Sunday, 23 October 2016

Should I hand over my account & card details?

While logging in to online banking...

Who can spot a sign I'm being phished?

(Other than being asked to enter the details we're told never to give out... complete account number/sort code, front & back card details etc.)

Friday, 3 June 2016

.uk domain transfers are scary

.uk transfers are a little different:
  • You instruct your old registrar to change the "IPS tag" to point the domain to your new registrar.
  • You tell your new registrar that the domain just assigned to them is yours.
The new registrar then dutifully updates all of Nominet's records. Even if the name... email... address... you provided them with bears no relation to the existing (private?) registration information. Who cares if you had two-factor authentication enabled on the original Nominet account? Your domain is gone.

Nominet says the onus is on the registrar to ensure they verify you're the owner when going through this process. But they don't?

What's to stop someone scraping whois records (that IPS tag is public) and racing to claim the domains you're transferring before you do?

Apparently nothing. A few weeks ago I ran a little test. I registered a new domain at one registrar and immediately asked they change the IPS tag to another. A coworker watched over my shoulder as I retrieved the whois details for my domain to see the tag change, but then I got distracted looking for cake/looking over their shoulder. They set up a new account at the second registrar and claimed the domain, using no secret information and without either registrar or Nominet gaining my consent.

What am I missing? Do some registrars I haven't tried put effort into verifying your ownership? Is it just a few bad actors?

UPDATE: One registrar I've contacted has now promised they've updated their systems to email the owner listed by Nominet for confirmation, before handing over the domain. Minor success...

Monday, 23 March 2015

Chromecasts, Netflix & UI-200

My Chromecast has regularly been refusing to play Netflix streams recently with error ui-200.

Ignoring the onscreen suggestion and initial Netflix support page, a quick search will teach you to factory reset the Chromecast.

It doesn't answer the "Why?" though... It turns out that hitting the "Sign out of all devices" button triggers the issue. I guess the Chromecast stores a token which isn't invalidated or replaced, even if you log in again through the Android app.

Until Netflix/Google fix the bug, it might be time to think about upgrading your Netflix plan or telling "someone" to get their own account!

Friday, 6 April 2012

identifying to the freenode testnet with certfp

freenode will be upgrading their services very soon. One of the major new features that this upgrade will bring is the ability to identify using ssl certificates. Here's a very quick guide on how to get started.

I used atoponce's guide for oftc when writing this up.

You can connect to freenode using ssl without using certfp to identify.

Generating your own certificate

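You will need openssl installed. Check your operating system's documentation for this. Once done, the following commands will create a certificate and set sensible permissions:
mkdir -p ~/.irssi/certs
cd ~/.irssi/certs/
# self-signed certificate with an unencrypted 2048-bit RSA key, valid for 365 days
openssl req -nodes -newkey rsa:2048 -keyout mynick.key -x509 -days 365 -out mynick.crt
# irssi takes the certificate and key together in one file
cat mynick.crt mynick.key > mynick.pem
# the files holding the private key are readable by you only
chmod 0400 mynick.key mynick.pem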

Needless to say, don't give anyone these files!

Connecting with SSL

The testnet is available at irc:// on ssl so make sure you are connecting to that!

After starting irssi, that means something like:
/network add freenodetest
/server add -auto -ssl -ssl_cert ~/.irssi/certs/mynick.pem -network freenodetest 9003
/connect freenodetest

Or if modifying an existing server config:
use_ssl = "yes";
ssl_verify = "no";
ssl_cert = "~/.irssi/certs/mynick.pem";

Once you launch irssi, you should see that you are given usermode +Z:
13:41:49 -!- Mode change [+Z] for user Pricey

If you /whois yourself, you should also see your certificate fingerprint:
14:04:43 -!- Pricey [~pricey@]
14:04:43 -!- ircname : pricechilde
14:04:43 -!- server : [Paris, FR]
14:04:43 -!- : is using a secure connection
14:04:43 -!- : has client certificate fingerprint aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
14:04:43 -!- hostname :
14:04:43 -!- idle : 0 days 0 hours 0 mins 3 secs [signon: Fri Apr 6 14:04:40 2012]
14:04:43 -!- End of WHOIS

If you don't see the fingerprint line, you need to go back and figure out what you've done wrong.

Giving Services your certificate fingerprint

Finally, we need to tell services about our certificate fingerprint. (If you haven't specified your account password as your server password, sasl'd or had a script take care of it, identify first!)
/msg nickserv cert add aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbb0000
(using the fingerprint from your whois.)
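
Before adding the fingerprint to services, you can check that the value shown in whois really belongs to the certificate on disk. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes the network reports the SHA-1 digest of the certificate as 40 lowercase hex digits, which is what the length of the sample whois value suggests.

```shell
#!/bin/sh
# Added example: compute a certificate's fingerprint locally and compare it
# with the "has client certificate fingerprint" line from /whois.
# Assumption: the server reports a SHA-1 digest as 40 lowercase hex digits.

# cert_fingerprint FILE -> prints the SHA-1 fingerprint, lowercase, no colons
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed -e 's/^.*=//' -e 's/://g' |
        tr 'A-F' 'a-f'
}

# fingerprint_matches FILE REPORTED
#   exit 0: REPORTED matches FILE, 1: mismatch, 2: REPORTED is malformed
fingerprint_matches() {
    reported=$(printf '%s' "$2" | tr -d ': \t' | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 40 hex digits (truncated paste etc.)
    case "$reported" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#reported}" -eq 40 ] || return 2
    [ "$(cert_fingerprint "$1")" = "$reported" ]
}

# Demonstration on a throwaway certificate (constructed sample, deleted afterwards)
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      openssl req -nodes -newkey rsa:2048 -keyout "$dir/demo.key" -x509 \
          -days 1 -subj "/CN=demo" -out "$dir/demo.crt" 2>/dev/null ) || return 1
    fp=$(cert_fingerprint "$dir/demo.crt")
    echo "fingerprint: $fp"
    fingerprint_matches "$dir/demo.crt" "$fp" && echo "match"
    rm -rf "$dir"
}

demo
```

For the certificate created above, run `fingerprint_matches ~/.irssi/certs/mynick.pem <value from whois>`; openssl reads the certificate block from the combined .pem file.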

One final thing of note is that the testnet is using a self-signed certificate. You cannot simply use the ssl_capath option to point to your distribution's existing ssl certificates. Irssi will warn you that this is the case and not connect.