ydal

At the U23 yes­ter­day, we inclu­ded a sim­ple prac­tice les­son on how net­works work. We have a ser­ver on our net­work cal­led fiep.labor.koeln.ccc.de. fiep only has a sin­gle address, 192.168.23.240/25 accor­ding to the local DNS ser­ver, as oppo­sed to the rest of the net­work, 172.23.23.0/24.

The rou­ter did not announce any route for 192.168.23.128/25, but fiep still had addres­ses in other net­works (172.23.23.23 as well as an address in 2001:6f8:100c:1::/48), but they weren’t announ­ced anywhere.

The task, as given, was “to con­nect to http://fiep/hacking4pizza/”. In essence, this redu­ced the task at hand to eit­her just giving your­self an IP in the 192.168.23.128/25 net­work or just set­ting a route for said net­work, and then opening up your brow­ser. Along with other work­a­rounds, of course, that do require know­ledge not easily available.

We had an inte­res­ting case, though: one sin­gle Mac user could con­nect to the host wit­hout pro­blem, just typ­ing in http://fiep/ and everything’s good.

Con­fu­sion was amongst us. We couldn’t quite explain how the Mac mana­ged to just access the site. We assu­med it was IPv6, blo­cked it, and voilà, it didn’t work anymore.

Vague theo­ries were ram­ped up. Mine was the sca­riest, and also rather possible:

1. The cli­ent looks up the host­name, as usual.
2. It gets the IP, sees that it has no route to go there.
3. Next, an ARP request is pus­hed out for the IP.
4. The switch comes yap­ping along and says “got it!”, along with the MAC address.
5. The cli­ent then gene­ra­tes an IPv6 address from the MAC address.
6. Voila, con­nec­tivity.

There’s just two points where this would have went wrong:

1. Usually, the default route cat­ches any stragglers.
2. Why gene­rate a v6 address when it gets a con­nec­tion to the v4 address? Of course, it doesn’t know whe­ther the rou­ter will actually for­ward anything at all.

In the end, though, it was some­thing way more sim­ple: we still had an exter­nal DNS ser­ver which pro­pa­ga­ted the public IPv6 address, and the cli­ent was using an exter­nal DNS server.

But try­ing to find out what actually hap­pened did prove quite entertaining.

At the U23 yesterday, we included a simple practice lesson on how networks work. We have a server on our network called fiep.labor.koeln.ccc.de. fiep only has a single address, 192.168.23.240/25 according to the local DNS server, as opposed to the rest of the network, 172.23.23.0/24. The router did not announce any route for 192.168.23.128/25, but ...

See­ing how DNS pre­fet­ching is the new fad with brow­sers, I reckon there’s an easy way to con­firm valid addres­ses of web­mail ser­vice users:

1. Con­trol a DNS to assign uni­que has­hed hostnames.
2. Inte­grate links to has­hed host­na­mes in spam mails.
3. If the reci­pi­ent uses cur­rent Chrome, Fire­fox, etc:
   1. The DNS pre­fet­cher will resolve the host name,
   2. Giving you a con­fir­med hit for the address in your log­files, since your uni­que host­name gets resolved.

Kind of remi­nis­cent of the whole “oh, we can have e-Mails with HTML, let’s put in images!” affair. The only thing that might be a bit of a pro­blem for a spam­mer is get­ting a domain with DNS ser­ver control.

Simple way to use DNS prefetching for spam.

There is always a bit of metho­lo­gi­cal slow­ness when it comes to the first per­son shoo­ter genre of com­pu­ter games: deve­l­o­pers are lazy to try­ing some­thing new, lest they fall flat on their faces. This is sort of true when it comes to advan­ces in level design and gra­phics, where there’s a bit of ten­dency to move along, but only on known lines — next to nobody really adopts open levels. If they do, they are eit­her of (next to) no impact at all (I’m loo­king at you, Front­lines: Fuel of War), or they change the whole game into some­thing that gra­vi­ta­tes around cer­tain hot spots, as in S.T.A.L.K.E.R.: Shadows of Cher­no­byl, for example, or the first actual FPS doing this, Strife. And some­thing so open like Ope­ra­tion Flash­point, even though sporting quite impres­sive gra­phics, was never as suc­cess­ful as a rehash like Cry­sis which just slap­ped supreme gra­phics on old and pro­ven FPS concepts.

Then, there was the other extreme, wer some­thing radi­cally new was tried. Games like Tre­spas­ser, which was a game set in the Juras­sic Park uni­verse with some rather nice gra­phics, and a very fre­aky con­trol sys­tem. In this, you directly con­trol­led the arms of your cha­rac­ter, moving them around, rota­ting hands and clen­ching fists manu­ally to grab levers or push buttons.

It was horrible.

But the thing which hasn’t chan­ged at all for quite some time is how your cha­rac­ter inter­acts with the world at large. The big chan­ges in this category:

1. Doom star­ted out with using your key­board arrows to move you along, and PgUp and PgDn for aiming up and down.
2. Quake intro­du­ced the mouse into the mix, which still took some time to get adop­ted, though.
3. Then, Half-Life intro­du­ced the WASD key lay­out to accom­pany its ple­thora of spe­cial keys, which also popu­la­ri­zed the “use” but­ton to inter­act with environ­ment objects, instead of just run­ning into or shoo­ting them.
4. Recently, game­pad con­trol­lers are often used, and there’s a shift in lay­out map­ping to con­form with the limited amounts of but­ton avail­able on a controller.

And that’s very much it. For eons, you run around using your use but­ton to make stuff do other stuff. Besi­des just activat­ing swit­ches, you have your use key trig­ge­ring dia­lo­gues, opening doors, picking up things, and just about ever­y­thing you can ima­gine. If you do anything that bor­ders on com­ple­xity, you’d pro­bably get a pop-up dia­lo­gue explai­ning your opti­ons to you, totally brea­king game immer­sion and, in a few sorry cases, actually kicking in the fourth wall with a vengeance.

This was the case even with my beloved com­plex games like Sys­tem Shock, even if they tried to be some­what immer­sive in their inter­face. But then, there came the least likely can­di­date for reform ever: Doom III. Nobody expec­ted D3 to be anything but a new “shoo­ting demons” thingy; yet not only did it come along and intro­du­ced story to id Soft­ware games (which Quake IV con­ti­nued to flesh out), but it also intro­du­ced a revo­lu­tio­nary immer­sive way of using com­pu­ter con­so­les: instead of activat­ing them with your use key and then cli­cking around on the screen, D3 just chan­ged the cross­hair into an arrow when you viewed at the con­trols of a ter­mi­nal and allo­wed you to push and mani­pu­late but­tons wit­hout ever brea­king immer­sion into the universe.

An example (just the first few seconds, really):

Example screen­shot, bla­tantly sto­len from the site in my post scriptum:

But it didn’t last. And I won­der: why? Was it too com­plex? Did it alie­nate the tra­di­tio­na­list that he had to do more than push ‘e’ to use a com­pu­ter? It’s just so good, yet nobody seems pre­pa­red to adopt it to their games. Bioware’s Mass Effect is quite good at try­ing to keep immer­sion high and making the player expe­ri­ence the game, rather than just play it — but they, too, resort to brea­king immer­sion when it comes to com­pu­ter ter­mi­nals, using a com­bi­ned inventory/data sto­rage sys­tem on a sepa­rate screen.

The ques­tion remains: Why? It’s good, it works, it’s not hard to learn — so why avoid it?

P.S.: While sear­ching for good screen­shots, I found an arti­cle cal­led Through The Loo­king Glass — Fully Inter­ac­tive Sur­faces In DOOM3 by Bernd Krei­meier, which explains things in a bit grea­ter detail.

A small rant about the lack of good interaction in First Person Shooters.

Since I can pro­bably declare my Nokia N810 dead after a rather unde­li­be­rate expo­sure to not really fresh water, I’m on the look­out for a wor­ka­ble repla­ce­ment. See­ing that Apple, des­pite all its glos­si­ness, is quite a pile of crap when it comes to soft­ware deve­l­o­pe­ment and free stan­dards, I thought there was only one choice: Android.

That was, until I found out that the next Maemo device from Nokia, the N900, also dub­bed “Rover”. There’s also real pic­tures avail­able, not mockups.

The N900 would then, of course, be pit­ted against the HTC Hero.

Now, first, hard­ware. A quick comparision:

So in essence, the Rover trumps the Hero in sto­rage capa­city and screen reso­lu­tion, has a slight advan­tage in CPU, suc­cumbs in RAM and weighs more. But of course nobody has yet been able to touch the Rover from a reviewer’s point of per­spec­tive, and if it is anything simi­lar to the N810, the sli­ding key­board will wiggle all the time and annoy you.

The main ques­tion would pro­bably the choice of ope­ra­ting sys­tem: Do you want Google’s shiny Android mobile phone ope­ra­ting sys­tem? Or do you want Nokia’s Maemo 5/Fremantle, a Debian port initi­ally desi­gned for mobile devices wit­hout phone connectivity?

From a nerd or hacker point of view, maemo is very inte­res­ting, since it’s basi­cally an embed­ded Debian, with all its advan­ta­ges and disad­van­ta­ges. But you have to ask your­self: so far, the other Nokia Inter­net Tablets have been good secon­dary devices. You have your mobile phone for your RL con­nec­tivity, and the NIT, pro­bably con­nec­ting to the Inter­net via your phone, hand­les the CPU-churning Inter­net activi­ties. The ques­tion ari­ses whe­ther the new gene­ra­tion of smart­pho­nes actually requi­res this kind of distinction.

On the other hand, you have the Android ope­ra­ting sys­tem, spe­ci­fi­cally desi­gned for smart mobile pho­nes. This alone gives it the advan­tage of being more stream­lined to mobile phone needs, which helps quite a bit in usability.

The great advan­tage of the Maemo sys­tem, as oppo­sed to anything around at its time of incep­tion, was it being almost com­ple­tely open source, and based on Debian. So, with a fair bit of luck, you could just com­pile a Debian package in the right build environ­ment, and it would pro­bably run on your maemo device. And since you had GTK as your win­do­wing basis, well, deve­lo­ping your own apps was easy, too.

But with Fre­mantle, Nokia’s chan­ging to Qt to keep up the splif­fy­ness with iPhone OS and Android, which will make all the old GTK app­li­ca­ti­ons look a bit out of date. While this may be a ‘good’ move to go towards mobile pho­nen­ess, it will pro­bably alie­nate the fan­base to no end to sudd­denly have to do Qt. I’m gues­sing this will end bad.

On the other hand, people claim about Android being from evil evil Google, and thus not trust­wor­sty. What I’m asking mys­elf, espe­cially after wri­t­ing down why I’m more inclined towards the Android OS, and, thus, the Hero: is it worth wait­ing for the Rover, being ‘redu­ced’ to my S60r3 phone until I can decide whe­ther it is bet­ter or not?

Since I can probably declare my Nokia N810 dead after a rather undeliberate exposure to not really fresh water, I'm on the lookout for a workable replacement. Seeing that Apple, despite all its glossiness, is quite a pile of crap when it comes to software developement and free standards, I thought there was only ...

After a ran­dom act of shower­ing epi­phany this morning, I star­ted thin­king about imple­men­ting a glo­bal repu­ta­tion sys­tem simi­lar to Whuf­fie, as seen in Cory Doctorow’s “Down and Out in the Magic King­dom”.

A quick bout of goog­ling revea­led that there’s actually a sys­tem cal­led Per­son­Ra­tings, but it’s run­ning on some­thing that does not slot up with what I was expec­ting of such a service.

Where PR goes forth and takes a real per­son which can be reviewed ela­bo­ra­tely accor­ding to pre-defined cate­go­ries, I was thin­king of some­thing much more simple:

Sketch to illus­trate the design idea of the repu­ta­tion system.

Essen­ti­ally, you wouldn’t need to go for ela­bo­rate reviews — most people can’t be bothe­red with anything like that at all. When you force a dif­fi­cult inter­face on people, the only guys giving rep will be people who eit­her think the repu­tee [sorry] to be the next incar­na­tion of their favou­rite mes­siah or the shai­tan him­self. Thus the need for an easy interface.

The gene­ral direc­tion of what should be jud­ged in my vision is not the repu­tee them­self, but the actions they do: if they do some­thing you con­sider good, funny, inte­res­ting, enligh­te­n­ing or other­wise posi­tive, vote up. If they do anything bad, mali­cious, annoy­ing or pro­foundly dis­tur­bing, vote down. The votes shouldn’t be “they’re a good per­son, I like them” or “I think they’re an evil per­son”, but rather “they just made me laugh :)” or “they just kicked a baby across the street :(“.

Of course, per­so­nal stan­dards dif­fer and some people might think that kicking a baby across the street is actually jolly good fun and quite posi­tive. The way to coun­ter this would be some sort of deri­va­tive score, allo­wing you to ignore cer­tain kinds of people. Pro­blems with this:

1. It’s quite hard to define fil­ter rules for this. This would need con­stant user review, and pro­bably lead to very pro­ble­ma­tic exclu­sion lists.
2. It could lead into a posi­tive feed­back loop, where two par­ties just start hate-voting each other all the time due to dif­fe­ren­ces in opinion.

So I’m not sure whe­ther this is some­thing that should be imple­men­ted — or could be imple­men­ted in a bet­ter way. You pro­bably don’t want to have poli­ti­cal groups on your repu­ta­tion system.

In a rela­ted thought, one of the main pro­blem one will have to face is repu­ta­tion trol­ling. The sys­tem would need to make it impos­si­ble for someone to bump their own repu­ta­tion, which seems to be nigh impos­si­ble. I can’t see any valid and usa­ble way of assu­ring iden­tity integrity:

Login for each user, can’t vote for self

Just create a fake login. The sys­tem could pro­bably be arran­ged with some fuzzy matching to kill the most com­mon exploiters:

• People up-voting only one person.
• People giving a sin­gle up-vote to a per­son and then cea­sing activity. Doing this with mul­ti­ple accounts leads to rep spam.

The pro­blem would be that there is no relia­ble way to ensure a bijec­tive (1:1) rela­ti­onship bet­ween accounts and real people, as they could just use regis­ter mul­ti­ple accounts with dif­fe­ring e-Mail addres­ses, from dif­fe­rent IPs, and so on.

Glo­bal identification

If you can’t allow local iden­ti­fi­ca­tion, you need some sort of uni­que glo­bal iden­ti­fi­ca­tion. Since using just some ran­dom inter­net site as an iden­ti­fier, or using dele­ga­ted aut­ho­rity, is not an option in most cases¹, you’d have to resort to a cen­tral which just hands out tokens for pro­ven iden­ti­ties — in other words, your local govern­ment. Since you seriously do not want to include any govern­ment in such an endea­vour, this is not an option either.

Thus I can’t fathom any ware to ensure uni­quen­ess, except by a peer to peer review sys­tem which allows peers to decide who’s a spam­mer. And in a repu­ta­tion sys­tem, that’s just a no-go, eit­her, since you don’t want people jud­ging you a spam­mer just because a signi­fi­cant group of them hates your guts.

But beside deli­be­rate exploit­ing for per­so­nal gain, you have to con­sider other cases of people that just work con­trary to the system:

Shot­gun accounts just ran­domly voting around.

A pro­bably deli­be­rate attack to under­mine the vali­dity of the sys­tem. Depen­ding on the sophisti­ca­tion of the shot­gun, it would be quite hard to detect by way of sim­ple fuzzy logic.

Exces­sive up-voters/down-voters

On every rating site, there’s always the haters and the lovers who rate mini­mal or maxi­mal score just for the heck of it. They vote one on every movie because they hate the whole genre, or they vote ten on every song by an artist because they’re infa­tua­ted up to their sternum.

People voting due to the votes of others

I men­tio­ned this posi­tive feed­back loop a bit fur­ther up, but this could become a real pro­blem in this cate­gory, too. Some people just don’t like other people thin­king differently.

Some of these pro­blems could be alle­via­ted by the advent of ubi­qui­tous com­pu­ting and using just the local machine address of anyone as a vote tar­get iden­ti­fier as well as a self-vote fil­ter. This would help with anything having to do with real-life — you’d have to ensure the device ID being visi­ble in online com­mu­ni­ca­tion, though, too — and that nobody has the chance of get­ting a second device, which in my opi­nion can only be achie­ved with total device surveillance.

There are still some minor aspects to be dis­cus­sed, like how to imple­ment iden­tity con­so­li­da­tion and so an, but these are mostly minu­tiae, and would break the scope of this text.

I’d be happy if some people would feel obli­ged to rant about my ideas in the com­ment fields below, offe­ring sug­ges­ti­ons, cri­ti­que and just some good old dose of plain flaming.

A few thoughts on implementing a reputation system.

[Update: edi­ted link to Aller font.]

So, there’s a new field I, being a rather techy nerd, am so far not very know­led­gable at all in: typo­gra­phy.

That being said, I recently tried to find some fonts to nicen up my blog a bit. After a bit of sear­ching, I hap­pened upon these two fonts:

Aller

Aller is a free font pre­sen­ted by the Dan­marks Medie– og Jour­na­lis­thØjs­ko­les. I have used it for my new theme at the blog.

Serif Beta

Serif Beta is a sort of work­print release of a font being deve­l­o­ped by Chris­tian Robert­son. I use it to ren­der the title of the blog.

Lacuna

This is a font desi­gned by Peter Hoff­man. It has no inte­gra­ted bold type­set, but the regu­lar font has a nice quirk to it.

Of course, every font needs sample pic­tures, so peruse these, if you will — but don’t be sca­red because Word­Press does some fugly scaling:

So, there's a new field I, being a rather techy nerd, am so far not very knowledgable at all in: typography. That being said, I recently tried to find some fonts to nicen up my blog a bit. After a bit of searching, I happened upon these two fonts: Aller ...

Are you a new user of Nokia’s N810 and have you ever won­de­red why after a bit of use, your inter­nal memory card seems to behave a bit oddly, like not allo­wing some things, e.g.:

mimir:/media/mmc2$ ls
ls: Cannot stat 'My downloads': Input/output error

If you have, you should check the disk par­ti­tio­ning on your device:

mimir:/media/mmc2$ sudo sfdisk -l
Disk /dev/mmcblk0: 61440 cylinders, 4 heads, 16 sectors/track
Units = cylinders of 32768 bytes, blocks of 1024 bytes, counting from 9

Device           Boot   Start    End     #cyls      #blocks      Id     System
/dev/mmcblk0p1          0+       62719   62720-     200732       b      W95 FAT32
[...]

As you (might) see: the par­ti­tion is actually lar­ger than the drive pro­per. So, to fix this:

1. Back up your data. Just mount the device and copy ever­y­thing off it. Some files might give pro­blems because they’re alre­ady in the wrong part of the drive. Tough luck.
2. Assu­ming you haven’t alre­ady con­nec­ted in via USB to do the backup, con­nect it.
3. Throw a par­ti­tio­ning tool of your choice at the USB Mass Sto­rage device that rep­res­ents your N810’s memory card.
4. Delete the old par­ti­tion, and create a new one in the free space.
5. If your par­ti­tio­ner barks around say­ing some­thing about the bad par­ti­tion, go ahead and zero the first 512 of the device:
   sudo dd if=/dev/zero of=/dev/sdX bs=512 count=1
   (X being the appro­priate cha­rac­ter for your drive — check dmesg if unsure)
6. Create a new file sys­tem on the par­ti­tion:
   mkfs -f vfat /dev/sdX1
   (Take not of the “1” (num­ber one) after sdX — you need to spe­cify it.)
7. Copy back your backup.
8. Power cycle the N810.

Should help.

Kudos to KotCzarny of #maemo fame.

The Nokia N810 has a nasty bug with the disk partitioning that might start annoying you after using it for a while. Here's how to fix it.

Recently, I stum­bled upon a site cal­led “soup”. Which, in essence, is some­thing like a collec­tive dump for things people find on the Intertu­bes. You can post texts, quo­tes, images, music and videos, with a handy book­marklet that redu­ces the time bet­ween fin­ding things on the Intar­web and them showing up on your soup page to a couple of seconds. And the intra-soup per­for­mance is also remar­ka­bly: every user can repost ano­ther user’s con­tent with the sim­ple click of a but­ton. Cou­pled with a sim­ple subscription/“friends” sys­tem which allows you to view a uni­fied stream of your friends’/friends of a friend’s con­tent, you can lite­r­ally see con­tent explode over soup in wave­forms (tracking of which is aided by soup regis­te­ring who repos­ted from whom and who repos­ted an item you put into the stream).

Of course there’s a few chinks here and there, but all in all, it works remar­ka­bly well. There’s fea­tures like end­less scrol­ling on the fri­ends pages, and even some sta­tistics for you ana­lysts out there. On a side note, I’m wait­ing for con­tent pro­pa­ga­tion stu­dies con­cerning this site, it’s bound to be only a mat­ter of time.

I star­ted won­de­ring what you could call the con­cept, this “soup prin­ciple”. And in a fit of minor mad­ness yes­ter­day, reve­la­tion struck me: soup is viral blog­ging. And “blog” refer­ring in the direc­tion of what ear­lier web­logs were about — a sort of drop box for con­tent you found on the Inter­net and wan­ted to share (which was rather import­ant when you didn’t just google ever­y­thing), not the heaps of self-centered con­tent crea­tion these days, bar­ring exceptions.

Blogs usually come in two major forms, when regar­ding the con­tent. There’s the topic-centered ones (like, for example, the Ger­man Netz­po­li­tik (“net poli­tics”) — I’m not really into the whole blog thin­gie cul­ture that deve­l­o­ped yon­der the pond, so just think of your own exam­ples), which occupy them­sel­ves with mainly a sin­gle topic, which can be broad. Jour­na­listic styles are often used, esta­blis­hing reports of infor­ma­tion scra­pable from the Inter­net, occa­sio­nally inclu­ding genuine (and poten­ti­ally off­line) “ori­gi­nal” infor­ma­tion. The other kind of blog would be the person-specific ones, with topics ran­ging from per­so­nal expe­ri­en­ces in life, like com­plai­ning about the crafts­men who just fucked up their kit­chen or what size of load they put in the crap­per that day, to dis­co­ve­ries they made on the Inter­net. But, mostly, they con­cern them­sel­ves with crea­tion of con­tent, not repetition.

Soup picks up some­where there, but in con­trast it focus­ses mainly on repe­ti­tion; you put things in the soup, and others stir it. You can add ori­gi­nal con­tent, which gives the soup a bet­ter (or, well, dif­fe­rent) fla­vour, but it’s mostly about see­ing what others pos­ted and repos­ting it. And in that sense, it’s viral: you inject some­thing into the loop, and it just gets pro­pa­ga­ted from per­son to per­son, sit­ting in their soups.

The effect is noti­ce­able in nor­mal blogs, too, but the ori­gi­na­lity fac­tor people try to intro­duce mudd­les the effect — blogs are a highly sub­jec­tive mat­ter, as oppo­sed to news sites and simi­lar, and usually don’t try to fuzz about it. But some­thing like soup, which just by its for­mat (you can add files and a descrip­tion — and actual text is a dif­fe­rent item from e.g. images) sug­gests you not to blow things out of pro­por­ti­ons, and just be the one who noti­ces and shares.

This can be seen as good, and also bad, but it leads to new ways of what you might define as sub­jec­tive: in being choosy about what you repost. Since you’re limited to small mor­sels of data, except the heaps of noise con­cea­ling data, you have to express your­self in a mosaic way of things — if you want to express your­self at all. But, nevert­he­l­ess, it allows you to put your own stamp on things in a decep­tively easy way, and thus, can be con­side­red blog­ging.

It’s get­ting exciting.

An explanation on the soup principle.

It was a quickly coo­ling night after an unex­pec­ted sunny day at the end of Sep­tem­bre when I was rea­ding my e-mail inbox for my CCCC address. Rea­ding the last mail, I was con­fron­ted with a mail from category@paypal.com refe­ren­cing the sub­ject of a recently sent mail of mine. This made me won­der — scam­mers try­ing to mask their phis­hing attempts or UBE as mes­sa­ges see­ming to ori­gi­nate from Pay­Pal is old news to someone who bothe­red che­cking his inbox or spam fil­ters the last decade or so, but what rai­sed my atten­tion me was that I the sub­ject was from a mail I sent to a mai­ling list. This did not seem all too unli­kely, see­ing how I regu­larly get spam­med on all user IDs of my GPG public key­ring, but it was (and still is, actually) rather odd. So I che­cked the mail.

From category@paypal.com Sun Sep 23 01:17:52 2007
Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Delivery-date: Sun, 23 Sep 2007 01:17:52 +0200
Recei­ved: from mx1.phx.paypal.com ([66.211.168.231]
helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
4.50) id 1IZEES-00010K-K9 for towo@koeln.ccc.de; Sun, 23 Sep 2007 01:17:52
+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Thread-Topic:Content-Class:Received:Message-ID:
X-MimeOLE:Date:From:To:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:X-Mailer:
Return-Path:X-OriginalArrivalTime;
b=Zid/bPlpxsC2tL+3bTApCi+VUjUI6UMQK+BMSEhAqE9x/CUu2r3fY
sDpPMVCTs5WnFhPmlg0gEqN46IJOMI6Yq9MFnzWqaXYX9dPAE9Z4g
VGwq2wtmHUCfZ3P0JR2uuzWvEbfY7e7P30nT3TZyYEo9TjT2zJpu/ +GU52FkQTxC0=;
Thread-Topic: War­nung vor cacert.org (KMM3385442I96L0KM) :ppk1
Content-Class: urn:content-classes:message
Recei­ved: from oma-kaaas-005 ([10.248.144.75]) by
usa-entot-002.corp.ebay.com with Micro­soft SMTPSVC(5.0.2195.6713); Sat, 22
Sep 2007 18:20:47 –0500
Message-ID: <30057323.1190503245854.JavaMail.kanauser@oma-kaaas-005>
X-MimeOLE: Pro­du­ced By Micro­soft MimeOLE V6.00.2800.1896
Date: Sat, 22 Sep 2007 18:20:46 –0500 (CDT)
From: <category@paypal.com>
To: “Tobias Wol­ter” <towo@koeln.ccc.de>
Sub­ject: Re: War­nung vor cacert.org (KMM3385442I96L0KM) :ppk1
MIME-Version: 1.0
Content-Type: text/plain; charset=“iso-8859–1″
X-Mailer: KANA Response 9.5.0.31
X-OriginalArrivalTime: 22 Sep 2007 23:20:47.0312 (UTC)
FILETIME=[34D80D00:01C7FD6F]
X-SA-Do-Not-Run: Yes
X-Verified-Sender: Yes
X-SA-Exim-Connect-IP: 66.211.168.231
X-SA-Exim-Mail-From: category@paypal.com
X-SA-Exim-Scanned: No (on eternity.koeln.ccc.de); SAExim­Run­Cond expan­ded to
false
X-Evolution-Source: imap://towo@eternity.koeln.ccc.de/
Content-Transfer-Encoding: 8bit

Dear Tobias Wolter,

Thank you for con­ta­c­ting PayPal.

Unfor­t­u­na­tely, we are unable to deter­mine the nature of your inquiry. In
order to bet­ter assist you, we need you to pro­vide us with the buyer
/seller’s email address, along with a case num­ber or other per­ti­nent
infor­ma­tion per­tai­ning to this case. We do apo­lo­gize for any
inconvenience.

Thank you for your coope­ra­tion and we look for­ward to your reply.

If you have any fur­ther ques­ti­ons, please feel free to con­tact us again.

Sin­ce­rely,
Cyn­thia
Pay­Pal Reso­lu­tion Ser­vices
Pay­Pal, an eBay Company

Ori­gi­nal Mes­sage Fol­lows:
————————
Am Sonn­tag, den ##.##.####, ##:## +#### schrieb Stef­fen Dett­mer:
> Nun will man anschei­nend im nachtrC$glich (!) Sicher­heits­richt­li­nien
> fest­le­gen, um in Fire­fox zu kom­men. Wie bitte soll das im NACH­HIN­EIN
> gehen — oder gibt es ein neues root-Zertifikat?
>
> Wei­ter­hin gibt es Zer­ti­fi­kate, die in den Subject-Informationen
> ledig­lich einen Host­na­men beinhal­ten, aber kei­nen Ver­weis auf eine
> jurs­tisch fass­bare Ein­rich­tung.
>
> Das alles ist for­mal und sicher­heits­tech­nisch untrag­bar.
Das kom­plette Kon­zept von X.###-Zertifikaten ist aber von die­sem gro­ben
Ent­wick­lungs­pro­blem betrof­fen. Der Unter­schied zwi­schen CAcert und jeder
ande­ren belie­bi­gen CA ist nur, daC? CAcert nichts kos­tet. Man C<bergibt
in
jedem Falle das Ver­trauen an einen ande­ren, und ab da beginnt der Punkt,
wo Sicher­heit per Defi­ni­ton nur noch bedingt her­stell­bar ist.
–towo
[ Attach­ment # Type: application/pgp-signature Name: signature.asc]
[ Attach­ment #.# Type: application/pgp-signature]

[ Attach­ment # Type: application/pgp-signature Name: signature.asc]

And what do you know… It seems to be rather authen­tic. The Recei­ved: lines check out — or are well-faked — and even the num­be­ring scheme seems to stem from PayPal’s request tra­cker. Also note that there are no spel­ling mis­ta­kes in the boi­ler­plate text, and a script that seems to thought­fully replace poten­ti­ally incri­mi­na­ting digits (those little bas­tards, always snea­king into mails!) with aes­the­ti­cally plea­sing hash marks.

Strange shit. I replied; let’s see what happens.

Sep­tem­ber 23^rd: Lo and behold, there was a reply:

Return-path: <category@paypal.com>
Envelope-to: towo@koeln.ccc.de
Delivery-date: Sun, 23 Sep 2007 16:56:54 +0200
Recei­ved: from mx1.phx.paypal.com ([66.211.168.231]
helo=phx01imail03.phx.paypal.com) by eternity.koeln.ccc.de with esmtp (Exim
4.50) id 1IZStC-00074y-1H for towo@koeln.ccc.de; Sun, 23 Sep 2007 16:56:54
+0200
DomainKey-Signature: s=dkim; d=paypal.com; c=nofws; q=dns;
h=Thread-Topic:Content-Class:Received:Message-ID:
X-MimeOLE:Date:From:To:Subject:MIME-Version:
Content-Type:Content-Transfer-Encoding:X-Mailer:
Return-Path:X-OriginalArrivalTime;
b=oHyWWASLC9BdnFKCIoYuhdAvrIzwNLwSqeLKlmdtsblKs/7q44RTj
4U6syRHlPPe3hNgXEUlhmp2ZCJM4+oh7UTr4M3/H0+CEEnm47d4K2
PKXOl4ZnKHFGEZx0oHFlibru3zNGlADolPbHwH0hxTcp0ffcCw7MN Sk/CbeOFmkME=;
Thread-Topic: War­nung vor cacert.org (KMM3505931I96L0KM) :ppk1
Content-Class: urn:content-classes:message
Recei­ved: from oma-kaaas-005 ([10.248.144.75]) by
usa-entot-002.corp.ebay.com with Micro­soft SMTPSVC(5.0.2195.6713); Sun, 23
Sep 2007 09:59:42 –0500
Message-ID: <996629.1190559582213.JavaMail.kanauser@oma-kaaas-005>
X-MimeOLE: Pro­du­ced By Micro­soft MimeOLE V6.00.2800.1896
Date: Sun, 23 Sep 2007 09:59:42 –0500 (CDT)
From: <category@paypal.com>
To: “Tobias Wol­ter” <towo@koeln.ccc.de>
Sub­ject: Re: War­nung vor cacert.org (KMM3505931I96L0KM) :ppk1
MIME-Version: 1.0
Content-Type: text/plain; charset=“iso-8859–1″
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 9.5.0.31
X-OriginalArrivalTime: 23 Sep 2007 14:59:42.0319 (UTC)
FILETIME=[5F1FEFF0:01C7FDF2]
X-SA-Do-Not-Run: Yes
X-Verified-Sender: Yes
X-SA-Exim-Connect-IP: 66.211.168.231
X-SA-Exim-Mail-From: category@paypal.com
X-SA-Exim-Scanned: No (on eternity.koeln.ccc.de); SAExim­Run­Cond expan­ded to
false
X-Evolution-Source: imap://towo@eternity.koeln.ccc.de/

Dear Tobias Wolter,

Thanks for wri­t­ing to us. I app­re­ciate the oppor­tu­nity to assist you=20
with your questions.

Busi­ness and Pre­mier account hol­ders receive Pre­mium Cust­o­mer Service,=20
seven days a week from our Busi­ness and Pre­mier account spe­cia­lists. Our
team is spe­ci­fi­cally trai­ned to accom­mo­date the needs of pre­mium account
mem­bers. There are a num­ber of ways to con­tact specialists:=20

=B7 By phone: 08707 307 191=20

=B7 By Email:=20

1. Log in to your account at https://www.paypal.co.uk/

2. Click the ‘Help’ link in the upper right-hand cor­ner of any=20
Pay­Pal page=20

3. Click the ‘Con­tact Us’ link=20

4. Select ‘Con­tact Cust­o­mer Ser­vice’ for help by email or=20
’Ser­vice Centre’ for help by phone=20

=B7 By post:=20
Pay­Pal Europe
P.O. Box 9473
Dub­lin 15
Ireland=20
For future refe­rence, this infor­ma­tion is also loca­ted in the Help=20
Centre. To locate the Pay­Pal Help Centre please fol­low these=20
instructions:

1. Click https://www.paypal.co.uk/help

2. Go to ‘Con­tact Us’ under Cate­go­ries on the Help Centre page=20

Thank you for using Pay­Pal for your online pay­ment needs.

Sin­ce­rely,
Scott
Pay­Pal, an eBay Company

Copy­right =A9 1999–2007 Pay­Pal. All rights reserved.=20
Pay­Pal (Europe) S.=E0 r.l. & Cie, S.C.A.
Soci=E9t=E9 en Com­man­dite par Actions
Regis­te­red Office: 5^th Floor 22–24 Bou­le­vard Royal L-2449, Luxem­bourg
RCS Luxem­bourg B 118 349

Ori­gi­nal Mes­sage Fol­lows:
————————
Am Sams­tag, den ##.##.####, ##:## -#### schrieb category@paypal.com:
> Unfor­t­u­na­tely, we are unable to deter­mine the nature of your inquiry.=20
In
> order to bet­ter assist you, we need you to pro­vide us with the buyer=20
> /seller’s email address, along with a case num­ber or other pertinent=20
> infor­ma­tion per­tai­ning to this case. We do apo­lo­gize for any=20
> inconvenience.=20
>=20
> Thank you for your coope­ra­tion and we look for­ward to your reply.=20
>=20
> If you have any fur­ther ques­ti­ons, please feel free to con­tact us=20
again.

Yeah, I’m really inte­res­ted to know why you boi­ler­plate (since my Ger­man
obviously didn’t faze you in any regard) me with a mai­ling list pos­ting
that seems to have somehow found a way into your request tracker.

Care to explain?

For com­ple­ten­ess, my sup­po­sed ori­gi­nal mes­sage fol­lows…
> Ori­gi­nal Mes­sage Fol­lows:
> ————————
> Am Sonn­tag, den ##.##.####, ##:## +#### schrieb Stef­fen Dett­mer:
> > Nun will man anschei­nend im nachtrC$glich (!) Sicher­heits­richt­li­nien
> > fest­le­gen, um in Fire­fox zu kom­men. Wie bitte soll das im NACH­HIN­EIN
> > gehen — oder gibt es ein neues root-Zertifikat?
> >=20
> > Wei­ter­hin gibt es Zer­ti­fi­kate, die in den Subject-Informationen
> > ledig­lich einen Host­na­men beinhal­ten, aber kei­nen Ver­weis auf eine
> > jurs­tisch fass­bare Ein­rich­tung.
> >=20
> > Das alles ist for­mal und sicher­heits­tech­nisch untrag­bar.
> Das kom­plette Kon­zept von X.###-Zertifikaten ist aber von diesem=20
gro­ben
> Ent­wick­lungs­pro­blem betrof­fen. Der Unter­schied zwi­schen CAcert und=20
jeder
> ande­ren belie­bi­gen CA ist nur, daC? CAcert nichts kos­tet. Man=20
C<bergibt=20
> in
> jedem Falle das Ver­trauen an einen ande­ren, und ab da beginnt der=20
Punkt,
> wo Sicher­heit per Defi­ni­ton nur noch bedingt her­stell­bar ist.
> –towo
> [ Attach­ment # Type: application/pgp-signature Name: signature.asc]
> [ Attach­ment #.# Type: application/pgp-signature]
>=20
> [ Attach­ment # Type: application/pgp-signature Name: signature.asc]

–towo

P.S.: category@paypal.com sounds like a serious mail sys­tem char­lie
fox­trot for a sup­port address.

[ Attach­ment # Type: application/pgp-signature Name: signature.asc]

Seems like no-one there is keen on being sup­por­tive in the least.

PayPal sends me strange email, and I am confused.