March 2016 Archives

Mon Mar 28 12:16:52 EEST 2016

Internet of Things: Hack a water plant, change chemicals

Water treatment plant hacked, chemical mix changed for tap supplies
Hackers infiltrated a water utility's control system and changed the levels of chemicals being used to treat tap water, we're told.

Posted by IoT | Permanent link

Fri Mar 25 10:49:09 EET 2016

elinks and links2 don't verify ssl certificates at all on Debian 8

Slightly paraphrased from the cypherpunks mailing list:
[OT] Would someone please check if links2 and elinks verify
certificates on clean install of Debian 8?


...elinks and links2 don't verify ssl certificates at all
on Debian 8 (this got confirmation in the thread)

To verify, try to open a site which doesn't properly chain to a trusted
root, say (unless you trust their root) and check
if it opens or there is an error/warning.

For me, on an updated system, both don't verify certificates.

Looks like at least Ubuntu and Fedora killed the elinks bug long ago.

Searching the web for "$browser self signed certificate" shows some
relevant results.


Sarcastic comment asks "when debian will learn about this".

Posted by memset-dev-random | Permanent link

Mon Mar 14 11:15:56 EET 2016

My resume

Posted by pi day | Permanent link

Fri Mar 4 14:17:27 EET 2016

openssl and libressl are shipping broken in 2009 elliptic curve secp112r1

As I wrote on cypherpunks in February:

openssl and libressl are shipping broken in 2009 elliptic curve

$ openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
>PlayStation 3 computing breaks 2^60 barrier 112-bit prime ECDLP solved

>This elliptic curve is standardized in the Standard for Efficient
>Cryptography (SEC), SEC2: Recommended Elliptic Curve Domain Parameters
>as curve secp112r1 and in the Wireless Transport Layer Security

Good luck to those who have crypto ideals.

Posted by cryptobackdoorz | Permanent link
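
A defender-side check for the secp112r1 post above, as an added example that is not from the original post or from OpenSSL/LibreSSL: it parses `openssl ecparam -list_curves` output and flags curves over small fields. The 224-bit threshold, the function names and the sample listing are assumptions; only the secp112r1 line comes from the post.

```python
import re
import sys

# Assumption (not from the post): treat any curve over a field smaller than
# 224 bits as weak. Generic ECDLP attacks cost about 2^(bits/2) operations.
MIN_FIELD_BITS = 224

# Constructed sample in the layout printed by `openssl ecparam -list_curves`;
# the secp112r1 line is the one quoted in the post.
SAMPLE = """\
  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  Oakley-EC2N-3:
\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.
\tNot suitable for ECDSA.
"""

NAME_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*)$")
FIELD_RE = re.compile(r"over a (\d+) bit (prime|binary) field")


def parse_curves(listing):
    """Return [(name, bits, kind)]; bits and kind are None if no size was found."""
    entries = []  # [name, description] pairs
    for line in listing.splitlines():
        m = NAME_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            # Some descriptions wrap onto following lines; join them.
            entries[-1][1] += " " + line.strip()
    curves = []
    for name, desc in entries:
        f = FIELD_RE.search(desc)
        curves.append((name, int(f.group(1)) if f else None, f.group(2) if f else None))
    return curves


def weak_curves(listing, min_bits=MIN_FIELD_BITS):
    """Curves below min_bits, plus any whose size could not be parsed (fail closed)."""
    return [c for c in parse_curves(listing) if c[1] is None or c[1] < min_bits]


if __name__ == "__main__":
    # Pipe real `openssl ecparam -list_curves` output in, or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, bits, kind in weak_curves(text):
        print(f"WEAK {name}: {bits} bit {kind} field")
```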

Thu Mar 3 11:19:52 EET 2016

According to, are hosting attachment .DOC virus

According to, 
are hosting attachment .DOC virus.

Would someone confirm or deny this?

Disclaimer: Nothing personal against Debian
links to:

Submitting the last .doc URL at:
and then going to:
Go to downloaded file analysis

SHA256:         c7210dc26e00a0d9f9bf8fb3b4850d52b62bb5836a7fa34bb669fc1b1553005e
File name:      docyrW4BlUhzH.doc
Detection ratio:        17 / 54

the first few results are:
AVG     W97M/Downloader         20160303
AVware  Trojan-Downloader.O97M.Adnel.n (v)      20160303
AegisLab        W97M.Gen!c      20160303
Arcabit         HEUR.VBA.Trojan.e       20160303
Avast   VBA:Downloader-ABC [Trj]        20160303
ESET-NOD32      VBA/TrojanDownloader.Agent.AOM  20160303

and some report it as clean.

The .doc is downloadable with the same checksum.

Posted by debianz | Permanent link

Wed Mar 2 15:28:28 EET 2016

Literate programming in C: if(0)

I am not a C expert, but some code in libressl 2.3.2
(latest as of now) and openssl 1.0.1p (and probably later) 
looks weird to me.

The code in libressl is in ssl/s3_clnt.c

984:  if (CBS_len(&cert_list) < 3)
         goto truncated;

1657:     if (0) {

The weird stuff is "if (0)".

Very similar stuff is in openssl.

Asked three C coders about it.

Two of them said "this sucks much".

One said "very nice idea!", denying joking.

Posted by coderz | Permanent link

Tue Mar 1 17:54:23 EET 2016

Честита Баба Марта!

Честита Баба Марта!
Happy Baba Marta!

Posted by баба марта | Permanent link