Archive

Software

I recently ran into this bug (or maybe just „weird, undocumented behavior“) of mc(1) when setting it up on FreeBSD. Even after saving the „Verbose operation“ option in the „Configuration“ menu, it was always disabled after the next startup of mc. I could confirm that verbose=true got set in the $HOME/.config/mc/ini file (probably $HOME/.mc/ini on Linux), but was ignored (or reset) on startup.

Now, „Verbose operation“ makes all those nice progress bar windows pop up, and without it there’s no point in using mc! So what’s going on here? Apparently, mc checks your terminal’s reaction speed in terms of „baud“, like it’s 1997 and we’re running stuff on serial cables or something. If mc finds that your terminal is too slow, you don’t get any progress bars (awww), because your terminal apparently can’t handle it.

Now, under some circumstances, some terminals don’t report a proper baud speed – maybe because it’s not 1997, and we’re not running stuff on serial cables. In these cases, the function tty_baudrate() returns -1, which I guess should alert programs that the value is useless. But Midnight Commander just asserts that this value is smaller than 9600 (duh!) and always sets verbose=FALSE; on startup, because your serial cable is too thin. Gotcha!

The bug has been known and ignored for 6 years (mc Trac ticket #2452), but I can confirm that the patch proposed in comment #15 does the trick. I’ve submitted it to the maintainer of the mc port in FreeBSD, and maybe you want to go and bug mc people to fix it or get your distro to incorporate the patch – because who on earth would want to use Midnight Commander without those progress bars, am I right?!

If you have LUKS partitions on gpt-partitioned drives, you might have noticed that cryptsetup doesn’t handle PARTUUID=[…] entries in /etc/crypttab, even though it does understand the traditional UUID=[…]. There’s an Ubuntu bug for this (since 2010, because that’s how much Ubuntu cares about bug reports), and apparently Arch is patching cryptsetup to make it work.

But it turns out there’s an elegant workaround for everyone, as inspired by this Debian mailing list post, where a user has /dev/disk/by-id/[…] entries in their /etc/crypttab. /dev/disk is just the most delightful symlink squaredance! If you don’t know about it yet, just ls -lR /dev/disk and prepare to be amazed 🙂

So, to make cryptsetup correctly parse the gpt partuuid of your drives, just use /dev/disk/by-partuuid/[…] symlinks in /etc/crypttab. Here’s an example of such a setup:

root                     UUID=00000000-[…]-444444444444 none luks
backup0 /dev/disk/by-partuuid/55555555-[…]-999999999999 none luks
backup1 /dev/disk/by-partuuid/aaaaaaaa-[…]-eeeeeeeeeeee none luks
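The same substitution applied to an existing file, as an added example that is not part of the original post: the first function rewrites PARTUUID= source fields in a crypttab to the by-partuuid symlink form, the second lists entries whose symlink is absent. The function names are hypothetical, and the root-prefix argument is an assumption made so the check can run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the crypttab in $1 with every PARTUUID=<id> source field (field 2)
# rewritten to /dev/disk/by-partuuid/<id>. Comments, blank lines and all other
# entries are printed unchanged; rewritten lines are re-joined with single
# spaces, so column alignment is lost on those lines.
crypttab_rewrite_partuuid() {
  awk '
    /^[ \t]*(#|$)/ { print; next }
    $2 ~ /^PARTUUID=/ {
      id = $2
      sub(/^PARTUUID=/, "", id)
      $2 = "/dev/disk/by-partuuid/" id
    }
    { print }
  ' "$1"
}

# Print the name (field 1) of every entry whose by-partuuid symlink does not
# exist. $2 is a root prefix: empty on a live system, a scratch directory when
# checking a mounted image or a constructed test tree.
crypttab_missing_devices() {
  crypttab_rewrite_partuuid "$1" | awk -v root="$2" '
    /^[ \t]*(#|$)/ { next }
    $2 ~ /^\/dev\/disk\/by-partuuid\// { print $1, root $2 }
  ' | while read -r name path; do
    [ -e "$path" ] || echo "$name"
  done
}
```

Review the output of crypttab_rewrite_partuuid before replacing /etc/crypttab with it; an entry reported by crypttab_missing_devices will not unlock at boot.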

Have fun!

German freemail heavyweights web.de and gmx.net (several millions of users combined) are using deceptive techniques in order to manipulate Firefox and Chrome users into removing AdBlock and its variants. This message is displayed for people with the respective setup:

The yellow bar is part of the website (it even scrolls with the site). It says:

The security of your computer is compromised by a Firefox Add-On. [Restore Security]

Clicking the fake button or the „Further information“ link takes the user to a shady-looking website charmingly named browsersicherheit.info (browser security dot info).

This site imitates the look of Chrome’s browser settings and uses a seemingly objective and caring tone, explaining how „content manipulating browser add-ons“ pose an enormous security risk. It also contains a surprisingly short list of allegedly „known malicious browser add-ons“:

Note how AdBlock and several variants of it are shown at the top of this list, described as „filters page contents“. Every user of AdBlock is aware that it filters contents—that’s its purpose. Still, this list is obviously supposed to cause insecurity and fear, especially since the same list contains obscure and dubious sounding add-ons. Many of them are described as „inserting external elements like advertising“. One, ironically, is accused of „creating false security alerts“.

Otherwise, the page purports to be a well-meaning security initiative. Only the legally-mandated and well-hidden Contacts page shows that 1&1 Mail & Media is behind it. The 1&1 DSL and hosting franchise is part of the German United Internet company, which in turn owns web.de and gmx.net. A press release at gmx.net praises it, but gmx.net is not named as part of this „program“ anywhere on the site. However, in the ridiculously short „press comments“ section, gmx.net and web.de appear as two out of three sources (the third being a nasty tabloid’s computer spinoff magazine).

This practice is all the more malicious, as it has taken years to establish that browsers show meaningful security notifications, and to get everyone’s parents to actually read and follow them.

Apparently, the Mozilla security team is looking at the situation, which I’m very grateful for.

Find a short English summary of this article here:
German freemail sites trick Firefox & Chrome users into removing AdBlock

GMX and web.de are currently showing this message to users who have AdBlock installed:

A click on „Further information“ leads to the enormously dubious-looking site browsersicherheit.info. There, screenshots explain how users of Firefox and Chrome on various operating systems can uninstall, above all, AdBlock in its different variants. In particular, this „blacklist“ is displayed:

In the site’s legal notice (Impressum), „1&1 Mail & Media GmbH, Zweigniederlassung Karlsruhe“ acknowledges authorship. Indeed, 1&1 belongs to the German corporation United Internet, as do web.de and GMX.

This whole stunt is a targeted manipulation of inexperienced and trusting Internet users, meant to get them to delete ad blockers so that advertisements can be sold undisturbed.

First: The message gives the impression of being displayed by the browser itself. Users associate a yellow bar above the displayed page with browser notifications, especially since the color yellow looks completely out of place on the GMX site, for example. In this respect, GMX and web.de present the user with a fake browser message that they generate themselves. The message also has an objective, matter-of-fact tone and gives no hint that it merely reflects a recommendation – a wish! – of the site operators. In this respect, too, the browser’s own notifications are imitated with deceptive intent. The site browsersicherheit.info likewise does not reveal (except behind the well-hidden „Impressum“ link) that it was created by United Internet, but hypocritically cites GMX and web.de as two of three „press comments“.

Second: Which extensions are being targeted? Supposedly „page-manipulating“ add-ons. That’s true, AdBlock does in fact manipulate the pages my browser shows me, namely by hiding the annoying ads. That is its job. Of course, it still sounds evil at first. As an alibi, a few real adware extensions are then also named, among them such obscure, unknown candidates as „JollyWallet Bar“ and „SuperFish“, as well as – oh, the irony! – „getSavin“, which „creates false security alerts“! So the user thinks: Aha, so these plugins insert ads without asking, and that one there even manipulates me – how evil! Then the „page-manipulating add-ons“ at the top of the list must surely be just as evil. I’d better uninstall AdBlock – and bam, he is shown unsolicited advertising again, but this time from web.de and GMX again.

Third: Who benefits from this circus? Quite clearly, first and foremost United Internet, whose ad sales are apparently dwindling because responsible Internet users have the ads hidden. Does it also benefit the people browsing? Well – it is quite true that there are security problems in the area of browser plugins. But why, out of the thousands of „page-manipulating add-ons“ out there (besides a few alibi candidates), are precisely those being fought that:

  1. are widespread in Germany,
  2. enjoy great trust, and
  3. spoil United Internet’s advertising revenue?

What about other widespread, page-manipulating add-ons such as NoScript, Ghostery, DownloadHelper, Firebug, etc.? Have all of them been individually tested by United Internet and do something more correctly than AdBlock, or are they simply irrelevant in the fight over advertisements?

Conclusion: This campaign „for the benefit of security“, for which United Internet even celebrates itself, is a poorly disguised attack on Internet users’ autonomy to free themselves from advertising. It proceeds manipulatively and abuses the trust of users who rely on what their browser (supposedly!) recommends to them. This is particularly perfidious in that only in recent years have users become accustomed to heeding their browsers’ simply worded security notices, which usually do in fact bring a security gain.

And United Internet will probably succeed with this devious strategy and put a noticeable damper on the use of AdBlock (at least among its own visitors). We can already look forward to calls from our parents: „Some message came up saying my browser was insecure!“

Updated 2017-03-06: Now properly handles oldmail files to avoid multiple downloads of old mail when calling different sets.

Faced with a growing number of mailboxes to fetch messages from, I devised a little script to help me easily manage lots of accounts with getmail. It was inspired by this post from Charles Cazabon, the developer of getmail.

The advantage of this solution is that you need to create, name and manage getmail’s rcfiles for different mailboxes in one place only, without modifying other scripts, crontabs or whatever.

First off, this is the folder structure I created. It may remind you of the old /etc/rc.d/ folder structures that were common for system start scripts before we had upstart and all this modern whoop-de-do:

.getmailsets
├── set-all
│   ├── rc.blog
│   ├── rc.freemail
│   ├── rc.provider
│   ├── rc.uni
│   └── rc.work
├── set-often
│   ├── rc.provider -> ../set-all/rc.provider
│   ├── rc.uni -> ../set-all/rc.uni
│   └── rc.work -> ../set-all/rc.work
├── set-rare
│   ├── rc.freemail -> ../set-all/rc.freemail
│   └── rc.blog -> ../set-all/rc.blog
└── set-important
    ├── rc.uni -> ../set-all/rc.uni
    └── rc.work -> ../set-all/rc.work

.getmail/ -> .getmailsets/set-all/

All the getmail-typical rcfiles live in the .getmailsets/set-all/ folder, which is symlinked to .getmail/. This ensures that things will work like any normal getmail setup whenever you don’t use the sets.

Specific sets of rcfiles are defined by folders with a corresponding name and contain links to the actual rcfiles in the „all“ set.

This is the script that puts this structure to use. I call it checkmail:

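#!/bin/bash

RCPATH=/home/myself/.getmailsets
RCSET=$1  # first argument names the set,
shift     # then gets deleted

RCARGS=()
for F in "$RCPATH/set-$RCSET"/rc.*; do
  # an unmatched glob stays literal; skip it (dangling links still pass)
  [ -e "$F" ] || [ -L "$F" ] || continue
  RCARGS+=(--rcfile "$(basename "$F")")  # prepares --rcfile args
done

if [ "${#RCARGS[@]}" -eq 0 ]; then
  echo "checkmail: no rcfiles found in set '$RCSET'" >&2
  exit 1
fi

# "$@" holds all the (remaining) arguments to the script.
# --getmaildir makes sure getmail always uses the same oldmail-* files.
exec getmail "$@" --getmaildir "$RCPATH/set-all/" "${RCARGS[@]}"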

You use checkmail by calling it with the set name as the first argument, and any arguments you want to pass on to getmail, like in these examples:

$ checkmail all -q
$ checkmail important -v
$ checkmail rare -q -d

And these calls, of course, are what you want to place in your scripts, shortcuts and whatnot. You can then manage the set contents or rename the rcfiles in your .getmailsets without changing any of the scripts. How about, for example, a button on your desktop that runs:

$ ssh mailserver "checkmail important -v"

The script is also ideal, of course, for your crontabs. Here’s an example of my configuration:

*/5  0-3,9-23  * * * checkmail often -q
  0      8-23  * * * checkmail rare -q

Since $HOME/.getmail/ is symlinked to .getmailsets/set-all/, you can also call getmail for any single mailbox like you ordinarily would:

$ getmail -r rc.work
$ getmail -vr rc.uni
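A consistency check for the set folders, as an added example that is not part of the original post. Because checkmail hands getmail only each link’s basename together with --getmaildir set-all/, what getmail opens is the file of that name in set-all; the check therefore reports set entries whose name has no counterpart there, or which are not actually links to that file. The function name and the two problem labels are hypothetical.

```shell
#!/bin/bash
# Added example, not from the original post. Names are hypothetical.

# Report set entries that would make checkmail fetch the wrong mailbox or
# fail. $1 is the .getmailsets directory. Prints one "<problem> <path>" line
# per finding and nothing when every set is consistent.
getmailsets_lint() {
  base=$1
  for entry in "$base"/set-*/rc.*; do
    # An unmatched glob stays literal: skip it, but keep dangling symlinks.
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    # set-all holds the real rcfiles, nothing to verify there.
    case $entry in "$base"/set-all/*) continue ;; esac

    # checkmail passes only the basename, so this is the file getmail reads.
    real="$base/set-all/$(basename "$entry")"
    if [ ! -f "$real" ]; then
      # e.g. the rcfile was renamed in set-all but the link name was not
      echo "missing-in-set-all $entry"
    elif [ ! "$entry" -ef "$real" ]; then
      # a copy, a dangling link, or a link to a differently named rcfile
      echo "not-linked-to-set-all $entry"
    fi
  done
}
```

Running it after every rename in set-all catches stale links before the next cron run of checkmail does.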

In my university’s research group, there’s a traditional weekly seminar known as „Kaffee und Technik“, where people will show each other tricks and methods they learned in the course of their research. Recently having taught myself a working knowledge of simple binary data storage and readout with Python, I compiled a little lecture on the subject.

Hoping that someone out there might also find this useful, I’m posting my slides here:

In case you’re wondering: The editor I am using is wxHexEditor. I found it to be a very good hex editor, with many more capabilities than most others out there. It is actively being developed and works equally well on Windows and Linux. It even compiled without any dependency hassle on an oldish system of mine.

So, if you’re looking for a good hex editor, try wxHexEditor. The project’s homepage is somewhat of a hassle to navigate around, but it’s definitely worth it.

28c3 was my first Chaos Communication Congress, and it was an awesome experience. I loved the atmosphere, dominated by what might be called the hacker way of life. Stuff didn’t start before 11 AM, and few people went to sleep before 4 AM. There was plenty of Mate for everyone, and I slept in a frickin‘ ball pit! I also got to know a bunch of cool people, took my first steps in the sport of lockpicking and made an acquaintance that may prove very fruitful for my university studies. Also, I got to play in both the Pentanews Game Show and Hacker Jeopardy, and I gave a Lightning Talk!

I called the Lightning Talk Life Hacking: Personal Finance Logging for Fun and Profit, and in it I talked about how I have been keeping track of all my private incomes and spendings for five years. Boring as it may sound, this actually produces a lot of useful data over the course of time, and being a physicist, I love to play around with data and statistics. The amazing video crew of 28c3 has uploaded separate videos of all the Lightning Talks to Youtube, and here’s mine (I also have the slides right here):


As for KMyMoney, the software I used: You can visit their project site to download it, but you will probably also find it in most distributions‘ repositories. As @Scheneiderlein42 has reported on Twitter, it will also run on Mac OS X using Macports. As for Windows, there is no sure way, but there seem to be several possible avenues: a) Downright installing KDE on Windows: see this guide, b) using a lightweight Linux for use with Windows running as described here, and then there’s an Australian guy pledging to build a Windows port, and you can sign up for notifications on his progress here.

If you’ve done interesting stuff with KMyMoney, or your favorite personal finance software, or if you know a way to use them on other platforms than described, or how to use them efficiently and with even more fun, post a comment!