Posted on

iZettle is now contactless on Android

Update 6th October 2015:

What a difference a day makes! Yesterday I was trying to get iZettle 3.0.0 working on my Android 5.0 handset and failing miserably. Today, it’s all working just fine. The difference? Three things:

  1. Don’t have the handset and the reader too close together. Bluetooth was interfering with the WiFi. They’re on the same frequency, and Bluetooth doesn’t really play nice with 802.11n. While the Internet connection was being blocked by the reader, the App became unstable on loading.
  2. Either turn on the reader before you start the App, or afterwards. I’m not completely sure of the timing, but there seems to be a bad spot if they’re both starting up together where they fail to sync and both go funky deux. The photographs following the review show what I mean!
  3. When you turn on the reader, wait for the “Please wait….” to disappear before you considering it to be “on”. i.e. don’t start the App while it’s in that state, and don’t do anything to try to use it if the App is already running.

If you follow the rules above, everything else works like a charm. And like all rules, there are exceptions when it might work anyway.

Review

iZettle is a Swedish company, founded in 2010, offering a complete mobile card payment system for small businesses with Terms of Business and charges that should make the bankers blush. The deal is that they charge a straight ~1.5%-3% dependent on volume, with no minimum transaction fee. You can buy a reader from them, or if your volumes are high enough, they’ll give you a free Chip and Pin reader that connects to some smartphone/tablet hardware (iPhones and a few Android devices) using the microphone/speaker. My advice on the free reader is “don’t be cheap – pay for the bluetooth one”.

Today iZettle released its all-new Android App, version 3.0.0, which allows it to work with the  Card Reader Pro Contactless . When I say “released”, it appeared in the Google Play store without fanfare; not even a press release. Apple fanbois have been able to use contactless cards (and Apple Pray) for some time now, but the Android App has always lagged behind; odd, as 90% of smartphones run Android. Perhaps iZettle really likes Objective ‘C’?

The good news, apart from contactless support, is that the new Android App is much cleaner and nicer to use than the old one. On startup, it goes straight in to the screen where all you need do is enter the amount and optional description and add it to a cart (you can’t charge it immediately, for some reason). If you have pre-set items you can access them in grid or list from by swiping left; tapping an item adds it to the cart.

70D_04547c

To take a payment just tap on the cart icon. You get a chance to add a percentage or set value discount and when you’re done it just connects to the card reader and does the business. One very welcome feature is that the display on the reader now shows the amount being charged.

There are other good features lying about in the software. For example, a battery status indication is available in settings. But the main feature of 3.0 is its ease of use.

Teething problems connecting notwithstanding, there are a few possible improvements that spring to mind. It would be handy to be able to enter a number and select “Charge” immediately without going through the cart first. This may be a bug – before you enter an amount the there is a large button marked “Charge” that changes to “Add Item” (to the cart) as soon as you enter something. Also, there are pre-set discount rates of 5%, 10% and 15% and the ability to enter any percentage manually, but you can’t edit the pre-sets. More seriously, you can’t edit the VAT rate table or enter a manual rate. It has 0%, 5% and 20%, which are the current rates in the UK, but they’re going to change. It also makes no differentiation between Zero-rate an Exempt, which does matter for proper accounting.

But these are minor quibbles. iZettle 3.0 is a big improvement on the rather clunky 2.5 and I’ve no doubt the teething troubles with the connection will be fixed. In the mean time, just leave the reader enough time to warm up.

In view of the problems I did have, a means of rolling back updates is needed. iZettle says that they can’t do this at the moment, but given the difficulty of testing Apps – especially Android ones  – on the wide range of hardware and OS versions out there, relying on a compatibility list is a bad idea tactically. There’s a danger that people will seek to download older versions of the App if they encounter problems, and a bit of research this morning turned up a few .apk files on the Internet that had definitely been tampered with. I’m trying to persuade iZettle to implement a rollback option but no luck yet.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

 

 

Rogues gallery: iZettle 3.0.0 going mad yesterday. See update above.

If you get the timing wrong or something interferes with the Internet connection (e.g. it’s masked by bluetooth) you could be in for a world of pain.

70d_04521

Whenever I try to make a charge it either says that an “Unexpected error occurred – try again”, or it crashes out.

70D_04543

This is before it even gets to the “insert card” part. And it’s really flaky when it comes to keeping bluetooth contact with the reader.
70D_04533 70D_04542

It randomly freezes, in the case of the above while it was moving between screens – it appears to be when its thinking about bluetooth connections.

It even manages to crash the reader itself!

70D_04540

For what it’s worth, I’m using Android 5.0, and it worked just fine (albeit Chip and Pin) on the old version of the App.

Fortunately I don’t process a lot of payments, so can live without it but others may be having a really bad day as a result.

Posted on

Fake Received: used by spammers – new tactic

Actually, this isn’t a new tactic at all. There was a lot of this going on in the 1990s and early 2000s, but I haven’t seen such widespread use of fake Received headers for a while now. As mail is no longer relayed, what’s the point? And yet, it’s coming again. Take this recent example:

Received: from host101-187-static.229-95-b.business.telecomitalia.it (host101-187-static.229-95-b.business.telecomitalia.it [95.229.187.101])
by real-mail-server.example.com (8.14.4/8.14.4) with ESMTP id t8NAOpJS007947;
Wed, 23 Sep 2015 11:24:57 +0100 (BST)
(envelope-from name-up-name@a-genuine-domain.com)
Received: from remacdmzma03.rbs.com (mail09.rbs.com [155.136.80.33]) by mail.example.com (Postfix) with ESMTP id B849451943 for made-up-name@example.com; Wed, 23 Sep 2015 11:22:43 GMT)
Message-ID: <XZ95O517.6281609@rbs.co.uk>
Date: Wed, 23 Sep 2015 11:22:43 GMT
Thread-Topic: Emailing: bankfl.emt
Thread-Index: made-up-name@example.com
From: "RBS" <secure.message@rbs.co.uk>
To: made-up-name@example.com
MIME-Version: 1.0
To: made-up-name@example.com
Subject: Bankline ROI - Password Re-activation Form
Content-Type: multipart/mixed;
boundary="----------------_=_NextPart_001_01CF5EDB.A2094B20"
This is a multi-part message in MIME format.
------------------_=_NextPart_001_01CF5EDB.A2094B20
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.

… etc …

Obviously the above has been re-written to use example.com, and the made-up-name was something random. The rest of the header is as it was. They’re obviously trying to convince you that your mail servers have already seen this  this message, so it must be okay. This is such a dumb trick – does any spam filter bother to even look at earlier headers? Are they hoping that Bayesian analysis will score the incorrectly guessed mail server as particularly hammy?

But what’s doing this, and why? Is there a new spambot in town, or is there a new spam filter that’s susceptible to such a dumb trick?

As it stands, this was sent from a blacklisted IP address and the SPF fails for RBS anyway, and the English it was written by a virtual English illiterate. For what it’s worth, the payload was malware in a ZIP.

 

Posted on

Tomorrow, Apple will break iZettle ApplePay readers with iOS update

I just heard from iZettle about a rather unfortunate feature of the iOS 9.0 upgrade that Apple will be dumping on its fanbois tomorrow: it doesn’t work. No, I mean it really doesn’t work. There’s a bug that stops it pairing with some Bluetooth devices, including iZettle card readers.

If you’re the kind who has to have the latest iPhone or fondleslab then you’re going to have it set to auto-update. Bad luck. Will you take a cheque?

Posted on

Always download software updates. HM Government says.

image

I saw a poster on the tube. A cartoon cat held a smartphone showing a message “Your whole life is in here. Is it secure?” With a software update button below it. Interesting, I thought. Was someone selling protection from rogue software updates? As everyone knows, these have a habit of ruining your day. No. It was part of a government campaign. To back up your data, especially before updating software perhaps? No!
It was actually encouraging lusers to the install updated software over the Internet as often as possible. So you can now blame HMG for what Windows 10 has done to your PC or Apple does to your iPhone next week.
Don’t laugh, it’s your taxes paying the bill.

Posted on

GMail can’t send to sendmail

Gmail Fail

What’s happening with Google? Their Internet engineering used to be spot on. They’re generally a bunch of clever guys, and they follow standards and their stuff just works. Or did. Lately their halo has been getting a bit tarnished, and problems with GMail are a good case in point.

It all started quietly around a month ago on the 6th August. About a week later, people started complaining that users sending mail to them from GMail were getting bounce messages. It looks like Google had rolled out a broken software update, but they’re keeping a low profile on the subject.

After a great deal of investigation it appeared that their new MTA was attempting to make a STARTTLS connection when delivering mail on port 25. STARTTLS is a mechanism that allows encryption on a standard unencrypted channel. Basically, the sender tries a STARTTLS command and if the receiver supports it, returns a reply of “okay” and the remainder of the connection is encrypted using TLS. unfortunately Google’s implementation, which had been working for years, is now broken. The GMail lusers got a bounce back a week later that said it couldn’t negotiate a STARTTLS connection. No further explanation has been forthcoming. STARTTLS should work, and if it doesn’t GMail should try again without using it, but doesn’t.

On the servers I’ve examined there is no problem with STARTTLS. Other MTAs are continuing to use it. All certificate diagnostics pass. Presumably Google has changed the specification as to what kind of TLS/SSL its going to work with, as, presumably, it’s not happy working with all types. Not all servers have this problem. But Google isn’t telling anyone what they’ve done, at least not so far. Working out what’s wrong with their new specification using trial and error takes a while, and I have yet to find a combination that works. And besides, it’s not Google’s place to tell recipients what kind of encryption they should be using, especially when the default state is unencrypted.

Google does offer a troubleshooter but it doesn’t cover this eventuality. There is an option to report other problems, but to date I’ve had no response.

So what’s the solution? The only method I’ve found that works is to disable STARTTLS on Port 25. This means that Google can’t try and fail, and go in to sulk mode. And here’s the bit you’ve probably been waiting for: how to do it.

Assuming you have an access DB configured for sendmail, (the norm) you need to add an extra line somewhere and makemap it:


srv_features: S

On FreeBSD this file is /etc/mail/access and you can make it active using make run from the /etc/mail directory. But you probably knew that.

The srv_features stuff basically tells sendmail which services to advertise as being available. STARTTLS is option ‘S’, with a lower-case letter meaning “advertise it”, and an upper-case meaning “don’t advertise it”. This over-rides defaults, and all we want to do here is stop advertising STARTTLS. If it’s not advertised, Google doesn’t try using it (at least for now).

You might want to read this sendmail documentation for more information in the normal Sendmail easy-to-understand(!) format. If that doesn’t do it for you, look at section 5.1.4.15 of the manual, available in PDF here.

Now Google may defend this state of affairs by saying that they’re implementing something odd with STARTTLS for “security reasons”. There may even be some justification in this. If I knew what they’d changed I might be able to comment on that, but I can’t. However, even if this was the case, they’d be wrong in principle. Since the dawn of Internet email we’ve had RFCs telling us how things should work. You can’t just change the way you do things and expect everyone else to change to suit you, however large you are. And it’s possible that what Google has done is RFC compliant, even if it is bonkers. There are unspecified aspects in RFCs, and some grey areas. However, anyone who’s been around for long enough will know that Sendmail is the de-facto MTA. If you have an argument about the interpretation of an RFC, you can settle it by asking the question “Does it work with sendmail?” If it doesn’t, it’s your problem.

And while we’re at it, it’s really good of Google to stop anyone reading your email while it’s in transit (could they be thinking of the NSA here?) After all, you don’t want email sent through GMail to be readable by anyone until they’re delivered, do you? The only snag is that they are still being read and analysed, by Google. Of course. Email is never secure unless you have end-to-end encryption, and by definition, you can’t get this with a webmail service.

Posted on

Problems receiving mail from GMail – STARTTLS is a bad idea

Gmail Fail

Note: You may wish to read this follow-up article, which contains a solution.

A couple of weeks ago, users started complaining that people using GMAIL (and possibly iCloud) were having their emails bounced back to them from my servers. This is odd – most complaints on the Internet are from users of dodgy hosting companies having their mail rejected by GMail as likely spam. But I haven’t blacklisted Google, and all other mail is working, so they must have been mistaken.

But as soon as I could, I tried it for myself. And sure enough, a bounce came back. The relevent bit is:

Technical details of temporary failure:
TLS Negotiation failed: generic::failed_precondition:
               starttls error (0): protocol error

On fishing around in Sendmail logs, I found evidence that this has been going on all over the place:

sm-mta[84848]: STARTTLS=server, error: accept failed=-1, SSL_error=1, 
               errno=0, retry=-1, relay=mail-qg0-f50.google.com [209.85.192.50]
sm-mta[84848]: STARTTLS=server: 84848:error:1408A0C1:SSL
               routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure
               /lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:1073:
sm-mta[84848]: t7QJXCPI084848: mail-qg0-f50.google.com [209.85.192.50] did
               not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Oh my! The STARTTLS stuff isn’t working because there’s no shared cypher! Hang on a minute, there isn’t supposed to be. Who told Google they could use STARTTLS on port 25. It’d be neat if it worked, but it’s not configured – at least not with a certificate from a public CA. It actually works just fine if you are cool with self-signed (private) certificates. So what is Google playing at?

In the wake of Edward Snowden, people have started worrying about this kind of thing, so companies like Google are trying to be seen doing something about it, and encrypting mail might seem like a good idea. Unfortunately STARTTLS is a bad idea. The rationale behind STARTTLS was to add encryption to a previously unencrypted port’s traffic. If the sender issued a STARTTLS as part of the protocol it could switch in to TLS mode if it knew how; otherwise it would just work as normal. The IETF was very keen on this in the late 1990’s as an easy fix, citing all sorts of iffy reasons, generally to do with having two ports; one standard and one encrypted. They thought it would be confusing, requiring different URLs and not allow for opportunistic automatic encryption of the kind Google seems to be attempting.

As far as I’m concerned, this is rubbish. Having clearly defined encrypted and unencrypted ports means you know where you are. It either is or it isn’t. If you say something must be encrypted, turn off the unencrypted port. STARTTLS allows a fall-back to plain text if you specify the clear text port; and if you have a man-in-the-middle you’ll never know that the STARTTLS was stripped from the negotiations. It opens up a vulnerability that need not be there, all for the sake of saving a port. And time is on my side in this argument. Since 1999 the implementation of encrypted ports has really taken off, with https, smtps (in spite of 465 being rescinded), imaps – you name it – all servers and clients support it and you know where you are.

So what’s this sudden clamouring for the insecure STARTTLS? Naivety on the part of the large internet companies, or a plot to make people think their email traffic is now safe from snoopers when its not?

I’ve reported this problem and I await an answer from Google, but my best guess is that they’re speculatively using STARTTLS, and then barfing and throwing their toys from the pram when it doesn’t work because the verify can’t be done. Having thought about it, I’m okay with the idea of trying STARTTLS as long as you don’t mind about the CA used for the certificate; and if you can’t negotiate a TLS link, go back to plain text. In many ways it’d be better to use the well known port 465 for TLS, and if it can’t be opened, go to plain text on 25. Except there’s no guarantee that port 465 is on the same server as port 25, and it’s normally configured to require SASL authentication. As everyone knows, apart from Google it seems, assumption is the mother of all foul-ups.

Encryption is a good idea, but making assumptions about Port 25 being anything other that straight SMTP is asking for trouble.

 

Posted on

Spam from WH Smith?

Whoever next? We’ve intercepted a load of spam sent by French company EmailVision on behalf of WH Smith to honeypot addresses – i.e. definitely not opt-in and definitely not legal in the UK. EmailVision is getting quite a reputation for this kind of thing, with PayDay loan spam and suchlike. W H Smith – I’m surprised at you! Or perhaps I’m not.

Posted on

Stagefright on Android

This is a quick post as I’m a but busy at the moment, but it’s worth saying something about it this serious Android security flaw.

As I understand it, there is a buffer over run problem with the decoder for MMS messages. On receipt and decoding of a specially crafted MMS an attacker can get control of the process,
which on Android 4 or later means access to SD card data, your camera and microphone and other awkward stuff. On Android 2 they get the whole phone. I’ve yet to be convinced that this is a game over type problem on Android 4 but it bad enough. On earlier versions of Android, it’s a complete disaster.
The solution, of course, is to get a software update from your phone manufacturer. Good luck waiting for that to arrive.

My advice in the meantime is to disable MMS messages completely. I do this by default, because I think they are ridiculously overpriced and there are plenty of other alternatives such as email or even Instagram (so I’m told buy the teenagers hereabouts).

If you want to disable MMS, proceed as follows:

Go to phone settings. The last entry under Wireless and Networks will be More…

Here you will find “Mobile networks”, and under there will be ” Access point names”. On dual SIM phones you will now have to choose each SIM in turn, otherwise you’ll go straight to a list of profiles. This list may contain only one entry.
Choose the entry that is selected, i.e the one you are using. What you will find next depends on the version of Android you have. However somewhere down the list there will be an MMS service centre URL, beginning with HTTP and looking like a web address. Simply delete the contents of this field, and while you are at it, remove the entry for MMS proxy if you have one. This tends to be a dotted quad i.e. an IP address.

Just save this, and you will not be able to send or receive MMS messages from your phone.

Posted on

Problems with Thunderbird 38.0.1 and SSL

Dead Thunderbird
Version 38.0.1 of Thunderbird is an ex-mail client. It has ceased to be.

Thunderbird used to be my mail client of choice, but suddenly I’m not so sure! The latest update on the release channel (version 38.0.1) seems to have broken completely when using self-signed certificates for SSL.

A self-signed certificate makes sense when you know you can trust it; otherwise you get a signing authority you do trust to verify your certificate (for loadsamoney). If you’re talking to your own servers, there’s not point in doing this as there are other ways to check you’re talking to who you think you are. Thunderbird used to warn you that it didn’t recognise a self-signed certificate the first time it saw it, but if you told it to go ahead anyway it would add it to the trusted list and go on encrypting your data for you quite happily.

Since “upgrading” to version 38 it suddenly stopped working. No more email. No more sending email. It just failed silently (that’s bad, for a start), the only clue was that I couldn’t send an email or copy it to the drafts folder.

On examining the logs at the server end I found stuff like this:

Jul  7 23:17:54  dovecot: imap-login: Disconnected (no auth attempts):
    rip=###.###.###.###, lip=###.###.###.###, TLS handshaking: SSL_accept() 
    failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Suspicious! So I turned off SSL in Thunderbird and it all worked again. This is NOT a sensible solution. Unfortunately, I have yet to solve this one, other to simply not upgrade Thunderbird beyond 31.7.

Fortunately, you can still download the previous non-beta version from here, (assuming Mozilla don’t move it). You actually want 31.7.0, because the intervening releases were betas, and 31.7.0 is as recent as May 2015 so it’s not ancient. Just navigate around the site you don’t want the English version. Simply install it everything comes back the way it used to be, or at least it did for me.

 

Update 15-Jul-2015:

It appears that Thunderbird may have decided not to accept TLS with less that 1024-bit DH keys without telling anyone. Even if they had mentioned it, there’s not a lot users can do with it. This means that if you’re using a 512-bit key (which is considered export-grade) then it’s going to refuse to talk. Worse than that, it doesn’t pop up a message saying WHY it’s not going to talk. It’s just going to fail the connection. Presumably, as my friend Graham put it, this indicates that the Thunderbird open-source developers are hoping to get a job with Apple.

I hope this nonsense will be resolved in 38.1! In the mean time, turn off auto-update.

Update 30-Jul-2015:

I’ve now updated the server certificates being in-date (which doesn’t actually matter), and made sure they were 1024-bit (which they were) and apart from upsetting everyone who has had to accept the new certificate, Thunderbird still barfs.

Update 15-Aug-2015:

It get’s worse – there has been an update to the 31.x branch to 31.8.0, and this has the same problem. Use the link above and make sure you’re using 31.7.0

 

Posted on

Malware claiming to come from Transport for London

I often get Transport for London information messages. I suspect a few million people in London do. But until just now, I’ve not seen it used as a malware distribution trick. Here’s what they look like:

Received: from [80.122.72.234] ([80.122.72.234])
	by  (8.14.4/8.14.4) with ESMTP id t5QAj0ns002218
	for ; Fri, 26 Jun 2015 11:45:01 +0100 (BST)
	(envelope-from noresponse@cclondon.com)
Date: Fri, 26 Jun 2015 12:45:04 +0200
From: 
Subject: Email from Transport for London
To: 
Message-ID: 
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: multipart/mixed;
 boundary="=_5557BCCC15D34570E10080000A82A3EC"
Envelope-To: 


--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: inline
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are s=
trictly confidential and may be legally privileged. If you are not the int=
ended recipient any reading, dissemination, copying or any other use or re=
liance is prohibited. If you have received this email in error please noti=
fy the sender immediately by email and then permanently delete the email.
______________________________________________________________________
--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: attachment;
 filename="AP0210932630.doc"
Content-Type: application/doc;
 name="AP0210932630.doc"
Content-Transfer-Encoding: base64
Content-Description: AP0210932630.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAJwAAAAAA

The file attachment is a dodgy Microsoft Word document, unknown to malware scanners, and in spite of the faulty English it’s unlikely that Bayesian analysis will think it odd, although the SPF records don’t match and the IP address is currently flagged as slightly dodgy with no reverse lookup. It belongs to Telekom Austria, and I suspect it’s NOT a botnet at this time.

If anyone else has received one, I’d be interested to know! I let TFL know, and, refreshingly, got through to the right people and they took the matter seriously. This is hardly ever the case, so my feelings for TFL have gone up several notches!