Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
I absolutely love the email protocols.
IMAP:
x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox
x4 LOGOUT
Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.
SMTP:
I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.
Postfix' main.cf:
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".
Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.
Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually starts a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as an icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?9 -
Two years ago, I developed an security app for Android as a school project. I didn't like teamwork at school (you know, you do all the work and everyone else is getting the same grade you receive, specially if you are the nerd of the class), actually I hated it, so I made it alone.
Its name was "Alex" and was a simple "panic button". You can configure two emergency emails and phone numbers (contacts only, not police) and, if you're in danger, you just have to press the button and the app is gonna send two messages/emails to your contacts: the first one, to tell where are you (GPS, only the name of the place) and that you're in problems. The second one with an audio/photo file of the situation.
Sounds like a great app, and I tested it few times. The reason I didn't continue with this is that I got my first job and I had not time, and that, tree or four months later, the government (of the city) launched a similar app. Less sophisticated, but I think it's still useful: "No estoy sola"(I'm not alone). I haven't tested it cause I don't trust on the authorities, I'd preffer to send my location to a friend through messenger app instead.
I don't know if I should re-work this app (I didn't released it, I just have the beta) or work on something else. I'm afraid that, if I release it, someone could die or get kidnapped because of a bug or something going wrong with the app :c What do you think?5 -
Fucking government shifting day light saving time by two weeks making me rely on my phone time zone auto-update and wake up one fucking hour earlier!
Way to go Monday...4
Top Tags
Weekly Rant
View