"I hate mac adds" by Robert Winchester

“I hate mac adds” by Robert Winchester << Click me!

Made me chuckle ;)!

File seems clean BTW… just in case You are paranoid like me ;).

URL Analysis tool Result
Avira Clean site
BitDefender Unrated site
Dr.Web Clean site
Firefox Clean site
G-Data Clean site
Google Safebrowsing Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
TrendMicro Unrated site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Additional information
Normalized URL: http://www.bobert-rob.com/animation/Standalone/MACads1.swf
URL MD5: 0c1782b0d26acd5b8980b4529786e7fa

Andy

Goodbye Dropbox. I am not going to need Your services anymore.

Hi all.

I am slightly pissed off and disappointed. Why? For some of You that may not know:

Dropbox is changing / changed their policy and usage terms. To comply with U.S. law they are now obliged to provide unencrypted access to Your private dropbox account content to any of the 3 letter agencies if they provide court order.

This is not my biggest concern. I don’t touch anything that’s illegal so I don’t store anything illegal in my dropbox. What I have realized is far more worse then that. If they can show decrypted content of the folder to the FBI or other authorities it means that they could take a sneak peak at Your files whenever they felt like it in the past even tho they were stating that all they can see is a sudo-random blob of encrypted data which they will not be able to decrypt and have a look at. This – due to my motto “Trust No1” is unacceptable. One bad apple in their crew basket… and all my files are viewable to him. I don’t keep any financial records / passwords / ~ folder content / other valuable data in the dropbox… but that’s because I would never place them somewhere where they can be accessed by a 3rd party…

Second thing is that if someone gains access to Your hard drive and copies 1 little file… gains access to Your dropbox account. No password needed. If You change password attacker still can connect.

But hey – don’t trust me. Listen to the episode 297 of SecurityNow where Steve Gibson – security guru explains it much better then I did.

I am thinking about getting rid of my dropbox accounts. Seriously… Security fail. Privacy fail. Trust fail.

Edit: Strike three… You’re out!

I have removed all my dropbox accounts… and cleaned up my hdd from any leftovers.

[root@wishmasbell andrzejl]# updatedb
[root@wishmasbell andrzejl]# locate dropbox
[root@wishmasbell andrzejl]#

There… I am dropbox free.

Thanks for reading.

Andy

Edit: For all those who don’t want to download 50 MB MP3 file just to search / listen for the dropbox comments:

Here is the transcript that can be found here:

LEO: Now, I wanted to ask you about this next topic because I use, as you know, I use Dropbox. And Miguel de Icaza, who is a great developer and a really important guy in the open source community, said, “What the hell?” Because apparently Dropbox has been assuring everybody that they use strong encryption that they can’t decrypt.

STEVE: Well, yeah. And there’s two things. There’s two issues. One is that Dropbox recently updated their terms of service to say explicitly what was always apparently implicit. Quoting from their new terms of service, they say: “As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”

Now, this sums up more perfectly than I ever could why I chose Jungle Disk for my own remote cloud-based backup. And that is, I did a full security analysis of Jungle Disk and verified that all that is ever being put up to Amazon’s S3 cloud stuff is pre-encrypted data. That is, my Jungle Disk client has the key and everything it sends. So all Amazon gets is opaque pseudorandom noise that they have no ability to decrypt. I mean, it’s full TNO, Trust No One, as my acronym for this, which is the only way I would ever store something in the cloud. So here Dropbox has formally acknowledged that they have the ability to decrypt the contents of all of their users’ data, and that they will do so when ordered to by a court order from the United States.

LEO: So as Miguel points out, well, if they can do it by court order, then they’ve had that capability all along. So they essentially misrepresented the encryption capabilities.

STEVE: Well, and see..

LEO: And he says this is a larger issue, not so much government, but that means employees could do it. And even with a company that has very strong data policies like Google we see these things happen.

STEVE: Very, very good point. It means that keys could get compromised; keys could get lost. Or, as you say, you could have a bad apple employee who realizes, hey, we’re hosting a celebrity. I wonder what he’s storing in his Dropbox?

LEO: So I make sure I don’t put anything of a private nature in my Dropbox. But I’m going to make sure I don’t. And you’re right. I think if you’re going to do it, if you want to store something like financial records, use Jungle Disk.

STEVE: Well, and here’s another – well, or, and this works, too…

LEO: Pre-encrypt.

STEVE: Exactly. Only store stuff that you have encrypted up there, where you’re pre-encrypting that data. And this is why, when I see someone saying “industry standard AES 256-bit encryption,” it’s like, that means nothing. I mean, unfortunately it catches out people who don’t listen to this podcast, who assume that, if you’re using state-of-the-art encryption, then you must be safe. No. I mean, I would imagine that means that the link is encrypted. And it does sound like they’re storing it in an encrypted fashion. But they’re storing it with a key that they have. So that doesn’t really help.

LEO: Yeah. That’s the question, who has the key?

STEVE: Right. And the best solution is for no one but you to have the key. And the only way to do that is to pre-encrypt and only store encrypted stuff in the cloud. Now, the other issue that came up was a question of their authentication. Someone named Derek Newton, who is a security researcher, was poking around in Dropbox-like applications, and he just decided he would take a look and see what they left behind, what was left behind after they installed. What he found was that, specifically in the case of Dropbox, there is a single file called config.db, which is an SQLite database file, which contains the email address, the dropbox_path, that is, where the Dropbox folder is on your system, which is being synchronized to the Dropbox in the cloud, and the host_id. Any SQLite DB-compatible client is able to open this file and look at it.

And what he determined by experimentation is that the only thing that identifies you to Dropbox is the host_id. There is no other lockage of that file to a given system. And so what he posted – and again, I learned about this from people saying in Twitter, hey, Steve, what do you think about this? And this has been a constant flow for the last couple weeks. And I mentioned last week that I hadn’t had a chance to dig into this, but I would, to look into it and verify it. So I did want to follow up for everyone who’s been wondering.

So what this means is that, if you weren’t protecting this file, or if anything got onto your system which was able to grab this file through social engineering attack or spyware or malware, whatever, if you lost control of that file such that it was in any way exfiltrated from your control, then that file can be installed on any other system. And that provides the sole authentication of you, the instance of you, to Dropbox such that, with no other information, no username, password, no logon, anything, that authenticates that new system. And there is – it doesn’t appear as a new machine in the set of machines that you have authorized to use. It’s merely a clone of that first one, which then has full access, unencrypted access, to your Dropbox contents. Which to me says these guys aren’t really looking at security.

I mean, on one hand we know now that they can decrypt the contents of our Dropboxes. And this could clearly have been done in a way that was more secure. Even if you change, if the user changes his username and password, that doesn’t invalidate the host_id. It still functions. And so if somebody had it, their connectivity survives across a user changing his username and password. So it’s just they really could have easily done a much better job of hashing username and password into this, tying it in some fashion, for example, to the serial numbers of the hard drives on the system. I mean, just anything to make it more difficult than simply one file which you can put on any machine anywhere, and suddenly it’s authenticated just as solidly as the system it came from.

LEO: Yeah, that’s not good.

STEVE: So not good news over on the Dropbox side.

LEO: You know, there are alternatives. LaCie has a similar service to Dropbox that’s Java based. I don’t know if it’s more secure. But I think maybe it’s time to look and see what the other alter- I love Dropbox. And I hope they respond to this by making it more secure. That would make everybody happy.

STEVE: I think they can. I mean, one would imagine they will because it’s so trivial. I mean, all they have to do is listen to this podcast for a while.

LEO: Right, and add some encryption features. The other one to look at, I’ll take a look at, is from LaCie, it’s called Wuala. Randal Schwartz told me about it. It’s Wuala.com. Very similar to Dropbox. I’ll look and see if they say, when they say all files get encrypted – see, that’s the thing, is “get encrypted.” Well, what does that mean? Where, is the question.

STEVE: Yeah, exactly. And that’s just it. Unless there is a full security analysis available of how it works and what it does, you just can’t trust it.

LEO: Here’s what Wuala says. It says all files are directly encrypted on your desktop. Your password never leaves your computer. Not even we as a provider can access your files or your password.

STEVE: Well, that’s all good sounding.

LEO: That’s what you want – validated, of course.

STEVE: Yeah.

LEO: I’m going to take a look at them. Randal Schwartz recommended them. He likes them a lot, so I’m going to take a look at them as an alternative to Dropbox.

Copied the ~/.mozilla from one computer to another…

Hi Folks.

I have few machines here and I want to keep the settings and all other stuff (addons, plugins) synced between them. I am using LastPass for passwords and XMarks for bookmarks so this is not an issue. They are always synced. However the addons and settings… I didn’t wanted to redo them all. Wanted to have them cloned. Easiest way for me is to copy the ~/.mozilla folder from one computer to another… This time I ran into bit of a trouble. Settings came from a machine running KDE4. Black fonts over a grayish background. They were copied into the Gnome machine where the theme looks slightly different. Its a black textured background with a whiteish text on it.

When I copied the settings I got all the menu bar items messed up. Black font / black background. Not visible. I managed to fix it. I have opened Nautilus and I have maneuvered to the ~/.mozilla/firefox/123QWE89.default/chrome/ folder and I removed all the files from there.

Reopened the Firefox and it got adjusted to work with the Gnome theme. Fonts got whitish color and I could read “File“, “Edit” and other menus again.

Hope this helps somebody someday.

Andy

Enhancing GPU performance in Dell Latitude C610 lappy.

Hi all.

Was messing around with my oldish machine and noticed that adding few (embolden on purpose) options to the /etc/X11/xorg.conf (as root) greatly improves the performance.

Here is my xorg.conf file:

# File generated by XFdrake (rev )

# **********************************************************************
# Refer to the xorg.conf man page for details about the format of
# this file.
# **********************************************************************

Section “ServerFlags”
Option “DontZap” “False” # disable (server abort)
AllowMouseOpenFail # allows the server to start up even if the mouse does not work
#DontZoom # disable / (resolution switching)
EndSection

Section “Module”
Load “dbe” # Double-Buffering Extension
Load “v4l” # Video for Linux
Load “extmod”
Load “glx” # 3D layer
Load “dri” # direct rendering
EndSection

Section “Monitor”
Identifier “monitor1”
VendorName “Generic”
ModelName “Flat Panel 1024×768”
HorizSync 31.5-48.0
VertRefresh 56.0-65.0

# TV fullscreen mode or DVD fullscreen output.
# 768×576 @ 79 Hz, 50 kHz hsync
ModeLine “768×576” 50.00 768 832 846 1000 576 590 595 630

# 768×576 @ 100 Hz, 61.6 kHz hsync
ModeLine “768×576” 63.07 768 800 960 1024 576 578 590 616
EndSection

Section “Device”
Identifier “device1”
VendorName “ATI Technologies Inc”
BoardName “ATI Radeon X1950 and earlier”
Driver “ati”
Option “DPMS”
Option “AccelMethod” “exa”
Option “AGPMode” “4”
Option “FBTexPercent” “80”
Option “ScalerWidth” “2048”
Option “EXAOptimizeMigration” “true”
Option “DRI” “on”
Option “DynamicClocks” “on”
Option “MigrationHeuristic” “greedy”
Option “AccelDFS” “true”
Option “BackingStore” “true”
Option “ColorTiling” “on”
Option “ExaNoComposite” “false”
Option “BusType” “AGP”
Option “EnableDepthMoves” “on”

EndSection

Section “Screen”
Identifier “screen1”
Device “device1”
Monitor “monitor1”
DefaultColorDepth 24

Subsection “Display”
Depth 8
Modes “1024×768” “832×624” “800×600” “640×480” “480×360” “320×240”
EndSubsection

Subsection “Display”
Depth 15
Modes “1024×768” “832×624” “800×600” “640×480” “480×360” “320×240”
EndSubsection

Subsection “Display”
Depth 16
Modes “1024×768” “832×624” “800×600” “640×480” “480×360” “320×240”
EndSubsection

Subsection “Display”
Depth 24
Modes “1024×768” “832×624” “800×600” “640×480” “480×360” “320×240”
EndSubsection
EndSection

Section “ServerLayout”
Identifier “layout1”
Screen “screen1”
EndSection

Have fun!

Andy

Getting rid of the desktop icons in Gnome 2.x.x

Hi all.

Another thing I have learned. “Computer“, “Home” and “Trash” won’t go away from the Desktop unless You do this:

Open gnome-terminal and issue this command:

dbus-launch gconf-editor

Now click on the arrow on the left hand side of the Apps, it will expand it. Now find and click on the arrow on the left hand side of the Nautilus to expand it, now find and click on desktop. In the right pane of the gconf-editor window You will see few entries with the ticks.

Check out what happens if You untick them – so it looks like this:

Getting rid of the Gnome 2.x.x Desktop icons.

Have fun.

Andy

Alsa loosing it's memory (0ing volume after startup)?

Hi all.

Ok for some unknown reason alsamixer was setting volume of every single sound device to 0 and I found a solution to this for myself and I hope it will help others:

Open terminal and do this:

su

root password

service alsa force-stop

alsaconf

Follow the wizard – mostly just press [ENTER] when something pops up.

alsamixer

Set the volume at the wanted level by using left right up and down arrows and [m] button to mute or unmute certain devices and press [ESC] to leave the mixer.

alsactl store

and then add

alsactl restore

at the end of the

/etc/rc.local

file using Your favorite text editor (as root).

reboot – Your settings should be restored.

I am running fully updated Zen Mini 2010.10 with Kernel 38.3 BFS.

Hope this helps to somebody someday.

Andy

Adding and running Irssi perl scripts. [Nicklist.pl]

Hi all.

I am big SSH / screen / irssi fan. I really do love the way they work together. SSH to the remote machine, takeover the screen session with irssi running inside… You can do that from just about everywhere… – including mobile phone…

Nokia N73 - Putty - SSH - Screen - IRSSI

What would make it even better? Well… and what made Firefox even better? Addons. Perl script addons… BUT there are always BUTs… The scripts were not working for me. Each time I was trying to fire up the script I was getting this error:

Irssi: Unknown command: script

Irssi: Unknown command: script

After a long while of Googling I have realized I need to load perl when irssi starts. How would one accomplish that? I will show You using nicklist.pl as example.

Close irssi. Run these commands:

su -c "apt-get install irssi-perl"

followed by:

root's password

and then:

echo 'load perl' >> ~/.irssi/startup

Creating perl autoloading entry...

and start irssi…

Success! Perl modules perl/core and perl/fe are being loaded.

Success! Perl modules perl/core and perl/fe are being loaded.

Now close irssi and run this (You can copy and paste it) command:

mkdir -p ~/.irssi/scripts/autorun && cd ~/.irssi/scripts/ && wget -c http://scripts.irssi.org/scripts/nicklist.pl && cd ~/.irssi/scripts/autorun/ && ln -s ../nicklist.pl

Create directories, download script, create symlinks...

and start irssi again…

Now run this command (it’s a nicklist.pl specific command – find out more by reading the script itself) in irssi:

/set nicklist_automode SCREEN

Create automode procedure for the script

Create automode procedure for the script part 2

Final step: Close irssi. Start screen session. And re-run irssi. Join any channel of Your choice :).

Well done. Perl loaded. Script loaded. Screen mode of the script auto-loaded. Triple w00t!

See that pretty nick list on the right hand side? HA! πŸ˜€ I do :D.

You can use screen on a local (not necessarily remote) machine. And it makes sense for many reasons :).

Andy

PCLinuxOS and Gnome 3…

If You ever wondered what is the current status of Gnome 3 in PCLinuxOS then wonder no more…

Here is a Gnome 3 review by Texstar :D!

Trying is the key word here. So far Gnome 3 has me more confused than a fat kid with a salad.

This guy rocks :D! He is hilarious. His comments are just cracking me up…

Andy

Please reinstall skype… Wait WUT?

Edit: This fix soon becomes obsolete…

The following packages will be upgraded
prelink
1 upgraded, 0 newly installed, 0 removed and 0 not upgraded.
Need to get 1075kB of archives.
After unpacking 25.6kB of additional disk space will be used.

Thanks Texstar for such a quick upgrade! You ROCK!

Please reinstall skype…

Please reinstall Skype...

This was a message that I was greeted with after the last upgrade. I have decided to find the solution.

Turns out its a prelink that is messing stuff up.

How to fix it?

1. Open dolphin and type in /etc/ in the address bar.
2. Find file prelink.conf
3. Right click on prelink.conf file
4. Choose Root Menu > Edit As Root
5. Give root’s password when asked for
6. Wait for the kwrite to open
7. Add this line to the file:

-b /usr/bin/skype

so it looks somewhat like this (I have embolden the added line):

# This config file contains a list of directories both with binaries
# and libraries prelink should consider by default.
# If a directory name is prefixed with `-l ‘, the directory hierarchy
# will be walked as long as filesystem boundaries are not crossed.
# If a directory name is prefixed with `-h ‘, symbolic links in a
# directory hierarchy are followed.
# Directories or files with `-b ‘ prefix will be blacklisted.
# `-c ‘ is used to source additional config file snippets.
-c /etc/prelink.conf.d/*.conf
-b *.la
-b *.png
-b *.py
-b *.pl
-b *.pm
-b *.sh
-b *.xml
-b *.xslt
-b *.a
-b *.js
-b /lib/modules
-b /usr/lib/locale
-b /usr/lib{,64}/debug
-b /usr/lib/dropbox-dist
-b /usr/bin/skype
-l /bin
-l /usr/bin
-l /sbin
-l /usr/sbin
-l /usr/kerberos/bin
-l /usr/games
-l /usr/libexec
-l /var/ftp/bin
-l /lib{,64}
-l /usr/lib{,64}
-l /var/ftp/lib{,64}
-l /opt/*/lib{,64}
-l /opt/*/bin
-l /usr/lib/perl5/5.10.1/i386-linux-thread-multi
-l /usr/lib/perl5/vendor_perl/5.10.1/i386-linux-thread-multi
-l /usr/lib/perl5/5.10.1/i386-linux-thread-multi
-l /usr/lib/perl5/vendor_perl/5.10.1/i386-linux-thread-multi

Step by step...

8. Save the file.
9. Close Kwrite and Dolphin.

Now next thing.

1. Open konsole
2. Su Yourself to root
3. Use this command:

apt-get --yes install skype && /usr/sbin/prelink -avmR

Reinstall skype and re-run prelink.

This may take a while to finish depending on You machine power but its well worth it.

After this is done You can reboot Your machine but even without a reboot skype should start without a hiccup ;).

Thanks Texstar for such a wonderfull distro. I hope all the problems will be just as tiny and easy to fix as this one :D!

Andy