Category Archives: Security

Sending email from an O2 Broadband connection

Posted on by
Reply

There are many options for sending email from an O2 Home Broadband connection:

  • If you have a static IP address (provided free with ‘The Works’ package or as a cost option in other packages) and you have access to a third party mail relay (e.g. SMTP2Go or AuthSMTP), you can connect directly to the external SMTP server on port 25
  • If you have a regular dynamic IP address then you can still connect to an external mail relay, but O2 blocks port 25 (SMTP) and so you will have to connect on port 587 (message submission)
  • Use the O2 Broadband mail relay – relay.o2broadband.co.uk – this will only accept mail from your broadband connection and will not work when outside of your home network
  • Use the O2 Mobile Data mail relay – smtp.o2.co.uk – you will need to authenticate yourself using your O2 portal username and password

If using smtp.o2.co.uk then you will also need to authenticate yourself using your O2 portal username and password. Note that even if using your own domain name your O2 username will also be made visible to the recipient in the mail headers, e.g.

Received: from yourhost.example.com by mail.o2.co.uk (8.5.119.05) (authenticated as yourlogin@o2.co.uk)

O2’s mail servers do not support SSL/TLS and so you will need to specify an insecure connection when configuring your mail client.

In the Windows Mail client go into the mail account properties and under the Outgoing Mail Server settings in the Servers tab tick the box next to ‘Outgoing Mail Server: My server requires authentication’. Go into these settings, fill in the account name and password with your O2 portal credentials and make sure that ‘Log on using Secure Password Authentication’ is NOT checked. In Advanced settings make sure that ‘This server requires a secure connection (SSL) is NOT checked.

For Unix users I have provided instructions for configuring exim4 to use an external smarthost in a separate post.

How Disappointing.ly Prophetic

Posted on by
Reply

I just read an article over at TechCrunch about Letter.ly losing their Libyan domain name.

Didn’t someone around here warn that this might happen? 😛

Microsoft, what’s my MAC address?

Posted on by
Reply

Using MAC address filtering to add an extra layer of security to your WiFi network?

Need to know the MAC address of your shiny new Windows Phone 7 device?

You’re out of luck!

There is a rather illuminating discussion on Microsoft Answers – MAC address for WP7 Devices – that sheds light on the issue…

A WP7 customer asks:

I wanted to connect my WP7 device to my home WiFi. However, I will need to know the MAC address of the WP7 before I can connect.

Can anyone let me know where to get it?

Johan van Mierlo (a Microsoft MVP Windows Phone Specialist) replies with:

Yup, they only way is to make sure your wireless network is visible, connect with WEP or other security and afterward make your network invisible again.

Another couple of customers comment:

seems like microsoft just “forgot” to implement that…

I cannot believe this was missed..

My thoughts exactly.

Microsoft, are you for real? You don’t exactly have a great track record when it comes to security and the only way of obtaining the WiFi MAC address of a WP7 device is to disable security?

A leopard never changes its spots!

Tru.ly mad.ly deep.ly

Posted on by
1

A quick comment on the hoo-ha regarding .ly (Libyan) domain names.

The recent controversy started when the ‘owner’ of the vb.ly domain name found that her adult content link shortening service was terminated without notice, because it was being used for “activities/purpose not permitted under Libyan law”. The other partner in the vb.ly domain name posted an article titled “The .ly domain space to be considered unsafe“. No shit!

What made anyone think a Libyan domain name was going to be “safe”? When you lease a domain name from a foreign registry you are totally beholden to their rules – and whims.

I registered a .me domain name (the allocated top level domain for Montenegro), which is managed by a Montenegrin joint venture. It’s a great name but I do half expect that it could stop working one day and so I don’t use it for mission critical purposes.

The hypocrisy of the Americans is laughable. USA has been an enemy of the Gaddafi regime in Libya ever since he seized power after a coup d’état in 1970. They bombed the capital Tripoli in 1986 and were highly critical of the Scottish government’s decision to release Lockerbie bomber al-Megrahi (a Libyan national).

The United States only restored full diplomatic relations with Libya in 2006, but somehow seem perfectly comfortable with developing web businesses that are totally dependent on Libya’s fragile domain name registry.

How services such as bit.ly and ad.ly have attracted millions of dollars in VC funding when they are built on such potentially unstable foundations is a mystery.

Go figure!

Issue 4581: Allow user apps to set the system time

Posted on by
Reply

There are many aspects of Google’s Android that make it the most exciting mobile operating system in many years, however it also has some rather obvious and frustrating omissions.

Issue 4581 (as it has become known) is an example of one such omission.

The date & time settings menu on an Android device does not allow the user to set the time to a granularity less than minutes. This means that you cannot accurately set the system clock to even within a few seconds.

The Android developers have wrongly assumed that all mobile operators support the Network Identity and Timezone (or NITZ) GSM specification for sending date & time to mobile devices, when in reality many do not.

If your mobile operator does not broadcast the NITZ information then your Android device will not automatically synchronise. In common with most computers the system clock on your mobile device may drift and after a few weeks can be many seconds or even minutes out of sync.

As accurate timekeeping is necessary for many applications, most other operating systems use an IP based time protocol – Simple Network Time Protocol (or SNTP) – to keep the system clock in sync with a global pool of atomic clocks. Android however does not include a SNTP client, nor does it allow installed applications to set the system clock either. So currently (as of Android 2.2 “Froyo”) it is not possible to keep your device clock accurate.

If you too feel that this is absurd, please visit the Issue 4581 page and add your vote for this issue.

UPDATE – 21st July 2011

Google have responded officially and closed this issue:

Hi, it is by design that applications can not change the time. There are many subtle aspects of security that can rely on the current time, such as certificate expiration, license management, etc. We do not want to allow third party applications to globally disrupt the system in this way.

I don’t agree with this explanation as device vendors are now providing IP based clock update mechanisms which co-exist with DRM, see HTC – Sensational at timekeeping for an example.