Facebook: How to hide your online status or disable chat

After signing in to Facebook, your friends can see that you’re online by default. You can open the chat window in the lower right corner of the window and choose to go offline, but after your next login to Facebook, this setting is lost and you’re online again.

This may not be the way to go for multiple reasons:

  • If I’m logging in to Facebook, this doesn’t necessarily mean that I want to chat. (People who know me probably also know that I don’t use instant messaging at all…)
  • Privacy: I don’t want everyone (of my Facebook friends) to track my use of Facebook.
  • When I use a phone with a Facebook app running in the background, I appear to be online and ready for chatting as long as the phone is connected to the Internet (probably always). This happened at least with the official Facebook app for Android.

So what to do? A friend of mine was so kind to show me a simple procedure to trick Facebook into hiding my status:

Clarification concerning the ICQ 7 security issue

Since ICQ seems to spread inaccurate information about the security issue in ICQ7’s update process, I think I need to clarify:

It is not necessary to successfully attack the user’s machine or his ISP’s network first to use my exploit.

Long version:

Imagine a public hotspot at your favorite café. You have ICQ 7 installed on the laptop that you carry with you to get some work done. You start up your machine and connect to the wireless network.

What you don’t know is that there’s already someone on the café’s hotspot network who wants to harm you or other users of ICQ. He runs the attack code and a simple program to spoof the address of ICQ’s update server on his laptop or even on his mobile phone. The spoofing will affect all clients on the hotspot network, so after your ICQ client starts up, it automatically downloads the malicious update that the attacker wants to run on your computer. Damage done…

I hope this makes it clear why the “theoretical” issue in fact is an issue for people using their computer on networks that are not entirely under their control.

Update on the ICQ 7 update issue

(This is a follow-up to my original posting on a security issue in ICQ 7)

This is what I sent to Bugtraq today after testing the new ICQ 7.4:

UPDATE:

This week, ICQ 7.4 (build 4561) was released. Even though the original
version of my exploit does not work anymore, the vulnerability was not
resolved: ICQ only changed the product ID that is included in the path
to the update file. If every occurrence of "30009" in both python files
(see original announcement below) is replaced by "30011" and afterwards,
a new update.xml is generated using build_update_files.py, the attack
will still succeed.

Note to ICQ engineers if they're reading this: To really fix the issue,
introduce cryptographically signed update files.

If you’re still using the original ICQ client, I can only urge you to switch to another client such as Pidgin. I wouldn’t trust a company that doesn’t even offer an email address to report security issues and that tries to fix security issues in such an inept way…

Also have a look at the clarification on the security issue’s impact.
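What the recommended fix looks like on the client side, as an added example that is not part of the original post or of ICQ's software: the client accepts an update only if the manifest verifies against a vendor public key shipped with the client and the downloaded file matches the hash inside that signed manifest. The key, the file names and the manifest layout are constructed for the demo and are not ICQ's real update format; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Key, file names and manifest layout are constructed for the
# demo; they are not ICQ's real update format.

# Vendor side: create a signing key and sign a manifest that pins the installer hash.
make_signed_update() {   # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/vendor.key" 2>/dev/null
    openssl pkey -in "$1/vendor.key" -pubout -out "$1/vendor.pub"  # ships in the client
    printf 'constructed installer bytes\n' > "$1/setup.bin"
    hash=$(openssl dgst -sha256 -r "$1/setup.bin" | cut -d' ' -f1)
    printf '<update version="2"><file name="setup.bin" sha256="%s"/></update>\n' \
        "$hash" > "$1/update.xml"
    openssl dgst -sha256 -sign "$1/vendor.key" \
        -out "$1/update.xml.sig" "$1/update.xml"
}

# Client side: returns 0 only if the manifest is signed by the pinned key AND
# the downloaded file matches the hash inside that signed manifest.
verify_update() {        # $1 = working directory
    openssl dgst -sha256 -verify "$1/vendor.pub" \
        -signature "$1/update.xml.sig" "$1/update.xml" >/dev/null 2>&1 || return 1
    want=$(sed -n 's/.*sha256="\([0-9a-f]\{64\}\)".*/\1/p' "$1/update.xml")
    got=$(openssl dgst -sha256 -r "$1/setup.bin" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_signed_update "$dir"
    verify_update "$dir" && echo "genuine update: accepted"
    # Whoever controls the network can swap the file, but cannot re-sign the manifest.
    printf 'tampered\n' > "$dir/setup.bin"
    verify_update "$dir" || echo "swapped installer: rejected"
    rm -rf "$dir"
}
demo
```

Changing only a path component such as the product ID does nothing comparable, because the client still runs whatever the server at that address returns.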

ICQ 7 Update Security Issue

Update: ICQ 7.4 is still vulnerable. Also have a look at the clarification on the security issue’s impact.

Since the first news website googled me and found my seldom used blog, here’s a collection of links:

In the news:

Read on for my original mail to the Bugtraq mailing list:


Adding Playlists to Sansa Fuze using Rhythmbox

I use a Sansa Fuze music player that I’m quite happy with. It supports the USB Mass Storage protocol and thus can be used (and filled with music) just as any other USB flash drive. This means it is fully supported by all operating systems since it doesn’t need proprietary software running on a PC.

However, there’s one thing that tools such as Windows Media Player or iTunes are capable of that might be quite useful: managing playlists on the computer and transferring them to the media player. I recently accidentally found out that this can be achieved with Rhythmbox, the music player that comes with Ubuntu and other GNU/Linux distributions:

  • connect player to computer (tested with Sansa Fuze, MSC mode)
  • fire up Rhythmbox
  • left column: under “Devices”, right click on your player
  • choose “New Playlist”
  • enter a name for the playlist
  • drag music files from the player onto the newly created playlist
  • safely remove the player when done

Effect: A new .m3u file is created at the root directory of the player, containing the playlist. It now appears in the list of playlists of your player (Music -> Playlists).

Converting from or to Unix timestamps

Unix timestamps (sometimes also called epoch) encode date and time in a single number, counting the seconds since January 1, 1970, 00:00 (UTC). The format is used throughout a lot of software, but how can it be decoded to our common format?

Naturally, there are web services like Epoch Converter, but how to decode it using the common GNU command line tools? Here’s a short summary:
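Both directions of the conversion with `date`, as an added example that is not the original post's summary: it goes slightly beyond single values by also rewriting a leading epoch field in log lines, which is where these timestamps usually turn up. The function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; the log lines below are constructed sample data.

# epoch_to_iso SECONDS -> ISO 8601 in UTC; rejects anything that is not all digits
epoch_to_iso() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ'
}

# iso_to_epoch 'YYYY-MM-DD hh:mm:ss' (read as UTC) -> seconds since the epoch
iso_to_epoch() {
    date -u -d "$1" '+%s'
}

# annotate_log: replace a leading epoch field on each stdin line with its
# ISO 8601 form; lines that do not start with a number pass through unchanged
annotate_log() {
    while read -r ts rest; do
        if iso=$(epoch_to_iso "$ts" 2>/dev/null); then
            printf '%s\n' "$iso${rest:+ $rest}"
        else
            printf '%s\n' "$ts${rest:+ $rest}"
        fi
    done
}

annotate_log <<'EOF'
1275393600 sshd[811]: Accepted publickey for alice
1275393661 sshd[811]: session closed for alice
-- marker without timestamp --
EOF
```

Passing `-u` in both directions keeps the result independent of the local time zone of the machine doing the conversion, which matters when comparing logs from several hosts.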

Free backup for Windows XP

Windows Vista and Windows 7 already ship with an easy-to-understand, well-functioning backup program (search the Start menu for “Sichern”, i.e. “Back up”) that you can simply hand to a user without much computer experience. With Windows XP, the situation is unfortunately different: there is the program ntbackup, which can also be installed afterwards on WinXP Home, but judging by its usage philosophy it seems to be stuck in the era when you needed a tape drive for backups…

The solution for my purposes is RsyncBackup (not to be confused with the solution from the editorial staff of c’t, whose name is identical apart from capitalization). RsyncBackup requires an NTFS-formatted drive as its target and creates backups that are small thanks to hard links and can be restored even without the backup software. More on the technical background can be found on the program’s website.


Strange behaviour of light switches

Two-way switches make it possible to control the same lamp from two light switches. When everything is wired correctly, it works roughly like this:

Two-way switches, wired correctly

There are two connections between the two two-way switches. If both switches select the same connection, current flows (red); otherwise it does not. Toggling either switch changes the state of the lamp (on/off), just as you would expect from a light switch.

But if one of the switches is defective and has to be replaced, there is a two-in-three chance when connecting the wires that you end up with the following circuit:

Recovery of passwords from Draytek Vigor routers

Recently, I needed to recover a DSL password that only persisted in an old router (Draytek Vigor 2500/We). Since the web interface only shows the username, I tried the backup feature that dumps the entire configuration to a file that you can download. Unfortunately, this data comes in an encrypted form… which makes an excellent exercise for a student of computer science.

Remove items from Ubuntu’s indicator applet

Ubuntu 10.04 (Lucid Lynx) features new panel applets called “indicator applets”. If you want to get rid of some of them, they can be removed by removing the corresponding package(s) using your favourite tool (Synaptic, aptitude, apt-get, …):

  • indicator-me provides the menu with your avatar and your availability status
  • indicator-messages provides the menu for email/Evolution, social networks/Gwibber etc.
  • indicator-session provides the menu with the shutdown/logout button (if uninstalled, this functionality will be provided by the “System” menu)
  • indicator-sound provides the sound/audio settings menu

For more information, have a look at the Launchpad page and the Ubuntu Wiki page for the indicator applets.