started growing a beard

day 1 of the beard

At LCA in January this year there was an auction at the end (an LCA tradition), and most people were feeling very relaxed and happy after plenty of good food and drink and bid with reckless abandon (another LCA tradition).

To help things along a few of us volunteered to do various things if various amounts of money were reached. The full list is here.

Anyway my contribution is to grow a beard for the next LCA. Recently I had been thinking that it was about time to start, and this morning I discovered that I had misplaced my shaver, so I start today. I had wanted to get a clean-shaven picture for the first blog entry, but things didn’t work out for that. The above picture is two days of growth (members of my local LUG are probably used to seeing me look like this).

I will start by blogging a picture every day, and then start to space them out as it grows. The apparent results of beard growth should exponentially decrease over time so the rate of pictures would best be based on the log of the time.

working all night

Last night I worked until 5AM on a magazine article. Upon review the later stages of my work weren’t of my usual quality level, and today I did nothing significant because I was too tired (fortunately it’s a Saturday).

I’m now going to cease all really late-night work except when supporting 24*7 production systems for clients. When I feel that my productivity starts to slip due to being over-tired I’ll cease work unless I am being paid to get an outage fixed quickly. The real problem in productivity seems to be throughput not response time. So if I occasionally miss a deadline but overall get more work done it should be a net positive thing.

Virgin – no free water and renewable energy

When returning from Ruxcon I took a Virgin Blue flight.

The Virgin web site has a FAQ with the following advice regarding DVT:
Drink plenty of water and other fluids during and after the flight, limiting alcohol, tea and coffee.

However Virgin provide no free water on the flight and charge $2 for 350ml of water! This is a strong incentive to buy caffeinated drinks and/or alcohol, after all if you are going to pay then you want something better than water!

They should provide free tap water as a basic health measure.

On the positive side there was an interesting article in the Virgin Blue magazine about alternative sources of fuel. It covered bio-Diesel (renewable and produces less toxic smoke), and producing Diesel from waste plastic (saves space in land-fill as well as providing fuel). It wasn’t as technically detailed as I would like and it didn’t mention some of the methods being developed for producing Diesel fuel from algae or the work on using bio-fuel for jet aircraft (which would be appropriate for an airline magazine).

But it’s a good start, hopefully some travellers will learn that there are environmental problems and ways that we can fix them.

dunc-tank and motivation

The dunc-tank project was established to raise money to compensate some Debian developers who are essential to producing a timely release of Debian. There has been a lot of acrimonious debate about whether this is a good or bad thing. The positive side of it is that the release managers will get to spend more time working on Debian, the negative side is that some volunteers will lose motivation.

However I have felt more motivated to do my unpaid Debian work. During the time that I was employed by Red Hat I was fairly slack about my Debian development work (incidentally Red Hat management were happy for me to continue Debian work so there was no pressure from Red Hat in this regard). Since leaving Red Hat I have been busy doing paid work.

Recently I have started getting involved in Debian work again. I am about to upload a new version of Postal for the first time in three years, I have set up a Xen server for Debian SE Linux development, and I am about to start serious Debian SE Linux development work again.

One factor in this has been my impression that other DDs are taking the release seriously. In the past schedules for release have slipped repeatedly without end. Now there is a schedule and this gives me more motivation to get bugs fixed!

Lack of privacy in Amcal

Recently I visited my local Amcal pharmacy. When I was waiting to pay I noticed a large pile of cards on the counter; they were customer loyalty cards with the names of customers printed on them. Also on the top of the pile was a Medicare card. The cards were placed face-down presumably to avoid customers seeing them, but as they were on the counter where customers waited to pay there was nothing to prevent a customer from turning them over or even stealing them.

I brought this to the attention of an Amcal employee who agreed that the Medicare card should not have been there (such carelessness is probably illegal) but who thought that a huge pile of customer loyalty cards (which among other things is connected to a database entry with the customer’s phone number and postal address) is something that should be left within reach of customers. When I left the store another customer was being served within convenient reach of the card pile (which may have contained more Medicare cards).

If you have a cold then it’s OK to go to Amcal to buy your medicine. If you have the clap then you might want to go somewhere else as they don’t seem to care much about privacy.

Ruxcon and SLUG

This weekend I was in Sydney for Ruxcon. Ruxcon is a computer security conference with a focus on penetration testing and related skills.

The presentation on Unusual Bugs by Ilja van Sprundel was particularly interesting. He spoke about a number of issues in Linux that could do with some improvement; I will file some bug reports shortly.

There was a chilli eating contest. I was one of six people to enter. I survived the first two rounds and got onto the middle-strength chilli before giving up. There were 100 tickets to the Google party for the ~200 person conference and everyone who entered a contest got a ticket. My aim in the contest was to eat more chilli than I enjoy eating but less than the amount required to make me sick, with a secondary goal of tasting at least the second level of chilli. I achieved my goals and left the contest after tasting the second chilli.

One man appeared to be impressed by my chilli eating and was telling everyone that I am famous for eating chilli. It’s good to be famous for something in the computer security community. :-#

At the end of the conference there was a panel discussion that I was invited to attend. I had to leave early to catch my flight; at the time I left everyone who was on the panel had each finished a few drinks and a couple of new guys had just joined. I think I missed the most exciting part of the panel discussion.

Thanks to whoever paid for the drinks for panel members. Things were a little hectic when we were given the drinks and I forgot to thank whoever paid for them.

In other news Sydney trains are slow and unreasonably expensive, $13 to get from the airport to the SLUG meeting at St. Leonards seems excessive. With all the problems with Sydney roads they really need to get a better public transport system!

While in Sydney I attended a SLUG meeting and gave a short talk about Postal (my mail server benchmark suite). I will present a paper about Postal at the OSDC conference later this year.

SAK, ctrl-alt-del, and Linux keyboard mapping

A common problem with Linux systems is when Windows users press CTRL-ALT-DEL at the login prompt and reboot the machine.

To fix this some people change the ^ca line in /etc/inittab to just disable the reboot function. However this is not desirable because sometimes you want to reboot a machine with a simple keypress.

Another problem that has not been widely considered is the use of fake login prompts by attackers. This can be implemented in either text mode or graphics mode. All the fake login prompt has to do is display something that looks like a real login prompt, accept a user-name and password, verify the password (a localhost ssh connection is a good way of doing this) and then abort. In the case of a text-mode login the user will think that they entered the wrong password, in the case of a GUI login via an XDM program the user will think that the login program just crashed. Then the attacker has access to their account.

The solution to the fake-login problem is the use of the Secure Attention Key (SAK) feature. When invoked this feature makes the kernel kill all processes that are on the virtual console in question. If you make CTRL-ALT-DEL the SAK combination then pressing those keys will cause the kernel to kill any processes that are attached to the current virtual console, preventing hostile programs from forging a login prompt (which is the same as its purpose in Windows).

The next thing to do is to make another combination used for system boot. A reasonable combination seems to be CTRL-ALT-BREAK as those keys are widely separated and the combination is not used for anything else.

If you put the following in a file named sak.map (or whatever you want to call it) then the command loadkeys sak.map will apply the change. Note that when creating a keyboard map you should do it on a machine for which you don’t mind being forced to perform a hardware reboot. It’s easy to make a mistake and give yourself a keyboard mapping that is not usable. Another possibility is to do such testing on a machine that allows ssh logins, you can then login via ssh and run loadkeys -d to correct any errors you might make.

control alt keycode 119 = Boot
control alt keycode 83 = SAK
control alt keycode 111 = SAK
control altgr keycode 119 = Boot
control altgr keycode 83 = SAK
control altgr keycode 111 = SAK

Note that the above covers both ALT and ALT-Gr keys as well as the numeric keypad and regular versions of the delete key.

dumpkeys -l gives you a list of all possible keyboard combinations. showkey will display the number matching any key you press and will exit after 10 seconds of inactivity.
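As an added example (not from the original post), the Python below audits a keymap in the loadkeys format shown above against the policy described here: keycodes 83 and 111 (the two Delete keys) must map to SAK under both Ctrl+Alt and Ctrl+AltGr, and Boot must still be bound somewhere so a keyboard reboot remains possible. The two sample maps inside it are constructed, one copied from this post and one in the default style where Ctrl-Alt-Del reboots.

```python
"""Audit a loadkeys(1)-style keymap for the SAK policy described above.
Added example, not part of the original post: both Delete keycodes must be
SAK under Ctrl+Alt and Ctrl+AltGr (so a fake login prompt can always be
killed with Ctrl-Alt-Del) and Boot must remain bound to some other key."""
import re

DELETE_KEYCODES = (83, 111)     # keypad Del and main Del, as in the post's map
MODIFIER_SETS = (frozenset({"control", "alt"}), frozenset({"control", "altgr"}))

# "control alt keycode 119 = Boot"  ->  (modifiers, keycode, keysym)
KEYCODE_RE = re.compile(r"^((?:[a-z]+\s+)*)keycode\s+(\d+)\s*=\s*(\S+)")

def parse_keymap(text):
    """Return {(frozenset(modifiers), keycode): keysym} for every binding line."""
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # keymaps(5) comment lines
            continue
        m = KEYCODE_RE.match(line)
        if m:
            mods = frozenset(m.group(1).split())
            bindings[(mods, int(m.group(2)))] = m.group(3)
    return bindings

def sak_violations(bindings):
    """Return a list of problems; an empty list means the map follows the policy."""
    problems = []
    for mods in MODIFIER_SETS:
        label = "+".join(sorted(mods))
        for code in DELETE_KEYCODES:
            sym = bindings.get((mods, code))
            if sym != "SAK":
                problems.append(f"{label} keycode {code} = {sym or 'unbound'}, expected SAK")
    if "Boot" not in bindings.values():
        problems.append("Boot is not bound to any key; no keyboard reboot possible")
    return problems

# Constructed samples: the post's sak.map, and a default-style map where
# Ctrl-Alt-Del (but not Ctrl-AltGr-Del) still reboots the machine.
SAK_MAP = """\
control alt keycode 119 = Boot
control alt keycode 83 = SAK
control alt keycode 111 = SAK
control altgr keycode 119 = Boot
control altgr keycode 83 = SAK
control altgr keycode 111 = SAK
"""
REBOOT_MAP = "control alt keycode 83 = Boot\ncontrol alt keycode 111 = Boot\n"
```

On a live machine the same check can be run over `dumpkeys` output, since it uses the same `keycode N = keysym` lines.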

tcpdump and ps

Today I was doing some network tracing and figured out how to track the start and end of TCP connections. The following tcpdump command will get all SYN, FIN, and RST packets on port 80 and all ICMP packets:

tcpdump -i bond0 -n "port 80 and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0 or icmp"

Also recently I was tracking down some minor security issues related to programs that call setuid() to drop privs but never call setgid() and therefore always run with GID==0 which gives them a lot of access to the system. The following ps command gives the real, effective, saved, and filesystem UIDs and GIDs mapped to names. Note that with some versions of ps different fields have different truncation lengths.

ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm

The next thing I have to do is to patch PS to show the supplementary groups.
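As an added example (not from the original post), the Python below performs the same audit as the ps command above but from /proc/<pid>/status, whose Uid:, Gid: and Groups: lines give the four UIDs and GIDs plus the supplementary groups that ps did not show. The two status texts inside it are constructed.

```python
"""Find processes that dropped their UID but still hold GID 0.
Added example, not from the original post. It parses the Uid:, Gid: and
Groups: lines of /proc/<pid>/status (real, effective, saved, filesystem
ids plus supplementary groups) and flags setuid()-without-setgid()."""
import os

def parse_status(text):
    """Return Name plus Uid/Gid 4-tuples and a Groups tuple from a status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key in ("Uid", "Gid", "Groups"):
            fields[key] = tuple(int(v) for v in value.split())
        elif key == "Name":
            fields[key] = value
    return fields

def gid_zero_leak(status):
    """True if no UID is root but a GID or supplementary group is still 0."""
    if any(u == 0 for u in status.get("Uid", ())):
        return False        # still root in some slot; nothing was really dropped
    return 0 in status.get("Gid", ()) or 0 in status.get("Groups", ())

def scan_proc(proc="/proc"):
    """Yield (pid, name) for every live process showing the leak."""
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/status") as f:
                status = parse_status(f.read())
        except OSError:
            continue        # process exited between listdir() and open()
        if gid_zero_leak(status):
            yield int(pid), status.get("Name", "?")

# Constructed samples: a daemon that called setuid(65534) but never
# setgid()/setgroups(), and one that dropped all three properly.
LEAKY = ("Name:\tbaddaemon\nUid:\t65534\t65534\t65534\t65534\n"
         "Gid:\t0\t0\t0\t0\nGroups:\t0 \n")
CLEAN = ("Name:\tgooddaemon\nUid:\t65534\t65534\t65534\t65534\n"
         "Gid:\t65534\t65534\t65534\t65534\nGroups:\t65534 \n")

if __name__ == "__main__":
    for pid, name in scan_proc():
        print(f"{pid}\t{name}\tUID dropped but GID 0 retained")
```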

Ethernet bonding

Bonding is one of the terms used to describe multiple Ethernet cables used to form a single virtual network link. This can be done for performance or reliability.

Bonding for performance used to be common when 100baseT was the fastest network technology that was commonly available. In 1999 servers could usually sustain considerably more than 10MB/s so a single 100baseT network interface was a performance bottleneck. At that time I worked with Cisco switches and Solaris machines that had up to four 100baseT links bonded for performance.

Nowadays Gigabit Ethernet is commonly available, most laptops have Gigabit Ethernet on the motherboard. Gigabit PCI cards are as cheap as $35, and Gigabit switches can be purchased for as little as $139. Server hardware is a little more expensive, but it’s still quite cheap and commonly available.

Most people don’t need more than Gigabit speed, in fact most systems can not saturate a Gigabit link due to poor application design, a slow operating system, or slow disks used to provide the data. So at this time there is little need for bonded Gigabit networking for performance.

There is still the issue of reliability. Often you want to have two Ethernet cards and cables configured so that if one breaks the network won’t go down.

One annoying thing about bonding in Linux (in 2.6.x kernels) is that the module has to be loaded separately for each bond interface, and the parameters for an interface can’t be changed without unloading and loading the driver (very painful if you log in to the machine via ssh over the bonded interface to do sys-admin work).

The parameters I have in /etc/modprobe.conf for bonding are:

alias bond0 bonding
options bond0 mode=1 arp_interval=500 arp_ip_target=192.168.0.1

This means that if there is no traffic on the link then every 500ms an ARP request will be sent for the address 127.128.129.130 (I used the address of my router but substituted a different value for this blog entry). An ARP request for a machine on the local LAN is a request that will always be satisfied if the machine in question and the network link are working.

The idea is that you have two switches and every computer that matters has two ethernet ports. If one port stops working (broken Ethernet card, cable, or router) then the other takes over.

The special file /proc/net/bonding/bond0 can be used to view the current configuration of the bond0 device.

Below are sample configuration files for Fedora and Red Hat Enterprise Linux to configure bonding:

/etc/sysconfig/networking/devices/ifcfg-bond0:
DEVICE=bond0
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=static
# GATEWAY should be the IP address to ARP ping
GATEWAY=192.168.0.1
TYPE=Ethernet

/etc/sysconfig/networking/devices/ifcfg-eth0:
DEVICE=eth0
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
ONBOOT=yes
SLAVE=yes
MASTER=bond0
TYPE=Ethernet

/etc/sysconfig/networking/devices/ifcfg-eth1:
DEVICE=eth1
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
ONBOOT=yes
SLAVE=yes
MASTER=bond0
TYPE=Ethernet

Note that there is nothing preventing you from having more than two devices bonded together for reliability, but I doubt that you really need that.
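As an added example (not from the original post), the Python below checks a running bond against the configuration above: it parses the driver report from /proc/net/bonding/bond0 and verifies that the mode is active-backup (mode=1), that the ARP target is the GATEWAY named in ifcfg-bond0, and that both slave links are up. The report text inside it is constructed to mirror this setup with eth1's cable unplugged.

```python
"""Sanity-check an active-backup bond against the configuration above.
Added example, not from the original post: parse_bond_status() reads the
driver report in /proc/net/bonding/bond0 and bond_problems() compares it
with the mode=1 / arp_ip_target=GATEWAY setup this post describes."""

def parse_bond_status(text):
    """Return (bond_fields, [slave_fields, ...]) from /proc/net/bonding/<dev>."""
    bond, slaves, cur = {}, [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                            # blank separator lines
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":            # later lines belong to this slave
            cur = {"name": value}
            slaves.append(cur)
        elif cur is None:
            bond[key] = value
        else:
            cur[key] = value
    return bond, slaves

def bond_problems(status_text, gateway):
    """Return findings as strings; an empty list means the bond matches the post."""
    bond, slaves = parse_bond_status(status_text)
    problems = []
    if "active-backup" not in bond.get("Bonding Mode", ""):
        problems.append(f"mode is {bond.get('Bonding Mode', '?')}, expected active-backup")
    targets = [t.strip() for t in bond.get("ARP IP target/s (n.n.n.n form)", "").split(",")]
    if gateway not in targets:
        problems.append(f"ARP target {targets} does not include GATEWAY {gateway}")
    if len(slaves) < 2:
        problems.append("fewer than two slaves, so no redundancy")
    for s in slaves:
        if s.get("MII Status") != "up":
            problems.append(f"slave {s['name']} is {s.get('MII Status', 'unknown')}")
    return problems

# Constructed driver report for the setup in this post, as it would look
# after eth1's cable has been unplugged (eth0 has taken over).
SAMPLE_STATUS = """\
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up
ARP IP target/s (n.n.n.n form): 192.168.0.1

Slave Interface: eth0
MII Status: up

Slave Interface: eth1
MII Status: down
"""
```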

quotes

At http://www.infodrom.org/Infodrom/fortunes/download/infodrom-linux there are a heap of quotes from Debian people, and more than a few from me. It’s strange reading my own writing in someone else’s quote file. Some things seem so removed from context that there is little point to them. For some things I couldn’t even remember writing them and had to ask Google. There were some things which seemed wrong, but Google showed list archives proving the quote file to be correct.

Also when googling my quotes I found that I had written an amusing and apparently quotable flame to someone who was far from the top of the list of deserving recipients of flames.

For anyone who reads the quotes, the Double Woody refers to Balvenie Double-Wood Scotch whisky. When Debian Woody was first released I would regularly bring a bottle of the Double Wood to Debian meetings.