amazon's stuff!

Volete leggere Ziogianni sui cellulari nokia?
do you read this blog on your nokia ?
my Amazon wish list

mysql and deprecated “things”

Hi, i was performing an update on a “centos” test bed machine.

I was not happy to discover that an old php site was no more operational. So I was puzzled, and unhappy. The first thing that i have done was to read the log and verify that the upgrade operations gave no errors.
I upgraded to: mysql-server-5.5.

No errors. So what? I asked to google and so i learnt that mysql dropped and changed some things.

“find” and “send” was very good friends to fix the problem.

The “changed” things that have affected my poor old php scripts:

  • TYPE=MyISAM must change in ENGINE=MyISAM
  • TIMESTAMP(14) must change in TIMESTAMP

An example: sed -i.bak '1,$ s/TYPE=MyISAM/ENGINE=MyISAM/g' .

So now i have to check if the new behaviour of timestamp impacts on other points of my scripts…

I will see, but it is evident that my approach to test on a “test bed” before to implement in a production system is correct.

I suggest you to copy my approach.

October 31st, 2013 | Category: scripts | Comments are closed

privacy and messages… (mala tempora currunt? )

Seems that in this period, a lot of people is involved in “eavesdropping” the people’s communication. Seems that both data and voice communications are involved.

So just now I bring you some links to some app that maybe can help you to maintain a ‘bit’ of privacy:
(I will just enumerate these app… if possible i will give you the link on wikipedia, and please remember that i prefer open source applications when possible)

So seems that YOU CAN DO SOMETHING TO PROTECT YOUR PRIVACY…

October 28th, 2013 | Tags: , | Category: IT security, mobile | Comments are closed

About otp tokens

In these economically troubled times (or, at least are trouble times for the country where I live: Italy) I am involved in some projects themed on otp/totp. So I have to inform myself about pros and cons of this interesting technology.

‘OTP Token’ seems a technoloy far away from our day-by-day life. It seems far away from us in every aspect of our life. But if you start to think about “scratch card” maybe otp tokens technologies may appear quite near. If you have an on-line bank account, maybe you are already accustomed to this technology.

Maybe you want to know some of the “technicality” behind these fancy tokens:

Maybe now, you knows everything and, maybe not. However i am not a crypto-analyst, nor a “mathemagician” but I am a mere it worker. I was interested in the physical thing also. Incidentally in the proceding of my study, I have developed some (interesting?) code in php that you can find here and, here) .

I found this interesting page from a (former?) otp token seller: www.gooze.eu. It is an interesting text. The important things (from my point of view) are their statements about the “seed” security. Seems to me that they are not trusting anymore the whole seed management system. Maybe they know something that we don’t know (yet) ?

However, from my point of view, this not sufficient to make obsolete this technology. But is sufficient to make me think that open techonolgies/open proceedings does it better. Maybe it is sufficient to use a “seed configurable” software otp token”. Can we trust our mobile phone sufficiently to install one of these software apps?

Sorry to make you unhappy, but “only paranoid will survive”… Or not?

October 20th, 2013 | Tags: , , | Category: IT security | Comments are closed

Identification? (Identification in a networked reality: some simple words)

Identification in a networked world is not so simple… in the real world we can count on both our sense and the “ring of trust” of friend/”trusted” persons. Into the net we can only check the provenience of the incoming requests, the omniprerent couple: “username” and “password”, the public key, and finally the callback (tipically implented sendind a “token” by sms or e-mail).

Seems that the majority of peoples and web sites are still relying on username/password… The same method used by roman legions for their nightwatch.

However, there are other way to identify someone/something that is web request on internet today. The above mentioned method to identify someone rely on the assumption that the identifying part have all the informations (and resources) necessary to perform the identification procedure in a correct and secure way.

From this point will identify “the client” as the someone/something that is making web requests on internet, and “the server” as the computer that answers (hopefully correctly!) to these questions.

So what if the server demands the identification of a client to third party ? Is it useful ? Have we some useful tools/standard ready to use?

The answers:

  • we can semplify the identification procedures and we are no more bothered by personal data and e-mail of our beloved users!
  • yessssss! it is really nice
  • yess and you find some of them already selected and ready to be used!

Standards (i am using the word in a quite incorrect way making confusion between standard and set of api… ) :

In brief: I like the first two. OpenID is about authentication and OAuth is about authorization… But for this post I will treat both as the same thing :-) .
So now we konw that we can authenticate/identify a client using a third-party service.

(I used the third one too but it is not relevant in this post)

A step back:
we can identify a client if the informations given by a device in its own possession coincides with the data that we aspect… This is a quite involute way to introduce the OTP (One Time Password) and the TOTP (Time-based OTP).

Can we have (T)OTP on OATH/OpenID? my answer is yes.

Now remain on (T)OTP: these nice things were my food in the last two months… I loved the following links:

So I am happy to inform you, that if you are interested to these things, in next few days i will write other posts on these things, I will publish some free code implementing a test TOTP solution, and I will try to convince some business partners to give me the permission to publish info about some nice info crypto device.

Stay tuned!

September 29th, 2013 | Tags: , , , , | Category: free software, IT security | Comments are closed

no encryption in ssh?

Hi to everybody… sorry for the “latency” between the latests posts… But i was very busy on some crypto/net/social things… I really hope to show something really soon.
For now this information: if you love ssh and use it for connection/s, file/data transfer, vpn to solve some (inexistent) routing problems, you will be aware of the computational costs of both data compression and data encryption. In some cases i have to transfer a lot of data on already secure connections using scripts referering some tools of openssh family. I really miss the ‘-e none’ switch. Good that oday i have found that i am not alone, and, that some guy implemented a set of patch to give us back this lovable switch.
The url of this lovable thing is: http://www.psc.edu/index.php/hpn-ssh.

I relly hope thatyou will enjoy these patch (btw i am still compiling … )

September 26th, 2013 | Tags: , | Category: free software, scripts | Comments are closed

linux usb devices problem: solved! or at least patched….

Today i have found this article: https://plus.google.com/u/0/116960357493251979546/posts/RZpndv4BCCD… She had found a possible explanation for the issue on xHCI devices… We will see but the article seems really interesting to me … I suggest to read comments too…

August 23rd, 2013 | Category: Uncategorized | Comments are closed

slide on the web

Recently i have spent some time to search and choose a free slide service on the web.

I have evaluated a lot of services, some of these services had a license too much complex for my needs, some other had an user interface that simply do not like to me. ..

So the shortlist follow:

You can find other interesting site from: http://www.webuildlink.com/presentation-sharing-sites-list/.

Some words about my criteria:
- i want a place where i can put my technical slides (some presentations, some projects some it-related-courses-slide)
- i want a place where people can easily find it
- i want a place compatible with both fdl and cc license
- i want a really simple user interface

Just now i have put the first slides on speakerdeck.. if you are interested in router “reconfiguration” and are able to understand italian: https://speakerdeck.com/gvieri/mie-slide-x-linux-day-2012 .

I am testing the service… So we will see! :-)

August 11th, 2013 | Tags: | Category: Uncategorized | Comments are closed

Floating-Point (arithmetic) and its real-life impact. =UPDATED=

I am well aware that the “A” word (arithmetic) in title it is not a good idea… Normally it is a really bad idea. But this post seems interesting and important to me, so important that i have to put the “A” word in title…

Before to start please make some “common ground” please read:

So now we know that the “same” program with the same data can give different results. These difference can be related not to the programs but, to the underlying “math library”, operating systems, and different hardware.

But these programs are really complex… how can these (interesting?) facts impact our daily lives?
Try to imagine what happens if the simulation of your real-estate mortgage run on these affected systems. Try to imagine if one of the chemical simulation software used to verify the new drugs is affected by these problems…

Try to imagine too if some of software used to recognize suspect’s faces are running on these systems…

Now you can put a stop to your imagination, and maybe you can start to love bcd math libraries.

I confess that i started to love bcd math hardware 25 years ago… I still love it. Maybe, you should love it, too! :-)

And now a citation: “Contemplate this on the tree of woe” …

Now after that you contenplate enough start to read this: https://randomascii.wordpress.com/2013/07/16/floating-point-determinism/

…. This article probably contains both the best explanation of the problem, and contains some part of solution too.

July 28th, 2013 | Tags: , , | Category: IT security, Uncategorized | Comments are closed

brain controlled devices

I am interested to new technologies so, when i read about a quadcopter entirely controlled by “brainwaves” i was excited. At this point i “googled” to find other informations. I was thinking that this techology use costly sensors… This was wrong:

There is a guy that wrote an open source software for a “brainwave interface”:
http://daeken.com/2010-09-13_Emokit__Hacking_the_Emotiv_EPOC_Brain-Computer_Interface.html

If you are interested to other open source project on this theme:
http://openeeg.sourceforge.net/doc/sw/

EEG devices for a few Euro… amazing…

June 7th, 2013 | Tags: , , | Category: free software, tech news | Comments are closed

game cheating/process memory hacking

Hi! I like strategy games and on-line games. So i am a fan of WarCommander (a facebook game). In this game a lot of players talks about “cheat” or “hacking” and so on. Two words on this game: it is a flash game, it is a tactical war game, it is multiplayer. So evidently it has a server where the informations related to the players are stored and managed. I am involved in IT security field. So i was really curious about all these “hacking”. I started to search about cheating and i have found two useful tools:

These two tools are both open source….
The first one runs on Microsoft os, and the second one run on linux …
These due programs are much more that simply patch/patcher program… Both of these program are valuable tools for everybody (skilled in the “IT arts”) .
Some features:

  • can “attach” itself to other programs
  • can patch code/data of the selected process
  • can search/show/watch selected memory location/s

The second one can be used with or without gui. So you can make script to automate operations…

Now: what we can do with these tools?

  • games cheating…
  • debugging programs
  • hacking programs

Games Cheating:
The most obvious application for these tools. If you “google” you will find a lot of tutorials on game cheating using scanmem. The most simple is http://eryanbot.com/jtp/2012/06/26/game-hacking-basics-memory-editing-linux/…. If you are going to be a linux game cheater, i suggest to try this program: http://code.google.com/p/scanmem/wiki/GameConqueror… Enjoy your preferred game!

Debugging/Hacking programs:
We have two tools that are both simply to use and very powerful, that consent to us to “attach” to a process (you have to own the proper “rights” to do so…) and then to monitor. show, dump modify both data and code… You can look for a string, or a double value, than set a watch on this/these memory area/s. After that you are sure you can easily test every single branch in you own application, or you can verify that the new application installed on you server have not obvious security hole.
A simple example: do you now that a well-know linux browser store the security certificate in process memory and, retains it, after that you have closed any tab referring to the site that needs the certificate?
I am able to make all of these things using gdb and other tools, but scanmem have really impressed me. It is simple and fast to use…

June 3rd, 2013 | Tags: , , | Category: free software, IT security | Comments are closed
 
  Older Entries »