[EN] Dovecot full text search (Squat) indexer memory tip

Not so long ago Squat was announced: an integrated full text search (FTS) engine within Dovecot that needs basically no additional software. This makes using FTS much easier within Dovecot. But there is one thing that cannot be found elsewhere on the internet: by default the memory limit for the FTS indexer is only 256MB, which is probably not enough for mailboxes with more than 10,000 emails in them. You end up with errors like this in /var/log/mail.err: dovecot: indexer-worker(mail@domain.com): Fatal: master: service(indexer-worker): child 2394 returned error 83 (Out of…
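The fix is a per-service memory limit in the Dovecot configuration. The fragment below is an added example and not configuration from the original post: it assumes Dovecot 2.x syntax, and the 1G figure is a chosen value, not one the post states. The 256M default comes from Dovecot's global default_vsz_limit, which every service inherits unless it sets its own vsz_limit.

```conf
# Added example (not from the original post). Assumes Dovecot 2.x conf
# syntax; the 1G value is an illustrative choice, size it for your largest
# mailbox. Put this in dovecot.conf or a conf.d/ snippet and reload Dovecot.

# What you get without any change: the indexer-worker inherits
# default_vsz_limit, which is 256M unless overridden, and large mailboxes
# make the worker die with "Out of memory".
#service indexer-worker {
#  vsz_limit = 256M
#}

# Raised limit for the FTS indexer only; other services keep the
# global default, so a bug in one of them cannot eat the whole box.
service indexer-worker {
  vsz_limit = 1G
}
```

Leave default_vsz_limit alone rather than raising it globally: only the indexer needs the headroom, and the per-service limit is what keeps a runaway process from taking the server down. After a reload, `doveconf service/indexer-worker` should show the new vsz_limit, and the "Out of memory" line should stop appearing in /var/log/mail.err.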


[EN] The current state of certificate revocation (CRLs, OCSP and OCSP Stapling)

OCSP and its PKI aspects: Public Key Infrastructure is crucial in today's use of the internet. A PKI is an infrastructure with the means to manage (create, validate, revoke) digital certificates within that system. Within a Public Key Infrastructure, certificates are used to ensure confidentiality and integrity between entities. The biggest example of a PKI is websites served over HTTPS (HTTP over SSL/TLS). Digital certificates can be created by anyone, but this does not mean they will be valid within a PKI. To make a certificate valid within a PKI, a certificate authority (CA) needs to veri…


[EN] The troubles of Hotmail/Gmail with your own mailserver (postfix) and how to fix them!

So you have set up your own mailserver with Dovecot and Postfix and it's working fine (DKIM, SPF etc.), except for sending mail to Hotmail and Gmail. The problem: sending mail to Hotmail/Gmail. Guess what, you are not the exception: many people with small self-hosted mailservers complain about Gmail and especially Hotmail. Their spam filters are unusually hard to satisfy, and getting delivery to work is a real pain. As a small mailserver your mail will get flagged as spam in no time. But here are some very handy tips to get it working in no time! This solution assumes you already have DKIM/SPF workin…


OverTheWire: Natas 27 writeup


Hints
Hint #1: Take a good look at the dumpData function and at the login mechanism.
Hint #2: The script seems to be resistant to SQL injection, but the database is cleared every 5 minutes. Maybe we can do something with that?
Hint #3: Timing seems to be the key here.

Solution
If you look at the PHP code, it seems the developer protected the code against SQL injection, so it would be pretty hard to fool the login system that way. There are no exploitable functions in the code (such as unseriali…


[EN] remarkable/funny death poses in TF2


This is my collection of remarkable/funny ways dead players end up lying around on TF2 public servers. I will keep updating this post with more funny death scenes :D.

Unique death poses
Dramatic death spy
That one second too late sprint death
Keep hangin' in there mate death
Nailing people to the wall: literally being nailed to the wall.
Drunk demoman: being drunk after his death…


[EN] Where are my Raspberry Pi's at?

Downloading media and fooling around. It all started with one Raspberry Pi model B as an alternative to a server in the basement. There is no room in the basement for a server, and I don't like running fans/HDDs in my bedroom (because of the noise and heat). So I bought myself an RPi B and a USB hub and waited for them to arrive. I reused an old hard drive enclosure as a mount for the portable HDD and connected them up. I used the RPi to host some files, learn some Linux and download media with Usenet and torrents. It was not really fast but did its job well. Not much later I hooked up a second RPi just…


[EN] Status of the WhatsApp privacy problem

About two months ago I released WhatsSpy Public to prove that WhatsApp, six months after the first discovery, still had not fixed the privacy problem where any random user can read the online/offline status of any WhatsApp user knowing only their phone number. It got quite a lot of media attention, up to the point that I needed to disable most services on my server to keep it online. View here all publications (incomplete). Contact with WhatsApp: at the release various news websites (Wired, The Register, Sophos) contacted WhatsApp for a response; only Sophos got an actual response. I quote f…


[EN] WhatsApp Privacy problem explained in detail

Introduction to WhatsSpy Public (not to be confused with WhatsSpy) | WhatsSpy Public Project page. I released a tool this Saturday which gives you some insight into what a "hacker" (or in fact any stranger with some programming knowledge) can conclude about your WhatsApp behaviour. This tool visualizes the following properties of any phone number that uses WhatsApp:
Online/Offline status (even with privacy options set to "nobody")
Profile pictures*
Status messages*
Privacy settings
* only if the privacy option is set to "everyone" (the default)
First some back story: You have these privacy options i…


[EN] WhatsApp privacy is broken!

So there is this menu called "privacy" in WhatsApp. Here you can edit your "last seen", "profile picture" and "status" privacy options. You may think that now you've set all options to "nobody" you are safe privacy-wise. But I can nevertheless still track your moves on WhatsApp. WhatsSpy Public: WhatsSpy Public is a web-oriented application that tracks every move of whoever you choose to follow. This application is set up as a Proof of Concept that WhatsApp is broken in terms of privacy. It tracks the following properties of any WhatsApp user: Online/Offline status (even wit…
