Yuval Adam

Configuring Postfix to Work With Gmail on Mac OS X

One of the things I’m sorry I didn’t do earlier is set up Postfix on my Mac, so that I can send quick emails (not to mention git patches) directly from the command line.

As we all know, sending emails directly from your machine is a sure way to get yourself blacklisted as spam, so using an SMTP relay is pretty much required. But since my main email account is hosted on Gmail, and I want to connect securely to Google’s SMTP servers, this requires some configuration.

First things first: add your authentication details for the relay. If you’re using Gmail, it goes like this. Create a new file:

sudo vi /etc/postfix/relay_password

And add the auth details to it, just one line:

smtp.gmail.com:587 your_user_name@gmail.com:your_password

Next, we need to generate a lookup DB from these details:

sudo postmap /etc/postfix/relay_password

And make sure the relay_password.db file has been generated.

Now it’s time to update the main.cf configuration file. You might want to keep a backup before you add the following changes. First, check that the line

tls_random_source = dev:/dev/urandom

exists in the file and is not commented out; this should be the case by default. Now here’s the main logic, which you can simply append to the end of the file:

relayhost = smtp.gmail.com:587

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_security_options = noanonymous

smtp_tls_security_level = may
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_loglevel = 1

The last thing we need to do is set up the root SSL certificate that Google uses, which is the Thawte Premium Server CA. First:

sudo mkdir /etc/postfix/certs && cd /etc/postfix/certs

Then, download the PEM file:

sudo wget https://www.thawte.com/roots/thawte_Premium_Server_CA.pem

Now we need to run a rehash on the PEM file:

sudo c_rehash /etc/postfix/certs/

And that’s it! Give it a test run, and hopefully you’ll receive an e-mail strongly authenticated and relayed from your Gmail account:

echo "Relay Test" | mail -s "Relay Testing" test_recipient@domain.com

As an added bonus, you might want to set your hostname to something more descriptive than mymachine.local by adding this line to main.cf:

myhostname = some-domain-i-own.com
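A check of the main.cf fragment above for the settings a reviewer would flag, as an added example that is not part of the original post. It parses Postfix’s `name = value` syntax (comments and continuation lines included) and reports `smtp_tls_security_level = may` (opportunistic TLS: if the STARTTLS offer is stripped on the path to the relay, the SASL credentials go out in clear), a missing `noanonymous`, a relayhost that does not use the submission port, and a relay_password map readable by group or others. The sample config and the file mode passed in are constructed; the parameter names are real Postfix ones.

```python
"""Lint the Postfix SMTP-client relay settings from the post for weak choices."""
import re
import stat

# Constructed sample: the fragment the post appends to main.cf.
SAMPLE_MAIN_CF = """\
# relay through Gmail's submission port
relayhost = smtp.gmail.com:587

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_security_options = noanonymous

smtp_tls_security_level = may
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_loglevel = 1
"""

# smtp_tls_security_level values, weakest first (Postfix's own names).
TLS_LEVELS = ["none", "may", "encrypt", "dane", "dane-only",
              "fingerprint", "verify", "secure"]


def parse_main_cf(text):
    """Parse main.cf into a dict: 'name = value' lines, '#' comments,
    and continuation lines that begin with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:          # continuation line
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def lint_relay_config(text, password_map_mode=None):
    """Return (severity, message) findings. password_map_mode is the st_mode
    of the relay_password file when known (constructed in the tests)."""
    p = parse_main_cf(text)
    findings = []

    relayhost = p.get("relayhost", "")
    if not relayhost:
        findings.append(("high", "relayhost not set: mail is delivered directly "
                                 "and will likely be rejected as spam"))
    elif not (relayhost.endswith(":587") or relayhost.endswith(":submission")):
        findings.append(("medium", "relayhost does not use the submission port 587"))

    if p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append(("high", "smtp_sasl_auth_enable is not 'yes'; the relay "
                                 "will refuse unauthenticated mail"))

    opts = {o.strip() for o in p.get("smtp_sasl_security_options", "").split(",") if o.strip()}
    if "noanonymous" not in opts:
        findings.append(("medium", "smtp_sasl_security_options lacks noanonymous"))

    level = p.get("smtp_tls_security_level", "none")
    if level not in TLS_LEVELS:
        findings.append(("high", f"smtp_tls_security_level = {level!r} is not a known level"))
    elif TLS_LEVELS.index(level) < TLS_LEVELS.index("encrypt"):
        findings.append(("high", f"smtp_tls_security_level = {level}: TLS is optional, so a "
                                 "stripped STARTTLS offer sends the password in clear; "
                                 "use 'encrypt' or stronger"))
    elif level == "encrypt":
        findings.append(("low", "smtp_tls_security_level = encrypt requires TLS but does not "
                                "verify the relay's certificate; 'secure' with smtp_tls_CApath does"))

    # The map holds a plaintext password (and postmap writes a .db next to it).
    if password_map_mode is not None and password_map_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("high", "relay_password is accessible to group/others; chmod 600 it"))
    return findings


if __name__ == "__main__":
    for severity, msg in lint_relay_config(SAMPLE_MAIN_CF, password_map_mode=0o100644):
        print(f"[{severity}] {msg}")
```

With the post’s fragment the linter reports only the `may` level; switching that line to `smtp_tls_security_level = secure` (which makes Postfix use the CA path set up below) clears it.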

Resolving a Corrupt Sudoers in Mac OS X

During 28C3, I was being over-paranoid about the security of my laptop, and I accidentally did something really really (really) stupid to my /etc/sudoers file, I commented out this line:

# User privilege specification
root    ALL=(ALL) ALL
# %admin  ALL=(ALL) ALL

See what I did there? No more sudo for my admin user. End of story. I thought I was doomed. The only way to resolve this situation, essentially, is to boot into some sort of safe mode with the Mac OS X installation disk. Needless to say I didn’t have it with me.

Luckily, Mac OS X is built in a way that allows resolving a corrupt sudoers, exploiting the way the OS manages permissions. This method was first described here, props to Astrails for the idea.

The idea is that while the command-line sudo relies on the sudoers file, the UI authentication does not.

Exploiting this, you can change the file permissions on /etc/sudoers without needing sudo access. All you need to do is open a Finder window, Shift-Cmd-G and go to the /etc folder. From there, select the sudoers file and open its info pane (Cmd-I). Scroll down to the Sharing & Permissions panel, and unlock it using your admin password. You now can temporarily change the file permissions such that you’ll be able to edit it without sudo access.

Now all you need to do is fix the crap that you did to your sudoers file, reset the permissions back to 440 and you’re all set.

Next time, if you think you need to edit your sudoers file, DO NOT.

Bitcoin for Dummies

I recently started delving into the world of a new currency which you might have heard of - Bitcoin. I figured I wanted to know more about it, and what applications it might have. As it turns out, the concepts behind Bitcoin are actually not that complicated, and I believe that if you are able to grasp the concept of money as we know it, in the form of the proverbial cold hard cash, you should have no problem understanding Bitcoin and how it works. I’ll simplify some concepts in order to make things understandable, but the concepts will absolutely remain true to form.

What is Bitcoin?

Bitcoin is the name of a currency that exists entirely in a network of computers, even your computer at home can be part of that network. There are no real, physical, coins or bills. Nothing other than data stored in various computers all over the world.

How does it work?

Bitcoin, at its core, is essentially a huge list of transactions that anyone can have a copy of. A simple list might look like this:

A (10) -> B
B (4) -> A
B (3) -> A

In this simple list, we have two people, A and B. A sent B 10 bitcoins, after which B returned 4 bitcoins to A, and then decided to send 3 more bitcoins back to A. So this list is nothing more than a series of transaction details.

So assuming both A and B had 20 bitcoins to start with, after the three transactions, A now has 17 bitcoins left, while B has 23 bitcoins in his wallet. Easy stuff. Now, for an outsider to know how much money each party has, all he needs to do is know how many bitcoins each one had to begin with, and from there he can simply add and subtract the details of the transactions and find out who has how many Bitcoins. This is, in essence, the Bitcoin system.
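The outsider’s bookkeeping from the paragraph above, as an added example that is not part of the original post: a parser for the `A (10) -> B` notation and a replay that starts from the opening balances, applies each transaction, and refuses any transaction whose sender does not hold enough, which is the check the verifiers described later in the post are performing. The ledger text and opening balances are constructed.

```python
"""Toy ledger in the post's 'A (10) -> B' notation: parse, replay, and
compute balances the way an outsider with a copy of the list would."""
import re

# One transaction per line: <sender> (<amount>) -> <recipient>
LINE = re.compile(r"^\s*(\w+)\s*\((\d+)\)\s*->\s*(\w+)\s*$")

# Constructed sample: the three transactions from the post.
SAMPLE_LEDGER = """\
A (10) -> B
B (4) -> A
B (3) -> A
"""


def parse_ledger(text):
    """Return (sender, amount, recipient) tuples; reject malformed lines,
    zero/negative amounts and self-transfers."""
    txs = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a transaction: {line!r}")
        sender, amount, recipient = m.group(1), int(m.group(2)), m.group(3)
        if amount <= 0 or sender == recipient:
            raise ValueError(f"line {n}: invalid transaction: {line!r}")
        txs.append((sender, amount, recipient))
    return txs


def replay(text, opening):
    """Replay the ledger against opening balances.

    A transaction that would overdraw the sender is rejected and skipped;
    everything else is applied in order. Returns (balances, rejected)."""
    balances = dict(opening)
    rejected = []
    for sender, amount, recipient in parse_ledger(text):
        if balances.get(sender, 0) < amount:
            rejected.append((sender, amount, recipient))
            continue
        balances[sender] -= amount
        balances[recipient] = balances.get(recipient, 0) + amount
    return balances, rejected


if __name__ == "__main__":
    final, bad = replay(SAMPLE_LEDGER, {"A": 20, "B": 20})
    print(final, "rejected:", bad)   # {'A': 17, 'B': 23} rejected: []
```

Because every verifier starts from the same opening balances and the same list, they all reach the same final balances and reject the same overdrafts; that shared answer is what the post means by everyone agreeing who owns what.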

How is this data saved?

This transaction list is shared between many computers all over the world. If A wants to send B 10 bitcoins, he would just issue that transaction on his computer, which would then, in turn, tell the whole world “Hey! A just sent B 10 bitcoins!”. Over time, that message would propagate all over the Internet to everyone running a Bitcoin client. That’s all there is to issuing a transaction.

Wait, so, I can fake transactions!

Not really, no. Transactions are secured using strong data encryption methods. These are the exact same methods that are in use to securely transfer your credit card details when making an online purchase, or when logging in to your e-mail account. These methods ensure that only the sending party is able to issue genuine transactions.

So who verifies the transactions?

Well, someone has to go over the list of transactions and approve them, otherwise the list has no value. Therefore, anyone who wants to can contribute to the system by reviewing the recent transactions, and doing some heavy calculations on the data, to ensure that they are all indeed valid.

Why would anyone do that?

Simple, because by donating computing power, you actually receive Bitcoins from the system! The process of verifying the transactions is called mining, and is rewarded with Bitcoins that the system generates just for you, out of thin air. This is how Bitcoins are “printed”.

Is there any other way to get Bitcoins?

Sure. If a friend of yours is willing to, he can give or sell you any amount of Bitcoins he wants, as long as he had some to start with. He will issue a transaction saying that he transfers some Bitcoins to your possession. He can do that for free, but more likely he’ll ask you for something in return, so you’ll probably be paying him back in cash, or selling him some product or service. In any case, that’s up to the two parties to work out between themselves.

So how is this different from the current cash system?

It’s not! Think about it, coins and bills are just pieces of metal and paper, with little significant value. The value they have is the one that we give them. By printing “100” on a piece of paper, we’re saying that it is worth 100 units of something. So when people start to accept Bitcoin as a valid currency, it is not that different from any other currency in use around the world, other than that it has no physical existence.

I have 100 Bitcoins, what does that mean?

That means that over time, you have accumulated 100 Bitcoins, either from transactions with various people, or by mining them (and then it would be the ‘system’ that gave you the Bitcoins). Anyone going over the list of transactions and verifying its accuracy will end up with the same answer: “yep, he really is the legit owner of 100 Bitcoins”. You are free to do whatever you want with these Bitcoins in your possession.

Review

In essence, this is all there is to the Bitcoin system. Of course, there are many more issues that derive from this system. In further posts I’ll talk about the exact monetary value of Bitcoins, how anonymous (if at all) the system is, and various interesting dilemmas that arise from the usage of such a currency.

Keynote Syntax Highlighting

Need to copy some code from TextMate to Keynote and want to keep your cool syntax highlighting?

Suffer no more - https://github.com/drnic/copy-as-rtf-tmbundle

mkdir -p ~/Library/Application\ Support/TextMate/Bundles
cd ~/Library/Application\ Support/TextMate/Bundles
git clone git://github.com/drnic/copy-as-rtf-tmbundle.git "Copy as RTF.tmbundle"

After that just reload the TextMate Bundles: Bundles > Bundle Editor > Reload Bundles.

Copy any code with Cmd-Alt-Ctrl-R and paste into Keynote, your delicious syntax highlighting will be there!

Setting Up an Iodine IP-over-DNS Proxy

Here’s a nice method to bypass any annoying wifi gateways, such as the ones you find at hotels and airports. A prerequisite is that the gateway allows DNS requests to be made.

Once we have that in the clear, we’ll need root access to a server with full access to its DNS records. We’ll be using iodine and iodined on both sides of the tunnel.

First of all, we’ll need to create the proper DNS records - we’re going to need two of those: an NS record for the DNS delegation, and an A record pointing at the server itself.

I’m using Amazon’s Route53 service with the most excellent boto command line tools, so I would do this:

$ route53 add_record ZXXXXXXXXXXXXX iodine.domain.com. NS tunnel.domain.com. 259200 some_comment
$ route53 add_record ZXXXXXXXXXXXXX tunnel.domain.com. A 111.222.33.4 900 some_comment

It obviously doesn’t matter what tools you use, you just want these two DNS records:

iodine      IN  NS  tunnel.mydomain.com.
tunnel      IN  A   111.222.33.4

So now we have the DNS records set up. Now it’s time to install iodined on the server. I’m using a standard Ubuntu server - and if it’s 11.04 and up, you’re lucky because iodine has an apt package:

sudo apt-get install iodine

By default, the service does not launch on startup, but that’s fine since we still need to configure it. The service config file is located at /etc/defaults/iodine. Here you’ll want to set your iodined password and any command line args. If you want, you can always set iodined’s run level - to launch on startup - by using the runlevel tool.

Alternatively, you can always just run iodined from the command line in foreground mode:

iodined -f -P yourpassword 192.168.99.1 iodine.mydomain.com

The arguments you’re going to need are a password of your choice, an internal IP that is not in use, and the tunnel domain to listen to. Last thing, you’re going to want to make sure your firewall is open inbound to UDP requests on port 53.

Once you have that you can go on to http://code.kryo.se/iodine/check-it and test your setup with the iodine.mydomain.com domain. If all is good you can continue to install the client.

Last step, installing the client. I’m on a Mac with homebrew installed, so again installing it is kind of a breeze:

sudo brew install iodine

Once that’s installed, launch the client:

sudo iodine -P yourpassword iodine.mydomain.com

and if all is well you have just set up a fancy IP-over-DNS tunnel! For final testing try to ping your server via the IP you gave it: 192.168.99.1. Once you have the tunnel you can start routing traffic through it. For this you’ll probably want to establish a secure connection, preferably via SSH. Remember that all DNS requests are non-secure and very easy to sniff over the network.

For further reference you can (should) check out the iodine README.

Pitfalls

  • Make sure you install the same iodine versions on both the client and the server. If you fail to do so you will get protocol errors. There is no backwards compatibility here.
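The same tunnel seen from the other side, as an added example that is not part of the original post: the post notes that every query crosses the gateway in clear, and a tunnel like the one above has a distinctive shape in the resolver’s query log. The heuristic below groups queries by parent zone and flags a zone that receives many queries whose leading labels are long, almost all distinct and high-entropy, using the record types iodine carries data in (NULL, TXT, CNAME, MX, SRV, PRIVATE). The log lines, their `<client> <qname> <qtype>` format and the thresholds are constructed.

```python
"""Flag DNS-tunnel-shaped zones in a constructed resolver query log."""
import math
from collections import defaultdict

# Constructed sample log: "<client> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 example.com A
10.0.0.9 mail.example.com MX
10.0.0.7 tq7bgwxk2jh3hkm6n5rtv4wdz3.iodine.mydomain.com NULL
10.0.0.7 a3bn9sk2lpqwe4rt6yu8io1pz5.iodine.mydomain.com NULL
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2.iodine.mydomain.com NULL
10.0.0.7 zz9k8j7h6g5f4d3s2a1qwertyui.iodine.mydomain.com TXT
10.0.0.7 pl0okm9ijn8uhb7ygv6tfc5rdx4e.iodine.mydomain.com NULL
10.0.0.5 cdn.example.com A
"""

# Record types iodine can encode downstream data in (from its README).
TUNNEL_QTYPES = {"NULL", "PRIVATE", "TXT", "CNAME", "MX", "SRV"}


def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (client, qname, qtype) tuples from the constructed format."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].lower().rstrip("."), parts[2].upper()))
    return rows


def zone_stats(text):
    """Per parent zone: query count, distinct leading labels, mean label
    length and entropy, and the share of tunnel-capable record types."""
    agg = defaultdict(lambda: {"queries": 0, "labels": set(),
                               "len_sum": 0, "ent_sum": 0.0, "odd": 0})
    for _client, qname, qtype in parse_log(text):
        first, _, parent = qname.partition(".")   # data rides in the first label
        if not parent:
            continue
        z = agg[parent]
        z["queries"] += 1
        z["labels"].add(first)
        z["len_sum"] += len(first)
        z["ent_sum"] += shannon_entropy(first)
        z["odd"] += qtype in TUNNEL_QTYPES
    return {parent: {"queries": z["queries"],
                     "unique_labels": len(z["labels"]),
                     "avg_label_len": z["len_sum"] / z["queries"],
                     "avg_entropy": z["ent_sum"] / z["queries"],
                     "odd_type_fraction": z["odd"] / z["queries"]}
            for parent, z in agg.items()}


def suspicious_zones(text, min_queries=4, min_label_len=20,
                     min_entropy=3.0, min_odd_fraction=0.5):
    """Zones whose queries look like a data channel rather than name lookups."""
    flagged = []
    for parent, s in zone_stats(text).items():
        if (s["queries"] >= min_queries
                and s["unique_labels"] / s["queries"] > 0.8
                and s["avg_label_len"] >= min_label_len
                and s["avg_entropy"] >= min_entropy
                and s["odd_type_fraction"] >= min_odd_fraction):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_zones(SAMPLE_LOG))   # ['iodine.mydomain.com']
```

The thresholds here are tuned to the sample; in a real log, anti-malware hash lookups and some CDNs also produce long, random-looking labels, so a flag is a reason to look at volume and timing for that zone, not a verdict on its own.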

Installing TL-WN722N on Ubuntu 11.10

I just finished installing the TL-WN722N TP-Link wireless USB adapter on an Ubuntu 11.10 machine. I started off with the instructions on http://dwiel.net/blog/tp-link-tl-wn722n-on-ubuntu-10-04 and, at least for me, the steps were much simpler.

All I needed to do was:

$ wget http://www.orbit-lab.org/kernel/compat-wireless-2.6-stable/v2.6.38/compat-wireless-2.6.38.2-2.tar.bz2
$ tar xvf compat-wireless-2.6.38.2-2.tar.bz2
$ cd compat-wireless-2.6.38.2-2
$ ./scripts/driver-select ath9k_htc
$ sudo make
$ sudo make install

That’s pretty much it. I suspect other up-to-date versions of compat-wireless will also do the trick, but for now - this does just fine.

Django @login_required Decorator With 403

Django has a neat decorator called @login_required which - when attached to a view - ensures that request.user is logged in, and otherwise redirects the user to the login page (as defined in LOGIN_URL).

However, in AJAX calls this has no meaning. In most applications, AJAX calls should fail, preferably with a 403 (unauthorized) HTTP return code. Interestingly enough, Django has no such decorator.

So I just took the regular Django @login_required and modified it to immediately fail with 403 if the user is not authenticated. Enjoy -
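A decorator of the shape the post describes, as an added example and not the author’s own snippet: an unauthenticated request gets a 403 immediately and the view never runs; an authenticated one passes straight through. Because the page itself is from the era when `request.user.is_authenticated()` was a method (it later became a property), the helper accepts either form rather than treating a bound method, which is always truthy, as "logged in". The request, user and response classes below are constructed stand-ins so the code runs without Django; in a project you would return `django.http.HttpResponseForbidden` instead.

```python
"""login_required variant that fails with 403 instead of redirecting."""
from functools import wraps


# Constructed stand-ins for Django's HttpResponse/HttpResponseForbidden.
class Response:
    def __init__(self, content, status_code=200):
        self.content = content
        self.status_code = status_code


class ForbiddenResponse(Response):
    def __init__(self, content=b"login required"):
        super().__init__(content, status_code=403)


def is_authenticated(user):
    """Accept both the old method form and the newer property form of
    user.is_authenticated; anything else (AnonymousUser-like, None) is False."""
    if user is None:
        return False
    flag = getattr(user, "is_authenticated", False)
    return bool(flag() if callable(flag) else flag)


def login_required_403(view_func):
    """Run the view only for authenticated users; otherwise return 403 without
    touching the view, so an AJAX caller gets an explicit failure, not a
    redirect to a login page it cannot follow."""
    @wraps(view_func)
    def wrapper(request, *args, **kwargs):
        if is_authenticated(getattr(request, "user", None)):
            return view_func(request, *args, **kwargs)
        return ForbiddenResponse()
    return wrapper


# Constructed stand-ins for request/user objects, old and new style.
class PropertyUser:
    def __init__(self, authed):
        self._authed = authed

    @property
    def is_authenticated(self):
        return self._authed


class MethodUser:
    def __init__(self, authed):
        self._authed = authed

    def is_authenticated(self):
        return self._authed


class Request:
    def __init__(self, user):
        self.user = user


@login_required_403
def secret_view(request):
    return Response(b"secret data")


if __name__ == "__main__":
    print(secret_view(Request(PropertyUser(False))).status_code)   # 403
    print(secret_view(Request(PropertyUser(True))).status_code)    # 200
```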