:49 <jonwil> and TLS1.0 as well seems to be bad too
Dec 17 12:14:22 <ceene> how doable is that?
Dec 17 12:14:27 <jonwil> No idea
Dec 17 12:14:41 <jonwil> But CSSU already has QT source (in a repo at least) so I am sure they can ship a more secure QT
Dec 17 12:28:48 <KotCzarny> you know guys, one of the features i love in oscp is remembering path/time, so restarting after changing source just continues when it left off
Dec 17 12:29:34 <foo`> account gtalk on
Dec 17 12:29:37 <foo`> foo
Dec 17 12:29:40 <foo`> help
Dec 17 12:30:02 <KotCzarny> try using / at the beginning
Dec 17 12:30:07 <henkjan> foo`: this is not your bitlbee command channel ;)
Dec 17 12:30:40 <ceene> i've just patched a little libqoauth
Dec 17 12:30:48 <ceene>     config.setProtocol(QSsl::TlsV1);
Dec 17 12:30:51 <ceene> to use tlsv1
Dec 17 12:30:54 <ceene> i don't know if that's secure
Dec 17 12:30:58 <KotCzarny> nope
Dec 17 12:31:01 <ceene> lol
Dec 17 12:31:02 <ceene> anyway
Dec 17 12:31:04 <ceene> at least
Dec 17 12:31:04 <KotCzarny> tlsv1 is also unsecure
Dec 17 12:31:08 <ceene> car2go servers support tlsv1
Dec 17 12:31:15 <ceene> and now registration seems to work
Dec 17 12:31:21 <ceene> or at least it progresses further
Dec 17 12:31:32 <ceene> so it definitely was an ssl protocol issue here
Dec 17 12:31:46 <ceene> car2go servers don't support sslv3 but they do admite tlsv1
Dec 17 12:32:24 <ceene> or so it seems
Dec 17 12:32:52 <ceene> i'm not completely sure yet, to be honest
Dec 17 12:34:06 <ceene> http://doc.qt.io/qt-4.8/qssl.html#SslProtocol-enum
Dec 17 12:34:09 <ceene> which should be used?
Dec 17 12:34:58 <KotCzarny> does it mean sslv2 is unsecure too?
Dec 17 12:35:10 <ceene> dunno
Dec 17 12:35:11 <KotCzarny> because its not in QSsl::SecureProtocols
Dec 17 12:35:33 <KotCzarny> if yes, then it doesnt matter and QSsl::AnyProtocol should be best
Dec 17 12:36:08 <KotCzarny> but it depends on application
Dec 17 12:36:24 <ceene> the thing is
Dec 17 12:36:32 <ceene> most servers now refuse to use sslv3
Dec 17 12:37:09 <ceene> i had to disable that on yappari and turn to tlsv1
Dec 17 12:37:14 <ceene> which i thought to be secure
Dec 17 12:40:57 <ceene> by the way
Dec 17 12:41:00 <ceene> is this behaviour known?
Dec 17 12:41:10 <ceene> ~ $ rm file
Dec 17 12:41:10 <ceene> rm: ??borrar el fichero regular vac??o ??file??? (s/n) s
Dec 17 12:41:10 <ceene> rm: no se puede borrar ??0\321\001??: No such file or directory
Dec 17 12:41:27 <ceene> ~ $ rm file
Dec 17 12:41:27 <ceene> rm: remove regular empty file `file'? y
Dec 17 12:41:27 <ceene> rm: cannot remove `\b\305\001': No such file or directory
Dec 17 12:41:36 <ceene> that's with LC_ALL=C
Dec 17 12:41:56 <KotCzarny> i think you have installed something weird
Dec 17 12:42:07 <KotCzarny> and this behavior looks like buffer overflow somewhere
Dec 17 12:42:32 <ceene> ~ $ which rm
Dec 17 12:42:32 <ceene> /usr/bin/gnu/rm
Dec 17 12:42:32 <ceene> ~ $ ls -al /usr/bin/gnu/rm
Dec 17 12:42:32 <ceene> lrwxrwxrwx 1 root root 25 Jun 22  2014 /usr/bin/gnu/rm -> /opt/maemo/usr/bin/gnu/rm
Dec 17 12:42:35 <ceene> ~ $ dpkg -S /usr/bin/gnu/rm
Dec 17 12:42:37 <ceene> coreutils-gnu: /usr/bin/gnu/rm
Dec 17 12:42:40 <ceene> i guess i installed that sometime?
Dec 17 12:43:03 <KotCzarny> btw. busybox could be using builtins
Dec 17 12:43:08 <KotCzarny> try /usr/bin/gnu/rm file
Dec 17 12:43:12 <KotCzarny> and see if its different
Dec 17 12:43:34 <ceene> that succeeded
Dec 17 12:43:36 <ceene> so...
Dec 17 12:43:40 <ceene> it may be due to an alias file i have
Dec 17 12:43:46 <ceene> rm='rm -i'
Dec 17 12:43:46 <KotCzarny> then your busybox is f*cked
Dec 17 12:44:00 <ceene> no, i'm thinking there could be some character wrong there
Dec 17 12:44:16 <ceene> nop
Dec 17 12:44:19 <ceene> ~ $ /usr/bin/gnu/rm -i file
Dec 17 12:44:20 <ceene> /usr/bin/gnu/rm: remove regular empty file `file'? y
Dec 17 12:44:20 <ceene> /usr/bin/gnu/rm: cannot remove `\b\305\001': No such file or directory
Dec 17 12:44:22 <ceene> that's gnu's rm
Dec 17 12:44:47 <ceene> should i just remove coreutils-gnu?
Dec 17 12:44:59 <KotCzarny> might be miscompiled
Dec 17 12:45:10 <ceene> i think i got that from the repos
Dec 17 12:45:11 <KotCzarny> you should contact the maintainer (maemo's one)
Dec 17 12:45:14 <ceene> i don't even remember installing it
Dec 17 12:45:24 <ceene> After this operation, 12.0MB disk space will be freed.
Dec 17 12:45:25 <ceene> lol
Dec 17 12:45:46 <ceene> there
Dec 17 12:45:47 <ceene> fixed
Dec 17 12:45:49 <KotCzarny> :)
Dec 17 12:58:51 <KotCzarny> hmm, hardfloat needs kernel/libs support or just compatible cpu?
Dec 17 13:09:14 <ceene> i think you can have a single hf binary on your system
Dec 17 13:42:16 <bencoh> sslv2 has been considered insecure for a long time
Dec 17 13:43:13 <bencoh> tlsv1 isnt "that bad" (compared to the other two)
Dec 17 14:02:39 <KotCzarny> bencoh, so is there any secure protocol?
Dec 17 14:03:04 <bencoh> tlsv1+ afaict
Dec 17 14:03:11 <bencoh> tlsv1 is considered "okay" thus far
Dec 17 14:05:19 <kerio> lol no
Dec 17 14:05:34 <kerio> tls 1 is not bad enough to drop backwards compatibility
Dec 17 14:05:40 <kerio> but it's pretty bad
Dec 17 14:06:33 <kerio> as adam langley said, "anything less than tls 1.2 with an AEAD cipher is cryptographically broken"
Dec 17 14:12:52 <bencoh> :]
Dec 17 14:19:39 <kerio> :[
Dec 17 14:19:48 <kerio> feels bad man
Dec 17 19:57:38 <jonwil> hi
**** ENDING LOGGING AT Fri Dec 18 02:59:59 2015