Categories
English Usability Web Browsers WTF

Firefox 29 “Sync” nightmare

The — as I later found out — completely revamped “Sync” feature in Firefox 29 caused me a lot of grief yesterday, and I wasted more than 3 hours due to it. :-(

The issue started after I had to set the system time back on one of my Macs which I hadn’t used for a couple of weeks, so the Firefox data on that machine was outdated and not in-sync with the other machines synced to the same Firefox Sync account. Not sure whether setting the date back was the root cause, but anyway… I suddenly noticed that I had old passwords on another machine, too. Obviously it had received them via Firefox “Sync” from said Mac.

So, what to do?

I first cleared the data stored in my Firefox Sync account by logging on to the old account management (https://account.services.mozilla.com/), to make sure that the outdated passwords do not propagate to more machines.

I then disassociated the machines that had already received the outdated passwords from Firefox Sync.

Afterwards I wanted to add the device back the same way I did when adding a new machine in the past. But it didn’t work as it used to work. No way I could display the sync code I needed to enter on the “master” machine. :-(

Categories
English Mac WTF

“MacX DVD Ripper Pro Halloween Edition” expires and lies to you

Halloween 2012 MacXDVD Software, Inc. gave away free copies of their “MacX DVD Ripper Pro” as a special “Halloween Edition”. This was a very generous gesture which I would like to explicitly recognize and thank them for.

When I recently wanted to reinstall that piece of software on my new MacBook Pro Retina and tried to enter the serial number I noticed that you can’t — the software said that it had expired. I was very disappointed. I didn’t remember that you had to activate the software before the end of the promotion. So I set back my system clock to November 2012, and presto, I could install the software again. 🙂

After I ripped a DVD I set back the date to the current date, only to notice later when I wanted to rip another DVD that the software had expired(!). It does not explicitly say so, but it “lies” to you as follows:

MacX DVD Ripper Pro Halloween Edition lying to you

This message appears regardless of which DVD is in the drive (even very old ones that were released well before “MacX DVD Ripper Pro” itself was released), and even if no DVD at all is in the drive. So it is obvious that the above is not the truth, but a lame excuse for not telling you the truth that the software was time-limited from the very beginning.

Mind you, I’m not complaining about the fact that the software is time-limited as such. Even a software that is free only for a year or something is still a nice gift. What I’m complaining about is that MacXDVD Software, Inc. is lying to me. Why did they not originally include the notice that this is a time-limited copy of the software only?

The solution to this problem of course is to again set back your system time. This is not very convenient, but if you only occassionally rip a DVD it should not be a big problem.

Categories
Cell Phones Communications Networking WTF

OpenWRT Quality-of-Service module caveat: speed limit

As I still have “issues” with my DSL line being extremely slow during certain times (especially between 18:30 and 23:00), I wanted to use USB tethering from my OpenWRT router to my Android LTE phone to enjoy the massive speed I have in our area (up to 90 MBit/s downlink and 70 MBit/s uplink, according to the Ookla Speedtest.Net).

So I configured the router according to the OpenWRT wiki. The internet connection did not come up immediately, and I couldn’t find out why, so as a last resort I rebooted the router. After I switched on USB tethering again on my mobile phone (which seems to be required each time you reboot the router since the mobile phone then loses the USB tethering connection), I suddenly had a working Internet connection.

However, for some reason the Internet speeds I was seeing in Ookla’s web browser-based speed test (which is a Flash applet) were very disappointing, around the same speeds I’m used to with my DSL line (14 MBit/s downlink, about 0.8 MBit/s uplink). I thought it might be an issue with USB tethering not working well in my build of OpenWRT (still r39582), so I tried USB tethering with my Mac (using HoRNDIS). I got the full speed I expected. So back to OpenWRT…

Then suddenly I suspected what might be going on: Since I had more or less exactly the same speed as my DSL connection (with the uplink of less 1 MBit/s being dramatically slower than what I should get via LTE) I thought about what could possibly limit the speed. And then I remembered that in the “Quality of Service” (QoS) module I configured the speeds of my DSL line (at the top of the page, in the Download speed (kbit/s) and Upload speed (kbit/s) fields). Could it be that these settings actually limit your speed to these values?!

I disabled QoS, and immediately thereafter I got the full LTE speed I expected.

So, another thing learnt.

I hope this helps people who might be in a similar situation…

Categories
Security

Outlook.com breaks DKIM signatures

I’m currently implementing DKIM support for my Exim mail server, and due to this I’m sending a lot of test messages to all major freemail providers in Europe and the USA.

I noticed that Outlook.com breaks DKIM signatures since they modify one header as follows:

The original header I sent is

Content-Type: text/plain; charset=ISO-8859-1; format=flowed

while the header which I see when I fetch the received message with IMAP is the following:

Content-Type: text/plain; charset="ISO-8859-1"; format=flowed

Noe the extra “double quotes” around the charset which are not transparent to “relaxed” Header Canonicalization. This causes Thunderbird’s “DKIM Verifier” extension to fail on this message.

What’s strange is that Outlook itself succeeds internally to verify the DKIM signature, so the modification to said header probably occurs after checking the original header. See below for what the header of the received message says about authentication:

Authentication-Results: ... dkim=pass (identity alignment result is pass and alignment mode is strict) header.d=example.org;

To solve this small issue I modified Exim’s list of headers to be signed as follows. Original set is

Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID

while I now only sign the following (which I consider to be sufficient):

Subject:To:From:Date:Message-ID

Let me know if you have any comments or suggestions.

Categories
Computers Security

Insecure self-updates via plain HTTP

Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain HTTP so that attackers can modify downloads and thereby introduce malicious code.

Immediately I got in touch with the manufacturer of the application, and only 9 hours later they came back to me with the below response:

Right now <unnamed product> download server supports only HTTP and not HTTPS, so we don't have any immediate solution to offer. However we are keeping notes of this concern and we will address it.

Is this not simply unbelievable?!

Remember we’re not talking about someone who does this for a hobby, who may not have the money or time or even knowledge to implement SSL on their server. But we’re talking about one of the largest IT companies in the world… 🙁

I will now wait for a while, and if they haven’t fixed the issue by then I will disclose it on my blog anyway to put pressure on them… But maybe they do it intentionally in order to aid the NSA?! :-/

Categories
Computers Networking

How to properly benchmark your broadband connection

Since a while my broadband connection gets slow frequently, so I wanted to perform regular benchmarking probes and create a graph to illustrate the actual uplink and downlink speed.

Your first approach to this might be to download and upload a payload, measure the time this took, and divide the sizes of the files you downloaded and uploaded by the times it took. But this approach is seriously flawed… Why? Simple. In a usual scenario you have a router that terminates your internet connection, so eventually other LAN clients will cause traffic at the same time you’re performing your probe. This would “limit” the bandwidth you have for your probe, and thus artificially reduce the speed you calculate.

So how to do it properly? You should ask your internet gateway (your router) for the traffic it sees.

Categories
Networking Routers

Arcor bzw. Vodafone EasyBox 803A: Verwendung nur als “Modem”

Bisher habe ich an meinem Arcor- bzw. nunmehr Vodafone-ISDN/DSL-Anschluss noch separate Komponenten verwendet: Splitter, ISDN NTBA und Speed-Modem 200. Aus aktuellem Anlass (plötzlich drastische Einbrüche bei der Internet-Geschwindigkeit von normal 16 MBit/s auf teilweise nur 1-3 MBit/s) habe ich diese jedoch gegen eine Vodafone EasyBox 803A ausgetauscht, weil ich einen Defekt des Modems oder Splitters vermutet hatte.

Die EasyBox ist recht clever konstruiert, sie kann nämlich selbständig feststellen, ob sie an einem Analog-/ISDN-Anschluss betrieben wird, wo der Splitter benötigt wird (um das UK0-Signal für den NTBA abzutrennen), oder an einem reinen DSL-Anschluss (NGN), wo er nicht benötigt wird, weil dort Sprache per VoIP über DSL übertragen wird. Je nachdem wird also der Splitter und NTBA in den Signalweg eingeschliffen oder nicht. Das ist das Klickgeräusch beim Einschalten der Box! Man sollte bei Verwendung der EasyBox einen evtl. noch vorhandenen separaten Splitter aus dem Signalweg entfernen und die EasyBox direkt an die “erste” TAE-Dose (früher “Monopoldose” genannt) anschließen, um die Dämpfung (“Leitungsqualität”) zu verbessern (und damit ggf. noch ein wenig zusätzliche Geschwindigkeit aus dem DSL-Anschluss “herauszukitzeln”).

Categories
Computers Mac Security

iTunes app downloads are unsafe…

I recently bought Little Snitch because it was on sale, and just found something strange…

I launched iTunes to download an app that’s currently available for free (ok, so I am a cheapskate… ;-)), and when the actual download was about to start Little Snitch asked for confirmation to allow iTunes to connect to phobos.apple.com on port 80, meaning that the download is not protected by SSL…

IMHO this is a big security risk since it allows attackers to manipulate your download and replace the original app by another one (e. g. one that contains malicious code).

I can’t see any reason why Apple would intentionally not protect downloads by SSL — it just seems to be very bad, careless design… 🙁

What do you think?

Categories
Computers Networking

OpenWRT: Easy and secure guest WLAN access

I use OpenWRT on my TP-Link TL-WDR3500, and I have a guest WLAN defined on each of the two radios (2.4 and 5 GHz). The guest WLANs are isolated from my LAN, i. e. guest WLAN stations can’t talk to any of my own hosts (either on the WLAN, or in the LAN, i. e. hosts connected via Ethernet). Guest WLAN stations also can’t talk to each other. The actual OpenWRT configuration (apart from passwords, of course ;-)) is not a secret, I will publish an article about that soon.

For security reasons I didn’t want a static guest WLAN password, but one that changes daily, so that I don’t have to manually revoke the right to use my WLAN by changing the password all the time. So I created two tiny scripts, one that actually changes the active WLAN password every day, and one CGI script that displays the password so that I can give it to my guests.

Here’s the first one that sets the password. I run it from cron at 00:01 every day:

 #!/bin/ash
 SALT="theSalt"
 DATE=`date -I`
 PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`
 CHANGE=0

 if [ `uci get wireless.@wifi-iface[2].network`x = guestlanx ]; then
   uci set wireless.@wifi-iface[2].key=$PWD
   CHANGE=1
 fi
 if [ `uci get wireless.@wifi-iface[3].network`x = guestlan2x ]; then
   uci set wireless.@wifi-iface[3].key=$PWD
   CHANGE=1
 fi
 if [ $CHANGE -eq 1 ]; then
   uci commit wireless
   wifi
 fi

And here’s the CGI script that needs to go to /www/cgi-bin to show the current password:

#!/bin/ash
SALT="theSalt"
SSID="Guest-WLAN"
DATE=`date -I`
PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`

echo "Content-Type: text/plain"
echo ""
echo "Today's Guest Password for $SSID is $PWD"

Don’t forget to make the scripts executable by running “chmod +x <script>“.

If you find this helpful I would appreciate your feedback.

Categories
Communications Computers Networking

Windows 7 PPPoE-Protokoll schlecht implementiert?

Anläßlich eines Problems mit meinem Vodafone 16 MBit/s-DSL-Anschluss — Geschwindigkeit ging plötzlich dramatisch in die Knie, ca. 1-2 MBit/s nur noch! — habe ich testweise die PPPoE-Verbindung direkt vom Laptop unter Windows 7 über das Arcor-DSL Speed-Modem 200 zum Konzentrator bei Vodafone aufgebaut. Auf diese Weise wurde das Modem als “Schuldiger” ausgemacht: Ein baugleiches Ersatzmodem lieferte sofort über 14 MBit/s!.

Nachdem ich dann wieder das DSL-Modem mit dem TP-Link TL-WDR3500-Router (mit OpenWRT als Firmware) verkabelt hatte, stellte ich plötzlich erstaunt Folgendes fest: Die Ping-Round-Trip-Zeiten gingen von 31-32 ms (unter Windows 7 als PPPoE-Client) deutlich herunter auf 21 ms (mit OpenWRT Barrier Breaker r39582 als PPPoE-Client). Das ist insofern sehr erstaunlich, da ja nun eine 802.11an-WLAN-Strecke und der Router als zusätzliche Latenz erzeugende “Komponenten” hinzu kamen!

Ich interpretiere das so, dass die PPPoE-Implementierung unter OpenWRT der von Windows 7 deutlich überlegen ist, da sie offensichtlich “schneller” bzw. “effizienter” ist. Bevor jetzt jemand sagt “Vielleicht hast Du einen krötenlangsamen Laptop verwendet?” — nein, das ist nicht der Fall, es war ein Lenovo X220 mit einem Core i5-Prozessor mit 2.5 GHz…. Und der Laptop war dauernd “idle”… 🙂

Eure Meinung zu dieser Interpretation würde mich sehr interessieren, daher würde ich mich über Kommentare freuen.