Spam From Amazon SES

Spam has always been a problem with Amazon’s email service (SES). They make an effort to filter the outgoing missives transmitted by their customers, but it’s not perfect. And Amazon is no respecter of laws outside the good ol’ US of A, where the right to free speech is a licence to spam any kind of junk you like, whether the recipient asked for it or not.

Here’s a case in point:

Received: from a8-55.smtp-out.amazonses.com (a8-55.smtp-out.amazonses.com [54.240.8.55])
	by xxx.xxx.xxx.uk (8.14.4/8.14.4) with ESMTP id t5NHpefn075543
	for <spambait@xxx.xxx.uk>; Tue, 23 Jun 2015 18:51:40 +0100 (BST)
	(envelope-from 0000014e218bf8a9-07659756-debc-452c-9a9f-1b0ecedf709d-000000@amazonses.com)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1435081898;
	h=From:Date:To:MIME-Version:Message-ID:Reply-to:Subject:Content-Type:Feedback-ID;
	bh=jCdtb+gUf4FAvUudtcIKxlX0IOnQHEd/YxIGxHXLcQ4=;
	b=cNIs7cNe5LzyxYvGWw/LdIeA7epknAFAoeQYjiyf9b5mTKRYLAW9KLvUTSGtlsr7
	WWy52wd3Tz9o9vQryvK/Q5l5okAFxgZCZa5uSbXMor7sa/1dU02kwjCyACnb7viR1np
	BlEytfbGEBUlAfBBrrJueagmdzwa+IXNZsBo4w2Y=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=lfgclj2zbjygv5i5rirpal2v2zj3dquy; d=uebaps.com; t=1435081898;
	h=From:Date:To:MIME-Version:Message-ID:Reply-to:Subject:Content-Type;
	bh=jCdtb+gUf4FAvUudtcIKxlX0IOnQHEd/YxIGxHXLcQ4=;
	b=bZZSEICBkHU8HkdFtiYg9fp+qxzmxJlfNj6UclS3B4dtaKBMTf1oSCSQR5jm0XXE
	0JxmIdNWKsgumLUcf8XnZGZFVfwe2f7cVOCiA1EcHX7oHn0weHQjoce+nxwVClgCQYz
	m0OlXn/YvNBE1MwSvpQR3PfoSCyTVQQpBWjgD8dQ=
From: Ray-Ban Sale <enews@uebaps.com>
Date: Tue, 23 Jun 2015 17:51:38 +0000
To: "spambait@xxx.xx.uk" <spambait@xxx.xx.uk>
X-MessageID: OXx8fHwxMzY3MXx8fHxmcmFuazJAZmpsLmNvLnVrfHx8fDEwfHx8fDF8fHx8MA%3D%3D
MIME-Version: 1.0
Message-ID: <0000014e218bf8a9-07659756-debc-452c-9a9f-1b0ecedf709d-000000@email.amazonses.com>
X-Priority: 3
Reply-to: Ray-Ban Sale <enews@uebaps.com>
Subject: Spambait: Keep Calm and Get 80% Off Ray-Ban!
Content-Type: multipart/alternative; boundary="b1_b18fea4f74280e521923210f4d5c61eb"
X-SES-Outgoing: 2015.06.23-54.240.8.55
Feedback-ID: 1.us-east-1.E00ipiLUCdDBKP1kTeYjtCc2E2c3DbfGjCtoi1emL2E=:AmazonSES 
--b1_b18fea4f74280e521923210f4d5c61eb
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: base64
SGksRnJhbmsgTGVvbmhhcmR0OiAjUl9Ub3BfVGl0bGUjLg0KQm9ybiBmcm9tIGEgbWVzaCBiZXR3
ZWVuIHR3byBvZiBSYXktQmFuJ3MgbW9zdCBpY29uaWMgYW5kIHBvcHVsYXIgc3VuZ2xhc3NlcyAt
IHRoZSBDbHVibWFzdGVyIGFuZCBXYXlmYXJlciAtIFJheS1CYW5DbHVibWFzdGVyIE92ZXJzaXpl

As you can see (if you’re used to reading email headers), this looks very legitimate: sent from a correctly configured server, with DKIM signatures for both amazonses.com and the sender’s own domain. However, these characters are as guilty as hell. The email body, once decoded, claims that the spambait email address belonged to a past customer of theirs and was used for placing an order (in the USA). This is, of course, physically impossible.

If this had been sent in Europe they’d have been breaking the local law that implemented the EU Privacy and Electronic Communications Directive, 2002. But they’re sending it from the USA. Other text in the email suggests it’s not from an English-speaking country (not even the USA), and it’s probably a scam. But Amazon doesn’t seem to mind – they don’t even have an abuse reporting system for ISPs plagued by this stuff.

It’s tempting to simply block all Amazon SES IP addresses, but this will cause collateral damage. Spam filtering isn’t likely to detect it any other way either: the sending server is set up correctly, with SPF records, DKIM signatures and so on, so the Bayesian score from a spam classifier will be over-ruled by the rules that reward a properly configured sender. However, this very correctness can be used against it…

Let’s be clear here – it’s easy enough to block the whole of SES. You can get its address range just by looking at its SPF records:

%nslookup
> set type=TXT
> amazonses.com
Server: 127.0.0.1
Address: 127.0.0.1#53
amazonses.com text = "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

I suspect this may cover more than SES, but SES is certainly covered by it. However, blocking it will, as I mentioned earlier, block some innocent stuff that you do want. This is a job for SpamAssassin.

I’m experimenting by adding the following to SpamAssassin’s local.cf file:

header AMAZON_SES Received =~ /amazonses\.com/
score AMAZON_SES 3.5
describe AMAZON_SES Sent from Amazon SES - often used by spammers

The appropriate score to weight it by is an interesting question. By default good SPF records are ignored anyway; if they were not, it would obviously be a good idea to negate that positive score here. So I’ve picked 3.5 because it matches a clear Bayesian hit rather than for any good statistical reason. Check back later to see how well it works.
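To show how the SPF record above can be turned against SES mail without blocking the range outright, here is an added example in Python; it is not code from this post and not how SpamAssassin implements its rules internally. It parses the ip4: netblocks out of the amazonses.com SPF record quoted above, takes the relay IP from the topmost Received: header (the one our own MTA wrote, which is the only one the sender could not have forged) and adds the same 3.5 score when that IP falls inside the SES ranges. Both messages it runs over are constructed: one is a trimmed copy of the headers shown above, the other a control relayed from an address outside the ranges.

```python
"""Added example (not from the post): score mail that arrived via Amazon SES by
checking the relay IP recorded by our own MTA against the amazonses.com SPF netblocks."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# SPF TXT record exactly as returned by the nslookup shown in the post
SES_SPF = "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

# Constructed sample: the Received/From lines quoted in the post, DKIM blocks omitted
SES_SAMPLE = (
    "Received: from a8-55.smtp-out.amazonses.com (a8-55.smtp-out.amazonses.com [54.240.8.55])\n"
    "\tby xxx.xxx.xxx.uk (8.14.4/8.14.4) with ESMTP id t5NHpefn075543\n"
    "\tfor <spambait@xxx.xxx.uk>; Tue, 23 Jun 2015 18:51:40 +0100 (BST)\n"
    "From: Ray-Ban Sale <enews@uebaps.com>\n"
    "Subject: Spambait: Keep Calm and Get 80% Off Ray-Ban!\n"
    "X-SES-Outgoing: 2015.06.23-54.240.8.55\n"
    "\n"
    "body\n"
)

# Constructed control: same shape, relayed by a host outside the SES ranges
OTHER_SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby xxx.xxx.xxx.uk (8.14.4/8.14.4) with ESMTP id t5NHpefn075544\n"
    "\tfor <spambait@xxx.xxx.uk>; Tue, 23 Jun 2015 18:52:00 +0100 (BST)\n"
    "From: Someone <someone@example.net>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

_MECH = re.compile(r"\bip([46]):(\S+)")          # ip4:/ip6: mechanisms only
_BRACKET_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")  # "[54.240.8.55]" in a Received: line


def spf_networks(spf_txt):
    """Netblocks listed directly in an SPF record; include:/a/mx are not expanded here."""
    return [ipaddress.ip_network(cidr, strict=False) for _, cidr in _MECH.findall(spf_txt)]


def trusted_relay_ip(received_headers):
    """IP from the topmost Received: header, the one added by our own MTA.
    Every Received: line below it arrived with the message and can be forged."""
    if not received_headers:
        return None
    m = _BRACKET_IP.search(received_headers[0])
    return m.group(1) if m else None


def score_message(raw_message, spf_txt=SES_SPF, weight=3.5):
    """SpamAssassin-style verdict: add `weight` when the trusted relay sits in the SPF netblocks."""
    msg = message_from_string(raw_message)
    ip = trusted_relay_ip(msg.get_all("Received") or [])
    in_ses = False
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        in_ses = any(addr in net for net in spf_networks(spf_txt))
    return {
        "relay_ip": ip,
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
        "ses_relay": in_ses,
        "score": weight if in_ses else 0.0,
    }


if __name__ == "__main__":
    for name, sample in (("SES sample", SES_SAMPLE), ("control", OTHER_SAMPLE)):
        print(name, score_message(sample))
```

Looking only at the topmost Received: header is the point that matters: the sender controls every header below it, and a SpamAssassin `Received =~` rule tests all the Received: headers together, so it is looser than this check. Matching on the SPF netblocks rather than the hostname also catches SES traffic whose reverse DNS or HELO name happens not to mention amazonses.com.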

Infosec 2015 – first thoughts.

This is my customary personal blog post on the Infosec Europe show. Specific articles may, or may not appear here later.

This year the show has moved to Olympia from the defunct Earls Court, which is probably the best choice available. It’s made me nostalgic for the old Personal Computer World shows of the 1980s. Except there’s not a lot of interesting technology here. The theme of the show seems to be governance and the IT security industry – governance and compliance rather than solutions to real problems. It’s the way things have been moving over the last few years, with the modern IT professional being hard pressed to know which end of a soldering iron to hold it by.

There were a few interesting new(-ish) ideas, and the bleedin’ obvious stuff being packed with a GUI and monetised.

Libra Esva is a good case in point. They’ve taken Linux, SpamAssassin, ClamAV (and optional commercial AV products), together with the extra filtering and firewall functionality of the kind an old-style UNIX admin would customise their rigs with, and created a virtual appliance with a good-looking and easy-to-use front end for users to deploy on VMware and so on. Sure, it takes the fun out of it, but it looked good.

ActiveDefence were on hand, offering to launch a DDoS attack on your infrastructure to see how good it was. What, how do you launch a realistic DDoS attack without a botnet? “We have our own,” they said. And they were serious. The service may not be unique, but it’s very rare (unless you hire a bunch of crims, of course – I’ll have to see how prices compare).

KnowBe4’s PR has been bombarding me with their name for a few weeks now; I had to see why. They’re a company after my own heart: they’re launching cyber-security awareness training and consultancy in the UK, at a level appropriate to users and at a price point where SMEs really have no excuse for not doing something about what I (and KnowBe4, obviously) regard as one of the greatest threats. Call it spear phishing or human engineering attacks; the weak link is employees being duped. And the criminals are very sophisticated, so awareness is about the only defence.

I’m off to see some more people who seem to have re-invented the obvious and put it on the market. They’re using honeypots to capture IP addresses to dynamically configure firewalls, it appears. Quite what their angle is remains to be seen, but it’s presumably a better honeypot than the ones we’ve all been writing for years now.

The Future of Nominet (AGM report)

Nominet, the not-for-profit company that manages most of the .uk domain space, has been worrying me of late. It replaced a naming committee in 1996 as the volunteers that ran it started to become overwhelmed by the workload, and was set up to be self-sustaining by charging for domain name registrations. Based in Oxford, it now employs 140 people.

They’re worried. Anyone who wants a domain name pretty much has it – or it’s being sat on by a cybersquatter. Either way, Nominet’s getting the residual income from having registered it in the first place, and this is now fixed. Or worse, as the enthusiasm for registering names in the hope of making money from it later wanes, their income may fall as people unload their speculative “investments”.

As well as Nominet employees no longer being kept in the manner to which they’re accustomed, this presents a problem for those dealing in domain names commercially. Call them cybersquatters, domainers or parasites as you wish – domain dealers are making money out of buying and selling domain names. Their portfolio losing value as the bubble bursts could be problematic for them. With new top-level-domains now available, and the importance of a particular domain name falling, this is inevitable.

So, unsurprisingly, Nominet has been talking about expanding in other ways. At today’s AGM, new CEO Russell Haworth was talking about expanding into adjacent markets. What could this mean? As well as providing domain names, the obvious answer is hosting or other Internet services. Nominet members are going to have a problem with that: Nominet has a monopoly position issuing domain names, a big pile of cash, and no way would it be good for anyone if they started competing with UK Internet businesses.

I pushed Russell Haworth on his choice of words. “I have no intention of competing with the channel”, was the emphatic reply. He explicitly rejected the idea of hosting: “It’s not our core business and never will be. The margins are very tight anyway.” This will be a relief to the hosting companies, who know all about tough margins. He continued “I’d like to see us add value to the channel. For example, we sit on a lot of data. We can aggregate that data. There is an opportunity to look at big data. [and derive value from it]”.

Basically, the plan seems to be to analyse domain registration data and DNS traffic, and use it to target areas such as SMEs with a view to selling them something. Quite what they were selling wasn’t spelled out exactly, but domain name registrations seemed to be the only example.

It seems that the current thinking is to sell DNS products, which won’t compete with anyone much (apart from anyone selling DNS products). Why anyone should pay for DNS products is beyond me; but if you can’t manage your own DNS I suppose it’s possible for companies to outsource it. But I really don’t see this replacing the revenue stream as new domain name registration income stops rising.

Rob Golding from Astutium asked what many of us were thinking – what’s so wrong with the status quo? Why not stick with one revenue stream? Nominet isn’t supposed to be a business and has no need to expand; it’d be okay to contract. Unsurprisingly, Nominet’s view was similar to that of turkeys towards Christmas. “It would be foolish not to look at opportunities to diversify”. Speaking about the saturation of the .uk namespace and future projections, Haworth continued “It’s Darwinian – we’re not going to sit and watch things fall apart. If we see domains trending downwards, Nominet can add value to adjacent markets.”

This is an interesting situation, especially when you see who controls Nominet. Things are voted on, ultimately, by its members, and the vote is weighted by the number of names they have registered. It’s pretty obvious that the large domain name registration businesses are going to have a far greater say than the majority of small members, those that represent the general Internet industry and the general public. The big domain dealers will have millions of votes; a normal small ISP might have a few dozen. To counteract this, Nominet limits the votes of any one member to 3%, and has mechanisms in place to stop the big companies simply joining once and splitting their domain portfolios to get multiple 3% blocks. However, one still suspects that, although there appears to be no evidence of the domain dealers colluding in their voting, they all have the same interests and will naturally vote together, effectively steering Nominet towards policies that support their business model.

Unfortunately there’s no easy way around this. Even if it was one-member-one-vote, large organisations could swamp the membership with their friends. So what keeps Nominet working in the public interest? Ultimately, scrutiny. If it went too far, an outcry could get the Government involved.

It’s also hard to see what Nominet can do in other fields. Their charter requires them to engage only in worthy projects. But according to Haworth, “This doesn’t mean you can’t be commercial.” However, given that Nominet has a huge, secure revenue stream for investment, it clearly does have a commercial advantage over anyone else who has to raise funding through normal channels. We’ve heard this before – Bill Gates famously said that Microsoft was about making the world a better place. Whether that’s his personal philosophy or not, from a corporate perspective it has a hollow ring.

In the meantime, Nominet is intent on expanding its revenue streams. The supposed block votes of the domain dealers (all those 3%s added together) are going to limit Nominet’s ability to compete with them. 123-Reg is never going to allow Nominet to start hosting web sites and damage their own business. So what next? I, for one, will be keeping a close eye on it. I was very much heartened to see that this was the general consensus of those present, including Trustees and the board.

Kids can review Kindle books in their parents’ names

Occasionally I write the odd review on Amazon products directly on Amazon. This is normally information I wish I had when I was looking for an item or book. Then, today, I was clicking about and came upon a list of things I’d written about:

AmazonReviews

Now I don’t remember reviewing E. Nesbit’s classic, and I prefer her Bastable series anyway (although I doubt it’d be PC enough to make into a film, so its merits are less widely appreciated).

So what’s going on here? And I certainly don’t remember reading “The Ugly Duckling”, illustrated or otherwise.

And then I realised – this was my daughter using a Kindle attached to my account. It appears that it’s possible to rate books from it directly, and this she has obviously done. In my name.

Her pronouncements as to their literary merit may be valid, especially for someone her age, but this needs to be made clear.

I’ve sent some pointed feedback to Amazon on this point, and will wait to see what happens.

 

Microsoft’s Windows 10 Security Update Plan

The headlines on luser news media are all about Windows 10 being the last ever release of Windows. Apparently Microsoft’s plan is to issue incremental updates thereafter. As those in the know know, this has always been the way. Microsoft only releases a new version when it wants to flog it to the punters as the next great thing, and it does this by giving the latest snapshot of the code a new name (e.g. Windows 7, Windows Vista). Okay, there have been major step-ups; for example Windows 2000 was the marketing name for Windows NT 5.0 (ditching some of the disastrous code in Windows NT 4.x), then came 5.1 – sold to the public as XP. Windows Vista was the next re-write; technically it was Windows 6.0. Confusingly to the punters, 6.1 was flogged as 7, and Windows 8.0 and 8.1 were 6.2 and 6.3 respectively. The reality is that OEM versions of Windows appear frequently, to track the new hardware as it turns up in production machines. It’s only the retail customers that believe in these retail versions. So what is Microsoft really doing?

Well, one effect of having a retail version of Windows is that every three years the punters stop buying new PCs, waiting for the next “version”. As Microsoft actually makes a lot more of its revenue from selling OEM licenses (bundled with PCs) than the retail versions, keeping the hardware manufacturers happy by killing off the boom/bust cycle is probably A Good Thing.

Is Microsoft getting a bit humble, acknowledging that hardware makers have a choice and Windows isn’t the only game in town? I don’t believe they do; the punters want Windows on their desktop PCs, and that’s that. So what is in it for Microsoft?

The clue is in what Terry Myerson was saying at Ignite 2015 in Chicago last week. The new version of Windows will feature greatly enhanced on-line update capabilities, with peer-to-peer patch distribution and a lot more. Patch Tuesday is to be abolished, with updates rolled out on a continuous basis. And all in the name of security.

Let’s play devil’s advocate here, and pretend that Microsoft has other reasons. First off, Patch Tuesday, the monthly release of non-critical Windows updates in an ordered manner, will become obsolete. The policy was originally formulated to avoid patches coming out willy-nilly at odd times in the month and catching IT departments off guard; and now they’re going back to the old chaotic system. A broken update can knock your IT systems out at any time of the day or night. If this sounds like a recipe for disaster, don’t despair – according to Terry Myerson, patches will be rolled out to the lucky home users first, which means that an update can be pulled before business is affected if it screws up. Enterprise customers will still be given the choice as to which updates they install; it would have been a hard sell to knowledgeable IT people otherwise.

Is this actually going to improve Windows security? Peer-to-peer patch distribution? 24/7 patches coming from Redmond as soon as they’re presumed ready? What could possibly go wrong?

Rather than looking at this as a security fix, I think the policy should be taken into consideration alongside Microsoft’s move towards licensing, rather than selling, software. They want a continual revenue stream and they don’t like their software pirated. Who does? By moving to an OS model that requires the host to be Internet connected and constantly patching itself, it becomes much harder for cracked versions of the OS or applications to exist (Microsoft’s own applications, that is). Peer-to-peer updates will make updates harder to block. If a crack turns up in the wild, the next day a patch to kill it can appear from Redmond. And if you stop paying the licence fee, your copy of Windows stops working. This last aspect isn’t being talked about openly. I’m just guessing here. But considering Microsoft’s penchant for licensed/rented software in recent years, and Windows 10 being released with a mechanism that appears ideal for licence enforcement should they ever decide to move to the rental business model, I think it’s a good guess.

Or it could simply be that Microsoft is panicking over the less-than-warm reception the world gave Windows 8/8.1 and had decided that releasing new retail versions frightens the horses.

Obama to end cyber-attacks

American president Barack Obama is so hacked off with cyber-attacks on US companies (and other interests) that he’s taken a step sure to send the perpetrators running for cover. In an executive order on the 1st of April, he created a new sanctions authority to have a go at anyone attacking the USA. In the statement announcing it he is quoted as saying “Cyber threats pose one of the most serious economic and national security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them”, describing it as a “national emergency”

Basically it gives the US Treasury Department the power to freeze the assets of any hackers suspected of attacking the US, in much the same way as it brings peace to places like the Middle East and Ukraine. The criminals behind these attacks are no doubt quaking in their sneakers.

The decision to blame North Korea for the Sony attack told the world that the administration was getting tough, never mind the facts. And the Chinese, of course, deny state-sponsored naughtiness on an apparently daily basis.

The problem is, of course, that it’s somewhat difficult to actually figure out who’s behind an attack. Working out where an attack comes from is possible, and it’s usually from some hijacked computers used to obfuscate the origin. China and various other countries have a higher installed base of pirated software, which often comes with a built-in botnet, so of course attacks come from these places.

Initial opinion in the USA is divided between the law-makers, politicians and the non-technical cyber-security industry heralding it as the beginning of the end for international espionage gangs, and those of us who know how it works wondering if this is an April Fool.

One point I find intriguing, however, is whether this will have an effect on patent disputes. Apparently they’re worried about, and plan to apply these powers to, intellectual property theft. It seems to me that if some technology turned up in a competitor’s product and the American company went crying to the authorities they could have sanctions imposed on the foreign company, without any reasonable way of proving that any theft had taken place – or even who had it first. It could get messy.

 

 

Security certificates broken on Google Chrome 41

Don’t install the latest release of Google Chrome (41), released on Thursday (Friday UK time). They’ve messed up. Twice.

Broken SSL when talking to routers etc.

The first problem comes when accessing the web interface on a device such as a router over SSL (encrypted). Unfortunately, because the software in these is embedded, the security certificate it uses isn’t going to match the name of the device you use to access it. This would be impossible: when it leaves the factory it hasn’t had its IP address assigned on your site, never mind a DNS entry. Previously browsers have allowed you to ignore this mismatch; the encryption works as long as you’re comfortable that you’re really talking to what you think you are, using some other check, and once the exception has been stored, that should be the end of the matter.

But not with Chrome release 41. Now it will show you the screen below:

ChromeMessedUp

If you ask for more details it doesn’t really give you much:

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

This comes from a DrayTek 2820 modem/router, but the problem seems to exist on other networking kit. Note that this particular error code reports a failure to agree a protocol version or cipher suite during the handshake, which happens before the certificate is examined at all; a certificate name mismatch produces a different error (NET::ERR_CERT_COMMON_NAME_INVALID). So what Chrome is refusing here is the SSL/TLS versions or ciphers the device offers, not its certificate, and storing an exception cannot get past it.

More adverts too – and a malware backdoor

(Please see update below – there may be an innocent explanation for this)
As an extra surprise, those nice people seem to have found a way of bypassing the URL keyword filters used to keep adverts out from objectionable sources, circumventing methods of blocking Google’s syndicated advertising. I’m still researching this, but the way they appear to have done it means that embedded content from sources other than the site you’re looking at is extremely difficult to block.
It appears Google has done this to protect its revenue stream from adverts, with little regard for the site policies that may exist for reasons Google may not realise. But that’s not the worst of it: how long will it be before this feature of Chrome is used for drive-by downloads? If your firewall isn’t able to cross-check the source of the content on a page, it can be coming from anywhere.
Unfortunately there is no way of rolling back a bad version of Chrome. They really don’t like you doing that, however dangerous a release might be.
I have, of course, made urgent representations to the Chrome project, but we will have to wait and see. In the meantime, all I can suggest is that you prevent Chrome from updating beyond version 40.

Update 2015-03-23
On further investigation, the updated Chrome isn’t doing a DNS lookup to find the Google ad-server. I’m unsure whether this is because it somehow cached the DNS results internally or whether it’s hard-wired. It certainly wasn’t using the system cache, but I know Chrome has kept its own cache in the past. If it is from an internal cache, the mechanism used to get the IP address in there in the first place is a mystery; however Google’s ad servers change from time to time and it’s not impossible that the perimeter firewall simply hadn’t kept up and allowed some through.

My next research will be looking more closely at the DNS traffic.

FreeBSD hr utility – human readable number filter (man page)

Several years ago I wrote a utility to convert numeric output into human-readable format – you know the kind of thing – 12345678 becomes 12M and so on. Although it was very clever in the way it dealt with really big numbers (zettabytes), and in spite of ZFS having really big numbers as a possibility, no really big numbers have actually come my way.

It was always a dilemma as to whether I should use the same humanize_number() function as most of the FreeBSD utilities, which is limited to 64-bit numbers as its input, or stick with my own rolling conversion. In this release, actually written a couple of years ago, I’ve decided to go for standardisation.

You can download it from here. I’ve moved it (24-10-2021) and it’s not on a prettified page yet, but the file you’re looking for is “hr.tar”.

This should work on most current BSD releases, and quite a few Linux distributions. If you want binaries, leave a note in comments and I’ll see what I can do. Otherwise just download, extract and run make && make install


Extracted from the man page:

NAME

hr — Format numbers in human-readable form

SYNOPSIS

hr [-b] [-p] [-ffield] [-sbits] [-wwidth] [file ...]

DESCRIPTION
The hr utility formats numbers taken from the input stream and sends them
to stdout in a format that’s human readable. Specifically, it scales the
number and adds an appropriate suffix (e.g. 1073741824 becomes 1.0G).

The options are as follows:

-b      Put a ‘B’ suffix on a number that hasn’t been scaled (for Bytes).

-p     Attempt to deal with input fields that have been padded with spaces for formatting purposes.

-wwidth      Set the field width to width characters. The default is four
(three digits and a suffix). Widths less than four are not normally useful.

-sbits  Shift the number being processed left by bits bits, i.e. multi-
ply by 2^bits. This is useful if the number has already been scaled into units. For example, if the number is in 512-byte
blocks then -s9 will multiply the output number by 512 before scaling it. If the number was already in KB use -s10 and so on.
In addition to specifying the number of bits to shift as a number you may also use one of the suffixes B, K, M, G, T, P, E
(upper or lower case).

-ffield      Process the number in the numbered field, with fields being numbered from 0 upwards and separated by whitespace.

The hr utility currently uses the humanize_number() function in the System Utilities Library (libutil, -lutil) to format the numbers. This will repeatedly divide the input number by 1024 until it fits into a width of three digits (plus suffix), unless the width is modified by the -w option. Depending on the number of divisions required it will append a k, M, G, T, P or E suffix as appropriate. If the -b option is specified it will append a ‘B’ if no division is required.

If no file names are specified, hr will get its input from stdin. If ‘-‘ is specified as one of the file names hr will read from stdin at this point.

If you wish to convert more than one field, simply pipe the output from one hr command into another.

By default the first field (i.e. field 0) is converted, if possible, and the output will be four characters wide including the suffix.

If the field being converted contains non-numeral characters they will be passed through unchanged.

Command line options may appear at any point in the line, and will only take effect from that point onwards. This allows different options to apply to different input files. You may cancel an option by following it with a ‘-’. For consistency, you can also set an option explicitly with a ‘+’. Options may also be combined in a string. For example:

hr -b file1 -b- file2

Will add a ‘B’ suffix when processing file1 but cancel it for file2.

hr -bw5f4p file1

Will set the B suffix option, set the output width to 5 characters, process field 4 and remove excess padding from in front of the original digits.

EXAMPLES
To format the output of an ls -l command’s file size use:

ls -l | hr -p -b -f4

This output will be very similar to the output of “ls -lh” using these options. However the -h option isn’t available with the -ls option on the “find” command. You can use this to achieve it:

find . -ls | hr -p -f6

Finally, if you wish to produce a sorted list of directories by size in human format, try:

du -d1 | sort -n | hr -s10

This assumes that the output of du is the disk usage in kilobytes, hence the need for the -s10

DIAGNOSTICS
The hr utility exits 0 on success, and >0 if an error occurs.
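As an added example that is not the hr utility’s own source (hr links libutil and calls humanize_number(); this is an independent Python reimplementation of the behaviour the man page describes), the following applies the divide-by-1024 rule, the -b, -w, -s and -f options and a simple form of -p to constructed ls -l and du lines like those in the EXAMPLES above. The rounding of the real libutil function is not reproduced exactly, and the rule used here for when a decimal place is shown is an assumption.

```python
"""Added example, not the hr utility's source: a Python reimplementation of the
scaling rule described in the man page, run over constructed ls -l and du lines."""
import re

# Suffix letters as listed in the man page (humanize_number(3) itself may differ; assumption)
SUFFIXES = ["", "k", "M", "G", "T", "P", "E"]
# Letters accepted by -s in place of a bit count: the unit the input is already in
SHIFT_LETTERS = {"B": 0, "K": 10, "M": 20, "G": 30, "T": 40, "P": 50, "E": 60}


def humanize(n, width=4, bytes_suffix=False):
    """Divide n by 1024 until it fits in width-1 digits, append the suffix and
    right-justify to width. One decimal place is kept when the scaled value is
    below 10 and there is room for it (an assumption about libutil's rounding)."""
    digits = max(width - 1, 1)
    value = float(n)
    idx = 0
    while idx < len(SUFFIXES) - 1 and round(value) >= 10 ** digits:
        value /= 1024.0
        idx += 1
    if idx == 0:
        text = "%d" % round(value)
        if bytes_suffix:
            text += "B"          # -b: mark an unscaled number as bytes
    elif value < 9.95 and digits >= 3:
        text = "%.1f%s" % (value, SUFFIXES[idx])
    else:
        text = "%.0f%s" % (value, SUFFIXES[idx])
    return text.rjust(width)


def parse_shift(spec):
    """-s argument: a number of bits to shift left by, or one of B K M G T P E (any case)."""
    spec = str(spec).strip()
    if spec.isdigit():
        return int(spec)
    return SHIFT_LETTERS[spec.upper()]


def hr_line(line, field=0, width=4, bytes_suffix=False, shift=0, pad=False):
    """Convert whitespace-separated field number `field` (counted from 0) of one line.
    Non-numeric fields pass through unchanged. With pad=True the gap before the
    field absorbs the change in length so a padded column stays aligned (-p)."""
    parts = re.split(r"(\s+)", line.rstrip("\n"))   # keep the separators
    index = 0
    for i, part in enumerate(parts):
        if part == "" or part.isspace():
            continue
        if index == field:
            if part.isdigit():
                new = humanize(int(part) << shift, width, bytes_suffix)
                if pad and i > 0 and parts[i - 1].isspace():
                    gap = len(parts[i - 1]) + len(part) - len(new)
                    parts[i - 1] = " " * max(gap, 1)
                parts[i] = new
            break
        index += 1
    return "".join(parts)


# Constructed sample listings (not real output from the post); sizes are right-aligned as ls does
LS_SAMPLE = [
    "-rw-r--r--  1 frank  wheel  1073741824 Jun 23 18:51 big.iso",
    "-rw-r--r--  1 frank  wheel         512 Jun 23 18:51 notes.txt",
    "drwxr-xr-x  2 frank  wheel        4096 Jun 23 18:51 src",
]
# Constructed du -d1 output in kilobytes, hence -s10 below
DU_SAMPLE = ["12345\t./src", "4\t./etc"]


def demo():
    """Equivalent of  ls -l | hr -p -b -f4  and  du -d1 | hr -s10  from the EXAMPLES."""
    ls_out = [hr_line(l, field=4, bytes_suffix=True, pad=True) for l in LS_SAMPLE]
    du_out = [hr_line(l, shift=parse_shift("10")) for l in DU_SAMPLE]
    return ls_out, du_out


if __name__ == "__main__":
    for block in demo():
        print("\n".join(block))
```

Because -p is handled by widening the preceding gap by exactly the number of characters the field shrank, each converted ls line keeps its original length and the date column does not move; without -p the size field simply gets narrower and the columns drift.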

Yahoo plans to give up passwords

The latest scheme from Yahoo’s Crazy Ideas Department is to dispense with login passwords. Are they going to replace them with a certificate login or something more secure? Nope! The security-gaffe-prone outfit from Sunnyvale, California has had the genius idea of sending a four-character one-time password to your mobile phone, according to an announcement they made at SXSW yesterday (or possibly today if you’re reading this in the USA).

According to Chris Stoned Stoner, their Product Development Director, the bright idea is to avoid the need to memorise difficult passwords by simply sending a new one, each time, to your registered mobile phone.

At first glance, this sounds a bit like the sensible two-factor authentication you find already: Log in using your password and an additional verification code is sent to your mobile. However, Yahoo has dispensed with the first part – logging in with your normal password. This means that anyone that has physical control of your mobile phone can now hijack your Yahoo account too. If your phone is locked, no matter – just retrieve the SMS using the SIM alone. No need to pwn Yahoo accounts the traditional way.

With an estimated 800,000 mobile phones nicked per year in the UK alone (Source inferred from ONS report) and about 6M handsets a year going AWOL in the USA, you’ve got to wonder what Yahoo was thinking.

Apart from the security risk, what are the chances of being locked out of your email simply because you’re out of mobile range (or if your phone has gone missing)? Double whammy!