| Date: | 2008-09-06 00:21 |
| Subject: | Mail woes |
| Security: | Public |
OK, I've finally lost my patience, both with Google's bug-ridden, feature-lacking IMAP implementation (which stops mbsync working correctly), and with one of the more well-known mail clients, which seems incapable of restraining itself from periodically crapping all over its mailbox files (yes, if I wanted my messages copy and pasted collage-style inside each other, I'd do it myself - probably using vi!)
I don't want to change email addresses or lose my remotely-accessible Gmail archive (the web interface is fine). The obvious alternative is to pull the stuff out and deal with it locally, and my immediate thought was to go back to what I used to do in the dim and distant past: fetchmail and mutt. Now, mutt's default keystrokes are still hardwired into my peripheral nervous system, and probably will be until I die, but fetchmail's configuration syntax isn't, and it seems to have grown even more bloated than it was when I last used it. Plus it means running a local MTA, and exim seems to follow the fetchmail approach to configuration: very flexible, lots of reference documentation, not much chance of getting a working configuration going within an aging hacker's attention span. (I've done battle with exim, and am actually old enough to have worked with smail as well, for my sins. Understanding sendmail, m4 gibberish and all, was actually easier, trust me.)
Of course, after all that's working, I'll probably want to filter as well, which means bolting on procmail, though that at least was reasonably sane last time I used it, and more to the point came with a big manpage full of example recipes.
In my meanderings tonight, though, I've come across fdm, and while it looks like it might have a small learning curve, the ability to eliminate fetchmail, exim and procmail in one fell swoop seems like a good one. I shall report back..
(Really, why is mail so damn complicated four decades after it was invented?)
| Date: | 2008-09-02 10:37 |
| Subject: | |
| Security: | Public |
I can feel myself reaching for the KoolAid. Resist .. must resist ..

Update: Unlike Harry Palmer, I failed miserably. I drank installed. I ran (on XP in VBox I hasten to add.). I rather liked. Very minimalist. Very usable. I will be waiting impatiently for the Linux release ..
| Date: | 2008-08-20 09:17 |
| Subject: | |
| Security: | Public |
--------------------- Fortune Begin ------------------------
Your depth of comprehension may tend to make you lax in worldly ways.
---------------------- Fortune End -------------------------
| Date: | 2008-08-19 14:58 |
| Subject: | |
| Security: | Public |
Dear God.
| Date: | 2008-08-14 00:08 |
| Subject: | |
| Security: | Public |
Trying to read diffs of diffs is a very quick way to turn your brain inside out.
I've been doing it for several hours. You could probably write a very interesting PhD thesis on the current topology of my mind.
| Date: | 2008-08-12 19:09 |
| Subject: | Scum |
| Security: | Public |
It's quite depressing really.
Last night I switched on logging on my router. I thought it might make me feel more relaxed to know that I was in touch with what was happening to the public side of my equipment.
In a little under 24 hours, I've been probed about 1200 times (if you'll excuse the expression.) This is a router offering no services / open ports to the net, on a dynamic IP (ish - the router is up all the time, and so keeps its lease renewed. I guess the only time my IP changes is when I go on holiday.)
That seemed a little excessive for what I'd been thinking of as a quiet little backwater of the internet. Then it occurred to me that actually, I'm connected to one of the biggest ISPs in the UK. I grepped the logs. Yes, it turns out that most of the probes are from the "neighbourhood", other $ISP customers. I'm guessing there are still plenty of worms out there zombifying Windows machines, and that they preferentially seek out nearby victims.
The next step might just have to be to install honeytrap and see what the probes are trying to achieve. Most of them seem to be for Microsoft services, SMB/NMB, DCOM, MS-SQL (is Slammer still out there?) and the like.
| Date: | 2008-08-10 19:18 |
| Subject: | |
| Security: | Public |
Trying to edit iptables firewall rules while drunk .... EPIC FAIL!
| Date: | 2008-08-08 23:35 |
| Subject: | Neo-Luddite-ism |
| Security: | Public |
I have a feeling I'm going to be forced to give up on online shopping. My bank seems intent on forcing me to use Mastercard Securecode (their version of 3-D Secure) this month or next, which I will not because it's a scarily unverifiable heap of shit. Worse, they're switching my debit card from Maestro/Switch (Maestro in the UK isn't really Maestro, just to confuse things) to Visa Delta^W Debit, which presumably means I'll be forced to use Verified by Visa (also 3-D Secure) for debit card transactions as well.
$BIG_UK_BANK, read my lips: I will not type usernames, passwords, or other personal information into pages or iframes that are not hosted on the vendor's or my bank's website. Never, ever. Not however much you tell me it's "more secure." It isn't. One attack on a large vendor's site and we're all fucked. I will not make myself vulnerable.
Anybody want to go back to bartering?
| Date: | 2008-08-08 12:55 |
| Subject: | |
| Security: | Public |
Note to web designers:
You are beginning to lose quite a lot of page views — and goodwill — from me, simply because your crappy coding means that your pages often will not render any readable content at all if one of your unsavoury webbugs or statistics-collecting scripts can't be loaded from a dodgily named unreachable third party server. I'm not prepared to sit around waiting for several minutes for the connections to time out and the browser to finally get around to parsing the rest of your HTML. I have other things to be doing. (Not better things, necessarily, but hey, it's my life <g>)
Foo!
| Date: | 2008-08-08 11:13 |
| Subject: | |
| Security: | Public |
104/104. More than just wrinkles. Lucky, we were ..
| Date: | 2008-08-07 21:40 |
| Subject: | Kaminsky |
| Security: | Public |
Google Docs online version of Dan Kaminsky's PPT slides from BlackHat. Yes, that presentation, finally. So far, I'm at 28/104. There are some interesting new wrinkles ..
| Date: | 2008-08-04 16:38 |
| Subject: | QTFairUse |
| Security: | Public |
I missed this news; looks like Jobs sent in his heavies to beat up the hymn-project.org guys, and QTFairUse is gone.
Of course, I'm a paranoid back-up freak, so I still have a copy. If anybody wants it, shout.
Bear in mind that it doesn't work with iTunes >= 7.6, so you might want to hold off upgrading until you've got all your music ripped into a reasonably open format.
| Date: | 2008-08-03 23:00 |
| Subject: | |
| Security: | Public |
Another one down: Solzhenitsyn is dead.
| Date: | 2008-08-03 18:35 |
| Subject: | Yet more on the fscking DNS issue .. |
| Security: | Public |
Dan Kaminsky spoke. I doubt there is much more to come than this.
I still think there needs to be more checking in resolvers, even once source port randomization is rolled out (seven years too late.)
This is the scenario Kaminsky paints:
"But [the attacker] can run as many races as he wants. And eventually, he’ll win one of them. And when he does win — when the bad guys [sic] guesses the secret number from 0 to 65536 — he won’t just provide an answer for the random name that won. He’ll simply feign ignorance: '83.foobar.com? I don’t know, ask www.foobar.com, here’s its address. Oh, and remember this for the next week.'"
Let's consider this:
- For this attack to work, we're almost certainly querying what (we think is) the authoritative server for foobar.com. Yes, people do sometimes chain forwarding resolvers, but it's not common. 1 stub, 1 recursive resolver, and then the cloud of authoritative servers, is the common scenario.
- If we're asking (what we think is) the authoritative server for foobar.com for the address of 83.foobar.com, we should damn well expect it to know the answer, unless this is a sub-zone. For example, ucl.ac.uk used to (and probably still does) do DNS for all of ucl.ac.uk except cs.ucl.ac.uk, which was trusted as competent enough to run its own DNS (the Comp. Sci. guys at UCL are pretty practical. It is generally safe to let them near functioning computer systems <g>)
- If it is a sub-zone, it wouldn't be utterly unreasonable to expect the servers for the sub-zone to be within that sub-zone, or to do a further verification query if not. This way, Kaminsky-like attacks can only pollute cache records in the (non-existent) subdomain.
I don't expect this sort of checking to actually happen. It may or may not cause breakage (I suspect not that much), but people are notoriously conservative about meddling with critical bits of the infrastructure, however sensible it might in reality be to knuckle down, make the changes (and deal with the inevitable cock-ups) now, instead of ignoring the problem for another couple of years, and then panicking wildly when the next "unpredictable" real-world crisis comes up — after all, sensible humans would by now have implemented Kyoto, and probably also IPv6 ;-).
It is of course just possible I'm talking (and thinking) utter crap, but the fact that the few people who bother to engage me at all on this one go silent after a couple exchanges, rather than coming back with a withering one line explanation of what I've misunderstood, rather suggests to me that they're not "getting it."
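The referral check proposed in this post, as an added example (not the author's code and not any real resolver's logic). The function names, the three verdicts and every sample record are assumptions constructed for illustration; `ns1.cs.ucl.ac.uk` and the addresses are made up.

```python
# Added example: a resolver-side check on referrals, as sketched in the post.

def norm(name):
    return name.rstrip(".").lower()

def within(name, zone):
    """True if name is at or below zone, compared on whole labels."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def check_referral(asked_zone, qname, cut, ns_targets, glue):
    """Judge a referral from a server we believe authoritative for asked_zone.

    cut         owner name of the NS records in the authority section
    ns_targets  name servers the referral points at
    glue        {name: address} taken from the additional section
    Returns (verdict, glue_to_cache, names_to_verify).
    """
    is_subzone = within(cut, asked_zone) and norm(cut) != norm(asked_zone)
    if not is_subzone or not within(qname, cut):
        # The server we asked should know the answer itself: not a delegation.
        return "reject", {}, []
    glue = {norm(k): v for k, v in glue.items()}
    cache, verify = {}, []
    for ns in map(norm, ns_targets):
        if within(ns, cut) and ns in glue:
            cache[ns] = glue[ns]   # can only affect names inside the sub-zone
        else:
            verify.append(ns)      # out of sub-zone: ignore glue, query again
    return ("verify" if verify else "accept"), cache, verify

# Constructed responses. First: the quoted scenario, where the "referral" for
# 83.foobar.com points at www.foobar.com and supplies an address for it.
KAMINSKY = check_referral("foobar.com", "83.foobar.com", "83.foobar.com",
                          ["www.foobar.com"], {"www.foobar.com": "203.0.113.66"})
# Second: the same trick with the NS records owned by foobar.com itself.
SELF_REF = check_referral("foobar.com", "83.foobar.com", "foobar.com",
                          ["www.foobar.com"], {"www.foobar.com": "203.0.113.66"})
# Third: a genuine sub-zone whose name server lives inside the sub-zone.
SUBZONE = check_referral("ucl.ac.uk", "www.cs.ucl.ac.uk", "cs.ucl.ac.uk",
                         ["ns1.cs.ucl.ac.uk"], {"ns1.cs.ucl.ac.uk": "192.0.2.53"})

if __name__ == "__main__":
    for label, result in (("kaminsky", KAMINSKY), ("self", SELF_REF),
                          ("subzone", SUBZONE)):
        print(label, result)
```

In the first case the supplied address for `www.foobar.com` is never cached; the name goes on the list for a separate verification query, which is the extra step the post asks for.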
| Date: | 2008-08-02 22:30 |
| Subject: | |
| Security: | Public |
This evening my car audio system locked me out. No play/pause, no volume control, not even "off."
The volume you want when you're doing 60 on a straight country road with the windows down is less than ideal five minutes later when negotiating the town centre with its standard assortment of crappily laid out mini-roundabouts, illegally parked cars, and the usual contingent of suicidally reckless pedestrians, cyclists, and other drivers.
Turning the ignition off while the car was moving didn't seem like a sensible option.
My hearing is now beginning to recover.
I hate hardware.
| Date: | 2008-08-01 23:36 |
| Subject: | Humour |
| Security: | Public |
The last joke mentioned is actually rather funny.
For the others, I suspect you had to be there .. that, or they've lost something in translation.
| Date: | 2008-07-30 21:37 |
| Subject: | |
| Security: | Public |

| Date: | 2008-07-28 16:59 |
| Subject: | OpenWRT r0x0rs ;-) |
| Security: | Public |
steved@xubuntu:~$ ssh root@router
root@router's password:
BusyBox v1.4.2 (2007-09-29 09:01:24 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:~#
| Date: | 2008-07-28 10:39 |
| Subject: | Is there anything ... |
| Security: | Public |
.. that isn't going to happen in (or around) 2012?
Exhibit 1:
http://news.bbc.co.uk/1/hi/technology/7528396.stm
Exhibit 2:
http://entne.jp/tool/toollist/index_en.html
| Date: | 2008-07-24 22:43 |
| Subject: | Obscureness |
| Security: | Public |
Posted with the power of PPPoA -> PPTP relay ...
.. or to put it in other words:
"Fuck me .. it works!"