This morning I got a phone call from a phone number in Israel. It was Tal, an engineer from Plimus. Tal wanted to know about the issues I had found and what solutions I had in mind. Tal also explained their plans for fixing all issues and all the issues that are involved with changing their API.
I’ll be keeping an eye on Plimus to see how they are doing, but now I’m confident that someone at Plimus understands their security issues and they are working on fixing them....
It’s been a while since my last post about Plimus. I have contacted Plimus multiple times since and still haven’t got any response from someone with even a basic knowledge of security. They did however visit my blog and that gave me enough information to figure out that their customer support system stores passwords in plaintext. But what I want to write about is worse.
Let me start by saying that what I am going to write about is not a bug, not an unpatched piece of software and not a subtle design flaw....
In my last blog post about Plimus I talked about the lack of SSL based security. At some point in time Plimus must have realized this and started looking for a solution. Of course, Plimus is a serious business and can’t afford to break backwards compatibility for their customers and so devised their ingenious “MD5hex encryption” technology.
Let’s think back about the lack of proper use of SSL and the problems that this brings:...
Plimus Inc. is a company that handles online payments for websites. The websites don’t have to deal with all kinds of credit card companies and banks. Just create an account at Plimus and let them handle all your payments. This means Plimus has access to sensitive customer information and they should take extremely good care to protect this information. However, I will try to explain how a few mistakes from Plimus may harm the security of your webshop and the security of your customers....
After a few weeks of frustrating email exchange with the Plimus security people I have decided to write this blog post to warn existing and potential customers of Plimus. The apparent lack of technical knowledge on the side of Plimus and my previous experience in their response to bug reports has given me no hope that these issues will be addressed soon.
I will not give out any details yet, but will try to give some tips to reduce the risk of exposure if you’re a Plimus customer....
Online privacy is a hot issue. In this short tutorial I will show how to use adsuck to block loads of online tracking sites.
First install adsuck:

$ sudo pkg_add adsuck

Now it’s time to configure adsuck. Adsuck needs to know about a DNS server. I have put down two (one as backup):

$ cat /var/adsuck/files/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

Of course you want to find some evil sites to block....
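The lists of tracking sites you find online are rarely clean enough to load as-is: they mix comment lines, varying indentation, mixed case, duplicate hosts and even localhost entries that would be harmful to blackhole. The script below is an added example (not part of the original post) for tidying such a list before handing it to adsuck. It assumes adsuck reads hosts(5)-style files (an address followed by a hostname), which the post does not state; check adsuck(8) on your system before pointing it at the output. The sample list is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post. Normalises a downloaded
# blocklist into hosts(5)-style lines. ASSUMPTION: adsuck loads such
# files; verify against adsuck(8) before using the output for real.

# Constructed sample input: a messy list as downloaded from a tracker-list site.
SAMPLE_LIST='# comment line
127.0.0.1 tracker.example.com
0.0.0.0   ads.example.net   # trailing comment
   pixel.example.org
localhost
127.0.0.1 localhost
TRACKER.example.com
'

# normalize_blocklist: read a list on stdin, emit "127.0.0.1 host" lines.
# Strips comments and blank lines, lowercases hostnames, drops localhost
# (blackholing it would break local services), rejects names with odd
# characters, and removes duplicates while preserving first-seen order.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk 'NF == 0 { next }
         # "addr host" lines carry the name in $2, bare "host" lines in $1
         { host = ($1 ~ /^[0-9.:]+$/ && NF >= 2) ? $2 : $1 }
         { host = tolower(host) }
         host == "localhost" || host == "localhost.localdomain" { next }
         host !~ /^[a-z0-9.-]+$/ { next }
         !seen[host]++ { print "127.0.0.1 " host }'
}

# blocked HOST FILE: exit 0 if HOST appears in the normalised list FILE.
# Exact field comparison in awk avoids grep treating dots as wildcards.
blocked() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v h="$host" '$1 == "127.0.0.1" && $2 == h { found = 1 }
                      END { exit !found }' "$2"
}

# Usage: normalise the sample and check two hosts against the result.
if [ "${ADSUCK_EXAMPLE_RUN:-0}" = 1 ]; then
    printf '%s' "$SAMPLE_LIST" | normalize_blocklist > /tmp/hosts.blocked
    blocked tracker.example.com /tmp/hosts.blocked && echo "tracker blocked"
    blocked localhost /tmp/hosts.blocked || echo "localhost left alone"
fi
```

Run it with ADSUCK_EXAMPLE_RUN=1 to see the sample processed; in practice you would feed the downloaded list on stdin and write the output next to the resolv.conf shown above. Keeping localhost out of the list matters: a blocklist that resolves localhost to a blackhole address silently breaks anything on the machine that talks to itself by name.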
Installing and running Gnome on OpenBSD is easy, but poorly documented. This guide is written for a CURRENT installation just after 4.9 release, but should work on most versions in the past or the near future.
The first step is installing Gnome with all its dependencies:

$ sudo pkg_add gnome-session \
    eog \
    file-roller \
    gdm \
    gedit \
    gnome-applets2 \
    gnome-audio \
    gnome-backgrounds \
    gnome-control-center \
    gnome-keyring \
    gnome-media \
    gnome-panel \
    gnome-screensaver \
    gnome-terminal \
    gnome-themes \
    gnome-utils

Now you want to make sure gdm (the Gnome login manager) starts when you turn on your computer....