Planet 2014-09-02 11:00 UTC

helping out with VC4 via Planet FreeBSD | 2014-09-02 00:19 UTC

I've had a couple of questions about whether there's a way for others to contribute to the VC4 driver project.  There is!  I haven't posted about it before because things aren't as ready as I'd like for others to do development (it has a tendency to lock up, and the X implementation isn't really ready yet so you don't get to see your results), but that shouldn't actually stop anyone.

To get your environment set up, build the kernel ( vc4 branch), Mesa (git:// with --with-gallium-drivers=vc4, and piglit (git://  For working on the Pi, I highly recommend having a serial cable and doing NFS root so that you don't have to write things to slow, unreliable SD cards.

You can run an existing piglit test that should work, to check your environment: env PIGLIT_PLATFORM=gbm VC4_DEBUG=qir ./bin/shader_runner tests/shaders/glsl-algebraic-add-add-1.shader_test -auto -fbo -- you should see a dump of the IR for this shader, and a pass report.  The kernel will make some noise about how it's rendered a frame.

Now the actual work:  I've left some of the TGSI opcodes unfinished (SCS, DST, DPH, and XPD, for example), so the driver just aborts when a shader tries to use them.  How they work is described in src/gallium/docs/source/tgsi.rst. The TGSI-to_QIR code is in vc4_program.c (where you'll find all the opcodes that are implemented currently), and vc4_qir.h has all the opcodes that are available to you and helpers for generating them.  Once it's in QIR (which I think should have all the opcodes you need for this work), vc4_qpu_emit.c will turn the QIR into actual QPU code like you find described in the chip specs.

You can dump the shaders being generated by the driver using VC4_DEBUG=tgsi,qir,qpu in the environment (that gets you 3/4 stages of code dumped -- at times you might want some subset of that just to quiet things down).

Since we've still got a lot of GPU hangs, and I don't have reset wokring, you can't even complete a piglit run to find all the problems or to test your changes to see if your changes are good.  What I can offer currently is that you could run PIGLIT_PLATFORM=gbm VC4_DEBUG=norast ./ tests/ results/vc4-norast; --overwrite summary/mysum results/vc4-norast will get you a list of all the tests (which mostly failed, since we didn't render anything), some of which will have assertion failed.  Now that you have which tests were assertion failing from the opcode you worked on, you can run them manually, like PIGLIT_PLATFORM=gbm /home/anholt/src/piglit/bin/shader_runner /home/anholt/src/piglit/generated_tests/spec/glsl-1.10/execution/built-in-functions/vs-asin-vec4.shader_test -auto (copy-and-pasted from the results) or PIGLIT_PLATFORM=gbm PIGLIT_TEST="XPD test 2 (same src and dst arg)" ./bin/glean -o -v -v -v -t +vertProg1 --quick (also copy and pasted from the results, but note that you need the other env var for glean to pick out the subtest to run).

Other things you might want eventually: I do my development using cross-builds instead of on the Pi, install to a prefix in my homedir, then rsync that into my NFS root and use LD_LIBRARY_PATH/LIBGL_DRIVERS_PATH on the Pi to point my tests at the driver in the homedir prefix.  Cross-builds were a *huge* pain to set up (debian's multiarch doesn't ship the .so symlink with the libary, and the -dev packages that do install them don't install simultaneously for multiple arches), but it's worth it in the end.  If you look into cross-build, what I'm using is rpi-tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin/arm-linux-gnueabihf-gcc and you'll want --enable-malloc0returnsnull if you cross-build a bunch of X-related packages.

Fun With Funny Money Brian Krebs | 2014-09-01 23:00 UTC

Readers or “fans” of this blog have sent some pretty crazy stuff to my front door over the past few years, including a gram of heroin, a giant bag of feces, an enormous cross-shaped funeral arrangement, and a heavily armed police force. Last week, someone sent me a far less menacing package: an envelope full of cash. Granted, all of the cash turned out to be counterfeit money, but hey it’s the thought that counts, right?

Counterfeit $100s and $50s

Counterfeit $100s and $50s

This latest “donation” to Krebs On Security arrived via USPS Priority Mail, just days after I’d written about counterfeit cash sold online by a shadowy figure known only as “MrMouse.” These counterfeits had previously been offered on “dark web” — sites only accessible using special software such as Tor — but I wrote about MrMouse’s funny money because he’d started selling it openly on Reddit, as well as on a half-dozen hacker forums that are quite reachable on the regular Internet.

Sure enough, the package contained the minimum order that MrMouse allows: $500, split up into four fake $100s and two phony $50 bills — all with different serial numbers. I have no idea who sent the bogus bills; perhaps it was MrMouse himself, hoping I’d write a review of his offering. After all, since my story about his service was picked up by multiple media outlets, he’s changed his sales thread on several crime forums to read, “As seen on KrebsOnSecurity, Business Insider and Ars Technica…”

Anyhow, it’s not every day that I get a firsthand look at counterfeit cash, so for better for worse, I decided it would be a shame not to write about it. Since I was preparing to turn the entire package over to the local cops, I was careful to handle the cash sparingly and only with gloves. At first glance, the cash does look and feel like the real thing. Closer inspection, however, reveals that these bills are fakes.

In the video below, I run the fake bills through two basic tests designed to determine the authenticity of U.S. currency: The counterfeit pen test, and ultraviolet light. As we’ll see in the video, the $50 bills shipped in this package sort of failed the pen test (the fake $100 more or less passed). However, both the $50s and $100s completely flopped on the ultraviolet test. It’s too bad more businesses don’t check bills with a cheapo ultraviolet light: the pen test apparently can be defeated easily (by using acid-free paper or by bleaching real bills and using them as a starting point).

Let’s check out the bogus Benjamins. In the image below, we can see a pretty big difference in the watermarks on both bills. The legitimate $100 bill — shown at the bottom of the picture — has a very defined image of Benjamin Franklin as a watermark. In contrast, the fake $100 up top has a much less detailed watermark. Still, without comparing the fake and the real $100 side by side, this deficiency probably would be difficult to spot for the untrained eye.

The fake $100 (above) has a much less defined Ben Franklin as a watermark.

The fake $100 (top) has a much less defined Ben Franklin for a watermark. The color difference between these two bills is negligible, but the legitimate $100 appears darker here because it was closer to  the light source behind the bills when this photo was taken.

Granted, hardly any merchants are going to put a customer’s cash under a microscope before deciding whether to accept it as legal tender, but I wanted to have a look because I wasn’t sure when I’d have the opportunity to do so again. One security feature of the $20s, $50s and $100s is the use of “color shifting” ink, which makes the denomination noted in the lower right corner of the bill appear to shift in color from green to black when the bill is tilted at different angles. The fake cash pictured here does a so-so job mimicking that color-shifting feature, but upon closer inspection using a cheap $50 Celestron handheld digital microscope, we can see distinct differences.

Again, using a microscope to inspect cash for counterfeits is impractical for regular businesses in detecting bogus bills, but it nevertheless reveals interesting dissimilarities  between real and fake money. Most of those differences come down to the definition and clarity of markings and lettering. For instance, embedded in the bottom of the portraits of Grant and Franklin on the $50 and $100 bills, respectively, is the same message in super-fine print: “The United States of America.” As we can see in the video below, that message also is present in the counterfeits, but it’s quite a bit less clear in the funny money.

In some cases, entire areas of the real bills are completely absent in the counterfeits. Take a close look at the area of the $50 just to the left of Gen. Grant’s ear and you will see a blob of text that repeats the phrase “USA FIFTY” several times. The image on the left shows a closeup of the legitimate $50, while the snapshot on the right reveals how the phony bill completely lacks this feature.



Similarly, the “100″ in the lower left hand corner of the $100 bill is filled in with the words “USA 100,” as we can see in the close-up of a real $100, pictured below left. Magnification of the same area on the phony $100 note (right) shows that this area is filled with nothing more than dots.



Like most counterfeit currency, these bills look and feel fairly real on casual inspection, but they’d quickly be revealed as fakes to anyone with a $9 ultraviolet pen light or a simple magnifying glass.

If someone sticks you with a counterfeit bill, don’t try and pass it off on someone else; the penalties for passing counterfeit currency with intent to defraud are severe (steep fines and up to 15 years in prison). Instead, contact your local police department or the nearest U.S. Secret Service field office and hand it over to them.

The ports tree has been modified to only support pkg(8) as package management system for all supported version of FreeBSD.

if you were still using pkg_install (pkg_* tools) you will have to upgrade your system.

The simplest way is

cd /usr/ports/ports-mgmt/pkg
make install

then run


You will have lots of warning, don’t be scared, they are expected, pkg_*  databases used to get easily mangled. pkg2ng is most of the time able to deal
with it.

If however you encounter a problem then please report to

A tag has been applied to the ports tree if you need to get the latest ports tree before the EOL of pkg_install:

A branch has been created if some committers want to provides updates on the for pkg_install users:

Please note that this branch is not officially maintained and that we strongly recommend that you do migrate to pkg(8)

The ports tree is now fully staged (only 2% has been left unstaged, marked as broken and will be removed from the ports tree if no PR to stage them are pending in bugzilla).

I would like to thank every committer and maintainers for their work on staging!
It allowed us to convert more than 23k packages to support stage in only 11 months!

Staging is a very important state, it allows us to right now be able to run quality testing scripts on the packages (which already allowed to fix tons of hidden problems) and it allows use to be able to build packages as a regular user!

It also opens the gates to new features that users have been requesting for many years:

  • flavors
  • multiple packages

Expect those features to happen in the near future.

Ab und zu erschrecke ich doch was Cisco-Mitarbeiter so verzapfen. Jetzt hat gerade einer in der Cisco Support-Community ein Dokument zur Konfiguration von SSH auf der ASA veröffentlicht. Und da liest man z.B., dass die Keysize von 1024 Bit benutzen werden soll. Und nichts weiter zu heutigen “Best Practices” der SSH-Konfig. Grund genug eine in meinen Augen “anständige” SSH-Konfig für IOS-Geräte und die ASA zu zeigen:

Cisco IOS
Es geht damit los, ein RSA-Keypair zu generieren, das nur für den SSH-Prozess verwendet wird. Dafür wird dem Keypair ein Label mitgegeben:

crypto key generate rsa label SSH-KEY modulus 4096

Etwas Gedanken sollte man sich über die Keylänge machen. Länger bedeutet zum einen sicherer, aber auch langsamer. Allerdings nicht so langsam, dass es nicht benutzbar wäre. Eigentlich wäre die Entscheidung damit einfach. Jetzt wurde mir berichtet, dass die aktuelle Version von Putty mit 4096 Bit Keys nicht klar kommt. Sowohl SecureCRT, als auch SSH unter Mac OS und Linux klappt aber.

Das RSA-Keypair wird der SSH-Konfig zugewiesen:

ip ssh rsa keypair-name SSH-KEY

Nur SSHv2 erlauben:

ip ssh version 2

Beim Verbindungsaufbau werden die Session-Keys per Diffie-Helman erzeugt. Das läuft standardmäßig mit der Gruppe 1 (768 Bit), was nicht mehr state-of-the-art ist. Daher wird eine höhere DH-Gruppe konfiguriert. Aus Kompatibilitätsgründen könnte man hier auch wieder mit 2048 Bit arbeiten.

ip ssh dh min size 4096

Login-Vorgänge sollten protokolliert werden:

ip ssh logging events

Als letztes wird auf der VTY-Line nur SSH erlaubt. Telnet ist damit abgeschaltet.

line vty 0 4
  transport input ssh

Was könnte man sonst noch für SSH konfigurieren: Ab und an kommt der Wunsch auf, für SSH nicht den Port TCP/22 zu verwenden. Das erhöht zwar nicht unbedingt die Sicherheit, sorgt aber dafür, dass die Logs etwas kleiner bleiben wenn SSH vom Internet aus erreichbar ist:

ip ssh port 7890 rotary 1
line vty 0 4
  rotary 1

Wenn der Zugriff über ein Interface erfolgt, auf dem eine eingehende ACL konfiguriert ist, dann muss in dieser die Kommunikation natürlich auch erlaubt werden.

Weitere Schutzmechanismen über die nachgedacht werden können sind Control-Plane-Protection und Management-Plane-Protection wenn out-of-band Management verwendet wird. Wenn der SSH-Zugriff nicht von “any” benötigt wird, dann sollte für die Lines natürlich auch eine Access-Class konfiguriert werden. Aber auch das ist nicht SSH-spezifisch.

Cisco ASA
Für die ASA gilt so ziemlich das oben genannte, nur das die SSH-Konfiguration nicht so umfangreich angepasst werden kann. Weiterhin ist die Syntax teilweise anders:

crypto key generate rsa modulus 4096
ssh version 2
ssh key-exchange group dh-group14-sha1

Auch muss der SSH-Zugriff auf der ASA explizit für die Management-IPs erlaubt werden:

ssh inside
ssh outside

If you do daily management on Unix/Linux systems, then checking the return code of a command is something you’ll do often. If you do SELinux development, you might not even notice that a command has failed without checking its return code, as policies might prevent the application from showing any output.

To make sure I don’t miss out on application failures, I wanted to add the return code of the last executed command to my PS1 (i.e. the prompt displayed on my terminal).
I wasn’t able to add it to the prompt easily – in fact, I had to use a bash feature called the prompt command.

When the PROMPT_COMMMAND variable is defined, then bash will execute its content (which I declare as a function) to generate the prompt. Inside the function, I obtain the return code of the last command ($?) and then add it to the PS1 variable. This results in the following code snippet inside my ~/.bashrc:

export PROMPT_COMMAND=__gen_ps1
function __gen_ps1() {
  local EXITCODE="$?";
  # Enable colors for ls, etc.  Prefer ~/.dir_colors #64489
  if type -P dircolors >/dev/null ; then
    if [[ -f ~/.dir_colors ]] ; then
      eval $(dircolors -b ~/.dir_colors)
    elif [[ -f /etc/DIR_COLORS ]] ; then
      eval $(dircolors -b /etc/DIR_COLORS)
  if [[ ${EUID} == 0 ]] ; then
    PS1="RC=${EXITCODE} \[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] "
    PS1="RC=${EXITCODE} \[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] "

With it, my prompt now nicely shows the return code of the last executed command. Neat.

Edit: Sean Patrick Santos showed me my utter failure in that this can be accomplished with the PS1 variable immediately, without using the overhead of the PROMPT_COMMAND. Just make sure to properly escape the $ sign which I of course forgot in my late-night experiments :-(.

Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.

Update, Aug. 28, 12:08 p.m. ET: A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions. Dairy Queen says it is still investigating and working with authorities, and does not yet know how many stores may be impacted.

Original story:

dqI first began hearing reports of a possible card breach at Dairy Queen at least two weeks ago, but could find no corroborating signs of it — either by lurking in shadowy online “card shops” or from talking with sources in the banking industry. Over the past few days, however, I’ve heard from multiple financial institutions that say they’re dealing with a pattern of fraud on cards that were all recently used at various Dairy Queen locations in several states. There are also indications that these same cards are being sold in the cybercrime underground.

The latest report in the trenches came from a credit union in the Midwestern United States. The person in charge of fraud prevention at this credit union reached out wanting to know if I’d heard of a breach at Dairy Queen, stating that the financial institution had detected fraud on cards that had all been recently used at a half-dozen Dairy Queen locations in and around its home state.

According to the credit union, more than 50 customers had been victimized by a blizzard of card fraud just in the past few days alone after using their credit and debit cards at Dairy Queen locations — some as far away as Florida — and the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014.

“We’re getting slammed today,” the fraud manager said Tuesday morning of fraud activity tracing back to member cards used at various Dairy Queen locations in the past three weeks. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”

Other financial institutions contacted by this reporter have seen recent fraud on cards that were all used at Dairy Queen locations in Florida and several other states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas.

On Friday, Aug. 22, KrebsOnSecurity spoke with Dean Peters, director of communications for the Minneapolis-based fast food chain. Peters said the company had heard no reports of card fraud at individual DQ locations, but he stressed that nearly all of Dairy Queen stores were independently owned and operated. When asked whether DQ had any sort of requirement that its franchisees notify the company in the event of a security breach or problem with their card processing systems, Peters said no.

“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees that they have had any kind of breach.”

Julie Conroy, research director at the advisory firm Aite Group, said nationwide companies like Dairy Queen should absolutely have breach notification policies in place for franchisees, if for no other reason than to protect the integrity of the company’s brand and public image.

“Without question this is a brand protection issue,” Conroy said. “This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”


The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.

The DHS/Secret Service advisory.

The DHS/Secret Service advisory.

Rumblings of a card breach involving at least some fraction of Dairy Queen’s 4,500 domestic, independently-run stores come amid increasingly vocal warnings from the U.S. Department of Homeland Security and the Secret Service, which last week said that more than 1,000 American businesses had been hit by malicious software designed to steal credit card data from cash register systems.

In that alert, the agencies warned that hackers have been scanning networks for point-of-sale systems with remote access capabilities (think LogMeIn and pcAnywhere), and then installing malware on POS devices protected by weak and easily guessed passwords.  The alert noted that at least seven point-of-sale vendors/providers confirmed they have had multiple clients affected.

Around the time that the Secret Service alert went out, UPS Stores, a subsidiary of the United Parcel Service, said that it scanned its systems for signs of the malware described in the alert and found security breaches that may have led to the theft of customer credit and debit data at 51 UPS franchises across the United States (about 1 percent of its 4,470 franchised center locations throughout the United States). Incidentally, the way UPS handled that breach disclosure — clearly calling out the individual stores affected — should stand as a model for other companies struggling with similar breaches.

In June, I wrote about a rash of card breaches involving car washes around the nation. The investigators I spoke with in reporting that story said all of the breached locations had one thing in common: They were all relying on point-of-sale systems that had remote access with weak passwords enabled.

My guess is that some Dairy Queen locations owned and operated by a particular franchisee group that runs multiple stores has experienced a breach, and that this incident is limited to a fraction of the total Dairy Queen locations nationwide. Unfortunately, without better and more timely reporting from individual franchises to the DQ HQ, it may be a while yet before we find out the whole story. In the meantime, DQ franchises that haven’t experienced a card breach may see their sales suffer as a result.


geodumpsLast week, this publication received a tip that a well-established fraud shop in the cybercrime underground had begun offering a new batch of stolen cards that was indexed for sale by U.S. state. The type of card data primarily sold by this shop — known as “dumps” — allows buyers to create counterfeit copies of the cards so that they can be used to buy goods (gift cards and other easily-resold merchandise) from big box retailers, dollar stores and grocers.

Increasingly, fraudsters who purchase stolen card data are demanding that cards for sale be “geolocated” or geographically indexed according to the U.S. state in which the compromised business is located. Many banks will block suspicious out-of-state card-present transactions (especially if this is unusual activity for the cardholder in question). As a result, fraudsters tend to prefer purchasing cards that were stolen from people who live near them.

This was an innovation made popular by the core group of cybercrooks responsible for selling cards stolen in the Dec. 2013 breach at Target Corp, which involved some 40 million compromised credit and debit cards. The same fraudsters would repeat and refine that innovation in selling tens of thousands of cards stolen in February 2014 from nationwide beauty products chain Sally Beauty.

This particular dumps shop pictured to the right appears to be run by a completely separate fraud group than the gang that hit Target and Sally Beauty. Nevertheless, just this month it added its first new batch of cards that is searchable by U.S. state. Two different financial institutions contacted by KrebsOnSecurity said the cards they acquired from this shop under this new “geo” batch name all had been used recently at different Dairy Queen locations.

The first batch of state-searchable cards at this particular card shop appears to have first gone on sale on Aug. 11, and included slightly more than 1,000 cards. The second batch debuted a week later and introduced more than twice as many stolen cards. A third bunch of more than 5,000 cards from this batch went up for sale early this morning.

An ad in the shop pimping a new batch of geo-located cards apparently stolen from Dairy Queen locations.

An ad in the shop pimping a new batch of geo-located cards apparently stolen from Dairy Queen locations.

The Internet Protocol Security (IPsec) suite is used to implement virtual private networks on FreeBSD and other operating systems. As the networking world continues its transition from 1 to 10, to 40 gigabit per second speeds, and faster, improvements in IPsec’s cryptographic building blocks are necessary to keep pace. The FreeBSD Foundation is pleased to announce that long-time FreeBSD developer John-Mark Gurney is adding modern AES modes to FreeBSD’s cryptographic framework and IPsec. This project is co-sponsored by the FreeBSD Foundation and Netgate, a leading vendor of BSD-based firewalls and networking gear.

The project adds new encryption modes while also importing infrastructure updates from OpenBSD giving FreeBSD users unprecedented support for high performance, encrypted communications.  New modes include AES-CTR and AES-GCM with hardware acceleration using Intel’s AES-NI instructions. According to John-Mark, “on a modern 64-bit x86 CPU one core can process about 1 gigabyte per second of data” using the new AES-GCM mode.

Concurrent with this project, FreeBSD committer and pfSense employee Ermal Luçi will update the FreeBSD IPsec stack to take advantage of the new cryptographic modes.

Jim Thompson, a co-owner of both Netgate and ESF (the company behind pfSense), said “We are pleased to contribute to this project.  Our interest in high-performance IPsec is obvious, however we also recognize the importance of contributing this capability to the FreeBSD project. Not only because our own software is based on FreeBSD, but for the benefit it brings to the entire community.  We plan to have AES-GCM support for IPsec with AES-NI acceleration available in the 2.2 release of pfSense software.”

The project is currently in progress, with a planned completion at the end of September 2014.

Another month has passed, so we had another online meeting to discuss the progress within Gentoo Hardened.

Lead elections

The yearly lead elections within Gentoo Hardened were up again. Zorry (Magnus Granberg) was re-elected as project lead so doesn’t need to update his LinkedIn profile yet ;-)


blueness (Anthony G. Basile) has been working on the uclibc stages for some time. Due to the configurable nature of these setups, many /etc/portage files were provided as part of the stages, which shouldn’t happen. Work is on the way to update this accordingly.

For the musl setup, blueness is also rebuilding the stages to use a symbolic link to the dynamic linker (/lib/ as recommended by the musl maintainers.

Kernel and grsecurity with PaX

A bug has been submitted which shows that large binary files (in the bug, a chrome binary with debug information is shown to be more than 2 Gb in size) cannot be pax-mark’ed, with paxctl informing the user that the file is too big. The problem is when the PAX marks are in ELF (as the application mmaps the binary) – users of extended attributes based PaX markings do not have this problem. blueness is working on making things a bit more intelligent, and to fix this.


I have been making a few changes to the SELinux setup:

  • The live ebuilds (those with version 9999 which use the repository policy rather than snapshots of the policies) are now being used as “master” in case of releases: the ebuilds can just be copied to the right version to support the releases. The release script inside the repository is adjusted to reflect this as well.
  • The SELinux eclass now supports two variables, SELINUX_GIT_REPO and SELINUX_GIT_BRANCH, which allows users to use their own repository, and developers to work in specific branches together. By setting the right value in the users’ make.conf switching policy repositories or branches is now a breeze.
  • Another change in the SELinux eclass is that, after the installation of SELinux policies, we will check the reverse dependencies of the policy package and relabel the files of these packages. This allows us to only have RDEPEND dependencies towards the SELinux policy packages (if the application itself does not otherwise link with libselinux), making the dependency tree within the package manager more correct. We still need to update these packages to drop the DEPEND dependency, which is something we will focus on in the next few months.
  • In order to support improved cooperation between SELinux developers in the Gentoo Hardened team – perfinion (Jason Zaman) is in the queue for becoming a new developer in our mids – a coding style for SELinux policies is being drafted up. This is of course based on the coding style of the reference policy, but with some Gentoo specific improvements and more clarifications.
  • perfinion has been working on improving the SELinux support in OpenRC (release 0.13 and higher), making some of the additions that we had to make in the past – such as the selinux_gentoo init script – obsolete.

The meeting also discussed a few bugs in more detail, but if you really want to know, just hang on and wait for the IRC logs ;-) Other usual sections (system integrity and profiles) did not have any notable topics to describe.

Some time ago I discovered the video series "Tropes vs Women in Video Games" created by Anita Sarkeesian. I found these videos very interesting as they show in an entertaining way how women are depicted in pop culture in general and in video games specifically.

Unfortunately, Anita has faced online harassments since the start of the Kickstarter campaign for Tropes vs Women in Video Games. It seems like some persons feel threatened by someone who just wants to expose how the entertainment industry presents women in movies and video games (the "damsel in distress" trope is the most common trope, that probably everyone has seen in a movie or game). To make it very clear: Anita does not campaign for any video games to be abolished. She just shows, how many (or even most) video games present a distorted image of women. Obviously, the gaming industry suffers itself from this fact, because many gamers (regardless of gender) are annoyed by the lack of strong female characters in most video games. In acknowledgement of her work, Anita has received the 2014 Game Developers Choice Ambassador Award.

During the last days, a yet unknown person harassed Anita on Twitter in an unprecedented way: The person not just insulted her but actually threatened to murder her and her family. The reactions to these threats are nearly as disturbing as the threats themselves: In the discussion boards of Heise Online (German only), many people argue that there is no systematic discrimination of women in the IT industry. However, even if one ignores the current example (and argues that Anita is not part of this industry), women are obviously discriminated in our industry: I recommend reading an interesting article written by the founder of a Silicon Valley based startup trying to find investors: Many of those investors are more interested in her than in her business and it is more routine than exception that they hit on her - even when she shows clearly that she is not interested.

We should all reflect on how we treat women in our industry and people like Anita Sarkeesian help us in doing so. Therefore, today I donated some money to her project "Feminist Frequency". I had already planned this for a long time, but the most recent events made sure that I did not wait any longer. When, if not in this troubling times, is the right time to show support? I can only ask everyone in the IT industry to also think about how we treat women and to support those that are courageous and speak up.

Will Backman has just posted his interview with Ken Moore about the new Lumina desktop environment on the bsdtalk website.  The podcast is only 28 minutes long and goes into some of the history/motivation/philosophy of the project.

Wegen der anfänglichen Internetfixiertheit (frühe Firmware spielte nur Medien ab, deren URLs im Internet zugänglich waren) hält sich hartnäckig das Gerücht, dass die Chromecast nicht fürs lokale Medienstreaming geeignet ist. Des Gegenteils kann man sich leicht überzeugen. Einfach eine MKV-Datei mit h.264 Video und MP3 auf dem heimischen Webserver ablegen, dafür sorgen, dass diese Datei mit dem Mime-Type “video/mp4″ ausgeliefert wird, dann die minimale Demo-App auf dem Webserver ausrollen und die Seite in Chrome ansteuern. Nun können “Big Buck Bunny” und Co. auf die Chromecast gestreamt werden. Netterweise hat die Demo-App ein Eingabefeld, in das man die URL des oben erwähnten MKV eintragen kann – et voilá: Chromecast spielt lokale Dateien!

Um das ganze etwas komfortabler zu machen habe ich auf Basis der zweiten Demo-App, die einen Player mitbringt, etwas gescriptet: Zunächst ein Ruby-Script, welches eine Verzeichnisstruktur nach .mkv und .mp4 durchsucht und daraus ein (statisches) HTML baut. Dazu den Javascript-Code so angepasst, dass er geklickte Links ausliest und fertig ist das simple Webfrontend um Videos von NAS oder Heimserver zur Chromecast zu schicken.

Wer sich für die Scripte interessiert, findet sie hier:

Wer helfen möchte: Am meisten würde ich mich über durchdachte Mockups für die Überarbeitung der Oberfläche freuen!

PS: Nach Schmökern in der Doku ist klar, dass auch MPEG2-TS geht. Damit muss ich mal schauen, wie ich Live-Streams des TVheadend zur Chromecast bekomme.

Erfahrene Geeks werden es kennen, Schmalspur-Geeks, wie ich es einer bin, vielleicht nicht.

Was macht man da?

Wenn man es gefunden hat, dokumentieren zum wiederfinden im eigenen Blog :-)

Worum geht es?

Eigentlich ein verbreitetes Problem beim scripten mit bash.

Man hat einen String, Dateinamen, Pfadnamen oder ähnlich und muss ihn verändern, durchsuchen, splitten usw.

Dass das mit Builtin Funktionen mit Bash geht, zeige ich im Beispiel Script.

Da der Syntax Highlighter (aber auch das nackte pre Tag nicht mit dem << Here Dokument) klar kommt,

habe ich das kleine Beispiel Script mal hochgeladen.

An interview with Ken Moore about the Lumina Desktop Environment.

File Info: 28Min, 14MB.

Ogg Link:

This is why I don’t need Google:

“I don’t need Google, my wife knows everything!” T-Shirt

I found this T-Shirt in the old part of Rhodos city, while descending the Socrates road. I bought it off course. :-)


As we are getting ready for PC-BSD 10.0.3, I wanted to share a little preview of what to expect with the Lumina desktop environment as you move from version 0.4.0 to 0.6.2.

To give you a quick summary, pretty much everything has been updated/refined, with several new utilities written specifically for Lumina. The major new utility is the “Insight” file manager: with ZFS snapshot integration, multimedia player, and image slideshow viewer capabilities built right in by default. It also has a new snapshot utility and the desktop configuration utility has been completely rewritten. I am going to be listing more details about all the updates between the versions below, but for those of you who are not interested in the details, you can just take a look at some screenshots instead.…  :-)










(Moving from 0.4.0 to 0.6.2)

- A desktop plugin system has been implemented, with two plugins available at the moment (a calandar plugin, and an application launcher plugin).
– The panel plugin system has been refined quite a bit, with transparency support for the panel itself and automatic plugin resizing for example.
– A new panel plugin has been added: the system dashboard. This plugin allows control over the audio volume, screen brightness, and current workspace, while also displaying the current battery status (if applicable) and containing a button to let the user log out (or shutdown/restart the system).
– The user button panel plugin has been re-implemented as well, and incorporating the functionality of the desktopbar plugin. Now the user has quick access to files/application in the ~/Desktop folder, as well as the ability to add/remove shortcuts to system applications in the desktop folder with one click.
– New backgrounds wallpapers and project logo (courtesy of iXsystems).

NOTE: Users of the older versions of the Lumina desktop will have their configuration files returned to the defaults after logging in to the new version for the first time.

The new file manager (lumina-fm, also called “Insight”):
– Browse the system and allow the bookmarking of favorite directories
– Simple multimedia player to allow playing/previewing multimedia files
– Image slideshow viewer for previewing image files
– Full ZFS file/directory restore functionality if ZFS snapshots are available
– Menu shortcuts to quickly browse attached/mounted devices
– Tabbing support for browsing multiple directories at once
– Standard file/directory management (copy/paste/delete/create)
– Supported multimedia and image formats are auto-detected on start, so if a particular file is not recognized, you just need to install the appropriate library or plugin on your system to provide support (none required by default).

The new screenshot utility (lumina-screenshot):
– Simple utility to create/save screenshots on the system.
– Can capture the entire system, or individual windows.
– Can delay the image capture for a few seconds as necessary
– Automatically assigned to the “Print Screen” keyboard shortcut by default, but also listed in the application registry under utilities.

The configuration utility (lumina-config):
– Competely new implementation
– Configure desktop appearance (background image, add desktop plugins)
– Configure panels (location, color/transparency, size, manage plugins, up to 2 panels supported per screen)
– Configure right-click menu plugins
– Manage/set global keyboard shortcuts (including shortcuts for adjusting audio volume or screen brightness)
– Manage/set default applications for the system by categories or individually
– Manage session options (enable numlock on log in, play audio chimes)
– Manage/set applications/files to be launched on log in
– Manage window system options (appearance, mouse focus policy, window placement policy, number of workspaces)

The application/file opener utility (lumina-open):
– Update the overall appearance of the application selector window.
– Fully support registered mime-types on the system now, and recommend those applications as appropriate.

An upcoming release of libvirt, 1.2.8 that should be released early September, will include an initial support of managing ZFS volumes.

That means that it's possible to boot VMs and use ZFS volumes as disks. Additionally, it allows to control volumes using the libvirt API. Currently, supported operations are:

  • list volumes in a pool
  • create and delete volumes
  • upload and download volumes

It's not possible to create and delete pools yet, hope to implement that in the next release.

Defining a pool

Assume we have some pools and want to use one of them in libvirt:

# zpool list
filepool 1,98G 56,5K 1,98G 0% - 0% 1.00x ONLINE -
test 186G 7,81G 178G 0% - 4% 1.00x ONLINE -

Let's take filepool and define it with libvirt. This could be done using this virsh command:

virsh # pool-define-as --name zfsfilepool --source-name filepool --type zfs
Pool zfsfilepool defined

virsh # pool-start zfsfilepool
Pool zfsfilepool started

virsh # pool-info zfsfilepool
Name: zfsfilepool
UUID: 5d1a33a9-d8b5-43d8-bebe-c585e9450176
State: running
Persistent: yes
Autostart: no
Capacity: 1,98 GiB
Allocation: 56,50 KiB
Available: 1,98 GiB

virsh #

As you can see, we specify a type of the pool, its source name, such as seen in zpool list output and a name for it in libvirt. We also need to start it using the pool-start command.

Managing volumes

Let's create a couple of volumes in our new pool.

virsh # vol-create-as --pool zfsfilepool --name vol1 --capacity 1G
Vol vol1 created

virsh # vol-create-as --pool zfsfilepool --name vol2 --capacity 700M
Vol vol2 created

virsh # vol-list zfsfilepool
Name Path
vol1 /dev/zvol/filepool/vol1
vol2 /dev/zvol/filepool/vol2

virsh #

Dropping a volume is also easy:

virsh # vol-delete --pool zfsfilepool vol2
Vol vol2 deleted

Uploading and downloading data

Let's upload an image to our new volume:

virsh # vol-upload --pool zfsfilepool --vol vol1 --file /home/novel/FreeBSD-10.0-RELEASE-amd64-memstick.img 

... and download

virsh # vol-download --pool zfsfilepool --vol vol1 --file /home/novel/zfsfilepool_vol1.img

Note: if you would check e.g. md5 sum of the downloaded files, the result would be different as downloaded file will be of the same size as a volume. However, if you trim zeros, it'll be the same.

$ md5 FreeBSD-10.0-RELEASE-amd64-memstick.img zfsfilepool_vol1.img 
MD5 (FreeBSD-10.0-RELEASE-amd64-memstick.img) = e8e7cbd41b80457957bd7981452ecf5c
MD5 (zfsfilepool_vol1.img) = a77c3b434b01a57ec091826f81ebbb97
$ truncate -r FreeBSD-10.0-RELEASE-amd64-memstick.img zfsfilepool_vol1.img
$ md5 FreeBSD-10.0-RELEASE-amd64-memstick.img zfsfilepool_vol1.img
MD5 (FreeBSD-10.0-RELEASE-amd64-memstick.img) = e8e7cbd41b80457957bd7981452ecf5c
MD5 (zfsfilepool_vol1.img) = e8e7cbd41b80457957bd7981452ecf5c

Booting a VM from volume

Finally got to the most important part. In use a volume as disk device for VM 'devices' section of the domain XML should be updated with something like this:

<disk type='volume' device='disk'>
<source pool='zfsfilepool' volume='vol1'/>
<target dev='vdb' bus='virtio'/>

Few notes

Note #1: this code is just a few weeks old, so quite likely there are some rough edges. Feel free to report problems to if you spot any problems.

Note #2: this code is FreeBSD-only for now. However, it should not be hard to make it work on Linux with Its developers were kind enough to add some useful missing flags in some of the CLI tools. However, these changes are not available in any released version so far. There are some more minor differences between zfs on Linux and FreeBSD, but that should not be hard to address. I was planning to get to it as soon as a new version of zfs on linux with the necessary flags is available. However, if you are interested in that and ready to help with testing -- feel free to poke me so it could be done sooner.

Gerade mal ein weiteres Plugin für mein Serendipity gefunden.

Gibt es schon lange, ich kannte es aber leider nicht.

Ich habe bisher auf Syntax Highlighting verzichtet, weil man sich im Blog oft Probleme einhandelt. Bei diesem scheint es aber gut zu funktionieren.

Beipielweise hier mal ein Bash script:

#  Titel:
#  Autor: Bed [@]
#  Web:
#  Version 0.3
#  Voraussetzung: Benötigt wird Imagemagick für das Consolentool convert 
#  und mogrify
#  Zweck: skaliert die Bilder auf 1280x1024, wenn im Quellbild die 
#         Orientierungshinweise intakt sind,
#         wird das Bild korrekt gedreht.
#         Das skalierte Bild wird mit einer Textnotiz versehen, wenn in 
#         der Schleife der mogrify disabled wird (durch einfügen des '#')
#         wird das Branding nicht durchgeführt.
count=$(/bin/echo $NAUTILUS_SCRIPT_SELECTED_URIS|wc -w) 
teil=$[100 / $count ]
	file_name=$(echo $file | sed -e 's/file:\/\///g' -e 's/\%20/\ /g' -e 's/.*\///g')
	file_folder=$(echo $file | sed -e 's/file:\/\///g' -e 's/\%20/\ /g' -e "s/$file_name//g")
        convert -auto-orient -strip -geometry 1280x1024 -quality 80 "$file_folder/$file_name" "${file_folder}/${file_name}_resized_1280x1024.jpg"
        teiler=$[$teiler + $teil] 
        echo $teiler
        mogrify -pointsize 10 -fill gray -gravity SouthWest -draw "text 10,20 'Copyright Bernd Dau'" "${file_folder}/${file_name}_resized_1280x1024.jpg" 
        echo $teiler
        teiler=$[$teiler + $teil]  
done ) | (zenity --progress --percentage=$teil --auto-close)

Kleiner Nebeneffekt: Leser meines Blogs können nur den Highlight Effekt sehen, wenn sie den Beitrag im Original auf dem Blog ansehen. Nicht, dass mir meine Besucherzahlen besonders wichtig sind, aber Kommentare sind das Salz in der Blogsuppe. Und die bekommt man aussliesslich durch direkte Leser, nicht durch Feed Abonenten. Davon ab- ist der Blog Boom ja wohl allgemein zu Ende, oder?

Achso. Um das Highlighting zu aktivieren, wird das <pre> Tag genutzt.  <pre class="brush: bash">

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.

A side view of the stainless steel insert skimmer pulled from a European ATM.

“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”

Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):

The backside of the insert skimmer reveals a tiny battery and a small data storage device (far left).

The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.


Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.

For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdrawal cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.

This angle shows the thinness of this insert skimmer a bit better.

This angle shows the thinness of this insert skimmer a bit better.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries with a total deployment of more than 640,000 cash machines, European financial institutions are increasingly moving to “geo-blocking” on their issued cards. In essence, more European banks are beginning to block the usage of cards outside of designated EMV chip liability shift areas.

“Fraud counter-measures such as Geo-blocking and fraud detection continue to improve,” EAST observed in a report produced earlier this year. “In twelve of the reporting countries (two of them major ATM deployers) one or more card issuers have now introduced some form of Geo-blocking.”

Source: European ATM Security Team (EAST).

Source: European ATM Security Team (EAST).

As this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.

Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.

MeetBSD California 2014 (, Western Digital Campus, San Jose, United States 1 - 2 November, 2014. MeetBSD 2014 uses a mixed unConference format featuring both scheduled talks and community-driven events such as birds-of-a-feather meetings, lightning talks, and speed geeking sessions.

As of today, more than 50% of the 37527 ebuilds in the Gentoo portage tree use the newest ebuild API (EAPI) version, EAPI=5!
The details of the various EAPIs can be found in the package manager specification (PMS); the most notable new feature of EAPI 5, which has sped up acceptance a lot is the introduction of so-called subslots. A package A can specify a subslot, another package B that depends on it can specify that it needs to be rebuilt when the subslot of A changes. This leads to much more elegant solutions for many of the the link or installation path problems that revdep-rebuild, emerge @preserved-rebuild, or e.g. perl-cleaner try to solve... Another useful new feature in EAPI=5 is the masking of use-flags specifically for stable-marked ebuilds.
You can follow the adoption of EAPIs in the portage tree on an automatically updated graph page.

X with glamor on vc4 via Planet FreeBSD | 2014-08-21 23:58 UTC

Today I finally got X up on my vc4 driver using glamor.  As you can see, there are a bunch of visual issues, and what you can't see is that after a few frames of those gears the hardware locked up and didn't come back.  It's still major progress.
2014-08-21 16.16.37
The code can be found in my vc4 branch of mesa and linux-2.6, and the glamor branch of my xf86-video-modesetting.  I think the driver's at the point now that someone else could potentially participate.  I've intentionally left a bunch of easy problems -- things like supporting the SCS, DST, DPH, and XPD opcodes, for which we have piglit tests (in glean) and are just a matter of translating the math from TGSI's vec4 instruction set (documented in tgsi.rst) to the scalar QIR opcodes.

It all started with this commit from Jordan Hubbard on August 21, 1994:

Ja, Telefonica gibt mir kein IPv6, aber dann will ich wenigstens diese „IPv4,5″ haben, wie es gestern bei der ARD in PlusMinus zu sehen war:

It all started with this commit from Jordan Hubbard on August 21, 1994:

Commit my new ports make macros
Still not 100% complete yet by any means but fairly usable at this stage.

Twenty years later the ports tree is still there and actively
maintained. A video was prepared to celebrate the event and to thank
all of you who give some of their spare time and energy to the project!

The FreeBSD Foundation August Update is now available. Get the latest Foundation news at:

The deadline for submitting your application for a Travel Grant to EuroBSDCon 2014 has been extended. Please submit your application by Friday, August 22, 2014. Find out more at:

One can find almost anything for sale online, particularly in some of the darker corners of the Web and on the myriad cybercrime forums. These sites sell everything from stolen credit cards and identities to hot merchandise, but until very recently one illicit good I had never seen for sale on the forums was counterfeit U.S. currency.

Counterfeit Series 1996 $100 bill.

Counterfeit Series 1996 $100 bill.

That changed in the past month with the appearance on several top crime boards of a new fraudster who goes by the hacker alias “MrMouse.” This individual sells counterfeit $20s, $50s and $100s, and claims that his funny money will pass most of the tests that merchants use to tell bogus bills from the real thing.

MrMouse markets his fake funds as “Disney Dollars,” and in addition to blanketing some of the top crime forums with Flash-based ads for his service he has boldly paid for a Reddit stickied post  in the official Disney Market Place.

Judging from images of his bogus bills, the fake $100 is a copy of the Series 1996 version of the note — not the most recent $100 design released by the U.S. Treasury Department in October 2013. Customers who’ve purchased his goods say the $20 notes feel a bit waxy, but that the $50s and $100s are quite good fakes.

MrMouse says his single-ply bills do not have magnetic ink, and so they won’t pass machines designed to look for the presence of this feature. However, this fraudster claims his $100 bill includes most of the other security features that store clerks and cashiers will look for to detect funny money, including the watermark, the pen test, and the security strip.

MrMouse's ads for counterfeit $20s, $50s and $100s now blanket many crime forums.

MrMouse’s ads for counterfeit $20s, $50s and $100s now blanket many crime forums.

In addition, MrMouse says his notes include “microprinting,” tiny lettering that can only be seen under magnification (“USA 100″ is repeated within the number 100 in the lower left corner, and “The United States of America” appears as a line in the left lapel of Franklin’s coat). The sourdough vendor also claims his hundreds sport “color-shifting ink,” an advanced feature that gives the money an appearance of changing color when held at different angles.

I checked with the U.S. Secret Service and with counterfeiting experts, none of whom had previously seen serious counterfeit currency marketed and sold on Internet crime forums.

“That’s a first for me, but I guess they can sell anything online these days,” said Jason Kersten, author of The Art of Making Money: The Story of a Master Counterfeiter, a true crime story about a counterfeiter who made millions before his capture by the Secret Service.

Kersten said that outside of so-called “supernote” counterfeits made by criminals within North Korea, it is rare to find vendors advertising features that MrMouse is claiming on his C-notes, including Intaglio (pronounced “in-tal-ee-oh”) and offset printing. Both features help give U.S. currency a certain tactile feel, and it is rare to find that level of quality in fake bills, he said.

Fake money is supposed to leave a black mark with the pen; brown means the bill passes.

Fake money is supposed to leave a black mark with the pen; yellow/gold means the bill passes.

“What you really need to do is feel the money, because a digital image can be doctored in ways that real money cannot,” Kersten said. “With Intaglio, for example, the result is that when the ink dries, you feel a raised surface on the bill.”

The counterfeiting expert said most bogus cash will sell for between 30 and 50 percent of the face value of the notes, with higher-quality counterfeits typically selling toward the upper end of that scale. MrMosue charges 45 percent of the actual dollar amount, with a minimum order of $225 ($500 in bogus Benjamins) – payable in Bitcoins, of course.

According to Kersten, most businesses are ill-prepared to detect counterfeits, beyond simply using a cheap anti-counterfeit pen that checks for the presence of acid in the paper.

“The pen can be fooled if [the counterfeits] are printed on acid-free paper,” Kersten said. “Most businesses are woefully unprepared to spot counterfeits.”

Thankfully, counterfeits are fairly rare; according to a 2010 study (PDF) by the Federal Reserve Bank of Chicago, the incidence of counterfeits that cannot be detected with minimal authentication effort is likely on the order of about three in 100,000.

Kersten said he’s not surprised that it’s taken this long for funny money to be offered in a serious and organized fashion on Internet crime forums: While passing counterfeit notes is extremely risky (up to 20 years in prison plus fines for the attempted use of fake currency with the intent to defraud), anyone advertising on multiple forums that they are printing and selling fake currency is going to quickly attract a great deal of attention from federal investigators.

“The Secret Service does not have a sense of humor about this at all,” Kersten said. “They really don’t.”

MrMouse showcases the ultraviolet security strip in his fake $100 bills. The WillyClock bit is just an image watermark.

MrMouse showcases the ultraviolet security strip in his fake $100 bills. The WillyClock bit is just an image watermark.

The news wires today are buzzing with stories about another potentially major credit/debit card breach at yet another retail chain: This time, the apparent victim is AB Acquisition, which operates Albertsons stores under a number of brands, including ACME Markets, Jewel-Osco, Shaw’s and Star Markets. Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them.

QWhy do we keep hearing about breaches involving bricks-and-mortar stores?

Credit and debit cards stolen from bricks-and-mortar stores (called “dumps”) usually sell for at least ten times the price of cards stolen from online merchants (referred to in the underground as “CVVs” or just “credit cards”). As a result, dumps are highly prized by today’s cyber crooks, and there are dozens of underground “card shops” online that will happily buy the cards from hackers and resell them on the open market. For a closer look at how these shops work (and how, for example, the people responsible for these retail break-ins very often also are actually running the card shops themselves) see Peek Inside a Carding Shop.

Okay, I’ll bite: Why are dumps so much more expensive and valuable to attackers?

A big part of the price difference has to do with the number of steps it takes for the people buying these stolen cards (a.k.a. “carders”) to “cash out” or gain value from the stolen cards. For example, which of these processes is likely to be more successful, hassle-free and lucrative for the bad guy?

1. Armed with a stack of dumps, a carder walks into a big box store and walks out with high-priced electronics or gift cards that he can easily turn into cash.

2. Armed with a list of CVVs, a carder searches online for stores that will ship to an address that is different from the one on the card. Assuming the transaction is approved, he has the goods shipped to a guy he knows at another address who will take a cut of the action. That is, *if* the fraudulently purchased goods don’t get stopped or intercepted along the way by the merchant or shipping company when someone complains about a fraudulent transaction.

If you guessed #1, you’re already thinking like a carder!

Snap! But it seems like these breaches are becoming more common. Is that true?

It’s always hard to say whether something is becoming more common, or if we’re just becoming more aware of the thing in question. I think it’s safe to say that more people are looking for patterns that reveal these retail breaches (including yours truly, but somehow this one caught me– and just about everyone I’ve asked — unawares).

Certainly, banks — which shoulder much of the immediate cost from such breaches — are out for blood and seem more willing than ever to dig deep into their own fraud data for patterns that would reveal which merchants got hacked. Visa and MasterCard each have systems in place for the banks to recover at least a portion of the costs associated with retail credit and debit card fraud (such as the cost of re-issuing compromised cards), but the banks still need to be able to tie specific compromised cards to specific merchant breaches.

Assuming we are seeing an increased incidence of this type of fraud, why might that be the case?

One possible answer is that fraudsters realize that the clock is ticking and that U.S. retailers may not always be such a lucrative target. Much of the retail community is working to meet an October 2015 deadline put in place by MasterCard and Visa to move to chip-and-PIN enabled card terminals at their checkout lanes. Somewhat embarrassingly, the United States is the last of the G20 nations to adopt this technology, which embeds a small computer chip in each card that makes it much more expensive and difficult (but not impossible) for fraudsters to clone stolen cards.

That October 2015 deadline comes with a shift in liability for merchants who haven’t yet adopted chip-and-PIN (i.e., those merchants not in compliance could find themselves responsible for all of the fraudulent charges on purchases involving chip-enabled cards that were instead merely swiped through a regular mag-stripe card reader at checkout time).

When is enough enough already for the bad guys? 

I haven’t found anyone who seems to know the answer to this question, but I’ll take a stab: There appears to be a fundamental disconnect between the fraudsters incentivizing these breaches/selling these cards and the street thugs who end up buying these stolen cards.

Trouble is, in the wake of large card breaches at Target, Michaels, Sally Beauty, P.F. Chang’s, et. al., the underground market for these cards would appear to most observers to be almost completely saturated.

For example, in my own economic analysis of the 40 million cards stolen in the Target breach, I estimate that the crooks responsible for that breach managed to sell only about 2-4 percent of the cards they stole. But that number tells only part of the story. I also spoke with a number of banks and asked them: Of the cards that you were told by Visa and MasterCard were compromised in the Target breach, what percentage of those cards did you actually see fraud on? The answer: only between three and seven percent!

So, while the demand for all but a subset of cards issued by specific banks may be low (the crooks buying stolen cards tend to purchase cards issued by smaller banks that perhaps don’t have such great fraud detection and response capabilities), the hackers responsible for these breaches don’t seem to care much about the basic laws of supply and demand. That’s because even a two to four percent sales ratio is still a lot of money when you’re talking about a breach involving millions of cards that each sell for between $10 to $30.

Got more questions? Fire away in the comments section. I’ll do my best to tackle them when time permits.

Here is a link to AB Acquisition LLC’s statement on this latest breach.

Was ist Kiva? Karsten Iwen | 2014-08-20 13:10 UTC

Für alle, die Kiva noch nicht kennen gibt es ein neues Werbevideo, das  in gut 1:30 erzählt was Kiva ist. Sehr schön gemacht:

Die Anmeldung ist sehr einfach, und das Team Netzwerft freut sich auch über jedes neue Mitglied.

I’m slowly but surely starting to switch to a new laptop. The old one hasn’t completely died (yet) but given that I had to force its CPU frequency at the lowest Hz or the CPU would burn (and the system suddenly shut down due to heat issues), and that the connection between the battery and laptop fails (so even new battery didn’t help out) so I couldn’t use it as a laptop… well, let’s say the new laptop is welcome ;-)

Building Gentoo isn’t an issue (having only a few hours per day to work on it is) and while I’m at it, I’m also experimenting with EFI (currently still without secure boot, but with EFI) and such. Considering that the Gentoo Handbook needs quite a few updates (and I’m thinking to do more than just small updates) knowing how EFI works is a Good Thing ™.

For those interested – the EFI stub kernel instructions in the article on the wiki, and also in Greg’s wonderful post on booting a self-signed Linux kernel (which I will do later) work pretty well. I didn’t try out the “Adding more kernels” section in it, as I need to be able to (sometimes) edit the boot options (which isn’t easy to accomplish with EFI stub-supporting kernels afaics). So I installed Gummiboot (and created a wiki article on it).

Lots of things still planned, so little time. But at least building chromium is now a bit faster – instead of 5 hours and 16 minutes, I can now enjoy the newer versions after little less than 40 minutes.

O2 Business-DSL und IPv6 Karsten Iwen | 2014-08-19 10:40 UTC

Meine letzte Anfrage beim Geschäftskunden-Support ist schon wieder etwas her, daher war es mal wieder Zeit nachzufragen. Die Antwort war jetzt nicht viel besser:

einen genauen Zeitplan für die Einführung von IPv6 gibt es leider noch nicht. Telefónica Germany wird zu einem späteren Zeitpunkten die IPv6-Unterstützung einführen.