Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Query results for : January 2024

HCL & DNUG Community Meeting in Hamburg - 1.Feb 2024- 31 January 2024 - (0) Comments

Thomas Hampel
 31 January 2024

Image:HCL & DNUG Community Meeting in Hamburg - 1.Feb 2024
NEWS:
Die DNUG Community läd am Donnerstag (=Morgen!) zum
Meetup in Hamburg

Themen:
HCL Domino 14: Wie neue Funktionen den Alltag von Anwendern und Administratoren verbessern

HCL Sametime 12: Beeindruckende Neuerungen der datenschutzfreundlichen Meetingplatform.

Wann?
Datum: 1. Feb 2024
Eintreffen ab 17:00
Beginn: 17:30

Wo?
New-Living-Home
Julius-Vosseler-Straße 40
22527 Hamburg
www.new-living-home.de

Anmeldungen bitte kurz per Mail an : stammtisch.hamburg@dnug.de
Der Termin bzw diese Einladung soll, darf, und muss an alle Interessenten weitergeleitet werden... also bitte #weitersagen!

Bis Morgen!
Th.Hampel

Available now: HCL Notes/Domino 12.0.2 Fix Pack 3- 17 January 2024 - (0) Comments

Thomas Hampel
 17 January 2024

HCL just released Fix Pack 3 for HCL Notes/Domino 12.0.2
More details of what has been fixed are provided in the
Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List

Before installing this update, please verify the system requirements:
-
HCL Notes 12.0.2, 12.0.2 Fix Pack 3 System Requirements
-
HCL Domino 12.0.2 Fix Pack 3 System Requirements

These kits are available for download at our new MyHCLSoftware download portal at the following URLs:

https://my.hcltechsw.com/downloads/domino/notes/12.0.2fp3
https://my.hcltechsw.com/downloads/domino/domino/12.0.2fp3

Bonus:
If you are already running Domino V14 and have the new AutoUpdate feature enabled, you'll see whats shown in the screenshot below:
Learn more on how to use this feature, by joining our
Domino V14 Deep Dive webinar series on Jan. 31 on Domino v14 Auto Notify, Update & Install

Image:Available now: HCL Notes/Domino 12.0.2 Fix Pack 3

Open Sourcing Domino Templates - Part 1- 8 January 2024 - (0) Comments

Thomas Hampel
 8 January 2024

HCL just open sourced a number of Domino templates!

HCL just open sourced a number of Domino templates! This initiative of HCL was announced by Richard Jefts to support a more open and vibrant developer community.
Main purpose is to allow developers and partners to extend, modify and tweak the product templates, reuse parts of the code in own solutions and allowing those modified versions to be redistributed.
Now with the the Apache 2.0 license this will be possible. Also it is now possible to update these templates outside of product releases in a more consistent way if necessary.

Especially interesting is the (long awaited)
Domino Design Guide, containing icons, color schemes, and more for helping developers to build better looking applications.  
Image:Open Sourcing Domino Templates - Part 1

All the templates are provided in the same versions as shipping in HCL Notes/Domino 14 with the only differences that they are made available under the Apache 2.0 license and signed with the HCL OpenSource Signing ID.
The Git repository contains the source code of the English version of the templates, but all internationalized versions are also contained as downloadable *.ntf in there:
Title
Source
Latest Version
Documentation
Discussion
Domino CompareDBs
Lotus SmartSuite Document Library
Document Library
MS Office Document Library
Notebook
RSS Feed Generator
Domino Design Guide
Teamroom
Password Reset Sample


All the source code above is using the new Yaml based OnDiskProjects in Domino Designer.

More templates, such as the Domino Configurtion Tuner and the Domino Blog template will be released soon. (@
Martin Ortega please stay tuned and watch this repo )

Who is owning them?

HCL still remains the owner of the original/unmodified version of the templates and will control which updates or changes will get merged into the main branch.
While contributions (pull requests) are technically allowed, HCL does not guarantuee that they will accept or merge them.
However, HCL as well as anyone else, has the right to take community contributions back to use them in future releases.


How about support?

HCL provides support only for the original, unmodified version of the template shipping with the HCL Domino product. Forks or any modified versions of the code are not officially supported. Users who choose to fork the code or make modifications do so at their own risk and are responsible for any resulting issues or changes. HCL cannot guarantee assistance or troubleshooting for forked versions, and users are encouraged to refer to the official documentation for guidance on customization and modification. Defect tracking and support questions for the unchanged templates are preferred to be handled via the normal support process.

PS: Special greetings to
Niklas Heidloff, who might remember his OpenNTF blog post from a decade ago.

Is HCL Notes / Domino affected by SMTP smuggling?- 3 January 2024 - (0) Comments

Thomas Hampel
 3 January 2024

In short : No

The long(er) version:


Background:

SMTP Smuggling is a newly discovered attack to a number of mail server products and mail hosting providers.
All mail transfer  are based on the SMTP protocol that exists for years where server and client, or two servers talk to each other as defined in an internet standard (
RFC 5321)
Even with perfect antispam checking, SPF, DKIM, DMARC, etc in place, the vulnerability would allow sending spoofed emails, which can result in a huge problem.


The Problem

Key problem is that some SMTP mail server implementations do not follow the RFC precisely.
As defined in chapter 4.2.5 of the RFC, the DATA part of a message is ending with . , note the small dot in between.

Image:Is HCL Notes / Domino affected by SMTP smuggling?
where

is a carriage return

is a  LineFeed, meaing to move the paper or the cursor to the next line.


another RFC (
RFC 5322 ) defines
Image:Is HCL Notes / Domino affected by SMTP smuggling?

Servers often transfer more than just one message at the time in one session.
For servers that don't perfectly follow the RFC it is possible to send the header of the second mail as the body of the first mail so that only the first header is checked.

In the post processing of that mail the server will split apart the messages again and will route two mails where the only the first one was formally checked against SPF, DKIM, etc. definitions.

This will allow to sneak a new mail header with fake sender names into some mail environments (but not to Domino).


More technical details are described in this publication:

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

The disclosure also caused the German BIS to publish this security warning:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-292569-1032.html

All the above is explained in great details in this wonderful talk.




What about Domino?

HCL's Domino development team was made aware of the problem and started formally testing if Domino is affected.

As indicated above, the Domino SMTP server is not vulnerable to SMTP Smuggling; it only accepts CRLF.CRLF as the end of data sequence.

Domino is perfectly following the RFC's.


**Update**

Based on a
recent post in our support forum, there seems to be a need for further clarification.
While it is possible to squeeze two mails into one using the technique described above, Domino will still handle each mail standalone and will run antispam checks against each of them.
Details are investigated as part of SPR MDLSD2XL45


If you want to test yourself,
Daniel Nashed published nshmail, a Simple SMTP mail send tool that can be very helpful to test SMTP connections.

References:

-
Domino Forum Question by Florian Bühler
- SEC Consult publication :
SMTP Smuggling - Spoofing E-Mails Worldwide
- CCC 37c3 Talk :
SMTP Smuggling to spoof e-mails worldwide
-
nshmail -- Simple SMTP mail send tool

Balkonsolar - one year in review- 2 January 2024 - (0) Comments

Thomas Hampel
 2 January 2024

It was exactly one year ago that I've installed a tiny solar power plant at home, referred as "Balkonsolar" here in Germany.
Now after exactly 365 days of being "empowered" - its time for a review.


Image:Balkonsolar - one year in review

Where it all started

I've been fascinated by solar power and heard about micro installations on balconies a year or two before, watched some YT videos to understand the benefits and constraints.
Previously I thought only large scale installations can provide a return on invest, but it turned out that even two panels or even just one are enough for a valid business case.
I was blown by the idea that money is litterally falling off the sky and one just needs to collect it.


Sure I could have used
Photovoltaic Geographical Information System (PVGIS) to estimate the power production at my location, but why bother about details.

Stage #1 - Get the equipment

I've spent way too long with the decision to buy the equipment. All in all it took over a year from the idea (early 2020) to placing an order (early 2022).
Back then one could buy a whole set for >800 EUR or just order components one by one for a total of € 600 or less. My preference was for buying components separately and plug it all together myself.

Stage #2 - Waiting

(Un)fortunately my order was placed right before Russia started invading Ukraine, which caused the energy prices to skyrocked. So solar panels and power converters prices increased by a factor of 3 to 4.
I was in doubt if my order will actually be shipping since the seller could make 3x the money by cancelling my order and selling to someone else.
To my surprise, just 5 months later I got what I payed for.

Stage #2b - Waiting (for myself) & Being busy with work

My job does not allow for lots of hobbies or side projects, so despite high energy prices I had no time for installing the panels.
All equipment remained unused for 9 months(!).

Stage #3 - Chaising approvals

The ugly part of wanting to install solar panels at your balcony is that you need to seek approvals from your landlord who must allow the installation, home owners have an advantage here.
Luckily the legislation is expecting to change next year so that it is preapproved. Also various other regulations exist that may drive you nuts.
e.g. standard power plug or solar-plug?,
Also there are legal limits of (just) 600Watts, while neighbour countries like Austria allow 800Watts of power production. Not logical why, just damn German bureaucracy & big lobby groups trying to protect their own business
However, not everyone is against my project so after sending a mail or two, I got the approval from the landlord to proceed at my own cost.

Stage #4 - Installation

It took until Christmas 2022 until I've had time to do the installation.
It turned out to be far easier than expected. All-in-all it took about 6 hours, where most of the time was spent with cable management on my balcony to make it look nice.
Since the inverter came with mandatory cloud connectivity + mandatory data processing in China, I never connected the WiFi interface to my home network for security reasons and instead was looking for other options to measure solar power production.

Tip : Assembly/installation is far easier with the help of a friend... and besides that is more fun too.

Stage #5 - Paperwork

It's Germany, so of course you have to fill out boring paperwork to register this installation.
As a polite citizen I did that promptly. All in all its a 15min process in two places:

your local energy provider and a country wide register (
Marktstammdatenregister)

Stage #6 - Metering

Certainly I wanted to know how much energy is produced.
Most micro-inverters already come with WiFi antenna and a smartphone app, harvesting all your data in a (more or less) "secure" cloud.
Personally I do not recommend to allow those kind of devices to access my home WiFi nor the internet.
For good reasons as it turned out, because e.g. Deye / Revolt / Bosswerk inverters allowed anyone to read your WiFi password in clear text, a big security hole - for details see
this thread

So I went the lame route for metering: I'm using a well established
AVM Fritz!DECT 210 device.
Based on your personal preference and type of inverter you might also be interested in
this kit from Blinkyparts.com

What's the total cost?

Total cost (when I bought it in 2022) was EUR 600,- meanwhile prices have dropped and
legislation has changed so that there is NO sales tax on solar equipment anymore.
0% sales tax means from one day to another you'll save 19% !
All together the same or slightly better equipment that I bought back then is available now for a much lower price:

EUR 180,- for 2x Panels (€ 90,- each)
EUR 140,- for 1x Hoymiles HM-600 (or 800)
EUR 80,- for panel mount/equipment
EUR 50,- for some 5m solar power cables,adapters and other small parts
= EUR 450,-

+ optional EUR 55,- for a
AVM Fritz!DECT 210 which connects to my AVM Fritz!Box (Router/SmartHome Hub) for measurement & statistics.

The Result

After exactly one year, these are the plain figures:


Produced : 429,4 kWh

It could have been more (639.63 kWh) if my panels would be mounted in an ideal position and not just hanging at 90degrees


I've returned 63 kWh to the grid (for free) due to producing more than what I have used. This was mainly driven by being on vacation.


At a current price of € 0,4905 / kWh it results in savings of
€ 210,62 for 2023
Indeed this rather high cost per kWh is in our contract - it was the cheapest option in 2022 when energy prices skyrocketed.

However, due to
other regulations in our country some might say that I should only calculate with € 0,40 (the capped cost) which would result in approx. € 171,76 of net savings
I am including the energy I have returned to the grid worth € 25 in my savings calculation because it was on me to use it.


Here is the chart showing power production over the course of the year

As you can see the month of May was the best month so far as it provides a good amount of sunlight at mild temperatures.


Image:Balkonsolar - one year in review

For this year (2024) we are expecting a cost of € 0,32 /kWh which would generate approx. € 272 of savings per year
Assuming an 800W installation at an ideal angle.

Conclusion:

Is it worth it ?

Absolutely YES YES YES !
At current energy prices and prices of new solar panels you'll have a return of invest in under two years.
That is comparable to an interest rate of >50% - where on earth do you get that for your bank account?

My advise:

Dont wait, START NOW and install as many solar panels as you (leagally) can.
Two of my friends were amazed by how easy it is to enter the solar power business, so I helped them buiding their own "Balkonkraftwerk"

Cool projects I came along

-
Solar-Table


References:

-
Photovoltaic Geographical Information System (PVGIS)
-
Solardach Potential Germany
- Heise Ratgeber Balkonkraftwerke
-
BMWK: Senkung der MwSt. für private PV Anlagen auf 0%
-
Stecker-Solar-Simulator
-
Ökobilanzrechner
-
OpenDTU
- Blinkyparts -
OpenDTU Bausatz

Finally:

Closing with a key message from 34c3:

Image:Balkonsolar - one year in review
Thomas Hampel, All rights reserved.