My 50 most popular blog posts from 2018

This time I omitted any posts earlier than 2017, since there were still a few perennial favorites in the list.

Previously.

Tags: , , ,

Never post photos of your keys

A hacker might do something untoward with them.

Previously.

Tags: , , , , ,

Webshit Weekly

Who Are My Investors?

The Saudis are being assholes in public again, so some people are starting to wonder if they're willing to be picky about where their money comes from. Hackernews isn't, for the most part, but they seem attracted to the idea that it's probably okay to take money from assholes if you think nobody will notice. Failing that, try to get some other people between you and the assholes. A few Hackernews just declare that there's no such thing as an asshole. I rarely* recommend reading "Hacker" "News" comments, but if you want to see the inner strugglings of people who just aren't sure if they should, through their labor, enrich murderers, this is the place to do it.

* never.

Previously, previously, previously, previously.

Tags: , ,

Today in Ono-Sendai News

A traveling executive receives messages from his office electronic mail system by means of a hand-held computer and modem at a public telephone.

Also, today is the 23rd anniversary of Hackers.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , ,

Today in Ono-Sendai News

D10D3 Cyberdeck64 v3


Previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

A webshit shits webshit about webshit

This week's n-gate:

  • A parasite compiles buzzwords into a Google Docs text file. In response, a Hackernews apostate suggests that perhaps building a lasting business at a sustainable pace is within the realm of possibility. The Hackernews Re-education Squad parachutes into the resulting panic to firmly explain that hockey-stick growth followed by acquisition or IPO is the only acceptable path forward, and that making a low-six-figure income in an affordable community is a dangerous myth. The real question is: during your normal, necessary, not-excessive twelve-hour work day, are you more productive before dawn or after dusk? [...]

  • An Internet has a hobby. Hackernews likes to watch. The hobby involves Lisp, whose evangelists are so ancient and terrifying that the Rust Evangelism Strike Force declares the entire comment thread a no-fly zone and produces new maps marking the area as lost territory, impenetrable to the faithful.

Previously, previously, previously, previously, previously.

Tags: , ,

STARTTLS Everywhere

Similar to Let's Encrypt, the project providing free SSL certificates for web servers along with tools to auto-renew them, STARTTLS Everywhere is trying to build some tools to make it easier to configure your mail server to encrypt mail in transit, and do so with properly signed certificates.

What I only just realized is that it's pretty easy to use Let's Encrypt certs as SMTP TLS certs, if you have already been using self-signed certs: you just need to add your MX to the list of domains in the cert and install that cert into Postfix:

smtpd_tls_cert_file = /etc/letsencrypt/live/dnalounge.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/dnalounge.com/privkey.pem
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file

They have a page that tests your server, but it's terrible, don't bother. If it detects a single problem it just says "Nope!" without telling you what the problem is. A better tester is at checktls.com which will actually tell you what it thinks went wrong.

Wow, Everything's So Messed Up. How Is STARTTLS Everywhere Going to Help?

We have three primary goals for STARTTLS Everywhere:

Improve STARTTLS adoption.
We want to make it easy to deploy STARTTLS with valid certificates on mailservers. We're developing Certbot plugins for popular MTA software, starting with Postfix, to make this a reality. [...]

Prevent STARTTLS downgrade attacks.
In order to detect downgrade attacks, we're hosting a policy list of mailservers that we know support STARTTLS. This list acts essentially as a preload list of MTA-STS security policies. [...]

Lower the barriers to entry for running a secure mailserver.
Email was designed as a federated and decentralized communication protocol. Since then, the ecosystem has centralized dramatically, and it has become exponentially more difficult to run your own mailserver. The complexity of running an email service is compounded by the anti-spam arms race that small mail operators are thrust into. At the very least, we'd like to lower the barriers to entry for running a functional, secure mailserver.

Yeah, see, that last part is the kicker. Only crazy people like me run their own mail server, because Google has managed to almost completely de-federate the world's email infrastructure. "Google has most of my email because it has all of yours".

Why would anyone run their own mail server?

"As an act of defiance against the Google hegemony" is probably not a selling point that resonates with very many people.

Nor is, "I really enjoy reading my logs and seeing Error 421: To protect our users from spam, mail sent from your IP address has been temporarily rate limited."

So, you know, maybe some day everyone who still runs their own email server will have certificates installed, and maybe enough of those certificates will be signed by a CA that validating the cert before exchanging mail might be a practical thing to do. But it's more likely that by then, email will have been killed as a concept. All it would take would be for Google to decide, "Fuck it, we're just not going to federate with anyone any more."

You know, like they did with GChat, single-handedly killing Jabber / XMPP.

They don't quite have the market share on the email side to get away with that right now, but maybe they will someday. But even today, they could probably get away with saying "We're no longer accepting SMTP connections, period": they'd just have to bully Outlook, Yahoo and iCloud into peering in some new way that locks everyone else out. They'd do this under the guise of "solving spam", which it wouldn't.

In summary, everything is terrible.

Previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

Because we are in the Stupidest Timeline, this was the plot of Charlie's Angels.

Cops Can Find the Location of Any Phone in the Country in Seconds, and a Senator Wants to Know Why:

"I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government," a May 8 letter sent from Wyden to the President and Chief Executive Officer of AT&T reads. [...]

In his letter to AT&T, which has similar text to letters sent to other carriers, Wyden writes that this check amounts of "nothing more than the legal equivalent of a pinky promise."

"The fact that Securus provides this service at all suggests that AT&T does not sufficiently control access to your customers' private information," the letter adds.

In Shocking Drop of Second Shoe:

Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US:

Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others. The data also includes Securus staff members, as well as users with personal email addresses that aren't explicitly linked to a particular government department. [...]

"Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat. [...]

"Track mobile devices even when GPS is turned off," the Securus website reads. "Call detail records providing call origination and call termination geo-location data," it adds.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , , ,

90s Police Car Dashboard Computer now runs XScreenSaver

Trammell Hudson: MDT9100:

The original system had an i386SX running Windows 3.1 in a locked-down kiosk mode that would only allow the radio application to run. [...] The BIOS setup screen can be reached with the "HOME" key during the boot and is a nostalgia trip. "Boot Sector Virus Protection" is such a throw back.

Security issues:

Although Motorola advertised the MDT-9100 as suitable for secure data communication, the standard version was in fact highly insecure. [...]

According to Motorola, a 'special code' was used, but the code appeared to be nothing more than plain ASCII. The data protcol was known as the MDT-4800 protocol and used bit-interleaving as a means to correct transmission errors, and to obscure the data stream. When hackers discovered the properties of the protocol, several PC programs appeared that allowed the general public to monitor police conversations with nothing more than a scanner, a PC and a simple interface.

In the US, the problem was 'solved' by making it illegal to publish and use the PC-based hacking software.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

My 50 most popular blog posts from 2017. "Number 15 might surprise you!"

(Actually, a lot of it surprises me.)

42: Tentacle heart
(from 2014!)
41: WordPress migration mostly complete
(from 2010! So obsolete!)
9: Poetica Vaginal
(from 2010!)
Tags: , , ,

  • Previously