codeblog code is freedom — patching my itch

1/23/2007

CVE links via Greasemonkey

Filed under: Blogging,Security,Ubuntu,Web — kees @ 10:00 pm

I spend a good bit of time reading CVEs but their entries are plain text, without links associated with their various recorded URLs. I’m annoyed at having to select/paste to load a URL, so I had to go code a work-around. :)

Since MozDev’s “linkify.user.js” was a bit heavy-handed, I wrote up a quick hack based on similar code to only look at mitre.org’s LI tags: “cve-links.user.js”.

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/10/2007

attempting a secondlife build on ubuntu

Filed under: Blogging,Ubuntu — kees @ 5:37 am

Linden Labs released their Second Life client under the GPL, so I figured I’d have a go at getting it compiled on Ubuntu. Three libraries weren’t already packaged, so I threw together some initial attempts at getting them usable (libelfio, libopenjpeg, and libxmlrpc-epi). I think the long-term approach will be trying to convince Linden Labs to use stuff that is being actively maintained.

One big hurdle is audio, since FMOD doesn’t have a Free license. I hope it can get replaced; I’d be curious to hear what Second Life needs from FMOD that some of the other Free stacks can’t do.

So, if you’re in a mood to play with getting the Second Life client running, hopefully my stab at packaging can help (I’ve solved a number of gotchas in the assumptions their build system made), and so far it built:

$ ls -lh secondlife-x86_64-bin
-rwxr-xr-x 1 kees kees 34M 2007-01-10 05:33 secondlife-x86_64-bin*
$ ldd ./secondlife-x86_64-bin | wc -l
77

Unfortunately, it immediately crashes when I load it. :)


12/25/2006

2006 recommended reading

Filed under: Blogging,Ubuntu — kees @ 10:45 am

It’s not quite the end of the year yet, but here are Kirsten’s top 6 books from 2006:

  1. The Great Influenza: The Epic Story of the Deadliest Plague in History
  2. The Devil in the White City: Murder, Magic, and Madness at the Fair that Changed America
  3. Cloud Atlas: A Novel
  4. The Fortress of Solitude
  5. It’s Superman!: A Novel
  6. Welcome to Our Hillbrow

(Also, figured this would be a good test of the WP plugin for Amazon, which is very handy. I’m going to see if I can patch it to hook things to my blog roll “Reading” category.)


12/13/2006

silly things to do with unicode

Filed under: Blogging,Ubuntu,Web — kees @ 12:37 pm

˙ǝɓuɐɹʇs ʎɹǝʌ ʍoH

‮Unicode is so odd.


12/9/2006

frozen-bubble handicapping

Filed under: Blogging,Ubuntu — kees @ 10:32 am

At UDS, I learned that I am a poor frozen-bubble player. After getting repeatedly trounced by pitti, I decided I had to find some way to level the playing field. I was my own worst enemy due to my bad aim, but all the malus (as in, the opposite of bonus) balls were clearly causing me greater pain. I wrote a patch that creates a new key binding “b” to toggle the blocking of malus balls. Using this made things a little more even, and after a week of practice, I was a much better player (and quit using my cheat).

Since frozen-bubble depends on a shared game state between all players, everyone will notice if you’re using a mod like that, since they will just queue up on your malus post:

malus blocking

So be sure you’re playing with people you know. :)


12/7/2006

paranoid browsing with squid

Filed under: Security,Ubuntu — kees @ 11:40 pm

As Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for the deeply paranoid: all your DNS traffic is still in the clear. While the web traffic and URLs aren’t sniffable any more, curious people can still get a sense for what kinds of stuff you’re browsing, based on domain names. (And for the really really paranoid: if you’re on open wireless, your DNS lookups could get hijacked, causing you to browse to look-alike sites ready to phish your login credentials.)

Luckily, with SOCKS5 Firefox can control which side of the proxy handles DNS lookups. By default, it does the lookups locally resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy more like a regular proxy, where DNS is handled by the remote end of the tunnel.
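What that setting changes on the wire, as an added example (not part of the original post): a SOCKS5 CONNECT request, per RFC 1928, carries either an IP address the client already resolved or the hostname for the proxy to resolve. The resolver table, hostname and function names are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed stand-in for the local resolver (192.0.2.0/24 is documentation space).
FAKE_DNS = {"www.example.com": "192.0.2.10"}


def build_connect(host, port, remote_dns, resolve=FAKE_DNS.__getitem__):
    """Build the SOCKS5 CONNECT request a client sends for host:port.

    remote_dns=False models the default described above: the client looks the
    name up itself (a cleartext DNS query on the local network) and sends an IP.
    remote_dns=True sends the name through the tunnel for the proxy to resolve.
    """
    try:
        ip = ipaddress.ip_address(host)      # literal address: no lookup needed
    except ValueError:
        ip = None if remote_dns else ipaddress.ip_address(resolve(host))
    if ip is not None:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    else:
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must fit a one-byte length prefix")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP, DST.ADDR, DST.PORT (network order)
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Decode a CONNECT request and say which side did the name resolution.

    An IP address on the wire means the name never travelled through the
    tunnel: the client resolved it locally (or was given a literal address).
    """
    if len(req) < 5 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        size, body = body[0], body[1:]       # one-byte length prefix
    elif atyp == ATYP_IPV4:
        size = 4
    elif atyp == ATYP_IPV6:
        size = 16
    else:
        raise ValueError("unknown address type %#x" % atyp)
    addr, rest = body[:size], body[size:]
    if len(addr) != size or len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    if atyp == ATYP_DOMAIN:
        host, side = addr.decode("ascii"), "proxy"
    else:
        host, side = str(ipaddress.ip_address(addr)), "client"
    return {"host": host, "port": struct.unpack("!H", rest)[0], "resolved_by": side}


def dns_leaks(requests):
    """Return the requests whose destination was resolved before the tunnel."""
    return [r for r in map(parse_connect, requests) if r["resolved_by"] == "client"]


if __name__ == "__main__":
    for flag in (False, True):
        req = build_connect("www.example.com", 443, remote_dns=flag)
        print(flag, req.hex(), parse_connect(req))
```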

Update: Oops, as the title hints, I was going to talk about Squid. But then I didn’t. It’s pretty cool too. Carry on…


filtering email body URLs with whois

Filed under: Networking,Ubuntu — kees @ 10:21 pm

I use SURBL filtering for my inbound email. It’s very handy except when my domain receives the leading edge of a new spam campaign. Whenever spam with a URL got through the filters, I’d go look it up and discover that it was added to the block lists about 20 minutes after I got the email. I’d think to myself, “dang, if only I had greylisted that email”.

Well, I got to thinking: all the URL-based spam campaigns have one thing in common: the domains they’re spamming have been recently registered. So now I greylist any email whose body contains a recently registered domain in a URL. It gets delayed just long enough that the SURBLs catch up, and when it is finally reattempted, it gets permanently rejected. Unfortunately, I have not found a common API for querying the registrars for a domain’s creation date, so I wrote an insane script to make a best-effort guess:

$ ./whois-created kernel.org 2>/dev/null
‘kernel.org’ created on: 1997-03-07
$ ./whois-created outflux.net 2>/dev/null
‘outflux.net’ created on: 2000-03-17
$ ./whois-created hosteije.net 2>/dev/null
‘hosteije.net’ created on: 2006-12-01

Any URLs with kernel.org or outflux.net I’d let through, but I’d greylist anything mentioning hosteije.net (which is now listed on the SURBLs).
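A sketch of that decision logic, as an added example (this is not the whois-created script or the MIMEDefang hook from the post): it pulls a creation date out of differently formatted WHOIS replies and lists the URL domains young enough to greylist. The WHOIS samples and .example domains are constructed, and the 30-day threshold and the last-two-labels domain rule are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed WHOIS replies imitating the differing layouts registries use.
SAMPLE_WHOIS = {
    "old.example": "Domain Name: OLD.EXAMPLE\nCreation Date: 1997-03-07T05:00:00Z\n",
    "mid.example": "domain: mid.example\ncreated: 17-Mar-2000\n",
    "new.example": "Domain Name: NEW.EXAMPLE\n   Registered on: 01-Dec-2006\n",
    "odd.example": "No match for domain\n",
}

LABEL = re.compile(
    r"^[ \t]*(?:creation date|created(?: on)?|registered(?: on)?|"
    r"domain registration date)[ \t]*[.:]+[ \t]*(.+)$",
    re.IGNORECASE | re.MULTILINE,
)
NUMERIC = re.compile(r"(\d{4})[-./](\d{1,2})[-./](\d{1,2})")      # 1997-03-07
NAMED = re.compile(r"(\d{1,2})[-. ]([A-Za-z]{3})[-. ](\d{4})")    # 07-Mar-1997
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def _to_date(value):
    """Best-effort conversion of one WHOIS field value to a date."""
    try:
        m = NUMERIC.search(value)
        if m:
            return date(int(m[1]), int(m[2]), int(m[3]))
        m = NAMED.search(value)
        if m and m[2].lower() in MONTHS:
            return date(int(m[3]), MONTHS[m[2].lower()], int(m[1]))
    except ValueError:          # e.g. month 13: not a date after all
        pass
    return None


def parse_created(whois_text):
    """Earliest date found on a creation-like line, or None if there is none."""
    dates = [d for d in map(_to_date, LABEL.findall(whois_text)) if d]
    return min(dates) if dates else None


def body_domains(body):
    """Domains named in the body's URLs, reduced to their last two labels.

    Assumption: two labels is a simplification; real code needs the Public
    Suffix List to handle suffixes such as co.uk.
    """
    found = set()
    for host in URL_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        if len(labels) >= 2 and not labels[-1].isdigit():   # skip IP literals
            found.add(".".join(labels[-2:]))
    return found


def domains_to_greylist(body, today, whois_lookup, max_age_days=30):
    """Return the URL domains registered fewer than max_age_days ago.

    Domains with no parseable creation date are let through (fail open), so
    a WHOIS outage does not delay all mail.
    """
    recent = []
    for domain in sorted(body_domains(body)):
        created = parse_created(whois_lookup(domain) or "")
        if created and today - created < timedelta(days=max_age_days):
            recent.append(domain)
    return recent


# Constructed message body.
BODY = ("Cheap pills at http://shop.new.example/buy?id=1 "
        "(mirror: HTTP://WWW.OLD.EXAMPLE/) or https://odd.example")

if __name__ == "__main__":
    print(domains_to_greylist(BODY, date(2006, 12, 7), SAMPLE_WHOIS.get))
```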

Most of my email filtering is based on some heavily modified MIMEDefang code (which handles hooking to my script and doing the greylisting), but I’m figuring this sort of thing should live in some optional routine in SpamAssassin so more people can benefit.


12/4/2006

OSDL drops staff coders

Filed under: General — kees @ 10:33 pm

News clippings about OSDL’s RIF:

Two months ago, I jumped on a fantastic opportunity and took a job with Canonical (leaving OSDL none too soon, it seems). I’m disappointed that OSDL laid off so many of my friends. I had been visiting the office on and off so I could continue to participate in the daily lunchtime board games. It’s the end of an era.

Games played during lunch:


10/7/2006

art-creation pyramid scheme

Filed under: Blogging,Inkscape — kees @ 12:35 pm

Gib started a meme I think sounds like fun. If you’re one of the first 5 people who comment on this post, I’ll create an original piece of art for you, but only if you promise to offer the same deal in your own blog. (And I urge you to release it under a Creative Commons Share-Alike license while you’re at it.)

I’ll likely be using inkscape to get it done, since I need an excuse to play more with the tile cloner and tessellation filters.


9/9/2006

metalink

Filed under: kernel.org,Networking — kees @ 10:47 am

I’ve been watching metalink for a while now, and was urged to write about it, so I am! If you want to download something large that isn’t available via bittorrent, you can still get the distributed download benefits of bittorrent. Basically, metalink-aware downloaders split up your download across many mirrors of the resource you want, using existing protocols.

Bittorrent is great for “new releases” or other similar things that are currently “in demand” by a large number of people. For older stuff, especially large trees of files, as found on many mirrored archives, you won’t find a bittorrent, and metalink can really distribute and speed up the download.

OpenOffice is using it, and I hope to figure out a way to incorporate it into kernel.org directly. There are already places hosting auto-generated metalink files for various projects, including the linux kernel. I’m hoping kernel.org can publish more complete metalink files since we should be able to build them more easily, having the list of which mirrors are in which countries, their access mechanism, and if they carry bz2, gz, or both. We’ve talked about it briefly, but haven’t finalized the plans yet.

You can even generate your own metalink files online.

Another blog has other details, so I hope I’ve not been too redundant. :)


9/1/2006

public transit badges

Filed under: Blogging — kees @ 7:40 pm

Thanks to Jon, I had to see what public transit systems I’ve been on. They didn’t have Portland’s TriMet, so I sent them their logo. :)

chicago, chicago l, new york, boston, portland trimet, san francisco, san francisco muni, washington

Got at b3co.com!


8/9/2006

talk to me about Sendpage

Filed under: Blogging,Networking — kees @ 4:50 pm

Like I mentioned before, I’ll be in San Francisco at Linux World Expo next week. Besides presenting, I’ll also be at a Birds-of-a-Feather on “Network, Device, and Environment Monitoring” on Wed (8/16) at 6pm in Room 309, where I’ll be talking about Sendpage. I’ve been told this BoF is open to anyone with an “exhibits” pass which, prior to LWE starting, is free! So, if you’re in the area, come hang out. :)


8/7/2006

flag captured

Filed under: Reverse Engineering,Security — kees @ 11:19 pm

I can’t believe it. We won DefCon CTF. I have no idea what to say. It just all came together this year. Great team, great contest.

And to make it even sweeter, since CTF is a “Black Badge” contest, I never have to pay to get into DefCon again! Although, at this point, I might pay several years worth of admission in exchange for lots of time to sleep. :)

UPDATE: nice write-up at the U of Florida.


8/2/2006

mythtv cutlist to mplayer EDL file

Filed under: Multimedia — kees @ 8:47 pm

I was too lazy to walk over to my TV, so I decided to watch my MythTV recordings on my desktop without having installed a MythTV frontend. Via the magic of MythTVfs, I started watching a recent Stargate episode.

Before the opening credits had finished, I knew I was already going to miss MythTV’s commercial flagging. So started the investigation into where in the world MythTV stores that information. I was imagining adding “.edl” files to MythTVfs automatically, etc.

In MythTV 0.19, using “mythcommflag”, you can get the “Cut” list, but not the “Commercial Skip” list. (Think of the latter as a “Cut Hint” list.) The command for this is:

mythcommflag --getcutlist -c 1059 -s 20060728210000

In MythTV 0.20, you’ll be able to use “--getskiplist”. Since I’m still using 0.19, I had to go directly to the “mythconverg” database to get the details. The marks are stored in the “recordedmarkup” table. The mark types I care about are: 4: Commercial Start, 5: Commercial End. This SQL query gets me somewhere:

SELECT mark, type FROM recordedmarkup WHERE chanid = "1059" AND starttime = "20060728210000" AND (type = 4 OR type = 5) ORDER BY mark;

However, mplayer’s EDL file format expects time, not frame number. MythTV stores frame number. Lucky for us, it’s all NTSC MPEG2, so we’re at 29.97 frames per second, and I can modify the SQL:

SELECT mark/29.97, type FROM recordedmarkup WHERE chanid = "1059" AND starttime = "20060728210000" AND (type = 4 OR type = 5) ORDER BY mark;

Now I just have to get the pairs on a single line with a trailing “0” for mplayer to know to skip that time frame:

echo 'SELECT mark/29.97 FROM recordedmarkup WHERE chanid = "1059" AND starttime = "20060728210000" AND (type = 4 OR type = 5) ORDER BY mark;' | mysql -B --skip-column-names | xargs -l2 | awk '{print $0 " 0" }'

Combined with some logic to extract the channel and starttime for a given recording, I’ve now got a really crazy wrapper script that’ll let me mplayer a recording after generating an EDL cutlist.

(With thanks to Ken’s excellent collection of “merge pairs of lines into single lines” short cuts.)


7/30/2006

jabber to IRC bridge

Filed under: Inkscape,Networking — kees @ 11:16 am

I wrote a Jabber to IRC bridge a while back. It’s currently being used to bridge communication between the #inkscape freenode channel and the inkscape Jabber conference room. I’ve finally gotten around to cleaning up (read: getting configurable variables out of the script into a .conf file) and publishing it.

It’s a bit fragile since the POE/Jabber code seems to explode once in a while, and it doesn’t like losing connections with the Jabber server, but it works most of the time. Several people had asked me for copies of it, so there it is. Please don’t laugh at it/me too hard. Just send me lots of patches. :)


7/29/2006

encrypted network filesystems

Filed under: Networking,Security — kees @ 11:59 am

I run a machine in a colo across the country from me, and I wanted to have some backups closer to the machine. So I signed up for a NAS login with my provider. Since I didn’t want to leave all my files sitting on their disks in the clear, I built up an encrypted volume over the network. It’s not fast, but it works.

Here were the setup steps:

  1. mkdir -p /mnt/nas-raw /mnt/backups
  2. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  3. modprobe loop && sleep 2
  4. dd if=/dev/zero of=/mnt/nas-raw/volume bs=32k
  5. losetup /dev/loop0 /mnt/nas-raw/volume
  6. cryptsetup create crypt-backups /dev/loop0 --cipher=aes-cbc-essiv:sha256
  7. Type volume pass-phrase
  8. mkfs.ext3 /dev/mapper/crypt-backups
  9. mount /dev/mapper/crypt-backups /mnt/backups

To unmount it:

  1. umount /mnt/backups
  2. cryptsetup remove crypt-backups
  3. losetup -d /dev/loop0
  4. umount /mnt/nas-raw

And then to remount it later:

  1. smbmount //backup.server.at.my.isp/mount.source.path /mnt/nas-raw -o username=myaccount,password=mypassword
  2. modprobe loop && sleep 2
  3. losetup /dev/loop0 /mnt/nas-raw/volume
  4. cryptsetup create crypt-backups /dev/loop0 --cipher=aes-cbc-essiv:sha256
  5. Type volume pass-phrase
  6. mount /dev/mapper/crypt-backups /mnt/backups

By scripting the “remount” steps, I can actually echo the volume password into an ssh connection:

echo ‘my volume pass-phrase here’ | ~/bin/do-crypto-mount
ssh root@colo.machine.isp “/etc/dirvish/dirvish-cronjob && df -h /mnt/backups”
~/bin/do-crypto-umount

Very handy!

Update: I added the --cipher option to include the essiv type, which should be used.


7/28/2006

airodump channel hopping

Filed under: Networking,Security — kees @ 7:14 am

The “airodump” tool, part of the aircrack wireless analysis suite, is like “tcpdump”, except that it can perform channel hopping. Since channel hopping is a “lossy” way to do wireless sniffing (you’re only listening on each channel for a few hundred milliseconds before moving on to the next channel), it doesn’t make sense to listen to channels that you know will contain no traffic. However, there was no way to specify a range of channels. airodump would either listen on 1 channel or hop across all channels.

I wrote a patch to allow for a comma-separated list of channels to be specified. Now I can tell airodump to spend all of its hopping time on 6, 11, and 1, for example:

airodump ath0 /tmp/ath0-logs 6,11,1

UPDATE: Here’s a patch that does the same for aircrack-ng.


7/27/2006

I love Open Source Software

Filed under: Multimedia — kees @ 12:45 am

Today, Randy let me borrow his awesome presentation remote. It’s basically an RF remote, whose other end is a USB fob, that acts as a keyboard. The two “next” and “previous” buttons on the remote map to “PageUp” and “PageDown” keys, which worked great for the Crucible and Xen presentation Bryce and I gave this afternoon.

Tomorrow, for my MythTV presentation, I’m using OpenOffice.org, which makes a distinction between “Space” and “PageDown”. “PageDown” goes literally to the next slide, whereas “Space” triggers the next animation within a slide. Since my presentation slides have a ton of “reveals”, I need to be pressing “Space”, not “PageDown”. A search of the Logitech page yielded no info on changing the remote’s config, so I opted to use “xmodmap” to get the job done for me.

Using “xev”, I found that the keysym for “PageDown” on my keyboard is 0xff56, and the keysym for “Space” is 0x20. So, I blew away my PageDown key, and replaced it with Space:

echo keysym 0xff56 = 0x20 | xmodmap -

Now the remote works just how I need it. :)


7/19/2006

Linux World Expo

Filed under: Blogging — kees @ 7:09 pm

I will be presenting! I’ve never been to LWE, so I’m really looking forward to the trip. It’s also another chance to hang out in the Bay area and visit with people. Whee!


6/4/2006

frontline assembly samples

Filed under: Blogging,Multimedia — kees @ 8:08 am

Every once in a while, I hear something in a movie and yell, “Hey! That’s in a Frontline song!” This time it was while catching a portion of The Abyss, where a big chunk of gear misses falling on their habitat, and they kind of laugh nervously. Well, that nervous laugh was looped for about 30 seconds at the start of “Victim of a Criminal” from Millennium. I found it at about the same time I thought to put “Frontline Assembly samples” into Google, which gave me this page, which is a list of all the samples that they used. Robocop, Aliens, and the one that haunted me for a while before this Abyss incident: Stargate and “send in the probe”.

This is what my brain is filled with: sound effects. Great. :)


5/24/2006

easy wordpress anti-spam

Filed under: Blogging,Networking,Security — kees @ 11:06 pm

After getting about 40 moderation requests a day, I figured I should spend some time finding some anti-comment-spam plugins for WordPress. After digging around a while, I found one that doesn’t require JavaScript, doesn’t perform vision tests, but works just fine for the kind of comment-spam-bot that seemed to have taken a liking to my blog (even though no spam ever appeared in my comments ever…)

I found lr2Spam which has a great setup, but an incomplete final step. I merged it with ideas I saw in the RBL measures plugin, and got some good results. By replacing lr2Spam’s comment_post with pre_comment_content (see the WordPress Plugin API), I was able to redirect spammers away from my site with PHP’s header("Location: [URL]") technique. (This is what I borrowed from the RBL plugin.) The patch is almost as big as lr2Spam itself (both are very small). Honestly, I’m surprised it works at all. Someone wrote a comment-spam bot that can’t correctly parse a totally valid HTML form, but does correctly handle a 302/Location redirect. Weird.

I thought briefly about redirecting all the spammers to http://fbi.gov/i-am-a-spammer/?ip=[IP] but then realized their requests’ referer header would show my URL still. On further thought, I realized that comment-spam is very different from email spam because the bot has to implement a much larger set of protocol elements. Since they must respect the 302/Location redirect, someone who is getting hit really hard with comment spam could effectively DDoS someone’s link by redirecting to somewhere with big files. Say, for example, instead of using fbi.gov above, I used http://mirrors.example.com/iso/DVD-distro-image.iso. Every spam bot in their network would start a giant-ass download from example.com after hitting my anti-spam system. Ewww.

Implemented early on May 20th, after 4 days, I’ve seen 250 comment spam attempts from 162 unique IP addresses (most in China — maybe they need to turn their firewall around). The volume of spam isn’t big when compared to my daily email spam statistics, but each one of those would have been an email in my inbox, asking for moderation. Interestingly, they all stopped on May 23rd. Maybe they got a clue.


5/22/2006

TiVoConnect dissector for Ethereal

Filed under: Multimedia,Networking — kees @ 9:03 pm

Over the weekend, I coded up a protocol dissector in Ethereal for the TiVoConnect Discovery Protocol. The protocol is very simple, but I still wanted the satisfaction of seeing it listed by name when scanning through my home network captures while debugging Galleon/TiVo traffic.

Ethereal has great developer documentation. It was easy to find and got me coding right away with a skeleton dissector. I just love the projects with this kind of to-the-point example. The only thing I felt was missing from their README.developer was something showing that the dissector routine could return gboolean, letting a dissector reject being attached to a given packet.

There were other clearly written dissectors that I used for reference: DNS, Yahoo, and Syslog. They seemed to answer most of the more subtle questions I had about rewriting column text, scanning the packet, and dealing with other special cases.

Hopefully the patch will get accepted. I even did the randomized testing the wiki recommended. :)


5/18/2006

bleeding-edgeness matrix

Filed under: General — kees @ 11:22 pm

At least two times in recent history, I’ve wondered “is this the most recent version” of some piece of software, immediately followed by “which distro has the most recent version?” As I recall, these were for:

I had discovered both to be woefully behind “most recent” for a number of distributions. In my mind popped a vision of a chart/table/matrix of software on one axis and distros on the other, showing which had what versions of things. And little boxes where I could rank the “bleeding-edgeness” of a distro.

While hunting around, I found something almost like my vision. The distrowatch website is pretty damn cool. It wasn’t really set up to compare bleeding-edgeness between different distros, just different versions of a distro. For example, here’s Ubuntu’s matrix.

I exchanged some email with the author, and it sounds like he just uses a mess of custom scripts to poll version numbers of some of the more “big-name” software packages, common to most distros. Needless to say, mdadm and f-spot did not make the cut. I’d love to be able to add more “tracked packages” via some kind of web UI. A URL plus a regex to extract a version from; almost the same as what’s needed for WWW-PkgFind to operate. :)

From the pkgfind man page description:

… scans a web or ftp site for newly posted files and downloads them to a local filesystem. … The motivation for this script is to poll places where developers post patches to software we’re testing.


5/16/2006

catching up on Stargate

Filed under: Blogging,Health — kees @ 10:50 pm

I’ve been catching up on Stargate SG-1 ever since Bryce recommended it. I’d been resisting it, but with no more Firefly, Farscape, or StarTreks left to watch, it was inevitable.

At one point during my catch-up, I realized that I was watching 4 separate time-lines of the show. SciFi was showing new episodes on Fridays, a set of 3-in-a-row on Mondays, and a third chronology running Tue, Wed, Thu. On top of this, Fox(?) was playing re-runs on Fridays as well. About 30 episodes in, I totally lost it, and could not keep things straight. (“What? Where’d Daniel Jackson go? Who’s this guy?”)

To my rescue was my ever-faithful epguides.com to serve as a base check-list for which shows I’d seen already, and the fantastic Stargate Wiki Episode Guide to help me remember which I’d already seen. (They even have full transcripts of the episodes! That’s dedication!)

It looks like very little of season 2 has aired, so I will have to turn to either the library or Netflix to fill the gaps. Once SG1 is gone, I will have to switch my daily exercise routine back to Buffy the Vampire Slayer. :)


5/12/2006

sourceforge CVS re-check-out solution

Filed under: Blogging — kees @ 9:54 pm

SourceForge migrated to their new CVS server infrastructure recently (due to a catastrophic disk failure of the old system), and told everyone that they had to re-check-out all their trees:

Hostname for CVS service
Old: cvs.sourceforge.net
New: PROJECT_UNIX_NAME.cvs.sourceforge.net

This change will require new working copies to be checked out of all
repositories (so control files in the working copy will point to the
right place). We will be updating the instructions we supply, but
instructions that your team has written within documentation, etc. will
need to be updated.

cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gaim co gaim

would be changed to

cvs -d:pserver:anonymous@gaim.cvs.sourceforge.net:/cvsroot/gaim co gaim

With 14 projects hosted there, with potentially multiple CVS modules in each, this wasn’t the best way for me to deal with the change. I had relocated several CVS trees at OSDL last year, so I went digging for my command line to do the updates. I was disappointed they didn’t suggest it in their email, so I offered my solution via their Tracker. Someone else (on Cygwin even) confirmed that it worked for them, and SourceForge summarily closed the ticket (hence making it disappear from the Tracker where other people were seeking help). I can find no record of a change made to their documentation. In effect, they just eliminated my help (though they did thank me first).

It would be nice if SourceForge ran some kind of forum or Wiki on their site so people could help each other. I’ll have to remember this for the next Advisory Council.


5/4/2006

mythtv listing-update time-rotation

Filed under: Multimedia — kees @ 7:33 pm

A few months ago, zap2it’s renewal survey included a set of questions that were not questions, but rather pleas that people move their database updates to a non-standard time. The default install of MythTV has a hard-coded time in the middle of the night to contact the zap2it servers for TV listing updates. Unfortunately, this means zap2it’s servers were (are?) getting crushed on the hour, across 4 time-zones, in the middle of the night.

To solve this little problem in MythTV, I turned off the built-in “mythfilldatabase” execution, and moved to doing it via crontab. zap2it said they had virtually no load during the day-time, so I moved the update to a little after noon, sticking the following in /etc/cron.d/mythtv-backend:

09 12 * * * mythtv mythfilldatabase --quiet

It dawned on me today while messing around with the “at” scheduler that I could actually randomize when during the day the mythfilldatabase runs. If you wanted to run the job anywhere in a 12 hour (720 minute) period after 9am, you could do it this way:

0 9 * * * mythtv echo "mythfilldatabase --quiet" | at + $(( RANDOM \% 720 )) minutes

The % is written as \% because cron treats an unescaped % in the command field as a newline.

(My bash manpage says the low-order bits of $RANDOM are as random as the high-order bits, so this is “safe”. If you don’t trust your version of bash, you could use $(( 720 * RANDOM / 32767 )) instead. IANAMG*, YMMV, OMGPONIES.)

*I Am Not A Math Geek


careful with mysql downgrades

Filed under: Multimedia — kees @ 1:59 am

I ran into a nasty bug while attempting to downgrade a MySQL database. I had been running my MythTV machine on Debian Unstable, but recently reinstalled to Ubuntu. This has the unfortunate consequence of going from MySQL 4.1 to MySQL 4.0. The “mysqldump” option “--compat=mysql40” kind of forgets to include the “auto_increment” flag for table creation. This caused my subsequent MythTV 0.18 to 0.19 upgrade attempt to instantly bomb, since all the INSERTs expecting the PRIMARY KEY to increment as new stuff was inserted … didn’t.

Once I split the dumps into tables (-t) and data (-d) with different “--compat” levels and hand-edited the tables, everything was “fine” again. I actually got the whole system up and on its feet again, with no loss of Stargate SG-1 episodes. ;)

So, now all I have to fight with is Xv on an old S3 card. Looks like new versions of Xorg don’t aim Xv to the right place. And, mysteriously, the S3 card’s Xv implementation lacks the XV_SWITCHCRT attribute, so I can’t just use “xvattr” to fix it, like I do on my laptop. Aaagh.

I wonder if something like the xorg.conf’s Option MonitorLayout “TV,CRT” might help it? I’ll try that tomorrow.


5/3/2006

fun with OpenID

Filed under: Blogging,Security,Web — kees @ 6:04 pm

While I can’t log into NetFlix or Amazon with OpenID (or other federated login systems), I still wanted to try it out. The goal is to easily write comments on people’s blogs, edit Wiki pages, etc, all without having to keep logging in every time. So far, so good.

First step was to decide between running my own OpenID server or not. I went with “not”, since there really isn’t an installable OpenID server yet (there are only support libraries, it seems). Since I was given a permanent account with LiveJournal for some XSS testing I did for them, I figured I’d just use their stuff. I wanted to use “outflux.net” as my login everywhere, so I just added two lines to my outflux.net HTML source:

<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
<link rel="openid.delegate" href="http://keescook.livejournal.com/" />

Poof. Done. I used Videntity to verify that it was all working. Nifty stuff.

My only complaint is that it’s not clear how to get an end-to-end secure login. I can log into LiveJournal securely, but the OpenID server they run doesn’t seem to operate over HTTPS. Future study is needed. :)


4/30/2006

slow debian mirror avoidance

Filed under: Networking — kees @ 8:02 pm

ftp.us.debian.org has 4 mirror servers in their DNS round-robin. One of them (216.37.55.114) is very slow (25Kb/s) for me. The others are blazing fast, especially 204.152.191.7 (800Kb/s). I’ve gotten sick of having to hit Ctrl-C to abort an apt-get, and then restart it, hoping to get a better server out of the DNS.

Today, I added the following to my machine’s iptables config, so that it will just redirect all attempts from the slow mirror to the fast mirror:

iptables -t nat -A OUTPUT -p tcp -d 216.37.55.114 --destination-port 80 -j DNAT --to-destination 204.152.191.7

If I wanted to do this for my whole network, I’d just slap this rule on my firewall and change “OUTPUT” to “PREROUTING”.

I love iptables.


4/28/2006

lvm article

Filed under: General — kees @ 2:14 pm

Bryce wrote a great article on LVM and disk management that I helped do some technical editing on. Hopefully stuff like this will help other people get more comfortable with LVM, and make it less of a dark art. :)

