Category Archives: Software

I’ve Been Looking for This!

Google search link fix:

This extension prevents Google, Yahoo and Yandex search pages from modifying search result links when you click them. This is useful when copying links but it also helps privacy by preventing the search engines from recording your clicks.

In other words, when I get Google search results and right-click on them, instead of getting useless garbage, I get a link I can use in a blog post or a footnote — especially handy for linking to .pdf files where the URL doesn’t show up in the program that pops up to display the document.

Most folks won’t need this extension. But those who do will love it.

Posted in Software | 5 Comments

DETEKT

EFF and other fine groups announce DETEKT, a spyware detection tool. It’s a joint project with Amnesty International, Digitale Gesellschaft, and Privacy International. Read the disclaimers and instructions carefully.

Note also that they seem to be on a very short release cycle: I downloaded version 1.1 at work yesterday (nothing detected), and just downloaded version 1.3 at home today.

Disclosure: I’m a proud member of the Electronic Frontier Foundation Advisory Board.

Posted in Software, Surveillance | Leave a comment

Shellshock Still Kicking

Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot

Posted in Internet, Software | Leave a comment

Shellshock: It’s as if Flesh-Eating Bacteria Were Poised to Eat Your Server

And all your Linux-embedded devices with any Internet access. From the sound of it, that’s about how bad the “shellshock” bug in Bash is:

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

— Slashdot, Remote Exploit Vulnerability Found In Bash.

Shellshock name spotted on Errata Security (good blog BTW), and the faithful INQ, which shares the cheerful fact that the NIST vulnerability database “rates the flaw 10 out of 10 in terms of severity.”

Update: It looks as if patching servers will be easy – mine is already done. The real problem will be patching devices with embedded Linux. To achieve that the consumer needs (1) to know the device exists, is connected to the internet, and is under your control — all sometimes much less obvious than one might imagine; (2) the device has to be patchable; (3) there has to be a patch; (4) the consumer has to know where to go to get the patch; (5) the consumer has to be able to apply it.

Internet of Things considered dangerous?

Update2: This is a nice test for the Shell Shock / shellshock vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns something like

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

You are fine. But if it says,

vulnerable
this is a test

Then you have the bash bug.
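As an added example (not part of the original post), the same probe wrapped in Python so it can be run from an inventory script: it passes only the probe variable to a fresh bash, then maps the output onto the outcomes the post describes. Note that a bash newer than the first patch round simply ignores a plain variable named x (it only imports BASH_FUNC_x%%), so the warning lines shown above will not appear; the absence of "vulnerable" in the output is what matters.

```python
import shutil
import subprocess
from typing import Optional

# The exact probe the post quotes: an exported variable whose value looks like
# a function definition followed by a trailing command (constructed input).
PROBE_ENV = {"x": "() { :;}; echo vulnerable"}
PROBE_ARGS = ["-c", "echo this is a test"]


def classify_output(stdout: str, stderr: str) -> str:
    """Map the probe's output onto the outcomes described above.

    'vulnerable'     : the trailing 'echo vulnerable' ran (CVE-2014-6271 present)
    'not_vulnerable' : only the harmless command ran; stderr may carry the
                       'ignoring function definition attempt' warning of early
                       patches, or be empty on newer bash that ignores plain x
    'unknown'        : neither marker seen (bash failed to run at all)
    """
    lines = stdout.splitlines()
    if "vulnerable" in lines:
        return "vulnerable"
    if "this is a test" in lines:
        return "not_vulnerable"
    return "unknown"


def run_check(bash_path: Optional[str] = None) -> dict:
    """Run the probe against a bash binary and return a small report."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return {"bash": None, "status": "unknown", "stdout": "", "stderr": ""}
    try:
        # env= replaces the whole environment, so nothing else in the caller's
        # environment can influence what bash sees.
        proc = subprocess.run([bash] + PROBE_ARGS, env=PROBE_ENV,
                              capture_output=True, text=True, check=False)
    except OSError:
        return {"bash": bash, "status": "unknown", "stdout": "", "stderr": ""}
    return {"bash": bash, "status": classify_output(proc.stdout, proc.stderr),
            "stdout": proc.stdout, "stderr": proc.stderr}


if __name__ == "__main__":
    report = run_check()
    print(f"bash: {report['bash']}\nstatus: {report['status']}")
    if report["stderr"]:
        print(report["stderr"].rstrip())
```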

Posted in Software, Sufficiently Advanced Technology | Leave a comment

Gripe (Small)

WordPress released a new version of its TwentyTen theme. Would it kill them to include a changelog?

Posted in Software | 2 Comments

Iodine – Could be Handy

Meet Iodine:

iodine by Kryo

iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.

It runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows and needs a TUN/TAP device. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream.

Compared to other DNS tunnel implementations, iodine offers:

Higher performance
iodine uses the NULL type that allows the downstream data to be sent without encoding. Each DNS reply can contain over a kilobyte of compressed payload data.
Portability
iodine runs on many different UNIX-like systems as well as on Win32. Tunnels can be set up between two hosts no matter their endianness or operating system.
Security
iodine uses challenge-response login secured by MD5 hash. It also filters out any packets not coming from the IP used when logging in.
Less setup
iodine handles setting IP number on interfaces automatically, and up to 16 users can share one server at the same time. Packet size is automatically probed for maximum downstream throughput.

See the README, the CHANGELOG and the man page.

Wiki, bug tracker, source browser and more are available at our trac page. iodine is released under the ISC license.

Test your DNS setup here: http://code.kryo.se/iodine/check-it/

Free wifi in hostile environments like some other universities? And airports and cafes?
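The flip side of the iodine description above is what a tunnel like it looks like to whoever runs the network: one client sending a stream of long, never-repeating names under a single zone, asking for NULL records so the replies can carry a kilobyte of raw payload. As an added example (not from iodine or the post), this Python heuristic scores a constructed DNS query log per client and zone and flags exactly that pattern; the log format, thresholds and the tun.example zone are my assumptions.

```python
import hashlib
import math
from collections import defaultdict


def build_sample_log():
    """Constructed DNS query log (not real traffic): 'epoch client qname qtype' per line."""
    lines = ["1411580000 10.0.0.5 www.example.com A",
             "1411580001 10.0.0.5 mail.example.com MX",
             "1411580002 10.0.0.5 www.example.com A"]
    for i in range(40):  # tunnel-style client: long unique labels, NULL type, one zone
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]
        lines.append(f"{1411580010 + i} 10.0.0.7 {label}.t.tun.example NULL")
    return lines


def shannon_entropy(s):
    """Bits per character; hex-encoded payload sits near 4, ordinary hostnames far lower."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def base_domain(qname, labels=2):
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def find_tunnel_candidates(lines, min_queries=20, min_len=40, min_entropy=3.0):
    """Aggregate per (client, zone); flag NULL-type use or long, high-entropy, non-repeating names."""
    per = defaultdict(lambda: {"n": 0, "null": 0, "len": 0, "ent": 0.0, "uniq": set()})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        zone = base_domain(qname)
        sub = qname[: -len(zone) - 1] if qname != zone else ""  # everything left of the zone
        s = per[(client, zone)]
        s["n"] += 1
        s["null"] += qtype == "NULL"
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
        s["uniq"].add(sub)
    hits = []
    for (client, zone), s in per.items():
        if s["n"] < min_queries:
            continue
        avg_len, avg_ent = s["len"] / s["n"], s["ent"] / s["n"]
        reasons = []
        if s["null"]:
            reasons.append(f"{s['null']} NULL-type queries")
        if avg_len >= min_len and avg_ent >= min_entropy and len(s["uniq"]) / s["n"] > 0.9:
            reasons.append(f"avg label len {avg_len:.0f}, entropy {avg_ent:.2f}, no repeats")
        if reasons:
            hits.append({"client": client, "zone": zone, "queries": s["n"], "reasons": reasons})
    return hits
```

Run it with `print(find_tunnel_candidates(build_sample_log()))`; only the 10.0.0.7 / tun.example pair should come back, with both reasons attached.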

Posted in Software | Leave a comment