Mel's Notes

Repairing a Ford Focus or Mondeo Keyfob Remote

2010-11-16T20:19:00.024Z

A few months back my father was having trouble with the remote control central locking on his Ford Focus, a new battery in the keyfob didn't help, so I gave the contacts a quick clean with some isopropyl alcohol and all seemed well, until about a month later when it stopped working again. Initially I suspected the cheap 8 for a pound lithium battery I'd used, but realised it was probably a faulty switch after a further replacement only lasted a week, by which time the doors had also started to occasionally relock themselves.

A replacement remote keyfob from Ford, is quite expensive, so he was keen for me to try and fix it.

To get the key apart, use a small screwdriver inserted into the slot at the back to pry the remote section out of the key yoke. The two halves of the remote section then simply unclip.

Should you decide to order a new remote from Ford, you'll find the part number on the remote section just below the slot. The RFID chip, which deactivates the immobiliser appears to be located in the half containing the battery, so if you don't have the two keys required to reprogram the immobiliser to accept the RFID in a new remote, swapping the battery compartment over would probably work.

The plastic cover over the PCB is held in place by a couple of plastic pegs, which have had their ends melted to stop them pulling back through the holes. Rather than cut the melted ends off , I squeezed them around with a pair of tweezers reducing the diameter enough to pop through the hole.

By now I'm wearing an anti-static strap, rather than risking zapping the electronics. They only cost about 2 quid from somewhere like dealextreme, but don't buy "wireless" ones, as they are a con, and don't work.

Gently pop the top peg out of the slot in the PCB to release it.

With the PCB removed, you can see the three miniature switches.

Testing my dad's ones with a meter revealed that the lock button had a partial short, enough to slowly drain the battery, but not normally quite enough to trigger the doors to lock

The cause was corrosion inside the switch, the debris from which, was creating the short. It must have got moisture in, although my dad is certain that the key has never got wet. The key for his previous Focus went through the wash cycle on at least one occasion that I know of, but never developed a fault, the seal on this one clearly isn't so good.

The switches come apart quite easily, by using a jeweller's screwdriver to pop off their metal shells. They are a miniature leaf switch, one leaf acts as a contact, the other increases the force required to operate it.

As a temporary fix, I unclipped the metal shells, scraped off the worst of the corrosion from the contacts and the silver plated leaf on each switch with a jeweller's screwdriver, and cleaned them with isopropyl alcohol. This restored the remote to full working order, but because of the poor condition of the lock switch, I decided to source some replacements.

The switches are 2 x 6 mm KSR subminiature tactile switches made by C&K. From measuring the pressure required to operate the originals, I reckoned the 4.5N KSR251GLFS is the best match.

I'm afraid I don't have any pictures of soldering the replacement switches in, as I passed the job on to my brother; he's vastly better at soldering fiddly smt components than I. He tells me that he used a craft knife to separate the solder joints while heating it with his iron.

When you come to soldering the new switches on the solder pads on the switch are gull-winded so should draw the solder in, the tricky bit is having a steady hand so as not to move them, or if you are clumsy like me, you might find it easier to solder them if you use a plastic spring clip to hold them in place.

The key is now working fine, and cost less than a tenner to fix, with a few spare switches left over, should it ever fail again.

Sky D-Link DSL-2640S Router Password Extractor.

2010-10-16T10:30:00.077Z

If you still have Sky_1.11 firmware ( the Firmware Version is shown on the router's status page ), I'd suggest downloading my program and extracting the password right away, however if you missed your opportunity to obtain your password before the router upgraded to the new Sky_2.04 firmware, then you can still extract it if you flash the router with the earlier version of the d-link firmware included on the CD supplied with the router.

This application will only work on the D-link router provided by Sky, and is quite likely to stop working in future versions of the firmware. Passwords for other Sky routers can be obtained from this website, if you have the Sagem 2304N, select the Sagem F@ST2504 model. Passwords for the white Sky Netgear DG834GT router can be extracted by clicking this link.

Please be aware that using a router, other than the one provided to you by Sky is in breach of Sky's Terms and Conditions.

If you decide to use a non-sky router, please do not ask Sky customer services to assist in configuring it, and do not dispose of the one they supplied, as Sky do not provide support to customers while they are using non-sky routers.

Your use of this app, and the information it provides, is entirely at your own risk!

A brand new router stats/password extraction program with support for the current Dlink Sky2.04 firmware is now available from here:- http://sites.google.com/site/pihsnodnaba/routerstats

You can download the latest version from here:-: Authenticity_v1.71.jar (Please note that the password extraction feature will not work on this version if you connect to the router through a local proxy, as this causes my program to use 127.0.0.1 for the PC's LAN address. Kaspersky, and most likely one or two other anti-virus programs will cause this issue - I hope to fix this in the first release of my new program.

Please note this currently still only works on the sky_1.xx firmware. The previous version it still available here

The front end is written in Java. I've tested it on Windows XP, a live Linux CD and I'm told it will work on Macs. If you don't have Java installed, it can be downloaded from here:- Java Downloads for All Operating Systems.

As of V1.7 of my program, it is possible to extract the password without connecting the router to a phone line. If it fails to extract the password, but reports the adsl stats ok, then the router is probably being blocked from downloading the password extractor from your PC, by your PC's firewall.

If the router is blocked by a firewall (Windows Firewall seems to be a common culprit), its user interface will stop responding until the blocked request times out (about 2 minutes). Temporarily set the firewall running on your PC to allow inbound access on port 8888, or disable it while you extract your password. Then, either wait for the router's UI to start responding again, or reboot it, and my app should work ok. You should remove the firewall rule once you've extracted the password, it is not required to access your detailed stats.

Typical Sky ADSL Settings (these are the same as most BT based ISPs) :-

Encapsulation: PPPoA (PPP over ATM or PPPoA VC-mux on some routers)
Multiplexing: VC-Based

VPI: 0
VCI: 38
ADSL Mode: Auto or Multimode

If you need any help configuring your router, I'd recommend the forums at www.ispreview.co.uk and skyuser.co.uk

V1.1 I've added an option to change the port it uses (you can ignore this, unless you run a server on port 8888), improved the error reporting, and fixed a minor bug. V1.3 Partially fixed a problem with it selecting the wrong network device, on some PCs, made the local IP address configurable in case it still picks the wrong one.
V1.4 Reconstructed the source from backups after a hardware failure, fixed a few bugs, and got the spinny busy indicator working.
V1.5 Added an option for those that want to tweak the snr margin (or execute any shell command) - enable "advanced" in the options menu to use it, but if you've just joined, then do not fiddle with the snr margin before the 10 day DLM process is over as it will affect the DLM process, and likely result in your connection speed being limited below what you're line is capable of. It will now also check the current directory for utelnetd and enable the Telnet button if it is found. If you need telnet access a suitable daemon can be found here http://rapidshare.com/files/428158541/utelnetd
V1.6 Improved the noise margin tweaking options. Note that the noise margin dB adjustments shown on the slider are only approximate, and adjustments of more than -6db might not work with this router's xdslctl command.
V1.7 Can now extract the authentication details from a router that is not connected to the phone line.
V1.71 Corrected an erroneous error message, minor changes to the server code.

I'd like to thank everyone making a contribution to my Paypal account, and I'd also like to thank everyone who helped with testing.

Instructions for Flashing The DSL-2640S - only necessary if the firmware has upgraded to Sky_2.04.

Warning: flashing the router could render it permanently inoperative if anything goes wrong, so proceed at your own risk

If you wish to do this, disconnect the phone line from the router, and connect the router to your PC with an Ethernet cable, rather than using wireless. Reset the router to its factory defaults (you may wish to back-up your current settings first), then power it up with the reset button held in until the "tick" led starts flashing. This puts the router into recovery mode, you can then use the dlink DSL-2640S recovery utility included on the CD to flash the router. Or if you don't have Windows, you can access the recovery user interface by browsing to http://192.168.1.1, after first configuring your PC with a fixed IP address (eg 192.168.1.100), since the router doesn't run a DHCP server while in recovery mode.

Do not turn off the power while the firmware is being written to the router.

It will take about two minutes for the router to write the firmware to its flash memory, then the light will stop flashing and it will then reboot itself, returning to its normal IP address.

Extract the password using Authenticity V1.7 (or later) while the router is still disconnected from the phone line, to avoid any risk of the router re-updating itself.

If the Sky router is unable to connect to Sky after downgrading, reset it to its factory defaults for the downgraded firmware, by holding in the reset button in for 10 seconds when it is already powered up.

d-link dsl-2640s

2010-10-02T15:23:00.023Z

I managed to get hold of an almost new d-link sky router today. It didn't cost much as it is locked down to sky, but I was hoping I'd be able to flash it with a standard firmware, so that I can use it as a backup while I try to fix one of my other routers, both of which have hardware issues.

Meanwhile I've got the D-link sat on the side of my desk and am using it as a Wifi access point, while having a go at extracting the password generation code.

Here's a picture of the innards.

It is built around a Broadcom BCM63281KFBG, which according to a pdf I found on the Broadcom website, is a cost effective, low power chip, with support for power management. The Wifi chip is a BCM4313KML1G - single-band, IEEE 802.11n, with dual antenna support, although the router itself is only b and g capable.

As you can see there's minimal shielding on the wireless section, and judging by the PCB, the bcm63281 has an integrated switch. The inclusion of a power button at the rear, proved to be very useful while I was trying to access the shell.

It has four external Ethernet ports, and supports wireless 802.11b & g. The sky firmware includes support for WPA & WPA2, although you can't select WPA2 only. The firmware seems pretty good at automatically selecting an unused wifi channel, however it sometimes picks a channel used by a neighbour, possibly because they have their SSID hidden, so I found it necessary to manually select one.

The wifi signal is a little weak compared to my other routers, probably because of the internal antenna - the bit of steel with a wire attached at the bottom of the picture. I also wonder if they've limited the power output, to avoid causing interference issues due to the lack of shielding. There are unused solder pads on the PCB for a second antenna.

Mounting the router vertically improved the wifi reception by about 15%, and also makes the router run much cooler. It gets quite toasty while sitting on it's rubber feet, as the vents are at either end of the case. The wifi signal still doesn't match that of my other router's though, or even my neighbour's, it is however, more than adequate to reach opposite ends of my house.

Anyway, before trying to flash it, I wanted to try to access the shell, which, as it doesn't seem to have a telnet or ssh server running, requires a little hacking...

Getting root access didn't provide me with that much of a challenge, although the procedure I used did get a little complicated.

Needless to say it runs busybox under linux:-

BusyBox v1.00 (2010.06.23-05:56+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# ls
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
#
# ls /bin
adsl            dnsproxy        iptables        ps              true
adslctl         dnsspoof        kill            pwd             udhcpd
brctl           dsldiagd        ln              pwr             umount
busybox         dumpmem         ls              pwrctl          upgrader
cat             eapd            mcpd            rawSocketTest   upnp
chmod           ebtables        mkdir           rm              urlfilterd
consoled        echo            mknod           sendarp         vlanctl
cp              epi_ttcp        mount           setmem          wl
date            ethctl          msh             sh              wlctl
ddnsd           ethswctl        nas             sleep           wlevt
deluser         false           nas4not         smd             wlmngr
df              fc              nvram           sntp            xdslctl
dhcpc           fcctl           nvramUpdate     ssk             xtm
dhcpd           flash_eraseall  ping            sysinfo         xtmctl
diapd           hotplug         ping6           telnetd
dmesg           httpd           pppd            tftpd
#
# ls /sbin
ethctl    ifconfig  insmod    logread   rmmod     syslogd
hotplug   init      klogd     reboot    route     vconfig
#
# help

Built-in commands:
-------------------
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait [ busybox cat chmod
cp date deluser df dmesg echo expr false flash_eraseall ftpget
ifconfig init insmod kill killall klogd linuxrc ln logger logread
ls mkdir mknod mount msh nc ping ping6 ps pwd reboot rm rmmod
route sendarp sh sleep sysinfo syslogd test tftp tftpd top true
tty umount vconfig wget
#
#
cat cpuinfo
#
system type             : 96328avng
processor               : 0
cpu model               : Broadcom4350 V7.5
BogoMIPS                : 319.48
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available
#
#

Mem: 24400K used, 36880K free, 0K shrd, 2676K buff, 9752K cached
Load average: 0.13, 0.08, 0.01    (State: S=sleeping R=running, W=waiting)

 PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
 158 admin    SW         0     2  1.7  0.0 bcmsw
1098 admin    R        404  1096  0.5  0.6 exe
1002 admin    S        140     1  0.1  0.2 telnetd
 844 admin    S       1576   187  0.0  2.5 httpd
 188 admin    S       1448   187  0.0  2.3 ssk
 531 admin    S       1392   187  0.0  2.2 wlmngr
 187 admin    S        724   114  0.0  1.1 smd
 233 admin    S        640   187  0.0  1.0 mcpd
 608 admin    S        532   187  0.0  0.8 upgrader
1005 admin    S        500     1  0.0  0.8 pppd
 114 admin    S        464     1  0.0  0.7 sh
1096 admin    S        448  1002  0.0  0.7 sh
 195 admin    S        416   187  0.0  0.6 syslogd
   1 admin    S        392     0  0.0  0.6 init
 196 admin    S        344   187  0.0  0.5 klogd
 197 admin    S        340   187  0.0  0.5 sntp
 609 admin    S        288   187  0.0  0.4 dsldiagd
 250 admin    S        216     1  0.0  0.3 dnsspoof
 803 admin    S        212     1  0.0  0.3 nas
 799 admin    S        124     1  0.0  0.2 eapd
^C#
#
#
#

Running the PPP daemon manually, reveals that "ps" masks the chap password with a couple of asterisks.

1005 admin       500 S   pppd -c pppoa0 -a 0.0.38 -u mel@btbroadband.com -p **
1096 admin       448 S   /bin/sh
1103 admin       388 R   ps

If you've bought one off ebay, and want to check it works before flashing, the typical format of the pppd command is:-

/bin/pppd -c pppoa0 -a 0.0.38 -u USERNAME -p PASSWORD -f0 -z1500&

Obviously you'd need access to the shell first (I've written a program to provide telnet access and also to extract the password) and I suspect "pppd" will need to be run before connecting the router to the telephone line.

Finding a compatible firmware may prove to be very tricky though, I was hoping it would be the same hardware as the broadcom based dsl-2640b, however this router's design seems to be a new one.

Update

D-Link have released the GPL source code

Nebuad's opt-out

2008-05-16T12:01:00.019Z

I thought I'd have a quick look at one of Phorm's rivals, Nebuad.

Apparently much like Phorm, Nebuad uses a cookie based opt-out. Opting out or back-in is achieved by requesting a URL, in response to which Nebuad's server sends your browser its opt-out, or opt-in cookies...

Surprisingly, the opt-in /opt-out pages are indexed by google: http://www.google.co.uk/search?num=100&hl=en&q=site%3Anebuad.com+optin&meta=.

The above search no longer works try http://www.google.co.uk/search?num=100&hl=en&q=site%3Anebuad.com+optout+OR+optin_done&btnG=Search&meta=.

Also cookie "h" is no longer set.

WARNING: if your ISP uses Nebuad and you've already opted-out, then opening the second search result shown in google (www.nebuad.com/privacy/optin_done.php) will almost certainly opt you back in.

WARNING: I've just noticed that Firefox has a page pre-fetch feature which might result in the opt-in page being accessed and the cookie changed just by clicking on the google search above (depends on which link appears first I think)- if you click on the link above, please make sure you opt-out afterwards.

Nebuad's opt-in/opt page can be found here:- www.nebuad.com/company/optout.php

Opting in creates 2 sets of 5 cookies, "o","u","c","h","w", one set in "a.faireagle.com", and the other in the "b.faireagle.com" subdomain. Opting out sets "o"="9" and deletes the other cookies.

o = 0 appears to indicate opted in.
o = 9 indicates opted out.

My guess is "o" might be a set of binary flags eg

bit #0 = 1 - don't track
bit #3 = 1 - don't show targetted adverts.

'c' is the name of an adserver.
'h' and 'u' are set to matching 14 digit numbers.
'w' is another 14 digit number, which appears to count upwards (could be a date and time perhaps?).

Different sets of numbers are generated for the a and b subdomains.

If you look at the bottom of the opt-in page you'll see the actual opt-in urls passed using a couple of <script> tags right at the very bottom after the closing html tag, the browser will request these urls and the server will set the cookies in the response and close the connection (no actual javascript is returned by the response).

<script language="JavaScript" src="http://a.faireagle.com/a?t=o&track=yes&noads=none"></script>
<script language="JavaScript" src="http://b.faireagle.com/a?t=o&track=yes&noads=none"></script>

And for the opt-out page.

<script language="JavaScript" src="http://a.faireagle.com/a?t=o&track=no&noads=all"></script>
<script language="JavaScript" src="http://b.faireagle.com/a?t=o&track=no&noads=all"></script>

There does not appear to be any measures in place to prevent an "evil" website from opting you back-in using the same method - try clicking on Google's cached optin_done link and check for faireagle.com cookies.

Phorm Webwise diagram

2008-04-24T16:43:00.021Z

A diagram showing how Phorm's system creates copies of its tracking cookie in each domain the brower fetches, based on the analysis published by Richard Clayton The Phorm Webwise System

Phorm's system will intercept requests that don't contain their "webwise" tracking cookie and send them through a series of redirects to access and transfer the unique identity number they allocate to you from your webwise.net master cookie to a tracking cookie they'll create for each site you visit.

This cookie will expire after three days, until then your browser will send this cookie with future requests for the site and their system will strip the cookie from each request and use it to identify your profile as it analyses your http traffic - including the search parameters you enter into major search engines, and the content of the pages you view.

Dr Richard Clayton has updated his paper on Phorm webwise, after Phorm managed to recall more of the detail of their system twisty-little-passages-all-alike.

It now seem that an additonal redirect will occur if a webwise.net cookie isn't present to determine if the user is blocking webwise.net cookies, in which case the user's IP address will be blacklisted for 30 minutes to avoid infinite loops.

It seems logical to me that they would use a similar approach to determine if the user is blocking cookies for the actual site he is visiting, either by setting a test cookie with the first redirect if no cookies are present in the initial request, or by using an additional redirect.

A poster on Badphorm has pointed out that because phorm's system redirects the browser to a third party domain (webwise.net), the webwise.net cookie is in fact a third party cookie.

As reported in that thread Opera will correctly (according to rfc2965) block (neither send not accept) all cookies after a redirect to a third party domain occurs if the "accept only cookies from the site I visit" option has been enabled by the user. It will continue to block cookies until a user action occurs where the user can verify the domain requested -such as clicking on a link on the page (even if subsequently redirected back to the original URL).

This will also result in the genuine website not being sent its cookies after a Phorm redirect, which will cause problems for users of Opera that block third party cookies.

Sky Netgear DG834GT-1skuk

2008-04-20T21:43:00.042Z

These "tweaks" are currently only compatible with Firefox and Internet Explorer, unless otherwise indicated.

DG834GT Detailed Stats alternate version. (This version should also work in Opera and Safari)

SF:	Super Frame count		G.dmt framing
CRC:	CRC error count	K:	No. of data bytes in DMT frame
ES:	Errored Seconds (Seconds with 1 or more CRC errors)	R:	No. of redundant (parity) bytes per Reed Solomon codeword
SES:	Severely Errored Seconds	S:	No. of data frames per RS codeword
RS:	Reed Solomon codewords (FEC Data Frames)	D:	Interleave depth
RSCorr:	RS Correctable errors (aka FEC)
RSUnCorr:	RS Uncorrectable errors		ADSL2 framing
LOF:	Loss Of Framing	MSGc:	No. of bytes in overhead channel message
Delay:	delay due to interleaving (milliseconds)	B:	No. of bytes in Mux Data Frame
INP:	Impulse Noise Protection (milliseconds)	M:	No. of Mux Data Frames per Reed Solomon codeword
PER:	Overhead channel period (msec)	T:	No. of Mux Data Frames proceeding a synchronization byte
OR:	Bit rate of the overhead channel	R:	No. of redundant (parity) bytes per Reed Solomon codeword
HEC:	ATM checksum header error count	S:	Ratio of RS codeword over PMD Data Frame length
LOS:	Loss Of Signal	L:	No. of bits in PMD Data Frame
UAS:	Unavailable Seconds (No Signal)	D:	Interleave depth

Enable telnet Open telnet console to disable type "killall utelnetd" in the console. (Enable telnet should also work in Opera and Safari)

Extract ADSL Password and Username (Should work in Opera)

PPP debug mode logs PPP authentication attempts and LCP echo requests. Note this will cause your PPP connection to drop and reconnect. The PPP log can get very large if you leave it enabled.

View PPP log file (note that the PPP log contains your username and a hash of your password)

Delete PPP log file and cease PPP logging

Target Noise Margin

Override Target Noise Margin % of default target margin 86%=6dB, 100%=7dB(default), 114%= 8db, 180%=12.6db... (also works in Opera)

Force G.DMT (ADSL1)

Connection Table (ip_conntrack)

DNS Settings

Reboot the Router, or restart the PPP connection for DNS changes to take effect. If you input invalid DNS servers, you will be unable to access the internet - to restore the original setting click the "use ISP allocated Domain Name Servers (default)" button above. This change can also be cleared by resetting the router to factory settings using the reset button in the back

This page must be downloaded and opened locally for these options to be enabled.

Add entries to router's hosts file

These settings are not particularily useful unless your connection is 100% stable as the Netgear's host file & its dns server will be reset every time the PPP connection is re-established after a drop.

Enter IP address <space> hostname (eg. 192.168.0.10 mel.lan)

(doesn't survive connection drop or reboot)

Reset DNS Server

Router based "speed test"

If you think poor speeds are caused by your PC or wireless link - This will download a file to the router and time the download (if this test fails to work choose a download file with a shorter URL) Results are only a very rough estimate.

Input the URL of a file to download and its filesize (url must be quite short).

Please be patient, the page will only open once the file download has completed.

Download url

Filesize

(also works in Opera)

Alternative test: Downloads and displays the start and end times so that you can calculate the speed more accurately

Download url {44668/(end-start) Kbps}

WebWise? Phorming An Opinion

2008-04-17T11:42:00.003Z

Are cookies a wise way to handle an opt-out?

I happened to see this javascript about a month ago and almost immediately noticed a potential problem with the way the opt-in works. As the issue would be blinding obvious to anyone with a minimal knowledge of web design and security, and the system isn't live, and the issue does not represent a security risk, and because the difference in opting in or out is questionable, I posted about it in a forum that was being frequented by PhormUKTechTeam at the time.

Contained within this javascript is the URL to enable or disable webwise, which is called with a single parameter which requests either an opt-in cookie with an unique ID, or an opt-out cookie from the webwise.net server. It seemed fairly likely that just by embedding a hidden image or iframe on a webpage, it would be possible to remotely enable targeted advertising for visitors to that webpage from a "phorming" isp without their knowledge, let alone consent.

All that would be required is an image tag with the source pointing to the opt-in URL, something like this:-

"<img src="Webwise_opt_in_URL" width=1 height=1>"

Now this opt-in method was no doubt "just a test" and I expect this will be fixed by the time Phorm's webwise system finally goes live, but for me it raises concerns about the quality of the design and coding.

I don't expect it to work for long, but for the time being here are a couple of buttons to opt-in or out of webwise. They do nothing more than use javascript to open the opt-in or opt-out URL in a hidden iframe. Opting in will create a cookie in the a.webwise.net domain UID=xxxxxxxxxxxx|| where xxxxxxxxxxx is a 22 character (128 bit base64 encoded unique ID) and if present remove the webwise.net OPTED_OUT cookie (and vice versa).

Leaking Webwise UID

Richard Clayton notes in point 24 of his analysis of the Phorm "webwise" system that the webwise UID of visitors to a website will be visible to that website if any subsequent accesses to it use "https" protocol (also see points 20 to 26). He also reports that the Layer 7 switch only inspects traffic on port 80, this would suggest that the webwise UID will also be visible to a website if it uses a port other than 80 for a subsequent access.

Linking email addresses to webwise UID by spamming?

Do any modern email clients still share cookies with a browser? Hmm, I guess webmail services.

Only it occurred to me that by spamming everybody @a_phorming_isp.com with an html email that contained a webbug designed to capture the UID, it might be possible for a spammer to compile a database of UIDs linked to email addresses.

The webbug could be an http: image link containing the email address it was sent to (ie your email address) suitably encoded eg:-

"http://Spammer.con/phormbug_YourEmailAddressHere.jpg"

If you view the email, your email client would request the image.

Phorm would use its triple redirect jiggery-pokery to intercept this request and copy the webwise.net UID to a webwise cookie in the "Spammer.con" domain, and redirect the client so that it resends the original request.

The spammer's server would then reply with a redirect to a php script with an https: URL in the same domain. eg

"https://Spammer.con/phormbug_YourEmailAddressHere.php"

The email client automatically requests this https: url sending the webwise UID cookie.

Using https: encryption bypasses phorm's intercept of the UID cookie, delivering the UID (cookie) and email address (encoded in the URL) to the spammer.

The spammer then sells a service to websites that allows them to email targeted spam to visitors to their website.

The email itself could purport to have been sent by a major retailer and to contain a printable £10 discount voucher, it might prove incentive enough to encourage recipients to view it, but I'm sure spammers could devise even better inducements.

Spammers could also capture the webwise UID and associate it with the user's email address by tricking the Phorm user into clicking on a link within the email (which contains the email address it was sent to encoded/obfusticated within the link). This wouldn't be limited to webmail.

The Phorm user's browser would attempt to open the page, phorm would intercept it and add its UID cookie to the domain, the spammers website would redirect the request to an https: page, and the phorm user's browser would re-request the https: page, passing the phorm webwise cookie to the site.

Phorm's selling point to users is anti-phisishing protection, so the users who might benefit from Phorm (if they didn't already have anti-phisihing protection), would be the same users who would be likely to click on the link.

Please sign the petition against ISPs monitoring your browsing activity for advertising purposes

Using the webwise UID with a third party tracking system?

Tracking cookies are used by "data mining" companies to collect data as your visit partner websites. Some people consider them a privacy issue, and programs such as Ad-Aware identify and remove a large number of tracking cookies.

A leaking webwise UID could be captured by such a tracking system and by doing so, should its own Unique ID cookie be deleted, it could use the webwise UID to re-identify the visitor and restore its original UID cookie.

If a user opts out of webwise and subsequently opts back in, it would be possible for the third party tracking system to associate the new UID to the user's old UID, something webwise claim not to be able to do themselves.

Only by deleting both the tracking cookie and ALL webwise created cookies, including those stored in other domains, would it be possible for a user to ensure that they could not be re-identified by a third party tracking system.

Phorm Rant

2008-04-15T20:18:00.007Z

Why I'm happy to use Google, but wouldn't countenance phorm.

In response to a post by Alex in www.badphorm.co.uk.

Well I know you didn't ask me, but if I might answer anyway.

Search engine provide me with a valuable service. Phorm's webwise is a disservice I can do without.

I can control what information search engines get to see about me, I don't have to use them at all if I don't want to, and so I don't have to be confident that I can trust them, or worry too much if they are secure.

I can't avoid all my traffic passing though my ISP's network except by moving ISP, but I trust my ISP primarily because I know it would be ILLEGAL for them to intercept my communications, and also to a lesser extent because I know that the shear bulk of other customer's communications make it highly unlikely that they would intercept mine unless they had a very good reason to want to target me.

Now phorm on the other hand, has the potential to intercept all my non-encrypted communications, and I'm expected to trust them and I'm expected to trust a Phorming ISP that has installed equipment designed to be able to analyse all of its customers browsing traffic en-mass, and apparently claims it is no longer bound by the legal requirement not to intercept my communications, because it has supposedly got my permission by using Man-In-The-Middle techniques to check for an opt-out cookie!

I'm also expected to trust that the level of detail of the information you collect and the extent to which you share it will never expand, even when advertisers start increasingly demanding more useful data and your competitors offer phorming ISPs superior systems that collect more detailed data that advertisers will pay more to exploit.

I'm also expected to trust that your system is secure, and that a hacker could never break in to it and find a way to subvert it into collecting the sort of data hackers are interested in. However small you might claim it is, why the hell would I take the risk!

In short, no I would not be comfortable using any ISP that had such a system connected to its network and I'd question the wisdom of anyone that is.

Netgear DG834G

2008-01-11T00:43:00.001Z

Detailed Stats

"Trained Path:" appears to indicate if your connection is interleaved.

Trained Path: 0 = Fast path. Trained Path: 1 = Interleaved. ip_contrack Routing table.

To enable telnet access on a Netgear DG834(G)

http://192.168.0.1/setup.cgi?todo=debug - this launches utelnetd -d

There is no root password so while enabled, everyone on the lan will have telnet access. Disable in the terminal by typing "killall utelnetd"

To enable ppp debugging

http://192.168.0.1/setup.cgi?todo=ppp_debug This puts pppd in debug mode and logs the establishment of the connection - LCP traffic to /tmp/ppp_log NB the output includes username and encrypted password.

http://192.168.0.1/ppp_log To view ppp_log

Delete ppp_log

To enable VPN debugging

http://192.168.0.1/setup.cgi?todo=vpn_debug

Select between Modem Only Mode (PPPoE bridge) and Router Mode

http://192.168.0.1/mode.htm

Disable Configuration Assistant

http://www.routerlogin.com/CA_HiddenPage.htm use this if you get stuck in the smart wizard (configuration assistant).

connect to speedtest@speedtest_domain- to reconnect to you ISP disconnect and reconnect using the router interface.

Show Command lines

Show nvram

This is not particularily useful unless your connection is 100% stable as the Netgear's host file will be reset every time the PPP connection is re-established after a drop.

Enter IP address <space> hostname (eg. 192.168.0.10 mel.lan)

Add Entries to DNS Server

Reset DNS Server

dg834gt

2007-11-28T10:22:00.002Z

DG834GT Stats

SF:
CRC:
ES:
SES:
RS:
LOF:
D:
HEC:
LOS:
UAS:

Super Frames
Cyclic Redundancy Check
Errored Seconds (Seconds with 1 or more CRC errors)
Severely Errored Seconds
Reed Solomon Forward Error Correction
Loss Of Framing
Interleave depth
ATM Header Error Control
Loss Of Signal
Unavailable Seconds (No Signal)

Enable telnet launch telnet to disable type "killall utelnetd" in the console.

Override Target Noise Margin % 86%= 6dB 100%=7dB(default) 114%= 8db...

Add entries to router's hosts file

This is not particularily useful unless your connection is 100% stable as the Netgear's host file will be reset every time the PPP connection is re-established after a drop.

Enter IP address <space> hostname (eg. 192.168.0.10 mel.lan)

Add above to DNS Server

Reset DNS Server

Router based "speed test"

If you think poor speeds are caused by your PC or wireless link - This will download a file to the router and time the download (if this test fails to work choose a download file with a shorter URL) Results are only a very rough estimate.

Input the URL of a file to download and its filesize (url must be quite short).

Please be patient, the page will only open once the file download has completed.

Download url Filesize=

Alternative test: Downloads and displays the start and end times so that you can calculate the speed more accurately

Download url {44668/(end-start) Kbps}

Slow Speeds? - BT Performance tester

2007-04-04T19:26:00.002Z

BT's performance tester can be found here http://speedtester.bt.com/ . Note that it will only work on BT IPstream based connections.

If your throughput is below 400 kbps, you will be directed to perform a second test, which requires temorarily changing the ADSL username in your modem/router to bt_test_user@yourISP. Where "yourISP" is the normal bit after the '@' in your normal adsl login.

If this test also produces a very poor result you will be asked to reconnect after changing you username on the modem/router to speedtest@speedtest_domain and run test 3.

Test 3 connects you to BT's network bypassing your ISP, so a poor result here indicates that the problem is not caused by the ISP. It may be a line fault, your own equipment or household telephone wiring or a BT issue such as exchange congestion.

A guide to using the BT performance tester is available from here:- BT Performance tester End User Handbook.

If your speeds are poor, but not bad enough to reach test 3 in the normal BT performance tester, it is possible to run the old BT speedtester while connected using the BT login.

The following trick stopped working when BT discontinued the old fixed rate products, replacing them with capped rate adaptive ones.

This test is only intended for fixed rate connections up to 2mbps, so the results are not as accurate as the proper BT performance test 3.
However it can be a useful test if your ISP blames your equipment or BT for your speed issues and you suspect this is not the case, but can't get as far as test 3 in the performance tester.

Username: speedtest@speedtest_domain
Password: anything

And open the following link in your browser

http://217.35.209.142:50302/cgi-bin/home.page.pl

If you also have poor ping times on your normal connection and want a rough idea of latency to the BT RAS you connect through run a tracert as below.

tracert -h 3 217.35.209.142
and you'll see something like

1 <10 ms <10 ms 1 ms www.routerlogin.com [192.168.0.1]
2 11 ms 11 ms 12 ms esr4.ilford5.broadband.bt.net [217.47.23.143]
3 * * * Request timed out.

Note only the RAS also known as ESR (Edge Service router) will respond.

AOL UK

2007-03-02T01:06:00.001Z

Useful Links
Manage Screen Names
Parental Controls
Refer a Friend
Conditions of Service
AOL Complaints Policy
Broadband/Router agreement

Alternative Aol Member Service phone numbers

(Bristol) 0117 919 1100
(Freephone) 0800 279 6771
AOL Proxy settings
Some UK sites block access to non UK IP addresses, if you are allocated a US IP address you can get around this by configuring your browser with the following proxy settings.

For http: uk.proxy.aol.com port 80
For https: (ssl) uk.proxy.aol.com port 443

Set local addresses to bypass the proxy and add 192.168.* to the list of exceptions otherwise you won't be able to access your router's web interface while using the proxy.

PriceIndex
You can find out your AOL PriceIndex which was once rumoured to determine whether you connection is throttled, by temporarily configuring your browser to use AOL's proxy uk.proxy.aol.com port 80, then following the instructions below.

Copy the script below, or if you prefer add this javascript AOL PriceIndex to your favourites. Because it contains a javascript, your browser may warn you that the link may not be safe, click yes to ignore that or use the copy and paste method instead.

javascript:(function(){alert('PriceIndex='+document.getElementById('PriceIndex').value)})();

Navigate to http://help.aol.co.uk/live-help/article/20060814072509990002, log-in using your master screen name and select "Broadband" and click continue. Instead of submitting a question, paste the script above in the address bar and hit return, or if you added it to favourites, just click on the bookmark.

An alertbox will pop up and display the priceindex eg:- 3436/silver.

Router settings

AOL recommend: PPPoE LLC, with MTU=1450

However, I prefer to use PPPoA VC-Mux, with MTU=1430 (MSS=1390 if router has MSS setting)

VPI:0
VCI: 38

Username: screenname@aol.com

screenname should be a General (18+) aol screen name in lower case with any spaces omitted.
The password must not be longer than 8 characters and consist of letters and numerals only.

Alternate Username: aolnet/aol.dsl.screenname.10460001001000030001GB6183.0000.prod

This alternate username only works with PPPoE LLC - it is used by AOL software with modems and if used in a router you will have to run AOL's software & log-in to access the internet.

AOL Test login Username: ISUR_AOLDSL@americaonline.aol.com Password: roughalien

Tiscali DataStream test log-in

2006-02-02T00:21:00.001Z

Tiscali Wholesale provide the following test login for their datastream based services (BT test log-ins, including whatever@speedtest_domain only work on IPstream)

username: testing@dslconnect.co.uk
password: testing

The test log-in will connect you to Tiscali's network, rather than routing your connection on to your ISP.
Access is restricted to the following pages:-

http://speedcheck.ispconnect.co.uk Open this page to run a speed test.

http://www.dslconnect.co.uk/ this displays a test page (often doesn't open)