Planet 2014-04-24 14:00 UTC

It looks like it’s time to update my Value of a Hacked Email Account graphic: Real estate and title agencies are being warned about a new fraud scheme in which email bandits target consumers who are in the process of purchasing a home.

An alert sent by First National Title to its agents.

An alert sent by First American Title to its agents.

In this scheme, the attackers intercept emails from title agencies providing wire transfer information for borrowers to transmit earnest money for an upcoming transaction. The scammers then substitute the title company’s bank account information with their own, and the unsuspecting would-be homeowner wires their down payment directly to the fraudsters.

This scam was laid out in an alert sent by First American Title to its title agents:

“First American has been notified of a scheme in which potential purchasers/borrowers have received emails allegedly from a title agency providing wire information for use by the purchaser/borrower to transmit earnest money for an upcoming transaction.”

“The messages were actually emails that were intercepted by hackers who then altered the account information in the emails to cause the purchasers’/borrowers’ funds to be sent to the hacker’s own account. The emails appear to be genuine and contain the title agency’s email information and/or logos, etc. When the purchasers /borrowers transferred their funds pursuant to the altered instructions, their money was stolen with little chance of return. This scam appears to be somewhat similar to the email hacking scheme that came to light earlier this year that targeted real estate agents.”

“It is apparent in both scams that the hackers monitor the email traffic of the agency or the customer and are aware of the timing of upcoming transactions. While in the reported instances, a customer was induced to misdirect their own funds, an altered email could conceivably be used to cause misdirection of funds by any party in the transaction, including the title agent themselves.”

This scam is almost certainly not unique to First American Title; scams that work against one corner of an industry generally work against the industry as a whole.

Attacks like this one illustrate the value of two-factor authentication for email. The larger providers have moved to enabling multi-factor authentication to help users avoid account compromises.,Hotmail/Live.comand all now offer multi-step authentication that people can and should use to further secure their accounts. DropboxFacebook and Twitter also offer additional account security options beyond merely encouraging users to pick strong passwords.

Of course, all of this additional security can be defeated if the bad guys gain control over your machine through malicious software. To keep your computer from being compromised, consider adopting some of the recommendations in my Tools for a Safer PC primer.

An unusual number of physicians in several U.S. states are just finding out that they’ve been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians.

taxfraudScott Colby, executive vice president of the New Hampshire Medical Society, said he started hearing from physicians in his state about a week ago, when doctors who were just filing their tax returns began receiving notices from the Internal Revenue Service that someone had already filed their taxes and claimed a large refund.

So far, Colby has heard from 111 doctors, physician assistants and nurse practitioners in New Hampshire who have been victims of tax fraud this year.

“I’ve been here four years and this is the first time this issue has come across my desk,” Colby said.

In this increasingly common crime, thieves steal or purchase Social Security numbers and other data on consumers, and then electronically file fraudulent tax returns claiming a large refund. The thieves instruct the IRS to send the refund to a bank account that is tied to a prepaid debit card, which the fraudster can then use to withdraw cash at an ATM (for more on how this works, see last week’s story, Crimeware Helps File Fraudulent Tax Returns).

Unlike the scam I wrote about last week — which involved the theft of credentials to third-party payroll and HR providers that are then used to pull W2 records and file bogus tax returns on all company employees — the tax fraud being perpetrated against the physicians Colby is tracking is more selective.

“We’ve done a broadcast to all of the hospital systems in the state, and I have yet to receive one [victim] name from a non-clinician,” Colby said. “And you would think if it was an HR or payroll issue that at least a couple of administrative, non-clinical folks would have been in the mix, but that is not the case.”


Colby said he’s heard similar reports from other states, including Arizona, Connecticut, Indiana, Maine, Michigan, North Carolina and Vermont.

Elaine Ellis Stone, director of communications at the North Carolina Medical Society, said her organization has been contacted by more than 100 individual doctors and medical practice managers complaining about tax fraud committed in the names of their doctors and other medical staff.

“We’ve been getting a lot of calls from people who’ve experienced this scam,” Ellis Stone said. “We don’t yet know exactly why this type of crime is surfacing so much this year, but we haven’t seen this kind of volume in years past.”

Ellis Stone said that initially, the medical society thought the tax fraud incidents might be related to a move last week by Medicare’s first-ever release of information on payments to some 880,000 medical providers nationwide. As part of that data dump, the Centers for Medicare and Medicaid Services listed the National Providers Identification (NPI) number of each doctor; NPI numbers are used by the federal government to keep track of physicians for Medicare and Medicaid billing purposes.

She said initially when her organization reached out the American Medical Association (AMA) to see if they had any theories about the source of the fraud, someone suggested that the recent release of so many NPI numbers may have allowed thieves to somehow look up Social Security numbers and other sensitive data on doctors. But according to Ellis Stone, those NPI numbers have long been available from the U.S. Centers for Medicare and Medicaid. 

Robert Mills, the AMA’s media relations coordinator, confirmed that the association is hearing from state medical societies that tax identity theft seems to be a greater problem this year than in the past. But he stressed that this scheme seems to be targeting professionals generally, not just physicians.

That’s my take on this as well: There may indeed have been some kind of breach of a physician database that fueled this year’s fraud surge against doctors, but my hunch is that we might also see the same sorts of stats being gathered by state organizations focused on other professions. In other words, the incidence of this type of crime is likely off the charts this year.

That said, a story I’m working on for later this week will examine tax fraud schemes committed by a crime gang that appears to be disproportionately targeting employees at several state healthcare organizations.


According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

Tax fraud is an especially insidious form of identity theft because thieves often also create new financial accounts in their victims’ names. That’s because the same information used to file tax returns on someone can be useful in opening up new credit card and loan accounts.

“Some of the docs I’ve spoken with also have received notification that someone is trying to set up new bank accounts in their name,” New Hampshire’s Scott Colby said.

What’s more, victims of tax fraud one year may also find they are targeted by thieves again the next tax season.

Gordon Smith, executive vice president of the Maine Medical Association, said his office has heard from approximately 30 physicians in his state about tax fraud over the past couple of weeks.

“Their stories are all very similar,” Smith said. “I talked to one [doctor] who had this happen to him two years in a row now.”

If you become the victim of identity theft, either because of tax fraud — or due to fraud outside of the tax system — you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.

Mega-Overhauling Dennis Klein | 2014-04-23 09:00 UTC

if you switch three rooms at the same time
Our son is now nearly six months old and we're starting to think about putting him and his bed into his own room. Last year, we had renovated the attic and made a fabulous dorm room out of it. Our son is sleeping in this room since he came home with my wife from the hospital. This was fine, so far, but the kids room would be one story below. My wife and I simply couldn't imagine to have the stairway between the kid and us. When he starts to crawl and later to walk, he simply would have no chance to "come over" on his own (of course, we will have to block the stairways for security reasons). With all those arguments, we started to repaint the room that we had for our son in mind before yesterday. He will move into this huge room, which you know as our home office. The dorm room will move into this fresh painted room, which is a bit smaller, but was a dorm room before. Finally, the attic will become our new home office. We'll see how much we will use it. In the last few months (guess around six ;)), we hardly have used it. However, I will paint the front wall of the attic in very dark grey. With our white GALANT desks, it will look great for sure.

I don't know how often we've changed rooms in the last eight years, but it was really often - which is great, as we're trained ;) Todays goal is it to move the dorm room downstairs (incl. kids bed) and be able to sleep in the smaller room tonight. Also, I want to paint the attic wall today, so that I can move the stuff upstairs tomorrow and we could start putting the wallpapers to the walls in the new kids room.

Oh - and if you wonder why I have so much time, I'm on parent time ;)

PS. Photos? Yeah - of the "new" home office (v10) - if it's done!
PPS. Home Office (v9) is pictured here

An Allegation of Harm Brian Krebs | 2014-04-21 16:27 UTC

In December 2013, an executive from big-three credit reporting bureau Experian told Congress that the company was not aware of any consumers who had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. This blog post examines the harm allegedly caused to consumers by just one of the 1,300 customers of that ID theft service — an Ohio man the government claims used the data to file fraudulent tax returns on dozens of Americans last year.

Defendant Lance Ealy.

Defendant Lance Ealy.

In February, I was contacted via Facebook by 28-year-old Lance Ealy from Dayton, Ohio. Mr. Ealy said he needed to speak with me about the article I wrote in October 2013 — Experian Sold Consumer Data to ID Theft Service. Ealy told me he’d been arrested by the U.S. Secret Service on Nov. 25, 2013 for allegedly using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by guy named Hieu Minh Ngo.

“I really need to speak with u about this case because the US attorney assigned to this case and the Secret Service agent are trying to cover up Experian involvement in this case,” Ealy said, without elaborating on his theory about the alleged cover-up.

Ngo is a Vietnamese national who for several years ran an online identity theft service called Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty earlier this year to running the ID theft service, and the government has been working on rounding up his customers ever since.

Mr. Ealy appears to be one of several individuals currently battling charges of identity theft after allegedly buying data from Ngo’s service, which relied in part on data obtained through a company owned by Experian.

According to the complaint (PDF) against Ealy, government investigators obtained a search warrant for Ngo’s email account in March 2013. Going through that email, investigators found that a customer of Ngo’s who used the address had already purchased from Ngo some 363 “fullz” — a term used in the underground to describe a package of everything one would need to steal someone’s identity, including their Social Security number, mother’s maiden name, birth date, address, phone number, email address, bank account information and passwords.

The Justice Department alleges that between Jan. 28, 2013 and Oct. 17, 2013, Ealy filed at least 150 fraudulent tax returns on Americans, instructing the IRS to send the refund money to prepaid credit card accounts he controlled. The government claims that about 50 of those bogus claims were made with Social Security numbers and other data obtained from Ngo’s ID theft service.

For his part, Mr. Ealy says he’s not guilty of the crimes the government is trying to pin on him, and that prosecutors have yet to turn over any evidence as required.

“They still failed to turn over any evidence or discovery,” Ealy said in a Facebook conversation. “When I get my discovery packet I will like you to publish a story about me in connection with the Vietnam individual and can you also see who else has a case in connection with Ngo. Also they keep trying to pressure me to cooperate with them but I don’t want to until they turn over all evidence in this case.”

Initially, Ealy was facing a single-count indictment (PDF) in connection with the investigation. But when Ealy declined to agree to a plea agreement with prosecutors, the government appears to have thrown the book at him — lodging a superseding, 42-count indictment (PDF). Ealy said he recently filed a motion to fire his attorney and is currently representing himself, although he says he is looking for another lawyer.

According to local Ohio news site, Ealy is the son of a candidate running for Ohio governor. WHIO says Lance Ealy’s father — Larry Ealy – is embroiled in an ongoing investigation of allegations that he and three others who passed nominating petitions for him turned in fraudulent signatures to local board of elections.

In addition to the tax fraud charges, the younger Ealy also is accused of opening bank accounts to electronically deposit the fraudulent tax returns. If convicted, he faces up to 20 years in prison and fines of up to $250,000.

Messages discovered in Ngo's inbox from, which the government claims was used by the accused.

Messages discovered in Ngo’s inbox from, which the government claims was used by the accused.

Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don’t use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream repository but not in a release yet). The patch is for fcron‘s SELinux support, so the file I created is fcron-9999.ebuild.

Sadly, the build failed at the documentation generation (something about “No targets to create en/HTML/index.html”). That’s unfortunate, because that means I’m not going to ask to push the live ebuild to the Portage tree itself (yet). But as my primary focus is to validate the patch (and not create a live ebuild) I want to ignore this error and go on. I don’t need the fcron documentation right now, so how about I just continue?

To do so, I start using the ebuild command. As the failure occurred in the build phase (compile) and at the end (documentation was the last step), I tell Portage that it should assume the build has completed:

~# touch /var/portage/portage/sys-process/fcron-9999/.compiled

Then I tell Portage to install the (built) files into the images/ directory:

~# ebuild /home/swift/dev/gentoo.overlay/sys-process/fcron/fcron-9999.ebuild install

The installation phase fails again (with the same error as during the build, which is logical as the Makefile can’t install files that haven’t been properly build yet.) As documentation is the last step, I tell Portage to assume the installation phase has completed as well, continuing with the merging of the files to the life file system:

~# touch /var/portage/portage/sys-process/fcron-9999/.installed
~# ebuild /home/swift/dev/gentoo.overlay/sys-process/fcron/fcron-9999.ebuild qmerge

Et voila, fcron-9999 is now installed on the system, ready to validate the patch I had to check.

I recently installed EJBCA for managing our internal public key infrastructure (PKI). Before using EJBCA, I used openssl from the command-line, but this got uncomfortable, in particular for managing certificate revocation lists (CRLs).

Unfortunately, I made a small but significant mistake when setting up EJBCA: I chose to use the default embedded H2 database. While this database for sure could handle the load for our small PKI, it is inconvenient when trying to make backups: The whole application server needs to be stopped in order to ensure consistency of the backups, a solution which is rather impractical. Therefore I wanted to migrate the EJBCA database from H2 to PostgreSQL.

However, H2 and PostgreSQL are quite different, and the SQL dump generated by H2 could not be easily imported into PostgreSQL. After trying various approaches, I luckily found the nice tool SQuirreL SQL, which (besides other things) can copy tables between databases - even databases of different type. Obviously, this will not solve all migration problems, but for my situation it worked quite well.

I documented the whole migration process in my wiki, in case someone else wants to do the same.

This week the PC-BSD team has ported over preload, which is an adaptive readahead daemon. It monitors applications that users run, and by analyzing this data, predicts what applications users might run, and fetches those applications and their dependencies to speed up program load times. You can look for preload in the next few days in edge packages and grab it for testing on your own system.

There is an early alpha version of the Lumina desktop environment that has been committed to ports / packages. Lumina is a lightweight, stable, fast-running desktop environment that has been developed by Ken Moore specifically for PC-BSD. Currently it builds and runs, but lacks many other features as it is still in very early development. Grab it from the edge packageset and let us know what you think, and how we can also improve it to better suit you as a user!

Other updates this week:

* Fixed some bugs in ZFS replication causing snapshot operations to take
far longer than necessary
* Fixed an issue with dconf creating files with incorrect permissions
causing browsers to fail
* Added Lumina desktop ports / packages to our build system
* PC-BSD Hindi translation 100% complete
* improvements to the update center app
* Update PCDM so that it will use “pw” to create a user’s home directory if it is missing but the login credentials were valid. This should solve one of the last reported issues with PCDM and Active Directory users.
* Bugfix for pc-mounttray so that it properly ignores the active FreeBSD swap partition as well.
* Another small batch of 10.x PBI updates/approvals.

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

michaelsThe disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at and

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling audit2allow, informing us that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository but which needs to be pushed to the tree (which is my job, sorry about that). The problem however is when he added the policy – it didn’t work.

Even worse, sesearch told us that the policy has been modified correctly – but it still doesn’t work. Check your policy with sestatus and seinfo and they’re all saying things are working well. And yet … things don’t. Apparently, all policy changes are ignored.

The reason? There was a policy.29 file in /etc/selinux/mcs/policy which was always loaded, even though the user already edited /etc/selinux/semanage.conf to have policy-version set to 28.

It is already a problem that we need to tell users to edit semanage.conf to a fixed version (because binary version 29 is not supported by most Linux kernels as it has been very recently introduced) but having load_policy (which is called by semodule when a policy needs to be loaded) loading a stale policy.29 file is just… disappointing.

Anyway – if you see weird behavior, check both the semanage.conf file (and set policy-version = 28) as well as the contents of your /etc/selinux/*/policy directory. If you see any policy.* that isn’t version 28, delete them.

a last fitness post before eastern

Wednesday: Quer durch Utfort
Yesterday, I've cycled through Utfort, the nature way - was nice, sunny and warm :)

Wednesdaytour 1
Wednesdaytour 2
Wednesdaytour 3
Wednesdaytour 4

Thursday: Kleine Runde
Today, the weather was worse. It was sunny, but again pretty windy. I've also forgot to take the Lumix with me, but as it was a short trip around the district and you've seen photos from those ways in previous posts, I think it's fine just to show the track.


Over Eastern, I will have no time to ride my bike - I'm also not really sure, if this kind of posts are interesting for you. Let me know, via Twitter :)

The January-March, 2014 Status Report is now available with 41 entries.

Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

javamessThe latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

py3status v1.4 via Planet Gentoo | 2014-04-16 10:18 UTC

I’m glad to announce the release of py3status-1.4 which I’d like to dedicate to @guiniol who provided valuable debugging (a whole Arch VM) to help me solve the problem he was facing (see changelog).

I’m gathering wish lists an have some (I hope) cool ideas for the next v1.5 release, feel free to post your most adventurous dreams !


  • new ordering mechanism with verbose logging on debug mode. fixes rare cases where the modules methods were not always loaded in the same order and caused inconsistent ordering between reloads. thx to @guiniol for reporting/debugging and @IotaSpencer and @tasse for testing.
  • debug: dont catch print() on debug mode
  • debug: add position requested by modules
  • Add new module, by @nawadanp
  • move README to markdown, change ordering
  • update the README with the new options from –help


Special thanks to this release’s contributors !

  • @nawadanp
  • @guiniol
  • @IotaSpencer
  • @tasse

Dienstagstour durch Genend Dennis Klein | 2014-04-15 19:00 UTC

biking through an industrial area
Riding the same ways every day get a bit - boring. I planned a trip through "Genend", a relatively new industrial area on the very west part of Moers. Unfortunately, the weather was very bad, windy, a bit rain and very cloudy.


The company I work for, KRZN, had some offices in the building on the right. But this was before I joined, which is meanwhile 1 1/2 years ago.

The red of this building is very intensive. Too bad, my little Lumix couldn't capture it - and the compression killed the rest.


I remember a time when I’d never been to a conference related to my passions. Once I went, things changed. I realized that making strong working relationships with others who share my passion is important. Not only does this solidify the community of which you are a member, it also helps you personally. Every conference [...]

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

-An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion,Adobe Reader/Acrobat/Photoshop);

-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

In Anbetracht der aktuellen Heartbleed-Geschehnisse habe ich über meine persönliche Passwort-Misere nachgedacht. Nach einem bestimmten Namensschema hatte ich versucht, pro Website ein eigenes Passwort zu definieren, außerdem gab es noch ein simples Standard-Passwort, welches bei entsprechend vielen Webdiensten, die ich “nur mal ausprobieren” wollte hinterlegt war. Ihr kennt das.

Natürlich waren alle Passwörter aus Bequemlichkeit im Google-Chrome-Passwort-Manager gespeichert und wurden über mehrere Geräte synchronisiert. Dazu kamen noch iPad und iPhone mit einem eigenen Passwort-Speicher.

Das ist alles nicht schön und aus Security-Perspektive ziemlich fahrlässig.

Nach einem kurzen Experiment mit Lastpass habe ich mir gedacht, dass ich mich am wohlsten fühle, wenn ich die Hoheit über meine Passwörter selbst behalte. Außerdem möchte ich schon aus Prinzip meine Passwörter einer Open-Source-Software anvertrauen, wenn auch durch Heartbleed klar wurde, dass das nicht unbedingt ein Qualitätskriterium ist.

Deswegen bin ich nun zu folgender Lösung gekommen:

  • KeePass legt die Datenbank zuhause auf das Synology-NAS (Windows-Freigabe)
  • Auf einem zweiten Rechner wird diese via WebDAV direkt aus KeePass heraus geöffnet (Datei von URL öffnen)
  • Auf iPad und iPhone nutze ich KyPass, ebenfalls mit WebDAV-Integration
  • Die Integration in Google Chrome funktioniert mit ChromeIPass und KeepassHttp hervorragend. Hier empfehle ich, die Option “Request for unlocking if the database is locked” in den KeePassHttp-Optionen zu aktivieren und KeePass so einzustellen, dass es automatisch nach einiger Zeit und beim Sperren des PCs gesperrt wird.
  • ChromeIPass bietet hier einen bequemen Autofill-Mechanismus inklusive der Generierung neuer Passwörter, sodass man nun keine Ausrede mehr hat, dass sichere Passwörter umständlich sind.
  • Der integrierte Passwortmanager und “AutoSafe” sind natürlich deaktiviert

Alle Passwörter sind nun zufällige, 20-stellige Zeichenketten, bis auf wenige Ausnahmen die ich regelmäßig “tippen” muss.

Ich kann diesen Schritt nur jedem ans Herz legen, und wenn es nur dazu dient, mal alle seine Webdienste abzuklappern und Accounts zu löschen, die man nicht mehr benötigt.

flattr this!

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable:

As I told The New York Times yesterday, it is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (e.g., I’m not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you’re concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).

It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of Internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-Web server stuff affected by this bug will be business-oriented devices (and not consumer-grade products such as routers, e.g.). The SANS Internet Storm Center is maintaining a list of commercial software and hardware devices that either have patches available for this bug or that will need them.

For those in search of more technical writeups/analyses of the Hearbleed bug, see this Vimeo video and this blog post (hat tip once again to Sandro Süffert).

Finally, given the growing public awareness of this bug, it’s probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question.

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.




“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included, and — ironically — the Web site of This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL - OpenSSL 1.0.1g — as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert). For more on what you can do you to protect yourself from this vulnerability, see this post.

Around Moers City Dennis Klein | 2014-04-14 11:00 UTC

simply wanted to drive 10km
I planned this trip in Komoot and submitted it to my Moto G. Not that I would need a navigation as I've been grown up in Moers, but it's pretty nice to see how far I've come and the display.


Around Moers City 1
Cycling straight ahead and for some km's, it's my standard "small" route (4.7km).

Around Moers City 2
This photo was taken when I hit the first waypoint, outside of the city limit. (Near van der Falk)

Around Moers City 4
Around Moers City 3
Around Moers City 5
Around Moers City 6
I was pretty happy when I hit the next waypoint. The cycle way is well build, but with an increase over a couple of km's, also, from now I will head into the city.

Around Moers City 7
Around Moers City 8
Funny place to park. It's a departure from the highway 40 (Moers-Zentrum).

Around Moers City 9
Around Moers City 10
"Bicycle friendly City in Northrhine-Westphalia"

Around Moers City 11
I haven't taken this photo accidently, but more on this topic much later ;)

Around Moers City 12
Have I already mentioned, that we have a lot of constructions going on in Moers lately? :S

Around Moers City 13
Around Moers City 14
Around Moers City 15
Around Moers City 16
Not far from home! \o/

Around Moers City 17
Did it! It was a great tour, but with a lot of head wind hitting me.

Recent versions of OpenSSL were found to be affected by an information disclosure vulnerability related to TLS heartbeats, nicknamed Heartbleed. It allows attackers to read up to 64kb of random server memory, possibly including passwords, session IDs or even private keys.

After the public disclosure on April 7, we have confirmed that several services provided by Gentoo Infrastructure were vulnerable as well. We have immediately updated the affected software, recreated private keys, reissued certificates, and invalidated all running user sessions. Despite these measures, we cannot exclude the possibility of attackers exploiting the issue during the time it was not publicly known to gain access to credentials or session IDs of our users. There are currently no indications this has happened.

However, to be safe, we are asking you to reset your passwords used for Gentoo services within the next 7 days. You need to take action if you have an account on one of the following sites:


After 7 days, we will be removing all passwords to avoid abuse. For more information and the full announcement, visit

Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

The control panel for a tax fraud botnet involving more than a half dozen victim organizations.

An obfuscated look at the he control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.


The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims maybe exploited not only for 2013 tax year but also down the road,  and perhaps subject of higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”


I spoke at length with Doug, a 45-year-old tax fraud victim at a company that was listed in the attacker’s control panel. Doug agreed to talk about his experience if I omitted his last name and his employer’s name from this story. Doug confirmed that the information in the attacker’s tax fraud panel was his and mostly correct, but he said he didn’t recognize the Gmail address used to fraudulently submit his taxes at H&R Block.

Doug said his employer recently sent out a company-wide email stating there had been a security breach at a cloud provider that was subcontracted to handle the company’s employee benefits and payroll systems.

“Our company sent out a blanket email saying there had been a security breach that included employee names, addresses, Social Security numbers, and other information, and that they were going to pay for a free year’s worth of credit monitoring,” Doug said.

Almost a week after that notification, the company sent out a second notice stating that the breach extended to the personal information of all spouses and children of its employees.

“We were later notified that the breach was much deeper than originally suspected, which included all of our beneficiaries, their personal information, my life insurance policy, 401-K stuff, and our taxes,” Doug said. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”

Doug has since spent many hours filling out countless forms with a variety of organizations, including the Federal Trade Commission, the FBI, the local police department, and of course the Internal Revenue Service.

Doug’s company and another victim at a separate company whose employees were all listed as recent tax fraud victims in the attacker’s online control panel both said their employers’ third-party cloud provider of payroll services was Weston, Fla.-based Ultimate Software. In each case, the attackers appear to have stolen the credentials of the victim organization’s human resources manager, credentials that were used to manage employee payroll and benefits at Ultipro, an online HR and payroll solutions provider.

Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.

“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”

Kaminsky continued:

“Unfortunately incidents of tax fraud this tax season across the U.S. are increasing and do not appear to be limited to just our customers or any one company (as I’m sure you’re well aware due to your close coverage of this issue). Over the past several weeks, we have communicated multiple times with our customers about recent threats of tax fraud and identity theft schemes.”

“We believe through schemes such as phishing or malware on end-user computers, criminals are attempting to obtain system login information and use those logins to access employee data for tax fraud purposes. We take identity theft schemes extremely seriously. As tax season progresses, we have been encouraging our customers to take steps to protect their systems such as enforcing frequent password resets and ensuring employee computers’ are up-to-date on anti-malware protection.”


According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It’s important to note that fraudsters engaged in this type of crime are in no way singling out H&R Block or Ultipro. Cybercrooks in charge of large collections of hacked computers can just as easily siphon usernames and passwords — as well as incomplete returns — from taxpayers who are preparing returns via other online filing services, including TurboTax and TaxSlayer.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.

The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.

Jungbornparkpassage II Dennis Klein | 2014-04-13 11:00 UTC

reloaded & extended
Todays trip was for the first ~4km the same as yesterdays trip, then I head towards another direction. Today, I've taken the Lumix with me ;)

Komoot 8
Btw. this is my first post written on Linux (incl. using Gimp instead of Photoshop for photo editing).

Jungbornparkpassage II - 1
Do you see the buildings in the background? I went to this school :)

Jungbornparkpassage II - 2
Jungbornparkpassage II - 3
Jungbornparkpassage II - 4
Seems like the battery usage is pretty low on the Moto G - with Komoot running with display turned on all the time, it just sucked out 4% after nearly 3km. Awesome. Now, a while after the tour, the battery is at 86% (Tour length was 32 minutes).

Jungbornparkpassage II - 5
Jungbornparkpassage II - 6
Yesterday, I went to the right, but today, I wanted a bit more km - so I headed left.

Jungbornparkpassage II - 7
This is a very strange sign (the one with the alien head). I "think" it means that children should be aware of the small streams running next to the fields. Honestly, I've never seen this sign anywhere else but in Moers so far.

Jungbornparkpassage II - 8
Jungbornparkpassage II - 9
This is really next to our home. They are building a Netto discounter. Damn! I had the hope that they would build a quality market like EDEDKA or REWE, but not such a crap...!

Trouble with vim powerline Dennis Klein | 2014-04-12 23:00 UTC

and how to fix the problem with one single font
I like the powerline idea. It makes vim looking good and the colored modes are very handy. But installing it is hard (at least if you don't use the right fonts).

On my laptop at work, I have it running fine, but tonight, I wanted to reproduce this experience on my Xubuntu on my private laptop - and bloody hell, it took 2h+ to get it to work.

First, you need to install powerline (I use pathogen, so I simply git cloned it to my bundle folder under ~/.vim). But that should not be the topic of this post. So, I had installed the plugin and all you get is this:

Powerline in vim - broken symbols

The trick is, that just a few of the "powerline fonts" are able to really change the symbols to "fancy". I just stumbled upon a Menlo font rebuild (direct download of the otf font!).

I copied it to my ~/.fonts folder, closed terminator, reopened it and bam - there it is:

Powerline in vim - fixed symbols

Of course, you have to have some settings in your .vimrc:
set encoding=utf-8
set t_Co=256
let g:Powerline_symbols = 'fancy'

I'm pretty happy, to have my nice looking vim back! I think the Menlo just shows the "fancy" symbols, because terminator is still set to "DejaVu Sans Mono for Powerline".

I've tested it on a test Hackintosh install with iTerm2, and indeed, just after installing the Menlos Powerline font, which I've linked above, the signs appeared.

Powerline in vim on Mac in iTerm2

Jungbornparkpassage Dennis Klein | 2014-04-12 09:00 UTC

such a nice place to drive through, and me fool forgot the Lumix
Riding through the nature yesterday has inspired me to ride another trip through it. Planning in Komoot was a bit hard today, but finally I'd set all the waypoints correctly - and then I drove into the wrong direction for the first few hundred meters, but got back on the track quickly ;)

Komoot 7
As mentioned in the 2nd headline, I forgot to take my Lumix with me - so, sorry folks, I have no photos for you today :(

P.S. The waterbottleholder worked fine ;) MacGyver tech won!

Most of you have already heard of the Heartbleed vulnerability, the flaw in OpenSSL encryption. For any of you that may not be aware (which is probably precious few), the Heartbleed vulnerability is basically a flaw that may allow a malicious user to gain access to information that is supposed to be kept safe through OpenSSL. The good news is that the FreeBSD project and PC-BSD have both released fixes that will apply to versions 10.x. If you are currently running a machine with PC-BSD 9.x you are using an earlier version of openSSL that does not have the vulnerability, so no action is necessary to protect yourself from this. If you are running PC-BSD version 10.x make sure to use the “system updater” to apply the security patch to openSSL. After applying the fix reboot your computer and you should be good to go.

Kris has finished a new PBI run-time that will fix a number of stability issues users may have been experiencing while using PBI’s. The fix has also subsequently helped speed up load times for some of the larger PBI’s that may have been hanging or taking a long time to load.

Update Center is moving foward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We’d like to add a special thanks to the author Yuri for primary design and layout for the update center. Ken will also be working to help smooth out GUI design elements and help with integrating it fully into PC-BSD.

Other Updates / Bug Fixes:

* Updated openssl packages for 10.0 PRODUCTION/EDGE
* Patched issue with KRDC using FreeRDP version in ports
* A new 9.2 server has been spun up and building PBIs for 9.2 again. (Server failed earlier this week)
* Started work on PBI runtime for Linux compat applications
* Another large chunk of work on Lumina
* Bugfixes for pc-mixer (showing the proper icons)
* Life-Preserver bugfixes
* Large update to the available 10.x PBIs. All updates are finished, a few new applications were also added.
* Bugfixes on a number of PBI’s (waiting on rebuilds to test/approve the new fixed apps)
* Hindi translation project now about 75% complete

Waterbottle mounted Dennis Klein | 2014-04-11 21:00 UTC

MacGyver way
Got a waterbottle today - of course for the bike ;)
The "installation" was, well - fun. I just could find one good position for this holder, and so far, it seems to be stable (and no, it does not interfere with the wheel). I call it "MacGyver" way ^^

Here's a photo:
Watterbootle, mounted

We're kicking off our Spring Fundraising Campaign! Our goal this year is to raise $1,000,000 with a spending budget of $900,000.

As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of how we've helped FreeBSD become the most innovative, realiable, and high-performance operating system. We are doing this by:
  • funding development projects,
  • having an internal technical staff available to work on small and large projects, fixing problems, and areas of system administration and release engineering,
  • providing legal support,
  • funding conferences and summits that allow face-to-face interaction and collaboration between FreeBSD contributors, users, and advocates,
  • and advocating for and educating people about FreeBSD by providing high-quality brochures, white papers, and the FreeBSD Journal.

We can't do this without you! You can help by making a donation today.

Help spread the word by posting on FaceBook, Twitter, your blogs, and asking your company to help. Did you know there are thousands of companies that wil match their employee's donations? Check with your company to see if you can automatically double your donation by having your company match your donation.

Thanks for your support!

Waldseetour Dennis Klein | 2014-04-11 12:00 UTC

First mini Mountain Bike tour
I was pretty happy to have a robust bike. The tour I've planned via Komoot (thanks for the awesome Twitter help!) was a circle around the Waldsee (a sea inside a forrest). It's the first navigated tour and it was a great experience :)

Waldseetour Komoot

Of course, I've also taken some photos!

Waldseetour 1
Waldseetour 2
Waldseetour 3
Waldseetour 4
It was steeper than it looks on the photos... :(

Waldseetour 5
Waldseetour 6
Waldseetour 7
What you see there on the hill in the background is called "Das Geleucht" (~the lightning) and is a landmark in memory of the coal mining centuries.

Waldseetour 8
A very small way - and a steep one, next to the sea.

Waldseetour 9

Live maps while cycling
As I am using Komoot excessive in the last days, I had the idea of getting a mount for my Moto G, so that I can see the current map and data. So, on Monday, when we were in the CentrO.[1], I asked at the local Saturn if they have such a mount. "No! Look at Amazon!" - Uhm. Ok. So I did and found this mount which was made for the Moto G. Just a few minutes ago, I got it via snail mail.

Here are some photos of the mount, mounted to my bike. Of course, I had to move the bell and the LED light (I always have lights turned on, at the bike and also when driving my car. I think the scandinavian idea is very good).

Mount Photo 1
The display is a little bit hard to see. Guess an AMOLED display would be much better in this situation, but it's ok, I guess. I will see after my first ride ;)

Mount Photo 2
Mount Photo 3

[1] The CentrO. is Europes seconds largest mall. It's pretty near to us (just a few kilometers via highway 42) and so, we visit it sometimes to do some shopping. Parking is free and there is the Coca-Cola Oase, which contains all kinds of (fast) food. But you better don't visit it on Saturdays, especially not in the weeks before christmas.

my way to use strong passwords and still use them in a comfortable way
So, here we go. Heartbleed is a small bug in OpenSSL. But it's used widely. From OpenVPN software, to webservers, having OpenSSL generated certificates to endless websites and applications, storing information using OpenSSL libs.

The consequence is to change ALL YOUR PASSWORDS. NOW! That may sound like a joke and even I thought: Oh dear, that's a lot of passwords for all the services and all the websites I registered since I use the internet back in 1996. But luckily, today, you have tools to help you. I am still switching pretty often between Linux and Windows and so, the obvious choice was KeePass2. It runs on all bigger platforms, incl. Android (Keepass2Android). Also, there's a great little AddOn called KeeFox for Firefox which connects to the local running KeePass2.

I generate my new passwords using KeePass2 itself. Thanks to KeeFox, this is quickly done (if you enable their toolbar). Bit before you start generating new passwords, you should make some settings to generate very strong passwords.

Open your KeePass2 and select from the menu "Tools" -> "Generate Password...".

KeePass2 password settings dialog

If you've made your settings (or have selected a profile), you can hit "Ok". This will generate a random, strong password in the folder you're currently in. Quickly delete this entry and also the garbage (you should always empty the garbage!).

Now, you can create stronger passwords using the KeeFox toolbar.

KeeFox generate password dialog
Sorry, German text, but you get the idea ;)

Mobile Access

So far, so good. But if you want to work with different computers or your mobile with Keepass2Android, you now need a way to store the kdbx database, where your mobile can reach it. My idea was to store it on a secret (as much as something on the internet could be secret ;)) WebDAV server which runs a new version of OpenSSL and has a fresh generated SSL certificate (talking of self-signed, of course). Have a good password for the WebDAV user, too!

On your mobile, you can select WebDAV (https) inside Keepass2Android to access this partical database kdbx file.

Windows & Linux Access

On your clients, you could work with WebDAV as well, or maybe (win)sshfs. I prefer the latter option and mount the folder which contains the kdbx database file on the server to a path in Linux or a drive letter in Windows. Opening KeePass2 on your client, you should now select this file and start generating strong passwords for all your accounts.

Drawbacks of this variant

Sure, there's a drawback in my way: You have to run (win)sshfs and KeePass2 all the time in the background AND it has to be unlocked. That could become a security problem in a company - so be aware of this!

Whatever you do, which tools or methods you use, just be sure to change your passwords NOW! The above shown is just an example how to create a comfortable way, but you see, comfort and security (once again) does not work very well together. If you are German reader, you might also want to read Seraphyns Post "Tabula Recta für sichere Passwörter".

The FreeBSD Journal Issue #2 is now available! You can get it on Google Play, iTunes, and Amazon. In this issue you will find captivating articles on pkg(8), Poudriere, PBI Format, plus great pieces on hwpmc(4) and Journaled Soft-updates. If you haven't already subscribed, now is the time!

The positive feedback from both the FreeBSD and outside communities has been incredible. In less than two months, we have signed up over 1,000 subscribers. This shows the hunger the FreeBSD community has had for a FreeBSD focused publication. We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD.

The Journal is guided by a dedicated and enthusiastic editorial board made up of people from across the FreeBSD community. The editorial board is responsible for the acquisition and vetting of content for the magazine.

You can find out more information about the Journal by going to Or, subscribe now by going to the following links for the device you'd like to download to:



Google Button

Your subscriptions and the advertising revenue the Journal receives will help offset the costs of publishing this magazine. So, consider signing up for a subscription today! 

We know you are going to like what you see in the Journal! Please help us spread the word by tweeting, blogging, and posting on your FaceBook page. You can also help by asking your company to put an ad in the Journal. For advertising information contact

And, don't forget you can support the Journal and FreeBSD by making a donation today!

Heute habe ich einige Zeit damit zugebracht, IntelliJ Idea 13.1 mit unserem Subversion ans Laufen zu bringen. Offensichtlich gibt es einige Bugs, die die Zusammenarbeit mit SVN 1.7 leider erheblich erschweren.

Eine der Möglichkeiten, diese Problematik zu umgehen ist, einfach einen Kommandozeilen-Client für SVN zu nehmen. IntelliJ kann diesen direkt einbinden (Settings -> Version Control -> Subversion -> General -> Use command line client). Unter Windows kann man hierfür zum Beispiel das Binary von SlikSVN nehmen. Damit hat man dann ein SVN-Binary, das man dort nutzen kann. Außerdem ist – bei aktuellem SVN – auch direkt eine Working Copy in Version 1.8 möglich.


Denn ab jetzt kommt bei jedem Commit die Fehlermeldung “Could not Commit: wrong revision” (oder so ähnlich). Komisch … direkt mal untersucht: Commit wurde erfolgreich durchgeführt, Working Copy ist auch korrekt, trotzdem schmeißt IntelliJ diesen Fehler?

Ein wenig auf der Kommandozeile (aka: DOSBox) rumgespielt, den Quelltext der entsprechenden IntelliJ-Klasse angeschaut und dann dämmerte es so langsam …

Beim Nutzen des SVN Kommandozeilen-Clients wird die Rückgabe nach einem Commit geparst, um die neue Revision zu bestimmen. Anscheinend wird dabei angenommen, dass das Programm immer auf Englisch läuft und die Ausgabe daher “Committed revision 123″ lautet. SlikSVN installiert jedoch standardmäßig auch Übersetzungen mit – die Meldung lautet daher “Revision 123 übertragen”. Dies kann IntelliJ nicht korrekt interpretieren, deswegen wird die Fehlermeldung geschmissen. Also einfach die Übersetzungen von SlikSVN deinstallieren, dann klappt auch diese Kombination.

Ich weiß nicht, ob dies nur bei nicht-englischen Windows-Systemen auftritt, aber zumindest ist es etwas, was mich heute geschlagene drei Stunden meiner Zeit gekostet hat!

Nature Sightseeing Dennis Klein | 2014-04-10 19:00 UTC

little tour through the nature nearby
We've a lot of bike roads around the corner. Those are great to drive on, but they are all next to bigger roads. I wanted to enjoy the nature a bit more today, and so I had planned a little tour next to the small stream, called "Moersbach" (named after our wonderful city :)).


Something I had not in mind: it makes awesome fun to ride the bad tracks, which are mainly made for walking. It's like a light version of cross biking ^^

Tour 10.4. 1
Tour 10.4. 2
Tour 10.4. 3
Tour 10.4. 4
Tour 10.4. 5
I admit, I love this restaurant you can see in the middle. Café del Sol. Their "Schnitzel del Sol" is awesome! Yummy!

Tour 10.4. 6
It's not as if there is nothing on the right, even if there is just a lonely arrow facing into this direction. It's the way to the city of Moers, 2 hospitals and some other important things. I'm really wondering about this shield.

Security and Tools via Planet Gentoo | 2014-04-10 09:51 UTC

Everybody should remember than a 100% secure device is the one unplugged and put in a safe covered in concrete. There is always a trade-off on the impairment we inflict ourselves in order to stay safe.

Antonio Lioy

In the wake of the heartbleed bug. I’d like to return again on what we have to track problems and how they could improve.

The tools of the trade

Memory checkers

I wrote in many places regarding memory checkers, they are usually a boon and they catch a good deal of issues once coupled with good samples. I managed to fix a good number of issues in hevc just by using gcc-asan and running the normal tests and for vp9 took not much time to spot a couple of issues as well (the memory checkers aren’t perfect so they didn’t spot the faulty memcpy I introduced to simplify a loop).

If you maintain some software please do use valgrind, asan (now also available on gcc) and, if you are on windows, drmemory. They help you catch bugs early. Just beware that sometimes certain versions of clang-asan miscompile. Never blindly trust the tools.

Static analyzers

The static analyzers are a mixed bag, sometimes they spot glaring mistakes sometimes they just point at impossible conditions.
Please do not put asserts to make them happy, if they are right you just traded a faulty memory access for a deny of service.

Other checkers

There are plenty other good tools from the *san family one can use, ubsan is maybe the newest available in gcc and it does help. Valgrind has plenty as well and the upcoming drmemory has a good deal of interesting perks, if only upstream hadn’t been so particular with release process and build systems you’d have it in Gentoo since last year…

Regression tests

I guess everybody is getting sick of me talking about fuzzy testing or why I spent weeks to have a fast regression test archive called playground for Libav and I’m sure everybody in Gentoo is missing the tinderbox runs Diego used to run.
Having a good and comprehensive batch of checks to make sure new code and new fixes do not have the uncalled side effect of breaking stuff is nice, coupled with git bisect makes backporting to fix issues in release branches much easier.


We have gdb, that works quite well, and we have lldb that should improve a lot. And many extensions on top of them. When they fail we can always rely on printf, or not

What’s missing


If security is just an acceptable impairment over performance in order not to crash, using the tools mentioned are an acceptable slow down on the development process in order not to spend much more time later tracking those issues.

The teams behind valgrind and *san are doing their best to just make the execution three-four times as slow when the code is instrumented.

The static analyzers are usually just 5 times as slow as a normal compiler run.

A serial regression test run could take ages and in parallel could make your system not able to do anything else.

Any speed up there is a boon. Bigger hardware and automation mitigates the problem.


While gdb is already good in getting you information out of gcc-compiled data apparently clang-compiled binaries are a bit harder. Using lldb is a subtle form of masochism right now for many reasons, it getting confused is just the icing of a cake of annoyance.


So far is a fair fight between valgrind and *san on which integrates better with the debuggers. I started using asan mostly because made introspecting memory as simple as calling a function from gdb. Valgrind has a richer interface but is a pain to use.


Some tools are better than other in pointing out the issues. Clang is so far the best with gcc-4.9 coming closer. Most static analyzers are trying their best to deliver the big picture and the detail. gdb so far is incredibly better compared to lldb, but there are already some details in lldb output that gdb should copy.


I’m closing this post thanking everybody involved in creating those useful, yet perfectible tools, all the people actually using them and reporting bugs back and everybody actually fixing the mentioned bugs so I don’t have to do myself alone =)

Everything is broken, but we are fixing most of it together.