Posted on

Docker on FreeBSD

Docker is available on FreeBSD. Yeah! Er. Hang on a minute – what’s the point.

People are talking about Docker a lot in the Linux world. It’s a system that allows a configured piece of software, together with all its ancillaries, to be in its own closed environment on any machine you choose. It’s not a VM – no emulation required. Well not much. It’s much more efficient that running multiple kernels on a hypervisor (as VirtualBox or VMWare).

But isn’t this one of the things Jails are for? Well, yes. It’s a kind of poor-man’s jail system for the poor deprived Linux users. Solaris and FreeBSD have been doing this kind of things for years with kernel support (i.e. out-of-the box and lot more efficiently).

So why should anyone be interested that FreeBSD also has Docker? Well, one of the things the Docker community has together is preconfigured applications you can just download and run. Given what a PITA it can be getting something running on a Linux box, which lacks a UNIX-like base system you can rely on, this does make sense. And running these pre-configured server applications on FreeBSD may be of interest, especially if you lack the in-house expertise to set them up yourself. But it won’t be all plain sailing. You need FreeBSD 11 (not yet released) to do it, together with the 64-bit Linux emulation library.

This does kind-of make sense. Stuff that’s currently Linux-only may be easier to deal with – I’m thinking Oracle here.

Posted on

Spam from WH Smith?

Whoever next? We’ve intercepted a load of spam sent by French company EmailVision on behalf of WH Smith to honeypot addresses – i.e. definitely not opt-in and definitely not legal in the UK. EmailVision is getting quite a reputation for this kind of thing, with PayDay loan spam and suchlike. W H Smith – I’m surprised at you! Or perhaps I’m not.

Posted on

Windows 10 – just say no

I’ve had a lot of people ask me about Windows 10. Here’s the simple answer: No thanks.

Apparently it’s a bit faster than Windows 7 on the same hardware, although I’m not convinced people who say this have tested it scientifically. In other words, it may have been faster as a clean install compared with a crufty old Windows 7 installation, and in theory it could have been written to be fundamentally faster, but actually writing code that’s more efficient that previous versions isn’t really Microsoft’s style. Although the new web browser (Edge) is promising. But will it still be faster when it fully functional (i.e. supports HTML5 and suchlike properly).

That’s the good bit. Everything else is bad compared to Windows 7. Compared to Windows 8, yes, it’s better. That’s from a user’s perspective. From my perspective, it’s a big “no thanks” to the added spyware, telling Redmond exactly what you’re up to all the time and the enforced software updates, that I have an nasty suspicion are going to end up mandatory even on the business (Pro) version. Basically I don’t see what Microsoft has done to restore any trust I once had in them.

If you’ve got Windows 7, stick with it. If you’re on Windows 8 it’s swings and roundabouts but you might want to take a serious look at a Linux instead.

Unfortunately, because this is Microsoft, there’s a good chance that we’ll all be forced to use Windows 10 whether we like it or not. They had the sense to keep Windows 7 for serious users when they rebelled against Windows 8; I somehow see them fighting hard to force the issue when it comes to Windows 10.

Posted on

Stagefright on Android

This is a quick post as I’m a but busy at the moment, but it’s worth saying something about it this serious Android security flaw.

As I understand it, there is a buffer over run problem with the decoder for MMS messages. On receipt and decoding of a specially crafted MMS an attacker can get control of the process,
which on Android 4 or later means access to SD card data, your camera and microphone and other awkward stuff. On Android 2 they get the whole phone. I’ve yet to be convinced that this is a game over type problem on Android 4 but it bad enough. On earlier versions of Android, it’s a complete disaster.
The solution, of course, is to get a software update from your phone manufacturer. Good luck waiting for that to arrive.

My advice in the meantime is to disable MMS messages completely. I do this by default, because I think they are ridiculously overpriced and there are plenty of other alternatives such as email or even Instagram (so I’m told buy the teenagers hereabouts).

If you want to disable MMS, proceed as follows:

Go to phone settings. The last entry under Wireless and Networks will be More…

Here you will find “Mobile networks”, and under there will be ” Access point names”. On dual SIM phones you will now have to choose each SIM in turn, otherwise you’ll go straight to a list of profiles. This list may contain only one entry.
Choose the entry that is selected, i.e the one you are using. What you will find next depends on the version of Android you have. However somewhere down the list there will be an MMS service centre URL, beginning with HTTP and looking like a web address. Simply delete the contents of this field, and while you are at it, remove the entry for MMS proxy if you have one. This tends to be a dotted quad i.e. an IP address.

Just save this, and you will not be able to send or receive MMS messages from your phone.

Posted on

Problems with Thunderbird 38.0.1 and SSL

Dead Thunderbird
Version 38.0.1 of Thunderbird is an ex-mail client. It has ceased to be.

Thunderbird used to be my mail client of choice, but suddenly I’m not so sure! The latest update on the release channel (version 38.0.1) seems to have broken completely when using self-signed certificates for SSL.

A self-signed certificate makes sense when you know you can trust it; otherwise you get a signing authority you do trust to verify your certificate (for loadsamoney). If you’re talking to your own servers, there’s not point in doing this as there are other ways to check you’re talking to who you think you are. Thunderbird used to warn you that it didn’t recognise a self-signed certificate the first time it saw it, but if you told it to go ahead anyway it would add it to the trusted list and go on encrypting your data for you quite happily.

Since “upgrading” to version 38 it suddenly stopped working. No more email. No more sending email. It just failed silently (that’s bad, for a start), the only clue was that I couldn’t send an email or copy it to the drafts folder.

On examining the logs at the server end I found stuff like this:

Jul  7 23:17:54  dovecot: imap-login: Disconnected (no auth attempts):
    rip=###.###.###.###, lip=###.###.###.###, TLS handshaking: SSL_accept() 
    failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Suspicious! So I turned off SSL in Thunderbird and it all worked again. This is NOT a sensible solution. Unfortunately, I have yet to solve this one, other to simply not upgrade Thunderbird beyond 31.7.

Fortunately, you can still download the previous non-beta version from here, (assuming Mozilla don’t move it). You actually want 31.7.0, because the intervening releases were betas, and 31.7.0 is as recent as May 2015 so it’s not ancient. Just navigate around the site you don’t want the English version. Simply install it everything comes back the way it used to be, or at least it did for me.

 

Update 15-Jul-2015:

It appears that Thunderbird may have decided not to accept TLS with less that 1024-bit DH keys without telling anyone. Even if they had mentioned it, there’s not a lot users can do with it. This means that if you’re using a 512-bit key (which is considered export-grade) then it’s going to refuse to talk. Worse than that, it doesn’t pop up a message saying WHY it’s not going to talk. It’s just going to fail the connection. Presumably, as my friend Graham put it, this indicates that the Thunderbird open-source developers are hoping to get a job with Apple.

I hope this nonsense will be resolved in 38.1! In the mean time, turn off auto-update.

Update 30-Jul-2015:

I’ve now updated the server certificates being in-date (which doesn’t actually matter), and made sure they were 1024-bit (which they were) and apart from upsetting everyone who has had to accept the new certificate, Thunderbird still barfs.

Update 15-Aug-2015:

It get’s worse – there has been an update to the 31.x branch to 31.8.0, and this has the same problem. Use the link above and make sure you’re using 31.7.0

 

Posted on

Does the iZettle card reader work on Android 5.0 (Lollipop)?

The iZettle card payment system is well worth a look. The company is very SME friendly, unlike the traditional card handlers. There’s no standing charge or transaction charge and the their percentage cut is fair.

Unfortunately they’re all Apple Fanbois, in spite of Android having 90% of the mobile market, and functionality on the most important platform lags. Everyone complains about it. But they’re such nice people when I speak to them on the phone, I still like them.

One case in point is that iZettle have finally launched a contactless reader. Yeah! Unfortunately the contactless feature only works on Apple, although my sources say that an Android upgrade is in development.

The contactless reader replaces the bluetooth-connected Pro version. In fact it’s the Pro version with a NFC reader built in, and it costs an extra £10, at £80+VAT (bargain).

If you’re a real tightwad there’s the £30+VAT (or free) blue keypad, which is actually quite a solid piece of kit, but it connects to the device using the headphone connector and modulating it’s data with burst of audio carrier (from listening to it). What could possibly go wrong?

Well, having tried it with Android 5.0 (Lollipop) I can tell you that it’s not going to work beyond Android 4.x until they fix the App. Version 2.5.1 of the iZettle App was supposed to support Lollipop, but take it from me, the support is far from complete.

Bluetooth Reader does work

I gave up and ordered the Reader Pro Contactless, the current bluetooth-connected unit, and I’m happy to report that seems to work perfectly. I was up and running within a minute; just pair it and off you go. For what it’s worth, this was with a Doogee DG700 with Android 5.0. iZettle is planning to release an update so it will make contactless payments, and (in theory), this will work.

Note that iZettle replaced the Reader Pro with the Reader Pro Contactless recently. They look the same. I have a hunch the older one will also work.

 

Posted on

Web developerz

Another in my occasional series of desperate sales pitches:

A friend said his company web site looked a bit sad. It is a bit dull. There’s not much in the way of product photos, only soothing words. I’m not one for the pictures with everything craze, but in this case an illustration would be worth a bit thousand words.

“Get some proper photography done, and I don’t mean iPhone snaps. That’s all you need.”, I said.

A few days later, after talking to his prospective web developer, he came back with the following:

“…I have told that using iphone pictures is good internationally since the pixel number is lower [which means web pages] loading quicker”

Posted on

Malware claiming to come from Transport for London

I often get Transport for London information messages. I suspect a few million people in London do. But until just now, I’ve not seen it used as a malware distribution trick. Here’s what they look like:

Received: from [80.122.72.234] ([80.122.72.234])
	by  (8.14.4/8.14.4) with ESMTP id t5QAj0ns002218
	for ; Fri, 26 Jun 2015 11:45:01 +0100 (BST)
	(envelope-from noresponse@cclondon.com)
Date: Fri, 26 Jun 2015 12:45:04 +0200
From: 
Subject: Email from Transport for London
To: 
Message-ID: 
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: multipart/mixed;
 boundary="=_5557BCCC15D34570E10080000A82A3EC"
Envelope-To: 


--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: inline
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are s=
trictly confidential and may be legally privileged. If you are not the int=
ended recipient any reading, dissemination, copying or any other use or re=
liance is prohibited. If you have received this email in error please noti=
fy the sender immediately by email and then permanently delete the email.
______________________________________________________________________
--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: attachment;
 filename="AP0210932630.doc"
Content-Type: application/doc;
 name="AP0210932630.doc"
Content-Transfer-Encoding: base64
Content-Description: AP0210932630.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAJwAAAAAA

The file attachment is a dodgy Microsoft Word document, unknown to malware scanners, and in spite of the faulty English it’s unlikely that Bayesian analysis will think it odd, although the SPF records don’t match and the IP address is currently flagged as slightly dodgy with no reverse lookup. It belongs to Telekom Austria, and I suspect it’s NOT a botnet at this time.

If anyone else has received one, I’d be interested to know! I let TFL know, and, refreshingly, got through to the right people and they took the matter seriously. This is hardly ever the case, so my feelings for TFL have gone up several notches!

Posted on

Spam From Amazon SES

Spam has always been a problem with Amazon’s email service (SES). They make an effort to filter the outgoing missives transmitted by their customers, but it’s not perfect. And Amazon is no respecter of laws outside the good ‘ol US of A, where the right to free speech is a license to spam any kind of junk you like; whether the recipient asked for it or not.

Here’s a case in point:

Received: from a8-55.smtp-out.amazonses.com (a8-55.smtp-out.amazonses.com [54.240.8.55])
	by xxx.xxx.xxx.uk (8.14.4/8.14.4) with ESMTP id t5NHpefn075543
	for <spambait@xxx.xxx.uk>; Tue, 23 Jun 2015 18:51:40 +0100 (BST)
	(envelope-from 0000014e218bf8a9-07659756-debc-452c-9a9f-1b0ecedf709d-000000@amazonses.com)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1435081898;
	h=From:Date:To:MIME-Version:Message-ID:Reply-to:Subject:Content-Type:Feedback-ID;
	bh=jCdtb+gUf4FAvUudtcIKxlX0IOnQHEd/YxIGxHXLcQ4=;
	b=cNIs7cNe5LzyxYvGWw/LdIeA7epknAFAoeQYjiyf9b5mTKRYLAW9KLvUTSGtlsr7
	WWy52wd3Tz9o9vQryvK/Q5l5okAFxgZCZa5uSbXMor7sa/1dU02kwjCyACnb7viR1np
	BlEytfbGEBUlAfBBrrJueagmdzwa+IXNZsBo4w2Y=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=lfgclj2zbjygv5i5rirpal2v2zj3dquy; d=uebaps.com; t=1435081898;
	h=From:Date:To:MIME-Version:Message-ID:Reply-to:Subject:Content-Type;
	bh=jCdtb+gUf4FAvUudtcIKxlX0IOnQHEd/YxIGxHXLcQ4=;
	b=bZZSEICBkHU8HkdFtiYg9fp+qxzmxJlfNj6UclS3B4dtaKBMTf1oSCSQR5jm0XXE
	0JxmIdNWKsgumLUcf8XnZGZFVfwe2f7cVOCiA1EcHX7oHn0weHQjoce+nxwVClgCQYz
	m0OlXn/YvNBE1MwSvpQR3PfoSCyTVQQpBWjgD8dQ=
From: Ray-Ban Sale <enews@uebaps.com>
Date: Tue, 23 Jun 2015 17:51:38 +0000
To: "spambait@xxx.xx.uk" <spambait@xxx.xx.uk>
X-MessageID: OXx8fHwxMzY3MXx8fHxmcmFuazJAZmpsLmNvLnVrfHx8fDEwfHx8fDF8fHx8MA%3D%3D MIME-Version: 1.0
Message-ID: <0000014e218bf8a9-07659756-debc-452c-9a9f-1b0ecedf709d-000000@email.amazonses.com>
X-Priority: 3
Reply-to: Ray-Ban Sale <enews@uebaps.com>
Subject: Spambait: Keep Calm and Get 80% Off Ray-Ban!
Content-Type: multipart/alternative; boundary="b1_b18fea4f74280e521923210f4d5c61eb"
X-SES-Outgoing: 2015.06.23-54.240.8.55
Feedback-ID: 1.us-east-1.E00ipiLUCdDBKP1kTeYjtCc2E2c3DbfGjCtoi1emL2E=:AmazonSES 
--b1_b18fea4f74280e521923210f4d5c61eb
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: base64
SGksRnJhbmsgTGVvbmhhcmR0OiAjUl9Ub3BfVGl0bGUjLg0KQm9ybiBmcm9tIGEgbWVzaCBiZXR3
ZWVuIHR3byBvZiBSYXktQmFuJ3MgbW9zdCBpY29uaWMgYW5kIHBvcHVsYXIgc3VuZ2xhc3NlcyAt
IHRoZSBDbHVibWFzdGVyIGFuZCBXYXlmYXJlciAtIFJheS1CYW5DbHVibWFzdGVyIE92ZXJzaXpl

As you can see (if you’re used to reading email headers), this looks very legitimate – send from a correctly configured server. However. these characters are as guilty has hell. The email body, once decoded, claims that the spambait email address belonged to a past customer of theirs, and was used for placing an order (in the USA). This is, of course, physically impossible.

If this had been sent in Europe they’d have been breaking the local law that implemented  the EU Privacy and Electronic Communications Directive, 2002.  But they’re sending it from the USA. Other text in the email suggests it’s not from an English-speaking country (not even the USA), and it’s probably a scam. But Amazon doesn’t t seem to mind – they don’t even have an abuse reporting system for ISPs plagued by this stuff.

It’s tempting to simply block all Amazon SES IP addresses, but this will cause collateral damage. Spam filtering isn’t likely to detect it any other way, as the sending server is set up correctly, with SPF records and so on, so the Bayesian filter in a spam classifier will be over-ruled. However, this correctness can be used against it…

Let’s be clear here – it’s easy enough to block the whole of SES. You can get its address range just by looking at it’s SPF records:

%nslookup
> set type=TXT
> amazonses.com
Server: 127.0.0.1
Address: 127.0.0.1#53
amazonses.com text = "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

I suspect this may cover more than SES, but SES is certainly covered by it. However, blocking it will, as I mentioned earlier, block some innocent stuff that you do want. This is a job for Spamassassin.

I’m experimenting by adding the following to SA’s local.cf file:

header AMAZON_SES Received =~ /amazonses.com/
score AMAZON_SES 3.5
describe AMAZON_SES Sent from Amazon SES - often used by spammers

The the appropriate score to weight it by is an interesting question. By default good SPF records are ignored anyway; if they were not then it would obviously be a good idea to negate a positive score here. So I’ve picked 3.5 as this matches a clear Bayesian score rather than for any good statistical reason. Check back later to see how well it works.