Archive for the ‘Technology’ Category

FBI VoIP system conference call intercepted by Anonymous?

Friday, February 3rd, 2012

Major embarrassment today as Anonymous intercepts a conference call between several European and American law enforcement agencies, according to something I’ve just seen on the BBC. It’s on YouTube right now if you want to hear it for yourself.

It got my attention – someone breaking into a VoIP system would. But on further investigation it’s pretty obvious to me that it wasn’t an intercept at all. The clues are in the intercepted email and the start of the recording – Anonymous read an email circular inviting people to the conference call, in which the access number and password were given.

This makes the authorities concerned seem even more incompetent than if they’d had their VoIP service compromised.


Certificate “Errors” on Internet Explorer 9 – and how to stop them

Sunday, January 29th, 2012

Like recent versions of Internet Explorer, Version 9 has a Microsoft-style way of handling SSL certificates. It won’t let lusers access anything over a secure connection if there’s anything wrong with the certificate the remote end has presented. On the face of it, this is all very reasonable, as you don’t want the lusers being tricked by nasty criminals. But in reality it’s not as simple as that.

A bit of background, because everyone should make an informed choice about this…

SSL (or TLS) has two purposes – authentication and encryption. When you send data over SSL it’s only readable by the receiving computer (i.e. it’s encrypted), and you know you’re talking to the right one (the link is authenticated). The computers don’t exactly exchange passwords, but they have a way of recognising each other’s SSL certificate. Put simply, if two computers need to talk they each have a copy of the other’s certificate stored on disk and use it to recognise the other end (a gross over-simplification, but it’s a paradigm that works). Should a computer not have the certificate needed to authenticate the other end, it will be supplied, and this is checked to see if it’s “signed” by a certificate it already has – in other words, the unknown remote certificate arrives and the computer checks it against a “signing authority” certificate to see whether it has been signed, and is therefore to be trusted. If it’s okay, it’s stored and used.

Now here’s where it breaks in Microsoft-land: For your computer’s certificate (the one it sends) to be signed by a “signing authority”, money has to change hands. Quite a lot of money, in fact.

In the rest of the world (where SSL came from), on receipt of an unknown certificate you’d see a message saying that the remote computer says it can be recognised using the supplied certificate, but we’ve never seen it before: do we trust it? In most cases the answer would be “yes” and the two computers become known to each other on subsequent connections. It’s okay to do this – it’s normal. Something like this happens on Windows with Firefox and other browsers, but not, apparently, Internet Explorer. Actually, Internet Explorer 9 can be made to recognise unsigned security certificates, and here’s how.

First off, we really need to know what we’re about to do. What are the symptoms? The address bar goes red and you get a page saying there’s a problem with the certificate every time you visit a “site”. You can click on something to proceed anyway. The “error” is normally for one of three reasons, and it’ll tell you which. On a bad day you might get all three! But taking them in turn:

“The security certificate presented by this website was not issued by a trusted certificate authority.”

This just means that no one has paid to have this certificate signed by anyone of Microsoft’s liking. It may be a private company-wide certificate, or one belonging to a piece of network equipment such as a router. If it’s a web site belonging to your bank or an on-line shop, worry! Otherwise, if there’s a reason why someone isn’t paying to have their certificate approved (indirectly) by Microsoft, make your own decision as to whether you trust it.

So how do you get around it? Actually it’s pretty simple, but Microsoft aren’t giving out any clues! The trick is to run Internet Explorer as Administrator (not just when logged in as Administrator). If you don’t, the following won’t work.

Go to the site whose certificate you wish to import, and proceed to view the site in spite of the warnings. Then in the address bar you’ll see “Certificate error”. Click on this and you’ll see an option to “View Certificate”, and (assuming you’re in Administrator mode) there’ll be a button on the “General” tab to “Install Certificate”. Follow the prompts. For maximum effectiveness(!) choose the option to “Place all certificates in…” and browse to the “Trusted Root Certification Authorities” store. This probably isn’t necessary in most cases, but if you do this it’ll cover you for pretty much every use. Your PC will happily accept anything from the remote machine hereafter; make sure you’re importing the right certificate!

“The security certificate presented by this website has expired or is not yet valid.”

This means the certificate is out of date or, exceptionally, too new. In most cases encountering a certificate that isn’t valid suggests that your computer’s clock has gone back to the 1980s! If this sounds plausible, just proceed to use the certificate anyway (there’s a clear option on the screen to do this). You’ll still get a scary red address bar, but the server operator should fix this.

“The security certificate presented by this website was issued for a different website’s address”.

This third case is a bit more tricky. Basically the name of the computer is embedded in the certificate, but you might be calling it by another name. Or it could be using a pinched certificate. If you’re talking to a network router like a Draytek 2820 and it’s giving you a built-in certificate, it would have no way of knowing what name or address the router is ultimately going to be installed as. The certificate is bound to be wrong in this respect. However, fishing around in the Internet Explorer options, under Advanced (and right down near the bottom) there’s a check-box – “Warn about certificate name mismatches”. Un-check it and it’ll stop squawking. Unfortunately it’s either on or off; you can’t set it to ignore a mismatch for particular names only. Because of the risk that someone might be impersonating your bank, you’d probably be best to leave this one checked and put up with the red.
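To make the three warnings concrete, here is an added example (not from the original post) that takes a certificate in the shape Python’s `ssl` module returns from `getpeercert()` and reports which of the three IE9 complaints would apply. The trust store, the “Vigor2820” router certificate and the “example-bank.test” certificate are all constructed for illustration, and trust is decided by matching the issuer’s name rather than verifying its signature, which is a simplification of what a browser really does.

```python
import ssl
import time

NOT_TRUSTED = "not issued by a trusted certificate authority"
NOT_VALID = "has expired or is not yet valid"
NAME_MISMATCH = "was issued for a different website's address"

# Constructed trust store: common names of the signing certificates we already hold.
# (A real browser verifies the issuer's signature; matching the name is a simplification.)
TRUSTED_ISSUERS = {"Example Root CA"}

def _cn(name):
    """Pull commonName out of a getpeercert()-style subject or issuer tuple."""
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def _name_matches(pattern, hostname):
    """Match a DNS name; a wildcard is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname

def classify(cert, hostname, now=None, trusted=TRUSTED_ISSUERS):
    """Return the IE9 warnings that apply to cert when reached as hostname at time now."""
    now = time.time() if now is None else now
    errors = []
    if _cn(cert["issuer"]) not in trusted:
        errors.append(NOT_TRUSTED)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:          # e.g. a PC clock reset to the 1980s
        errors.append(NOT_VALID)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"] or [_cn(cert["subject"])]
    if not any(_name_matches(n, hostname) for n in names):
        errors.append(NAME_MISMATCH)
    return errors

# Constructed sample: a router's built-in self-signed certificate, reached by IP address.
ROUTER_CERT = {"subject": ((("commonName", "Vigor2820"),),), "issuer": ((("commonName", "Vigor2820"),),),
               "notBefore": "Jan  1 00:00:00 2011 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT"}
# Constructed sample: a properly signed wildcard certificate for a bank-style domain.
BANK_CERT = {"subject": ((("commonName", "*.example-bank.test"),),), "issuer": ((("commonName", "Example Root CA"),),),
             "notBefore": "Jan  1 00:00:00 2011 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT",
             "subjectAltName": (("DNS", "*.example-bank.test"), ("DNS", "example-bank.test"))}
```

Passing the router’s own name in `trusted` is the equivalent of the “Install Certificate” step above: the first warning goes away, but the name mismatch stays until the router is reached by the name in its certificate.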

Final word of warning

Some people reading this will reckon this advice is reckless. Why circumvent a security feature? Simple – if the authentication part of SSL isn’t working you still want it for the encryption. In an ideal world everyone would have signed certificates so you can verify everything you talk to is what it claims to be (the first time you meet it), but in the real world you probably want your data encrypted, and it’s also good to know you’re talking to the same computer on subsequent visits.

Hassling everyone over security certificates, as Microsoft is doing, may be justifiable on some levels, but as far as I’m concerned, anything that makes the use of encrypted data paths more difficult or expensive is a bad thing. They’re throwing the baby out with the bathwater.


VoIP socket pinout on newer Draytek routers (2820Vn etc)

Monday, January 16th, 2012

I’ve just spent over a day trying to get this piece of information out of Draytek, so appreciate it!

On the newer Draytek routers with VoIP capabilities (Vigor 2820 and some of the later ones) you no longer connect the handset (or PABX) to a standard RJ11. Instead both analogue lines come out on a single RJ11/RJ12, and you get an adapter so you can plug two standard BT handsets into it. I assume this only applies to UK models. Anyway, if you’re wiring to a PABX, BT jacks are a complete pain in the rear, so if you want to connect an RJ11 to a twin-pair cable and go directly to a krone block the pin-out is (officially):

  • Line 1 – pins 2 and 5 (centre two)
  • Line 2 – pins 3 and 4 (one out from centre, or outer on RJ11)

That is to say the middle two pins and the two straddling – and numbering as if it was an RJ12 with six positions, even though the contacts may be missing from an RJ11. Heck, if you don’t know how to number an RJ12 you’re probably better off with the BT jacks.

This is logical and probably most telecoms people’s first guess, but it’s nice not to have to go for trial and error or smash their adapter apart (assuming you can’t conveniently connect an AVO into a BT-style socket).

For what it’s worth, I’ve been using Draytek VoIP kit for about eight years now – some of the best going in the market it serves, and I’ve got rather a lot to compare with. It’s a pity the company is so hard to get hold of for technical support, as they won’t answer a general question straddling the product range – only ones about individual serial-numbered units. Therefore I can’t get a list of kit to which this applies – I need to ask them one at a time, giving the serial number of an extant unit. I suspect they don’t want too many dumb questions swamping them, but it’s not so brilliant for professional users – if it’s not in their FAQ you’re left to trial and error.

HP Microserver and WOL

Thursday, January 12th, 2012

They just don’t seem to work. I’ve spent an annoying hour or so trying to get WOL to work with an HP Microserver – no joy whatsoever. I assumed it must be my code until I tried it on a few other machines, where it worked just fine.

Now most of my machines are Realtek whereas HP are using Broadcom (as do the Dells). I’m not saying there’s anything wrong with Broadcom, but whenever I have a weird network problem they have a habit of being at the heart of it. Is it my magic packet? As far as I know it’s supposed to be 48 bits of ‘1’ followed by sixteen copies of the MAC address. Does it need a secure-on password? If so, how come you can’t set one in the BIOS?
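For anyone checking their own magic packet against the format described above, here is an added example (not the author’s code) that builds the packet, optionally appends the six-byte secure-on password some NICs expect, and scans a received frame for a valid packet the way a card in WOL state does. The MAC address and the sample frame are constructed for illustration.

```python
import socket

def parse_mac(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' (or '-' separated) into its 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"expected 6 hex bytes, got {mac!r}")
    return raw

def build_magic_packet(mac, secure_on=None):
    """Six 0xFF bytes (48 bits of '1'), the MAC sixteen times, then an optional
    6-byte secure-on password, written in the same hex form as a MAC."""
    packet = b"\xff" * 6 + parse_mac(mac) * 16
    if secure_on is not None:
        packet += parse_mac(secure_on)
    return packet

def find_magic_packet(payload):
    """Return the target MAC if a magic packet occurs anywhere in payload, else None.
    A NIC in WOL state scans the whole frame rather than a fixed offset, so do the same."""
    sync = b"\xff" * 6
    start = payload.find(sync)
    while start != -1:
        body = payload[start + 6 : start + 102]          # the 16 x 6-byte repeats
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(sync, start + 1)
    return None

def send_magic_packet(mac, broadcast="255.255.255.255", port=9, secure_on=None):
    """Send the packet as a UDP broadcast; port 9 (discard) is the usual choice."""
    packet = build_magic_packet(mac, secure_on)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)

# Constructed sample: a magic packet buried after unrelated bytes, as a NIC might see it.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_FRAME = b"junk header" + build_magic_packet(SAMPLE_MAC) + b"trailer"
```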

I’ve asked an HP server expert – update the BIOS. Perhaps, but these are brand new machines of an old design. They either turn on when they receive the packet, or they don’t work and I can’t believe HP didn’t test them. Then again…

I’m told that these do support WOL on Windows, but not if you’re running anything else. On the face of it this is bonkers. Why should the OS on the powered-off drive affect anything? The machine is off; the OS isn’t running. Well, here’s a theory – before Windows shuts down it puts something in a register on the Broadcom chip to leave it in a WOL state. With the wrong drivers this doesn’t happen. Setting it in the BIOS doesn’t help, because it’s erased by the OS driver. The BIOS doesn’t restore it as the power is killed, but Windows hits the registers differently.

Unfortunately Broadcom doesn’t seem keen on releasing the documentation needed to write proper drivers to anyone other than Microsoft. Is this my imagination? Everyone else publishes the reference material, but Broadcom’s I can’t find.

If anyone can throw light on this one, please do. I’m still looking.

Hard Disk shortage. Yeah, right!

Monday, December 5th, 2011

Haven’t hard disk drives suddenly become expensive? It’s a world-wide shortage caused by flooding in Thailand, apparently. Yeah yeah, we’ve been here before: a fire in the jungle somewhere causing a loss of chip production, and so on. The problem is that when you looked for a fire in a fab, there never was one – and there aren’t that many fabs around.

Actually, it is true that floods in Thailand have affected some drive production. There are blogs all around the place predicting doom, gloom and providing figures as to what the shortfall might be. People are wringing their hands and predicting even worse supply problems and price rises after Christmas.

I say phooey.

I’m sceptical that the lost production is as high as claimed, and given the rising price of drives, all the HD makers will be ramping up at other facilities in double-quick time. This will lead to over-production pretty soon. The short-term supply shortfall shouldn’t even be noticed, as there are always lots of drives sitting in warehouses.

But you’re wrong, I hear the cries. If you were right, why is everything out of stock in spite of inflated prices? Panic buying might have an effect on that. If the channel thinks prices are going to rise, they will. It’s a self-fulfilling prophecy if ever there was one. But it has a use-by date. Sooner or later everyone will be sitting on their expensive stock pile and wondering why supplies haven’t run out – and when they do, the over-supply will come through the system.

The suppliers aren’t going to quash the rumours, of course. Why should they, when everyone further down the chain is paying double for everything in their warehouse?

How do I know all this? I’ve seen it all before.

Warning: Just because this happened in the past, doesn’t mean it will happen in the future. If you lose money based on the above prediction, it’s entirely down to you.