Real life

Security flaw in 500,000 Belgacom modems?

19 January 2010  |  by Patrick Vande Walle  |  published in Belgium, Internet, Real life

The BBOX2 modems used by a majority of Belgacom TV customers have significant security flaws. Belgacom claimed 589,000 customers for its TV platform last summer. A majority of them use this modem. A combination of factors opens the door to malicious acts that can be committed by people without any particular computer skills, not just by 'hackers'.

  1. All BBOX2 modems ship with the same administration password. It is very easy to find with a search engine: http://www.google.com/search?hl=en&q=BGCVDSL2
  2. Belgacom claims to block remote access to these modems over the Internet. This is partially true. However, these modems ship with an active and unprotected WiFi connection. Anyone walking down the street can therefore connect to an unprotected BBOX2.
  3. With this administrative access, one can download the modem's configuration file and decrypt the passwords it contains. Here too, what is needed can be found on the Internet: http://www.webalice.it/zibri/Deobfuscate.html

Once the credentials of a Belgacom TV subscriber have been recovered (the PPPoE connection credentials, to be precise), an attacker can use this information to commit malicious acts while impersonating that subscriber.
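The post notes that stolen PPPoE credentials let an attacker impersonate the subscriber. What the operator can do about that, short of fixing the modems, is detect the impersonation on its own side: a subscriber's PPPoE login should only ever come from the physical line the account was provisioned on, and never from two lines at once. The following is an added example written for this page, not Belgacom's or any ISP's actual tooling; the session log format, the account names, the line identifiers and the provisioning map are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of an ISP-side PPPoE session log (assumed format, not a
# real Belgacom record): one START/STOP event per line, keyed by account and
# by the DSLAM port the session came in on.
SAMPLE_LOG = """\
2010-01-19T08:00:01 START user=sub1234@example line=DSLAM-BRU-01/3/12 ip=10.20.0.5
2010-01-19T08:05:30 START user=sub5678@example line=DSLAM-BRU-01/3/13 ip=10.20.0.6
2010-01-19T09:12:44 START user=sub1234@example line=DSLAM-BRU-07/1/2 ip=10.20.0.9
2010-01-19T10:00:00 STOP  user=sub5678@example line=DSLAM-BRU-01/3/13 ip=10.20.0.6
2010-01-19T11:30:00 STOP  user=sub1234@example line=DSLAM-BRU-01/3/12 ip=10.20.0.5
"""

# Assumed provisioning data: the physical line each account was assigned to.
PROVISIONED_LINE = {
    "sub1234@example": "DSLAM-BRU-01/3/12",
    "sub5678@example": "DSLAM-BRU-01/3/13",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>START|STOP)\s+user=(?P<user>\S+)\s+"
    r"line=(?P<line>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_session_log(text):
    """Turn the raw log into a list of event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_misuse(events, provisioned):
    """Flag two signs that a PPPoE credential is being used by someone other
    than the subscriber: a login from a line the account was not provisioned
    on, and a second concurrent session on a different line."""
    active = defaultdict(dict)   # user -> {line: start timestamp of open session}
    alerts = []
    for ev in events:
        user, line = ev["user"], ev["line"]
        if ev["event"] == "STOP":
            active[user].pop(line, None)
            continue
        home = provisioned.get(user)
        if home is not None and line != home:
            alerts.append({"time": ev["ts"], "user": user, "line": line,
                           "expected": home,
                           "reason": "login from non-provisioned line"})
        others = [other for other in active[user] if other != line]
        if others:
            alerts.append({"time": ev["ts"], "user": user, "line": line,
                           "expected": others[0],
                           "reason": "concurrent session on another line"})
        active[user][line] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_misuse(parse_session_log(SAMPLE_LOG), PROVISIONED_LINE):
        print(f'{alert["time"]} {alert["user"]}: {alert["reason"]} '
              f'(seen on {alert["line"]}, expected {alert["expected"]})')
```

On the constructed sample, the second START for sub1234@example raises both alerts: it arrives from a line the account was never provisioned on while the subscriber's own session is still open. Either condition on its own is worth a ticket; the combination is exactly the credential-reuse scenario the post describes, and the check costs nothing beyond the accounting records the operator already keeps.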

Belgacom has had all of the above information for a long time. I myself contacted the operator, which did not even bother to acknowledge receipt, let alone answer or propose solutions.

Note also that while this applies to Belgacom TV customers, some Internet subscribers, both of Belgacom and of the alternative operators that use Belgacom's VDSL2 network, are also affected. The network owner indeed requires the other ISPs to use a modem similar to its own, which also has a password identical for all subscribers.


New ISP and lots of speed

25 December 2009  |  by Patrick Vande Walle  |  published in Belgium, Internet, Personal, Real life

Santa has been kind to me. I just switched to a new ISP. The results below speak for themselves.

[Speed test screenshots: BGC-VDSL2, 2009-12-25 compared with 2009-07-20]

That’s the good news. The less good one is that this whole VDSL2 infrastructure deployed by the incumbent telecom operator has some major security holes, on which I will post later, once I have finished my research.

Dear Scarlet

20 July 2009  |  by Patrick Vande Walle  |  published in Belgium, Real life

Once again, you are failing your most basic contractual obligations by providing me with the crappiest ADSL service in Belgium. I am not in the habit of using foul language in public. That tells you how exasperated I am.

You previously reproached me, in clearly bad faith, for not having informed you of the poor quality of your services. Not only did I do so, but so did others. The discussion forums are full of it. But since you are taking me at my word, I will indeed complain. And let it be known.

Lies, greediness and Belgian ISPs

4 February 2009  |  by Patrick Vande Walle  |  published in Belgium, Real life

Some ISPs would do anything to gain a new customer.

Last December, I switched ISPs. Although my previous one, Dommel, provided a good and stable internet connection, their customer service staff was totally broken. They seemed totally unwilling to answer any written question, be it in French, English or Dutch. Further, they used the oldish ADSL infrastructure from the incumbent, Belgacom, and thus could only provide a 4 Mbit/sec connection. With 6 computers at home, this proved to be slow at times.

Hence, I took the opportunity to move to another ISP, Scarlet, which promised 20 Mbit/sec. I was aware that theoretical speeds may not always be reached due to different factors like copper line length, etc.

Much to my surprise, I was informed after the contract was signed that I would only get 6 Mbit. Scarlet's tech support confirmed today that the local phone exchange to which I am connected has not been upgraded to ADSL2+. This ISP knew at the time they presented the electronic contract to me that they were unable to deliver what they promised.

[Screenshot: Scarlet ADSL20 sign-up form]

Their sign-in form stated "Congratulations, you can be connected to the ADSL20 network [...] The maximum download speed is dependent on the distance from the local exchange, your computer configuration and its cabling". Nowhere does it state that it is dependent on the exchange infrastructure.

The tech support guy was not able either to tell me when they expect the local exchange to be upgraded. This looks like ultra confidential information. Actually, we know more about battle plans in the Middle East, Iraq or Afghanistan than about an ISP's infrastructure upgrade strategy.

Belgium once prided itself to be at the forefront of broadband deployment. If only it could be done by professionals who care about customers …

The next step will be to file a complaint with the telecom ombudsman. I do not expect much of an improvement, though.

Austrian Airlines are funny

6 November 2008  |  by Patrick Vande Walle  |  published in Real life

In-flight magazines offered by airlines are usually the sort of thing one reads occasionally on boring long flights. So did I on my way from Vienna to Cairo last week.

Just like any other airline, Austrian Airlines gives names to its airplanes. Contrary to other airlines, Austrian tries to make an effort to innovate. They have a range of Boeing B737-800s named Frank Zappa, Freddie Mercury, George Harrison, Gregory Peck, Kurt Cobain and Miles Davis. This is refreshing and much more original than using city names. Can I suggest the next plane be called The Dead Pop Stars?

But above all, it is good to see an airline mentioning in bold letters on page 3 of its "Skylines" magazine that it will not tolerate passengers being offended by others because of ethnicity, religion or gender. It encourages passengers to ask the cabin crew to intervene. It is good to see a company that places ethical values before commercial considerations. They may have lost a few racist passengers because of this policy, but they have now gained a new customer.

This host is DNSSEC-enabled – Part 2

13 October 2008  |  by Patrick Vande Walle  |  published in DNS, Real life

Last year, I started signing the DNS records for this domain (and isoc.lu). At the time, it was what is called an 'island of trust' in DNSSEC-speak. Being a firm believer that one should eat one's own dogfood, I have now taken this one step further. Both domains, vande-walle.eu and isoc.lu, are now added to ISC's DLV registry. In addition, they are also in UCLA's Secspider DLV repository. DLV stands for Domain Lookaside Validation; it "is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain", according to RFC 5074.

There are a few lessons to be learned from this experience. First and foremost, the tools are not yet ready for a general audience. If the dnssec-signzone man page is your favourite late night reading and if you like Unix shell scripting, you will have plenty of fun. On the other hand, if you are an overworked system administrator being told by the boss 'By the way, please switch on DNSSEC before you leave this afternoon', you are out of luck. The best tool I found to make it a bit easier is ZKT. However, this is not the friendly Graphical User Interface you would expect.

Lesson 2 is 'check your secondaries'. I had secondaries with Xname.org. Although these nice folks provide good and free DNS service, their machines do not answer DNSSEC queries. Hence, I had to switch to new secondaries.
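Lesson 2 is easy to turn into a check. A secondary that serves a signed zone must accept an EDNS0 query with the DO bit set and return the RRSIG records alongside the answer; one that does not will either answer without signatures or fail on the EDNS0 query. The script below is an added example for this page, not a tool from the post or from ZKT or BIND: it builds such a query with the standard library only, parses the reply far enough to list the record types it contains, and decides whether the server is DNSSEC-capable. The sample reply it constructs for offline use is made up for the example, not a capture from any real nameserver, and `check_secondary` is the only function that touches the network.

```python
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
EDNS_DO = 0x8000          # DNSSEC OK bit in the OPT record's extended flags
FLAG_AD = 0x0020          # Authentic Data bit in the DNS header


def encode_name(name):
    """Wire-format encoding of a domain name (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dnssec_query(zone, qtype=TYPE_SOA, txid=0x1234):
    """Query carrying an EDNS0 OPT record with DO set, as a validating resolver
    sends it; a server only returns RRSIGs when DO is present."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD, 1 question, 1 additional
    question = encode_name(zone) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP payload size 4096, ext-rcode/version/flags (DO), no RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Header flags plus the RR types found in the answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4             # skip QTYPE and QCLASS
    types = []
    for _ in range(an + ns + ar):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        types.append(rtype)
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "ad": bool(flags & FLAG_AD), "types": types}


def secondary_serves_dnssec(response):
    """True when the server answered cleanly, echoed EDNS0 and included RRSIGs."""
    info = parse_response(response)
    return info["rcode"] == 0 and TYPE_OPT in info["types"] and TYPE_RRSIG in info["types"]


def check_secondary(server, zone, timeout=3.0):
    """Send the query to one nameserver over UDP and judge its answer (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dnssec_query(zone), (server, 53))
        data, _ = sock.recvfrom(4096)
    if parse_response(data)["truncated"]:
        raise RuntimeError("answer truncated over UDP; retry over TCP before judging")
    return secondary_serves_dnssec(data)


def build_sample_response(zone, signed, txid=0x1234):
    """Constructed sample answer (not a capture from any real server) so the
    checks can be exercised offline: SOA plus OPT, optionally with an RRSIG."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if signed else 1, 0, 1)  # QR, RD, RA
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    soa_rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2008101301, 3600, 900, 1209600, 3600))
    ptr = b"\xc0\x0c"                                        # pointer to the question name
    answer = ptr + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(soa_rdata)) + soa_rdata
    if signed:
        # RRSIG RDATA: 18 fixed bytes, signer's name, then the signature (dummy bytes here)
        sig_rdata = (struct.pack("!HBBIIIH", TYPE_SOA, 8, 2, 3600, 0, 0, 0)
                     + encode_name(zone) + b"\x00" * 64)
        answer += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(sig_rdata)) + sig_rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    import sys
    # usage: python check_secondary.py <nameserver-ip> <zone>
    print(check_secondary(sys.argv[1], sys.argv[2]))
```

Run it once per NS record of the zone before pointing the delegation (or a DLV entry) at a new secondary. A server that ignores EDNS0 will typically answer without the OPT record and without RRSIGs, which is the failure described above; a FORMERR or a truncated UDP reply is a different problem and should be looked at separately rather than counted as "not DNSSEC-capable".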

Lesson 3 is that few DNS resolvers currently support DLV. Bind does. Unbound will in the next release (the current development code already does).

Lesson 4 is that the current system to register a domain in the DLV does not seem to scale and looks more like a proof of concept. It would need to be seriously industrialized to be helpful for a bigger deployment.

Lesson 5 stems from 4 above. The whole thing would be a bit easier to deploy if the root zone was signed. But this is another debate.

Many thanks to the folks at NLNet Labs and the RESTENA Foundation for providing DNS secondary service, and ISC for running the DLV registry.

We need real paneuropean mobile operators

10 September 2008  |  by Patrick Vande Walle  |  published in Belgium, Luxembourg, Real life

I got my mobile phone bill in the mail the other day and, again, I nearly got a heart attack. It has been like this for over the last 10 years. Whatever I do, this bill is always way higher than expected.

I tried everything from switching operators to spending hours figuring out the optimal subscription plan. I do not place calls from my mobile if I can avoid it, especially abroad. I avoid SMS when e-mail is possible. I do not even dare to use the data services, although I have a 3G phone. Still no luck. The main issue is that I work in a small country, live in the country nearby and often go to two other countries for shopping and leisure. I am roaming on other networks than my home one 75% of the time. While this may sound unusual, actually this is what the whole European Union construction is all about: abolishing borders.

I decided last year to subscribe to Transatel, an MVNO (Mobile Virtual Network Operator). In short, they do not have a network of their own, but buy capacity from other operators. It looked attractive because they cover several countries. They give you a local phone number in each country you choose. This makes it cheaper for the people calling you. I can receive calls on my Luxembourg number while in Belgium and no roaming charges will apply. Sort of. Because, actually, you only get a limited number of minutes each month for call transfers across countries. Once you have reached the threshold, you are billed for the call transfers. This is just roaming charges by another name. At the time of subscription, they promised my monthly bill would be 50% lower. It looks like my usage profile was not part of their statistical sample…

The European mobile market is very fragmented. Each country has 3 or 4 mobile operators. Even those self-labelled paneuropean networks like Vodafone or Orange are actually alliances of different national operators, loosely tied by a similar logo. All the rest of their offerings is different: subscription plans, services, phone numbers and roaming charges. As for roaming charges, I noticed on several occasions in the past that if your home network operator is a Vodafone partner, it may sometimes be cheaper to select a non-Vodafone network abroad.

Those alliances are another way to make the offers more opaque, the better to fool the customer. On the economics of the mobile market, there is this interesting post from Kurtis Lindqvist (thanks to Patrik Fältström for the link). Just like Kurtis, I agree that there is no such thing as free and open mobile markets in Europe. I, too, hope the European Commission will continue to regulate the market until such time as it costs the same to call a mobile in Stockholm from Madrid as it does to place a call from Los Angeles to Washington. AT&T in the US has a subscription plan for unlimited voice calls throughout the US for USD 99.99/month. Unfortunately, given the current market conditions, I do not see a similar paneuropean offer any time soon.

Gartner on new Generic Top Level Domains

11 July 2008  |  by Patrick Vande Walle  |  published in ICANN, Internet, Real life

Gartner, the well known IT consulting company, has published a report on the new top level domains that will appear some time next year.

The report totally misses the mark. In a pure US centric vision, it focuses on “.com” as the must-have TLD, totally overlooking the fact that a “.com” is mostly worthless e.g. in Germany, where “.de” is the TLD one must have to succeed locally. There are many countries where the local TLD has much more value than a “.com”.

The report is also clueless in that it states that "proposals previously rejected by ICANN, such as the creation of '.xxx' for adult-oriented sites, are also likely to be commercially successful", when everybody but Gartner knows that the newly adopted rules were designed precisely to avoid the ".xxx" debacle happening again.

Going further down the path of ignorance, Gartner also states that "we would expect that an extension such as '.movie' would have similar value". I am afraid ".movie", just like ".travel" or ".name", will only have modest success, because they are focused on the English-speaking market and have little value outside North America. In this specific case, my British colleagues usually use the word "film" rather than "movie". It looks like ".movie" will not even be able to cross the Atlantic.

How much credit you give to this report depends on the credit you give to Gartner, of course. I am afraid this one is not going to help the company’s track record. Sometimes, silence is better.

Missing Firefox, badly

17 May 2008  |  by Patrick Vande Walle  |  published in Internet, Real life, Software, Spam

I recently switched to a new position in my day job. I moved to another campus and office, where I found on my desk a computer with the default standard configuration. The default browser in this configuration is Internet Explorer 6.

I am still in a state of shock. Over the last four years in my previous position, I had been using Firefox as my main browser, mostly because of AdblockPlus, a remarkably efficient advertisement blocker.

With IE6, I have rediscovered how advertising on web sites can be distracting and invasive. Suddenly, the pop-up windows, Flash animations and other nasties are there again. Unlike a paper magazine, where you only need to turn the page to ignore them, advertisements on web sites really prevent you from working until you close the pop-up window, stop the animation, turn off the volume, etc.

I guess one could say that Wladimir Palant, the developer of Adblock Plus, is one of the greatest benefactors to computer productivity over the last few years. Thanks, mate. Great job. I am forever grateful.

Luxembourgish humor

19 December 2007  |  by Patrick Vande Walle  |  published in Luxembourg, Real life

Found in an office of the Luxembourg Ministry of Finance:

[Photo: sign in the Luxembourg Ministry of Finance, 19 December 2007]

For those who do not read French, it says: "The seat opening is 29 x 23 cm wide. If you miss the hole, please use the brush to clean. This brush is not a toothbrush."
