kyak changed the topic of #qi-hardware to: Copyleft hardware - http://qi-hardware.com | hardware hackers join here to discuss Ben NanoNote, atben/atusb 802.15.4 wireless, anelok and other community driven hw projects | public logging at http://en.qi-hardware.com/irclogs and http://irclog.whitequark.org/qi-hardware
fengling has joined #qi-hardware
MistahDarcy has joined #qi-hardware
azkay has joined #qi-hardware
<DocScrutinizer05> apropos server... how's your new one? living up to expectations?
* DocScrutinizer05 also idly wonders why his own server stopped sending logwatch mails
archang has joined #qi-hardware
<DocScrutinizer05> hmmm 181-171-244-190.fibertel.com.ar is bruteforcing my server
sandeepkr has joined #qi-hardware
DocScrutinizer51 has quit [Quit: ZNC - http://znc.sourceforge.net]
mth has quit [Ping timeout: 276 seconds]
DocScrutinizer51 has joined #qi-hardware
DocScrutinizer05 has quit [Disconnected by services]
DocScrutinizer05 has joined #qi-hardware
<azkay> Ended up getting a (blurry) trinket anyway; i.imgur.com/Cms2udy.jpg
qi-bot has quit [Ping timeout: 260 seconds]
qi-bot has joined #qi-hardware
xiangfu has joined #qi-hardware
<wpwrak> DocScrutinizer05: server is working fine so far. i'm just missing some bits of config info from the old one before i can properly set it up. seems they forgot to complete the setup :(
<DocScrutinizer05> who forgot to setup? hetzner?
<wpwrak> DocScrutinizer05: (181-171-244-190.fibertel.com.ar) that doesn't look like me :)
<wpwrak> no, amhosting
<DocScrutinizer05> no, that's not you
<DocScrutinizer05> :-)
<DocScrutinizer05> Hetzner vServers have the advantage that moving the VM to another working iron should be a matter of less than 5 seconds
<wpwrak> whitequark: that sounds a lot more in line with what i expected :)
<whitequark> yeah, I'm not sure where I got that
<wpwrak> DocScrutinizer05: yup, the big feature of VMs :)
xiangfu has quit [Ping timeout: 260 seconds]
xiangfu has joined #qi-hardware
<whitequark> well, the VMs which can do online migration, which is not all of them
<whitequark> but yeah. online migration is very neat.
<DocScrutinizer05> I bet Hetzner using something commercial grade decent for their company virtualization solution
<DocScrutinizer05> and for sure you/they can start those snapshots you can do now, on any other iron
<DocScrutinizer05> also only takes a minute
<DocScrutinizer05> heck, it took less than 10 minutes (prolly even <5) from *ordering* that server to ready-for-login
<DocScrutinizer05> another 2 minutes for restore of an on-site "tape" backup
<DocScrutinizer05> done
<DocScrutinizer05> (if only there was a decent generic server migration restore script)
<DocScrutinizer05> all those nasty little files in /etc that are actually iron-specific
<DocScrutinizer05> "iron", like IP addr etc pp
<DocScrutinizer05> I wish somebody had written a script to exclude them from getting overwritten during restore
sandeepkr has quit [Ping timeout: 268 seconds]
<whitequark> DocScrutinizer05: commercial grade?
<whitequark> hah
<whitequark> can you do `dmesg | grep -i xen` ?
<DocScrutinizer05> in a VM?
<whitequark> yes
<DocScrutinizer05> would be surprised to find anything like that
<whitequark> try it
<whitequark> you may be surprised
<DocScrutinizer05> no, I'm not. Zilch
<whitequark> ah
<whitequark> it's KVM
<whitequark> not Xen
<DocScrutinizer05> afaik Hetzner using vmware
<DocScrutinizer05> the enterprise solution
<whitequark> does kvm also not grep in dmesg?
<whitequark> hmm, might be vmware, yeah. been a while since i cared about that host
<DocScrutinizer05> vsphere or similar stuff prolly
xiangfu has quit [Ping timeout: 276 seconds]
<kyak> whitequark: yep, i've already read it yesterday.. There is one interesting thing though. It turns out that when knowing plaintext and being able to modify ciphertext, it is possible to inject arbitrary data into every second block of ciphertext
<kyak> this has nothing to do with what i originally asked, but just an interesting fact that i came across while reading
<kyak> i'm talking about AES-CBC
<kyak> and i also understand larsc's comment regarding penguin :)
<kyak> it also turns out that IV doesn't really matter
<kyak> if you don't know IV, but know the key, you will lose just the first block
<kyak> and this first block is sometimes filled with random data, so that the IV doesn't matter anyway
<kyak> the main purpose of IV is to make the same plaintext look different every time you encrypt it (wasn't obvious for me)
sb0 has joined #qi-hardware
<kyak> so "salt it!" doesn't help with encryption by itself
<kyak> it just makes penguins go away :)
* DocScrutinizer05 wants to see the penguin too
<wpwrak> kyak: hmm, i wonder how these modes you're talking about work, if they really have the properties you describe
<wpwrak> one common pattern works as follows: you use the crypto algo to produce a "one-time pad", a unique bitstring. then you xor the plaintext with the OTP. that is your cyphertext.
<wpwrak> to reverse, you generate the same OTP, and XOR again.
<wpwrak> even if your algorithm works completely differently, you can always express it in such a way
<wpwrak> now, the interesting bit is thus how you generate that OTP. a common design pattern there would be a function that does some variation of hash(key, "salt", position) or hash(key, "salt", last_state)
<DocScrutinizer05> wpwrak: is your mail working again?
<wpwrak> only gmail
<whitequark> kyak: yes, malleability
<whitequark> that's why you need authenticated encryption
<whitequark> and why you need to authenticate *after* encrypting
<wpwrak> ideally, you'd ensure key integrity right at the start, e.g., by including an (unencrypted) good hash (CRC or such, something efficient) of the key :)
<wpwrak> works best if keys come from a relatively small vocabulary, e.g., human-readable words, not random bits or hashed passphrases :)
<wpwrak> (this sort of thing has actually been done ;-)
<kyak> wpwrak: yes, the key word is malleability as whitequark pointed out.. http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
<kyak> there is a picture in the article in the wiki as well that explains how AES-CBC decryption works and how this attack becomes possible
<wpwrak> hmm, i was hoping for whitequark to jump up and shout. but maybe he got a stroke instead :) just to be clear: the CRC stuff i described above would be rather horrible, for it would allow you to brute-force the password much more efficiently than by trying to decrypt the data and checking the integrity of the decrypted message
<wpwrak> likewise, it's a bad idea to have an unencrypted checksum of the plaintext
wej has quit [Ping timeout: 268 seconds]
mth has joined #qi-hardware
wej has joined #qi-hardware
xiangfu has joined #qi-hardware
xiangfu_ has joined #qi-hardware
xiangfu_ has quit [Ping timeout: 260 seconds]
<wpwrak> DocScrutinizer05: evil sysadmin idea of the day: for /etc file, create some FUSE config file processor that you mount on /etc very early during boot. then let that one make substitutions. e.g., /etc/hostname -> <$HOST$> /etc/hosts 127.0.0.1 <$HOST$>.<$DOMAIN$> localhost etc.
<wpwrak> then all you need is /evil-sysadmin.conf
<wpwrak> hmm, debugging TLS in postfix sucks. it has a nice logging option .. that seems to be far too familiar with the works of schroedinger
<whitequark> wpwrak: I was afk
archang has quit [Ping timeout: 260 seconds]
pcercuei has joined #qi-hardware
xiangfu_ has joined #qi-hardware
jwhitmore has joined #qi-hardware
jwhitmore has quit [Ping timeout: 268 seconds]
<wpwrak> DocScrutinizer05: bonus idea, for the evil sysadmin: make file names that expand as well. e.g., /etc/foo/<$HOST$>.conf
<wpwrak> access to /etc/foo/bar.conf would first try /etc/foo/bar.conf, then scan /etc/foo/ for expandable names and look for a match, then try /etc, etc. if it expands a dirname, add the remaining path and try again
<wpwrak> probably should allow climbing above the first expansion, though that may mess a bit with the user's head :)
fengling has quit [Quit: WeeChat 1.4]
xiangfu_ has quit [Ping timeout: 244 seconds]
sb0 has quit [Quit: Leaving]
azkay_ has joined #qi-hardware
azkay has quit [Ping timeout: 246 seconds]
xiangfu has quit [Remote host closed the connection]
azkay__ has joined #qi-hardware
azkay_ has quit [Ping timeout: 250 seconds]
Nik05 has quit [Remote host closed the connection]
Nik05 has joined #qi-hardware
sb0 has joined #qi-hardware
<wpwrak> grrr. ssmtp proudly supports "AuthMethod" to set the SMTP authentication method. the server offers PLAIN and LOGIN. ssmtp always chooses LOGIN, no matter what i try.
<wpwrak> turns out it doesn't support PLAIN at all. plus, it doesn't check that AuthMethod has any value it actually supports. very funny :(
azkay_ has joined #qi-hardware
azkay__ has quit [Ping timeout: 246 seconds]
rjeffries has quit [Ping timeout: 268 seconds]
MistahDarcy has quit [Ping timeout: 244 seconds]
azkay__ has joined #qi-hardware
azkay_ has quit [Ping timeout: 250 seconds]
sb0 has quit [Quit: Leaving]
rjeffries has joined #qi-hardware
pcercuei has quit [Quit: leaving]
dandon has quit [Ping timeout: 244 seconds]
jwhitmore has joined #qi-hardware
rjeffries has quit [Ping timeout: 250 seconds]
sandeepkr has joined #qi-hardware
sandeepkr has quit [Max SendQ exceeded]
sandeepkr has joined #qi-hardware
rjeffries has joined #qi-hardware
sandeepkr_ has joined #qi-hardware
sandeepkr has quit [Ping timeout: 252 seconds]
rjeffries has quit [Ping timeout: 276 seconds]
jwhitmore has quit [Ping timeout: 250 seconds]
jwhitmore has joined #qi-hardware
jwhitmore has quit [Ping timeout: 276 seconds]
MistahDarcy has joined #qi-hardware
<wpwrak> new server is processing mail :) so far, everything looks healthy
azkay__ has quit [Ping timeout: 250 seconds]
<MistahDarcy> NanoNote 2, where are you?