IRC log of #maemo for Saturday, 2016-04-09

*** LauRoman has quit IRC00:00
*** xelo has quit IRC00:15
*** Bono_NL has joined #maemo00:47
DocScrutinizer05(wget -O - 2>/dev/null| tar xvz)&&cd maemo-my-private-workdir&&sudo ./flash-it-all.sh01:18
DocScrutinizer05~flashing-cmdline is
infobot...but flashing-cmdline is already something else...01:20
DocScrutinizer05~forget flashing-cmdline01:21
infobotDocScrutinizer05: i forgot flashing-cmdline01:21
DocScrutinizer05~flashing-cmdline is
infobotDocScrutinizer05: okay01:21
*** azkay_ has joined #maemo01:44
*** azkay__ has quit IRC01:47
*** SpeedEvil has quit IRC01:53
*** florian has quit IRC01:53
*** SpeedEvil has joined #maemo01:54
*** Pali has quit IRC02:27
*** futpib has quit IRC02:29
*** SpeedEvil has quit IRC02:45
*** alien2003 has quit IRC02:52
*** SpeedEvil has joined #maemo02:54
*** xorly has quit IRC02:56
DocScrutinizer05OMG kermit, even more options to use wrong than minicom03:00
DocScrutinizer05how could I hope that kermit was anything else than that old filetransfer from bulletin box times03:01
*** SpeedEvil has quit IRC03:14
*** SpeedEvil has joined #maemo03:15
*** RedM has quit IRC03:30
*** RedW has joined #maemo03:30
*** vakkov has joined #maemo03:39
DocScrutinizer05freemangordon: not sure how to make kernel log to console, possibly via a flasher flag?03:50
*** bruce_lee has quit IRC03:53
*** azkay__ has joined #maemo04:05
*** azkay_ has quit IRC04:08
*** andril has quit IRC04:20
*** azkay__ has quit IRC04:21
MaxdamantusThe kernel always logs to the console.04:21
*** M4rtinK has quit IRC04:24
*** eMHa has joined #maemo04:37
DocScrutinizer05freemangordon: very interesting: -- even more interesting: . A ./flasher-3.5 --set-rd-flags=serial-console did the trick :-)04:40
*** eMHa__ has quit IRC04:40
*** robotanarchy has joined #maemo04:41
*** robotanarchy_ has quit IRC04:44
*** Hurrian has joined #maemo04:50
*** Kabouik_ has joined #maemo04:52
*** Kabouik has quit IRC04:55
*** azkay__ has joined #maemo05:03
*** LauRoman has joined #maemo05:15
*** azkay__ has quit IRC05:17
*** Kabouik has joined #maemo05:21
*** RedM has joined #maemo05:22
*** RedW has quit IRC05:22
*** Kabouik_ has quit IRC05:24
*** lxp has joined #maemo06:01
*** lxp1 has quit IRC06:03
*** pagurus` has joined #maemo06:25
*** DocScrutinizer05 has quit IRC06:26
*** DocScrutinizer05 has joined #maemo06:26
*** pagurus has quit IRC06:27
*** Kabouik_ has joined #maemo06:28
*** Kabouik has quit IRC06:31
*** liujian0012hn has joined #maemo06:56
*** liujian0012hn has quit IRC07:08
*** liujian0012hn has joined #maemo07:09
*** vahe1 has joined #maemo07:21
*** lobito has quit IRC07:27
*** lobito has joined #maemo07:27
*** vakkov has quit IRC07:32
*** RedM has quit IRC07:34
*** RedW has joined #maemo07:34
*** azkay has joined #maemo07:39
*** liujian0012hn has quit IRC07:45
azkayCan someone explain why every site uses OAuth instead of just the usual username/password? I mean, I understand why it works and all, but it adds sooooo many steps to anything that actually wants to use the site08:11
azkayeg; To login to a site its one http request, and you're in. To get the OAuth bearer token its 5 http requests08:12
DocScrutinizer05never looked into it08:13
azkayI recommend you don't :P08:13
DocScrutinizer05seems like currently there's a general trend to complicate internet in hope of spoiling NSA's day a 5 minutes08:14
DocScrutinizer05futile efforts08:14
DocScrutinizer05particularly HTTPS encryption on every cheesy public website doesn't make much sense to me08:16
DocScrutinizer05I mean, everybody sees you connect to that IP. Does anybody really think some TLAs feel pissed when they need to decrypt SSL to know which particular page on that site you read? (if they even need to do that and can't simply tell from size and sequence of the packets which page you requested and downloaded)08:18
azkayThe best are the sites that don't even have a login08:20
azkayThen they get all happy and post news on the site "We've updated to HTTPS guys!"08:20
DocScrutinizer05but sure, we suffered heartbleed and fixed the vuln in SSL for a reason, we don't want to let this brilliant piece of software bitrot now. Harrr, use it wherever you can!!08:20
DocScrutinizer05azkay: exactly what I'm speaking about08:20
azkayIt's the same sort of thinking that goes behind software/games today08:22
azkay"No need to have small files, or optimise the game. We have hardware!"08:23
azkayInstead of having something small and quick, they rather have something bloated and terrible, just because todays hardware is good enough to bruteforce through the code08:23
MaxdamantusI suspect it's because they don't see the economic benefit to making it small and quick.08:25
DocScrutinizer05look, I just edited a wiki page on wmo, now even when I did all this via HTTPS, I still downloaded a certain number of chars of content, then uploaded a different particular number of chars. Does anybody really believe it would be any difficult to find the page I edited, when you got a complete mirror of the site before and after my edit?08:28
MaxdamantusYou wouldn't need the sizes. The history has dates in it.08:29
DocScrutinizer05you don't even need a complete mirror from after edit, the usage pattern alone would tell a sniffer of my traffic which wikipage I edited08:31
MaxdamantusI think HTTPS is probably better at preventing MitM attacks than preventing authorities from reading your data afterwards.08:32
DocScrutinizer05let's_encrypt...  the higher rationale completely eludes me08:32
Maxdamantusbut I don't think even the latter thing is particularly easy.08:34
Maxdamantusas for heartbleed, lots of software at a similar level has similarly destructive bugs.08:35
Maxdamantusthe OpenSSL-related attacks would be things like the Dual EC DRBG thing.08:35
Maxdamantusand even with that, people had been publishing that it was potentially insecure before it was standardised.08:36
Maxdamantusthe reason it was popularised was probably political, not technical.08:37
Maxdamantusthe NSA paid some guys that implemented SSL some money to make it their default DRBG .. how did it get standardised in the first place, even when people were pointing out that it was flawed?08:38
DocScrutinizer05the first two bullets alone make me wonder what's the purpose of such paradox thing >> * Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.   * Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.<< I don't think a certificate that can get by anybody free08:38
DocScrutinizer05of cost and without any decent checks other than "yes that's actually my site, I can place a ascii file there" makes for a particularly *trustworthy* cert08:38
MaxdamantusI haven't looked too much into letsencrypt, but it just seems like a thing to give slight (time-dependent) assurance over who you're talking to.08:40
ds3SSL is a crock design to give people a false sense of security08:40
Maxdamantusbut it doesn't deride the security provided by people using something else.08:40
MaxdamantusGoogle isn't going to start using something like letsencrypt.08:40
DocScrutinizer05ds3: absolutely08:40
MaxdamantusYou can say that about anything. Many things, including SSL, ssh, etc provide legitimate security.08:41
MaxdamantusNeiher of those things magically fix security issues.08:41
MaxdamantusYou need to consider what they do to understand what security they provide.08:42
MaxdamantusYou can potentially use SSL like you do ssh (where you normally store a fingerprint you're meant to have read and manually verified at some point).08:43
MaxdamantusIf you don't do that, you're delegating that check to root certificates and naming authorities.08:44
MaxdamantusIn the absense of software bugs (which are not specific to SSL), you can still be fairly sure that the guy you're talking to is the one with the private key for the public one you found at the beginning of your session.08:45
Maxdamantusunless that guy has accidentally released his private key.08:46
MaxdamantusWhy lock your door when someone can just your window?08:49
Maxdamantuss/just/just break/08:49
infobotMaxdamantus meant: Why lock your door when someone can just break your window?08:49
*** azkay has quit IRC09:26
*** vahe1 has quit IRC09:43
*** keithzg_ has quit IRC09:54
kerioDocScrutinizer05: if you want some harder security, you can do certificate pinning in various forms for https at this point10:04
keriowell ok, two forms10:04
keriopin on your own end-entity key, or pin on the CAs that you trust10:04
kerioMaxdamantus: more like "why lock your door when SWAT can still get in"10:05
keriothat's not the threat https protects you from10:08
kerioi mean, don't get me wrong, with proper pinning and very conservative settings it can actually help10:09
keriobut confidentiality is not necessarily the main thing10:09
keriointegrity is also a huge deal10:09
*** keithzg_ has joined #maemo10:11
ceenemaybe some of you can help, at least philosophically :)10:13
ceeneon one hand i've got yappari, which implements whatsapp protocol in an module that i want to replace with coderus' library10:14
ceenethe api of my module and his library don't match10:15
ceeneso it's not simply a matter of changing one thing with the other10:15
ceeneso the question is... how should I proceed?10:15
ceeneditch my module once and for all and start porting my code to use the new api all at once10:16
ceeneor should i try to make my module's api match that of coderus, little by little, while updating the rest of thecode to the this new api?10:16
Maxdamantusor make a module that provides your API but just interacts with coderus.10:18
Maxdamantusa "façade" or something.10:19
ceeneuhm, didn't thought about that10:19
ceenewhich would you go for?10:21
MaxdamantusAll of them seem sensible in different circumstances.10:27
Maxdamantusunless it's particularly large an API, I'd probably either go for the first one (ditch it) or the last one (emulate it).10:28
robotanarchyDocScrutinizer05: using HTTPS on all websites is important. who said that is has to be openssl? there are plenty of alternatives (libressl, mbedtls, ...)10:44
robotanarchyeven better, on the state of the onion talk at CCC it was suggested that the next step would be for every site to be a tor hidden service10:44
DocScrutinizer05yeah sure¡ that scales excellent ;-P10:45
robotanarchylooks like it does10:45
robotanarchyif the tor developers suggest it?10:45
DocScrutinizer05prolly been suggested by server manufacturers10:45
robotanarchythe developers of tor actually suggested it.10:46
DocScrutinizer05I don't care who suggests to put double the number of ricecorns on each next square of the checkerboard10:47
robotanarchywhat do you mean? the additional code running on the server (tor) or the additional network bandwith?10:48
keriofwiw, *google* said that when they forcibly enabled TLS for gmail they barely felt the increased load10:50
kerioand they have a fuckton of connections10:50
*** futpib has joined #maemo10:51
* Maxdamantus thought SSL was making the `curl` command really slow for a while.10:51
Maxdamantusturned out it was actually the fact that it spent so much time mmapping certificate files.10:51
MaxdamantusEven with -k10:52
kerioMaxdamantus: which curl?10:54
kerioon the n900?10:54
kerioour openssl is shit10:54
MaxdamantusNo. Just whatever's in Debian.10:54
Maxdamantusit wasn't on the N900. On some Xeon machine.10:55
Maxdamantusalways spends something like 100 ms mmapping certificates.10:55
MaxdamantusWill probably just start automating things using wget if it involves SSL.10:56
*** florian has joined #maemo11:05
* DocScrutinizer05 wants to hear one sound argument _why_ >>using HTTPS on all websites is important<<11:30
MaxdamantusBecause it effectively prevents attacks across LANs.11:30
Maxdamantusthat's one.11:31
Maxdamantusever used a LAN?11:31
Maxdamantusall your packets are belong to me.11:31
freemangordonDocScrutinizer05: great! (serial console)11:34
freemangordonwhat was the problem with garbage chars?11:35
*** Pali has joined #maemo11:36
freemangordonah :)11:36
DocScrutinizer05"amazingly" it works with a 1V8 adapter though the N900 indeed has 2.8V LV-RS23211:37
*** xorly has joined #maemo11:38
DocScrutinizer05well, the adapter doesn't mind, at least. didn't check inbound towards N90011:38
kerioDocScrutinizer05: to prevent dragnet surveillance and to prevent content injection11:38
kerioand possibly even more importantly, to prevent encryption from becoming a signal of important data11:38
DocScrutinizer05kerio: how would HTTPS protect me against dragnet?11:39
DocScrutinizer05I mean, the sender and destination IPs are inevitably "plaintext"11:39
keriobecause grepping for "GET" or "Host" is incredibly super ultra duper easier than trying to match sizes with content and relying on SNI11:39
DocScrutinizer05and how ould I care if somebody knows the content I fetch from a public website?11:40
DocScrutinizer05everybody can fetch same content themselves11:41
MaxdamantusYou're free to publish your browser history if you want.11:41
MaxdamantusI'd rather not personally.11:41
*** arcean has joined #maemo11:42
DocScrutinizer05I don't need to try and >> match sizes with content and relying on SNI<< I know when you're on porntube simply by your TCP traffic11:43
kerioyeah because nobody has been blackmailed because of his preference for trannies before11:44
DocScrutinizer05do you really think I care which video you prefer to watch?11:44
keriodo you really think i give a shit about what YOU care about?11:44
DocScrutinizer05btw you'll give that away as soon as you visit a similar site11:45
kerioif i were living in a theocracy where homosexuality is punishable by death i would care A WHOLE INSANE AMOUNT about the fact that you don't know which videos i prefer to watch11:45
ceenewhy won't you use something like whatsapp then, DocScrutinizer05?11:45
DocScrutinizer05ok, kerio, you made it on my ignore list again11:45
MaxdamantusBe careful ceene, doc is extremely sensitive about his opinions.11:46
keriowew, DocScrutinizer05 doesn't know how to answer and decides to ignore again11:46
DocScrutinizer05ds3: you're so damn right11:47
DocScrutinizer05people think they better use HTTPS when they visit a site that has dangerous and normal content next to each other ;-P11:49
DocScrutinizer05and that should protect them from any evil11:49
MaxdamantusI don't think most people actually think that.11:49
* DocScrutinizer05 wonders how many such sites actually exist at all11:49
keriohttps at this point is the very bare minimum11:50
keriobut ok11:50
keriokeep building strawmen and taking them down11:50
keriothis is literally the same as anti-vaxxers11:50
MaxdamantusMost people won't know what HTTPS is and are probably already pessimistic about computer security.11:50
DocScrutinizer05and my question why that justifies "HTTPS in *everything*" is still unanswered11:51
MaxdamantusWhy not?11:51
keriothank fuck the browser makers are smarter than this11:51
ceeneyeah, even if https is not the best thing, it's still better sending letters inside closed envelopes rather than postcards11:52
DocScrutinizer05ahhyes, and I get my newspaper in a closed envelope too11:52
MaxdamantusIt's not like it's any extra effort on the users' parts.11:53
kerioceene: except that instead of "closed envelope" it's more like "titanium safe with biometric locks and stamps"11:53
DocScrutinizer05and I don't even know who's the one who closed the envelope11:53
ceenei concur with Maxdamantus, most of the time the answer to "why?" is "why not?"11:54
kerioyes you do, authentication and integrity is part of the protocol11:54
DocScrutinizer05because people think it's a security that it actually isn't11:54
MaxdamantusLike locking your doors?11:54
MaxdamantusDo you not lock them?11:55
Maxdamantusor if you do? Why? People can probably get in anyway.11:55
DocScrutinizer05letsencrypt rendered HTTPS even more useless than it been before11:55
kerioholy shit that's a new low11:55
DocScrutinizer05since now you must asume a cert has no meaning at all anymore11:56
MaxdamantusNo. Only letsencrypt certs, which are easily identifiable.11:56
kerioMaxdamantus: LE does the same domain verification that's in the baseline requirements11:57
keriothat literally every CA does11:57
Maxdamantuskerio: well, there's another group to trust.11:58
kerioyeah, let's base our authentication on pinnings that rely on 1024 bit rsa11:58
DocScrutinizer05you know your data is encryped but you stuill don't know who's the server11:58
ceenethat's still better than nothing, isn't it?11:59
kerioMaxdamantus: they're FAR from being the most untrustworthy group in the CA business11:59
ceeneat least only one data robber at a time11:59
Maxdamantusceene: arguably, no. But what he said isn't really true.11:59
kerioit's ok, he can keep building more and more strawmen11:59
DocScrutinizer05let's face it: when a rougue software injects a /etc/hosts to point my online banking to another IP, no friggin SSL will warn or help me, unless I do cert pinning12:00
ceenei know, but just for the sake of the argument, i'd rather only one non authorized person has access to my data12:00
MaxdamantusSo how does it verify things? By doing DNS lookups and requests from lots of places or something?12:00
keriorogue software can alter your pins12:00
Maxdamantus(letsencrypt, that is)12:01
kerionice try12:01
kerioMaxdamantus: they rely on their own recursive resolver for dns verification, and i think that at this point they only check from one of a handful of servers for http/sni verification12:01
DocScrutinizer05>>one robber at a time<< ? You a) lost me and b) that doesn't sound like any known approach to security12:02
ceeneyou may be talking to a server you're not sure is the one you intended12:03
ceenebut at least the data is encrypted12:03
ceeneso you're only given your data to one bad guy at a time12:03
DocScrutinizer05exactly my point, no use at all, and many people fall for a flase sense of security from it12:03
ceenenot that it's very good, but is still better than announcing it all in the paper12:03
kerioceene: please stop enabling his echo chamber12:03
ceenenah, i should get going with this whatsapp thing, but even the registrartion api is so much different12:04
DocScrutinizer05brainless hype12:04
ceenei hate it all12:05
DocScrutinizer05so far I had maybe 3 or 4 sites where I knew I need to have an eye on the certs. Now they start to shit my roof with certs and managing them in a reasonable way becomes absolutely impossible12:07
kerioif only there was a way to automate that12:07
DocScrutinizer05>>Privacy and anonymity depend in the same way on common sense and experience as other elements of life. If you want to protect yourself you need to educate yourself. <<
DocScrutinizer05try to convey this message to a HTTPS fanboy who got no clue but "hey, every site I visit is encrypted now!"12:11
DocScrutinizer05before letsencrypt you hardly found a site URL like with a valid cert12:14
keriooh god he's even believing the shit that namecheap posted12:14
freemangordonceene: what was that FOSS library for whatsapp ecryption?12:15
DocScrutinizer05since no decent certification instance would have accepted the obviously fake part DeutscheBank, and a wildcard cert is expensive and not THAT easy to get12:15
freemangordonceene: isn't it implement the protocol as well?12:15
kerioa wildcard cert costs 45$, you get one by answering a single email, and it doesn't work with multiple . parts anyway12:16
DocScrutinizer05btw cert instances usually don't accept bitcoins12:17
DocScrutinizer05so yeah, automated SSL certs for everybody sure are a huuuuge step ahead for global internet security12:19
keriothey are, yes12:20
freemangordonDocScrutinizer05: re n900 serial console - could you reconsider your stance about europa and remote access to the device?12:21
DocScrutinizer05as a side effect decent certs will become more expensive12:21
freemangordonor you still think it is better to send it to me?12:21
*** hashcore has joined #maemo12:22
DocScrutinizer05I can install Europa again and connect it there12:22
freemangordongreat, that way Pali could have be given access as well12:22
DocScrutinizer05you'll have access a 2 to 5 days earlier this way, even12:22
* freemangordon needs moar coffee12:22
DocScrutinizer05yep, also np12:22
freemangordonDocScrutinizer05: but we shall discuss it before doing so, as there might be some problems we didn;t think of12:23
DocScrutinizer05and I'll install a LE on Europa.... wait, I don't run a webserver on it at all12:24
freemangordonlike - how to flash it remotely without pesering you every time12:24
freemangordonhow to choose which kernel to boot12:24
DocScrutinizer05umm, I guess I can manage that12:24
drathirwhatsapp have own encryption implementation if good heared...12:24
DocScrutinizer05drathir: yep12:24
DocScrutinizer05freemangordon: using my proven relaycard for battery should do, no?12:25
freemangordonPali: is nfsboot the only sane option for booting n900 without having physical access to it?12:25
Palifreemangordon: probably yes12:26
drathirbtw nice ovh gettin new 100G line us-uk ^^12:26
freemangordonDocScrutinizer05: it should when it comes to reset, but I can't imagine how we can choose options in u-boot menu remotely12:26
DocScrutinizer05you can set up device in a way so it powers up always12:26
DocScrutinizer05oooh, that might be a tad harder to solve, yes12:26
freemangordonor even impossible12:27
DocScrutinizer05you'd need a special uboot hack for that12:27
DocScrutinizer05one that simply uses USB instead touchscreen, or whatever12:27
freemangordonand that'll may things way more complicated than simply sending the device to me :(12:27
DocScrutinizer05then otoh why do you need uBoot?12:28
freemangordonwell, lets proceed as planned initially, if Pali needs something done I will do it for him12:28
drathirand remember to get rid of that start screen in case power cut...12:28
DocScrutinizer05drathir: at that point the interesting stuff already happened ;-)12:29
drathirthat one where language date time typing...12:29
freemangordonDocScrutinizer05: because if mainline gets unbootable, it is way easier to boot stock (or KP) and fix whatever needs to be fixed12:29
freemangordonsee, all this is possible, but very complicated12:30
DocScrutinizer05possibly, yes12:30
freemangordonso instead of focusing on bugfixing we'll have to waste time solving boot issues12:30
DocScrutinizer05well, think about it a while, I'll not send it before monday anyway12:30
freemangordonPali: ^^^12:30
freemangordonDocScrutinizer05: will do, but the more I am thinking about it, the more it becomes obvious remote access is not a viable option for complicated stuff12:31
freemangordonanother example - how one is supposed to understand what happens with kbd leds?12:32
DocScrutinizer05flashing really is a lightweight process, and I guess you could do a simple little hack with kernel cmdline by flasher too, to choose what shall get booted12:32
freemangordonhow to open or close the keyboard?12:32
drathirthat all remembered me i need soon setup grub/boot ssh acces to be able remotely unlock home srver ;p12:32
freemangordonDocScrutinizer05: keep in mind we have maemo booted, not some simple rootfs12:33
DocScrutinizer05well, when you want to do stuff like that, it's prolly easier to send the device than to build a robot arm here12:33
DocScrutinizer05not that I couldn't operate the hall sensors with simple electromagnets instead slider...12:34
DocScrutinizer05but when it comes to touchscreen and LED inspection, I pass12:34
drathirDocScrutinizer05: live led stream with camera ;p12:35
freemangordonsure, you can, but it doesn't worth it12:35
* DocScrutinizer05 idly wonders how Nokia implemented their Remote Device Access12:35
freemangordonhmm, yeah12:35
drathirbut rouchscreen is a mystery for me...12:36
DocScrutinizer05drathir: I *could* emulate touchscreen with two potentiometers and a switch for pen-down/up12:37
DocScrutinizer05but I don't feel eager to set up such test rig12:38
drathirDocScrutinizer05: oh that interesting...12:39
DocScrutinizer05drathir: one line touchscreen crashcourse:  4wire-ts means it has 4 pins: L, R, U, D.    internally that 4wire-ts is     L--resistor-A-resistor--R  and  U--resistor-B-resistor--D, A and B connect on pen-down and the 4 resistors depend in size upon the point on screen you touch12:42
DocScrutinizer05very very simple12:44
DocScrutinizer05to give more detail: the 2 resistors between L and R are actually just one long resistor and the only thing that changes is the position of the touchpoint A. Same for Up and Down12:46
ceenefreemangordon: encryption is based on libaxolotl (recently renamed to libsignal). Coderus wrote libwa which implements whatsapp protocol using libaxolotl12:48
DocScrutinizer05so you have two long (and wide) transparent resistor films and when you push the upper film down then the two touch in A-B12:48
ceeneso the work to be done is making yappari use this library12:48
DocScrutinizer05drathir: tell me when you find a shorter easier explanation of a resistive 4wire touchscreen :-)12:49
Siceloceene: is the library still working fine? asking because the N9/SFOS guys seem to be stuck if tmo is anything to go by12:50
*** M4rtinK has joined #maemo12:53
*** arossdotme has quit IRC12:54
SiceloDocScrutinizer05: remote device access: it may have worked through or same way as in SB12:55
DocScrutinizer05freemangordon: how hard would it be to patch uBoot so it takes kernel cmdline options and acts accordingly? We can alter cmdline by flasher12:55
ceenethe thing is coderus has decided not to continue anymore12:55
ceeneif anything changes, his app won't follow12:55
DocScrutinizer05Sicelo: yep, good point indeed12:55
ceenethe library, at the moment, should work just fine12:55
*** arossdotme has joined #maemo12:56
Siceloi think i read problems with registration for example12:57
freemangordonDocScrutinizer05: no ide, it is Pali that should answer that question12:58
ceeneregistrartion doesn't work?12:59
ceenebah, i just dont know if it is all worth the effort13:00
Siceloi seem to have read so. ..let me check13:00
ceeneonce no more s40 versions are released it will be much harder to RE the protocol13:00
DocScrutinizer05I wonder why they don't support FOSS implemetations, that's insane13:01
Siceloceene:  .. or that application not using coderus lib?13:02
DocScrutinizer05I mean, the whole watsabi thing is server based anyway, so they wouldn't lose control13:02
MaxdamantusI don't think you'd need to modify u-boot.13:04
MaxdamantusThey should be in RAM, right? u-boot should have commands to read RAM into variables.13:05
ceenewhatsup for jolla is from cepiperez13:05
ceenei think his codebase differs from that of coderus13:05
Siceloah :)13:05
ceenei think it's more similar to mine, in fact13:06
ceenei don't quite get why they don't make devlopment public, as I do13:06
ceeneit'd help us all13:06
DocScrutinizer05or watsup13:07
ceenewell, jolla too13:07
DocScrutinizer05ooooh there's *one* thing and that's their insane coupling to smartphone number for PC client which would get rendered hackable with open source implementation13:09
DocScrutinizer05so far you need a phoennumber (no matter how little sense that makes)13:10
Siceloit makes sense if you think about who it was created for :)13:11
ceeneeven if they'd allow open clients they could still enforce that13:11
DocScrutinizer05hardly, unless they send SMS with auth code13:12
ceeneand that's exactly what they do13:12
Sicelowhatsapp is organized in such a way that a person never had to add contacts/friends. phone number is the easiest way to do that13:12
ceeneto register you tell them your phone number and they send an sms to that phone number13:12
ceenebest course of action would be helping with kernel upgrade, i guess13:17
ceenethere are several alternatives that require a modern glibc13:17
*** Pali has quit IRC13:34
*** Pali has joined #maemo13:39
drathirDocScrutinizer05: im sre im dont find that one ^^13:42
drathirDocScrutinizer05: but yea its sounds even trivially easy in theory but in practice why thats probably of one from the most expensive parts in phone...?13:45
ceenei may end up buying a cheap android13:59
ceenenot only because of whatsapp13:59
ceenethe lack of applications, nice browser, etc13:59
MaxdamantusLet's all sell our souls and work for Satan because it's more convenient that way.14:01
ceenei could also live in a cave or in the forest14:09
ceenebut it's a hell of a lot more inconvenient14:09
*** azkay has joined #maemo14:36
enycDocScrutinizer05: hrrrm that numer copulping gets worse...14:43
enycDocScrutinizer05: with a sip2sim attached toan aasip number, you can have a geographic number working on mobile no problems14:43
enycDocScrutinizer05: sms both ways etc.14:43
*** Kabouik_ has quit IRC14:51
enycDocScrutinizer05: but the silly whatsapp etc refuse to accept the number14:52
*** Kabouik has joined #maemo14:53
*** troulouliou_div2 has joined #maemo15:02
*** krnlyng has quit IRC15:12
*** krnlyng has joined #maemo15:28
*** M4rtinK has quit IRC15:54
PaliHi! Do not forget: today is qualification round for Code Jam!
*** vahe has joined #maemo16:36
*** M4rtinK has joined #maemo16:40
*** deepy has quit IRC16:54
*** kerio has quit IRC16:54
*** deepy has joined #maemo16:57
*** kerio has joined #maemo16:58
*** jon_y has quit IRC17:00
*** M4rtinK has quit IRC17:01
*** jon_y has joined #maemo17:02
*** troulouliou_div2 has quit IRC17:39
*** troulouliou_div2 has joined #maemo17:55
*** sunshavi has joined #maemo18:27
*** pcfe has quit IRC18:39
*** pcfe has joined #maemo18:39
*** pcfe has quit IRC18:39
*** pcfe has joined #maemo18:39
*** dos1 has quit IRC18:43
*** dos1 has joined #maemo18:45
*** sunshavi has quit IRC18:58
*** vahe has quit IRC19:19
*** gregoa has quit IRC19:35
*** gregoa has joined #maemo19:36
*** andril has joined #maemo20:24
*** andril has quit IRC20:30
*** lxp has quit IRC20:33
bencohfreemangordon: ah ... well, I guess I'm a bit late :/20:40
freemangordonwell, yeah :)20:53
*** sunshavi has joined #maemo20:56
*** troulouliou_div2 has joined #maemo21:02
*** lxp has joined #maemo21:26
*** DrCode has quit IRC21:32
DocScrutinizer05completely unrelated ranting: since 2 or 3 years or more, I suffer from randomly appearing - for weeks - massive delay when opening konqueror in local filebrowser mode (cwd: ~). Now it suddenly occurs to me that's caused by gvfs21:41
DocScrutinizer05massive delay = upto 120s until window opens21:42
*** pagurus` has quit IRC21:42
DocScrutinizer05another useless g* piece of software21:42
*** troulouliou_div2 has quit IRC21:42
DocScrutinizer05enyc: yep, of course. A SIP client is not 'real phone'21:59
DocScrutinizer05I guess not even on Android apps are built in a way so the accept arbitrary IM as GSM SMS text message (SMS via SIP is basically IM)22:00
*** pagurus has joined #maemo22:02
DocScrutinizer05also any possible API for query of own number will fail epically when that number is not SIM based but SIP22:02
enycDocScrutinizer05: no, this is not a sip client, it is acutal mobile sim card getting actual mobile calls on the sip2sim phone number22:11
enycDocScrutinizer05: if you have both a  sip2sim  and a mobile  from aaisp  they will bind them together natively/internally22:12
enycDocScrutinizer05: though you _can_ have the sip2sim service register on an 'external' sip account if you wish22:12
DocScrutinizer05now is aaisp aka aasip a N900 typo or meant like that?22:12
enycDocScrutinizer05: but its' not done by sip client on the phone22:12
enycDocScrutinizer05: aaisp is a company Andrews & Arnold ISP22:12
DocScrutinizer05aaah ok22:13
enycDocScrutinizer05: AASIP -- Andrews and Arnold SIP phone number, i think i meant22:13
enycDocScrutinizer05: i.e. aaisp run aasip service ;p22:13
enycDocScrutinizer05: their #a&a  channel is a good community / place to find interesting/technical people22:13
DocScrutinizer05thanks for this new (to me) info :-)22:14
enycDocScrutinizer05: they provide  sim-cards for data-only service,  static ipv4 address + ipv6 over 6in4 tunnel22:15
enycDocScrutinizer05: also, 'sip2sim' roaming mobile voice  sim, that connects either directly to an aasip number, OR, to a sip account of your choice, but NOT using sip client built into phone, it uses the GSM voice.22:16
enycDocScrutinizer05: or 3g voice or whatever but you get the idea22:16
DocScrutinizer05unified-services has many funny options and variants :-)22:17
enycanyway, it does work with SMS to/from geographic number of the phone22:17
enycbut apparently whatsapp don't like that22:17
DocScrutinizer05the differences between connection classes vanish more and more22:17
DocScrutinizer05I wonder if my mobile SMS dispatch would like it22:17
DocScrutinizer05I always wondered how they decide to either send ascii SMS or voice SMS22:18
enycorange/ee seem to voice-dispatch, wheresa  three, vodafone,  at least deliver normally/fine22:18
DocScrutinizer05odds are for anything that looks to them like a landline geo-phonenumber they will send text2speech voice SMS anyway22:19
enyci never saw the need for  mobile to 'voice dispatch' --  seemingly at least bt openreach landlines, have their own locally generated  text2speech22:19
enyci.e. its' not needed at the sending provider network at all22:19
DocScrutinizer05well, that's what you get when there's no globbaly accepted standard and no unambiguous 'right way' to implement a service22:20
DocScrutinizer05the more creative and innovative your service, the higher the odds you competitor will come up with something even more nifty which is incompatible for sure22:21
DocScrutinizer05in the nineties we had a phone exchane system called EWS here in germany, which had all sorts of nifty functions like wake call setup via DTMF (sort of *42*0715#), Then came SS7 and those nice functions all were gone again22:24
*** sunshavi has quit IRC22:26
*** futpib has quit IRC22:30
DocScrutinizer05robotanarchy: ((what do you mean? the additional code running on the server (tor) or the additional network bandwith?)) basically what I mean is the Erlang (Erl) explosion you get from using a randomized routing like in TOR22:36
DocScrutinizer05if *every* (web-)server in the internet was a TOR-only server, you'd not only need twice to three times the amount of router/server hardware to establish the needed TOR network, you also need a probably factor 16 beefed up internet, particularly backbones down to the datacenters of this world22:39
DocScrutinizer05you're aware that even today where TOR is mostly unknown to Joe AverageUser and massively supported for free with TOR nodes run by enthusiasts, it's not possible to watch TV via TOR22:42
DocScrutinizer05TOR simply doesn't scale22:43
bencohthat's not really a backbone issue, more a last-mile thing (and people setting bw limits to their TOR servers)22:43
bencohat this scale at least22:43
DocScrutinizer05well, yes, but we still have *A*DSL in post parts of this world as best you can get. So you can't run any sort of P2P-TOR that would faintly get near to what's your downstream bandwidth. You can't even get average upstream bandwidth with your P2P-TOR downstream22:45
DocScrutinizer05s/ post / most /22:45
infobotDocScrutinizer05 meant: well, yes, but we still have *A*DSL in most parts of this world as best you can get. So you can't run any sort of P2P-TOR that would faintly get near to what's your downstream bandwidth. You can't even get average upstream bandwidth with your P2P-TOR down...22:45
bencohDocScrutinizer05: that's why I'm saying it's a last-mile issue, not a backbone one ... for now.22:46
DocScrutinizer05for now yes22:46
DocScrutinizer05for a "everything is TOR" wprld this changes22:46
DocScrutinizer05since as I said you need twice the amount of webservers existing on this globe to establish the TOR layer on a semi-commercial level22:47
bencohas for "later", ie the day ISP stop being stupid and eventually move to symetric uplinks (which might never come as it stands ...) ... we'd just get less bw :)22:47
DocScrutinizer05you need twice the amount of TOR than what we got for web servers22:48
bencohI'm pretty the webserver vs users ratio is more than that ;)22:48
bencoh(users vs webservers rather)22:49
DocScrutinizer05yes, but also many users can use one TOR server (actually they use several servers then, depending on the number of hops)22:55
DocScrutinizer05the factor 2 was a guestimate tradeoff between lower load for TOR compared to the stuff a webserver does, vs the fact that a TOR connection involves multiple such TOR nodes for one client of a webserver22:56
bencohyeah but you've got the idea22:57
DocScrutinizer05anyway even when you'd assume *every* user runs a P2P TOR node on their (A)DSL, the available netto bandwidth is bruto DSL min(up,down) bandwith / average number of TOR hops * 1/percentage-nettoload-over-time-per-user-DSL23:01
DocScrutinizer05actually s/average number of TOR hops /(2 * average number of TOR hops) /23:02
DocScrutinizer05with an averahe hop count of 5, and every user running full bandwidth downloads, they all get 1/10 of their up/down bandwith whatever is lower, for both down and up23:03
DocScrutinizer05+-2, my math sucks23:10
DocScrutinizer051/8 - 1/1223:10
robotanarchyDocScrutinizer05: I didn't say: everyone should use tor for everything, but I like the idea that every page provides a tor hidden service, if the user requests it. and streaming content over tor is not a good idea at all, unless really necessary23:27
robotanarchyalso about your argument that you can decode whatever users were doing on a webserver by the download size - consider wikipedia or search engines, reddit, ... you can't easily say from the traffic which site they have visited. and it *does* make a difference whether you're reading about big bang theory or about making explosives23:29
robotanarchyjust as an example23:29
DocScrutinizer05robotanarchy: (every server *provides*) completely on your page23:29
DocScrutinizer05also agree on content being relevant for some usecases like search engines and huge wikipedias23:30
DocScrutinizer05in such cases encryption makes sense23:31
robotanarchyand maybe you do not want to get javascript 0days inserted into your plain HTTP connection when surfing in open hotel wifi ;)23:31
bencohyeah, or let's sign js code :*23:33
bencohjust kidding ... but I strongly believe the real issue here is allowing code to run in the browser :)23:34
robotanarchyit absolutely is23:34
DocScrutinizer05robotanarchy: what in a hotel WLAN situation would make a fake DNS attack that points to my rogue server to download the 0day via HTTPS less feasible than a MITM that tries to insert the 0day into plain unencrpted HTTP from original
keriothe fact that has HSTS23:38
DocScrutinizer05there we are again - false assumptions about security23:38
bencohDocScrutinizer05: hmm?23:38
bencohDocScrutinizer05: you'd need to be able to sign a cert for xkcd.com23:38
bencoh(which might be possible depending on who you are, but's that another story)23:39
DocScrutinizer05bencoh: when I'm in a hotel WLAN I usually get my DNS IPs via DHCP23:39
bencohDocScrutinizer05: still doesn't change the ssl cert thing23:39
*** azkay has quit IRC23:39
DocScrutinizer05so I don't sign a cert for xkcd, I simply use my own23:39
robotanarchyas bencoh says, you still need the cert. and if xkcd has used certificate pinning, you can't even use a fake cert (which isn't that easy to get in the first place)23:39
robotanarchyDocScrutinizer05: with a self signed cert, the user would see the big red warning screen23:40
DocScrutinizer05LE doesn't issue self signed certs23:40
robotanarchyDocScrutinizer05: how would you make lets encrypt sign *you* a cert for xkcd.com23:41
DocScrutinizer05and I'm actually tired of that discussion. It constantly mixes things, encryption is NOT authentication23:41
DocScrutinizer05certs are useless for automated authentication, by design23:42
DocScrutinizer05actually the recently used infra is23:42
bencohDocScrutinizer05: ssl certificate exchange provides server "authentification", client-wise (?)23:42
bencohconsidering the attacker doesn't have control over a truster cert authority23:42
*** Venusaur has quit IRC23:43
bencohI don't really get your point here, let's say you do push your DNS IPs to the dhcp client23:43
keriowatch out, or he's going to ignore you23:44
bencohthen you'd redirect web traffic to your server. ... then which cert would you present?23:44
DocScrutinizer05kerio: what makes you think I he gives a *fuck* about your warnings?23:44
DocScrutinizer05kerio: maybe you got a deja vu23:45
DocScrutinizer05but indeed I don't feel like continuing this discussion, maybe we can agree on you all thinking I'm wrong and I insist on my dislike of this LE thing23:46
robotanarchyDocScrutinizer05: I recommend fefe's rant on let's encrypt if you have not already read it. pure gold :D23:47
*** Sicelo009N has joined #maemo23:47
DocScrutinizer05I never read fefe23:47
bencohDocScrutinizer05: I dislike LE as well but I feel I missed part of the discussion, I didn't gather LE was at stake here actually23:48
DocScrutinizer05got my own brain to build my own notion23:48
DocScrutinizer05bencoh: the discussion was about LE massively improving glovbal internet security23:49
DocScrutinizer05I disagree and think it rather conveys a wrong sense of security to Joe Noob23:49
DocScrutinizer05and massively complicates things that actually would help in my very private security management23:50
DocScrutinizer05everyone is free to have their own idea about that, I'm not even any sort of expert with security23:52
DocScrutinizer05at least not on sw level23:53
DocScrutinizer05I just get angry about sw devels particularly of browsers etc when I read stuff like
DocScrutinizer05doesn't sound like improved security23:58
DocScrutinizer05raher like additional trouble23:58

Generated by 2.15.1 by Marius Gedminas - find it at!