Value of two-factor authentication in MMOs

Cypherpunks everywhere know that using two-factor authentication, when done right, is inherently more secure.

Nothing can be said against the security of wisely-used one-factor authentication, but care must be taken to ensure the ongoing security of that factor. If you use a password, you need to choose a secure one — and if you don’t change it regularly, it logically gets weaker, too.

I know of at least one WoW player who is positively paranoid about exposing their passwords to someone, even though they don’t exhibit that behaviour elsewhere.

And then, of course, there’s the people who complain about having their accounts hacked, even though they used a secure password like their birthday. Or abcde.

A mitigating factor against people being too stupid to use passwords securely, then, is needed. And that’s where two-factor authentication comes along.

Two-factor authentication, in essence, means that you need to prove your own identity by two different means. This isn’t like using two different passwords. The common examples for factors include “things the user knows” — like a password, PIN, etc., “things the user has”, like some form of physical security token, and “things the user is”, i.e. biometric verification methods.

Biometric verification is more “comfortable” to use, but does have two major drawbacks:

  1. it requires specialized equipment (in most cases)
  2. it is vulnerable to replay attacks

So, mainly for reasons of practicality, owning an authentication token is the best method of getting a second factor into the mix.

But why would a company like Blizzard, for example, cough up the effort to actually enable something like authenticators — not only via device, but by mobile phone, too — and then go ahead and reward players (in the form of an in-game pet, but nevertheless) for using an authenticator — merely to save people from their own stupidity?

Simple enough: to help battle against “economic” abuse, and to help protect their own interests by having to deal with fewer “hacked account” cases.

Even though the latter reason might just be enough to implement it, the former is actually the most important one. Gold farming is a serious problem for online gaming companies, and even underdeveloped economies like that of WoW can suffer greatly from such manipulation.

If you want to read a fictional example of a near-future vision on the importance and concepts of gold farming, you should read up on Cory Doctorow’s “For The Win”. Even though it’s a bit over the top compared to the current state of the game, it might very well be similar in the years to come.

Of course, the battle.net authentication token Blizzard distributes does seem to have reliability problems; the mobile authenticator — a Java application — seems to work fairly well, and, compared to the DIGIPASS Go 6 authenticators used by Blizzard, actually has a reverse-engineered spec available.

Even though the DIGIPASS algorithm was, to the author’s knowledge, not broken so far, the fact that the developing company does not disclose the DIGIPASS source code to non-customers, along with a rather cheeky attitude, should serve as sufficient indicators to avoid their products.

Using grub2 to recover your system

grub2 is hailed as the all new, super modular cure-all remedy for all booting problems you’ve had, have and will have. At least that’s the way the developers and some enthusiasts see it, whereas most blokes who’ve actually had to use it with more than arrow keys and enter will paint a slightly different picture.

The thing with grub2 is that even though in theory it sounds like the end of all things booting, it’s about as well-documented as the question for life, the universe, and everything.

And as I today had to try to fight my way through googling for necessary information again, I thought I’d create a quick step-by-step reference with all the most interesting bits you’ll ever need already there.

Thusly, the ingredients needed to resurrect your computer with grub2. The gist is that you have the goal of booting one specific operating system on your computer, from within which you’ll use whatever methods you deem necessary to update your grub in the “right way” — usually a downgrade to an older version and waiting for the dust to blow over.

  1. A booting grub2. If your grub2 already fails to boot because of some random error, you need to get a grub in smelling distance of your BIOS. One of the most proven methods is to
    1. Download a USB rescue image like grml (usually from Your Other Computer or that of somebody else)
    2. Put it on a USB stick (dd if=grml-variant_version.iso of=/dev/sdx in most cases, with appropriately chosen variables)
    3. (Re)boot, adjusting the priority for your USB HDD/USB key if necessary

    And that’s it, you’re in a grub. Also note that it’s recommendable to have a USB stick with a rescue image lying around for the times when you can’t just easily download it.

  2. Enter the command line/shell mode by pressing ‘c’.
  3. Do an ‘ls’, which will give you a listing of recognized devices. Doing an ‘ls device’, e.g. ls (hd0,1), will give you more information about that device.
  4. If the information from your ls isn’t complete, you will have to load some modules (by using insmod modulename). Here’s a checklist:
    1. If you do not see any other devices which look like your hard drive(s), e.g. you only have an (hd0) device from your USB medium, then load a device driver. They will allow you to find the actual devices. Examples include:
      • biosdisk
      • scsi
      • fs_uuid
      • pci
      • raid
      • mdraid
      • dm_nv
    2. If you have devices, but no partitions, you’ll need a partition driver. It seems the default grub config does not load any partition driver, and debugging this is just a bit annoying. But there’s two easy choices for most people:
      • Load the module “part_msdos”.
      • If this doesn’t help, try “part_gpt”.

      These are the two most common partition tables (at least for next to everyone reading this guide in need) and should help your grub find its partitions again.

    3. You may also have to load your filesystem drivers. I presume you already know which those are, but for the sake of completion:
      • Almost all Linux systems use ext2
      • Most current Windows will use ntfs, but fat is also an option.
      • Mac users will use hfsplus for newer systems, hfs for older ones.
    4. The next step depends on exactly what you want to do. There’s a fork in the road — if you just want to load your previously unbootable grub, you will try to load its configuration file, else you’ll try to boot your operating system kernel.

    5. To search for a file, you use the search -f filename command, which will give you results on where files of that name are stored. Use root device to set the resultant device as the root device for your further operations. If you only want to load your old grub config, type in configfile filename, where filename will usually be something like /grub/grub.cfg or /boot/grub/grub.cfg.
    6. Should this fail to resolve your problem, or not be what you’re aiming for, you’ll need to find the operating system. For most Linuxens, you’ll probably have a file called /vmlinuz or /boot/vmlinuz to search for. For Windows operating systems, look for /Windows/win.ini. For Mac: no clue. When found, set your root device (with root device).
    7. Now methods will become divergent, as operating systems differ in the way of booting them.
      Linux
      1. kernel kernel_filename
      2. initrd initrd_filename [most current kernels come with an “initial ramdisk” holding modules etc.]
      3. boot — if all goes well, you’re set.
      Windows
      1. chainloader +1
      2. boot
      MacOS
      Probably the same as Windows, using the chainloader.

    And that’s it. It should cover most cases you’d need to restore your capability of booting your operating system. You’ll probably want to fix/install your bootloader after this, though.

    A helpful tool for debugging your current grub state is probe, which will allow you to check what drivers are assigned to devices.
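
An added example, not part of the original post, for step 1 of the list above: it checks the downloaded rescue image against its published SHA-256 checksum and refuses to run dd unless the target is a whole disk that the kernel marks as removable. The function names and the SYSFS_BLOCK override are hypothetical; the layout assumed is Linux's /sys/block/<disk>/removable.

```shell
#!/bin/sh
# Added example: checks to run before the dd step of the rescue-stick procedure.
# SYSFS_BLOCK is a hypothetical override so the disk check can be exercised
# against a fake directory tree; by default the real /sys/block is used.

# Print the SHA-256 of a file as lower-case hex, with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the image hashes to the checksum published for it.
image_matches() {
    [ -f "$1" ] || return 1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#want}" -eq 64 ] && [ "$(sha256_of "$1")" = "$want" ]
}

# Succeed only for a whole disk (partitions have no entry directly under
# /sys/block) whose "removable" flag is 1. USB sticks normally report 1;
# internal disks and many USB hard drives report 0.
is_removable_disk() {
    name=${1#/dev/}
    flag="${SYSFS_BLOCK:-/sys/block}/$name/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Run the dd step from the list above only when both checks pass.
write_rescue_image() {
    image=$1 checksum=$2 target=$3
    image_matches "$image" "$checksum" || {
        echo "checksum mismatch, not writing: $image" >&2
        return 1
    }
    is_removable_disk "$target" || {
        echo "not a removable whole disk, not writing: $target" >&2
        return 1
    }
    dd if="$image" of="$target" bs=4M conv=fsync
}

# Usage (run as root; the checksum comes from the distribution's download page):
#   write_rescue_image grml-variant_version.iso <published sha256> /dev/sdx
```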

vimium mapping for Dvorak layouts

I recently stumbled upon the rather neat vimium extension for Chrom(e|ium), which does much the same as the vimperator extension for Firefox. The problem, though, as with vimperator and vim itself, is that the default keyboard mappings are a bit of a pain in the arse for Dvorak users, as hjkl isn’t on the home row anymore, much less next to each other.

Therefore, it needs some remapping to get a halfway familiar and Dvorak-compatible layout, which would look like this:

unmapAll

map r reload
map e removeTab
map u restoreTab
map h scrollDown
map t scrollUp
map d scrollLeft
map n scrollRight
map <c-h> scrollPageDown
map <c-t> scrollPageUp
map <c-u> scrollFullPageDown
map D goBack
map N goForward
map T nextTab
map H previousTab
map <c-y> createTab
map gg scrollToTop
map G scrollToBottom
map gf toggleViewSource
map zi zoomIn
map zo zoomOut
map yy copyCurrentUrl
map i enterInsertMode
map f activateLinkHintsMode
map F activateLinkHintsModeToOpenInNewTab
map / enterFindMode
map . performFind
map , performBackwardsFind

Just paste it in the remap field of the extension’s “advanced options” menu.

D&D rules lawyering: cover and stealth

I was recently reading up on the stealth and cover mechanics, and even though I was fairly certain about what is and what is not possible, I found out that one edge case isn’t particularly well-documented.

The rules, to be exact the Stealth rules correction from Player’s Handbook 2, state:

Becoming Hidden: You can make a Stealth check against an enemy only if you have superior cover or total concealment against the enemy or if you’re outside the enemy’s line of sight. Outside combat, the DM can allow you to make a Stealth check against a distracted enemy, even if you don’t have superior cover or total concealment and aren’t outside the enemy’s line of sight. The distracted enemy might be focused on something in a different direction, allowing you to sneak up.

So, what it especially says is that “superior cover” works as a basis to get hidden behind. According to the Dungeon Master’s Guide on determining cover for ranged attacks:

Choose a Corner: The attacker chooses one corner of a square he occupies, and draws imaginary lines from that corner to every corner of any one square the defender occupies. If none of those lines are blocked by a solid object or an enemy creature, the attacker has a clear shot. The defender doesn’t have cover. (A line that runs parallel right along a wall isn’t blocked.)
Superior Cover: The defender has superior cover if no matter which corner in your space you choose and no matter which square of the target’s space you choose, three or four lines are blocked. If four lines are blocked from every corner, you can’t target the defender.

So, in theory, if you’d have a situation where you’d have superior cover from an enemy, e.g.
[Illustration: a player behind two allies, with lines of sight to an enemy.]
you’d be able to stealth yourself and gain combat advantage.

The only thing that really denies this possibility is, again, the Stealth updates from Player’s Handbook 2, this time the “Remaining Hidden” section [emphasis mine]:

Keep Out of Sight: If you no longer have any cover or concealment against an enemy, you don’t remain hidden from that enemy. You don’t need superior cover, total concealment, or to stay outside line of sight, but you do need some degree of cover or concealment to remain hidden. You can’t use another creature as cover to remain hidden.

Many thanks to @Milambus for looking up that passage. [And making me feel stupid for not having found it myself, by the way.]

And that’s the only problem. So, you could gain stealth moving behind enemies, but immediately lose stealth status again by being only behind a creature.

In a sense, this is balanced, since your rogue strikers could then just continue to camp behind your own fighters and shoot sneak attacks at enemies from just behind their buddies (since they don’t block for the player), which would make combat encounters quick enough, but also a bit boring.

Then again, as my player rogue pointed out, when there’s two huge dragonborn warriors pounding away at an enemy, how are they not supposed to be able to hide behind them? They aren’t 5′ wide, surely, but certainly bigger than a half-elf in every other dimension.

I just think that with a further update (yuck), we might be able to get a bit of clarification on the fact how allies grant cover, but cannot grant superior cover.

D&D Characters: Shamorn Fallenheart, Tiefling Bard

As a bit of a side occupation, I like to engage in some character design for role-playing games, as it just comes as a natural extension of being a hobby-ish writer person.

Thus, I present: Shamorn Fallenheart, a tiefling bard from High Imaskar.


Birth — and over misgivings

Shamorn was born in Gheldaneth, the fading Mulanian metropolis of High Imaskar, and his parents believed in the prophecies stating that Shamorn would bring forth better times for the tiefling folk of the Gheldaneth slums. Being raised in a community of hired hands to accompany adventurers on dangerous treasure hunts through the depths of the sunken city, hopes were laid on him, and him alone, to liberate them from this life of unofficial slavery.

Early life

Our young tiefling was always a bit pampered. The male role models of the community were often too busy getting killed on a foolish quest, as was Shamorn’s own father — shortly before his fourth birthday. As it were, there was none of the usual goading and testing a tiefling endures as part of growing up. The consequences of this, as well as the pampering he received from his mother and other “faithfuls”, would be dire indeed.

Thus Shamorn grew to be a young adult, helping out everywhere in the community, without ever taking up a real job. He had many on and off teachers, versing him in skills as @skills and the heritage of the tiefling race, training him in the use of weapons and telling stories of heroic deeds throughout time.

Constantly surrounded by an appreciation for life, for heroism, the history and culture of his people and a will to bring good to them, it came as a great surprise to many that Shamorn Fallenheart, Prophesied Saviour of the Gheldaneth Tieflings, came to start training to be…

a bard.

There was a wandering Elven Bard in Gheldaneth at the time, and Shamorn chose to apprentice himself to him, believing that becoming a bard, a herald of their people, would be worth much more than simply slaughtering any would-be oppressors or being a leader to guide the people to their Promised Land.

As was to be expected, his decision did not sit well with some, if not most, of his elders. His mother came just short of disinheriting him, and he was forever branded as a wimp by most others. Still, there were some people who still believed in him, and he managed to stay in the community, even though everyone tried to forget about any kind of prophecy laid upon him.

The turning point

His apprenticeship was going well, all things considered. But his teacher, unbeknownst to him, was a bit of a braggart and ignorant, that is to say: not a very good bard. Still, Shamorn managed to master his natural grasp of the Arcane under his tutorship, even though the social values might have been slightly distorted.

Sadly, this distortion and the infusion of heroic tales led to an unfortunate incident. A rough band of treasure hunters, with a fierce reputation for their harsh effectiveness and rumours of a brutal and unrelenting manner towards opposition, sought out their enclave to hire some of their men for help. So, after a few minutes of shouting, waving of weapons and dragging people out of their hovels, Shamorn thought it was time to act.

Bravely stepping forward, he confronted the leader of the scavengers, demanding of him to cease these despicable acts and appealing to his good sense, as a man, to respect his people’s wishes.

The screams as the leader’s minions started slaughtering the women and children are still stuck in Shamorn’s head. He still only has vague memories of that moment, but there is one thing he is quite confident of:

As his mother’s lifeless body was thrown in front of him, crumpled up in a heap, he snapped. Shamorn went into a rage, slamming into the minions and fighting them fiercely. It seemed the demon in him had taken control, for he was full of laughter at the slaughter he was causing, taunting his enemies as he smashed their faces in with his $weapon or embedded his daggers into their hearts, even just ripping into them with his claws and biting as he went along.

It did not take long for him to cut through the minions, emerging bathed in blood, eldritch powers abound and flames crackling around his body. His Elven master bard was astonished at the display, and recognized the potential of a warlock in him should he ever have been trained thusly. As it was, the teacher preferred to cower in fear and observe what happened next.

Shamorn confronted the leader of the scavengers who was just standing there, shocked to his core.

“This is what happens when you try to compel my folk, human!” the bard stated in an almost neutral voice, only a hint of a burning darkfire noticeable in the voice. And with that, he slew the leader of the group that brought death to his kin.

And as if by miracle, Shamorn immediately calmed down to his usual, naive self. The only hint at his monstrosity was the fact that he surveyed the slaughter he had caused without fear, shame or disgust. Looking around him, he found few people left alive. Some were cowering inside their hovels, either hiding their faces or staring out at him with fear. Others seem to have run away, and it was eerily silent.

Shamorn cleared his throat. “My master, I will be leaving now. Do you wish to accompany me?”

His master, still shaking slightly, replied “No, my apprentice. I do not think that you need me any further. Consider your training complete.”

And with these short words, the recently orphaned Shamorn Fallenheart set out into the Realms, venturing forth to herald his people — and to leave this blighted home which has been cursed by his deeds.


The character statistics will follow as soon as I have access to the relevant documents again. I might also write a short story or two detailing the background or later adventures.

pisg: patch to irssi parser for euIRC ‘admin’ user mode

As pisg is ill-equipped to handle support for ‘admin’ users in the standard configuration, I went on a quick code hunt to find the bit of code responsible for stripping nick modes from a log line. A bit counter-intuitively, this function is called normalline, and not something like normalize or strip_mode.

Anyhow, here’s a small patch to fix the problem for the Irssi parser module:

--- modules/Pisg/Parser/Format/irssi.pm.old	2008-02-13 21:40:25.000000000 +0100
+++ modules/Pisg/Parser/Format/irssi.pm	2010-03-16 02:29:42.000000000 +0100
@@ -10,7 +10,7 @@
     my ($type, %args) = @_;
     my $self = {
         cfg => $args{cfg},
-        normalline => '^(\d+):\d+[^<*^!]+<[@%+~& ]?([^>]+)> (.*)',
+        normalline => '^(\d+):\d+[^<*^!]+<[@%+~&! ]?([^>]+)> (.*)',
         actionline => '^(\d+):\d+[^ ]+ +\* (\S+) (.*)',
         thirdline  => '^(\d+):(\d+)[^-]+-\!- (\S+) (\S+) (\S+) (\S+) (\S+)(.*)',
     };
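
Review bot: the `!` added to the nick-prefix class in normalline has no comment saying it is euIRC's admin prefix, so the next reader cannot tell it apart from a typo; a one-line comment above the pattern would fix that. The class is still `[@%+~&! ]?`, a hard-coded list that strips at most one character, so every network with its own prefix needs another edit of this literal; consider building the class from a configurable list of prefixes instead.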

Or you could just download the diff directly.

A new reason for leaving Ubuntu

So, if you’re wondering yourself: “Why, Ubuntu is in the process of making everything quite a bit more annoying and fucking things up”, yet still think “that might just be misjudged opinion”, then fret no more. There’s an easy way to now know that Canonical has officially gone bonkers.

The Ubuntu One Music Store.

After installing an annoying App Market-like “Software center” by default, switching users over to an IM client that’s only remotely usable, trying to sell you a cloud-based storage solution and switching to Yahoo as the default search engine, you really have to wonder what the guys responsible are up to.

So.

In short, Canonical is on the verge of going Apple. Just bail out while you still can.

D&D item: Martyr’s Collar

Seeing how everyone else is currently creating interesting items, I thought that I should throw one of my ideas into the mix. And after a bit of tinkering with how it should work, I present:

Martyr’s Collar Level 5

Resting tight against the throat, the wearer is always reminded of the price of sacrifice.

Lv 5   1.000 gp

Item slot:
Neck
Property:
This item can mean instant death for the character. To wield it, the character must succeed at a hard willpower check. After three failures, the character needs to take an extended rest before trying again.
Power (At-Will ♦ Necrotic):
Standard action. A conscious and willing character may activate the collar while it is around their throat. The collar magically constricts, severing the user’s head from their body. The user’s life energy serves as a power source for the collar and sends every attuned ally in range (burst 10) to the point defined by the attuning process.
Being able to survive the decapitation does not save the user, as all of their life energy is used up to power the collar’s magic.
The allies do not need to be willing, conscious, or even alive. If, for whatever reason, the destination is not reachable, the collar will not activate. After the teleportation, the collar expands to its normal proportions and loses any attunement.
Power (Daily):
Standard action. Every willing ally in a burst 5 is attuned to the collar, and the item itself is attuned to the location. When the at-will power is used, all allies attuned and in range are transported back to the current location. The collar does not need to be worn to be attuned; any character touching the item can initiate the process. When passing between owners, the item does not lose connection to any attuned user or the attuned location.

Nobody really knows how these devices ever came to be, but they seem to have been used by devout and loyal warriors throughout time to save comrades from certain death by using their own life to shield them. The ultimate heroic sacrifice, most souls sacrificing their bodies this way ascend to the Astral Sea.

Trusting self-signed certificates with Google Chrome on Linux

Update: added the “C” flag to SSL attributes which I accidentally forgot to include.
Also changed $HOST to $host, as $HOST is the shell parameter for the current hostname…

If you’re not really sure about how you can stop Chrome from permanently reminding you that the server you’re connecting to is a bad boy (read: using a self-signed certificate), you’ll probably end up looking at CACert’s Browser Client page by way of Google. With a bit of reading documentation, you can probably find out how to import a self-signed certificate and mark it as trusted, but since you’re probably lazy, you’d rather just copy and paste a few instructions.

First, I have to stress that blindly trusting a certificate you download off the internet is a Bad Idea. But expressing a certain laissez-faire attitude: if you’re stupid enough to copy and paste blindly, you deserve it.

Second, simple copy and paste instructions:

openssl s_client -connect $host:443 -showcerts > temporary_file
certutil -d sql:$HOME/.pki/nssdb -A -t CP,,C -n "$host" -i temporary_file

Third, explanations:

  • s_client just connects to the given hostname, 443 being, as you should know, the (default) HTTP SSL port.
  • -showcerts shows all kinds of information about the certificate, including the certificate itself. You will probably have to hit ^C/^D to stop s_client.
  • If you get multiple (and different) certificates, the first one will be the server certificate, and the second one the CA certificate.
  • certutil (package hint: libnss3-tools) can be used to manage your local «Network Security Services» SQLite database.
  • The specified arguments for certutil are:
    1. The database to use (in this case, the user-specific NSS database).
    2. The flag to add something to the database (-A).
    3. The “trust types” for the certificate, in “SSL, S/MIME, CA” notation: “P” for a trusted peer, and “C” for a certificate authority that may issue server certificates.
    4. A shortname to identify the certificate in the database. The hostname works well and is fairly obvious.
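
Acting on the warning above about blindly trusting what you download, here is an added example (not from the original post) that wraps the same two commands so the import only happens when the certificate's SHA-256 fingerprint matches one you obtained out of band, for instance read off the server's own console. The function names are made up for this example, the sample s_client output is constructed, and it uses the narrower trust string P,, (trusted peer only) instead of CP,,C, so the imported certificate is not also trusted as an issuer.

```shell
#!/bin/sh
# Added example: import a self-signed server certificate into the user's NSS
# database only after its fingerprint matches a value obtained out of band.

# Keep only the first PEM block (the server's own certificate) from the
# s_client output arriving on stdin; everything else is dropped.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         on && /-----END CERTIFICATE-----/ { exit }'
}

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab:cd:..." to bare upper-case hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if the expected value is a full SHA-256 fingerprint (64 hex
# digits) and the observed fingerprint is identical to it.
fp_matches() {
    got=$(normalize_fp "$1")
    want=$(normalize_fp "$2")
    case "$want" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#want}" -eq 64 ] && [ "$got" = "$want" ]
}

trust_host() {
    host=$1 expected_fp=$2
    pem=$(mktemp) || return 1
    # </dev/null ends the session after the handshake, so no ^C/^D is needed.
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_first_cert > "$pem"
    actual_fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null)
    if fp_matches "$actual_fp" "$expected_fp"; then
        # "P,," marks the certificate as a trusted peer for SSL and nothing else.
        certutil -d "sql:$HOME/.pki/nssdb" -A -t "P,," -n "$host" -i "$pem"
        status=$?
    else
        echo "fingerprint mismatch for $host, nothing imported" >&2
        status=1
    fi
    rm -f "$pem"
    return "$status"
}

# Constructed sample of s_client output; the bodies are placeholders, not
# real certificates. Try: sample_output | extract_first_cert
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = host.example
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example CA
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
EOF
}

# Usage: trust_host host.example "AB:CD:...(32 bytes, obtained out of band)"
```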

A records on top level domains

After I stumbled upon the wonderful URL shortener http://to/ today and immediately began posting it on IRC, I received a comment that someone didn’t even know that it was possible to do so. I, of course, could only comment “of course it’s possible”. But in the same train of thought, I just had to have a look at who else has a valid A record on their top level domain. So I fetched the IANA TLD list and, after being baffled by the punycode TLDs, threw some sh at the problem:
(for domain in $(grep -v '^#' tlds-alpha-by-domain.txt); do host -t A "${domain}."; done) | grep -v 'has no A record'

For the sake of enjoyability, I thus offer the results in table form, along with what kind of site is running on port 80. Data timestamp is 2010-01-08T16:05:00+0100, location for routing is DTAG-DIAL26 / AS3320.

| TLD | IP | content (port 80) |
|-----|----|-------------------|
| AC | 193.223.78.210 | “Always connected” (NIC.AC) |
| AI | 209.59.119.34 | “Offshore Information Services” |
| BI | 196.2.8.205 | “It works!” |
| CM | 195.24.205.60 | cm [195.24.205.60] 80 (www) : Connection refused |
| DK | 193.163.102.23 | “DK Hostmaster” (NIC.DK) |
| GG | 87.117.196.80 | Channel Isles Domain Registration |
| HK | 203.119.2.28 | hk [203.119.2.28] 80 (www) : No route to host |
| IO | 193.223.78.212 | NIC.IO |
| JE | 87.117.196.80 | Channel Isles Domain Registration |
| PH | 203.119.4.7 | HTTP 500.100 via broken Microsoft IIS |
| PN | 80.68.93.100 | Apache default home page |
| PW | 203.199.114.33 | pw [203.199.114.33] 80 (www) : No route to host |
| SH | 64.251.31.234 | sh [64.251.31.234] 80 (www) : No route to host |
| TK | 217.119.57.22 | “TK your long URL”, free .tk domain name registry |
| TM | 193.223.78.213 | NIC.TM |
| TO | 216.74.32.107 | TO./ URL shortener |
| UZ | 91.212.89.8 | some WAP page I can’t decipher |
| WS | 63.101.245.10 | ws [63.101.245.10] 80 (www) : Connection timed out |

So, in short, 5 of 18 (27%) are downright broken, one is being autistic, and a further 2 (11%) are not configured to do anything meaningful, leading to a total of 8 — or 44% — of TLD A records being useless. Bonus: none of the sites have AAAA records and, thus, no IPv6 availability.
