
not really a blog

Only the occasional braindump.

Gmane: how all mailing lists should work

February 15, 2012

Recently I discovered Gmane, a mailing-lists to NNTP gateway. It turned out to be the solution to several of the biggest annoyances I've had with mailing lists so far.

Gmane allows all mailing lists to be accessed using a standard protocol, NNTP, which provides a consistent interface instead of having to deal with five different web-based management and archive sites (Mailman, Pipermail, MHonArc, etc., etc.). I can tell my newsreader to kill uninteresting threads and highlight others, and even post replies to the "newsgroup".

Over NNTP, it's also easy to access archived messages, even those sent before subscribing to the list, in their original RFC 822 format instead of pipermail's heavily-filtered HTML archive. With my newsreader (Thunderbird), I can even make copies by dragging & dropping interesting messages to an IMAP folder, with their original headers and everything. Very few (in fact, close to none) web-based list archives offer "raw" or "mbox" versions.

The only downside is that Gmane mangles email addresses in the majority of lists, causing PGP signatures to be broken. But I suppose that's the cost of having a giant archive of email messages publicly accessible.

Massive internet connection weirdness

January 20, 2012

SSL is flaky. Attempting to connect to twitter.com returns "ssl_error_rx_record_too_long". Other sites give occasional "ssl_error_bad_mac_read".

Kerberos is flaky; two out of three realms are rejecting my password – although AS-REP and TGS-REP's are returned, all I get is "Decrypt integrity check failed".

SSH is flaky; pubkey auth gives "Corrupted MAC on input." – strangely, even over Tunnelbroker.

DRM continued

December 22, 2011

There has been some discussion about a recently released e-textbook, due to it being distributed with a Windows-only DRM layer despite lacking copyrighted content. I've no need for this textbook, but the descriptions of the DRM seemed familiar, so I decided to take a look – for educational purposes, of course. It turned out to be the same tux_XFS DRM I've described earlier, with the same annoyances (no copy, no printing, ancient Adobe Reader; breaks clipboard for the entire session while open), but with no apparent protection of any kind – distributed publicly over the Internet, and no serial number.

The publisher's website did have a form asking for my name and email, but the download did not have any identifying information (unlike some shareware programs I've seen, which would embed the user's name into the installer). However, the ebook's installer silently runs the tux_XFS online activator.

Overall, the protection looked the same as in previous ebooks – except this time, the .exe swap trick didn't work; the new .exe just wouldn't load XFS.dll. It could be that there is some secret handshake to be done with the launcher in this version. So I went for a different approach.

The overlay still used the same container format and the same method of encrypting Reader's temporary files; I successfully decrypted the latter with the key I found from the previous ebook. However, Reader keeps an exclusive lock on the files while running, and deletes them afterwards, so this is not a very convenient method, as well as still requiring Windows.

Finally I attacked the XFS container files directly. The format of 001.dat turned out to be rather simple, and even though I still don't know the purpose of some data ranges (especially in the container header), most of them correspond neatly to various Windows file APIs (filename, DOS attributes, timestamp) or to metadata about the container item (start position, raw size). Soon I had written a cross-platform script for extracting and decrypting these containers. It does not handle the "no copy"/"no print" bits in the .pdf files, though, and I'm still searching for a reliable tool to remove those.

Related note: The container files store files in 64 kB blocks, padded with null bytes. At the end of each file, there will be several kB worth of null bytes, XORed with a 256-byte key. Hello known-plaintext attack...

Reprogramming USB drives

September 28, 2011

The prestigio USB pendrive my mother had suddenly started throwing out various I/O errors when adding or removing files; it would refuse to update the first few blocks where the FAT lies, becoming more-or-less useless. An obvious solution was to buy a second identical pendrive and copy all data to it.

...however, the new drive turned out to be "enhanced" (read: "fucked up") with a second read-only partition of some sorts, with 500 MB reserved but only a tenth of it actually used (by an outdated AVG Free and a dozen fucking JPEGs). "Hey, how about we waste 6% of the drives we sell for absolutely no reason?" In addition, the disk was not divided using MBR partitions but instead appeared as two distinct LUNs.

Browsing the internets, I found a tool for re-programming UT165 flash chips, which prestigio pendrives are built upon. I was able to merge both LUNs of the new drive – and not only that, but I could also low-level reformat the old drive, skipping the bad blocks (which left me with a perfectly working 3.3 GB drive out of 4 GB).

Async Kerberos logins

September 27, 2011

My computers have Kerberos set up, which is practically useless (the "machines" are only one, not counting Cluenet boxen) but still somewhat cool. Using pam_krb5 to obtain Kerberos tickets on login, however, can result in really slow logins when the connection is unreliable. Since the accounts are primarily kept locally (/etc/passwd), I have switched to pam_exec running a background script that obtains tickets using PKINIT (since apparently I cannot pipe passwords to kinit).

Note to self: PKINIT requires krb5-pkinit to be installed on the server. As obvious as it may look, I already forgot it twice, being used to Arch's "everything in one package" philosophy.
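What the "background script" wired into pam_exec can look like, as an added example (not the script from the post). It assumes a session-phase line in /etc/pam.d/login, that pam_exec hands the program PAM_USER and PAM_TYPE in the environment (which it does), that the user's certificate and key live as <user>.crt and <user>.key under a directory readable by that user, and that the ticket cache follows the usual /tmp/krb5cc_<uid> convention; all of those paths are assumptions, not the post's setup. Because the module is `optional` and the program returns immediately after detaching kinit, an unreachable KDC can no longer slow the login down.

```python
#!/usr/bin/env python3
"""pam_exec target that acquires a Kerberos TGT via PKINIT in the background.

Added example, not the blog's own script. Assumed wiring in /etc/pam.d/login
(session phase, so a KDC outage can never make a login fail or hang):

    session  optional  pam_exec.so  /usr/local/sbin/pkinit-login.py

pam_exec exports PAM_USER and PAM_TYPE to the program it runs. The certificate
directory and the <user>.crt / <user>.key naming below are assumptions.
"""
import os
import pwd
import subprocess
import sys

CERT_DIR = "/etc/krb5/users"  # assumed layout, readable by the owning user


def kinit_argv(user: str, cert_dir: str = CERT_DIR) -> list:
    """Build the MIT kinit command line for a PKINIT login of `user`.

    `-X X509_user_identity=FILE:<cert>,<key>` is kinit's PKINIT pre-auth
    option (see kinit(1)); no password is exchanged, which is the whole
    reason for PKINIT here: kinit will not read a password from a pipe.
    """
    identity = "FILE:%s/%s.crt,%s/%s.key" % (cert_dir, user, cert_dir, user)
    return ["kinit", "-X", "X509_user_identity=" + identity, user]


def ticket_cache(uid: int) -> str:
    """Per-user FILE credential cache, following the common /tmp/krb5cc_<uid> convention."""
    return "FILE:/tmp/krb5cc_%d" % uid


def spawn_kinit(pw: pwd.struct_passwd) -> subprocess.Popen:
    """Run kinit as the user, detached from the login process and never waited on.

    start_new_session=True puts kinit in its own session so this program can
    exit at once; user/group drop root so the ccache ends up owned by the
    user (Popen parameters available since Python 3.9).
    """
    env = {"PATH": "/usr/bin:/bin", "HOME": pw.pw_dir,
           "KRB5CCNAME": ticket_cache(pw.pw_uid)}
    return subprocess.Popen(kinit_argv(pw.pw_name), env=env,
                            user=pw.pw_uid, group=pw.pw_gid,
                            start_new_session=True,
                            stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)


def main() -> int:
    # Act only when a session opens, not on close_session or other PAM phases.
    if os.environ.get("PAM_TYPE") != "open_session":
        return 0
    user = os.environ.get("PAM_USER")
    if not user:
        return 0
    try:
        spawn_kinit(pwd.getpwnam(user))
    except (KeyError, OSError):
        pass  # unknown local user or kinit missing: never block the login
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The key file must be readable by the user for this to work as a non-root kinit; if it is kept root-only instead, drop the user/group parameters and let kinit write the cache as root, then chown it, which is more code and more ways to get it wrong.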

In which I incriminate myself

September 26, 2011

I'm occasionally asked to crack proprietary DRMs of ebooks by an unnamed publisher. Although their ebooks themselves are just PDFs displayed in a packaged Adobe Reader 7, they must be opened through a "launcher" program, which attempts to prevent the book from being copied.

Some books were distributed on USB pendrives and simply checked Registry for a specific storage device ID – which could be bypassed by simply writing a launcher-launcher which adds the necessary values. I had to do this for one book since the PDF file communicated with the launcher in some way. (There was also some sort of "drive type = removable" check, where I went old-skool with w32dasm and hiew.) Other launchers were done away with entirely, keeping just a batch script to start the packaged Reader.

The last few releases were easier. Some books used online activation, others still checked hardware IDs; however, the PDF files were static, without dependencies on the launcher or the packaged version of Reader. Extracting them was easy – three ebooks had simple password protection, and the launcher would "type in" the password. They went down against Asterisk Logger. The other two were encrypted using simple XOR, but %TEMP% had the decrypted files for me to grab, and this allowed me to find the XOR key too.

The latest book was quite interesting: temp files were encrypted, and Process Explorer showed nonexistent executables running. As its own debug log revealed, a special DLL loaded into AcroRd32 would hook such Windows calls as ZwOpenFile, essentially setting up an overlay file system which contained the protected files and was only visible to AcroRd32. The trick was to make it run cmd.exe instead, and use that to copy files. (As it turned out, the overlay would also automagically decrypt Acr*.tmp with yet another XOR key. Figuring out what happens when you XOR-decrypt a series of null bytes is left as an exercise to the reader.)

An interesting thing to note: The filesystem overlay was also used for sending messages from the PDF to the launcher, by attempting to open nonexistent documents named #I, #Ofilename, and so on.
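The "exercise to the reader" above and the "Hello known-plaintext attack" remark in the DRM continued post are the same lesson: a repeating-key XOR leaks its entire key wherever the plaintext is known, and null padding is plaintext everybody knows. The following is an added example, not code from either post: it takes the two sizes the posts give (64 kB blocks, a 256-byte key) and otherwise uses a constructed key and a constructed payload. Because 65536 is a multiple of 256, the key phase restarts at every block boundary, so the last 256 bytes of a block whose tail is padding are one complete key starting at offset 0. The padding detector is generic (it looks for a tail that repeats with the key period) and refuses to guess when fewer than two periods of padding are visible.

```python
"""Why a repeating-key XOR is broken by known plaintext.

Added example, not code from the posts above. Both posts describe files stored
in 64 kB blocks, null-padded at the end and XORed with a 256-byte key; those
two sizes are taken from the post, the key and payload below are constructed.
"""
BLOCK_SIZE = 64 * 1024  # per the post: 64 kB blocks, null-padded at the end
KEY_LEN = 256           # per the post: 256-byte XOR key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key` cycled from offset 0; encryption == decryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def padding_length(block: bytes, key_len: int = KEY_LEN) -> int:
    """Length of the trailing run that repeats with period `key_len`.

    Encrypted zeros are just the key stream, so they repeat every key_len
    bytes; real file content practically never does. The last key_len bytes
    have no partner to compare with, so the estimate never falls below
    key_len: a result of exactly key_len means 'unconfirmed', not 'one period'.
    """
    i = len(block) - key_len - 1
    while i >= 0 and block[i] == block[i + key_len]:
        i -= 1
    return len(block) - (i + 1)


def recover_key_from_padding(block: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover the key from an encrypted block that ends in zero padding.

    0 ^ k == k, so the encrypted padding *is* the key. The block length is a
    multiple of key_len, so the key phase restarts at every block boundary and
    the final key_len bytes are one whole key starting at key offset 0.
    Refuses when the periodic tail is too short to be sure it is padding.
    """
    if len(block) % key_len:
        raise ValueError("block length must be a multiple of the key length")
    if padding_length(block, key_len) <= key_len:
        raise ValueError("not enough confirmed padding to recover the key")
    return block[-key_len:]


# Constructed sample: a 'file' much shorter than one block, laid out in one block.
SAMPLE_KEY = bytes((i * 167 + 29) % 256 for i in range(KEY_LEN))
SAMPLE_PAYLOAD = b"%PDF-1.4 constructed sample payload\n" * 50


def encrypt_sample(payload: bytes = SAMPLE_PAYLOAD, key: bytes = SAMPLE_KEY) -> bytes:
    """Lay `payload` out as one null-padded block and XOR it with `key`."""
    block = payload + b"\0" * (BLOCK_SIZE - len(payload))
    return xor_repeating(block, key)


def attack(encrypted_block: bytes) -> bytes:
    """Recover the key from the padding, then return the decrypted content."""
    key = recover_key_from_padding(encrypted_block)
    plain = xor_repeating(encrypted_block, key)
    return plain[: len(encrypted_block) - padding_length(encrypted_block)]
```

The same recovery works for any repeating-key XOR with a known-zero (or otherwise known) region at a known key phase, which is the general point: XOR with a short repeated key is obfuscation, not encryption, and no amount of hiding the key in a DLL changes that.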

VirtualBox bridged network and WLAN

August 26, 2011

Bridging wlan0 is a pain. You normally cannot add it to a bridge interface (brctl returns "Operation not permitted"), and using VirtualBox "bridged" filter results in a big mess of ARP and DHCP conflicts. The cause of this is that 802.11 frames contain only three addresses by default: the MAC addresses of both wireless devices (laptop and AP) and of the final recipient (as in Ethernet). It is always assumed that there is only one possible originator.

802.11 can carry the fourth, originator's MAC address, and this is used in WDS mode by repeaters. This feature can be enabled on Linux too, using iw dev wlan0 set 4addr on, and enabling this mode will allow wlan0 to be used in bridge interfaces, as well as with VirtualBox bridged networking.

iw dev wlan0 set 4addr on

However, with 4addr enabled, you're likely to get completely ignored by the AP: association succeeds but all data frames disappear into the ether. This could be for security reasons (because it's damn hard to spoof the source MAC address. Yeah.) In my router (running OpenRG), it's necessary to enable "WDS" mode for the wireless AP interface, add a WDS device restricted to my laptop's MAC address, and add it to the LAN bridge. 4addr packets now work.

There's another problem with this, though – the router now rejects three-address packets from the laptop, which can be rather inconvenient (having to toggle 4addr every time the WLAN network is changed). The workaround is to add, on the laptop, a second wireless interface linked to the same device, but with a different MAC address:

# undo the earlier configuration
iw dev wlan0 set 4addr off
# add a second interface
iw dev wlan0 interface add wds.wlan0 type managed 4addr on
ip link set dev wds.wlan0 addr $ADDR
ip link set dev wds.wlan0 up

Here $ADDR must match the WDS device address configured in the router; other than that, it can be any valid MAC address. The original MAC of wlan0 then remains for "normal" usage.

It's possible to use both wlan0 and wds.wlan0 at the same time – although I've only tested associating to the same AP twice, not to different APs.

Kerberos on Windows XP

July 9, 2011

After joining Windows XP to an external Kerberos realm with ksetup /setrealm and then unjoining it, Windows completely loses the ability to log in as a Kerberos account. Instead of looking up a Kerberos KDC (registry configuration or _kerberos._udp.REALM SRV records), it attempts to find an Active Directory domain with the same name, by looking up _kerberos._tcp.dc._msdcs.REALM and attempting to make a CLDAP lookup on it for (&(&(DnsDomain=NULLROUTE.EU.ORG)(Host=HAILSTORM))(NtVer=0x20000006)).

Why? I have no idea, yet. Registry accesses by LSASS as shown by ProcMon remain the same.

After a realm join and unjoin using ksetup followed by a standard workgroup join and reboot, it started working. After second reboot, it stopped. Now it works again.

<fahadsadah> grawity: generally, don't attempt to make Windows do non-Windows things.

Disappearing AutoPlay items

May 22, 2011

Sometimes the AutoPlay action window in Windows XP stops displaying such built-in actions as "Open folder" or "Take no action". This is usually caused by a misconfigured event handler. (I'm not sure yet how the handler gets misconfigured, though.)

  1. Run regedit.
  2. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers.
  3. Find the offending value and delete it. Often problems are caused by Picasa2ImportPicturesOnArrival.

ntpasswd, chntpw and group membership

May 16, 2011

After promoting a user to Administrators with chntpw or ntpasswd, the Administrators group becomes impossible to access (returning "Invalid argument"). This is caused by chntpw incrementing the member count in SAM, but failing to actually append the SID of the new member. (Similarly, the Users group has its member count decremented, but the old SID is still there. This does not result in an error because Windows just ignores the rest.) Fixing this requires some dark magic.

  1. Run regedit as LocalSystem.
  2. Navigate to HKLM\SAM\SAM\Domains\Builtin\Alias.
  3. Fix Administrators: In 00000220\C, decrement dword at 0030h.
  4. Fix Users: In 00000221\C, increment dword at 0030h.
  5. Fix user groups: Change Members\authority\relative\@ to 21 02 00 00 (Users).

ConsoleKit and local sessions

March 28, 2011

After upgrading an Arch system that has been untouched for two months, ConsoleKit sessions created by startx were no longer marked as active. Apparently, pam_loginuid.so is now needed in order for ConsoleKit to consider the session to be "local".

# from /etc/pam.d/login:
session		optional	pam_loginuid.so
-session	optional	pam_ck_connector.so

Inserting processes into a pipeline

January 31, 2011

Window one: Whoops, forgot pv...

$ tar c foo | gzip > foo.tgz

Window two: Create two named pipes.

$ mkfifo /tmp/{in,out}
$ pv /tmp/in > /tmp/out

Window three: Run gdb on the writer.

$ gdb -p `pgrep -x tar`
; close stdout (fd 1)
(gdb) p close(1)
$1 = 0
; open a fifo for writing (1 == O_WRONLY)
(gdb) p open("/tmp/in", 1)
$2 = 1
; we got lucky and received fd 1 again
; in some cases, it would be necessary to do `p dup2(x, 1)`

Window four ...and on the reader.

$ gdb -p `pgrep -x gzip`
; close stdin (fd 0)
(gdb) p close(0)
$1 = 0 ; 0 == O_RDONLY
(gdb) p open("/tmp/out", 0)
$2 = 0
; see above note regarding fds
(gdb) detach
Detaching from program: /bin/gzip, process 1900
(gdb) q

Back to window three.

(gdb) detach
Detaching from program: /bin/tar, process 1899
(gdb) q
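The "we got lucky and received fd 1 again" remark is the whole subtlety of this trick: open() returns the lowest free descriptor, so close(1) followed by open() lands on 1 only while nothing below 1 is free. The following is an added example, not part of the post, that reproduces the failure mode in an ordinary process and shows the dup2-based sequence that works regardless of which descriptor open() hands back. It uses a constructed temporary regular file rather than a FIFO so that the open cannot block.

```python
"""The descriptor arithmetic behind the gdb session above.

Added example, not part of the original post. open() returns the lowest free
descriptor, which is why `close(1); open(...)` usually lands on fd 1 again and
silently lands elsewhere when a lower fd happens to be free. redirect_fd() is
the dup2-based sequence that is correct either way. A temporary regular file
(constructed) stands in for the FIFO so nothing here can block.
"""
import os
import tempfile


def naive_reopen(target_fd: int, path: str, flags: int) -> int:
    """`p close(target)` then `p open(path, flags)`: returns where open() landed."""
    os.close(target_fd)
    return os.open(path, flags)


def redirect_fd(target_fd: int, path: str, flags: int) -> bool:
    """Make target_fd refer to `path` regardless of which fd open() returns.

    dup2() closes target_fd (if open) and duplicates the new descriptor onto
    it in one step. Returns True when that step was actually required, i.e.
    when the naive sequence would have picked the wrong descriptor.
    """
    fd = os.open(path, flags)
    if fd == target_fd:
        return False
    os.dup2(fd, target_fd)
    os.close(fd)
    return True


def demo() -> dict:
    """Reproduce the failure mode: a free lower fd steals the reopened slot."""
    tmp_fd, path = tempfile.mkstemp()
    os.close(tmp_fd)
    try:
        low = os.open(os.devnull, os.O_RDONLY)     # lowest free fd right now
        target = os.open(os.devnull, os.O_RDONLY)  # next lowest, so target > low
        os.close(low)                              # a lower fd is free again
        landed = naive_reopen(target, path, os.O_WRONLY)
        naive_ok = landed == target                # False: open() picked `low`
        os.close(landed)
        needed_dup2 = redirect_fd(target, path, os.O_WRONLY)
        os.write(target, b"ok")                    # now really goes to the file
        os.close(target)
        with open(path, "rb") as f:
            content = f.read()
    finally:
        os.unlink(path)
    return {"naive_landed_on_target": naive_ok,
            "dup2_needed": needed_dup2,
            "written_via_target": content}
```

Inside gdb the robust form is `p $fd = open("/tmp/in", 1)`, `p dup2($fd, 1)`, `p close($fd)`, which is exactly what redirect_fd() does; it costs one extra call and removes the luck.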

Sharing Bluetooth link keys between Windows and Linux

December 20, 2010

Post moved to bluetooth-key-sharing.

ConsoleKit

July 10, 2010

Just spent three days getting the {Console,Device,Policy}Kit fuckery to allow me to mount disks from Nautilus.

Apparently this is needed:

  1. session optional pam_ck_connector.so in PAM config (more specifically, /etc/pam.d/login) to create the first ConsoleKit session;
  2. ck-launch-session in ~/.xinitrc to create the second session, with X11 attached;
  3. DBus running, with both system and session buses;
  4. dbus-launch inside the second (X11) ConsoleKit session because it starts the gvfs-gdu-volume-monitor daemon used by Nautilus;
  5. ...and an authentication agent (such as /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1) running.

Finding out which part is missing:

# Two sessions with your tty as 'display_device', with one being active
ck-list-sessions
# PolicyKit works
pkcheck --action-id org.freedesktop.udisks.filesystem-mount -u --process $$
pkcheck --action-id org.freedesktop.udisks.filesystem-mount -u \
  --process $(pidof gvfs-gdu-volume-monitor)
# udisks/DevKit works
udisks --enumerate
udisks --mount /dev/sdXY

Having this in ~/.xinitrc makes things easier. (Updated for my new configuration, in which startup programs are launched by GNOME or wmiirc, depending on $session.)

#!/bin/bash

# xrdb and xsetroot can go here
# Applets, agents, other shit is handled by $session

stack=(
	ck-launch-session
	dbus-launch --exit-with-session
)

[[ $SSH_AUTH_SOCK ]] ||
	stack+=(ssh-agent)

exec "${stack[@]}" ${session:-gnome-session}

GNOME_KEYRING_DIE_IN_A_FIRE

July 5, 2010

I'm back on Lunix. Installed Arch Linux yesterday, and still trying to make it work just like I'm used to - recreating configs lost a year ago turned out to be easier than expected. Except for some things...

...such as GNOME Keyring, which now doesn't work at all if started from PAM. Apparently, having $GNOME_KEYRING_CONTROL is not enough anymore - the libgnome-keyring library only uses DBus for contacting the Keyring daemon, which doesn't really work when the daemon is started before DBus. Putting gnome-keyring-daemon --start in xinitrc is now needed.

On the other hand, it's actually quite nice to have an easy way to start a daemon like that without having to care about multiple processes, stale environment variables, and such things. Well, at least the problem is reduced to one DBus daemon... If only running ssh-agent were that simple.

Hack the Gibson.freenode.net

June 25, 2010

On the Freenode IRC network, users can get "cloaks" (called "vhosts" elsewhere) signifying their status, group affiliation — or just to hide their real hostname. To avoid clashes with actual hostnames, Freenode's cloaks use slashes / as delimiters: such as freenode/staff/tomaw or archlinux/developer/wonder or unaffiliated/tan. Since you cannot have slashes in your real hostname, cloaks often are used to implement "groups" in access lists (*!*@freenode/staff/* +votsriRfAF is a common sight).

Except you can have slashes in your real hostname.

If you run your DNS server yourself, all it takes is check-names master ignore; in named's options to make it accept un-hostname characters in hostnames. (Apparently, the difference between a "hostname" DNS entry and a "non-hostname" one is the presence of an A or AAAA record. Hostnames are only allowed to have a-z 0-9 -.) The rest is as simple as:

$ORIGIN example.com.
DNS/is/fun AAAA 2001:db8::1337
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
7.3.3.1.0.0.0.0.0.0.0.0.0.0.0.0 PTR DNS/is/fun.example.com.
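The distinction the post relies on, made concrete as an added example (not code from the post): a DNS owner name may contain almost any octet, while a host name in the RFC 952/1123 sense (the rule check-names enforces for names owning A/AAAA records) is restricted to letters, digits and hyphens. That is also the defensive takeaway for anything that resolves clients' reverse DNS and later matches the result against wildcard masks, as the IRC access lists above do: validate the PTR target as a host name and fall back to the IP literal when it fails, so a crafted name can never be displayed in the place where cloaks live. The DNS/is/fun.example.com name comes from the post; the mask and the other names are constructed.

```python
"""Host-name syntax versus DNS owner-name syntax.

Added example, not part of the post. DNS labels may hold any octet (only the
63/253 length limits apply); a host name additionally restricts every label to
letters, digits and hyphens, with no leading or trailing hyphen. Consumers of
reverse DNS should apply the second rule before trusting or displaying a name.
"""
import fnmatch
import re

# One host-name label: 1-63 chars, letters/digits/hyphen, not starting or ending with '-'.
_HOST_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\Z", re.IGNORECASE)


def is_valid_owner_name(name: str) -> bool:
    """DNS owner name (ASCII form): labels of 1-63 octets, at most 253 in total; any octet."""
    name = name.rstrip(".")
    labels = name.split(".")
    return bool(name) and len(name) <= 253 and all(1 <= len(label) <= 63 for label in labels)


def is_valid_hostname(name: str) -> bool:
    """Host-name syntax on top of owner-name syntax: the check-names rule."""
    name = name.rstrip(".")
    return is_valid_owner_name(name) and all(_HOST_LABEL.match(label) for label in name.split("."))


def display_host(ptr_target: str, ip: str) -> str:
    """What a server should show for a client: the PTR name only if it is a
    legal host name, otherwise the IP literal. A forward-confirmed check (the
    name must resolve back to `ip`) belongs here as well but needs the network."""
    return ptr_target.rstrip(".") if is_valid_hostname(ptr_target) else ip


def acl_matches(mask: str, nick: str, user: str, host: str) -> bool:
    """IRC-style nick!user@host wildcard match, case-insensitive; '/' is an ordinary character."""
    nuh = "%s!%s@%s" % (nick, user, host)
    return fnmatch.fnmatchcase(nuh.lower(), mask.lower())
```

With display_host() in the path, `*!*@DNS/*` (a constructed group mask) no longer matches a client whose reverse DNS is DNS/is/fun.example.com, because that client is shown by its address instead; nothing about the mask syntax itself had to change.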

Go chkdsk yourself, NTFS

May 21, 2010

So I'm stuck with Windows XP for a (long) while. (Pepsi and laptop harddrives do not mix.)

Several days ago, Windows started prompting for a filesystem check of C: during boot. Every single time I accepted, it would quickly jump to stage 2 (index check) and proceed with printing a fuckton of lines exactly like this one:

Deleting an index entry from index $O of file 25.

It never finished cleaning up those index entries (I would always interrupt it after 50 or so minutes), and apparently those deletions it had made weren't written to disk either.

After several hours of googling and reading many pages of NTFS documentation (95% of the sites I found were exact copies of "Visual Basic NTFS Programmer's Guide" or the documentation from linux-ntfs), I found out that "file 25" was an NTFS metadata file, \$Extend\$ObjId, used for "open by unique ID" NTFS functionality. Checking with ntfsinfo showed $O being over 80 MB (the same index in another partition was about 12 megs).

So I did an experiment. I booted a Linux CD and removed $ObjId, sacrificing ~160 GB of music, movies and porn. When I returned to Windows, all files were still there and readable. chkdsk did complain about missing indexes, but it happily recreated them in several minutes.

On GVFS

March 3, 2010

Disclaimer: I have never used KDE. I'm currently writing this on Windows XP. My preferred WM is wmii. I also never participate in any holy wars, be they OS-related or not.

GNOME has many components which some consider "bloat" and others just plain hate without any reason. Such as gnome-keyring, which many dislike mostly because NetworkManager requires it. But many of those components are a necessary evil.

Such as GVFS, for example. I really prefer a single, consistent interface that handles FTP and SFTP and SMB/CIFS and WebDAV to a bunch of separate mostly-fuse-based {ftp,ssh,smb,dav}fs things of varying reliability. Some of them are no longer maintained, others are buggy. Samba apparently has in-kernel CIFS support - but I have to use mount which requires either r00tness or editing fstab for every damn share. Sure, there's mount.cifs, which can work setuid-root, and which I have to manually chmod u+s every time I upgrade.

Compare this to GNOME's GVFS, or KDE's Kio. I can open, say, smb://windozebox/music or sftp://nullroute.eu.org/~/.bashrc or even obex://[01:23:45:67:89:ab]/ in any GVFS-compatible program and it works. The filesystem is automatically mounted, using credentials stored in gnome-keyring. To the user there's no difference (other than speed) from a local file. Sure, it's like in Windows, where you open \\box\share\file.txt and it Just Works™. But does that automatically make it bad?

Similar is gnome-keyring. It's the only place, besides the rarely used ~/.netrc, that is actually a working centralized password store. It can even be used for X.509 certs, with any app that supports PKCS#11 (though it's still very beta). I'm tired of having to separately configure each program where to look for my SSL and S/MIME keys.

(Unfortunately, many programs carry that problem to Windows - Pidgin, for example - and even though Windows has a central store for SSL keys and root CAs, they cheerfully ignore it and use C:\Program Files\FooApp\ca-certs\. I would be less angry if native Windows programs didn't do the same...)

What I do consider bloat: GNOME integrating Avahi into Seahorse and Epiphany. (Those actually depend on Avahi, not just recommend it.) Opera adding widgets and BitTorrent and IRC into a web browser (and very poor implementations at that). Twitter in iTunes. MSN "nudges" in Pidgin. GConf XML hell. The fuckton of X11 startup scripts. And so on...

(And here I got bored.)

dovecot --exec-mail and dotlock

December 29, 2009

To speed up mail checks, I access Dovecot imapd at my server through a SSH tunnel, which executes dovecot --exec-mail imap over the (multiplexed) SSH connection.

Being launched like this, Dovecot doesn't have the necessary access to create dotlock files in /var/mail, where my inbox is stored. (Usually Dovecot's imap-login process would start imap as root, and then it would switch itself to the group set in mail_privileged_group when necessary.) So I get a ton of messages like this:

Dec 28 21:18:33 wind IMAP(grawity): : file_dotlock_create(/var/mail/grawity) failed: Permission denied (euid=1000(grawity) egid=100(users) missing +w perm: /var/mail) (set mail_privileged_group=mail)

...resulting in Mutt: Mailbox readonly warnings every time I try to delete something.

It would be possible to change the permissions of /var/mail to 01777 (sticky, read/write/execute for everyone), but this feels a little insecure compared to the default 02775 root:mail.

The solution is to give /usr/lib/dovecot/imap access to the mail group using the setgid bit:

chown :mail /usr/lib/dovecot/imap
chmod g+s !$   # !$ expands to the last argument of the previous command, i.e. the imap binary

If you're using a Debian-based distro:

dpkg-statoverride --update --add root mail 2755 /usr/lib/dovecot/imap

unbreaking Calibri.ttf

December 28, 2009

Calibri, one of Microsoft's ClearType fonts, has a few sets of bitmaps embedded into it, to make it look better when font smoothing is off. Which results in Calibri looking just plain ugly in X11/Freetype when you enable hinting.

To disable embedded bitmaps, put this into your ~/.fonts.conf:

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
    <match target="font">
        <test name="family" compare="eq">
            <string>Calibri</string>
            <string>Cambria</string>
        </test>
        <edit name="embeddedbitmap" mode="assign">
            <bool>false</bool>
        </edit>
    </match>
</fontconfig>

Installing Flash Player for Firefox

November 6, 2009

In, uhh, 13 easy steps.

Previously:

  1. Open Firefox.
  2. Click http://get.adobe.com/flashplayer/ in Google.
  3. Click "Download", download a small .exe (which is a self-installing .zip)
  4. Run the .exe

Now:

  1. Open Firefox.
  2. Click http://get.adobe.com/flashplayer/ in Google.
  3. Uncheck "Free McAfee Security Crap"
  4. Click "Download", get nothing.
  5. Notice the Firefox info bar, approve adobe.com for installing software.
  6. Install the "Adobe DLM" extension.
  7. Click "Restart Firefox", wait for Firefox to restart.
  8. Wait while DLM installs itself.
  9. Wait for DLM to download the Flash Player installer.
  10. Uninstall Adobe DLM from Firefox.
  11. Uninstall Adobe DLM from "Add/Remove Programs"
  12. Notice that about:plugins still lists "getPlusPlus for Adobe", find the goddamn .dll file, and burn it in a fire.
  13. Notice that you could have avoided all of this if you clicked the "If it does not start, click here to download" link.

Dear Adobe, you call this convenient?!