Route NNTP traffic via specific ISP with iptables

I use a newsgroup provider to exchange content with Usenet newsgroups. My provider restricts the connections for a specific account to originate from a single IP address. I have a machine in my network that is always on and is therefore perfectly suited to serve as a download machine. The problem, however, is that this machine also provides other services (shell, web server, mail) via the slower but more stable ISP connection with a static IP, and for obvious reasons I prefer to keep it connected that way.

I can use ISP1's connection for downloading from the newsgroups, but the newsgroup provider does not allow traffic to its servers from more than one IP. If this is violated, it results in the following message:

Failed login for server [482 You are already connected from a different host]

Besides, I also use the ISP with the fast connection to download from the newsgroups, and using both ISPs at the same time causes the 'failed login' message above.

Network diagram with multiple gateways

My situation summed up:

  • Server running Ubuntu 10.04 LTS with my favorite newsgroup download tool, SABnzbd
  • Two ISPs on my local network.
    ISP1: slow but stable connection with static IP
    ISP2: fast, but less reliable connection with dynamic IP
  • Server connected to the Internet via ISP1 (default gateway)
  • Both gateways are on the same local network (192.168.2.0/24)

The solution
I want traffic with destination port 119 to be routed via ISP2, while all other traffic should be routed via ISP1, which is the server's default gateway. To accomplish this, I created a script that redirects traffic to a specific destination port via a gateway other than the default gateway:

#!/bin/sh
ISP2_GATEWAY=192.168.2.253
PORT_TO_REDIRECT=119
# The table name must be known to iproute2: add a line such as "100 webtraffic"
# to /etc/iproute2/rt_tables, otherwise "ip route ... table webtraffic" is rejected
TABLE=webtraffic

# Create a routing table whose only route is a default route via ISP2
# (flush instead of del, so the table is emptied even when it already holds routes)
ip route flush table $TABLE
ip route add default table $TABLE via $ISP2_GATEWAY
# Packets carrying firewall mark 1 are looked up in that table;
# delete a possibly existing rule first so re-running the script does not stack rules
ip rule del fwmark 1 table $TABLE 2>/dev/null
ip rule add fwmark 1 table $TABLE

# Mark all locally generated TCP traffic to the specified port so it is routed via the gateway above
iptables -t mangle -D OUTPUT -p tcp -m tcp --dport $PORT_TO_REDIRECT -j MARK --set-mark 1 2>/dev/null
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport $PORT_TO_REDIRECT -j MARK --set-mark 1

Just adapt this script to your needs and execute it on the server machine.

This solution can also be used for other ports and other kinds of outbound traffic from your local Unix machine, for example secure NNTP traffic via port 563.
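Because the ip rule, the extra routing table and the iptables mark rule are all runtime state that disappears on reboot, it is worth having a check that all three pieces are really in place before you rely on the newsgroup traffic leaving via ISP2. The script below is an added example and not part of the original post: a check_policy_routing function that looks for the fwmark rule, the default route in the webtraffic table and the MARK rule for the configured port. On the server it would be fed the live output of ip rule show, ip route show table webtraffic and iptables -t mangle -S OUTPUT; here it runs offline on constructed sample output, including a constructed sample of the machine after a reboot. The table name, gateway 192.168.2.253 and port 119 are taken from the script above; the sample outputs are assumptions about what the commands print.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the fwmark rule, the
# default route in the extra table and the mangle MARK rule all exist.
# Live usage on the server would be:
#   check_policy_routing "$(ip rule show)" "$(ip route show table webtraffic)" \
#       "$(iptables -t mangle -S OUTPUT)" 119 192.168.2.253
# Returns 0 when all three pieces are present, 1 otherwise, and names what is missing.
check_policy_routing() {
    rules="$1"; routes="$2"; mangle="$3"; port="$4"; gw="$5"
    status=0
    # 1. "ip rule show" prints mark 1 as 0x1 followed by the table it points to
    printf '%s\n' "$rules" | grep -q 'fwmark 0x1 lookup webtraffic' \
        || { echo "missing: ip rule 'fwmark 1 table webtraffic'"; status=1; }
    # 2. the extra table must hold a default route via the ISP2 gateway
    printf '%s\n' "$routes" | grep -q "^default via $gw " \
        || { echo "missing: default route via $gw in table webtraffic"; status=1; }
    # 3. "iptables -S" renders --set-mark 1 as --set-xmark 0x1/0xffffffff
    printf '%s\n' "$mangle" | grep -q -- "--dport $port .*-j MARK --set-xmark 0x1/" \
        || { echo "missing: mangle OUTPUT MARK rule for dport $port"; status=1; }
    return $status
}

# Constructed sample output (assumption), as the commands print it right after the script ran
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup webtraffic
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default via 192.168.2.253 dev eth0 '
SAMPLE_MANGLE='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 119 -j MARK --set-xmark 0x1/0xffffffff'

# Constructed sample of the same machine after a reboot: the rule, the route table
# and the iptables rule are gone because none of them are persistent by default
SAMPLE_RULES_AFTER_REBOOT='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

if check_policy_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" 119 192.168.2.253; then
    echo "policy routing for port 119 is in place"
fi
check_policy_routing "$SAMPLE_RULES_AFTER_REBOOT" "" "" 119 192.168.2.253 || echo "re-run the script"
```

Running the check with port 563 against the sample above fails on the third test, which is exactly what you want to see if you extended the script to secure NNTP but forgot to add the second MARK rule. If the check passes but the provider still reports "482 You are already connected from a different host", the remaining suspect is another machine on the LAN using the same account via the other ISP.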

References
These sources have inspired me to find this solution:

Hope this helps anyone.

Comparison between Garmin GPSMAP 60CSx and 62s

Garmin GPSMAP 62s
I bought a new Garmin GPSMAP 62s (currently running firmware 2.40). I already own a Garmin GPSMAP 60CSx, so I will use that device as a reference for my evaluation of the 62s. I hereby post my findings with the device and silently hope that they will help improve the 62-series so it can become the generally acknowledged successor to the 60-series.

Why I chose the 62s (and not the 62 or 62st)
There are three types of 62-series devices: the 62, 62s and 62st. I chose the 62s instead of the 62 because I want a barometric altimeter and a 3-axis tilt-compensated compass, which the 62 lacks. Furthermore, I chose the 62s over the 62st because the 62st (European model) has a built-in topographic map of Western Europe at scale 1:100.000, whereas I strongly prefer the 1:50.000 maps. Besides, I like to have the in-device memory of 1,7 GB at my own disposal (only 400 MB is left on the 62st with the Western Europe map).

Tracks archive
The 62-series devices allow you to keep your tracks on the device and load them back when you want. I like this feature because it would allow me to put all my tracks on the device so I can always get them back and re-walk a route, or at least that is what I would think. So when I copied all my walking tracks (more than 100 files) to the device's \Garmin\GPX\Archive folder, it froze indefinitely (on/off button not working any more).
I almost submitted my device for RMA, but luckily I found a working solution on this forum (Dutch).

Since that moment I have placed my tracks on the external SD card (in the \Garmin\GPX\Archive folder), so if loading fails, I can easily remove the card and continue to use the GPS. This idea worked, but the result was not very satisfying. When looking at the tracks menu, it showed me all the tracks from all the GPX files I put on the card, but my track names (formatted as "YYYYMMDD"), and the GPX files on the filesystem named likewise, were listed in random order. Besides, the folder structure I use (a folder for each type of activity and a subfolder for each year) was not honored, and browsing through the long list of tracks is very slow (page up/down would have been nice). On top of that, when I archive a track located on the external SD card, it is automatically moved to the internal memory. Why, Garmin?

Switch to USB-transfer mode
If your 62 device won't boot any more, just like mine did, you can enter USB mass storage device mode by pressing the "arrow down" key before connecting the USB cable (which is connected to a running computer). After holding the button for approximately 30 seconds, the internal memory becomes visible as a drive and you can modify it again.

BirdsEye™ satellite imagery
After registering my device and entering my device's serial number (and not the unit ID, a common mistake), I was able to take out a one-year subscription to BirdsEye for only € 25. After payment by credit card, Garmin BaseCamp immediately allowed me to download imagery.
I found the image quality (I selected high) was indeed very high, but downloading the imagery was very slow. I understand the servers with the imagery are located in the US and I am in the Netherlands, but it is still too slow for a service you have to pay money for!

Another problem is the process you need to go through to download large amounts of imagery that connect nicely to each other. What I want is to be able to specify a block of any size, which is then downloaded at high speed. After downloading, I would like to select in one action which part of the image I want to send to the GPS. This is not possible. When selecting multiple blocks for download, I could not easily align them to each other.

Also, Garmin BaseCamp forces you to use its wizard, which starts off by checking your subscription, something that could just as well be done once when the application is started. Besides, a block of imagery you can select for download is limited to only 75 MB per block!
Why not make it more user-friendly, Garmin?

Comparing tracks
Another interesting comparison experiment was turning the devices on at the same time, moving them around together and comparing the resulting GPX files. I have to admit it wasn't the most professional comparison, but it does show some unexpected differences. I used Garmin's MapSource to calculate the properties. I did no calibration when I turned the devices on.

                        60CSx                   62s
Firmware version        4.00                    2.40
GPX tracklog file       tracklog_60csx.gpx      tracklog_62s.gpx
GPX file size (bytes)   173,141                 256,228
Record method           Auto                    Auto
Record interval         Most Often              Most Often
Auto calibration        On                      On
Barometer mode          Variable Elevation      Variable Elevation
Recorded trackpoints    1085                    1591
Distance (km)           8.1                     7.6
Start time              2010-09-04 15:57:32     2010-09-04 15:57:27
Moving time             4:00:59                 4:00:54
Avg speed (km/h)        2                       2
Area (sq km)            1.7                     1.7
Height graph            [image: 20100905_60csx_height_autocalibration_variableelevation]   [image: 20100905_62_height_autocalibration_variableelevation]

What really makes me wonder what went wrong here is the difference in measured distance and the spikes and holes in the height graph for the 62s. I really can't explain it, except for the fact that the 62s is giving me results that scare me. Did I cause this with a setting? Or is it already fixed in the 2.44 beta, whose release notes say "Fixed issues with inconsistent altimeter readings"? I just hope this is buggy firmware and not buggy hardware, so that Garmin can fix it.

Heart rate monitor and cadence sensor
According to its manual the Garmin 62s is capable of connecting to a heart rate monitor and cadence sensor. I recently bought the Speed/Cadence Bike Sensor and a Heart Rate Monitor.

What I want with these sensors is simple: log my heart rate and cadence together with time, location and elevation data, so I can keep track of my progress with cycling. Sadly, Garmin doesn’t make it that simple. Garmin has its Garmin Training Center which is well suited for analysing all the data captured with my 62s. Getting the data there is not very easy.

In short, these are my findings:

  • Mounting the cadence sensor to my bike was quite easy.
  • Pairing the heart rate monitor and the cadence sensor with the 62s was also very easy.
  • The first 10 minutes after turning my 62s on, my heart rate was around 254 bpm. After 10 minutes the heart rate became stable and seemed to work quite flawlessly for the rest of the logging period, except for two spikes at 42 and 45 minutes that were probably too high: heartrateproblems
  • Garmin Training Center running on Windows 7 64-bit cannot read from my 62s directly, giving me this error: Garmin 62 lacks necessary capabilities
  • Garmin Connect fails at reading data directly from the 62s using Google Chrome.
  • The only way I could get a GPX file containing the heartrate and cadence sensor values was by manually copying the Current.gpx file from the device.
    Garmin MapSource and Garmin Basecamp do not read the heart rate and cadence values from the 62s. I was however able to upload the Current.gpx file manually to Garmin Connect and analyse it.

Pros compared to GPSMAP 60 CSx:

  • Quicker fix due to the ‘HotFix® satellite prediction’ (though not thoroughly tested)
  • Maps look better and render a lot faster.
  • Map groups can now be individually enabled or disabled.
  • BirdsEye™ Satellite imagery can now be loaded onto the device
  • Support for heart rate and cadence sensors (sold as separate accessories; I already ordered them).
  • The ‘Trip computer’ page has a dashboard view, that can include for example an elevation graph.
  • The elevation plot of each (archived) track can now be viewed on the device itself.
  • The external MicroSD card can be larger than 2 GB (up to 16 GB has been tested), although I have not verified that myself. There are forum posts about using these memory cards (Dutch). It seems that larger MicroSD (SDHC?) cards already worked in the 60CSx, but Garmin has never officially confirmed that and I did not verify it.

Cons:

  • The device squeaks as can be seen in this YouTube video. They say the device is robust, but it doesn’t feel that way.
  • Special mount needed for bicycle (different from the 60-series).
  • A different clipping system used for mounting the device onto something or someone.
  • When switching page, there is a 1-second delay before the selected page is opened. You can force the opening of a page by pressing ‘enter’, but that implies 2 actions. Not funny when you want to quickly switch pages as I prefer.
    Garmin 62s menu-switch
  • Browsing tracks is not very flexible and friendly. Scrolling through long pages with only tracknames (why not the GPX filenames?) without the possibility to quickly page through the tracklists. Furthermore no directory-based track-browsing.
  • No data field for temperature. The device has a temperature sensor (which can be read in a special diagnostic mode), but you are not allowed to add it to the 'Trip computer'.
  • The sunset/sunrise time at DST changing dates bug is still present.
  • Cannot connect in the ‘Garmin Training Center’ application because the 62st ‘does not have the necessary capabilities’. Why is that? The device supports a cadence and heart rate sensor!
    Garmin 62 lacks necessary capabilities
  • There are no more games on the device! I miss IRL snake! :cry:
  • The device is prone to crashing when you add too many files to the GPX folder.
  • Custom maps created as kmz files saved to an external SD-card as explained here does not seem to work.
  • BirdsEye™ satellite imagery downloading is slow (measured over a high-speed broadband ISP connection from the Netherlands), and the process for selecting and downloading imagery with Garmin BaseCamp can definitely be improved.
  • The resulting GPX files, read with Garmin's MapSource, show some scary differences that I cannot yet explain. Does the 62s have buggy firmware?
  • I consider it a bug that I cannot seem to reset my odometer (distance meter) to zero using the trip meter's 'reset' menu.
  • Readings from the heart rate monitor are always wrong (too high) the first 5-10 minutes after connecting to the 62s.
  • Getting the heart rate and cadence sensor readings from the device is possible, but not too friendly.

Conclusion
Looking at the long list of cons, you might think I regret buying the device. Although some issues need to be addressed to improve my user experience with the 62s, I am still happy with the device. Most of the issues I have with it are hopefully in the software, so the current firmware needs improvements before the 62-series devices can be seen as a good replacement for the very successful 60-series.

Update:

  • Thanks to a comment from '60CSx con 62s' I omitted an error in the article claiming the 62s has better GPS reception than the 60CSx. What I wanted to say is that it can get a quicker fix.
  • According to user comments from '60CSx con 62s', "16GB Cards are also possible on the 60CSx (V4.00)".
  • Added my experience with BirdsEye™ imagery.
  • Added a GPX-comparison to the article.
  • Added my experience with the heart rate monitor and cadence sensor.

Dutch GGD claims survey to be anonymous, but it’s not

The Dutch public health service (GGD) is an organisation funded by the Dutch government that is concerned with the health of people in the Netherlands. They want to know about the health of people in the province of Gelderland, so they decided to start a survey.
I agree that statistics, like those from the Dutch statistics bureau, need to come from somewhere, and in this case it is important that they come from a very diverse and relatively large population.

How it works
So how does the GGD do that? Well, first they send you a letter with login data. You can log in on their website (not using SSL!) using a predefined code, and you are ready to fill in the survey. And to be certain you don't forget, they also send you the survey on paper, so people without access to or knowledge of the Internet can complete the survey as well.

Sensitive information
The questions they ask you are about your birth year, marital status, education, health, alcohol use, smoking, drug use, eating habits, social environment, violence at home and your work. A lot of sensitive information, some of which you probably don’t even voluntarily tell to your doctor, unless absolutely necessary.

Anonymity
Of course, you don't have to be afraid that the data you fill in is connected to you as a person, because they offer you the option to complete the survey anonymously. So, the GGD offers you a way to keep your privacy. They intend to do this by allowing you to tear off the first page of the survey before sending it to them. Well OK, I tear off the first page and my privacy is guaranteed. But then I started wondering what all the bar codes and identification numbers are doing on each of the other pages (take a look at the snapshot of the first survey page below).

Anonymous or not anonymous, that's the question
The thing that really scares me about this survey is the fact that they lie to the participants. This is not an anonymous survey, at least not by my definition of "anonymous".
The GGD even inadvertently proves to you that their survey is not really anonymous. How? Because they recently sent me a letter asking why I hadn't filled in the survey. Err, wait: I could have submitted it to them anonymously (remember?), so how could they possibly know that I hadn't sent it to them or filled it in online already? That's the point. If it were really anonymous, they could not have known whether I had sent them the survey!

My opinion
I think the GGD screwed up. Not because their survey is bad, nor because of their intention to conduct this survey, but solely because they claim that it is anonymous, which it certainly is not! If they ever want to regain my trust, let alone receive sensitive information about me, they should define what they mean by "anonymous" and provide a proper and clear privacy policy. Lying is not a good basis for gaining consumer trust.

References (the letters)

Vodafone voicemail uses caller ID for authentication

This article is about a security risk that I found while using Skype and Vodafone voicemail. In this article I will dive into a specific situation concerning the security of one's Vodafone voicemail (Netherlands) in combination with Skype's ability to spoof the caller ID. Besides that, I look at the main concern: trusting a caller ID for authentication purposes.

Vodafone voicemail and Skype

The problem is simple. Vodafone NL offers their customers a voicemail service. If you call the voicemail service from your own mobile phone, you get direct access to the voicemail inbox without needing any form of authorization. It seems the mobile’s caller ID is used for authentication.
Skype, on the other hand, has a ‘feature’ that allows you to assign your own mobile number as a caller ID for Skype-Out calls. This means you can spoof your caller ID, if you authorize it with Skype, for which you only need to respond to an SMS sent to the device once.

So, if I could trick a victim into lending me his/her mobile for only 5 minutes, I could abuse that moment to register the mobile number with a Skype account. This would allow me to access the victim's Vodafone voicemail, because Skype allows you to spoof the number, and Vodafone authenticates you to a voicemail box based on the caller ID. So, I only need my Skype account to access the victim's voicemail. An even simpler method could be using a service provider that allows me to spoof a mobile number, like SpoofCard claims to do. You would then only require the victim's mobile phone number. Scary!

Other services at risk?

So Vodafone voicemail (NL) is vulnerable to this "hack". But what about other service providers that rely on the caller ID?

For example the 'ABN AMRO Saldo voor de iPhone' [iTunes], a banking application for the Dutch ABN AMRO bank that allows you to see your bank account's balance (requires a 4-digit PIN).
Or what about the 'Rabo Bankieren' [iTunes] application used for banking with the Dutch Rabobank, which only requires a 5-digit PIN to see your bank account's balance?
If the caller ID can be circumvented as part of the authorization of these applications, the only security layer left is a 4- or 5-digit PIN code, which IMHO is not enough any more.

Of course, the same principle applies to SMS text messages, like described in the article Twitter and Jott Vulnerable to SMS and Caller ID Spoofing by dhanjani.com, but for the sake of simplicity I will not go into that right now.

Questions and conclusion

So what do you think?

  • Do you think this is a security risk or not?
  • Is the caller ID something that is easy to fake?
  • Why is Skype allowed to spoof the caller ID? Is this something anyone can do on any phone network?
  • Should service providers be allowed to trust the caller ID for authentication purposes?
  • Have you seen service providers using the caller ID for authentication purposes?

In my opinion, trusting the caller ID for authentication purposes poses a security risk. Developers should be aware that the caller ID should never be an authentication method solely by itself, but always an addition to another one. In my opinion, service providers should not use the caller ID alone for authentication!

And remember, if Paris Hilton can hack into a voicemail, anyone can! ;-)

Update 24-03-2011: I merely used the ABN AMRO and Rabo Bankieren applications as examples to think more deeply about security and privacy concerning the use of these (very handy!) financial applications, but it is clear that they do not rely on (and probably do not even send) the caller ID to the bank's server, so the possible risk of using the caller ID as authentication for these applications is irrelevant.

‘cab3.cab has an invalid digital signature’ when installing Team Foundation Server 2010 beta2

I had just started installing Team Foundation Server 2010 beta 2 from an ISO file, using MagicDisc to mount it in my Windows 2007 running in Virtual PC, when I stumbled upon this error:

cab3.cab has an invalid digital signature

You can solve this error by explicitly trusting the certificate that the cab3.cab file was signed with, following these steps:

  1. Look up the file in Explorer
  2. Go to the file's properties
  3. Go to the tab 'Digital Signatures'
  4. Click the one item in the list and click 'Details'
  5. Click 'View Certificate' in the window that opens
  6. Install the certificate in the 'Trusted Root Certificate Authorities' store
  7. Re-run the setup; the cab3 exception should not occur any more

It complained about other cab files as well, but the installer continued after I just clicked 'OK'; if it does not, repeat the steps above for the other cab files as well.