Entries by admin

Today I woke up very early (4:30am). And what do you do when you wake up early? Watch TV. And what type of program is in the early morning? Right, TV shopping. Today, they sold an operating system called "Zeta". Well, what is Zeta? It is a BeOS successor developed by YellowTAB. The TV shopping show was really funny, because they praised Zeta as some kind of ultimate relief for all computer users, "so easy to use", "with so many applications", "you can play videos and music", blablabla. When one of the presentators explained that it contains "a complete development environment", and didn't even know how to pronounce "development", I knew that he has absolutely no clue what he's talking about.



But what I did find interesting was the drag'n'drop stuff they showed. They showed some spreadsheet application (they called it "excel table", of course there's no Excel port for Zeta), and dragged some picture into it. Then they set it transparent, and put it into the background. That was quite impressive. But still, I wouldn't buy it, as EUR 99,95 are pretty expensive for Zeta Release Candidate 3 (the CD they showed in the camera said "Zeta RC3").

Florian Laubner pointed me to this article. Another example of lingo rape. Some people are just too stupid to understand the basic principles of their own native language. I think the very next thing I will do is writing them a letter that this doesn't make any sense from the linguistic point of view.



Update: now in Vienna, too. grr

Live concerts are great. Especially when they're. On Friday, there was Summerbreak Festival in Linz, with the German band Mia. playing as headliners. I saw Mia. once before, at Aerodrome festival. But this time, I managed to actually get close to the stage, and so the whole concert was just amazing compared to Aerodrome. The music is so much full of energy, it's absolutely wonderful. Their choreography (yes, you won't believe it, there are "normal" bands who have choreography!) is just wonderful to look at, and I really enjoyed the unusual, weird, amazing, powerful moves and jumps done by the band's singer, Mieze.



Unfortunately, they didn't play their song "Was es ist". At Aerodrome, they played it in an extra-long extended Samba-like version that was much cooler than the song on the album. And they didn't play any encore, either. But still, I really enjoyed the whole concert.

I just stumbled across a pretty cool algorithm to compute Fibonacci number algorithm. So, I guess everybody knows the traditional recursive definition

fib(n) = fib(n-1) + fib(n-2)

fib(1) = 1

fib(0) = 1

Well, the disadvantage of this algorithm is that you can only compute fib(n) when you've computed fib(n-1) and fib(n-2) before. Well, with Binet's formula, you can compute the nth Fibonacci number without knowing any other Fibonacci number. The following C sample code shows how:

#include <math.h>

#include <stdio.h>



float fib(unsigned int n) {

  double a, b;

  a = (1.0/2.0)*(1.0+sqrt(5));

  b = (1.0/2.0)*(1.0-sqrt(5));

  return ((1.0/sqrt(5))*(pow(a,n+1)-pow(b,n+1)));

}





int main(void) {

  unsigned int n;

  for (n=0;n<100;++n) {

    printf("%f\n",fib(n));

  }

  return 0;

}

A few days ago, Clifford Wolf and I released trapdoor2. trapdoor2 allows remote users to execute local commands by sending 'magic cookies'. This is meant to be used to temporarily alter firewall rules, i.e. to open some kind of trapdoor so that users can access a service like ssh on a machine only from their current machine for a short period.



But trapdoor2 can be used for more than just that. Another ideas would be restarting services. For this use case, the WAP/WML (Wireless Application Protocol/Wireless Markup Language) support comes in handy: all you need is a mobile phone with GPRS to do important system administration tasks. Of course, trapdoor2 also support "traditional" HTML. For security reasons, trapdoor2 is HTTPS only. It even supports several SSL/TLS libraries, i.e. OpenSSL and GNU TLS. So you will be left in the rain when yet another vulnerability in OpenSSL is being found.

Some of my five readers might remember my little hack ContraPolice. Well, today, I did some little research out of pure boredom, and look where it is being referenced:

• The Annvix Project uses ContraPolice for hardening dietlibc.


• ContraPolice is in the bibliography to a vulnerability analysis seminar at the University of California in Santa Barbara.

This is just great. I never expected this little hack to spread so widely. But still, I'm happy that my code is being adopted, actually being used an probably making the (security) world a better place.

That's what the Danish "security" company Secunia asserts. Since I already had to do with Secunia, I can tell you one thing: Secunia is trying to make as much publicity as possible, with as many security advisories as possible. In my case, they asked me about a minor fault in MySQL authentication of akpop3d that could have probably led to an incorrect login (an SQL injection that would have led to another record returned than desired, but the attacker still would have to know the other record's password) which I mentioned in akpop3d's change log. I told them what the actual problem was, and that the vulnerability is verytheoretical.



A few days later, they issued a security advisory. And it contained exactly the information that I gave to them! And they make money off this service, by informing people about this "security hole". My case is only an example, but most of their advisories look this way. I wonder whether they counted this advisory as "Linux" security hole in one of their statistics, solely because akpop3d runs on Linux (and FreeBSD, and OSX, and a few more).



This is so ridiculous. What is even more ridiculous are all the trolls in the ORF FutureZone forum. ts Kiddies. All the losers complaining that OS/400, z/OS, Trusted Solaris (muhahahaha) and whatnot were all soooo much more secure than Windows, Linux, OSX and everything have no f*cking clue.

Mate is really a -- legal -- drug. Today, I was again drinking Mate. The usual effects that I experienced before appeared again, but this time, I started listening to music. And well, the music sounds more intensive, rounder, just better than before. If it wasn't that nice and enjoyable, it would be really scary. And yesterday, I found a source for (relatively) cheap Mate, directly imported from Argentina, which is www.productos-argentinos.at. They do not only import Mate, but lots of other Argentinian products, too, like beef, sweets, beer, and wine.

Mate is heavy. It's at least as strong as coffee, if not stronger (at least the brand that I have, "Nobleza Gaucha"). Yesterday I had "only" two gourds of it, the last one at around 7 pm, and I'm still kinda doped (around 11 am). This is really the first time that I experience caffeine as such a heavy drug.

Mate rocks. No, I don't refer to the iced tea version of it. I mean real Yerba Mate. Yesterday I got a wonderful mate (the gourd where you drink the mate out of), a bombilla (the metal straw) and a package of yerba mate, straight out of Argentina. Drinking mate is really a great pleasure, as it's tasty (even while you don't add any sugar like you do with normal tea here), it makes you awake and less hungry, and it got all the positive effects of coffee without the negative side effects of it (my heartbeat rapidly increases when I drink coffee, and I get a bit shaky and nervous - not so with mate).

Yesterday I started learning Spanish, using the book "Spanisch lernen in 30 Tagen" by Langenscheidt (does anybody remind this of "Brain surgery in 20 easy steps"? . I already completed the first lection, and so far, it's not yet difficult. But today I encountered one big issue when trying to write Spanish text with a German keyboard layout: some characters such as Ñ, ñ, ¡ or ¿ can't be typed on a German keyboard layout. That's why I created a custom keyboard layout using the Microsoft Keyboard Layout Creator (as you can see, I'm currently bound to Windows :-/), so that ñ can be typed using AltGr-n, Ñ can be typed using AltGr-Shift-n, ¡ can be typed using AltGr-Shift-1 (i.e. AltGr-!) and ¿ can be typed using AltGr-Shift-ß (i.e. AltGr-?). If you're also in desparate need of this keyboard layout, you can find the msi installer for Windows here. And below you can see a screenshot of the keyboard layout.

Ladies and gentlemen, I proudly present the successor to the infamous Pretty Good Privacy (PGP) software: Pretty Good Double ROT13 Privacy, or short, PG2ROT13P. It is based on the latest research from the #mum cryptolabs, and will revolutionize the world of IT security. A demo version that both support encryption and decryption can be downloaded from here.



Propz go out to oli`, psychoKen, mik, f1r3, nulpie, herp, terrorgrl and all the other 24/7 hardcore idlers of the #mum cryptolab crew.

Today I ported an OpenSSL-based application over to GNU TLS (which implements SSL 3.0 and TLS 1.0), just to see how easily it can be done and how GNU TLS is different from OpenSSL. Well, first of all, GNU TLS is a bit simpler to program than OpenSSL. While you still need a lot of function calls to get SSL established, it's a lot less than in OpenSSL, and - most importantly - all library calls are lower case. Regarding key and certificate files, GNU TLS is perfectly compatible with OpenSSL. So applications that already have some kind of abstraction layer to make it easier to use OpenSSL or to make the use of SSL optional can be ported within an hour.



But still, GNU TLS has some issues: what is most annoying is that the SSL handshake takes almost infinitely long (around 5 to 10 seconds), while OpenSSL does that within a second (in my test scenario, it was always OpenSSL on the client side and OpenSSL and GNU TLS on the server side). When a had a look at GNU TLS using strace(1), I immediately saw what the problem was: GNU TLS continously polls the PID, the current time and some resource usage stuff. This is absolutely not necessary, and should be improved.



Another annoying thing was that GNU TLS has major issues with certain rlimits set. For example, when you limit the maximum CPU time using setrlimit(2), the SSL handshake is likely to fail with too few CPU time set (with OpenSSL, I experienced no problems so far). GNU TLS also gets problems when you set the maximum number of open files too low. The symptom: SSL handshake issues. GNU TLS needs to have more than 32 open files at the same time. I don't exactly know how many, but 64 work. On the contrary, OpenSSL works with less than 16 open files.

First of all, the performances themselves at Aerodrome were really great, and I really enjoyed the concert part of this festival. But nevertheless there were many things that made Aerodrome festival just mediocre.



One problem that I recognized when I arrived was that there was hardly any information what was exactly going on, what to do, how everything's organized, etc. The only way to get useful information was to ask the security personal standing in front of the entry gates. But not even they were fully informed. Then, after some asking, I found out what actually the caravan area and what the camping area is, and that we'd have to get into the camping area by trading in our ticket for wristbands. After we did that, we were checked at the entrance. Then, I immediately realized what would be one of the main problems at Aerodrome: garbage. It was only the second day on which camping was allowed, and the first day where concerts took place, and everything was already totally full of garbage - everywhere. Afterwards we also had big issues to find our way to the tents of our friends who went to Aerodrome the day before. We didn't even know whether we entered through the south gate or the north gate (it was the south gate, as we learned later). So, orientation in the camping area was really difficult.



The next thing I have to criticize was the totally unregulated "music" and noise everywhere. It was impossible to find a place where to rest for just a few hours and to have a silent a calm place. Absolutely no chance. And that is especially annoying in the night, i.e. after 12 pm. And it is even more annoying when the music goes until around 5 in the morning, when everybody wants to sleep. Fortunately, I was able to put some tissues into my ears, and so I fell asleep around 3:30, but I woke up again at 5:22. That was really horrible! The first day was already exhausting enough (travelling from Linz to Wr. Neustadt, attending several concerts, standing around all the time), and so I just wanted to sleep and rest my legs which were extremely hurting.



Another thing I strongly have to criticize is the food and water supply: the normal water was hardly drinkable (IMHO), and more drinkable mineral or soda water was extremely expensive: a 1.5 liter bottle of Voeslauer mineral water was as much as EUR 4,50! These prices reminded me of Woodstock 1999, where a bottle of water was US-$ 5, and where riots started because of this. The food supply was also really bad: all the food you could buy on the area was totally overpriced (who wants to pay EUR 5 for a Kebab, or EUR 3,50 for a slice of pizza?!). Another thing, and that was the worst thing of the whole food and water supply issue, was that you were not allowed to bring your own drinks from the camping area to the concert area! That means you have 3 options when you're getting thirsty:

• stay thirsty
• go back to the camping area, drink something, and return to the concert area, which would take you at least 15 minutes
• buy the totally overpriced drinks at the booths in the concert area, with high prices like EUR 3 for 0.4 liter of Coke, beer, Sprite or Almdudler and EUR 2 for a mere 0.3 liter of soda water!

Totally unacceptable was also the sanitary situation: the toilets were ugly, dirty, stinky and mostly unusable. Not only that, but the stinky smell was over huge parts of the camp several times, especially on the second day. Fortunately, it was quite windy, and so we weren't annoyed for too long. The showers were unusable, too: first of all, you cannot really take a shower when there are way too few showers around. Second, you cannot get clean when you are being welcomed by 10 centimeters of dirty water. And third, nobody really wants to take a shower with cold water only. Actually, cold showers are only good for torturing prisoners and for keeping people away from taking a shower.



So I hope that Aerodrome was a total disaster for the organizers, and that it won't repeat. Interestingly enough, the organizers of Aerodrome are the same who also organize festivals like Forestglade, so they should actually know how to do festivals. As I showed above, they don't.

Yesterday, there was the second day of Linzfest, an annual kind of festival with lots of international bands playing. I took the time to go there with Paula, and listened to some really interesting music. It started with Skamp, a Lithuanian (thx2spellchecker band, which was pretty boring.


Then "Les Babacools" were playing, a German band playing Reggae, Ska, Hip-Hop, and similar stuff. That music was really nice, and it was the only act this day where most of the people in the crowd directly in front of the stage were mostly young people. Everybody was dancing, and it was really relaxed, a few even started smoking their spliffs, so the air was filled with this typical smell. Directly after the concert, I bought a CD from "Les Babacools", which is not as great as the concert was, but still really nice to listen to.


After that, some Hungarian band was playing some Dub thing, so we started wandering around and saw Günther Paal (aka Gunkl) during his sound-check twenty minutes before his show started. So we went around a bit more in the Donaupark, where most of these things were going on, and met some of Paula's friends that she knows from her German course. Then, at 21:30, Bauchklang was performing (man, they're bad...), and we stayed until the end of the concert. Then we went to the (overcrowded) Cafe Strom to have a beer, and then home.