Some evil nasty cold callers who want to sell us windows and doors have been on the phone for a third time. Previously they have been cagey and haven t given away any information that could identify them, except the name Status . They always claim to have made an appointment with the homeowner (that s me) to call (which is a lie) but can never say who arranged the appointment because it s not on the file (probably the only true thing in the conversation). We re listed at the Telephone Preference Service so this kind of call shouldn t be arriving in the first place. However, the TPS gives very little recourse to subscribers when companies ignore it and call anyway. Tonight I thought I d got somewhere by feigning interest and getting a phone number out of them while I have a think about whether to replace our windows. That s one piece of information I can access to make a start on finding out who they are. I was so surprised to get an answer straight away that I didn t bother to gather anything else. The number is for the regional branch of a well-known national children s charity.

---

Cold caller: 1, jmw: 0 is a post from: jwiltshire.org.uk Flattr

Charlie s birthday present this year, it being an important year: I chose Wickers World for the flight, since they have sites nearby and seemed the most professional. We were lucky enough to fly on the first attempt and had beautiful weather, although there was rain behind us.

---

Ballooning is a post from: jwiltshire.org.uk Flattr

From time to time it occurs that two people answer a mail in the same way where one would do closing an unblock request, for example. When this almost happened on debian-release the other day I amused myself by dreaming up an SMTP header that would prevent such embarrassment. I wasn t being serious in the slightest, but nevertheless X-RaceProtection was born (and it turns out at least one resident of a certain IRC channel thought I was).

X-RaceProtection can be a message identifier or the simple value yes and is intended to prevent duplicate replies to, for example, mailing lists. When set as a mail ID, list software should silently drop the message being delivered if the identified message has already received a reply that is, another message quoting that ID in In-Reply-To. If X-RaceProtection is simply yes , the mail ID of In-Reply-To for the message being delivered is used, providing a shortcut.

This means you can set X-RaceProtection when replying to a mail where there is a chance of collision. If someone beat you to it, there is no embarrassment at your mail arriving with a later timestamp. If someone fancies implementing this for smartlist/debbugs, please be my guest!

---

X-RaceProtection: yes is a post from: jwiltshire.org.uk Flattr

1. It is important to rehearse your space carefully. Find a quantity of friends equal to the attendees you expect, lay out the intended room, and check that everybody has free and easy access to their chair.
2. Invest in a decent access point and some power strips with a decent cord length.
3. Relax. I cannot stress enough the importance of this step!

---

Tips for a successful BSP is a post from: jwiltshire.org.uk Flattr

Building things is fun, but sometimes it s nice to have a little light relief with a sledgehammer. Saturday was one of those occasions; there is was a decorative wall in the corner of our lounge. It should have died about thirty years ago and I ve hated it ever since we moved in a year ago. First job was to remove the sockets and cable running up the side, which was a nice surprise in itself: Looks like whoever installed it believed that mastick and wallpaper is a suitable covering to stop drill bits. Hmm. Next we could take out the wall itself. In this case the wooden top was sealed down with more mastick and supported by piles of bricks, then the wall had been secured with concrete and not proper mortar. Fortunately a good sledgehammering soon took care of that: Those bricks truly were hideous, and they are all around the dodgy gas fire and another similar feature in the opposite corner of the room. Incidentally, the newly-revealed carpet in the void should also have died in the seventies (it went straight into the skip), but at least now we have some understanding of the mysterious wallpaper we found under the stairs. Finally we had enough room to work with surface trunking (a temporary housing until the gas pipe is removed and we can bury the cables properly): And the final result, with the sockets moved to a more sensible level and the cable properly protected, new LightwaveRF sockets in the corner and a shiny new aerial point ready for cabinets to go into the gap:

---

13/08: A couple of people pointed out that in the first photo, the offending cable is in a protected zone. This is true, but it wiggles half way round the room from the CU in a similar fashion first sometimes in trunking, sometimes clipped to the fireplace, and sometimes masticked and papered flush with the plaster surface.

---

From building to demolishing is a post from: jwiltshire.org.uk Flattr

When I first undertook the tracking of minor security fixes in point releases, I quickly out-scaled flat text files and a good memory. A Python library and sqlite database helped automate sending notifications and keeping tabs, but the manual work associated with tracking incoming bugs from the security team, applications to and responses from the release team, and the action or inaction of maintainers was still too time-consuming to be useful. This weekend I deployed pyprsc2, with a public view at http://prsc.debian.net/tracker/<bug>. I had planned to do this at Debconf12, but given the circumstances still, it needed doing anyway and what better time? Result: my work now involves adding tracks where required; keeping an eye on the notified list for manual prods; and after a point release, archiving the included bugs and updating the suite version numbers. Bliss. Features:

• automatic sync of metadata for new tracks
• automatic detection of bugs closed from unstable
• automatic notification (and unarchive if required)
• automatic, though manually triggered, prods
• automatic detection of stable/oldstable upload and RT acceptance
• public view of bug status, e.g. http://prsc.debian.net/tracker/660650

Todo:

• finish the views so that bug lists work, as well as detail
• add process documentation pages
• iron out the mailing so bugs.debian.org doesn t throttle back submissions
• add ways to permit more contributors
• refactor where required; this was a learning exercise too
• publish the code

Technical: prsc.debian.net leverages large parts of the Django MVC framework in fact, this was really a learning exercise in disguise since I want to use Django on some more complex projects later. BTS synchronisation is handled by python-debianbts, and synchronisation with proposed-updates is through XML and lxml/objectify (thanks to the release team s awesome XML queue viewer and Adam adding bug numbers to it). Since this was a learning exercise, some of the Python is probably questionable at best and downright wrong at worst, so it probably needs some work still.

---

Point Release Security, Reloaded is a post from: jwiltshire.org.uk Flattr

For two years I have been very fortunate indeed to be fully sponsored for travel and accommodation at DebConf once on the Newbies programme, and once from normal funds. However, considering the cost this year (at least $1,000 in travel expenses) and of personal circumstances, which are not favourable, I am reliant on sponsorship this year even more than others. However, although I have accommodation sponsorship this year I am still waiting to hear about travel. The local team have said they hope to provide details by 20th June, but it s really too late by then there is time off from work to arrange, flight tickets to purchase, vaccinations to have, and of course I could really do with not having to lay out that much money in the first place, even if it s to be reimbursed later. So at this stage at least, I am sad to say that I think it unlikely I will be there. I m looking forward to Switzerland though; this time there might be two of us.

---

I m probably not going to DebConf12 is a post from: jwiltshire.org.uk Flattr

---

Cambridge BSP is a post from: jwiltshire.org.uk Flattr

Recently I had need to re-purpose a server and for convenience, I decided to do a complete wipe and reinstall since it had previously been used for all sorts of package testing, experiments, dak debugging, the list goes on. I took a careful backup and then cooked up some USB installation media, but it took so long to boot (USB1.1, yay) I ran out of time before the building was locked. Since this box has two hard disks, and not being one to back down from a challenge, I eventually reinstalled it over the weekend with nothing no install media, no reinstall robot or intelligent hands just a reliable internet connection and a healthy dose of courage. Here s how. Target: reinstalled machine with the same network settings, ssh host keys, and other minor configuration ported. The disk layout is to be RAID-1 containing LVM, with separate /var volume and separate /boot partition, also RAID-1.

1. One disk in the box contained old data, so I cleared that out and wiped it (including the MBR for good measure) and partitioned it.
2. I set up a degraded RAID-1 array for a small /boot partition, a large RAID-1 array for the LVM and a swap partition.
3. I mounted the new partitions in the correct layout in /mnt and used debootstrap(8) to get a very basic root set up. I also bind-mounted /sys, /proc, /dev and /dev/pts for now, they can be done properly when the root is a bit more mature.
4. Next, I copied into the new root /etc/apt/sources.list and chroot(8)ed into it. Now I could apt-get update and tasksel install standard to get an almost fully-functional base system. At this point it is also sensible to install locales, tzdata and console-data and dpkg-reconfigure them, followed by mdadm and lvm2 if required and openssh-server so you can get back in after rebooting. Some or all of these may already be installed by tasksel.
5. Time to install a kernel before leaving the chroot: apt-get install linux-image-2.6, followed by grub-pc which should detect both installations and set up menu entries for them.
6. Back in the old system, I copied in the network, hosts, resolv and hostname configuration files, and set up /etc/fstab to my liking.
7. Install grub to both hard disks if it isn t already so (dpkg-reconfigure grub-pc) and again check that it detects both installations and creates the right menu entries. At this stage, booting from either hard disk will allow the loading of either the new or old installations, which is exactly what we want. It s now time to umount the new installation.
8. Now I followed the excellent guide for remote kernel upgrades at http://ariekanarie.nl, except in this case we are using the same method to try booting the new system and fall back to the old one if it s a disaster.
9. Reboot and hope!

At this point I rebooted to find myself back in the old kernel, which was disappointing this means the new kernel has panicked and rebooted, and grub has fallen back to the old system (exactly as planned). It turned out there was nothing in /dev at boot time, and udev doesn t start early enough to populate it before panic. That s easily solved by mounting the installation again and using MAKEDEV as a seed.

10. With a bit of luck, you re now in the new installation and can dpkg-reconfigure grub-pc again to install grub to both hard disks again. This isn t strictly necessary, but it records this choice in debconf so future upgrades will automatically upgrade the bootloader everywhere it s needed.
11. Now I could do some tidying up, mount the old installation and copy over all the data I wanted, and after careful checking wipe the first disk clean ready to be added into the RAID arrays.
12. Finally, add the old disk to the RAID arrays so they are fully redundant.

Sources:
http://www.michael-hammer.at/server_config/debootstrap/
http://d-i.alioth.debian.org/tmp/en.i386/apds03.html
http://www.debian.org/releases/stable/amd64/apds03.html.en
https://wiki.archlinux.org/index.php/Convert_a_single_drive_system_to_RAID
http://ariekanarie.nl/archives/211/remote-kernel-upgrade-with-debianubuntu-and-grub2

---

Reinstalling at arm s length is a post from: jwiltshire.org.uk Flattr

So, I got enough of the requisite sponsorship and finally booked some flights

---

DebConf 11 is a post from: jwiltshire.org.uk Flattr

Matt Brown writes about StartCom, the Israeli issuer providing basic SSL certificates for nothing. In fact I ve been using StartSSL certificates for about three years now, but I get them issued to Level 2 verification which incurs a fee. (It s more expensive now than when I was first validated, but still good value.) StartCom are the only issuer I ve ever dealt with who work like this. They validate the individual, using:

• two forms of government ID
• third-party background checks
• telephone verification at a number of their choosing, based on the checks

This makes me trust them far more than other issuers, who don t bother with any meaningful validation at all. Their approach is to establish identity, then allow you to:

• validate domains and issue as many certificates as you wish, valid for two years, including SAN and wildcard certificates
• validate email addresses and issue X.509 certificates in your name
• issue code signing and XMPP certificates
• undertake stringent Organisation Validation, and then issue certificates in a company name as well as an individual
• validate other individuals with a web-of-trust arrangement, like CACert
• undergo Extended Validation and issue EV certificates
• if you have an unspecified amount of money, become a private CA yourself

Although this doesn t make up for trust (the presence of an SSL certificate doesn t guarantee the data you send is safe upon arrival) it does make me much happier to see a CA taking proper verification measures instead of just handing out certificates at random and it s much cheaper for me too, being verified once and then issuing as many certificates as I need. Highly recommended. *that is, more trustworthy

---

StartSSL: finally, a trustworthy certifier* is a post from: jwiltshire.org.uk Flattr

For many months I ve wondered what would happen if one completed half a census return online and half on paper. Tonight, finally, I get to find out. (for international readers: it s the night of the U.K. census, which with a little imagination has the potential for all sorts of fun.)

---

A little civil disobedience is a post from: jwiltshire.org.uk Flattr

I ve had a very courteous email from one of the founders of ALLOW, following my analysis of their password reset procedure.

Thank you for your feedback regarding the security of our platform. We are constantly reviewing these processes and regard our members security as paramount, whilst ensuring our processes are navigable to the majority of the UK. We have had the platform professionally penetration tested but your email demonstrates an excellent understanding of the challenges and we would welcome your suggestions on our options of improving the password reset process. We will be extending our SSL certificate to the publicly accessible website and please be assured that this is held on a different architecture to that of the Member application.

This is very promising!

---

Response from ALLOW Ltd. is a post from: jwiltshire.org.uk Flattr

I was interested to hear about a company here in the UK called ALLOW Ltd., offering marketing database management under a we ll get you off lists, then pay you to go back on at your pleasure basis. That sounds a fair deal to me, so I decided to sign up for it.

Our technology is built using some of the best and most secure tools in the industry. We have partnered with infrastructure providers who handle some of the most sensitive data in the UK (such as medical and financial records). Both the digital and physical security measures we have implemented are amongst the strongest available anywhere. This includes full encryption of all data at all times, full implementation of secure socket layers, security certificates and physical restriction of access to the data, our servers and our offices. Our systems have been fully penetration tested (that means we ve asked people to try and break in).

(There are other suitable assertions in various places they even have a set of principles about safeguarding data.) Unfortunately, this promise is rather undermined in several ways after noticing the first couple, I did a little digging to see what else was exploitable. Here s the final part of the joining process, where you choose a username and password combination: The text I ve cropped too eagerly says Choosing a secure password is an essential part of protecting your personal information , or thereabouts. I duly chose a complex password that fitted the requirements, and to my surprise it was rejected. I tried another, and it was rejected; then a third and a fourth. By trial and error I worked out what was going on: 1. The password must contain only the listed special characters, not just include one of them. That s a bit of a problem, because even assuming a basic ASCII set, 15 characters are unavailable to users; 80 are left, so that s about a 15% fall in the available combinations*. Not a good start. More concerning is the presence of a security question field. It s used for resetting the password in the event losing it, but this technique for recovery has long been ridiculed the shared secret is often common knowledge amongst friends, and sometimes (as in this case) the available questions are fairly easy for an attacker to find the answer to in public records or solicit from the victim without arousing much suspicion: 2. The security questions available include First pet s name and worse, First school name . It s pretty pointless enforcing stringent password requirements, and then bypassing them with something so susceptible to a dictionary attack. I was pleased to find that failing to log in to an account more than a few times results in a temporary lockout, which should deter casual brute force attacks. But I wanted to know how that security question would be used, so I forgot my password and followed the links to reset it. Here s the form: Actually the first form, not shown here, initially just asks for a username, giving an error message if it isn t registered, and here s another problem: 3. The password reset process confirms the existence, or non-existence, of a given username half the credentials required to log in to any visitor. I d be prepared to take a bet that most users will choose What was the name of your first school? as a security question. The first pet you have is often at such a young age you can t remember it clearly; the name of the street you grew up on might change a couple of times if you moved house. But first school I attended? I ll never forget that, so it makes most sense to use as a backup password . It s also the best one for an attacker to try and find out from public sources. But that aside, as you can see the password is not generated at random and communicated to the real account holder out-of-band, in the manner of many other sites. Instead: 4. A new password is immediately set to a value already known by the attacker. Once inside, an attacker can also change the security question or answer, or both, so you can t even regain your account by telephoning the company unless you can convince them you re genuine, in which case the security question was a total waste of time anyway. I awarded some marks for notifying the user by email that the password has been changed, but immediately docked them again because bingo! You re now a victim of identity theft! Let s assume you ve been locked out, the security question has been changed and you want your account back. ALLOW don t let you telephone them; you either have to dig around and find an address to send an email, which we all know can be intercepted, or (and you re encouraged to) contact them through a form on the site. You ll probably include some personal details, because you want to convince them of your real identity; indeed, two of the options on the form are I ve got a question and Something doesn t work . I sent my findings through this very form, under the latter heading, and to my surprise: 5. Despite promises of full encryption of all data at all times, full implementation of secure socket layers , the contact form is transmitted to ALLOW in the clear, with no protection whatsoever. So now anyone listening in your connection knows all about you too: your ISP, any of the peers along the route, the deep packet inspection advertisers if your ISP is less than reputable, and the neighbour who connects to your wireless and slips you a fiver every month for the privilege. Nice work, privacy specialists. (For the record:

• I have sent these findings to ALLOW and await a response have a response.
• Yes, this scenario is unlikely, but it doesn t fill me with confidence about the rest of their business activities.)

* please feel free to correct my maths. It was never my strongest subject.

---

Privacy specialists should hire security specialists is a post from: jwiltshire.org.uk Flattr

In Bits from the Security Team a few weeks ago, Thijs Kinkhorst wrote:

Since a couple of years we ve been handing off security issues of minor or
theoretical impact but for which a fix would be desirable at some point, like
certain classes of denial-of-service attacks, off to stable point updates.
We re looking for a person that wants to coordinate this: monitor the Security
Tracker for issues classified as such by the Security Team, converse with
maintainers to get such updates done and coordinate with the stable release
managers on this.

I m happy to confirm, now that it s been announced, that I am that person: point release security co-ordinator. Affected packages If your package fulfils these criteria:

• it had a security problem reported in the past (that is, it was allocated a CVE number);
• it didn t get a Debian Security Advisory, but it wasn t marked unimportant in our tracker;
• it has been fixed in unstable, but the version in stable or oldstable is still vulnerable

it is a candidate for updating in stable or oldstable, and you ll probably receive a mail from me at some point asking you to do so. You can pre-empt this mail of course, by backporting your fix to the affected versions and contacting the release team to get your fix into stable, without waiting for me. In such a case, please drop me a note with the details so I can tick your off on my hit^W candidate list. Making a stable/oldstable upload This is documented in the Developer s Reference, but to summarise:

1. Prepare your fix, targetting stable or oldstable, and build it in an up-to-date chroot for that release
2. Send a diff of the new package to the release team, asking for permission to upload
3. Upload as normal, and wait for it to be included in the next point release. Meanwhile, notify the security team of your upload, if it fixes a CVE.

Tracking candidate packages I m going to start off tracking filed bugs for SPU candidates and OSPU candidates with usertags in the BTS, under my own address. In time that might be merged into an address used by the security team, but for now I m still finding a good workflow so it s much easier this way.

---

Point Release Security Co-ordinator is a post from: jwiltshire.org.uk Flattr

Just one this week: #609304 (pimd): backport the unstable fix for testing-proposed-updates (which nearly gave me heart failure when it FTBFS on mipsel, but it was an unrelated problem).

This week:

• #607958 (apt): replied and tagged moreinfo ; jmm later downgraded it to normal
• #606951 (nsca): agreed with the submitter and reverted the change, uploaded straight to unstable
• #605784 (nagios-statd): thanks to the great debugging work of the submitter, uploaded a fix to DELAYED/2 (giving the maintainer time to make his own planned upload)
• #598588 (json-glib): cannot reproduce; reduced severity and emailed the submitter

The remaining bugs are either removal candidates or no longer low-hanging-fruit, so I don t expect to keep squashing very many more before Squeeze is released.

The following developers got their Debian accounts in the last month:

• Jonathan Wiltshire (jmw)
• Michael Hanke (mih)
• Sebastian Reichel (sre)
• Siegfried-Angel Gevatter Pujals (sgevatter)
• K re Thor Olsen (kaare)
• Didier Raboud (odyx)
• Benjamin Drung (bdrung)

Congratulations!

The following developers have returned as Debian Developers after having retired at some time in the past:

• Matt Zimmerman (mdz)
• Jerome Marant (jerome)
• Scott James Remnant (keybuk)

Welcome back!

This week:

• #606151 (nordugrid-arc-nox): cherry-picked a patch from upstream and uploaded to DELAYED/1
• #606670 (minitube): removal bug filed at request of maintainer
• #607762 (dbus-glib): bumped the build-dependency and uploaded to DELAYED/7 (later pushed into DELAYED/0 at maintainer s request)
• #607427 (opensc): applied security fixes from upstream and uploaded immediately

Not quite one fix per day, as zack s campaign originally called for. But true to his word, neither have I started receiving hate mail, so I must be doing something right. (I also made my first sponsoring upload an RC fix (#598945), for extra brownie points <g>)

When I first started using Debian properly, I played with gpg-agent and pinentry but I didn t really understand the various bash initialisation scripts, and my botched setup annoyed me so much I disabled it again quite quickly (for example, if I left the machine logged in to GDM at home then logged in through SSH, pinentry dialogs stayed in GDM and had to be killed). Now I ve finally had time to get it sorted out, and this is part aide-memoire and part idiot check (hello, lazyweb). The brief:

• gpg-agent should take care of both GPG keys and SSH keys, transparently;
• pinentry should ask with pinentry-gtk2 at home, or at the current SSH session remotely;
• nothing should be left lying around after a session.

I assume appropriate packages are already installed at a minimum, gpg-agent and whichever pinentry you prefer. Installing gpg-agent drops a hook into /etc/X11/Xsession.d, but now there are both gpg-agent and ssh-agent running. Disable ssh-agent because we re going to let gpg-agent take care of everything: in /etc/X11/Xsession.options, comment out the line use-ssh-agent. In /etc/X11/Xsession.d/90gpg-agent, add the enable-ssh-support parameter so the STARTUP variable looks something like:

STARTUP="$GPGAGENT --daemon --sh --enable-ssh-support --write-env-file=$PID_FILE $STARTUP"

and also disable ssh in gnome-keyring:

$ gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false

Now (after restarting your X session) you can use ssh-add to import a key into gpg-agent, and you should see a pinentry dialog asking for a password. That takes care of X sessions, but it won t work for SSH. This is where the different bash login scripts matter: ~/.bashrc is run for all non-login shells (that is, ones spawned from e.g. gnome-terminal) but ~/.profile is only run for login shells (that is, ones where you have to authenticate, such as SSH connections). So, at the bottom of ~/.profile, we just start another gpg-agent who doesn t know about X:

eval $(gpg-agent --enable-ssh-support --daemon)

After restarting your SSH session and triggering a key operation, like signing a document, pinentry-curses should ask for your passphrase at the SSH shell and not leave dialogs stranded in the X session. Finally, that second agent shouldn t be left hanging around after we ve finished, or there ll be hundreds of them soon. Fortunately, the PID is recorded in the environment variable GPG_AGENT_INFO, but parsing that is a bit awkward when it s also recorded alone in SSH_AGENT_PID. So in ~/.bash_logout, we just

kill $SSH_AGENT_PID

(Most of the pointers for this setup came from http://wiki.kumina.nl/index.php/Managing_ssh_keys_with_gpg-agent and http://stefaanlippens.net/bashrc_and_others)