Archive for 2018

Snake oil vendor Avast has pulled v5.45 of its CCleaner suite over a privacy controversy. Apparently the latest update made some “minor” changes which resulted in a bit of an outcry. Active monitoring - which translates to yes please send information about me and my system to your servers - could no longer be switched off. Also, you could no longer shut down CCleaner. You had to kill the process as there was no way to exit the software normally. Free users got another special treat, as sharing your data with 3rd parties could no longer be disabled and was mandatory.

According to, Mozilla is planning to introduce a new method for resolving DNS queries that could actually end up negatively impacting your privacy.

Dubbed Trusted Recursive Resolver (TRR), this new resolving method results in Firefox ignoring your DNS server and using Cloudflare's DNS servers instead. This is awesome, especially because Cloudflare is a company from the US and they then know which sites you connect to. Essentially this would mean that one company has all the information on all users of Firefox.

This is utterly stupid. Collecting data in one place makes Cloudflare a prime target for surveillance and it also stores your connection metadata in the US. Essentially they are adding a single point of failure for the whole Firefox ecosystem.

Thankfully, offers some advice:

  • enter about:config in the address bar
  • search for network.trr
  • set network.trr.mode = 5 to completely disable this feature

The other modes for network.trr.mode are described in

Apparently Mozilla wants to set the new resolver feature as a default beginning with the September patch. Be sure to check your settings again then. Oh and why the fuck does Mozilla insist on fucking up Firefox?

The EU has fined Google $5.06 billion in an antitrust proceeding regarding the mandatory inclusion of Google apps on other vendors’ Android based phones.

Google started sulking, claiming they might have to close down Android and no longer give it away free of charge. Now this will be funny. Android is Linux based which, in large parts, is protected by the GPL license which basically says that if you use GPL licensed code in your project, you have to publish your source code as well. Good luck Google :)

Colour X-Rays Are Here

Sat, Jul 14, 2018

Something really awesome is coming our way from a New Zealand-based company. The first ever colour X-ray picture was taken by employing a new particle detection chip developed at CERN. Originally this technology was used for particle tracking at the Large Hadron Collider, but improvements made to that chip technology made it more and more interesting for areas outside of particle physics.

Just as with the visible light, the colour represents different energy levels of X-ray photons. Different energy levels are also associated with different body components. Bone leads to a different energy than water for example. The company which realized the colour X-ray, MARS Bioimaging Ltd, is using the energy sensitive detection data as an input for a set of algorithms they developed to then reconstruct a colour 3D image. They also have a nice picture on their site. Awesome stuff!

The European Union is hosting a non-binding vote in order to determine the view of its citizens on keeping or abolishing the daylight savings time. Originally implemented as an energy saver, this has long been debunked. More heating during the winter months actually more than offsets the energy savings due to extended daylight time. In addition, the time shift has been known to cause psychological issues with a lot of people, and the rate of accidents spikes each time the clocks are shifted due to people being more tired on average.

The EU vote is non-binding but this is the chance to actually show them your opinion on the matter!

This is a followup to nginx RTMP Streaming With Simple Authentication.

Last time we covered a very basic setup with a hardcoded passkey. Multiple people have contacted me so far requesting an explanation on how to move towards a slightly more sophisticated authentication setup. Usually involving a php script to authenticate against. Maybe you want to use an existing mySQL or mariaDB database to set up users and channels? Fear not, this is not that complicated to start out with.

Server side configuration

Starting from the old example, we set up a basic rtmp section:

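rtmp {
  server {
    listen 1935;
    ping 30s;
    # the auth script below reads $_POST, so notifications are sent as POST
    notify_method post;
    application stream {
      live on;
      record off;
      # placeholder host: replace with the web server that hosts rtmp_auth.php
      on_publish http://YOUR_WEB_SERVER/rtmp_auth.php;
    }
  }
}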

The on_publish command can point to any web address that you like. It could be supplied via the nginx server as well or you could use an apache2 instance for that. You can also use a completely different server if you wish. For now, we assume that there is a php script rtmp_auth.php which sits in the webroot of your webserver.

The above line will do the following:

  • as soon as someone tries to publish a stream to your domain, the nginx rtmp module will issue an HTTP POST request to the on_publish url.
  • nginx will supply the script with the variable “name” and fill it with whatever comes directly after your initial stream url
  • it will also pass on any further GET style variables via the standard ?var1=value1&var2=value2 syntax.
  • it will wait for an HTTP return code which either tells it that everything is fine and streaming should commence (201) or that something went wrong and it should drop the connection (404)

Suppose someone uses the following url to connect to your rtmp server:


nginx will then call your rtmp_auth.php script like this:

Inside of your php script you then have access to the $_POST array which holds your values and you can do whatever you want with them. In the following example we will use a php array $valid_users to hold a list of allowed users and passwords. Of course, you could instead connect to a database and query for the username and password. The interesting part is all in the if-statement which follows after that.

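<?php
# nginx-rtmp posts the stream name as "name" and any extra arguments alongside it
$username = $_POST["name"] ?? null; # in our current example, this will be 'john'
$password = $_POST["psk"] ?? null;  # in our current example, this will be 'supersecret'

$valid_users = array("john" => "supersecret",
                     "winnie" => "thepooh",
                     "batman" => "nananananananana");

# Require both values and a known user: with a loose == an unknown user and a
# missing psk would compare null == null and be let in.
if (is_string($username) && is_string($password)
    && isset($valid_users[$username])
    && hash_equals($valid_users[$username], $password)) {
  http_response_code(201); # return 201 "Created"
} else {
  http_response_code(404); # return 404 "Not Found"
}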

With this code, if the credentials check out, we return a 201 status code which tells nginx that whoever tries to connect is allowed to stream. If they do not, we issue a 404 and tell the client to get lost.

Client side configuration

Let us suppose your streaming client uses open broadcaster studio (OBS), which is a free and open source streaming utility which works with pretty much all major streaming sites and can also be configured to a custom site.

In OBS, you set the stream type to Custom Streaming Server and as the url you would use rtmp:// As the stream key you would set john?psk=supersecret or any other username / password combination. If you want to supply more information you can supply more GET style variables via appending &var1=value1&var2=value2 and so on. Anything you write before the ? in the stream key field will end up in the variable $_POST["name"] inside your php script.

Sadly, SSL support for RTMP and also for the internal on_publish request is still somewhat lacking. So keep in mind that all of this stuff is plaintext authentication. You might not want to use a username / password combo directly but rather a streaming hash that you can allocate via a database and which has to be requested by the user beforehand. At least this way, if someone captures the data, they do not know the login credentials of your users.

You could for example generate a 64 character hash, put it into an SQL table and assign it to a user of your site. Then the user just enters this hash in OBS into the stream key field. Your php script will then be called and the variable $_POST["name"] will hold this hash. After that you can connect to your database, check out whether the hash exists or not and maybe even set up some notification on your website that user john is now streaming. Just be sure to finish with a 201 or 404 code in order to let nginx-rtmp know what it should do about the connection attempt.
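One way to implement the stream-key lookup described above, as an added example that is not part of the original post. The table and column names (stream_keys, key_hash, username) and the function names are hypothetical, and the example goes one step beyond the text by storing only a SHA-256 digest of each key, so a leaked table does not hand out usable stream keys.

```php
<?php
// Added example: schema and function names are hypothetical, not from the original post.

// Issue a new 64-character key for a user; only its SHA-256 digest is stored.
function issue_stream_key(PDO $db, string $username): string {
    $key = bin2hex(random_bytes(32)); // 32 random bytes -> 64 hex characters
    $stmt = $db->prepare('INSERT INTO stream_keys (key_hash, username) VALUES (?, ?)');
    $stmt->execute([hash('sha256', $key), $username]);
    return $key; // shown to the user once, entered in OBS as the stream key
}

// Return the owner of a presented key, or null if it is malformed or unknown.
function lookup_stream_key(PDO $db, $key): ?string {
    if (!is_string($key) || !preg_match('/\A[0-9a-f]{64}\z/', $key)) {
        return null; // rejects missing values, arrays (name[]=x) and wrong lengths
    }
    // Prepared statement: the key never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username FROM stream_keys WHERE key_hash = ?');
    $stmt->execute([hash('sha256', $key)]);
    $user = $stmt->fetchColumn();
    return $user === false ? null : (string)$user;
}

// on_publish decision: nginx-rtmp sends the stream key in the "name" field.
function handle_publish(PDO $db, array $post): int {
    return lookup_stream_key($db, $post['name'] ?? null) !== null ? 201 : 404;
}

// Constructed demo on an in-memory SQLite database (assumes pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stream_keys (key_hash TEXT PRIMARY KEY, username TEXT NOT NULL)');
$key = issue_stream_key($db, 'john');

var_dump(handle_publish($db, ['name' => $key]));                // key that was issued
var_dump(handle_publish($db, ['name' => str_repeat('0', 64)])); // well-formed but unknown
var_dump(handle_publish($db, []));                              // no key at all

// In the real rtmp_auth.php, replace the demo with your own database connection
// and end with: http_response_code(handle_publish($db, $_POST));
```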

In the end you can make things as complex as you want. You can use the same method for other nginx-rtmp directives such as: on_play, on_done, on_update and many more. Check them out at the nginx-rtmp wiki page.

Update: A kind reader has informed me that newer versions of the nginx rtmp plugin no longer use a GET but a POST request to call the URL you specify in the on_publish, on_play, etc directives. I have updated the code to reflect the changes.

FileZilla, the formerly easy-to-recommend FTP/SFTP client for private and enterprise use has fallen from grace and included adware in their installers. With security professionals already recommending uninstalling FileZilla, its author Tim Kosse is trying hard to reframe the issue, claiming that ad-supported installers are necessary and have been around for a long time.

This does not change the fact, however, that some of the “offers” available via the ad-laden installer are downloading unsigned executables to your PC, including some really shady ones that download separate data files which later get concatenated into an executable. The best guess is that this would be an attempt at avoiding detection by malware blockers.

This is a terrible move by FileZilla and I too suggest uninstalling it if you still use it. A good alternative for Windows users is WinSCP. Free, open source, what is not to like?