2010-04-27

Free OpenBSD shell accounts at devio.us

The nice guys at devio.us are offering free (or cheap premium) shell accounts on OpenBSD servers.

Free Linux shells are everywhere, but I haven't seen OpenBSD shell accounts offered, at least for free, in recent memory. I manage an OpenBSD shell/tunneling/irc/whatever server for members of CCCKC, but it's not "free" so much as it's one of the many benefits and shared resources that come with being a paid member of our hackerspace.

Their policy is pretty straightforward. If you pay $2 or $3 per month, you get a premium account that allows you to background a couple of processes, gives you a larger file quota, and lets you create more databases. Regular accounts may not background processes or leave a detached screen running after logging off, get only one MySQL database, and have 100MB of storage space. Oh heck, just grok the services page.

In the FAQ, the devio.us team says they're OpenBSD advocates. That makes them cool in my book. Be sure to check out their manifesto, as well.

2010-04-19

Book Review: For The Win

I was excited to be able to do an official HiR book review, especially for an internationally acclaimed author. Really, I was happy to read a thick tome of investigation into the social interactions of modern teenagers and the digital economy. Cory Doctorow has skills as an author that I enjoy, especially his ability to take concepts and events of real life, shake them up into a story and present us with a very plausible near future, à la Little Brother.


For The Win began in just such a fashion and I worked my way through the nearly 500 page volume in under a week. Well researched, check. Developed characters with believable interactions, check. Locations, real and virtual, check and check. An interesting story line and plot, well, sorta check. You see, For The Win fell apart for me because I couldn't get into the importance of the overall plot. Unionizing the distributed workers of virtual worlds through the virtual world is a great concept, but I just couldn't make it work out in my head. Maybe it's because I am beyond the idealistic stage that the book targets in its YA market. Maybe my very centrist politics couldn't be suspended in disbelief enough to get into that aspect of the story.

In my view Doctorow wrote the story from the angle that oppressed workers need a union to emerge from under the thumb of their oppressors. I can agree with that, to a point - the "need" point. Doctorow danced with the issue in the plot, trying to make the hierarchy of the unions into a community-driven grass-roots effort, and I've spent time since finishing the book contemplating whether the SPOILER ALERT!!!!!111!!!one1!! failure of the union effort was an example of the failure of such an organisation, or whether it was merely an attempt to provoke thought as to how the idea of a union needs updating for a modern hyper-communication-driven society by showing a possible mode of failure.

I finished the book with a profound sense of meh. And I didn't want to. In the end I felt the story ran a good 200 pages longer than it needed to, even though the book didn't feel padded. The story just seemed that it could fit into the confines of a shorter book and be even more thought-provoking and relevant to a YA reader. Having been a young reader back in my, well, younger, days, I know just the size of this novel would have been off-putting for many. I know a good number of young readers can handle novels of this length, but there is always that nag in the back of a teenage mind that there is something important that might take precedence over knocking out hundreds of pages. I can easily see the novel being applied to a political or economic theory course, and can hear the groans of much of the class as the instructor hands out stacks of thick paperbacks.

2010-04-09

Clever phishing attempt

My phone just rang. It was a call from +1-817-688-7853. The other end was an Interactive Voice Response script.


Me: "Hello?"

IVR: "Hello. For security purposes, your Visa debit card has been deactivated for debit and ATM use..."

My first reaction was "oh, great. Somewhere, someone got my details..."

I listened through the prompts, and there was no option to speak to a real human. I tried "0", "*" and "#" multiple times, to no avail; it just kept playing the short prompt menu over and over again. Suspecting a ruse, I chose option 1, to "re-activate" my card. On cue, it asked me for my 16-digit card number, followed by #. I entered "00#", figuring it would error out, but it asked me if that was correct. It prompted me for my expiration date (0000) and CVV code (000) as well. Then it came back:

IVR: "Thank you. Your Visa card has been re-activated. Goodbye."

Me: "F*** you." *click*

Calling the number back got me some boilerplate error message.

Be careful out there, folks. Banks will deactivate your card if they suspect it has been compromised, but they will not let you reactivate it over the phone like this, least of all through an automated IVR that asks for the full card number, expiration date and CVV. Typically, they issue you a new card, sometimes with the exact same account number and expiration date, but with a different CVV code.
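What gave the IVR away, beyond the fact that a bank would never run this flow, is that it accepted "00#" as a 16-digit card number. A legitimate system checks length and the Luhn checksum before it does anything else. The following is an added example (not code from the original post) of the input validation a real card IVR would apply to the three values the scam prompted for; the test values are constructed, and 4111111111111111 is the well-known Visa test number, not a real account.

```python
# Added example: the sanity checks a legitimate card IVR performs on keyed input.
# The scam system above skipped all of them and accepted "00#", "0000" and "000".


def luhn_valid(digits):
    """Luhn (ISO/IEC 7812 mod-10) checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(entry):
    """Accept an IVR entry ('digits#') only if it could be a real card number."""
    digits = entry.rstrip("#")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False                    # "00#" is rejected here, on length alone
    if len(set(digits)) == 1:
        return False                    # 0000000000000000 passes Luhn but is not a card number
    return luhn_valid(digits)


def plausible_expiry(entry):
    """MMYY as keyed on the phone: the month must be 01-12, so '0000' is rejected."""
    digits = entry.rstrip("#")
    return len(digits) == 4 and digits.isdigit() and 1 <= int(digits[:2]) <= 12


def plausible_cvv(entry):
    """Three digits for a Visa card. '000' is a legal CVV, so this check alone
    cannot distinguish a probe from a genuine entry; only the PAN and expiry can."""
    digits = entry.rstrip("#")
    return len(digits) == 3 and digits.isdigit()


if __name__ == "__main__":
    # Constructed inputs: what the author keyed, the Visa test number, and a near miss.
    for pan in ("00#", "4111111111111111#", "4111111111111112#", "0000000000000000#"):
        print(pan, "accepted" if plausible_pan(pan) else "rejected")
    print("expiry 0000", "accepted" if plausible_expiry("0000") else "rejected")
```

Note that the CVV check is the weak link: "000" really is a valid CVV, which is why a fraud IVR can only be caught on the card number and expiry, or by the fact that no bank collects all three over an unsolicited call in the first place.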

2010-04-06

Is Firefox shipping with a Rogue SSL CA?

This discussion came across my radar this morning via Hacker News.


Details are still being hashed out, but the fact remains that there is a root CA certificate shipping with Firefox that no one can account for. I recommend removing "RSA Security 1024 V3", but not "RSA Security 2048 V3" (which does show up in RSA's Audit Statement [PDF warning]).

Hopefully, this is just one that's fallen into disuse over the last 8 years, and not a case where someone slipped a CA into the distribution and attempted to camouflage it by making it look similar to an existing CA.
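The question here is really two questions: is the root accounted for, and is it strong enough to still be trusted. The first needs a human (see the update below); the second can be checked mechanically by walking every certificate in the store and reading the RSA modulus size. The following is an added example, not code from the original post or from Mozilla: a minimal DER reader with no external libraries that pulls the subject commonName and RSA modulus length out of an X.509 certificate and flags anything under a threshold. The two sample certificates are constructed inside the block (unsigned, with a placeholder modulus of the requested size); they are not the real RSA Security roots, and the names are reused only so the output reads like the case above.

```python
# Added example: flag weak RSA roots in a DER certificate store with a minimal ASN.1 reader.

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")   # 1.2.840.113549.1.1.5
OID_COMMON_NAME = bytes.fromhex("550403")                 # 2.5.4.3


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed element's body into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def tbs_fields(der):
    """Children of tbsCertificate with the optional [0] version dropped, so the
    indices are stable: serial, sigAlg, issuer, validity, subject, spki, ..."""
    _, cert_body, _ = read_tlv(der)
    fields = children(children(cert_body)[0][1])
    return fields[1:] if fields[0][0] == 0xA0 else fields


def subject_cn(der):
    """commonName from the subject Name, or None if there is none."""
    for _, rdn in children(tbs_fields(der)[4][1]):      # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return None


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus, or None if the key algorithm is not rsaEncryption."""
    (_, alg), (_, bit_string) = children(tbs_fields(der)[5][1])
    if children(alg)[0][1] != OID_RSA_ENCRYPTION:
        return None
    _, rsa_key = children(bit_string[1:])[0]           # [1:] skips the BIT STRING unused-bits octet
    (_, modulus), _ = children(rsa_key)                # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


def audit_roots(store, min_bits=2048):
    """Return [(commonName, bits)] for every RSA certificate weaker than min_bits."""
    weak = []
    for der in store:
        bits = rsa_modulus_bits(der)
        if bits is not None and bits < min_bits:
            weak.append((subject_cn(der), bits))
    return weak


# --- tiny DER encoder, used only to construct the demonstration certificates ---

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def seq(*parts):
    return tlv(0x30, b"".join(parts))


def integer(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive


def make_dummy_cert(cn, modulus_bits):
    """Constructed, unsigned self-issued certificate. The modulus is a placeholder
    number of the requested size (NOT a real key) and the signature is all zeros."""
    rsa_key = seq(integer((1 << (modulus_bits - 1)) | 1), integer(65537))
    spki = seq(seq(tlv(0x06, OID_RSA_ENCRYPTION), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + rsa_key))
    name = seq(tlv(0x31, seq(tlv(0x06, OID_COMMON_NAME), tlv(0x13, cn.encode("ascii")))))
    validity = seq(tlv(0x17, b"100101000000Z"), tlv(0x17, b"200101000000Z"))
    sig_alg = seq(tlv(0x06, OID_SHA1_WITH_RSA), tlv(0x05, b""))
    tbs = seq(tlv(0xA0, integer(2)), integer(1), sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    store = [make_dummy_cert("RSA Security 1024 V3", 1024),
             make_dummy_cert("RSA Security 2048 V3", 2048)]
    for cn, bits in audit_roots(store):
        print(f"weak root: {cn} ({bits}-bit RSA)")
```

To run this against a real store, feed `audit_roots` the DER bytes of each root (for example, every file under a system CA directory after converting PEM to DER). Bear in mind that the roots Firefox ships with live in NSS's built-in module rather than in your profile's database, so "removing" one in the certificate manager marks it untrusted rather than deleting it, which is enough for the purpose here.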


Update from Kathleen Wilson (thanks to gregms):

I have received email from official representatives of RSA confirming that RSA did indeed create the "RSA Security 1024 V3" root certificate that is currently included in NSS (Netscape/Mozilla) and also in Apple's root cert store.

2010-04-02

OpenBSD Patch-O-Rama

March was a relatively heavy month for OpenBSD's errata page. On the 12th, patches were released for OpenSSL and ftpd. Then, on the 31st, another one for Kerberos.

While the somewhat arduous patching process on OpenBSD is one of my few complaints, it's a relatively infrequent affair.

Download the entire patch set (001 - 008) here.

Also, it appears that the most recent Kerberos patch will need to be applied to your brand new OpenBSD 4.7 install, which is due to be released on May 19th, 2010. I guess the ISOs have already made their way to press.