2016-04-19 00:48 fengling has joined #qi-hardware 2016-04-19 01:01 MistahDarcy has joined #qi-hardware 2016-04-19 01:15 azkay has joined #qi-hardware 2016-04-19 02:05 apropos server... how's your new one? living up to expectations? 2016-04-19 02:06 * DocScrutinizer05 also idly wonders why his own server stopped sending logwatch mails 2016-04-19 02:06 archang has joined #qi-hardware 2016-04-19 02:14 hmmm 181-171-244-190.fibertel.com.ar is bruteforcing my server 2016-04-19 02:35 sandeepkr has joined #qi-hardware 2016-04-19 02:37 DocScrutinizer51 has quit [Quit: ZNC - http://znc.sourceforge.net] 2016-04-19 02:47 mth has quit [Ping timeout: 276 seconds] 2016-04-19 02:51 kyak: huh, I was really wrong, it seems https://crypto.stackexchange.com/questions/3952/is-it-possible-to-obtain-aes-128-key-from-a-known-ciphertext-plaintext-pair 2016-04-19 02:54 DocScrutinizer51 has joined #qi-hardware 2016-04-19 03:14 DocScrutinizer05 has quit [Disconnected by services] 2016-04-19 03:14 DocScrutinizer05 has joined #qi-hardware 2016-04-19 03:22 Ended up getting a (blurry) trinket anyway; i.imgur.com/Cms2udy.jpg 2016-04-19 03:34 qi-bot has quit [Ping timeout: 260 seconds] 2016-04-19 03:35 qi-bot has joined #qi-hardware 2016-04-19 03:59 xiangfu has joined #qi-hardware 2016-04-19 03:59 DocScrutinizer05: server is working fine so far. i'm just missing some bits of config info from the old one before i can properly set it up. seems they forgot to complete the setup :( 2016-04-19 04:00 who forgot to setup? hetzner? 2016-04-19 04:00 DocScrutinizer05: (181-171-244-190.fibertel.com.ar) that doens't look like me :) 2016-04-19 04:00 no, amhosting 2016-04-19 04:00 no, that's not you 2016-04-19 04:00 :-) 2016-04-19 04:01 Hetzner vServers have the advantage that moving the VM to another working iron should be a matter of less than 5 seconds 2016-04-19 04:01 whitequark: that sounds a lot more in line with what i expected :) 2016-04-19 04:02 yeah, I'm not sure where I got that 2016-04-19 04:03 DocScrutinizer05: yup, the big feature of VMs :) 2016-04-19 04:04 xiangfu has quit [Ping timeout: 260 seconds] 2016-04-19 04:05 xiangfu has joined #qi-hardware 2016-04-19 04:05 well, the VMs which can do online migration, which is not all of them 2016-04-19 04:06 but yeah. online migration is very neat. 2016-04-19 04:08 I bet Hetzner using something commercial grade decent for their company virtualization solution 2016-04-19 04:09 and for sure you/they can start those snapshots you can do now, on any other iron 2016-04-19 04:09 also only takes a minute 2016-04-19 04:10 heck, it took less than 10 minutes (prolly even <5) from *ordering* that server to ready-for-login 2016-04-19 04:11 another 2 minutes for restore of a on-site "tape" backup 2016-04-19 04:11 done 2016-04-19 04:12 (if only there was a decent generic server migration restore script) 2016-04-19 04:13 all those nasty little files in /etc that are actaully iron-specific 2016-04-19 04:14 "iron", like IP addr etc pp 2016-04-19 04:15 I wish somebody had written a script to exclude them from getting overwritten during restore 2016-04-19 04:19 sandeepkr has quit [Ping timeout: 268 seconds] 2016-04-19 04:21 DocScrutinizer05: commercial grade? 2016-04-19 04:21 hah 2016-04-19 04:21 can you do `dmesg | grep -i xen` ? 2016-04-19 04:22 in a VM? 2016-04-19 04:22 yes 2016-04-19 04:23 would be surprised to find anything like that 2016-04-19 04:23 try it 2016-04-19 04:23 you may be surprised 2016-04-19 04:23 no, I'm not. Zilch 2016-04-19 04:24 ah 2016-04-19 04:24 it's KVM 2016-04-19 04:24 not Xen 2016-04-19 04:24 afaik Hetzner using vmware 2016-04-19 04:24 the enterbrise solution 2016-04-19 04:25 does kvm also not grep in dmesg? 2016-04-19 04:25 hmm, might be vmware, yeah. been a while since i cared about that host 2016-04-19 04:28 vsphere or similar stuff prolly 2016-04-19 04:33 xiangfu has quit [Ping timeout: 276 seconds] 2016-04-19 04:39 whitequark: yep, i've already read it yesterday.. There is one interesting thing though. It turns out that when knowing plaintext and being able to modify ciphertext, it is possible to inject arbitrary data into every second block of ciphertext 2016-04-19 04:40 this has nothing to do with what i originally asked, but just an interesting fact that i came across while reading 2016-04-19 04:40 i'm talking about AES-CBC 2016-04-19 04:40 and i also understand larsc's comment regarding pinguin :) 2016-04-19 04:41 it also turns out that IV doesn't really matter 2016-04-19 04:41 if you don't know IV, but know the key, you will loose just the first block 2016-04-19 04:42 and this first block is sometimes filled with random data, so that the IV doesn't matter anyway 2016-04-19 04:42 the main purpose of IV is to make the same plaintext look different every time you encrypt it (wasn't obvious for me) 2016-04-19 04:43 sb0 has joined #qi-hardware 2016-04-19 04:43 so "salt it!" doesn't help with encryption by itself 2016-04-19 04:43 it just makes pinguins go away :) 2016-04-19 04:46 * DocScrutinizer05 wants to see the pinguin too 2016-04-19 04:50 kyak: hmm, i wonder how these modes you're talking about work, if they really have the properties you describe 2016-04-19 04:52 one common pattern works as follows: you use the crypto algo to produce a "one-time pad", a unique bitstring. then you xor the plaintext with the OPT. that is you cyphertext. 2016-04-19 04:52 to reverse, you generate the same OPT, and XOR again. 2016-04-19 04:53 even if your algorithm works completely differently, you can always express it in such a way 2016-04-19 04:56 now, the interesting bit is thus how you generate that OTP. a common design pattern there would be a function that does some variation of hash(key, "salt", position) or hash(key, "salt", last_state) 2016-04-19 04:58 wpwrak: is your mail working again? 2016-04-19 04:58 only gmail 2016-04-19 04:58 kyak: yes, malleability 2016-04-19 04:59 that's why you need authenticated encryption 2016-04-19 04:59 and why you need to authenticate *after* encrypting 2016-04-19 05:04 ideally, you'd ensure key integrity right at the start, e.g., by including an (unencrypted) good hash (CRC or such, something efficient) of the key :) 2016-04-19 05:05 works best of keys come from a relatively small vocabulary, e.g., human-readable words, not random bits or hashed passphrases :) 2016-04-19 05:06 (this sort of things has actually been done ;-) 2016-04-19 05:15 wpwrak: yes, the key word is malleability as whitequark pointed out.. http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ 2016-04-19 05:16 there is a picture in the article in the wiki as well that explains how AES-CBC decryptions works and how this attack becomes possible 2016-04-19 05:20 DocScrutinizer05: the pinguin: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29 2016-04-19 05:23 hmm, i was hoping for whitequark to jump up and shout. but maybe he got a stroke instead :) just to be clear: the CRC stuff i described above would be rather horrible, for it would allow you to brute-force the password much more efficiently than by trying to decrypt the data and checking the integrity of the decrypted message 2016-04-19 05:24 likewise, it's a bad idea to have an unencrypted checksum of the plaintext 2016-04-19 05:43 wej has quit [Ping timeout: 268 seconds] 2016-04-19 05:43 mth has joined #qi-hardware 2016-04-19 06:05 wej has joined #qi-hardware 2016-04-19 06:41 xiangfu has joined #qi-hardware 2016-04-19 07:12 xiangfu_ has joined #qi-hardware 2016-04-19 07:17 xiangfu_ has quit [Ping timeout: 260 seconds] 2016-04-19 07:34 DocScrutinizer05: evil sysadmin idea of the day: for /etc file, create some FUSE config file processor that you mount on /etc very early during boot. then let that one make substitutions. e.g., /etc/hostname -> <$HOST$> /etc/hosts 127.0.0.1 <$HOST$>.<$DOMAIN$> localhost etc. 2016-04-19 07:34 then all you need is /evil-sysadmin.conf 2016-04-19 07:54 hmm, debugging TLS in postfix sucks. it has a nice logging option .. that seems to be far too familiar with the works of schroedinger 2016-04-19 08:02 wpwrak: I was afk 2016-04-19 08:38 archang has quit [Ping timeout: 260 seconds] 2016-04-19 08:48 pcercuei has joined #qi-hardware 2016-04-19 08:53 xiangfu_ has joined #qi-hardware 2016-04-19 08:55 jwhitmore has joined #qi-hardware 2016-04-19 09:04 jwhitmore has quit [Ping timeout: 268 seconds] 2016-04-19 09:19 DocScrutinizer05: bonus idea, for the evil sysadmin: make file names that expand as well. e.g., /etc/foo/<$HOST$>.conf 2016-04-19 09:21 access to /etc/foo/bar.conf would first try /etc/foo/bar.conf, then scan /etc/foo/ for expandable names and look for a match, then try /etc, etc. if it expands a dirname, add the remaining path and try again 2016-04-19 09:22 probably should allow climbing above the first expansion, though that may mess a bit with the user's head :) 2016-04-19 10:27 fengling has quit [Quit: WeeChat 1.4] 2016-04-19 10:55 xiangfu_ has quit [Ping timeout: 244 seconds] 2016-04-19 11:18 sb0 has quit [Quit: Leaving] 2016-04-19 11:49 azkay_ has joined #qi-hardware 2016-04-19 11:52 azkay has quit [Ping timeout: 246 seconds] 2016-04-19 11:54 xiangfu has quit [Remote host closed the connection] 2016-04-19 12:35 azkay__ has joined #qi-hardware 2016-04-19 12:38 azkay_ has quit [Ping timeout: 250 seconds] 2016-04-19 14:04 Nik05 has quit [Remote host closed the connection] 2016-04-19 14:07 Nik05 has joined #qi-hardware 2016-04-19 14:08 sb0 has joined #qi-hardware 2016-04-19 14:29 grrr. ssmtp proudly supports "AuthMethod" to set the SMTP authentication method. the server offers PLAIN and LOGIN. ssmtp always chooses LOGIN, no matter what i try. 2016-04-19 14:30 turns out it doesn't support PLAIN at all. plus, it doesn't check that AuthMethod has any value it actually supports. very funny :( 2016-04-19 15:41 azkay_ has joined #qi-hardware 2016-04-19 15:45 azkay__ has quit [Ping timeout: 246 seconds] 2016-04-19 15:49 rjeffries has quit [Ping timeout: 268 seconds] 2016-04-19 16:09 MistahDarcy has quit [Ping timeout: 244 seconds] 2016-04-19 16:44 azkay__ has joined #qi-hardware 2016-04-19 16:47 azkay_ has quit [Ping timeout: 250 seconds] 2016-04-19 16:59 sb0 has quit [Quit: Leaving] 2016-04-19 17:00 rjeffries has joined #qi-hardware 2016-04-19 17:02 pcercuei has quit [Quit: leaving] 2016-04-19 17:18 dandon has quit [Ping timeout: 244 seconds] 2016-04-19 17:42 jwhitmore has joined #qi-hardware 2016-04-19 17:47 rjeffries has quit [Ping timeout: 250 seconds] 2016-04-19 17:50 sandeepkr has joined #qi-hardware 2016-04-19 17:52 sandeepkr has quit [Max SendQ exceeded] 2016-04-19 17:52 sandeepkr has joined #qi-hardware 2016-04-19 18:03 rjeffries has joined #qi-hardware 2016-04-19 18:50 sandeepkr_ has joined #qi-hardware 2016-04-19 18:51 sandeepkr has quit [Ping timeout: 252 seconds] 2016-04-19 18:51 rjeffries has quit [Ping timeout: 276 seconds] 2016-04-19 19:31 jwhitmore has quit [Ping timeout: 250 seconds] 2016-04-19 19:43 jwhitmore has joined #qi-hardware 2016-04-19 19:54 jwhitmore has quit [Ping timeout: 276 seconds] 2016-04-19 22:42 MistahDarcy has joined #qi-hardware 2016-04-19 22:44 new server is processing mail :) so far, everything looks healthy 2016-04-19 22:58 azkay__ has quit [Ping timeout: 250 seconds] 2016-04-19 23:30 NanoNote 2, where are you?