ACTA on the edge in Europe? Poland suspends ratification, Greece gets hacked

Anger at last month’s decision by the European Union and 22 of its member states to sign the Anti-Counterfeiting Trade Agreement (ACTA) has led to widespread protests, hacked Web sites, and legislators backing away from the treaty.

The anti-ACTA protests that saw Polish politicians don Guy Fawkes masks in parliament have borne fruit. After experiencing a considerable backlash in Poland, Prime Minister Donald Tusk has suspended ratification of the controversial agreement, acknowledging that the consultation surrounding it was inadequate and that he approached it from a “20th century perspective.”


Error'd: amp, #039 and a0B30000004la04EAA&

"I saw this on my way home from work," Daniel Moore writes, "thank goodness CVS is doing something about Maryland's crippling shortage of whooping cough!"


"While trying to learn Open Bravo," writes Otmane Malih, "I learned that there are countries I've never heard of."


"My university has a site license of Mathematica for all Mathematics and Physics students," Simon Hollingshead wrote, "when trying to view some information about the license key, I got this message. Not to worry, it can go in my binder named 'Error messages from various websites'."


"Woah, bad password," wrote Micah, "that's cool man."


"Now that's a lot of readme," writes Frank de Weger.


"I was filling out a satisfaction survey after buying a new car," writes Jeremy Hutchinson, "even the optional questions required an answer."


"This is from a well-known vendor of libraries," writes Adrian Edmonds, "what to do next is a bit of a puzzle."


"This Mongolian ATM had a rather unique way to notify that it could not print a receipt," writes Matthew Asquith.


Antonio Terceiro: A visual cheat sheet for ANSI color codes

Now and then I want to output some ANSI color escape codes from software I write, and I always end up doing some trial-and-error to figure out the exact codes I want. Sometimes it’s overkill to add a dependency on an existing library that already deals with it, or the language I am using does not have one.

There are a lot of listings of the ANSI color codes out there, but I couldn’t find one that matches the actual codes with the resulting effect in a visual way. Even the Wikipedia article has a colored table with the actual colors, but I have to lookup manually which code combination produces which color.

So I spent a few minutes to write a shell script that prints all useful combinations, formatted with themselves. This way I can quickly figure out which exact code I want to achieve the desired effect.

The code for now is very simple:

  #!/bin/sh -e
  # attr 0 = normal, 1 = bold; fg 30-37; bg 40-47. Each cell prints its own
  # code triple in that style, then resets with ESC[m (printf is portable).
  for attr in $(seq 0 1); do
    for fg in $(seq 30 37); do
      for bg in $(seq 40 47); do
        printf '\033[%s;%s;%sm%s;%s;%s\033[m ' "$attr" "$bg" "$fg" "$attr" "$fg" "$bg"
      done
      echo  # new row per foreground colour
    done
  done
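The same cheat sheet in Python, as an added example that is not part of the original post: it builds the SGR sequences the script prints and also decodes a sequence back into a readable description, which is the lookup the post says is missing from the usual listings. The names and helper functions are my own.

```python
"""Build and decode the ANSI SGR sequences (ESC[attr;bg;fgm) used in the
cheat sheet above.  Added example, not code from the original post."""
import re

ESC = "\033"
COLOR_NAMES = ["black", "red", "green", "yellow", "blue", "magenta", "cyan", "white"]
ATTR_NAMES = {0: "normal", 1: "bold"}


def sgr(attr, fg, bg):
    """Return the escape sequence in the order the shell script emits it."""
    return "%s[%d;%d;%dm" % (ESC, attr, bg, fg)


def describe(seq):
    """Decode an SGR sequence, e.g. '\\033[1;44;31m' -> 'bold red on blue'.
    Only the attributes/colours the cheat sheet covers are understood."""
    m = re.fullmatch(r"\x1b\[([0-9;]*)m", seq)
    if not m:
        raise ValueError("not an SGR sequence: %r" % seq)
    attr, fg, bg = "normal", None, None
    for code in (int(p) for p in m.group(1).split(";") if p):
        if code in ATTR_NAMES:
            attr = ATTR_NAMES[code]
        elif 30 <= code <= 37:
            fg = COLOR_NAMES[code - 30]
        elif 40 <= code <= 47:
            bg = COLOR_NAMES[code - 40]
    words = [] if attr == "normal" else [attr]
    words.append(fg or "default")
    if bg:
        words.append("on " + bg)
    return " ".join(words)


def cheat_sheet():
    """Return the table rows: every cell is its own code triple rendered in
    that style and followed by a reset, one row per (attr, fg) pair."""
    rows = []
    for attr in (0, 1):
        for fg in range(30, 38):
            rows.append("".join("%s%d;%d;%d%s[m " % (sgr(attr, fg, bg), attr, fg, bg, ESC)
                                for bg in range(40, 48)))
    return rows


if __name__ == "__main__":
    print("\n".join(cheat_sheet()))
```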

Is there a package in Debian that already does that? Would people find it useful to have this packaged?

update: it turns out you can find some similar stuff on google images. It was a quick and fun hack, though.

Error’d: 19999 Below

"Mac OS X has an odd definition of gigabyte," writes Kevin Kelly.


"I saw this when on holiday to Barcelona," writes Greig Hamilton, "it was a huge screen on La Rambla, the busiest street in Barcelona."


Drake wonders, "just what would I be saying 'Yes' or 'No' to?"


"Well, apparently it actually is possible to get colder than 0 Kelvin," writes Dorian H, "and of course I'm right there."


"In the end," Mark wrote, "I just ended up spelling out 'thirteen'."


Bryan Scott writes, "at least it doesn't charge me when they give me thanks for choosing Dell."


"I tried to resolve a simple bug submitted to our tracker," writes Michael, "and it clearly didn't appreciate the ease with which this bug was quashed."


Uwe Hermann: HOWTO: Using OpenVPN on Debian GNU/Linux

Here’s a quick HOWTO for setting up an OpenVPN server and client on any (Debian, in this case) Linux machine of your choice. I’m running an OpenVPN server on a box at home, and a client on my laptop, so I can securely route all my laptop traffic through my OpenVPN server, no matter where I am.

I highly recommend reading the official OpenVPN HOWTO from top to bottom, at least once. But here’s a short, condensed HOWTO (specifically geared towards my needs, yours might be different):

On the server:

Install OpenVPN (apt-get install openvpn), then copy the “easy-rsa” files to /etc/openvpn/easy-rsa from where we’ll use them to create our keys and certificates:

  $ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
  $ cd /etc/openvpn/easy-rsa

In the vars file change the KEY_SIZE variable from 1024 to 4096 for good measure:

  export KEY_SIZE=4096

Then, read in the vars file, clean old keys and certificates (if any) and create new ones:

  $ . ./vars
  $ ./clean-all
  $ ./build-ca

You’ll now have the chance to enter some data such as country code (e.g. “DE”), state/province, locality, organization name, organizational unit name, common name, name, and email address. The values you choose don’t really matter much (except for commonName, maybe, which could be your hostname or domain or such). Finally, the ca.key (root CA key) and ca.crt (root CA certificate) files will be created.

Next, we’ll create the server key:

  $ ./build-key-server server

You’ll have to enter lots of info again (see above), commonName could be “server” or such this time. Upon “Sign the certificate? [y/n]” say y, as well as upon “1 out of 1 certificate requests certified, commit? [y/n]”. Finally, the server.key and server.crt files will be created.

Same procedure for creating a client key (I used “client1” as filename and commonName here):

  $ ./build-key client1

Next up we’ll generate Diffie Hellman parameters (this will take a shitload of time due to keysize=4096, go drink some coffee):

  $ ./build-dh

When this step is done, you’ll have a dh4096.pem file.

As we want to use OpenVPN’s “tls-auth” feature for perfect forward secrecy (it “adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification”), we’ll have to generate a shared secret:

  $ openvpn --genkey --secret ta.key
  $ mv ta.key keys

So much for creating keys. Now, we’ll have to configure OpenVPN. Copy the default server config file and edit it:

  $ cd /etc/openvpn
  $ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
  $ gunzip server.conf.gz

The most important change in my setup is that I use port 443/TCP instead of the usual OpenVPN default of 1194/UDP. This increases the chances that you’ll be able to use OpenVPN in almost all places, even in environments which firewall/block lots of stuff. Port 443/TCP (for https) will almost always be usable. I also uncommented the following line, which tells the client to use the VPN interface (usually tun0) per default, so that all the client’s traffic (web browsing, DNS, and so on) goes over the VPN:

  push "redirect-gateway def1 bypass-dhcp"

Here’s my server config file (comments and commented out lines stripped):

  port 443
  proto tcp
  dev tun
  ca /etc/openvpn/easy-rsa/keys/ca.crt
  cert /etc/openvpn/easy-rsa/keys/server.crt
  key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
  dh /etc/openvpn/easy-rsa/keys/dh4096.pem
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway def1 bypass-dhcp"
  keepalive 10 120
  tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
  user nobody
  group nogroup
  status openvpn-status.log
  log-append openvpn.log
  verb 3

You can now start the OpenVPN server, e.g. via

  $ /etc/init.d/openvpn restart

Server firewall setup/changes:

I’m running a custom iptables script on pretty much all of my boxes. Here are the relevant changes needed to allow the OpenVPN server to work properly. Basically, you need to enable IP forwarding, accept/forward tun0 traffic and set up masquerading (change “eth0” below, if needed):

  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t nat -F POSTROUTING
  iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

My firewall script gets run upon every reboot. If you don’t use such a script, you could add the above stuff to your /etc/rc.local file.

On the client:

Install OpenVPN (apt-get install openvpn), then copy the default client config file and edit it:

  $ cd /etc/openvpn
  $ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .

Change the parameters to match the server config (port 443/TCP, and so on) and use “tls-auth /etc/openvpn/ta.key 1” (note the “1” on the client, and the “0” on the server!). Replace with the public IP address of your OpenVPN server. If it doesn’t have a public, static IP address already, you can use services such as DynDNS, or (my preferred method), my ssh-based DIY poor man’s dynamic DNS setup.

Here’s my full client config:

  dev tun
  proto tcp
  remote 443
  resolv-retry infinite
  user nobody
  group nogroup
  ca /etc/openvpn/ca.crt
  cert /etc/openvpn/client1.crt
  key /etc/openvpn/client1.key
  ns-cert-type server
  tls-auth /etc/openvpn/ta.key 1
  verb 3

Now you only need to copy the required certificates and keys to the client (into /etc/openvpn): ca.crt, and ta.key. Do not copy the other, server-specific private keys and such to the client(s)! Also, the root CA key (ca.key) should not even be left on the server, but rather moved to some offline storage/box, so that it cannot fall into the wrong hands, e.g. in the case of a server compromise.

I prefer to manually start the client on my laptop when needed, so I use AUTOSTART="none" in /etc/openvpn/../default/openvpn (that is, /etc/default/openvpn) and then start the client via:

  $ openvpn /etc/openvpn/client.conf

That’s it. Comments and suggestions for improving the setup and/or the security aspects of it are highly welcome!
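A small consistency check for the server/client pair set up above, as an added example that is not part of the HOWTO: it parses both config files and flags the mismatches the text warns about (tls-auth direction 0 on the server and 1 on the client, matching proto and port, and the client pinning the server certificate type). The config strings are constructed copies of the ones in the post with the elided host filled in by a placeholder; the function names are my own.

```python
"""Check that an OpenVPN client config is consistent with its server config.
Added example, not part of the original HOWTO."""

# Constructed copies of the configs above; vpn.example.org is a placeholder
# for the server address the post leaves blank.
SERVER_CONF = """\
port 443
proto tcp
dev tun
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
"""

CLIENT_CONF = """\
dev tun
proto tcp
remote vpn.example.org 443
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
"""


def parse_conf(text):
    """Return {directive: [args]}; '#' trailing comments and ';' lines dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def key_direction(conf):
    """tls-auth takes '<file> <direction>'; return the direction or None."""
    args = conf.get("tls-auth", [])
    return args[1] if len(args) > 1 else None


def check_pair(server_text, client_text):
    """Return a list of problems (empty list means the pair is consistent)."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if key_direction(srv) != "0" or key_direction(cli) != "1":
        problems.append("tls-auth key direction must be 0 on server and 1 on client")
    if srv.get("proto", ["udp"]) != cli.get("proto", ["udp"]):
        problems.append("proto mismatch between server and client")
    srv_port = srv.get("port", ["1194"])[0]          # OpenVPN default port
    remote = cli.get("remote", [])
    cli_port = remote[1] if len(remote) > 1 else "1194"
    if srv_port != cli_port:
        problems.append("port mismatch: server %s, client %s" % (srv_port, cli_port))
    # ns-cert-type server (or its successor remote-cert-tls server) stops a
    # client cert signed by the same CA from impersonating the server.
    if "ns-cert-type" not in cli and "remote-cert-tls" not in cli:
        problems.append("client does not verify the server certificate type")
    return problems
```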

Exploiting a SQL injection with no effort at all

If you like to eat SQL injections for breakfast, here is a little tool that will let you test your site to see whether it is vulnerable.

That tool is The Mole. It is entirely command line, for the beardy types, and starting from a URL containing a valid character string it simply lets you see whether SQL can be injected into it.

It is handy, because it is fully automatic and it handles MySQL, SQL Server, Postgres and Oracle equally well.

The Mole can be downloaded here, and to learn how to use it there is a very good tutorial here.

Use it on your own machine, because on other people's machines it is illegal.