The server is already online in the irc.gg.st pool, and will be used to monitor stability of the new server. If things are stable, the French server will be removed from the pool (before August 15th) and taken offline a few days later.

You can track the operation online.

You probably know SSH at least by its name. It’s a of secure telnet replacement which also allows many other things such as port forwarding, remote file management (with sftp) and more.

With PHP I could write a fully working SSH server in only 3 days. Of course I didn’t implement every single extension there is to SSH, but I’ve implemented:

• SSH2 protocol only (no SSH1, anyway who uses that anymore?)
• Encryption protocols: aes128-cbc,blowfish-cbc,serpent256-cbc,cast128-cbc,3des-cbc (via mcrypt)
• Message digests: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 (via hash)
• No compression as I cannot easily keep a compression context active (the gzip extension in php is missing a way to create a compression context)
• Password and public key (ssh-dss and ssh-rsa) identification
• Ability to program an interactive shell in PHP (there are send and recv functions in a separate class, anyone can have some fun and write something out of that. Should be possible to make a wrapper to communicate with a shell launched with proc_open)
• Support for multiple channels
• SFTP subsystem
• Can be easily extended to add support for custom channels or re-use the ssh protocol for something else

My goal when writing this was to provide a replacement for the FTP protocol for the customers of my hosting service. FTP has many drawbacks, including no encryption (you can with ftps or ftpes) and the way ftp transmits data (another connection has to be opened on a different port, leading most of the time to some problems for people behind a NAT and/or firewalled servers).

With this ssh server supporting sftp, I finally got the replacement I was looking for. Of course it uses more CPU than a C ssh server (about 3 times more) but the difference isn’t that big. Next steps will include fork()’ing to open channels (will allow the SFTP server to chroot) and maybe support for some SSH extensions.

To implement the SSH protocol the following PHP extensions were used:

• OpenSSL: used to generate secure bits when negociating the key, and used to generate the host signature on connection. I was hoping to use openssl_verify() to verify the key used when logging in, but I couldn’t manage to convert the ssh-rsa key to something openssl would understand, so I re-implemented signature verification with gmp.
• MCrypt: The ssh protocol is encrypted (usually with something like AES128). mcrypt has the required functions to handle encryption in block mode
• Hash: each packet transmitted over SSH is optionally signed with a HMAC signature. In order to generate and verify those signatures I used hash_hmac()
• And finally the most important: GMP. As I was missing some functions to properly handle the initial Diffie-Hellman key exchange (and later to implement publickey authentication) I had to re-implement those in PHP. Of course working with 1024 bits integers is not something we can use the native int type for. GMP (and bc) allows such calculations (and I used them). I was missing the ability in gmp to read from/convert to binary values, so I had to add the use of bin2hex() and pack(‘H*’, …) to be able to work with binary values easily. GMP computations are only used when negociating keys (the ssh rfc recommands doing this once an hour, or every gigabyte of data transmitted) or when using the publickey authentification.

What did I create a ssh server for? The same thing I created a DNS server for fun and for KalyHost. In order to provide services updated in realtime I wrote a database-backed dns server a while ago, and now a ssh server (which can be database-backed too by extending the “Base” class).

The sourcecode can be downloaded from the SVN: http://ookoo.org/svn/pinetd2/trunk/code/classes/Daemon/SSHd/ this depends on pinetd2, a framework I wrote which allows to easily create daemons in PHP, and which I already used to create various things (FTP, Mail server, etc).

People willing to help on pinetd2 (code and/or documentation) are welcome. If you do not mind being called crazy because you make something else than webpages in PHP, you can contact me by mail or on IRC (or by leaving a comment on this post too if you wish to).

However microsoft had tried to bill my french CC once more and it failed. Of course it’ll fail but for some reason Microsoft has a weird billing scheme. If it tries to bill but it fails, it will still give you what you tried to pay, then it will bug you every now and then to get your money. This is really stupid (they could just don’t give anything) or really brilliant (they can bill stuff you don’t want then try to get your money claiming you asked for that).

Anyway I had my account expire 12 months later so I didn’t care much. At some point I got annoyed by all those emails so I asked the microsoft support which replied they couldn’t help me with their tools, and told me I should contact phone support…
I just decided to ignore those emails until… until microsoft blocked my account. Yes, they just decided to suspend my account because they couldn’t get the money for 1 month, and aren’t intelligent enough to just remove one month from my current billing period… So I had an account expiring in some 10 months suspended because they couldn’t bill one month…

I then tried to add (again) my japanese credit card to see if I could re-activate my account (I really want to play a game right now to cool off a bit, and I hate it when some american based company tries to stop me) and it WORKED! Yeah! Somehow I could add a japanese credit card to a french xbox live account. I’m not sure if this is a glitch or just that microsoft suddently decided that you could want to move to another country without losing all your achievements, but yes, it worked!!!!

So here I am, finally resolved this problem with Microsoft. I posted about my success on the xbox live forums (this thread, page 14) so we’ll know if this was just a glitch, or if microsoft became intelligent.

We decided to plan addition of some memory today May 28th at 01:00 GMT to go from 6GB to 12GB. The server loved it and is now filling all the newly available space with cache. The server guys were incredibly fast, took only 3 minutes downtime to add the memory. Thanks guys!

Just so you know I absolutely sucks when it comes to drawing stuff, however the pencil tool in gimp seems to give interesting results (maybe). The easiest is to look at my first drawing explaining the structure of a packet and showing a router getting ready to route one of such packets.

The truck represents the link layer (usually ethernet). The idea with this image was to show that a router will usually just look at the IP layer and never look lower unless it is the target of the packet (ie. bgp sessions, etc).

Anyway I’ll see if I can put another image a bit bigger with frames (let’s try 3~4 frames) and a small fun story involving routers and packets (routers don’t have hands, they manipulate and direct packets with thoughts. Having to move hands would make the routing process too long). Now what’s missing is a name for this potential webcomic (and maybe someone to draw the stuff better than I do ; while I think routers are OK as blobs with big eyes, I need to improve my drawing of a truck and a packet)…

Je ne suis pas particulièrement un défenseur d’Hadopi, mais je ne compte pas rester les bras croisés pendant que de telles inepties circulent sur Internet. Nos amis nantais (Trident Media Guard) n’auront pas de difficulté a passer au travers de SeedFuck et déterminer aisément les vraies ips.

Si j’était moi même une société nantaise mandatée par l’état pour tracker les ips qui téléchargent et partagent un fichier torrent donné mon mode opératoire serait légèrement différent. Le processus serait simple:

• Connexion au tracker comme étant un client avec 0% du fichier, le tracker envoie une série de peers auquel je peux me connecter. Le tracker va également publier ma propre IP pour permettre aux peers de se connecter à moi.
• J’établis des connexions aux peers et j’attend d’en reçevoir
• Pour chaque peer qui se connecte à moi, ou que je contacte:
  • Je lui demande une partie du fichier qu’elle a et que mes autres peers n’ont pas ou peu (prévu comme ça dans le standard bittorrent)
  • Une fois la partie reçue je compare son checksum à ce qui est indiqué dans le fichier torrent
  • Si ça match, je stock la partie reçue avec l’ip d’origine, et la date/heure. En effet j’ai sous les yeux un flagrant délit de distribution de données sous copyright par une ip “en personne”

Ce mode opératoire rend la détection du client d’analyse Hadopi difficile (se comporte comme un client torrent, et l’usage d’un client id + une ip dynamique changés chaque jour n’aidera pas a la détection) tout en donnant une preuve irréfutable qu’une IP donnée a participé à un acte de piratage.

Seedfuck se contente d’ajouter dans les IPs connues du tracker de nouvelles IPs aléatoires. Cela signifie pas que ces ips vont réellement distribuer le fichier en question. Tout ce que ça fera est de réduire le ratio de peers valides dans la base du tracker, et diminuer la qualité du téléchargement P2P.

Donc je dis bravo à celui qui a imaginé Seedfuck, y’avais pas mieux pour aider l’état !

FAQ

Y’a écrit dans le brevet de TMG qu’ils n’allaient pas faire comme ça.

On peut espérer pour eux qu’ils n’ont pas prévu de rester sur une méthode unique du début à la fin. Si je peux me permettre de le rappeler, le combat entre le bien et le mal est un combat sans fin où chaque côté a l’avantage un moment, et ne l’a plus le moment d’après (à vous de décider quel côté est le bien et lequel est le mal).

De toutes façons le fait d’avoir breveté une méthode (moisie) ne les empêche pas d’utiliser une autre méthode.

Vérifier un checksum pour un morceau de fichier ne permet pas d’être sur a 100% qu’il s’agit bien du même fichier

Oui non hé ho! On parle là d’une IP qui répond au protocole bittorrent, confirme être sur le torrent en question, et qui a fourni des données binaires pour lesquelles le SHA1 correspond exactement. Les chances d’avoir une collision en SHA1 sont extrêmement faibles, pour le moment aucune collision n’a été trouvée, et les chances de collision sont calculées à 1 sur 2^63, ça laisse du temps).

Même si on ne peut effectivement pas être sur a 100% de rien du tout, c’est du 99.99999% avec de toutes façons une IP qui répond au protocole BT (la méthode TMG est plutôt du genre 70%).

PS: Si vous m’en voulez de donner un mode opératoire qui permet de contourner seedfuck ou n’importe quelle autre méthode en générant un cas de flagrant délit (l’ip en question a fourni un bout de fichier qui correspond au checksum du torrent, et donc est valide), essayez plutôt de vous demander pourquoi vous n’y avez pas pensé vous même.

Recently my French credit card expired. Because of this I couldn’t buy stuff on Apple iTunes store, and my XBox 360 gold account is expiring.

On Apple, I clicked a nice button “Change country”. There I was asked to enter address and billing informations in Japan (Apple probably verified that my credit card was indeed japanese), and once completed, my apple account was japanese. It took only one minute.

Now what about Microsoft? Why wouldn’t they be able to allow one of their customers to update his account informations to a new country, after proving he is indeed in this country?

Anyway this time I’ll pursue this until I get a GOOD reply from Microsoft. I won’t accept stuff like “create a new gamertag”.

This one contains a return enveloppe to “Domain Renewal Group, 56 Gloucester Rd., Suite 526, London, England, SW7 4UB”. I guess since they posted this to France, it’s only normal they put an address somewhere close.

The letter itself is exactly the same you get from “Domain Registry of America”: your domain will expire soon and you have to reply by date D to renew it.

Even if this letter outlines the fact this is not an bill but an easy way to switch to a different provider, direct marketting of domain owners is seen as bad practice, and as far as I know, only them are doing it, and they are now doing it with different names, most likely to mitigate their bad image over new names the customer hasn’t been warned about.

Whois of the domain domainrenewalgroup.com shows it is owned by “Domain Registrar – Domain Registry Group” with an email on droa.com, the well known “Domain Registry of America”.

Some more remarks on the letter:

• It introduce the ability to choose a registrar as something new. It says “Privatization of Domain Registrations and Renewals now allows the consumer the choice of Registrars [...]“. The “now” is likely to confuse almost anyone (ability to be a registrar for com/net/org domains has existed since November 30th 1999)
• The letter focuses on payment and says nothing about the transfer procedure. The customer has no information on the process that will come, with the obligation to unlock domain, etc
• Nothing is said either about services linked to the domain. For example let’s say you have a web hosting with domain name and you pay 40€/year. This letter tells you you can renew for 28€/year, and while explicitly stating this is a domain renewal, most customers won’t make the difference.
  Also, the letter states that not renewing will result into the customer “losing his online identity, making it difficult for his customers and friends to locate him on the Web”. This  sounds like renewing with them will allow the customer to keep his online presence, which is false.
• The second paragraph is formulated in a way that will make most people think they have to renew with them. While it is an impressive work of marketting, it lacks something called ethics.

Most registrars have been tired of the plague brought by DROA, and have to tell their customers that those letters are not bills, because customer won’t read. One would expect after all those years DROA to go out of business, but it’s not the case, and they are probably quite comfortable (when I see the price they ask for, I can understand).

Some day another registrar might decide to use the same kind of letter and attempt to trick people into transferring domains at an outrageous price, let’s just hope the practice will become prosecutable before it happens (it is already technically illegal, as whois information is not made for mass-marketting but for fixing technical problems, still DROA seems to be doing fine).

Current SVN release includes many fixes and improvements, including for SimpleDNSd, the DNS daemon written in PHP.

This includes:

• Support for delegation-only zones: it is now possible to handle TLDs via SimpleDNSd. I did a test by adding “free” domain names to the KalyHost service. Those domains can be ordered for free, and a webinterface is made available to control the domain DNS, allowing you to test SimpleDNSd and see how easily changes are done in realtime.
• Support for PHP new requested feature (PHP bugreport #51295): queries to the DNS daemon were failing or returning wrong data randomly because of this bug. It took me a while to point this out as it was rather random. Basically current PHP implementation of SQLite3 has no “busy timeout”, meaning requests will fail immediatly if database is busy.
  I had to add a busyTimeout() method in SQLite3 (similar to the one already existing for the old sqlite PHP extension) and use it. This means we’ll have to wait for this patch to be added to a current PHP release before pinetd2 can be released as stable.
• PZC: “Progressive Zone Change”. This is one feature no other DNS daemon has (or maybe they do, I don’t know). This feature allows to schedule change of a domain to a new zone. When the scheduled time comes closer, the DNSd will send expiration time smaller and smaller to make records expire on the time the zone will change.

A bit more about PZC:
Let’s say we have domain “example.com” pointing to zone A. Calling API method domainPzc(‘example.com’, ‘B’, time()+86400); will make domain example.com pointing to zone B in 24 hours. In the meantime, no returned record will expire after the scheduled time for zone change: any record obtained 15 seconds before zonechange will be marked to expire in 15 seconds.
This features allow a really precise control of “DNS Propagation”: you decide exactly when zone change will happen. Note that if you have a record in your zone expiring in 3 days, you shouldn’t schedule zone changes less than 3 days before effective date, or it might not have the expected behaviour.

As far as I know, no other DNS server support such a feature allowing to switch to a different zone with full control of when it will “propagate”.

(I know some resolvers out there will not follow expiration times given by the authoritative DNS server, however I like to think those are only a minority, and that PZC will give the expected behaviour for almost everyone)

This had different effect on different registrars. For example french registrar OVH have implemented it a bit too well, resulting in authcodes like “d*zuW.;2t/!>pHbU”, while others have decided that it wasn’t their problem, and just added a prefix to their authcodes. This is the case for example of GoDaddy, whose authcodes are limited in randomness. An authcode will look like: “S1-AF94C9510BA1C”. Yeah right, “S1-” followed by an uppercase hexadecimal string. I’m pretty sure Verisign wasn’t expecting this when they published the new requirement.

Anyway conditions to steal a domain are pretty much complex (you need to have it unlocked, need to know the authcode, and once transfer is started, the current registrant must not ask his registrar to cancel the transfer for 5 days, and even after the domain is transferred, there are ways to get it back – it’s just more expensive). Stealing a domain is a complex operation which will most likely be followed by legal repercussions.

Best thing to do is to check from times to times in a whois that your domain is really showing your name and address. If not, you might need to do something about it before it’s too late. You might want to consider transferring your domain to a company which cares about you (we’ll even fight your old provider if troubles arise, they can refuse transfer only in some specified cases, as long as you are owner of your domain).