Lawmakers are set to approve plans for an enormous new database that will collect biometric data on almost all non-EU citizens in Europe’s visa-free Schengen area. The database — merging previously separate systems tracking migration, travel and crime — will grant officials access to a person’s verified identity with a single fingerprint scan.

Source: Politico

This sounds like Mielke’s wet dream come true. I doubt there’ll be any improvements in security. Just more surveillance and more possibilities for repression.

You see, Internet Explorer is a compatibility solution. We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers.

Chris Jackson at Microsoft. See full article.

Good to see this has finally been clarified. As I have been saying for many years, Internet Explorer is not a browser. It’s a compatibility solution without any right to exist any longer.

That’s because Amazon is spying on you. And if that is not enough bad news for you, then keep in mind that you paid them for spying on you when you bought one of their home-intrusion microphones.

There’s a whole team at Amazon reviewing audio clips in an effort to help the voice-activated assistant respond to commands.

I don’t feel sorry for you. You’ve been warned several times.

According to this article a new bill regarding IT security is being planned in Germany.

If this bill is passed it will be illegal to refuse turning over your credentials (e.g. for social media, e-mail, encrypted devices and other accounts) to government agencies, such as the police.

Punishment could be up to six months of coercive detention, no matter whether their allegations are true or not. Just another step towards the abolishment of constitutional democracy.

In case you don’t like either handing over your credentials or getting detained, I recommend storing sensitive information in a hidden, encrypted volume on an encrypted device. Doing it this way gives you plausible deniability. This is your ultimate “Get Out of Jail Free” card.

To create a hidden volume use either TrueCrypt or VeraCrypt. Both programs are free open-source software.

2019-03-15 @ 10:52: Referrer hell (Browsers | PHP | Security)

Relying on the HTTP referrer is bad. Everyone knows this, but at least the WordPress developers seem to ignore the fact. Also, I never understood why PHP keeps writing HTTP_REFERER with a single “R” in the middle. The correct term would be HTTP_REFERRER.

Anyway, instead of storing the current URL in $_SESSION['HTTP_REFERRER'] as one would normally do, WordPress checks $_SERVER['HTTP_REFERER'] instead.

The PHP documentation is very clear that this referrer is not to be trusted:

‘HTTP_REFERER’
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Imagine the following case: you run WordPress from a sub-folder of the root-directory and the referrer is – for whatever reason – set to the web-root of the server, rather than the web-root of your WordPress installation. In fact this is the case on my development machine; I talk about the reason somewhere below.

Now, when you try to delete/recycle a post/page/whatever, WordPress checks the referrer in post.php at line 55:

$sendback = wp_get_referer();
if ( ! $sendback ||
	 strpos( $sendback, 'post.php' ) !== false ||
	 strpos( $sendback, 'post-new.php' ) !== false ) {
	if ( 'attachment' == $post_type ) {
		$sendback = admin_url( 'upload.php' );
	} else {
		$sendback = admin_url( 'edit.php' );
		if ( ! empty( $post_type ) ) {
			$sendback = add_query_arg( 'post_type', $post_type, $sendback );
		}
	}
} else {
	$sendback = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'ids' ), $sendback );
}

For reference, the code above is taken from WordPress 5.1.1.

So, what happens when the referrer returned by wp_get_referer() contains the wrong URL? You get redirected anywhere but the correct location. The only way to somehow fix this without messing with the code is to disable the referrer entirely. You still won’t get to the correct location, but at least you remain inside the WordPress web-root.

Why is the referrer wrong?

As stated above, the referrer is set by the user agent (e.g. the browser). It seems like my Waterfox does not set the referrer correctly; the problem does not occur in Firefox or Opera, for instance. Looking at about:config in Waterfox, I found the setting “network.http.referer.trimmingPolicy” set to “2”. According to this page it strips the referrer down to its origin, without any path or query string.

Setting it back to its default solved the issue, but it allows the browser to send the full referrer, which is not desirable for privacy reasons. On the other hand, it did not break any other pages besides the WordPress backend, so I guess it’s time for the WordPress developers to fix their code.
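To make the two halves of this post concrete, here is an added example (my own illustration, not WordPress or Waterfox code): it models the three trimmingPolicy values on a constructed admin URL, runs the reduced post.php logic from above against each result, and shows a stricter sendback check that only trusts a referrer inside the installation’s own admin area. The admin URL and the helper names are assumptions.

```php
<?php
// Added example, not WordPress code. URLs below are constructed sample values.

// Mimic network.http.referer.trimmingPolicy: 0 = full URL,
// 1 = scheme+host+path (query stripped), 2 = origin only (what Waterfox had).
function trim_referer(string $url, int $policy): string {
    $p = parse_url($url);
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    if ($policy === 2) {
        return $origin . '/';
    }
    if ($policy === 1) {
        return $origin . ($p['path'] ?? '/');
    }
    return $url;
}

// The check from post.php, reduced to what matters here; $admin_url stands in for admin_url().
function wp_sendback(?string $referer, string $admin_url): string {
    if (!$referer || strpos($referer, 'post.php') !== false || strpos($referer, 'post-new.php') !== false) {
        return $admin_url . 'edit.php';
    }
    return $referer;
}

// Hardened variant (hypothetical): only trust a referrer that lives inside our own admin area,
// otherwise fall back to the edit screen instead of redirecting to whatever the client sent.
function safe_sendback(?string $referer, string $admin_url): string {
    if ($referer !== null
        && strncmp($referer, $admin_url, strlen($admin_url)) === 0
        && strpos($referer, 'post.php') === false
        && strpos($referer, 'post-new.php') === false) {
        return $referer;
    }
    return $admin_url . 'edit.php';
}

$admin = 'https://example.test/wp/wp-admin/';            // constructed installation URL
$full  = $admin . 'edit.php?post_type=page';             // what the browser would normally send
foreach ([0, 1, 2] as $policy) {
    $ref = trim_referer($full, $policy);
    printf("policy %d: referer=%s\n  post.php logic -> %s\n  hardened       -> %s\n",
        $policy, $ref, wp_sendback($ref, $admin), safe_sendback($ref, $admin));
}
```

With policy 2 the referrer collapses to https://example.test/, which passes the original substring checks and becomes the redirect target (the web-root instead of the WordPress backend), while the hardened check falls back to edit.php.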

Looks like the website of the beloved Gnome Connection Manager is dead. I created a clone of the original code and will implement the fix mentioned here as soon as I find the code. It’s somewhere buried in a bunch of data on a pile of hard disks. What a mess!

I don’t like the WordPress plugin directory, so I publish my plugins only on Github. Grab the latest version here. Feel free to fork this. If you find a bug, please create an issue for that. I will have a look at it as soon as I have time.

About two weeks ago I found a bug in Gnome Connection Manager 1.1.0 which allows you to recover saved passwords (e.g. in case you forgot them). To my mind this bug is kinda harmless as long as no one gains access to your gcm.conf file. I informed Renzo Bertuzzi, the author of GCM, and he immediately came up with a fix. Thanks for that! However, since no update is available yet, I will disclose this bug to the public.

What more to say? Enjoy!

I updated the HOSTS file, added compatibility with Android OS and added a simple install script to control the HOSTS file on Windows. I didn’t create an APK since you need root access on Android to update the file, and I think if you’re already root you won’t install this file using an APK. 😉 Just push it to /system/etc and you’re good to go. No need to reboot. Changes apply immediately.


I tested the script on Windows Seven x32 only and would appreciate hearing about your experiences when running it on any x64 version of Windows. Anyway, enjoy!

