So it looks like my host pulled the plug on my server on the morning of the 27th. There appears to be some mix up with finding my account, which could be anything from a mix-up to "oops we wiped that server". Since it's been a while I've decided that the server probably isn't coming back online anytime soon, so I've got a VPS set up. Most of the stuff is backed up, sadly back in Waterloo. Fortunately I learnt from my more recent laptop failures and the most important bits (namely my delicious code) are in a variety of locations (three cheers for git :) ).
On the plus side I've lost a lot of cruft of configuration that had built up over the years, but on the downside I've got a lot of configuration and sys admin work to do for the next couple of days.
Monday, December 29, 2008
Less than fun server times
Saturday, November 22, 2008
Almost done with interviews
Interviewing for full-time is quite different than what my Co-Op interviews have prepared me for. For one thing, companies are much more interested in having you come on site, which is pretty cool in that I've gotten to see a lot of different work environments, but also has the downside of keeping me busy flying all over. Fortunately, I've managed to get the remaining 2 west coast companies I'm interviewing with to co-ordinate so I don't have to make separate trips out :) I was a little worried with job hunting during this economic slump, but it seems like most technology companies are still hiring (albeit maybe not as many people as before). Having the Amazon offer has made the whole process much less stressful in some ways, but in other ways it's made my schedule a lot more packed since the deadline is the end of this month.
Friday, November 21, 2008
Random beer
Oddly enough a lot of people from Ottawa end up going to the University of Waterloo (or at least they seem to, in the Math/CS segment). Apparently, I am so far out of touch with Ottawa that I didn't know about the creation of a new brewery (called beaus) (complete with blog). Kevin was kind enough to bring down a big (~2L) jug of "Lug Tread" which was surprisingly good. So that this isn't a total non sequitur with the rest of what I write, I wonder what sort of challenges they faced doing a startup and how those compare to tech startups? And now back to that free beer....
Update Yahoo! Zimbra Desktop vulnerable to Man in the Middle
Once again, Yahoo! has made a slight mis-step with protecting their users' information. In my attempt to enable interoperability between pcfspam & Yahoo! Mail, I uncovered another problem with the most recent Yahoo! Zimbra Desktop. The new Zimbra Desktop (build 1344) uses the same login methodology as the web login, which is already known to be replayable. Unfortunately, unlike the web login, it doesn't notify the user in the event of an SSL certificate mismatch. This makes Yahoo! Zimbra vulnerable to a man-in-the-middle attack, exposing both usernames and passwords.
To reproduce this bug, simply download Zimbra desktop & set your host file (/etc/hosts) for login.yahoo.com to point to your local machine (127.0.0.1) by adding:
127.0.0.1 login.yahoo.com
Alternatively, you can configure bind and add the Yahoo! zone:
;
; BIND data file for the fake yahoo zone
;
$TTL 604800
yahoo.com. IN SOA localhost. root.localhost. (
;@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
yahoo.com. IN NS ns1.yahoo.yahoo.com.
login.yahoo.com. IN A 127.0.0.1
login.yahoo.yahoo.com. IN A 127.0.0.1
ns1.yahoo.yahoo.com. IN A 127.0.0.1
Then start an SSL webserver (I used apache) on port 443 and take a look at the access log to see the request:
127.0.0.1 - - [21/Nov/2008:00:27:39 -0500] "GET /WSLogin/V1/get_auth_token?appid=0YbgbonAkY2iNypMZQOONB8mNDSJkrfBlr3wgxc-&login=albertsanchezo&passwd=kingof HTTP/1.1" 404 401 "-" "Jakarta Commons-HttpClient/3.0"
You can clearly see the variables login & passwd contain the username and password. It should be noted that no warning message was shown to the user and this was done with a self-signed cert for a localhost.localdomain. A malicious attacker would have to exploit only one of the many DNS poisoning vulnerabilities and pass the authentication information through to be able to capture the usernames & passwords of a large number of Yahoo! users. While you can see that I didn't bother passing the information through, you could also get a similar effect with squid (or another proxy) and still allow authentication to complete.
The impact of this is much lower than the previous vulnerability with Yahoo! Zimbra desktop, but is still serious as it exposes usernames & passwords with only a trivial amount of effort.
At the time of writing Yahoo! security has been notified.
p.s.
For anyone from Yahoo! reading this, I'm still waiting for the shirt I was promised from the first time I reported a vulnerability, but it's all good :)
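The access-log line in this post shows a second problem besides the missing certificate check: credentials sent in a GET query string are recorded by every server and proxy that handles the request. As an added example (not part of the original post), this Python scanner finds secret-bearing query parameters in Apache combined-format logs and redacts them; the parameter-name list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumed list of parameter names that carry secrets; extend per application.
SENSITIVE = {"passwd", "password", "pwd", "token", "secret"}

# Constructed sample lines with placeholder credentials (not real accounts).
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Nov/2008:00:27:39 -0500] "GET /WSLogin/V1/get_auth_token'
    '?appid=EXAMPLEAPPID&login=exampleuser&passwd=examplepw HTTP/1.1" 404 401 '
    '"-" "Jakarta Commons-HttpClient/3.0"',
    '127.0.0.1 - - [21/Nov/2008:00:28:02 -0500] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [21/Nov/2008:00:28:10 -0500] "POST /search?q=zimbra'
    '&Password=x%26y HTTP/1.1" 200 90 "-" "curl/7.19"',
]


def scan_line(line):
    """Return (redacted_line, finding); finding is None if nothing is exposed."""
    s = line.strip()
    m = COMBINED.match(s)
    if not m:
        return s, None
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not hits:
        return s, None
    safe_query = urlencode(
        [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    )
    safe_target = urlunsplit(parts._replace(query=safe_query))
    # Splice the redacted request target back into the original line.
    redacted = s[: m.start("target")] + safe_target + s[m.end("target"):]
    finding = {"client": m.group("host"), "method": m.group("method"),
               "path": parts.path, "params": hits, "agent": m.group("agent")}
    return redacted, finding


def scan_log(lines):
    """Scan many lines; return (redacted_lines, findings)."""
    redacted, findings = [], []
    for line in lines:
        safe, finding = scan_line(line)
        redacted.append(safe)
        if finding:
            findings.append(finding)
    return redacted, findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG)[1]:
        print(f["client"], f["method"], f["path"], f["params"], f["agent"])
```

Any account whose password shows up in a finding should be treated as exposed, since the unredacted value already sits in the original log and in any upstream proxy logs.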
Posted by Holden Karau at 3:23 AM
Labels: encryption, man in the middle, security, ssl, yahoo, zimbra
Monday, November 17, 2008
Blog comment spam
I seem to be getting a reasonable amount of blog comment spam (especially on the older posts). I've already enabled captchas, but that apparently isn't enough. Since there aren't many comments I'm turning on comment moderation. I will let anything through which isn't spam.
Tuesday, November 11, 2008
Upgrading to 8.10 & random
So I upgraded my main laptop to Ubuntu 8.10. The initial estimated upgrade was approximately 8 hours, so I headed into campus (where the main csclub & Canadian ubuntu mirror server is) and did my update in about 30 minutes instead.
The rest of this month is incredibly busy with trying to finish up interviews before the Amazon deadline.
After this weekend I'm hoping to have a working CLI port with login functionality for Device Scape on the OpenMoko.
Posted by Holden Karau at 8:09 PM
Sunday, November 02, 2008
tasty tasty wireless bits
In what came as a bit of a surprise my latest device scape build seems to be working pretty well. It successfully selected the correct network, and did the automatic login at a Starbucks in NYC. I've got another round of code cleanups to do, and there is only a CLI interface at present, but I'm hoping to have some ipkgs ready for testing soon. If you're interested in taking them for a spin, send me an e-mail ( holden@pigscanfly.ca ) and I can send you the freshest bits :)
Posted by Holden Karau at 5:11 PM
Labels: devicescape, freerunner, openmoko, random, wireless
Wednesday, October 08, 2008
More Yahoo! funtimes, this time with the iPhone
I decided to enlist the help of my friend, Jerry (who has an iPhone), to confirm my suspicions. It turns out that Yahoo!'s One Connect application is secure. Sadly, it turned out that the iPhone mail application (with its pre-sets for Yahoo!) also fails to use encryption for everything but authentication. This means that, on the iPhone, your username & password are secure. However, every e-mail (which is automatically downloaded) is transmitted over wireless (remember iPhone guys) in plaintext. In addition, doing a bit of sleuthing reveals that Yahoo! is sending the outgoing mail over HTTP (you read that correctly, HTTP), and it is in plaintext as well. This caught me by surprise, as I was expecting SMTP traffic. You can see the two captures of it sending & receiving here
Any e-mails from your bank, employer, girl/boy friend, are now visible to anybody with a laptop sitting in the same Starbucks as you. You are much safer if you only check the mail over the cell networks, but for those of us in countries without unlimited data plans, that isn't much consolation. In the opinion of this author, this is a phisher's wet dream.
Yahoo!'s security contact has been informed of these issues and I'm told there are no present plans to add encryption, however it is something which they would like to do at some point. Maybe if enough people point out that they don't like people snooping on their e-mail we could see this changing.
Posted by Holden Karau at 9:54 AM
Labels: encryption, failboat, failboatish, httppostmail, iphone, iphoneyahoo, ssl
Friday, September 26, 2008
Another security diversion, Yahoo! Zimbra client exposes passwords in the clear over the wire (also yahoo IMAP access now available with some fudging)
Taking a break from my regular coding and school work, I went to the Yahoo "hacku" day in Waterloo. I wrote a basic system to help me deal with the problem of false negatives in e-mail spam which I'm planning on improving on. Since, like the majority of students I know, I use Gmail I initially made my program work with gmail. However, since the food was being purchased by Yahoo, I figured I should try and make my system work with Yahoo as well.
At first glance, it didn't seem possible. Yahoo! doesn't presently offer IMAP support, and all the cool parts of their mail API require a pro account (which I later got, but didn't have at the time). Doing some digging suggested that Yahoo did syncing for the new Yahoo Zimbra desktop product over IMAP, which wasn't available to others. So I downloaded the Linux binary and with a bit of help from my good friend netstat found the imap host (not surprisingly imap.mail.yahoo.com ). If it had worked, all would have ended there without digging my nose around any further. Sadly, the server didn't want to talk to my client.
I figured I would look at the difference between what my client was sending and what the Zimbra client was sending. Launching wireshark and looking at port 143 quickly led to two important discoveries.
1) The Yahoo! IMAP servers require that you announce you are Zimbra (just send [ID (guid 1 os "Linux" "os-version" "2.6" "vendor" "Zimbra")]) before auth :P
2) The Yahoo! IMAP servers used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text
Since it was about 5am at this point, the implications of #2 didn't really hit home until after taking my pre-class nap.
What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless).
P.S.
Sadly, my hack didn't end up placing. In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient. I did however get some free pizza out of it (although not enough to have leftovers :( ). The hackday brought forward a lot of interested people into writing interesting code, I certainly hope to see more of these (sponsored by Yahoo or otherwise) in the future.
I'm planning on adding a number of additional features and rolling out my anti-spam code slowly. If you're interested in hearing more about my not exactly a spam filter you can sign up for a mailing list at pcfspam.com or just subscribe to my blog since I will likely post updates here as time goes on.
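The second discovery in this post comes down to a client sending its password on port 143 with no encrypted channel. As an added example (not Zimbra's or Yahoo!'s code), this Python planner reads IMAP capability lines and refuses to authenticate unless STARTTLS is offered, re-reading capabilities after the upgrade as RFC 3501 requires; the server responses are constructed samples and `plan_login` is a hypothetical helper name.

```python
import re

# Capabilities may arrive inside the greeting's response code or as an
# untagged CAPABILITY response (RFC 3501).
CAP_IN_GREETING = re.compile(r"\[CAPABILITY ([^\]]+)\]", re.IGNORECASE)
CAP_UNTAGGED = re.compile(r"^\* CAPABILITY (.+)$", re.IGNORECASE)

# Constructed server responses for illustration.
PLAINTEXT_ONLY = [
    "* OK IMAP4rev1 server ready",
    "* CAPABILITY IMAP4rev1 ID AUTH=PLAIN",
    "a1 OK CAPABILITY completed",
]
UPGRADABLE = ["* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"]
AFTER_TLS = ["* CAPABILITY IMAP4rev1 ID AUTH=PLAIN"]
AFTER_TLS_SASL_ONLY = ["* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=PLAIN AUTH=CRAM-MD5"]


def parse_capabilities(server_lines):
    """Collect upper-cased capability atoms from server response lines."""
    caps = set()
    for line in server_lines:
        line = line.strip()
        m = CAP_UNTAGGED.match(line) or CAP_IN_GREETING.search(line)
        if m:
            caps.update(atom.upper() for atom in m.group(1).split())
    return caps


def plan_login(pre_tls_lines, post_tls_lines=()):
    """Return the ordered commands a careful client sends on port 143.

    A server (or an on-path attacker stripping the capability) that does not
    offer STARTTLS gets LOGOUT, never a fallback to cleartext LOGIN.
    """
    caps = parse_capabilities(pre_tls_lines)
    if "STARTTLS" not in caps:
        return ["LOGOUT"]
    # Capabilities seen before the TLS handshake are untrusted; use only
    # what the server reports once the channel is encrypted.
    caps = parse_capabilities(post_tls_lines)
    steps = ["STARTTLS", "CAPABILITY"]
    if "LOGINDISABLED" in caps:
        mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
        steps.append("AUTHENTICATE " + mechs[0] if mechs else "LOGOUT")
    else:
        steps.append("LOGIN")
    return steps


if __name__ == "__main__":
    print(plan_login(PLAINTEXT_ONLY))
    print(plan_login(UPGRADABLE, AFTER_TLS))
    print(plan_login(UPGRADABLE, AFTER_TLS_SASL_ONLY))
```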
Posted by Holden Karau at 9:59 PM
Labels: fail, hackday, imap, mail, security, spam, university of waterloo, yahoo
Monday, August 18, 2008
I'm super excited to begin work on this project [porting DeviceScape to the OpenMoko]
You may remember awhile back I wrote about hopefully being able to announce an interesting project I was working on. Well it took a bit longer to sort out all the details than I originally thought it would, but everything looks good to go :)
I'm super excited to begin work on porting Devicescape to the OpenMoko. Devicescape is one of the applications which I used heavily on my previous Windows-Mobile phones. It automatically signs on to Wi-Fi systems (such as FON, Starbucks, and more importantly for me Waterloo). Since I'm too cheap to have a big (or really any) data-plan this is how I plan to be getting my e-mail and pretty much everything on my OpenMoko. For now I'm going to be targeting the OM2008 image since it seems to provide the right mixture of bleeding edge while still being functional.
To the best of my knowledge this is the first (or one of the first) non-FIC commercial applications being ported/developed for the OpenMoko/FreeRunner stack.
Thinking of neat things to do with this, it looks like it might even be possible to trigger wake up from wi-fi so that the phone could wake up, log on, grab data intensive stuff (like say e-mail attachments or maps) and then go back to sleep. Although I'm not sure how much power would be drawn during this, it might be a bit too high to be feasible.
I'm still going to continue to work on my other side projects, including my spam filtering work, but there are only so many hours in the day (even with coffee) so they will probably slow down a bit.
Posted by Holden Karau at 3:20 PM
Labels: devicescape, openmoko, porting, software
Friday, August 15, 2008
Updated parallel blacklist lookup
I've expanded the blacklists queried and added a few more tests. I've also re-factored some of the code so doing matching with masks is much cleaner. You can grab the latest version of dnsrbl from hackage. Sadly I lost the comments that I got on irc from an untimely combination of server reboot (with my screen session) and laptop hoboing. If you have any comments on how I can improve this drop me a line at holden@pigscanfly.ca .
For the next bit of my spam filter funtimes I'm planning on playing around with some python code, which should be a fun learning experience (although I feel I'm a bit late to the python party).
Sunday, August 10, 2008
Dodgy facebook application now finished!
I took a nice diversion from writing C good to write a facebook application with my room-mate Jerry. It integrates Amazon wishlists into your profile. It's un-imaginatively called wishlist. Life is incredibly busy this week so I probably won't get anything else done until next week.
Monday, August 04, 2008
It's back!
I've got my computer back. The repair job was done in the back of a land rover. With two 20 something guys standing around the back of a truck the police decided to take a quick look, but once they saw the computer all was well. This is one of the odder places I've had my computer repaired, but the new component seems to be working well. Now I can get back to fun coding times :)
Thursday, July 31, 2008
Hardware failures for the loose
My Dell laptop (which is my primary computer while I'm in the states) has died today. I'm typing this on an Asus EEE PC I bought the last time I had to send my regular computer in for service. Hopefully all goes well, but this means I've probably lost a week's worth of code :(
Monday, July 21, 2008
Wireless Spectrum bidding ends, new Wireless Carrier for Canada
If you're not Canadian, this probably isn't a lot of interest to you. However for Canadians this is excellent news. Yak Communications announced today that they have won spectrum across all of Canada (with the expected and notable exclusion of Quebec) and are intent on providing cellular access. Their press release alludes to the current high prices and lack of service on existing Canadian wireless carriers. Sadly the spectrum they own won't work with any of my existing phones, but maybe for the next openmoko :P Anyways more competition is good, and certainly needed.
The full text of the press release since it doesn't seem to be on the wire services yet:
GLOBALIVE READY TO USHER IN A NEW ERA
OF WIRELESS CHOICE FOR CANADIANS
Globalive set to become a major wireless carrier in Canada
TORONTO – July 21, 2008 Globalive Wireless Management Corp. is pleased to announce that it has provisionally won spectrum in Industry Canada’s Advanced Wireless Services Spectrum Auction across Canada (excluding Quebec) with an investment of over $442 million. With this victory, Globalive has set the stage to become a major presence in the Canadian telecom market.
“This is an historic event for wireless users across the country,” said Anthony Lacavera, Chairman and Chief Executive Officer of Globalive Communications Corp. “It marks a new era of choice in Canada’s wireless world. At Globalive, we have earned a track record of innovation; that’s exactly what Canadians can expect from us when we announce our wireless offerings.”
The auction, which began May 27, 2008 and concluded earlier today, was initiated by the federal government to increase competition in Canada’s wireless market. The reasons that led to the auction include:
* Higher prices- Canadians pay an average of 60% more for mobile wireless services than Americans according to the Telecommunications Policy Review Panel (Final Report, March 22, 2006).
* Fewer services – Canadians are missing out on high-tech mobile services. These services are becoming an integral part of modern business life (such as lightning fast internet connections, video-conferencing, video and TV streaming, and interactive application sharing) are not being introduced in Canada at the same rate as the rest of the world.
* Low penetration - Only 58% of Canadians have a wireless device, such as a mobile phone, compared to the United States where more than 77% have a wireless device. Other industrialized countries, such as the United Kingdom and Hong Kong, have wireless device penetration of over 100% (The Economist’s Pocket World in Figures, 2007 edition).
Globalive Wireless Management Corp., which was formed to participate in the auction, includes a leading international wireless operator in Orascom Telecom Holding S.A.E.
“The domestic knowledge of Globalive, combined with the worldwide wireless expertise of Orascom Telecom, will allow us to bring the best practices in wireless to Canada,” said Michael O’Connor, Vice-President, Globalive Wireless Management Corp.
Three cheers for (hopefully) lower cell phone (and more importantly data) costs :)
Update: The end of the spectrum auction announcement has now hit the news wires
Update 2: A friend of mine pointed out this story about Orascom (one of the Globalive partners) possibly being involved in rebuilding the North Korean Hotel.
Posted by Holden Karau at 1:34 PM
My start with the OpenMoko/FreeRunner
Now that I have my OpenMoko it's time to get started developing for it. I have a number of personal itches that I want to scratch, but like with learning any new language or platform I find it best to start with the smallest useful project possible.
With that in mind I decided I'd create a small opkg (openmoko's package format) to sync the time from the gsm tower. After doing some digging in the gsm daemon it turns out that there are two separate parsing functions, one of which is never called (which is good because it does nothing), and the other which rejects the value reported by both AT&T and T-Mobile [it assumes a range of -48 to 48] and the networks report 138 for GMT-8. Reading GSM 02.42 didn't help much, except specifying that the time resolution must be at least 15 minutes. There seems to be very little documentation about gsm network time. If you've got a FreeRunner or Neo and some free time and could add:
gsmd_log(GSMD_ERROR,"starting ctzv_parse parse param=%s in unsol\n",param);
to the ctzv_parse function in unsolicited.c file in the gsm module & recompile and let me know what gets put in the GSM log along with your location & network information I'd be greatly appreciative :)
In the mean time, my plan for tomorrow is an auto-sensing gprs dialer, because setting up internet by hand on your phone is not fun-times.
I'm hoping to be able to announce and get started on an interesting project for the OpenMoko later on this week, so stay tuned :)
Posted by Holden Karau at 1:04 AM
Labels: developement, freerunner, gsm, linuxphone, openmoko



