English - 10

Tobias Scherbaum already blogged this, but only in german, so I'm writing this again for the Planet Gentoo readers.

A german webpage called jugendschutzprogramm.de provides filters for webpages potentially dangerous for children. Now some people noticed that this page considers quite a lot dangerous.

Both gentoo.de and gentoo.org are considered only suitable for people over 14. So if you ever thought about installing Gentoo on the PC of a kid, think again what you might do to that kid.

Beside, my blog is even more dangerous: It's blocked by default.

The page is supported by a couple of companies providing pornographic content. Interesting enough, it's also supported by a big german Newspaper (BILD) that regularly has pornographic images on their frontpage. However, their page is considered harmless.

But what's really frightening is that jugendschutzprogramm.de is part of ICRA, an international system by big content and internet providers. It's even supported by the european union.

Update: Page has XSS, maybe someone wants to play with it?

<form action="http://jugendschutzprogramm.de/webmaster/label-generator.php" method="post">
<input name="URL" value='"><script>alert(1)</script>' type="text">
<input name="submit" type="submit">
</form>

Before I start my review about the movie, I'd like to give some preface about my connection to Star Trek. Although I occasionally watched the series for a long time, I really started getting interested at the worst possible moment - shortly after it was announced that the last series »Enterprise« was stopped (although there were petitions and rallies - I just noted a bit too late to take part).
So with the last series stopped and the last film »Nemesis« being a flop, it was quite unlikely that Star Trek would continue at all in any way. So the only thing left was experiencing the vast majority of past series (which I'd suggest everyone to do - my favorite is Deep Space 9).

So the message that there should be a new film was surprising and promising. Though from the beginning, I was quite sceptical - the concept of a prequel to the original series with new actors for famous roles seemed difficult. It rarely happened in the past that different actors played the same person in the Star Trek universe and it was only the case for side roles (e. g. Ziyal in DS9, Zefram Cochrane in TOS/ST8). But what was even more disturbing was the director J. J. Abrams - with movies like Armageddon I didn't find him very predestined for this job. But as I read some quite positive reviews, I gave the movie a chance and went to the cinema on the first day.

To give a conclusion: I was absolutely right not to expect much from the film. It is a middle-class Hollywood action movie and has just nothing from the Star Trek spirit I liked so much.
The no-gos are countless. I mean, product placement is a pity in films any way, but in a Star Trek movie? And have you ever heard a pop song from the 90s in ST? (Oh, you remember that scene from ST4 in the bus? Has the guy inventing that scene with Kirk in the car ever seen that movie?)
The film introduces lot's of characters from other ST stories without any relation. Soval (was the name even mentioned?) has just nothing of the person known from TOS/TNG. Those Romulans - they look different, their ships look different, there's no connection to any previous Romulan story, it just seems like a randomly picked species name. And the old Spock - yeah, every real Trekkie likes to see Leonard Nimoy is still able to play his role. But if you remember the last time Spock appeared in the ST universe - a plot in TNG with an underground resistance movement on Romulus, where Spock stayed - a quite open end - it's just predestined to continue telling that story. ST11 doesn't do that.
Then there's this thing with the parallel time line - parallel time lines are a common story methodology in Star Trek, so the idea has potential. But it seems it's just there so there's no need to stick with the Star Trek story too much - every mistake can just be explained as something happening in the alternative time line. It didn't really make any sense to me beside that.

Well, maybe the buzz around the movie opens perspectives for new Star Trek material in the future - and hopefully with more talented directors behind the scenes. Till then, I'll watch some episodes of Hidden Frontier.

Update: Only german, but nice review (WOZ).

A common way to check the health state of a hard disk is SMART. It gives various informations about occuring errors. In Linux, there's the smartmontools package containing tools to read SMART data of hard drives (smartctl -a /dev/[hddevice] gives you a bunch of information).

I found it always frustrating that SMART didn't work with USB drives. It's a standard bound to IDE/ATA. Although common USB-drives are internally IDE/SATA, sending the SMART commands to the drive requires proprietary extensions. But now, the smartmontools-developers have included support for some USB drives. It worked with the USB HDs I had available for testing.

There's no release yet containing the USB-support. If you're on Gentoo, you can fetch a live-CVS ebuild here.

In the last weeks, I made a study research project at the EISS at the University of Karlsruhe. The subject was »Session Cookies and SSL«, investigating the problems that arise when trying to secure a web application with HTTPS and using session cookies.

I already wrote about this in the past, presenting vulnerabilities in various web applications.

One of the notable results is probably that ebay has just no measurements against those issues at all, so it's pretty trivial to hijack a session (and use that to do bids and even change the address of the hijacked account).

Download »Session Cookies and SSL« (PDF, 317 KB)

The free software projects for media playing did a good job in the past on supporting a wide variety of formats. From the common to many very obscure formats, current versions of the free software mediaplayers were usually able to play them. Today it's even common to suggest vlc for Windows users if they can't play unusual media formats.

Though there were a few exceptions, the most notable probably the long-time missing support for many of the Real formats. While these are rarely used today, many archived videos in the Internet still rely on it. For example, many german television stations provide real video files on their webpages.

Recently and without much public notion, ffmpeg first got support for RV40, some weeks later also for RV30. This fills a long time gap in free software support for video formats. ffmpeg is used by all major free software video players (vlc, xine, mplayer), so you should get the support within some time in all of them. For now, it's quite easy to checkout mplayer from subversion and build it on your own.

Want something to try out? Here's a video from Desert Planet in real format.

The only gap I know of a format that really got usage in the wild and that is not yet supported by free software is WMA3.

As an FSFE fellow, I got interviewed for their webpage.

You can read it here.

The 0a000h demoparty just started.

If you don't know what a demoparty is, it's kind of a digital art event about programming stuff that has no meaning beside »looking good«. The 0a000h is a small demoscene party where I'm part of the organizing.

Pictures here.

Just saw yesterday that there were advertisements for the new Ubuntu 8.10 release (two days ago) in the subway of Berlin.

Quite cool, they also were advertising for the Ubuntu release party in the C-Base tonight (though I'm no longer in Berlin at the moment).

I just arrived on the Alternative Party in Helsinki. The AltParty is a demoscene party in Finland and it's kind of the smaller splitoff from the Assembly. I was on the Assembly some times in the past.

By saying small, I must say that the AltParty still has about 1000 visitors.

I haven't visited any demoparties for quite a long time and thought it'd be time again as I'm currently involved in the organization of the 0a000h, which will happen again in december.

More pictures and reports will follow.

In a few days, on 11th October, there will be an international day of action against the growing surveillance.

Starting with 2009, the data retention law will become duty for everyone, also for internet providers (eMail, Dialup). The german constitutional court still has a big complaint running. It's important to set a sign now.

The main demonstration will be in Berlin, 14:00 at the Alexanderplatz.

freedom-not-fear.eu

Recently there were some News that Lenovo does not like Linux any more. This was supported by comments like this at Lenovoblogs (by a Lenovo engineer):

»Again, what’s the incentive for us to start providing all of this intellectual property for free to the Linux community? You may say it drives support for Linux on ThinkPads and people would buy more ThinkPads as a result. I think that’s a dubious assertion at best.«
(the subject was driver support for switchable graphics on modern thinkpads and brings up some common urban legends about linux and driver support)

Sadly, I experienced one more place where Lenovo seems to shift away from a Linux friendly viewpoint: I tried to return the windows license of my new Thinkpad with a pre-made form by Lenovo itself (I got this from someone else by eMail, not from Lenovo directly). In the net, you can find tons of reports that it was easy for people to get money back for their windows licenses by Lenovo.

Though what I got was this:
»Leider können wir Ihrem Wunsch nach Rückerstattung der Kosten für das auf Ihrem Lenovo Produkt vorinstallierte Microsoft-Betriebssystem nicht entsprechen, da das Betriebssystem aus unserer Sicht einen integralen Bestandteil des jeweiligen Lenovo Produkts darstellt.«
(rough translation: We won't refund your windows-license, because we think it's an integral part of the product)

I find it hard to understand why Lenovo makes this shift. When running around on linux conferences in recent months, the number of thinkpads is hughe. While many other vendors shift to a much more free software friendly behaviour (think of AMD/ATI), Lenovo seems to go the different direction. It's especially strange because Lenovo is probably one of the few vendors that has a notable market share in the linux community.

By the way, I welcome any hints how I should continue with the windows refunding. I'd prefer not to capitulate yet (like I did with my last laptop by Samsung), and I assume the law is clearly on my side.

Update: As some of you asked, here is the form by Lenovo, though you'll probably just get the same reply I got.

Probably interesting, here you can find all EULAs from Microsoft. They are quite clear on the subject and say that you MUST return the windows license to the vendor if you don't agree to the EULA.

In the meantime, I wrote several messages about the issue to various people and instutitions. The FSFE is also working on the subject.

Recently, two publications raised awareness of a problem with ssl secured websites.

If a website is configured to always forward traffic to ssl, one would assume that all traffic is safe and nothing can be sniffed. Though, if one is able to sniff network traffic and also has the ability to forward the victim to a crafted site (which can, e. g., be just sending him some »hey, read this, interesting text« message), he can then force the victim to open a http-connection. If the cookie has not set the secured flag, the attacker can sniff the cookie and take over the session of the user (assuming it's using some kind of cookie-based session, which is pretty standard on today's webapps).

The solution to this is that a webapp should always check if the connection is ssl and set the secured flag accordingly. For PHP, this could be something like this:

if ($_SERVER['HTTPS']) session_set_cookie_params( 0, '/', '', true, true );

I've recently investigated all web applications I'm using myself and reported the issue (Mantis / CVE-2008-3102, Drupal / CVE-2008-3661, Gallery / CVE-2008-3662, Squirrelmail / CVE-2008-3663). I have some more pending I want to investigate further.

I call security researchers to add this issue to their list of common things one has to look after. I find the firefox-extension CookieMonster very useful for this.

The result of my reports was quite mixed. While the gallery team took the issue very serious (and even payed me a bounty for my report, many thanks for that), the drupal team thinks there is no issue and did nothing. The others have not released updates yet, but fixed the issue in their code.

And for a final word, I want to share a mail with you I got after posting the gallery issue to full disclosure:
for fuck's sake dude! half of the planet, military, government, financial sites suffer from this and the best you could come up with is a fucking photo album no one uses! do everybody a favor and die you lame fuck!

If you didn't know it, today is Software Freedom Day.

Just noticed that, when you surf to http://cgi.softwarefreedomday.org/map.shtml to look if there's something happening around you on SFD, you'll get a proprietary google map.

It seems that the organizers of the SFD can't look beyond one's own nose. I often saw this behaviour in parts of the free software movement (being ignorant about proprietary stuff if it's not software), but found this example especially frightening, as we have a well working alternative.

Today my new IBM/Lenovo Thinkpad T61 8895WFJ laptop arrived. While my P30 did a good job, it really was time to replace it.

I'm currently in the phase of installing Gentoo and getting used to the device, but I think it was a very good choice.

Beside the fact that Lenovos are probably popular for a reason, the 1400x1050-resolution, the well Linux-supported Intel-graphics and a quite acceptable weight (2,4 kg) were reasons for this model. I'm still in favour of 4:3 screens, because if you wanna have a 16:10 one with a decent resolution (e. g. > 1000 pixels height) they become either very expensive or very heavy. I still wonder why no vendor seems to produce 4:3 screens any more (from my research, not a single Montevina laptop has 4:3).

Some time soon you'll probably find some documentation about Linux on the T61 8895WFJ at http://www.int21.de/t61/.

I recently played around with the possibilities of fuzzing. It's a simple way to find bugs in applications.

What you do: You have some application that parses some kind of file format. You create lots (thousands) of files which have small errors. The simplest approach is to just change random bits. If the app crashes, you've found a bug, it's quite likely that it's a security relevant one. This is especially crucial for apps like mail scanners (antivirus), but pretty much works for every app that parses foreign input. It works especially well on uncommon file formats, because their code is often not well maintained.

My fuzzing tool of choice is zzuf.

I am impressed and a bit shocked how easy it is to find crashers and potential overflows in common, security relevant applications. My last discovery was a crasher in the chm parser of clamav.