Profile

Cover photo
Sebastian “baboo” P.
Worked at T-Online
Attended Technische Universität Darmstadt
Lives in the middle of nowhere
1,464 followers|1,316,463 views
AboutPosts

Stream

Sebastian P.

Shared publicly  - 
 
 
Was ich an diesen ganzen BND Ausschüssen nicht verstehe: wieso sind ausgerechnet Politiker überrascht, dass sie angelogen werden?
 ·  Translate
3 comments on original post
1
Add a comment...

Sebastian P.

Shared publicly  - 
 
Lost in the US? No problem; here's a road-map for you.
Of all the streets.


(Download & open needed. PNG is close to 11 MB)
1
Add a comment...

Sebastian P.

Shared publicly  - 
 
 
Deprecating Old Crypto in a Linux Distro: A tale of something that looked obvious but .. there's a lesson in it somewhere.

While working on my Linux distro project at work, one of the things I recently wanted to do is phase out old crypto.

Yes we all read Bruce Schneider's text and how important it is, but nothing drives it home like reading The Guardian articles followed
by OpenSSL downgrade attacks in the last year or two.

Now, nothing should be defaulting to some of the antique crypto, but the only way to know 100% sure  that the algorithms in question aren't being used, is to just not compile them into the various crypto libraries of your distro.

So.. step 1 was to look at the algorithm list of openssl:

arjan@clr:~$ openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA




A few things stand out immediately.

RC4. This like seriously predates MD5, and MD5 is already suspect.

DES. Yes really. DES. in 1995 I worked at a company as an intern that made DES chips that you could use to brute force DES. In 1995, when Twin Peaks was on TV  and you measured transistor sizes of a chip in micrometers not nanometers.

MD5. The general consensus seems to be that for crypto, you shouldn't use MD5 anymore. I'm not talking about SHA1, where one can argue that existing uses are still ok, but MD5.

I decided to draw my first line there, stick to the consensus and all that.

The good news is that OpenSSL is very configurable, and it's pretty easy to say

no-rc4 no-des no-md5

on the configure line (and for good measure, I added no-ssl2 and no-ssl3).

At this point, I thought I was on a roll, removing old crypto is easy, lets finish this 15 minute project before the project meeting starts.

So now on to the bad news. And sadly, there is plenty to be had.

openssl does not even compile with the no-md5 option:

make[1]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/ssl'
In file included from s3_srvr.c:171:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
In file included from s3_clnt.c:158:0:
../include/openssl/md5.h:70:4: error: #error MD5 is disabled.
 #  error MD5 is disabled.
    ^
....


Ok, so MD5 is technically not insane broken for small packets, and
it's just consensus not so much hard earned proof, so maybe deprecating md5 is a project for another day.

openssl does not even compile with the no-des option:

make[2]: Entering directory '/builddir/build/BUILD/openssl-1.0.2a/apps'
../libcrypto.so: undefined reference to `EVP_des_ede3_wrap'

or when you fix that, it does not pass its test suite (I'll spare you the details). 

Now here I had to draw a line. 20 years ago DES was not secure.. never mind today. I wouldn't  be surprised if someone will chime in and say that their smartwatch can brute force DES in realtime now.
So.. fixing it is.

I suppose the good news is that no-rc4 went just fine.

The success story then, with the list of crypto from openssl after no-rc4 and no-des:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA

no DES, no RC4.




But, as it was a Monday, the misery only started there (Dave Jones should have taught me that misery is like lawyers, it always comes in pairs).

I threw the no-rc4/no-des package into our build system, and in no time the world came apart on me. Half the distro broke!
Well not half, but several very important pieces.

It turns out that components like curl, libcurl (so anything speaking http), wget, openssh, mariadb, ...

all hard-code DES usage. Now, I'll give curl credit, with creative use of configure options, you can make it not compile DES in, but you can't then make it pass its testsuite.

There must be a lesson in here somewhere.

One, our team will be fixing these projects to not require DES (or RC4), and we'll send those patches to the upstream projects of course.

But more, and this is a call to action: If you're working on an open source project that uses crypto, please please don't opencode crypto algorithm usage.
The algorithm may be outdated at any time and might have to go away in a hurry. 
And if you have to use a very specific algorithm anyway (for compatibility or otherwise), at least be kind and make a
configure option for each algorithm in your project, so that when things go bad (be it in 5 or 20 years), its very feasible to disable the algorithm entirely. 
29 comments on original post
1
Add a comment...

Sebastian P.

Shared publicly  - 
 
Rolemodel skill 6W6+9000


via +Thomas Bindewald.
Jesse Nagy's 4-year-old niece Izzy really wanted to dress up as a princess to go see Disney's new Cinderella live action movie, but she was afraid that no one else would dress up. That's when the tattooed and muscular 26-year-old actor decided to dress up as a princess to make sure that Izzy would feel fine going to the movie dressed up! Now that's role-model material.
5
Add a comment...

Sebastian P.

Shared publicly  - 
4
Sven Reitis's profile photoJohannes Möckel's profile photosascha sarn's profile photo
3 comments
 
Sieht Nice aus Danke nochmal 👍hättest was gesagt wehre ich mal rüber gekommen 😁
 ·  Translate
Add a comment...

Sebastian P.

Shared publicly  - 
 
It's called 'tablet' for a reason.
16
Martin Sitte's profile photo
 
Got my tablets solely as a stand for my cold beers on the couch!
Add a comment...
Have them in circles
1,464 people
Ruba galline's profile photo
Christian Haußmann's profile photo
Thomas Rothe's profile photo
enrikito trejo's profile photo
Ja Na's profile photo
Sven “Tawen” Färber's profile photo
Ana Maria Rodriguez's profile photo
Nicole Britz's profile photo
xabi saenz's profile photo

Sebastian P.

Shared publicly  - 
 
 
Can we extinguish fire with sound waves?
It may seem outlandish, but George Mason University engineering students Seth Robertson and Viet Tran say they’ve developed a way to extinguish fire with sound waves.

How can this be?
Low-frequency sound waves in the 30 to 60 hertz range -- can apparently separate oxygen from fuel,” Tran said, in a GMU news release.
“The pressure wave is going back and forth, and that agitates where the air is. That specific space is enough to keep the fire from reigniting,” Tran told the Washington Post.

Article:
http://www.huffingtonpost.com/2015/03/26/fire-put-out-with-sound-seth-robertson-viet-tran_n_6945192.html?ncid=edlinkushpmg00000030

Reference:
http://www.wusa9.com/story/news/local/2015/03/24/george-mason-students-sound-extinguish-fire/70387578/

#fire   #science   #soundwaves   #research  
3 comments on original post
2
Robin L.'s profile photo
 
Frag mich ob das dann mit richtig tiefem dubstep funktioniert...
 ·  Translate
Add a comment...

Sebastian P.

Shared publicly  - 
 
"What could possibly go wrong?"
 
Sometimes you don't need Sense Wyrm to find wyrm sign. - Rodney
2 comments on original post
9
2
Jan Horneck's profile photoValentin Pletzer's profile photo
Add a comment...
 
 
Deutsche Telekom warnt vor "staatlich diktiertem Einheitsnetz"! Und meint Netzneutralität. Und will nur "wenige Prozent Umsatzbeteiligung" für eine Überholspur. Blöd, wenn sowas leakt.
 ·  Translate
Wie wirbt die Deutsche Telekom für die Abschaffung der Netzneutralität? Das ist in der Regel relativ intransparent und findet hinter verschlossenen Türen statt. Heute hatten wir ein schönes Beispiel im Briefkasten, was an eine andere Zielgruppe gerichtet war. Im Kundenmagazin der Weberbank, einer Privatbank für Vermögende, durfte der Telekom-Sprecher Philipp Blank einen Gastbeitrag schreiben. ...
7 comments on original post
2
1
Tobias Wolter's profile photo
Add a comment...

Sebastian P.

Shared publicly  - 
 
Noch jemand ohne hier?
 ·  Translate
12
4
Sue Denmark's profile photoKai Wirdemann's profile photoSascha Siegler's profile photoGregor Steinweg's profile photo
3 comments
 
Großartige Idee
Add a comment...

Sebastian P.

Shared publicly  - 
 
Deathray-Tower (http://www.bbc.com/news/magazine-23944679) isn't enough, nah, we need more lenselike-glasstowers in London, but this time, whe thought about it.

Like, yeah, go for it.
With downtown densification usually comes a lack of light in surrounding spaces, leading one architecture firm to develop the world's first algorithm-driven strategy to allow a tower to fully shed ...
1
Juergen Nieveler's profile photo
 
I suppose flying over central London isn't allowed anyway...
Add a comment...
People
Have them in circles
1,464 people
Ruba galline's profile photo
Christian Haußmann's profile photo
Thomas Rothe's profile photo
enrikito trejo's profile photo
Ja Na's profile photo
Sven “Tawen” Färber's profile photo
Ana Maria Rodriguez's profile photo
Nicole Britz's profile photo
xabi saenz's profile photo
Work
Employment
  • T-Online
    Network Specialist, 2002 - 2004
  • HRZ TU-Darmstadt
    Azubi FI-SI, 1998 - 2001
  • Transcom
    IT, 2001 - 2002
Places
Map of the places this user has livedMap of the places this user has livedMap of the places this user has lived
Currently
the middle of nowhere
Story
Tagline
Musing about corporate policies, "agile" and all kind of catcontent. Bring your own tin foil hat.
Introduction
"The trouble with quotes on the internet is that it’s difficult to discern whether or not they are genuine.” 
- Abraham Lincoln
Education
  • Technische Universität Darmstadt
    1998 - 2001