
Why whitehats are wrong and UPnP rocks.

Whitehats make money off FUDing you out. That's the reality of it. Let's take an exact look at why turning off UPnP doesn't help anything. To do this, I must put myself in the position of the attacker.

So, I'm all skiddie now, I've sent out my mass-mail worm to millions of machines and there are not-so-bright people out there running 1000-pictures.jpg.exe or the like. They run the worm. Now, it attempts to punch a hole through the NAT with UPnP... if you've got it enabled. If you don't, it just opens a port uselessly inside your LAN. What fun. I can only really connect to the people who either have directly internet-exposed machines or are running UPnP. This is obviously not the best solution, as everyone's already been FUDed out of running UPnP by whitehats. There must be a better way to do this... Oh yes, reverse connections.

Instead of having me connect to them... let's have them connect to me. This means that, no matter how deeply NAT'd they are, if they can get an internet connection, I can control them because from inside the NAT, it's all just going outbound. Once they're connected to me, the operation can be as normal. And, this means that they don't have to have UPnP enabled at all.

So, now, which of these should I choose? UPnP? or a reverse connection? I think the choice for any skiddie should be a reverse connection. Hell, just grab the latest version of BO2K, there's reverse connection support built right in. That's how easy it is. So, exactly why would I even bother closing UPnP and losing myself the nice, quick setup of my P2P clients to do what?

In conclusion, there is little reason to disable UPnP; it's hardly a threat. I've personally never seen a trojan that uses UPnP. Though I have no doubt they exist, I don't consider it a big threat, whereas in order to prevent a reverse connection, one would need to use a software firewall, which is significantly more painful. Save yourself the pain of manually forwarding your BitTorrent client: turn UPnP on.

Oh, and whitehats, next time you start telling people to kill their features to gain security, make sure the security gain can be 100% guaranteed.

FreeMind as a GTD Solution

While working on a recent coding project, we were using FreeMind to get all the basic ideas down. Well, I was quite amazed at its feature set, and thought it would make a nearly perfect categorized GTD solution. It has. I've come up with a quick category arrangement, including: School, Blog, Games, Leech and Setup/Configure, along with a private, encrypted category. FreeMind has prioritization symbols and all sorts of fun little icons to make your todo list look even better. Once you get used to the keyboard shortcuts, which took me about 30 seconds, you'll work very quickly at getting your ideas down for everything you plan on doing at some point. I just wish I could think of more things to put on here. At this rate I'll have nothing left to do soon enough. Ah well, there's always StumbleUpon.

Knocking Authentication and Nucleus Plugins

Well, I recently came up with a little PHP code (10 minute hack) to add "knocking authentication" to anything. How does this work? Well, let's see! First, I go to a protected page, say, for example:
http://ultra.iblogger.org/protected.php

Boom! The web server spits back a 404 error. Because I haven't knocked. Let's see what to do now. The first knock is 10, so, hit:
http://ultra.iblogger.org/protected.php?knock=10

Ok, it'll still spit back 404, but, we've actually done something good here! Let's send the next knock, 20.
http://ultra.iblogger.org/protected.php?knock=20

Again, 404. One more knock.
http://ultra.iblogger.org/protected.php?knock=30

Tada, as soon as you've hit that URL, the content appears. What makes this system so great? Well, it's completely stealthy. Anyone who doesn't know the knock can't even begin to get in, all they'll get are 404s. The knock can be infinite length even. Well, I've implemented this knock as a plugin for Nucleus CMS (which is running this very blog). So, for people like me who want to blog some things for the public to read, but, still have things they want to keep private, KnockAuth offers a very stealthy way to do it. Remember, next time you get thrown a 404, is it really a 404? :) The nucleus plugin is available as usual from the sources dump on this blog. It's AGPL'd. So, if you change/improve it, remember, PUBLISH YOUR CHANGES! I will however make an exception for people who simply want to change the GET variable from "knock" to something else. If you've accepted the terms of this license, let's install the plugin :)
1) To start, upload the NP_KnockAuth.php into your nucleus/plugins directory on your blog.
2) Now, Pull up the Nucleus admin interface
3) Press install on KnockAuth
4) Go to the settings for the blog you want to turn on knocking for
5) Turn on knocking
6) Change the default knock to any space-separated list :) For the above example, I used: "10 20 30"
Tada, enjoy your new secure, deniable authentication system :)
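As an added illustration of the scheme described above (this is not the NP_KnockAuth.php plugin itself; the plugin's source is in the blog's sources dump), here is a small Python model of the knock handling: the protected page answers 404 until a client has sent the knock values in order via the "knock" GET variable, after which the content is served. The handler shape, the per-client state keyed by a client id (a session cookie or address on a real server), and the page content are assumptions; the knock values are the ones from the post.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the plugin setting and the protected page.
DEFAULT_KNOCK = "10 20 30"
PROTECTED_CONTENT = "<h1>private post</h1>"


def knock_value(url):
    """Return the value of the ?knock= GET variable, or None if it is absent."""
    query = parse_qs(urlsplit(url).query)
    values = query.get("knock")
    return values[0] if values else None


class KnockAuth:
    """Per-client knock state: 404 until the whole sequence has arrived in order."""

    def __init__(self, knock=DEFAULT_KNOCK, content=PROTECTED_CONTENT):
        self.sequence = knock.split()   # any number of space-separated tokens
        self.content = content
        self.progress = {}              # client id -> knocks matched so far

    def is_open(self, client):
        return self.progress.get(client, 0) == len(self.sequence)

    def knock(self, client, value):
        """Advance, restart or reset the client's position in the sequence."""
        if self.is_open(client):
            return                      # already through; extra knocks are ignored
        matched = self.progress.get(client, 0)
        if value == self.sequence[matched]:
            matched += 1                # the expected next knock
        elif value == self.sequence[0]:
            matched = 1                 # wrong knock, but it starts a fresh sequence
        else:
            matched = 0                 # wrong knock: start over
        self.progress[client] = matched

    def handle(self, client, url):
        """Return (status, body) the way the protected page would respond."""
        value = knock_value(url)
        if value is not None:
            self.knock(client, value)
        if self.is_open(client):
            return 200, self.content
        return 404, "Not Found"         # same answer a missing page would give


if __name__ == "__main__":
    auth = KnockAuth()
    base = "http://ultra.iblogger.org/protected.php"
    for url in (base, base + "?knock=10", base + "?knock=20", base + "?knock=30", base):
        print(url, "->", auth.handle("browser", url)[0])
```

Because the knock travels in the URL, a real deployment keeps the matched count per session rather than per IP address, and the knock values end up in the web server's access log and the browser's history like any other query string.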

From Windows Vista Ultimate to Ubuntu 7.10 Gutsy Gibbon

Well, I decided it was time to check up on where Ubuntu was now. Wow. Very impressive. Last week I was running a stripped-down Vista on my box, just to prove a point; in order to make it work with all my hardware on my only 6 year old machine, I had to go through living hell. My graphics card is an old Nvidia GeForce 2 piece, and guess what? Nvidia decided not to make any Vista drivers for my old-ass card. So, I had to google around for hours till I found a forum post telling me to use a 72.xx version of the XP/2000 driver. This worked, however, I still couldn't use Aero with it. Also, for my soundcard to work, I had to disable Vista's UAC and fuck with Device Manager myself after digging up a driver off some spyware-ridden site. Now, let's compare that to Ubuntu: I put in the CD, boot off it, sound works, no effort there at all. Install. Now, to get my graphics card working, I click the "New restricted drivers available" and check off nvidia. Wait. Press ctrl-alt-backspace to restart X (though they still told me to reboot). And tada, the nvidia driver works and Compiz Fusion works right off the bat on my old-ass card, I didn't even expect that. Another big change from Vista is that, with Vista, I would have noticeable slowness when doing any window management task (ex: dragging or resizing a window). With Compiz, this actually feels faster than with just X11 (due to XGL being faster in the first place). Wobbly windows are quite possibly the most fucking addictive thing ever. There's a great amount of amusement in such a simple thing. It never really seems to get too boring; also, it's amusingly fast, even on my ancient graphics card. In any case, congrats to the Ubuntu team on this fine release. In my book, you're now ahead of Windows on ease-of-use. I think I'll be switching back to Crux or Gentoo soon though, I've been using this Ubuntu for 2 full weeks :)

EDIT: Just because I find vista slow doesn't mean I think that about all of windows in general. Windows Server 2003 runs quite snappy even in a VM.

Spambots, Captchas and other fun things.

Well, I was shocked to see my post on Arch Linux had 85 comments. Guess what? They're all from spambots. How nice of them to think of me. Well, I personally refuse to add captchas, they're painful for humans to waste brainpower on, so, that leaves me with few options; it seems the best of these so far is to limit the number of occurrences of "http://" in comments to 2 using PHYFS. Failing that, PUT UP WITH THE SPAM! Guess what? I don't really care that much. Another option is to use a Bayesian filter like SpamBayes. Should be interesting, let's see if we can kill the basic random spam I get without much effort.... not like I'm targeted by custom spambots yet... well, when that day comes, I might rethink reCAPTCHA.

UPDATE: I've implemented PHYFS; if that fails, I'll add a Bayesian filter. All old spam has been deleted XD
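To make the two options from the post concrete, here is an added Python example (not PHYFS, not SpamBayes, and not code from this blog): a link-count rule that rejects a comment with more than two links, and a small word-based naive Bayes filter as the fallback the post considers. The training comments are constructed for the example, and the rule counts "https://" as well as the "http://" the post mentions.

```python
import math
import re
from collections import Counter

LINK_PATTERN = re.compile(r"https?://")   # the post counts "http://"; https is included here
MAX_LINKS = 2                             # the limit the post settled on

# Constructed training comments, not real spam or comments from the blog.
SPAM_SAMPLES = [
    "buy cheap pills online now",
    "free casino bonus click here now",
    "cheap watches buy online discount",
]
HAM_SAMPLES = [
    "arch linux pacman is a nice package manager",
    "my fvwm config from cvs works fine",
    "the nvidia driver installed without trouble",
]


def too_many_links(comment, limit=MAX_LINKS):
    """The link-count rule: True when the comment carries more than `limit` links."""
    return len(LINK_PATTERN.findall(comment)) > limit


def tokens(text):
    """Lower-cased word tokens; punctuation is dropped."""
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesFilter:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # word counts per class
        self.docs = Counter()                                 # comments seen per class

    def train(self, label, text):
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def _log_prob(self, label, words):
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        total = sum(self.counts[label].values())
        logp = math.log(self.docs[label] / sum(self.docs.values()))   # class prior
        for w in words:
            logp += math.log((self.counts[label][w] + 1) / (total + len(vocab)))
        return logp

    def is_spam(self, text):
        words = tokens(text)
        return self._log_prob("spam", words) > self._log_prob("ham", words)


def build_filter():
    """Train a filter on the constructed samples above."""
    f = BayesFilter()
    for text in SPAM_SAMPLES:
        f.train("spam", text)
    for text in HAM_SAMPLES:
        f.train("ham", text)
    return f


def classify(comment, bayes):
    """Apply the cheap link rule first, then the Bayesian filter."""
    if too_many_links(comment):
        return "spam"
    return "spam" if bayes.is_spam(comment) else "ham"


if __name__ == "__main__":
    f = build_filter()
    for c in ("cheap pills now, click here",
              "pacman installed the nvidia driver fine",
              "see http://a.example http://b.example http://c.example"):
        print(classify(c, f), "<-", c)
```

The link rule needs no training and catches the bulk link-dump comments outright; the Bayes step only matters for comments that stay under the limit, and it needs a handful of examples of both classes before its verdicts mean anything.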

Hushmail, and why not.

I'm sick and tired of hearing about how wonderful Hushmail is. Having some big company with your encryption keys means that YOU ARE NOT SECURE! It's like telling someone to store your house key, then expecting there's still no way they can get in. Even though the encryption is done by a Java applet on your computer, the actual key has to be passed to the applet by what? Hushmail's server! Never depend on a third party to store your encryption keys, especially a big company which will certainly fall victim to a subpoena, 'cause guess what? If someone else HAS YOUR KEY you should _never_ expect security. Hushmail is 100% useless for this exact reason, I see no reason why anyone's excited over it, the entire service is pointless. Give Gmail's new IMAP access with Thunderbird and Enigmail a try. It offers actual security. On the other hand, for just a quick, extremely secure IM conversation, I'll use this opportunity to recommend OTR. For file encryption, with little question, use TrueCrypt.

Oxygen Icons... STFU!

You gave people the option to license the icons under the LGPL or a CC license, so, guess what, people do! Stop bitching about it, suck it up and get used to it. Your fault you picked a license you apparently don't like so, DEAL WITH IT. Not someone else's problem that you picked a license that let 'em use your icons whatever way they please. Get OVER IT! MOVE ON!

My reply to Why Firefox is Blocked (http://whyfirefoxisblocked.com)

This is obviously a very stupid campaign. You're blocking users of a single browser, because many of them use adblock? Opera supports an adblock like system too! and there are many extensions that even add these features to IE! So, why don't you just block everyone? Look. The web is a pull system. Users pick what they download. Not web developers. In addition to this, you're trying to overpower the person who is in possession of the computer system! I own my CPU, I own my hard disk, I choose what executes, I choose what I want my computer to do. Not the developers. Me. You can't take control away from someone in physical possession of it. Don't try, you'll just be invading their rights and your system will be broken quickly. By the way, I can easily walk around your detection using User Agent Switcher. Broken. So, if we build adblock with a randomly switching user agent, it'd be even more fun. :)

Bittorrent Closes Source Code

Well, I'll assume you've already heard the bad news and read the slyck article, if you haven't, go check it out now. I'm finally feeling rant-y about something again, so, it's time for a blog post. I've been using Bittorrent since back in the day when this was written by Bram Cohen: "Bittorrent is a free speech tool". Look how far we've come. Bittorrent is now responsible for arguably over 1/3 of internet traffic. But most people never even touch the mainline bittorrent client that truly started it all, swearing by Azureus or uTorrent.

Well, let's go back for a little while. Back to BitTorrent's infancy. The original BitTorrent client, with its ugly UI and everything. A new file sharing method using a custom HTTP server to find peers, thus creating a very rapid p2p system. The mainline client was the only option for BitTorrent clients for a while. Different people had different ideas for BitTorrent. Pirates saw it as an amazing new way to distribute their warez, Linux distro vendors saw it as the savior from killer server load; whatever your goal, BitTorrent was cool. But it wasn't long before other clients started to fork off. BitTornado, a still existing client, forked off fairly early; I used BitTornado for a while myself, it was basically the mainline client, with a few UI tweaks and some better network power. But a Java client soon became the most popular: Azureus. Now, let's stop for a second. At this time, just about every client in existence was open source, and it looked good for staying that way. Azureus had a long streak of being the most popular client, but its competition would come.

uTorrent arrived. It's a C++ Windows-only GUI client, with a very important difference. No source code. uTorrent, in all its fast-starting glory, had no source available. By this time, the BitTorrent name had grown much beyond the initial group of enthusiasts, who often became interested in BitTorrent solely because it was open source. uTorrent quickly ate up market share. Azureus now is probably only the second most popular BitTorrent client, and that's a hard thing for me to say.

In the meantime, while everyone was arguing about Azureus vs uTorrent, something critical happened. BitTorrent Inc was created. It turned the Bittorrent.com website into a legal movie download web site. Now, I'm not quite sure how paying money and free speech or open source are related, but apparently, they made this poor move. Everyone dropped the Azureus vs uTorrent wars (almost) and went to yell at BitTorrent Inc for making this stupid decision. BitTorrent Inc grew, sucking in money, until they bought up uTorrent. This left many people shocked, scared some away from uTorrent and had trackers banning uTorrent 1.6.1 and onwards. To many people's surprise, the uTorrent source was not quickly spat out like the original BitTorrent idea would have said; instead BitTorrent Inc has now killed the mainline client and replaced it with a uTorrent-based one, saying they did this to prevent malicious productions as their best excuse. Wow. How stupid. Give me _any_ closed source program and I can reverse engineer and hex edit it to say whatever I want instead of what the developer wanted. Closed source does not provide any form of security, again, as I've said before. This has left many people, including myself, angered at the BitTorrent team... is there even a team left? It seems BitTorrent has been killed. Totally killed. Mainline has died. Well, here's what I have to say to BitTorrent Inc: Hey, you've still got a chance left to go back to your original goal, stick to free speech over some fucked up corporation.

I don't think I'll be touching uTorrent again, and I recommend other people do the same... SVN LH-ABC seems quite nice :)

Lakes, Breaks and Harry Potter

Hey everyone!

I've been officially up at my country house for a week now doing random things to pass the time such as: Reading Stealing the Network books, learning C++, and using the crap out of my Dialup internet access.

I've been excited for the new Harry Potter book for some time now, and I've arranged to do nothing but read until I finish the book :)

This is probably the last you'll hear from me for a little bit... So long for now!

Image gallery

Well, I recently decided I'd give you all some nice screenshots to look at. I didn't want some big photo gallery tool like Gallery or Coppermine so, a little googling and I ran across uPhoto, which I'm using to run http://ultra.iblogger.org/images/. I think I'll have to hack up an upload script for it, but hey, it's working for now. Anyways, check that out. I've got screenies of Gnome, Flux, KDE and XFCE running my current little bunch of tools. When using Flux, I also found I needed some tool to execute commands... lots of commands. I quickly hacked fbrun into shape. The diff file for it is available in the sources repository.

TodoTXT

Well, I've tried nearly every GTD solution and they all failed. Nothing could be right in my grasp wherever I go. But, I've finally found the solution to all this shit: todotxt. I found out about this solution while reading a friend's blog, and it seems he was right, todotxt pwns. Plain text based todo lists, with a nice manager bash script (http://todotxt.com). It seems quite effective, considering I'm writing this blog post before I even thought of stumbling. But just todotxt itself was not nearly enough for me. I needed it in quick immediate reach, so, I hacked up a conky config so I can see it on my desktop, then used Gnome Deskbar's command execution for quick and easy control. Now, there was the portability problem. I couldn't get todotxt on any machine... not yet at least. I opened up the shell script and added a few commands of my own: one to tar up the todo directory and copy it to my router for backup, the other to download it and untar. Using this I can download my todo lists wherever I am. I'll publish a diff file for you all soon, once I do some nice documentation. I might also hack in Subversion support, but scp seems good enough for now. I also found a pretty awesome RSS reader called yarssr which will hopefully keep me from hitting new sites all the time. yarssr runs in your tray and turns green when there's new news, at which point you can just click it and read. Another great time saver. Oh, and, as for a paper implementation, I'm thinking PocketMod addon.

ultra@fortytwo:~$ t do 02
blog about todotxt

EDIT: Here's my viral video :)



Sources for my modification are available in the source dump

WIIIIIIIIIIIIII!!!

Hey everyone! The other day I got my hands on a Nintendo Wii. I set up wireless internet in a flash, and I typed this entire post with the Wiimote :)

More to come soon!
- Sprinky

mmh, long time no update...

I should find something else to rant about... suggestions, comment!

Switched to ArchLinux

Hey everyone! Second blog post for me here :)


Arch Linux is a binary-based distro based on LFS. It has many of the same traits as Crux under the hood, except it has a different package manager: pacman.


The other day I decided to ditch debian for a little bit and try a different Linux distro. I didn't want to use a source-based distro like Gentoo or Crux because of the long compile times, and I didn't want to use a binary-based distro based on Debian because that would destroy the whole point of my wanting to switch distros! So I looked around, and I found Arch Linux.

When I booted off the FTP ISO I was greeted with a bash shell and a message leading me to the installation executable. The setup went fine, though it installed a fairly dated kernel which I wasn't so happy about, but everything works and it booted fine when everything was done.

Pacman is a very easy-to-use package manager, much like apt. It has a bunch of packages, as well as a community-based repository known as AUR. The Wiki at the Arch Linux site has a lot of good info, and it's got howtos to set up a lot of things like ALSA, and Wireless internet access. Once I had installed Xorg and the Nvidia Drivers, I got my patched FVWM from CVS up and running very quickly.

I'm really pleased with Arch Linux for the most part, and I'm glad that I didn't have any problems installing and using it thus far!

Arch Linux website: http://www.archlinux.org