Category Archives: Software

IPv6 for the rest of us

IPv6 deployment is in a chicken-and-egg situation. On the one hand, ISPs and commodity DSL router manufacturers are unwilling to include IPv6 support in their infrastructure or equipment because “there is no demand”. On the other hand, there is no demand because the average Joe Blow could not care less whether he accesses a web site over IPv4 or IPv6. It should just work. The equipment and infrastructure should adapt transparently.

One of these days, when there are IPv6-only web sites, Joe Blow will call his ISP to complain that he cannot access them. This may happen sooner than you think. The North American Internet Registry (ARIN) has issued an advisory to alert the community that it will no longer be in a position to allocate IPv4 addresses in the near future, and strongly advises companies and ISPs to look at IPv6 instead.

What we users can do is stop waiting for the industry to get its act together and work around its limitations.

Most consumer OSes these days support IPv6, either natively (MacOSX, Linux, Windows Vista) or as an add-on (Windows XP). In the traditional setup, with a computer connected to the Internet through a DSL router, the router is assigned a dynamic IP address. Your computer in turn is assigned an IP address by the router, typically out of a private address space (per RFC 1918).

What we need now is a way to tunnel through the hostile IPv4 environment to connect to the IPv6 Internet. The specification is RFC 4380, nicknamed Teredo. There is an implementation for Unix-like operating systems called Miredo. And for those of you who are uncomfortable editing Makefiles and compiling source code, the good news is that there are pre-packaged versions for MacOSX and Ubuntu Feisty (just type “apt-get install miredo”; you need the universe repository enabled).
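Since a Teredo address encodes the tunnel's IPv4 endpoints, it is worth knowing what your new address gives away. The following is an added example (not code from this post or from the Miredo project) that decodes the RFC 4380 layout: the 2001:0::/32 prefix, the Teredo server's IPv4 address, a 16-bit flags field (the cone-NAT bit assumed here is the top bit, as RFC 4380 defines it), and the client's mapped UDP port and public IPv4 address, both stored XORed with all ones. The sample address and the IPv4 values in it are constructed from documentation ranges.

```python
"""Decode and rebuild the fields embedded in a Teredo (RFC 4380) IPv6 address.

Added example, not code from the original post or from the Miredo project.
Layout: 2001:0000::/32 | server IPv4 | 16-bit flags | ~port | ~client IPv4,
where "~" marks fields XORed with all ones so that NAT boxes rewriting IPv4
literals in payloads do not corrupt them.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000  # top flag bit: client is behind a cone NAT (RFC 4380 sec. 4)


def is_teredo(addr: str) -> bool:
    """True if the address falls inside the Teredo prefix 2001:0::/32."""
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX


def parse_teredo(addr: str) -> dict:
    """Split a Teredo address into server, cone flag, mapped port and client IPv4."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed                                   # 16 network-order bytes
    server = ipaddress.IPv4Address(raw[4:8])          # Teredo server, stored in clear
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF             # un-obfuscate
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone_nat": bool(flags & CONE_FLAG),
        "port": port,
        "client": str(client),
    }


def build_teredo(server: str, client: str, port: int, cone: bool = True) -> str:
    """Inverse of parse_teredo: assemble an address from its components."""
    flags = CONE_FLAG if cone else 0
    raw = (
        b"\x20\x01\x00\x00"                                   # 2001:0000 prefix
        + ipaddress.IPv4Address(server).packed
        + flags.to_bytes(2, "big")
        + (port ^ 0xFFFF).to_bytes(2, "big")
        + (int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF).to_bytes(4, "big")
    )
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    # Constructed sample: a client at documentation address 192.0.2.45, port 40000,
    # behind a cone NAT, using a Teredo server at 65.54.227.120
    sample = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
    print(parse_teredo(sample))
```

Run it against the address Miredo assigns to your tunnel interface (ifconfig or ip addr) and you will see exactly which public IPv4 address and port the outside world can read off your IPv6 address. That is by design, not a bug, but it is the reason Teredo addresses are treated as a privacy consideration in some environments.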

I tested both and they work out of the box. I am actually editing this post through an IPv6 tunnel over a straight IPv4 ADSL connection. Pretty amazing.

I did not test the MS Windows implementation. However, since Microsoft wrote the specs, I suppose it should be quite easy to set up there, too. Some tips are available at the IPv6 Task Force web site and Microsoft's own site.

What does that bring you? Well, first, you will be considered a certified geek in your neighbourhood. More seriously, not much right now. What I actually notice is that my connection is slowing down. This may be because tunnelling one protocol through another is never efficient. Also, the peering agreements between backbone operators are not as good as they are in the IPv4 world. But at least I am ready for the future.

IPv6 vulnerability in RHEL4/CentOS4

I was reading this article this morning on IPv6 vulnerabilities, specifically the IPv6 type 0 routing header. The recommendation is to disable the processing of these headers, as they have no practical purpose anyway.

After some Googling, I read that this kind of header has been disabled by default in Linux kernels since version 2.6.20.9. This server is running version 2.6.9-42. The workaround here is to filter out those packets at the firewall level. Fine, except that ip6tables on RHEL4 and CentOS4 does not include the plugin (match extension) needed to filter on routing headers. Hence, you need to recompile the iptables package with the ip6rt module enabled. That's just a small Makefile edit.

To make life easier for you, here are my RPM and SRPM:

iptables-ipv6-1.2.11-3.1.isoc.i386.rpm
iptables-1.2.11-3.1.isoc.src.rpm

Once installed, do not forget to add the following lines near the top of the /etc/sysconfig/ip6tables file, before any rule that accepts traffic:

-A INPUT    -m rt --rt-type 0 -j DROP
-A FORWARD  -m rt --rt-type 0 -j DROP
-A OUTPUT   -m rt --rt-type 0 -j DROP

Of course, if you are not running IPv6 at all, this is not an issue for you. And if you are using another distribution, your mileage may vary, as they say.
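To see what the three rules above actually decide on, here is an added example (not code from this post or from the iptables project) that walks the IPv6 extension-header chain of a raw packet and reports the Routing Type byte of any Routing header it finds, the same byte that -m rt --rt-type 0 matches. The packet builder and its addresses are constructed for the demonstration; the header layouts follow RFC 2460 (Routing header, Hop-by-Hop) and RFC 4302 (AH length units).

```python
"""Walk the IPv6 extension-header chain and flag Routing Header type 0 (RH0).

Added example, not code from the original post or from the iptables project.
It reproduces the decision of "-m rt --rt-type 0": look for a Routing
extension header (next-header value 43) anywhere in the chain and read its
Routing Type byte. Sample packets are constructed inline.
"""
import struct

HOPOPT, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = 0, 43, 44, 51, 58, 60
EXTENSION_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
IPV6_HDR_LEN = 40


def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left, waypoint_addresses) or None."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], IPV6_HDR_LEN
    while next_hdr in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            hdr_len = 8                       # fixed size
        elif next_hdr == AH:
            hdr_len = (ext_len + 2) * 4       # AH counts 32-bit words minus 2
        else:
            hdr_len = (ext_len + 1) * 8       # 8-octet units, first 8 not counted
        if offset + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            routing_type, segments_left = packet[offset + 2], packet[offset + 3]
            waypoints = []
            if routing_type == 0:
                # RH0 body: 4 reserved bytes, then a list of 16-byte addresses
                body = packet[offset + 8:offset + hdr_len]
                waypoints = [body[i:i + 16] for i in range(0, len(body), 16)]
            return routing_type, segments_left, waypoints
        next_hdr, offset = nh, offset + hdr_len
    return None


def should_drop(packet: bytes) -> bool:
    """Same decision as the three ip6tables rules: drop if an RH0 is present."""
    found = find_routing_header(packet)
    return found is not None and found[0] == 0


def build_packet(routing_type, via: bytes, src: bytes, dst: bytes, hopopt: bool = False) -> bytes:
    """Constructed sample: IPv6 | [Hop-by-Hop] | [Routing hdr, one waypoint] | ICMPv6 echo."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)       # echo request, checksum left 0
    payload, first_nh = icmp, ICMPV6
    if routing_type is not None:
        # next header, Hdr Ext Len 2 (= 16 bytes after the first 8), type, segments left
        payload = struct.pack("!BBBB", first_nh, 2, routing_type, 1) + b"\x00" * 4 + via + payload
        first_nh = ROUTING
    if hopopt:
        # Hop-by-Hop header padded to 8 bytes with a single PadN option
        payload = struct.pack("!BB", first_nh, 0) + b"\x01\x04" + b"\x00" * 4 + payload
        first_nh = HOPOPT
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst
    return ip6 + payload


if __name__ == "__main__":
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1 (documentation range)
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")   # 2001:db8::2
    via = bytes.fromhex("20010db8" + "00" * 11 + "03")   # 2001:db8::3
    for rtype in (0, 2, None):
        print(f"routing type {rtype}: drop={should_drop(build_packet(rtype, via, src, dst))}")
```

Note that the matcher keeps walking past Hop-by-Hop, Destination Options, Fragment and AH headers rather than looking only at the first next-header value; a Routing header is not required to be the first extension header, which is why a firewall match that only inspects the fixed IPv6 header would miss it.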

MacOSX vs Linux vs MS Windows

I did some checks on the start-up time of the three operating systems I have on my MacBook. They are fairly equivalent in terms of functionality. I could use any of them to get the job done.

Comparison of start-up times between different operating systems on the same hardware

Operating System     Startup time   WLAN WPA start-up   Total     Shutdown time
MacOSX               20 sec         5 sec               25 sec    10 sec
MS Windows XP        54 sec         10 sec              64 sec    15 sec
Ubuntu Linux 7.04    70 sec         35 sec              105 sec   50 sec

Test conditions:
- MacBook Intel Core Duo 2 GHz, 2 GB RAM
- All operating systems set for automatic login with the user account

The job is not that difficult to handle. Mainly it consists of web browsing, e-mail and general documents. I have Firefox, Thunderbird and OpenOffice on all platforms. In the case of MacOS, I use NeoOffice instead. It integrates nicely with the Aqua GUI and does not require X11 to work, unlike the official OpenOffice version.

Further, with MacOS, I can close the lid of my laptop and know it will work when I reopen it. With Ubuntu, I have a 50% chance (risk?) of needing to reboot and losing whatever work I was doing.

I guess I have a good reason to boot MacOSX more than the other two.

Bankers are “Flashers”

A while ago, I pointed out the very bad decision taken by Dexia-BIL bank in Luxembourg to use a Macromedia Flash applet to defeat phishing attempts. Competition being what it is, the number one bank in Luxembourg, BCEE, could not afford to sit and watch. They just copied the idea.

As was pointed out in the case of Dexia-BIL, the system is very user-unfriendly. However, customer-friendliness does not seem to be part of the equation.

Somehow, banks feel responsible for the fact that their customers are clueless when it comes to Internet e-mail. Rather than educating them, they think it is smart to protect these poor souls against themselves and their naivety. Or it could be the legal department telling the IT guys they have to find a way for the bank not to be held liable in case a customer sues them after falling victim to a phishing e-mail.

So, again let us remind the banks and their customers how to fight phishing attempts:

  • Use common sense. A reputable bank does not send e-mails asking for personal information they should already have. Actually, a bank does not use e-mail to communicate with customers. They are convinced you are always available to walk to their branch office during office hours, and that you have nothing better to do.
  • Ask your ISP to filter out phishing attempts in incoming e-mail messages. The cost is low. Open source tools do a wonderful job at that. MailScanner and Amavis-new do it for free. If your ISP wants to spend a lot of money, there are commercial products, too. If it is unwilling to do that, there is still client-side software. But you should rather move to an ISP which cares about its customers. In the “ISP” acronym, “S” stands for “Service”. If there is no service, vote with your feet.
  • Avoid broken mail clients that display HTML by default.
  • Double check the hyperlink you are clicking on.

And if you are too dumb to do any of the above, avoid accessing your bank account through the Internet and go to the branch office for every transaction. At least, this will give additional work to the clerk behind the desk and maybe he will be able to keep his job, rather than being fired because “customers use the Internet anyway”.
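The "double check the hyperlink" advice is something a mail filter can do on the reader's behalf. Here is an added example (not code from this post, nor from MailScanner or Amavis-new) that extracts every link from an HTML message body and flags the ones whose visible text names one host while the href points at another, the classic pattern in which the text reads like the bank's address but the link goes elsewhere. The message body, the hosts in it and the helper names are all constructed for the demonstration.

```python
"""Flag HTML e-mail links whose visible text names a different host than the target.

Added example, not code from the original post or from MailScanner or
Amavis-new: a small check that automates the "double check the hyperlink"
advice, run over a constructed HTML message body.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain-looking token in visible link text, e.g. "www.mybank.example"
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_host(href: str):
    """Host the link really goes to, lower-cased; None if the href has no host."""
    host = urlparse(href.strip()).hostname
    return host.lower() if host else None


def text_host(text: str):
    """First domain-like token the reader sees in the link text, or None."""
    match = DOMAIN_RE.search(text)
    return match.group(0).lower() if match else None


def same_site(shown: str, real: str) -> bool:
    """True if one name is the other or a subdomain of it (www.x.example vs x.example)."""
    return shown == real or shown.endswith("." + real) or real.endswith("." + shown)


def suspicious_links(html: str):
    """Return (href, text) pairs whose visible text names a host other than the target."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = text_host(text), href_host(href)
        if shown and real and not same_site(shown, real):
            flagged.append((href, text))
    return flagged


# Constructed sample body: a link with no host in its text, a link whose visible
# URL hides a raw-IP target, and an honest link
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://login.example.net/verify">confirm your details</a>
at <a href="http://198.51.100.23/bank/">https://www.mybank.example/secure</a>.</p>
<p>Our site: <a href="https://www.mybank.example/">www.mybank.example</a></p>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_HTML):
        print(f"MISMATCH: text shows {text!r} but link goes to {href}")
```

The check deliberately says nothing about links whose text is plain words ("confirm your details"): those still deserve a look before clicking, but a text/target mismatch is the one case a filter can call out with confidence rather than guess at.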

Using Flash to defeat phishing^H^H^H^H^H Key loggers

Update: 2nd March 2007: The bank confirmed they want to use Flash to defeat key loggers.

  1. Key loggers are a “feature” of MS Windows, mostly. Well-conceived operating systems do not allow the installation of such malware. The choice of the operating system is up to the user. He is free to upgrade to a more secure one. If he does not, that is his problem, not the bank's.
  2. On the Windows platform, key loggers should be intercepted by the anti-virus program. If it does not, that is the user's problem, not the bank's.
  3. While the Flash applet may help defeat key loggers on the Windows platform for the specific use of the online banking service, it does not solve the general issue of key-logging malware on the Windows platform. In fact, it would give the clueless user the false impression that he is protected against key loggers, while in fact he is only protected for a specific application and not when using his credit card on Amazon or elsewhere.

The only conclusion one can draw from the whole thing is that the bank wants to be legally covered in case a customer complains. Security has nothing to do with it. The bank could easily disclaim liability in case the user does not implement the right security tools on his computer. It could, for example, disclaim liability in case the browser allows the installation of malware, which is typical of Internet Explorer.
