cYpherpunK.at

encrypt – protect – private – information

Smrender Presented at the Linuxwochen Vienna —

Originally, I intended to give this posting the title “Anything that can go wrong…” but I decided that Smrender and my talk are more important than Murphy’s law. But stay tuned! You will read what happened.

Yesterday I gave a talk about Smrender at the Linuxwochen 2012 in Vienna. Three things happened for the first time. First, it was my first time at the FH Technikum Wien. Second, it was the first public talk about Smrender. And third, I had some trouble with Smrender during my talk which I never had before.

Regarding the university, in my opinion the arrangement of the student cafeteria is much better than at the FH St. Pölten. It is much more student-like and they even sell draft beer :-) But there’s a big disadvantage: they do not sell Club Mate!

Outline of the Talk

I started the talk with an introduction of myself and my motivation for creating this new OSM rendering engine. I am a software developer, yacht sailing trainer and instructor, and contributor to several open source projects, thus it is obvious that I am interested in computer aided marine mapping.

I quickly presented the OpenSeamap project, its goals and features.

The main advantage of Smrender is its ability to produce charts suitable for print-out. Furthermore it supports a flexible ruleset and several specific match operations. Additionally, Smrender supports a set of special features such as auto-rotation of captions and images, area-dependent caption sizes, closing of open polylines, polyline refinement, and many more.

Finally I described some internal details about memory structures, iterative rule processing, and so on.

Live Demonstration

Directly after the talk I intended to give a quick live demonstration of running Smrender. I am a practiced speaker, hence I had everything prepared beforehand. I gave some explanations of the command line arguments and ran the program. Everything looked fine and then suddenly the program got stuck with the CPU running at 100%. This never happened before. I’m serious. I terminated and restarted it and it successfully finished its run.

Debugging

Of course, I could not simply ignore the fact that my program got stuck in an endless loop. But how to find such a bug? The debug output during the lecture showed that it got stuck somewhere in a function of libsmfilter. I tried to reproduce it and started it over and over again. After about the 15th time it got stuck again at exactly the same position. I attached gdb to the running process and retrieved a stack trace ;-) The following shows a snippet of it.

#0  __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:1081
#1  0x00007f24366bc78f in vsector (o=0x30a46c0) at libsmfilter.c:273
#2  0x000000000040d9e5 in traverse (p=0x2dc5c70, rd=0x6154a0, dhandler=0x40d550 <apply_rules0>, idx=<optimized out>, d=16, nt=0x30a6d20) at smrender.c:353

It seems to loop in __memcpy_ssse3(), which is a function somewhere in libc. Stack frame #1 shows that this function was called in line 273 of libsmfilter.c, which is a call to memcpy(). I had a closer look and it turned out that I misused the function because I copied an overlapping memory area. The man page is completely clear on that point: “The memory areas must not overlap.” Actually, I knew that, of course. Nevertheless, I illegally used memcpy() instead of memmove(), although I do not know why. Probably, I partially rewrote that part of the code and the memory areas did not overlap in an earlier version. After replacing the function, the failure did not occur any more.
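The fix described above, sketched as an added example (this is not code from libsmfilter; remove_at(), regions_overlap() and checked_memcpy() are hypothetical names): shifting data within one buffer is an overlapping copy and needs memmove(), and a small wrapper can reject overlapping memcpy() calls during testing instead of running into undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if [a, a+n) and [b, b+n) share at least one byte.
 * Comparing addresses as integers assumes a flat address space,
 * which holds on Linux/x86_64. */
static int regions_overlap(const void *a, const void *b, size_t n)
{
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;

    if (n == 0)
        return 0;
    return pa < pb ? (pb - pa) < n : (pa - pb) < n;
}

/* memcpy() wrapper for test builds: refuses overlapping arguments
 * (returns -1) instead of invoking undefined behaviour. */
static int checked_memcpy(void *dst, const void *src, size_t n)
{
    if (regions_overlap(dst, src, n))
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Remove element idx from an array of cnt ints by moving the tail down.
 * Source and destination overlap as soon as more than one element
 * follows idx, so memmove() is the only correct choice here. */
static size_t remove_at(int *arr, size_t cnt, size_t idx)
{
    if (idx >= cnt)
        return cnt;
    memmove(&arr[idx], &arr[idx + 1], (cnt - idx - 1) * sizeof(*arr));
    return cnt - 1;
}

int main(void)
{
    int a[6] = { 0, 1, 2, 3, 4, 5 };   /* constructed sample data */
    size_t n = remove_at(a, 6, 1);

    printf("%zu elements left, a[1] = %d\n", n, a[1]);
    /* The same shift expressed with memcpy() is rejected by the wrapper. */
    printf("checked_memcpy on overlap: %d\n",
           checked_memcpy(&a[0], &a[1], 3 * sizeof(int)));
    return 0;
}
```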

But there is still one question left: why did this never ever happen before?

Some time ago I upgraded my system from Debian Squeeze (stable) to Wheezy (sid). The big differences with respect to development are the new Linux kernel (2.6.32 -> 3.2.0), a new version of libc (2.11 -> 2.13), and a much newer version of gcc (4.4 -> 4.6). Most probably there was an essential change in libc.

Another question is: why did it happen just sometimes and not always?

I do not know but I guess it is a result of moving stack positions. The absolute address of the stack changes in contrast to most other memory locations if you rerun a program.

Lessons learned: even the best programmer may fail ;)

 


Debian Wheezy on Acer Aspire One Happy —

A few days ago I successfully installed Debian Wheezy 64 bit (currently sid) on an Acer Aspire One Happy notebook. Most of the built-in hardware seems to work out of the box. Display, touchpad, sound, and webcam work. Only the SD card reader is unable to read my SD cards. This seems to be related to the kernel (3.2.0-2-amd64) and not the notebook because I can reproduce the same effect on a completely different system.

Running the installer itself was a little bit tricky. I tried to boot the netinst image from a USB stick, which usually works without any trouble. For whatever reason the installer froze immediately after displaying the boot screen. Unfortunately, I was unable to find the bug.

The notebook came with Windows 7 installed. Thus, I then ran the Debian setup.exe of the netinst image within Windows, which installs a new boot loader and some parts of the installer. After reboot the installer came up fine. Probably it is a BIOS issue that it does not properly boot from USB directly.

During the setup it was necessary to provide the firmware files for the Wifi and the Ethernet adapter. All images and the firmware packages are found on the Debian installer page.

 


A not so trivial IPv6 tunnel setup —

History and blahblah

I have been dealing with IPv6 for several years. To be more exact, since about 2007 when we started to talk about the DNS-leak-problem of Tor. At the end of 2008 we came up with Onioncat at the 25C3. Although it did not solve the original problem it still is a cool VPN solution and (much more important within this context) it natively supports IPv6 (and IPv4 is just an add-on).

Of course I knew about IPv6 before. It was the kind of knowledge that most people share: it is some kind of new version of IP but basically it behaves the same. But since I intended to write code which creates L3 IPv6 packets and L2 frames I had to delve into details.

However, this is not the story I’m going to tell you. Nevertheless, I then decided to get connectivity to the IPv6 Internet. Unfortunately, there was and still is virtually no ISP in Austria (except ACO Net) which provides IPv6 but luckily there is such a thing as IPv6 tunnel brokers.

Configuration

In the following I describe a not so trivial IPv6 setup which means it is not just a tunnel and an Ethernet at its end. In this case I have various OSs, firewalls, NAT, remote locations, and VPNs.

Before I start I would like to explain the general network setup. Have a look at the network map. The cloud on the left top is the IPv4-based Internet. There is one central location connected through the OpenBSD firewall G and a remote location connected through the DSL router J. Behind both devices there are private RFC1918 networks and everything is set up correctly to allow the hosts behind them to access the Internet. At the central location there is a FreeBSD server (F) which terminates the tunnels and a Cisco router (I) which connects other networks. At the remote location there is the Linux server E.

The external IP address of G is 203.18.10.17 [1], the IP address of the central server F is 192.168.10.10, and the IP address of the central router I is 192.168.10.5.

Register Tunnel

The first thing to do is register at a tunnel broker (in this case it is SIXXS) and request a tunnel. You have to supply the IP address of your tunnel end point and the protocol you would like to run the tunnel over. I chose protocol 41 which is 6-in-4 encapsulation. My tunnel end point IP address is 203.18.10.17. This is the official IP address as seen from the tunnel broker. Of course this is not where the tunnel really terminates. I run NAT on the firewall and the tunnel actually terminates on the server F.

You will get an email from the tunnel broker which contains the external tunnel IPv4 addresses (203.18.10.17 and 91.219.68.60) and the IPv6 addresses on the inner side of the tunnel (my side 2001:1234:5678:9abc::2/64, their side 2001:1234:5678:9abc::1/64). If you do not just want to supply IPv6 to a single network, you will have to register a subnet. I did so. In my case I received the subnet 2001:dead:beef::/48.

Configure Firewall

First add the following rules to the OpenBSD firewall G to let protocol 41 packets pass and redirect them. [2]

nat on $ext_if from 192.168.10.10 to any -> 203.18.10.17
rdr pass inet proto 41 to 203.18.10.17 -> 192.168.10.10
pass proto 41 to 192.168.10.10

Configure IPv6 Tunnel

Now configure the IPv6 tunnel on the central server. There is a good explanation in the Sixxs-FAQ. Additionally, I added the following two lines to my rc.conf because the local IPv6 address of the tunnel was not reachable because there was no entry in the routing table. I am not sure if this is a bug or if it is by intention. However, I simply added the route.

ipv6_static_routes="ltun"
ipv6_route_ltun="2001:1234:5678:9abc::2 -prefixlen 128 -interface lo0"

After this the tunnel is set up. Test it. You should be able to ping6 the local and the remote IPv6 address.

Configure VPN Tunnel

Let’s configure the OpenVPN tunnel between the remote and the local server. Actually, there is a quick HOWTO on the OpenVPN page but I want to point out that it may not work with IPv6. According to the OpenVPN page, IPv6 is not supported before version 2.2-RC2. But this is no problem! OpenVPN always supported IPv6 if used in TAP mode. This is because TAP mode forwards all L2 frames, hence, everything above layer two is transported. The following shows my server and client OpenVPN configurations:

# OpenVPN server configuration (on FreeBSD)
dev tap
secret static.key
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
up /usr/local/etc/openvpn/if.up
script-security 2

# OpenVPN client configuration (on Linux)
remote 203.18.10.17
dev tap
secret static.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup
daemon
up /etc/openvpn/if.up
script-security 2

The keepalive prevents the connection states on the DSL router and on the firewall from timing out. As you can see, I do not configure IP addresses. I use the external script if.up to bring up the interface and configure it for IPv6. In the following you find the two scripts.

#!/bin/sh
# server side if.up script
/sbin/ifconfig $dev up
/sbin/ifconfig $dev inet6 2001:dead:beef:f000::1/64
/sbin/route get -inet6 2001:dead:beef::/64 >/dev/null 2>&1
if test $? -ne 0 ; then
    /sbin/route add -net -inet6 2001:dead:beef::/64 2001:dead:beef:f000::2
fi

#!/bin/sh
# client side if.up script
/sbin/ifconfig $dev up
/sbin/ifconfig $dev inet6 add 2001:dead:beef:f000::2/64
/bin/ip -6 route add ::/0 via 2001:dead:beef:f000::1

As you can see I add routes. In the case of the server I route one /64 subnet down to the remote location and in the case of the client I set up the default route ::/0 back to the server.

Run both OpenVPNs and it should immediately come up. If not, you might comment out the configuration line “daemon” and run it directly on the command line to see debugging output.

Provide IPv6 to the Remote Clients

Now we want to provide IPv6 to the clients on the LAN in the remote location. The IPv6 address of the Ethernet interface is configured statically in /etc/network/interfaces. Please note that the default gateway is set up dynamically in the if.up script by OpenVPN and not in the static network configuration. This is because the route cannot be set before the tunnel is up.

# /etc/network/interfaces [snippet]
iface eth0 inet6 static
address 2001:dead:beef::1
netmask 64

The next thing that we need is radvd. This daemon announces IPv6 prefixes to the local network. Clients will then auto-configure an IPv6 address. Install it with `aptitude install radvd` (on Debian or Ubuntu).

interface eth0
{
    AdvSendAdvert on;
    prefix 2001:dead:beef::/64
    {
    };
};

Run radvd (`/etc/init.d/radvd start`) and all IPv6-enabled clients on this Ethernet network should immediately receive an IPv6 address.

Configure Cisco

Now let’s configure routing between the central server and the Cisco router I. First, on the central server we have to add an IPv6 address to the Ethernet interface where the router is connected, and we add a route to the Cisco for the network which will be behind the router. The network between the server and the router will be 2001:dead:beef:1::/64 and the networks on the other interface of the router will be chosen from the subnet 2001:dead:beef:100::/56. In rc.conf I add it like this:

ipv6_static_routes="ltun fhnet"
ipv6_route_fhnet="2001:dead:beef:100:: -prefixlen 56 2001:dead:beef:1::1"
ipv6_ifconfig_em0="2001:dead:beef:1::2 prefixlen 64"

Please note that the variable ipv6_static_routes was already mentioned before! Now log in to the Cisco router. First we have to enable IPv6 routing globally.

ipv6 unicast-routing

Now we set the IPv6 address on FastEthernet 0/0, which is the link to the server. Furthermore, I disable router advertisements so that other hosts on this network do not receive an IPv6 address through the auto-configuration mechanism. Finally we set a default route back.

interface fast 0/0
ipv6 nd suppress-ra
ipv6 address 2001:dead:beef:1::1/64
ipv6 route ::/0 2001:dead:beef:1::2

Configuration of further Ethernets and routes is up to your personal needs and is not explained here.

I hope that there are hints for everybody. Please note that I did not deal with any security issues within this text. Of course you should take that into account for your setup!

Although it is not guaranteed, you should also note that the packets traveling through the tunnel will most probably not be captured by any data retention system as long as they are in the IPv6 tunnel. More specifically this means that if you are browsing IPv6-enabled sites and the servers reside outside your country no national ISP will “see” the traffic except the IPv4 tunnel packets. Of course, the traffic is neither invisible nor encrypted which means that if somebody in between sniffs your 6in4 tunnel packets, he can see everything very well!
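To illustrate how little protection protocol 41 offers, the following added example (not part of the original setup; parse_6in4(), struct tunnel_view and the sample packet are constructed for illustration, and the inner addresses are made up) reads the inner IPv6 header straight out of a 6in4 packet, which is what any monitoring point on the IPv4 path can do as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_6IN4 41   /* IPv4 protocol number for encapsulated IPv6 */

struct tunnel_view {
    uint8_t  outer_src[4], outer_dst[4];    /* tunnel end points (IPv4) */
    uint8_t  inner_src[16], inner_dst[16];  /* the real communication partners */
    uint8_t  next_header;                   /* inner payload type, 58 = ICMPv6 */
    uint16_t payload_len;                   /* inner payload length in bytes */
};

/* Parse an IPv4 packet carrying 6in4. Returns 0 on success, -1 if the
 * packet is truncated or inconsistent, -2 if it is not protocol 41. */
int parse_6in4(const uint8_t *p, size_t len, struct tunnel_view *v)
{
    size_t ihl, total, plen;

    if (len < 20 || (p[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(p[0] & 0x0f) * 4;
    total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total > len || total < ihl)
        return -1;
    if (p[9] != PROTO_6IN4)
        return -2;
    if (total - ihl < 40 || (p[ihl] >> 4) != 6)
        return -1;
    plen = ((size_t)p[ihl + 4] << 8) | p[ihl + 5];
    if (plen > total - ihl - 40)
        return -1;

    memcpy(v->outer_src, p + 12, 4);
    memcpy(v->outer_dst, p + 16, 4);
    memcpy(v->inner_src, p + ihl + 8, 16);
    memcpy(v->inner_dst, p + ihl + 24, 16);
    v->next_header = p[ihl + 6];
    v->payload_len = (uint16_t)plen;
    return 0;
}

/* Constructed sample: ICMPv6 echo request from 2001:dead:beef::10 to
 * 2001:db8::1, tunnelled from 203.18.10.17 to 91.219.68.60. Checksums
 * are left at zero; the parser does not verify them. Returns the length. */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t outer[20] = {
        0x45, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00,
        0x40, PROTO_6IN4, 0x00, 0x00,
        203, 18, 10, 17,
        91, 219, 68, 60
    };
    static const uint8_t inner[40] = {
        0x60, 0, 0, 0, 0x00, 0x08, 58, 64,
        0x20, 0x01, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10,
        0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01
    };
    static const uint8_t icmp6[8] = { 128, 0, 0, 0, 0, 1, 0, 1 };

    memcpy(buf, outer, 20);
    memcpy(buf + 20, inner, 40);
    memcpy(buf + 60, icmp6, 8);
    return 68;
}

int main(void)
{
    uint8_t pkt[68];
    struct tunnel_view v;

    if (parse_6in4(pkt, build_sample(pkt), &v) != 0)
        return 1;
    printf("tunnel to %u.%u.%u.%u carries next header %u, %u payload bytes\n",
           v.outer_dst[0], v.outer_dst[1], v.outer_dst[2], v.outer_dst[3],
           v.next_header, v.payload_len);
    return 0;
}
```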

  1. I changed all IP addresses and I took out just the relevant parts of the configuration because the real network setup is more complex than depicted here.
  2. As already mentioned, I assume that NAT and everything else for IPv4 is properly configured.

Security Has Not Yet Arrived at A1 —

The term security has not yet arrived at A1.

By chance I recently came into contact with A1 Webspace Business at a customer’s site. The product name contains the word Business, which suggests that it is a professional product. But what exactly distinguishes it? Good question, because the webspace offers everything that nearly every webspace can do today. The reason is probably that you can install a CMS [2] with a bit of clicky-clicky.

What is alarming is that only FTP is available for file upload, a protocol from the early 80s that has almost none of the security mechanisms we know today, 30 years later. A fact not to be neglected in times when every ISP is required by law to snoop around.

Dear A1 Telekom! After hours of research I found the following links, which may help:

http://www.google.com/#q=sftp+ftps

http://www.google.com/#q=secure+ftp

 

  1. Also once known under the name Telekom Austria and also once as Jet2Web and a few other names. Nobody knows what they are called anymore anyway. Presumably the whole thing is a skillful obfuscation tactic, since people used to simply say “die Post” and that had somewhat negative connotations.
  2. The choices are WordPress, Typo3, Joomla and a few others.

RF_KILL sucks! —

This is not the first time that I have troubles with the RF-kill “feature” as reported on this blog.

Recently I set up an old notebook. I did a clean Linux network install of Debian Lenny. Everything worked fine, all hardware was detected properly.

But it did not take long to find out that the wifi does not work although the card was detected correctly. `lspci` showed that it is an IPW2100 which is a pretty well-known wifi adapter. After unloading and loading the appropriate kernel module, it was reported that RF_KILL is enabled.

The notebook is an old Toshiba notebook. It has a wifi indicator LED and the symbols on the keyboard showed that Fn+F8 should enable it. But simply nothing happened. I made sure that the Fn key and the F8 key both work. I expected the kernel to report something but it didn’t.

I have seen various methods of enabling and disabling wifi: soft keys, hard keys, key combinations on the keyboard, simply just enabling/disabling it by software, and BIOS disable/enable. And of course combinations of those methods.

I restarted the Toshiba notebook to have a look at the BIOS setup. Unfortunately, its BIOS didn’t allow any settings. I tried to “reset to factory defaults” but it didn’t change anything. Then I tried to find a software enable option. Luckily I’m working on Linux, thus I have direct access to most hardware features. In this case the RF_KILL enable/disable option is found in the special file /sys/devices/pci0000:00/0000:00:1e.0/0000:02:0a.0/rf_kill. Writing either 0 or 1 to it didn’t change anything. This indicated that there must be some other hardware enable/disable method.

I assumed I had found a BIOS bug…which would not be the first time. I flipped the notebook over to gather the product specification and I found something…

 


Inder Hood Apparently Lied —

I bought my first mobile phone in 1997, quite a while ago. I had my first contract with Mobilkom. Back then there was nothing else. MaxMobil then livened up the market, and I switched to them right away. At some point they were bought by the German giant T-Mobile, which of course shook my patriotic heart, so I switched again to some other provider.

In Austria we once had comparatively many providers. Mobilkom (today Vodafone) as a subsidiary of Telekom Austria, the ex-monopolist. MaxMobil (today T-Mobile), an Austrian startup. Then there was One, today (still) Orange, and Hutchison (3G). Oh, and Telering as well.

Mobilkom was always good in quality and targeted primarily business customers. MaxMobil was initially a tinkering startup, but also always offered relatively high quality. Its offering was also geared towards business customers. One always advertised supposedly high voice quality, but its network coverage was rather modest. Hutchison experimented in the mini-country Austria. It was apparently just a rounding error in their petty cash. And Telering was always simply cheap. …and the product was just as high-quality *lol*

Be that as it may, to this day I have always paid for phone calls and text messages. Half a year ago I switched contracts once again. It has to be done; it brings advantages from time to time. Somehow, for the first time in my life, I became interested in Telering, but only because Telering has in truth been T-Mobile for a few years. A key element of their advertising is “no hidden costs”. You can also read that on their website.

The whole thing is supposed to cost only 9 euros a month; wonderful. But what do I read on the latest bill?

SMS Empfangsbestätigung   134   20%    5,58

I always receive the bills by email, so I immediately replied to the email. Unfortunately without success. A robot answered that one cannot reply to this email address *lol*

On the homepage there is a link “Send email”, which however leads to an HTML form and not to a list of email addresses. The form offers no suitable option for asking a question about “Empfangsbestätigung” (delivery receipts). I tweeted about it, and, wonder of wonders, @telering replied that I should get in touch via DM. I did so; well, I have now been waiting for an answer for a month.

Well then. I think I have written enough text. Never in my life, i.e. specifically for 15 years, have I paid anything for SMS delivery receipts. But the telecom industry is very inventive when it comes to ripping off customers.


Kmail does not ask for PGP password —

A few days ago I fucked up my Debian installation. It ran properly for several years but because of mixing different repositories (squeeze, wheezy, backports,…) aptitude somehow lost track of package versions. I spent several hours but was unable to fix it. It just got worse.

Thus, I decided to do a completely fresh installation of Debian/Wheezy. I always do a basic installation first without X11 desktop. If everything works then I add X11 and KDE being my favorite.

Of course I kept my home directory as usual to keep all settings, all emails, and all other stuff that hangs around in this directory.

Most things worked immediately but kmail did not ask for the password of my PGP key anymore when trying to sign emails. I checked its settings and everything looked fine. I also checked kgpg which continued to successfully sign/encrypt messages.

I found the following bug report which also contains some links:

https://bugs.kde.org/show_bug.cgi?id=167960

http://randomguy3.wordpress.com/2008/07/24/kmail-trunk-signing/

In my new installation the gpg-agent is installed by default and it is running, as can be simply verified. I then checked for pinentry and I found out that pinentry-gtk2 was installed but pinentry-qt4 was not. I don’t know if this is by intention or if there is a wrong dependency somewhere. I think the latter is the case because I installed KDE which is Qt-based but I did not install Gnome (which is GTK-based).

I simply installed pinentry-qt4 but kmail still did not ask for the password (just “signing error: illegal passphrase”). I looked at gpg-agent in more detail and found out that it creates an environment file in my ~/.gnupg directory. When looking into this directory I remembered that I had a similar problem several years ago. Therein is the configuration file gpg-agent.conf which is loaded by gpg-agent at startup. It contained the following line:

pinentry-program /usr/bin/pinentry-qt

I now tried to start pinentry-qt manually but the binary didn’t exist although I had installed the package. Apparently the binary was renamed to pinentry-qt4. I changed the corresponding line in gpg-agent.conf, restarted gpg-agent and the problem was solved.


Polyline Refinement with Smrender —

The latest version 1.1.r1230 of Smrender now implements a new feature which I call polyline refinement. It greatly improves the appearance of the map, specifically in areas which are just “roughly” mapped. Ideally, it is applied to the coastline, for example.

Polyline refinement is an internal function that is invoked through a rule. The following shows an example of how to call it.

<way>
<tag k='natural' v='coastline'/>
<tag k='_action_' v='func:refine_poly?deviation=500,iteration=5'/>
</way>

The function parameters deviation and iteration are optional.

Have a look at the following two images to see the difference!

Rendering w/o polyline refinement

Rendering w/ polyline refinement

 

Download the most recent version at http://www.abenteuerland.at/download/smrender/.

Have fun!


Pdflatex does not compile Beamer class documents —

I have been using the Beamer class to create slides with Latex for several years now. For whatever reason pdflatex does not compile my Latex documents anymore. It stops with the following error message:

! Undefined control sequence.
\Gm@lmargin ->\Geom@lmargin

I found out that this seems to be caused by an update of the geometry package. The newer version breaks the Beamer class. The workaround is to insert the following code before the document class definition:

\makeatletter\let\ifGm@compatii\relax\makeatother

Actually, I found this solution in the following posting. I think it may help several other people, hence I summarized it here again.

http://groups.google.com/group/comp.text.tex/browse_thread/thread/b3acfd525b7fcddb


C Source Code Analyzer for Graphviz —

I am currently working on a graph based visualization tool for the output of an i386 emulator. The basic idea is to do some kind of intelligent malware analysis and behavior prediction.

I experimented a little bit and suddenly got the idea to do some kind of source code graphing of some of my programs. Unfortunately, I did not find a suitable ready-to-use solution on the Internet although I admit that I didn’t search thoroughly. I proudly present my simple C source code analyzer which produces output that is suitable for Graphviz.

It reads C sources from stdin and identifies functions and all function calls from within those functions. The output can be directly fed into e.g. ‘dot’ for generating nice graphs. You may manually refine the output before rendering.

I simply call the tool canalyze and it can be downloaded here: http://www.abenteuerland.at/download/proggies/canalyze

At the beginning I defined an array which contains function names that are ignored. Those functions are mainly typical library and system calls. You may adapt this to your needs.

To use it, simply pipe all your C sources to it:
$ cat *.c | canalyze > callgraph.dot
Now open the file 'callgraph.dot' in your favorite editor, edit it to your needs, and then run dot:
$ dot -Tpng callgraph.dot -o callgraph.png

The picture above is an example which shows the current version of Smrender. The call graph source may be downloaded from here:

http://www.abenteuerland.at/download/proggies/smrender.dot

Have fun playing with it, the output is really nice!