Profile

Cover photo
Jeroen Wiert Pluimers
Works at BeSharp.net
Attended Leiden University
Lives in Amsterdam
649 followers|1,089,624 views
AboutPostsPhotosYouTubeReviews

Stream

 
OS X Finder: viewing hidden paths

One of the most frustrating things on a Mac is that the OS X Finder does not allow you to browse all paths. Unlike Windows the Windows Explorer, where it is fairly easy to switch a preference for enabling/disabling showing the hidden files and folders,…
1
Add a comment...
 
 
Gopro clone with Wi-Fi for just $50 (for about 1 day more).
Normally costs $90.
KEECOO is yet another full HD action camera with Wi-Fi connectivity that provides most of GoPro functionalities, and while it normally sells for about $90 to $95 on sites like GeekBuying or GearBest, Focalprice is currently offering a steep discount by selling it for just $49.99 for a limited ...
1 comment on original post
1
Add a comment...
 
Dear +Google+​ I need share option to read this post later.
2 comments on original post
2
Add a comment...
 
 
Dies ist also jetzt schon der zweite Flugzeugabsturz, der durch dieses Sicherheitssystem erst ermöglicht wurde. Knapp 200 Menschen kamen dabei bisher ums Leben und es werden vermutlich nicht die letzten sein. Wieviele Leben durch den verbesserten Schutz vor Terroranschlägen gerettet wurden, bleibt Spekulation, möglicherweise kein einziges.
 ·  Translate
Bis zu den Anschlägen vom 11. September ließen sich Cockpit-Türen relativ einfach von außen öffnen. Seither wurden die Sicherheitsvorschriften erheblich verschärft - was aber auch zu Problemen führen kann.
2 comments on original post
1
Add a comment...

Jeroen Wiert Pluimers

Shared publicly  - 
 
Via +Köhntopp
 
Deprecating Old Crypto in a Linux Distro: A tale of something that looked obvious but .. there's a lesson in it somewhere.

While working on my Linux distro project at work, one of the things I recently wanted to do is phase out old crypto.

Yes we all read Bruce Schneider's text and how important it is, but nothing drives it home like reading The Guardian articles followed
by OpenSSL downgrade attacks in the last year or two.

Now, nothing should be defaulting to some of the antique crypto, but the only way to know 100% sure  that the algorithms in question aren't being used, is to just not compile them into the various crypto libraries of your distro.

So.. step 1 was to look at the algorithm list of openssl:

arjan@clr:~$ openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA




A few things stand out immediately.

RC4. This like seriously predates MD5, and MD5 is already suspect.

DES. Yes really. DES. in 1995 I worked at a company as an intern that made DES chips that you could use to brute force DES. In 1995, when Twin Peaks was on TV  and you measured transistor sizes of a chip in micrometers not nanometers.

MD5. The general consensus seems to be that for crypto, you shouldn't use MD5 anymore. I'm not talking about SHA1, where one can argue that existing uses are still ok, but MD5.

I decided to draw my first line there, stick to the consensus and all that.

The good news is that OpenSSL is very configurable, and it's pretty easy to say

no-rc4 no-des no-md5

on the configure line (and for good measure, I added no-ssl2 and no-ssl3).

At this point, I thought I was on a roll, removing old crypto is easy, lets finish this 15 minute project before the project meeting starts.

So now on to the bad news. And sadly, there is plenty to be had.

openssl does not even compile with the no-md5 option:

make[1]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/ssl'
In file included from s3_srvr.c:171:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
In file included from s3_clnt.c:158:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
....


Ok, so MD5 is technically not insane broken for small packets, and
it's just consensus not so much hard earned proof, so maybe deprecating md5 is a project for another day.

openssl does not even compile with the no-des option:

make[2]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/apps'
../libcrypto.so: undefined reference to `EVP_des_ede3_wrap'

or when you fix that, it does not pass its test suite (I'll spare you the details). 

Now here I had to draw a line. 20 years ago DES was not secure.. never mind today. I wouldn't  be surprised if someone will chime in and say that their smartwatch can brute force DES in realtime now.
So.. fixing it is.

I suppose the good news is that no-rc4 went just fine.

The success story then, with the list of crypto from openssl after no-rc4 and no-des:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA

no DES, no RC4.




But, as it was a Monday, the misery only started there (Dave Jones should have taught me that misery is like lawyers, it always comes in pairs).

I threw the no-rc4/no-des package into our build system, and in no time the world came apart on me. Half the distro broke!
Well not half, but several very important pieces.

It turns out that components like curl, libcurl (so anything speaking http), wget, openssh, mariadb, ...

all hard-code DES usage. Now, I'll give curl credit, with creative use of configure options, you can make it not compile DES in, but you can't then make it pass its testsuite.

There must be a lesson in here somewhere.

One, our team will be fixing these projects to not require DES (or RC4), and we'll send those patches to the upstream projects of course.

But more, and this is a call to action: If you're working on an open source project that uses crypto, please please don't opencode crypto algorithm usage.
The algorithm may be outdated at any time and might have to go away in a hurry. 
And if you have to use a very specific algorithm anyway (for compatibility or otherwise), at least be kind and make a
configure option for each algorithm in your project, so that when things go bad (be it in 5 or 20 years), its very feasible to disable the algorithm entirely. 
27 comments on original post
1
Add a comment...

Jeroen Wiert Pluimers

Shared publicly  - 
 
 
An email I would live to send them!

I know two things: A script monkey would toss my email in the bitbucket, and rating transactions serves up the privacy of my purchases for all to see. Believe me Amazon, if the transaction is good, then you did your job, and I dont' give stars for "doing your job". If bad, you will hear from me. If you make up for a mistake, you did your job (and earned no stars). If you really mess up, you won't get any stars for that either. Do something really right and stop hounding me!
View original post
1
Add a comment...
In his circles
872 people
Have him in circles
649 people
Bang Fani's profile photo
Ahmad Chehre's profile photo
khalil shreateh's profile photo
David Moorhouse's profile photo
Martijn van Wijlen's profile photo
Wim van der Stokker's profile photo
Hanno Arens's profile photo
Simran Beyond Beauty's profile photo
John Kaster's profile photo

Jeroen Wiert Pluimers

Shared publicly  - 
 
 
[NL] U vroeg om bewijs dat opsporingsdiensten zich niet aan de wet houden (lees: niet met verantwoordelijkheid kunnen omgaan)? Voila.

Maar het lijkt dat je pas een geldig argument hebt als je geen bewijs kunt aanvoeren (zoals cijfers over het nut van de bewaarplicht, toch meneer v/d Steur?)

Zie ook https://plus.google.com/+RoderickGadellaa/posts/ZgNXBoMk4cT
 ·  Translate
View original post
1
Add a comment...
 
 
Good news, you can now enable Chrome Data Compression Proxy [1] on desktop, via the Data Saver (beta) extension! 

"When this extension is enabled, Chrome will use Google servers to compress pages you visit before downloading them. SSL and incognito pages will not be included."

[1] For what/why/how on Compression Proxy: http://bit.ly/1Cs39wN 
Reduces data usage by using Google servers to optimize pages you visit.
2 comments on original post
1
1
Ilya S's profile photo
Add a comment...
 
Next time I run into .NET and native threading issues: Main UI threads often have a correlation between managed and native thread IDs. But for other threads, you cannot be really sure. Some background articles on this: Threading deep dive – Day 9 – My…
1
Add a comment...
 
 
DeskSMS shutting down

Google Talk was finally shut off last month, as such, I'll be shutting down DeskSMS shortly. Orders have been disabled for a while, but if you want a refund, just post your order ID in the comments below, and I'll refund ya. It was a good run!

DeskSMS is open source, so if you wanna run your own app engine instance, go for it!

There's also a bunch of good alternatives out there now as well, so you may wanna check out MightyText and others.

I'm personally using Google Voice (Hangouts integration is great, on iOS and Android) now.
41 comments on original post
1
Add a comment...
People
In his circles
872 people
Have him in circles
649 people
Bang Fani's profile photo
Ahmad Chehre's profile photo
khalil shreateh's profile photo
David Moorhouse's profile photo
Martijn van Wijlen's profile photo
Wim van der Stokker's profile photo
Hanno Arens's profile photo
Simran Beyond Beauty's profile photo
John Kaster's profile photo
Education
  • Leiden University
    Propedeuse Chemistry, 1987 - 1991
Basic Information
Gender
Male
Apps with Google+ Sign-in
Story
Introduction
specialist in .NET, Win32, SQL, Visual Studio & Delphi
Bragging rights
frequent speaker on international Developer conferences. Frequent blog on .NET, Delphi, technology and LifeHacking
Work
Occupation
self employed consultant at BeSharp.net
Employment
  • BeSharp.net
    Owner, 2007 - present
  • Pluimers Software Ontwikkeling B.V.
    Owner, 1989 - 2007
Places
Map of the places this user has livedMap of the places this user has livedMap of the places this user has lived
Currently
Amsterdam
Previously
Badhoevedorp - Sassenheim - Stolwijk - Geldrop
On a trip from Europe, we got some running gear here today. They were very helpful and pro-active with some great tips on using the gear, and better alternatives for what we were originally looking for. Since the NYC Half Marathon is our first half marathon ever, we got some great tips about that as well, especially since the first and toughest 10+k is inside Central Park so you need to make sure to strike a balance there. We're gonna meet some of the team at the NYC Half Marathon on St Patrick's day, and got invited to a "wind down" run in the week after the run. Highly recommended shop with enthusiast and knowledgeable people. Will certainly pay them a visit again in the future.
• • •
Quality: ExcellentAppeal: ExcellentService: Excellent
Public - 2 years ago
reviewed 2 years ago
1 review
Map
Map
Map