IMAPS

echo | \
openssl s_client -connect imap.example.com:993 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

IMAP with STARTTLS

echo | \
openssl s_client -starttls imap -connect imap.example.com:143 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

POP3S

echo | \
openssl s_client -connect pop3.example.com:995 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

POP3 with STARTTLS

echo | \
openssl s_client -starttls pop3 -connect pop3.example.com:110 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

SMTPS

echo | \
openssl s_client -connect smtp.example.com:465 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

SMTP with STARTTLS

echo | \
openssl s_client -starttls smtp -connect smtp.example.com:587 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

Once you’ve got the certificate (the above commands will store it in a file named cert in the current working directory) use the following command to extract the expiry date:

openssl x509 -in cert -noout -enddate

Sample output

notAfter=May 13 21:22:55 2012 GMT

Simple as that…

I don’t ask a lot of a registrar. Just make sure the TLD publishes NS records for my domain along with any necessary glue records. And of course a way to modify said records. Sounds simple enough…

Sadly something has gone terribly wrong at GoDaddy since the last time I had to deal with them. Have a look at their web site. Where one would hope to find helpful technical information, you get pictures of b-list celebrities. Where one would hope to find tools for domain registration management, you get “special offers”, discounts and deals. Where one would hope to find customer support contact information, you get the always present, never ending drivel of “Bob Parsons, CEO”.

All I wanted to do was change the NS records for botnegaten.org. Not a lot to ask of a domain name registrar I thought. How wrong I was…

From: bob@db.org
To: support@godaddy.com
Subject: Setting nameservers for domain
Date: 2009-12-21 09:05 +0100

I'm trying to set:

a.ns.db.org
b.ns.db.org

as nameservers for botnegaten.org, but I keep getting the following
error message for both nameservers:

"Nameserver not registered."

What am i doing wrong?

From: donotreply@godaddy.com
To: bob@db.org
Subject: Request Received - Incident ID 8026729
Date: 2009-12-21 09:07 +0100

Your question has been received. You should expect a response
within 24 hours.

This is your Incident ID: 8026729

Huh; the form where I filed the incident promised me a reply within 4 hours. Clever trick really; as they sent me the above auto-reply in just a few minutes, they have technically upheld their promise of a response within 4 hours…

From: support@godaddy.com
To: bob@db.org
Subject: Update [Incident ID: 8026729] - Support Question
Date: 2009-12-21 14:00 +0100

Dear B. Johannessen,
Thank you for contacting online support.

You are not required to register hosts, but if you intend to set up
your own Domain Name Server (DNS) service, you can register
your own hosts. You can enter up to 13 hosts, depending on the
maximum number of hosts the top-level domain (TLD) registry
allows.

WARNING: Unless you have a thorough understanding of this
process, we recommend that you do not use this feature.

To Register Your Own Hosts
Log in to your Account Manager.
In the My Products section, click Domain Manager.
Click the domain for which you want to create a host.
In the Host Summary section, click the add hyperlink in the header.
In the Host name field, enter the host name you want to register.
NOTE: Do not enter "www" as part of your host name.

In the Host IP fields, enter the IP address(es) you want to add to
the host.
Click OK.
It takes 4 to 8 hours to register hosts for .COM and .NET domains
and 24 to 48 hours for all other domain extensions.

Thank you,
Jennifer T.
Online Support

Thanks “Jennifer”, I’m sure you’re right, but that’s not what I asked. Apparently support@godaddy.com is manned by the trained monkey squad, and the monkey training leaves a bit to be desired! Let’s see if we can get this escalated to someone with above room-temperature IQ (or a least a basic understanding of the DNS).

From: bob@db.org
To: support@godaddy.com
Subject: Re: Update [Incident ID: 8026729] - Support Question
Date: 2009-12-21 14:22 +0100

Please, please, PLEASE escalate this to someone qualified to do
something other then return a pre-written reply!

I'm trying to set the nameservers for botnegaten.org to A.NS.DB.ORG
and B.NS.DB.ORG, but when I do so, I get an error message saying
"Nameserver not registered." for both values.

My father always says you should hope in one hand, spit in the other and check to see what hand ends up the fullest (sounds a lot better in Norwegian, but you get the idea). So; at this point I’m sitting back hoping for intelligent life at GoDaddy support…

From: donotreply@godaddy.com
To: bob@db.org
Subject: Request Received - Incident ID 8026729
Date: 2009-12-21 14:23 +0100

Your question has been received. You should expect a response within
24 hours.

This is your Incident ID: 8026729

Good to know…

From: support@godaddy.com
To: bob@db.org
Subject: Update [Incident ID: 8026729] - Support Question
Date: 2009-12-21 19:13 +0100

Dear Bob,

We will need to see the exact error that you receiving when trying
to change the nameservers. The term screen shot refers to
"grabbing" a still image of the contents of your computer monitor
that can be saved as a graphic file and printed, faxed, or emailed.

Screen shots are very helpful in explaining what you are seeing on
your computer when working with customer support. It is often
easier for you and for the support representative if you take a
screen shot of what you are seeing and simply send it in.

Here is a quick step by step on how to do it:

...
...
...

Regards,
Alfonso P.
Online Support

I’ve heard a picture is worth a thousand words, but this is ridiculous. Guess I was mistaken about who’s manning support@godaddy.com. The untrained monkey squad is clearly taking over!

From: bob@db.org
To: support@godaddy.com
Subject: Re: Update [Incident ID: 8026729] - Support Question
Date: 2009-12-21 20:54 +0100

I've told you what "the exact error" is two times already, but if
you find pictures easier to understand I guess that's my problem.

Please find attached a screenshot showing the "Nameserver not
registered." message in question.

Problem description: I'm getting this message when trying to
change the nameservers for botnegaten.org to A.NS.DB.ORG
and B.NS.DB.ORG.

Is it acceptable to include the problem description in plain text,
or would you prefer I make a screenshot of that too?

Attachment: godaddy.jpg

Wait for it…

From: donotreply@godaddy.com
To: bob@db.org
Subject: Request Received - Incident ID 8026729
Date: 2009-12-21 20:54 +0100

Your question has been received. You should expect a response
within 24 hours.

This is your Incident ID: 8026729

Another fine answer. To bad it’s not an answer to anything I’ve asked..

From: support@godaddy.com
To: bob@db.org
Subject: Update [Incident ID: 8026729] - Support Question
Date: 2009-12-22 04:24 +0100

Dear Bob,

Upon review, neither of the nameservers given are
registered at this time. You would need to register them
and then add them to your domain in order for it to work.

You can setup custom nameservers for your domain
name by using the following instructions.

* Select "Domain Manager" from the gray "My Products"
drop down menu on the left side of the page.
* From the domain name list click the blue link that is
the domain name in question.
* Click the "Edit" link under "Host Summary" on the
lower left hand side of the screen.
* Enter the appropriate Host Names and IP Addresses
for the nameservers you wish to create.
* Click the Orange "OK" link to save the changes.

Note that you must still change the domain name's
nameservers to point a domain name to any custom
nameservers that you create.

To change the nameservers for a domain:

* Check the box to the left of any domain names that you
wish to change the nameservers for.
* Click on the "Nameservers" button in the row of buttons
just above the list of domain names.
* Under the "Custom Nameservers" tab you will be able to
enter the necessary nameservers for the domain name(s).
* Click the orange "OK" button on the right hand side of the
page to save the changes.

Please allow up to 24-48 hours for the changes made to
the domain name(s) to take effect.

Please let us know if we can assist you in any other way.

Sincerely,

Stacey P.
Online Support Team

I’ve heard that given enough monkeys and enough typewriters, eventually one of those monkeys is bound to type out something useful. Clearly this is the strategy used in the GoDaddy support department. Hey guys! You need more monkeys!

From: bob@db.org
To: support@godaddy.com
Subject: Re: Update [Incident ID: 8026729] - Support Question
Date: 2009-12-22 04:47 +0100

I ask once again that you escalate this to someone with a
clue. The procedure you're suggesting will only allow me
to register namservers in the botnegaten.org domain. I'm
trying to use nameservers in a *different* domain.

Once again; I'm trying to use a.ns.db.org and b.ns.db.org
as nameservers for the domain botnegaten.org. Using the
procedure you suggested would allow me to register
a.ns.botnegaten.org and b.ns.botnegaten.org for use as
nameservers, but this is *not* what I'm trying to do!

Either I'm missing some essential peace of information,
or it's not currently possible to preform this operation
using your web-interface.

Please see that this is escalated to someone capable of
understanding the problem!

    Bob

Back to watching paint dry…

http://cc.bingj.com/cache.aspx?d=4879267570255838&mkt=en-CA&setlang=en-US&w=90157511,9ea4ebc5

Update: Microsoft removed it from Bing cache

Just in case they should grow a clue, here’s the description of the technical problem that Microsoft, in its infinite wisdom, decided to correct with lawyers instead of software engineers:

I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=$ORDERID&jfmid=$MERCHANTID&m[0]=
$ITEMID&p[0]=$PRICE&q[0]=$QUANTITY

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID. When a store uses predictable order ID’s (e.g. sequential), a malicious user can “use up” all the future order ID’s, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant. And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings. In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.

RewriteEngine On
RewriteCond %{HTTP_HOST} !^db\.org$ [NC]
RewriteRule ^(.*)$ http://db.org/$1 [R=301,L]

The [NC] flag makes the condition case insensitive. I don’t think I’ve ever seen a HTTP client send the Host: header in anything except lower case, but the relevant standards certainly allow for it.

The R=301 flag tells Apache to make this a permanent redirect. This allows clients to update the links at their end. The L flags tells Apache to stop the rewriting process here and don’t apply any more rewrite rules. This is probably needed if you have additional rewrite rules in your .htaccess file.

The second thing bugging me is the way WordPress does paging. You get a predefined number of posts on the front page, and links to /page/2/, /page/3/ and so on. This holds true for archive, category, tag-cloud and probably others pages as well. The problem with this is that the content on these pages are not stable (it shifts as you post new content) and it duplicates content. I’m still pondering a solution to this…

Denne gangen blir det nok også en lett blanding av Norsk og Engelsk. Norsk for ting som stort sett bare er interessant for de som snakker norsk allikevel, og Engelsk for resten.

Links:

http://db.org/2004/01/11/property-and-technology/
http://english.kakeboksen.org/archives/000310.html

Funny how technology changes things. First you could count your things, and if something was missing, someone had stolen it. Simple.

Later, you could count other peoples things, and if they had something that was exactly what you had, then they had stolen it.

Now you look at peoples things, and if they have a map to where your stuff is, they have stolen it.

“Each item in the following list was suggested by the words or actions of people who presented themselves to the IETF or elsewhere as having discovered the FUSSP. Some of the items may seem obscure to those who have not dealt with the IETF.”

http://www.rhyolite.com/anti-spam/you-might-be.html

This list should be required reading for anyone who think they have the “final solution” to spam.

The db.org mail server at 195.159.29.203 and 195.159.29.204 has been used as a spam relay from approximately 2003/11/25 19:00 UTC until approximately 2003/11/26 03:45 UTC (a total of a little under 9 hours). The problem has now been corrected, and no further spam should originate from this server. This page will be continuously updated as more information about the attack is uncovered. I (Bob Johannessen, postmaster@db.org) would like to apologise for any inconvenience this has caused.

The problem

The problem seems to have been with the password checker used for SMTP AUTH. The password checker used a different protocol from the SMTP daemon, and the brain dead password checker defaulted to “allow” when it didn’t understand its input data. This resulted in anyone trying to authenticate with AUTH LOGIN, using any combination of username and password, was allowed to relay mail.

The volume

Based on the queue sequence number of the first undeliverable message and that of the the last message, the total volume is estimated at about 14.000 messages. Of these 11.000 was already delivered when the problem was identified. The remaining 3.000 messages was removed from the queue. Total damage is therefore approximately 11.000 messages.

The attacker

The approximately 3.000 messages in the queue when the attack was identified originated from the following addresses.

• 200.141.157.222 (RN141157222.user.veloxzone.com.br)
• 200.141.161.171 (PE161171.user.veloxzone.com.br)
• 200.158.237.63 (200-158-237-63.dsl.telesp.net.br)
• 200.164.136.170 (CE136170.user.veloxzone.com.br)
• 200.164.143.239 (CE143239.user.veloxzone.com.br)
• 200.164.143.5 (CE143005.user.veloxzone.com.br)
• 200.164.144.148 (CE144148.user.veloxzone.com.br)
• 200.164.144.236 (CE144236.user.veloxzone.com.br)
• 200.164.18.239 (BA018239.user.veloxzone.com.br)
• 200.164.244.135 (PE244135.user.veloxzone.com.br)
• 200.164.244.69 (PE244069.user.veloxzone.com.br)
• 200.165.112.248 (AL165112248.user.veloxzone.com.br)
• 200.165.16.151 (MG016151.user.veloxzone.com.br)
• 200.165.172.202 (172202.telemar.net.br)
• 200.165.193.64 (RJ193064.user.veloxzone.com.br)
• 200.95.11.213 (dsl-200-95-11-213.prod-infinitum.com.mx)
• 200.95.117.1 (dsl-200-95-117-1.prod-infinitum.com.mx)
• 200.95.119.11 (dsl-200-95-119-11.prod-infinitum.com.mx)
• 200.95.124.65 (dup-200-95-124-65.prod-infinitum.com.mx)
• 200.95.127.124 (dup-200-95-127-124.prod-infinitum.com.mx)
• 200.95.17.208 (dsl-200-95-17-208.prod-infinitum.com.mx)
• 200.95.46.247 (dsl-200-95-46-247.prod-infinitum.com.mx)
• 200.95.48.215 (dsl-200-95-48-215.prod-infinitum.com.mx)
• 200.95.72.214 (dsl-200-95-72-214.prod-infinitum.com.mx)
• 200.95.72.49 (dsl-200-95-72-49.prod-infinitum.com.mx)
• 200.95.73.201 (dsl-200-95-73-201.prod-infinitum.com.mx)
• 200.95.77.157 (dsl-200-95-77-157.prod-infinitum.com.mx)
• 200.95.82.253 (dsl-200-95-82-253.prod-infinitum.com.mx)
• 200.95.90.251 (dsl-200-95-90-251.prod-infinitum.com.mx)
• 218.72.11.98 (no reverse, whois@apnic.net points to chinanet.cn.net)
• 61.11.35.180 (no reverse, whois@apnic.net points to ddsl.net and directs abuse complaints to abuse@eth.net)

A US tourist’s trip through Bavaria ended with an unexpected visit to a supermarket when his car’s navigation system led him straight through the store’s doors. He depended entirely on the navigation system and did not notice approaching the supermarket until entering it.

Am I the only one who think the car’s navigation system is totally irrelevant to this story? I mean, if you think you can drive through a city without looking out the window, should you really be allowed to drive at all?