Poor man’s ssh launcher (CLI)

Problem: just wanted an easy way to add my hosts to the ssh config file and connect to each host through the easiest way possible using normal bash command-line.

Solution: configure your .ssh/config like you normally would, with the following:

Host myapache
Hostname myapache.host.com
User fred

Host myapache2
Hostname myapache2.host.com
User fred

Add the following to your .bashrc or .bash_profile (Mac OS X):

shosts=`grep ‘Host ‘ ~/.ssh/config | awk ‘{print $2}’`
for h in $shosts ; do alias $h=”ssh $h” ; done
alias ssh-hosts=’echo -e $shosts | tr ” ” “n”‘

And voilá, if you want to connect to any host, just type the name of the host, for example ‘myapache’. If you want to get a list of ssh hosts, type ‘ssh-hosts’. Keep it simple, stupid.

Eye-Fi for Security

This is fun. Really.

Alison DeLauzon, Reuters reports, had her camera stolen when left an equipment bag in a restaurant in Florida. The folks who allegedly took the bag also took pictures of themselves, which isn’t unusual. But DeLauzon had an Eye-Fi wireless Secure Digital (SD) card in her camera, received as a gift. The thieves apparently wandered by an open access point with the same SSID as one that DeLauzon had configured for use, and pictures of her baby and the thieves were uploaded to her picture-sharing account. Nifty.

Security? What matters is the name

Não posso deixar de rir com o que o Bruno nos diz sobre esta notícia no Público. Tão verdade, tão português. É a caricatura de um governo que constantemente apregoa o choque tecnológico e da inovação, mas que esqueceu-se de referir que antes disso precisamos de um choque de mentalidades.

De acordo com esta notícia do Público, no Min. dos Negócios Estrangeiros os diplomatas estão todos chocados com o facto de passarem todos a usar um endereço @foreignministry.pt.

O que é absolutamente surreal, é perceber que os diplomatas portugueses actualmente usam endereços de mail no yahoo.fr, wannadoo.fr, tin.it, e free.fr. Ou seja, as mensagens de email dos diplomatas portugueses estão alojadas em servidores de terceiros, incluindo de empresas que não oferecem quaisquer garantias de confidencialidade, que nem sequer obedecem à Lei Portuguesa

Agora pensando bem, se calhar estamos a inovar com a chamada Open Diplomacy.

ssh over http proxy mini-mini howto

So, you’re behind the almighty corporate proxy and you have to work. You love ssh. You have deadlines. You don’t have time to loose. So, you go and install corkscrew. Then, create or edit your ~/.ssh/config with:

Host *
ProxyCommand /path/to/corkscrew big.corporate.fw 8080 %h %p

And life is good.

The Almighty Proxies

I really think that maybe there’s a reason behind corporate firewalls. To keep people away from doing real work. Oh well, running ssh over corkscrew over the almighty http proxy is not enough. Tomorrow I’ll go for OpenVPN over http and tunnel every piece of packet on top of it. Long live open source.

ClickandBuy lousy service

clickandbuy.jpg
paypal.jpg

I always thought that, in this life we learn a lot more from bad experiences, not just the good ones! Yesterday I bought some goods from a known online shop. I’d always payed the bills through Paypal and never had any problems whatsoever. Always fast, always reliable, smooth service. Due to a problem with spanish vat not being charged to me, portuguese citizen (EU laws, oblige) I received an email saying that I had to pay for it and the merchant, gently, giving me an URL saying that I could just click on it, follow the instructions and the process would come to an end. Ok, nice, happy, happy, joy! Clicked on the ClickandBuy link, it got me to a page where I had to fill a registration form to complete the process. Ok, name, address, phone and credit card number. Allright, no big deal, very reasonable. Filled up all the information and clicked on the ‘Register’ button. After some seconds, bang! ClickandBuy registration service says that something is not right with my credit card information (the same one that in the same day I used to pay for other services) and to check my inbox for some instructions regarding this authorization process and approval of my ‘on hold’ account. This was the mail I received:

Dear Mr. Marques,

You are already using the clever and secure payment ClickandBuy – thank you very much for relying on this intelligent solution for payments on the Internet.

Unfortunately, we had to temporarily bar you from the use of ClickandBuy. This could be for several reasons, e.g., we might ask you to contact us regarding the address, bank or credit card data you entered.

So, please contact our service team at

[email protected]

or call

+351 707 781 718

for information about the reason for this temporary barring.

We would be happy to activate you again as soon as possible for the use of ClickandBuy and hope for your understanding.

Hmm. I’m already using the clever and secure payment ClickandBuy. No, I’m not. Actually, I can’t register with you because you’re saying that I have “some” problem that is causing this and I have to reply to this mail or call a 707 number (not a 800) to just follow your instructions. Ok, I’m in a hurry, you even have a number in Portugal to call from, let’s see. Phoned ClickandBuy and the nice lady answers the phone with a perfect spanish accent. Oh, and no portuguese talking. English will do, no problem. After some minutes I realized that I had to send a copy of my passport (yes, my passport) and my credit card by e-mail or fax to ClickandBuy just to authorize and authenticate my account. Hello? Are you nuts? Send my passport data and the credit card to a fax number or even an email to you, in clear text? I couldn’t believe this, so I asked if they could send me another e-mail with the instructions that I had to follow. So, here it is:

Dear Mr Marques,

Thank you for contacting ClickandBuy and for your message.

Unfortunately the only way to unblock your ClickandBuy account is by filling
out and signing the attached form. Please send it back to us either via email
or fax with a copy of your passport or drivers licence and credit card (front-
& backside)

ClickandBuy fax#: +49 (0)221 – 26 01 189

Please understand that this is a security measure intended to protect you and
your account from fraudulent use. We apologize for the inconvenience caused by
this matter.

This is pure nonsense. This is bloody stupid. ClickandBuy is worried with the fraudulent use of my account and they ask me to send all my personal details *and* credit card information via email in “clear”? Or fax it to a German Number, from Portugal, at my expenses? No, thanks. See, ClickandBuy, you have to learn a lot with Paypal. Say, for example, their method of authentication of new user accounts. After the registration, you just have to click an email to authenticate a new account. If you want to upgrade your account to a verified one, depending on your country, Paypal charge your credit card or make some transfer to your bank account. Along with the transaction description saying something like PAYPAL you have a code that if you access your bank account records, you can just c&p on paypal and bingo, you have a verified account. Very smart, very easy. Secure. This is one of the million reasons that Paypal is the king of online payment and has about 100 million accounts.

So, after burning 30 precious minutes of my time I sent an e-mail to the merchant asking if it was ok to pay this by Paypal, because I didn’t want to deal with burocratic ClickandBuy again. The answer was: yes, of course, no problem. So, after that, it took me no more than a few seconds to send the money to the merchant.

Anedota do ano

Desculpem, importam-se de repetir?

A Polícia Judiciária (PJ) e a multinacional Microsoft assinaram hoje um protocolo de cooperação na luta contra o crime informático e a promoção da segurança na Internet.

O quê?

Via pfig. Ler o resto aqui.

OpenSSL Hell

From Netcraft, OpenSSL Vulnerable to Forged Signatures:

Security researchers have demonstrated a way to forge digital signatures that can fool the OpenSSL software used in many secure web servers and virtual private networks (VPN). The OpenSSL Project has issued patches to address the weakness, and is urging users to upgrade or install the patches.

The signature forgery technique was first demonstrated by Daniel Bleichenbacher, a cryptographer at Bell Labs, at the CRYPTO 2006 conference last month. While the forgery only works on specific keys (known as PKCS #1 v1.), these keys are used by some certificate authorities in SSL server certificates.

“All software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5,” OpenSSL said in its advisory. “This includes software that uses OpenSSL for SSL or TLS.” OpenSSL versions up to 0.9.7j and 0.9.8b are affected.

Well, long life to yum & apt-get.

Update: important quote from the original post:

Implementors should review their RSA signature verification carefully to make sure that they are not being sloppy here. Remember the maxim that in cryptography, verification checks should err on the side of thoroughness. This is no place for laxity or permissiveness.

Daniel also recommends that people stop using RSA keys with exponents of 3. Even if your own implementation is not vulnerable to this attack, there’s no telling what the other guy’s code may do. And he is the one relying on your signature.

So, we cannot say for sure that other PKI/RSA implementations are not vulnerable. Think NSS/Mozilla.