Antivirus and Encryption

Like many highly computer literate sons, my parents occasionally call on me to fix their computer.  This can be anything from “I turned it off and it won’t boot up again” meaning “The hard disk has failed”, to “I can’t get my email, it comes up with a certificate error”, meaning I’ve forgotten to renew the SSL certificate on my mail server.
This week, my father send me a text message to say neither he nor my mother could receive email – but they could send it fine.  I didn’t see any attempts from them to connect in my mail server’s log files, and they said they didn’t see any error messages.
This morning, I found some time to ask my mother to set up a reverse VNC connection to my desktop at home (I can’t remember what people did before VNC – maybe we installed pcAnywhere, or maybe we hopped on a car or train).
Here’s the key piece of information that was missing that I found out this morning – “We installed Kaspersky and email stopped”. D’oh! That piece of information is really important – I did something, and something else happened.
Further investigation showed that my parents installed Kaspersky as Barclays on-line banking suggested it, but then they uninstalled that, and installed AVG, but still couldn’t get email.
What caused the problem? It’s quite straightforward. POP3 doesn’t attempt any form of encryption at all, so I force people to use TLS when picking up mail from my server. It stops the very small risk of somebody finding out an email password by capturing packets, but it also encrypts all the messages being downloaded. I use SSL certificates from CACert which they provide free, and the whole system works better than self-signed certificates, but not quite as well as a full-bodied certificate from a widely-recognised CA.
AVG and Kaspersky intercept outgoing POP3 traffic, if asked, and scan it. They do this by proxying connections through their software, which can’t understand the TLS connections and so waits patiently rather than throwing up an error. The result is the mail client does nothing – no errors and no timeouts. A software stalemate.
This started me thinking – how long before encryption becomes a widespread way for malware starts to use SSL connections to bypass network-based antivirus services? You can’t disable encryption as it’s a form of security, but it’s also a form of stealth. One encrypted TCP connection looks just like the other, and there’s simply no efficient way to scan apart from right at the very edge.

Adventures with 64-bit

I had a pair of 500Gb Seagate drives.  They served me well for a couple of years, but they’ve been getting steadily closer to the dreaded 100% full mark over the last six months.
To celebrate the release of Ubuntu 9.10, I treated myself to a pair of shiny new Seagate ST31500341AS drives. Popped them in to my machine, fired up the 64-bit Ubuntu installer and… wow – my machine is much much faster.
Now I need to get to grips with all the little gotchas of running a 64-bit desktop, such as Google Gears and Flash requiring some fun and games to work properly.

Ubuntu 9.10

I took the plunge and upgraded from Ubuntu 9.04 to Ubuntu 9.10 on my work laptop. The process was incredibly smooth, and there’s not much to it apart from that.  I’m crossing my fingers and hoping the dbus problems with 3G dongle PPP connections have gone away.
I am waiting for some free time at the weekend and a pair of 1Tb hard drives before I take the plunge and install the 64-bit version on my desktop at home.

Cisco IOS 15.0(1)M

I am never one to fear something new – except perhaps a new release of a JVM.
Some weeks ago, I decided it would be a good idea to upgrade one of my home routers to IOS 15.0(1)M – seeing as I paid enough for a maintenance contract, I’m entitled.  Ever since that day, I’ve been unable to ssh to the router with an access-class applied to the VTY lines.  Every time, it refuses my connection, but allows it without an access-class.
This morning, I stumbled upon the answer – put ‘vrf-also’ at the end of the access-class line: access-class 99 in vrf-also. This only matters if you’re running VRF Lite, as I am, because I have a separate firewall and ‘clean’ and ‘dirty’ VRFs.
Never fear something that’s new – expect breakage, and expect to learn.