freemode.net

Microsoft VML vulnerability    [ Software ]

There exists a "0-day" vulnerability for Internet Explorer and other Microsoft apps (Outlook and Office, at least) which use VML (a language extension to XML). While exploit code is in the wild, and some PCs are already being exploited with variants of this code, there is not yet any large-scale virus or worm exploiting this vulnerability.

Edit 2006-09-22 2:08pm EDT:
See the SunBeltBlog entry for a two-step method that also works with international versions of Windows, and using GPOs in Active Directory to block the VML vulnerability on a domain.

Microsoft's official write-up is at http://www.microsoft.com/technet/security/advisory/925568.mspx.

Their suggested workaround is to un-register vgx.dll.

I've copied and pasted the appropriate commands and saved them as text files named ms925568-vml.txt and ms925568-vml-undo.txt. To run the commands manually, download and save the text file. Rename it with a .bat extension, and double-click on the file.

Alternately, you can copy the text within the appropriate file, go to Start -> Run, paste the copied text into that dialog box, and click "OK".

If the un-registration is successful, you will see a dialog box pop up titled "RegSvr32", with the text "DllUnregisterServer in C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll succeeded."

You then need to reboot your PC (logging off and logging back in may be sufficient, but Microsoft recommends a full restart) to complete this workaround.

Let's play Global Thermonuclear War    [ Software ]

Whoa. This looks cool:

DEFCON by Introversion software

Apologies to WarGames. :)

A better distributed computing project    [ Software ]

I've been a long-time dnetc user - the bovine's cute, it's fun converting electrons into packets of RC5 crack attempts - but lately I've been looking for a better distributed computing project to work on. Maybe it's just the thousand-year projected end-date for RC5-72, but I think I'd rather have my CPU cycles go towards something a wee bit more worthwhile than proving that yet another crypto cipher with a horrdendously huge keyspace can be broken.

The World Community Grid is a joint effort between United Devices (where many of the distributed.net guys actually work) and IBM. UD is also responsible for grid.org, which now refers people to the World Community Grid site.

They have an easy-to-install Windows client, plus Mac and Linux support via BOINC; and they're working on some really worthwhile projects, like defeating cancer, human proteome folding and fighting AIDS. If you're currently crunching away on crypto or mathematics projects, or looking for extraterrestrial radio signals, maybe you can consider lending some CPU cycles to projects that benefit humanity in a more direct fashion.

GIMP for Windows    [ Software ]

Since it takes a few clicks from the main gimp.org site to get to the current Windows downloads, here's the links to grab the latest stable version of GIMP for Windows:

GTK+-2.8.18 for Windows (needed for a new Win2K/WinXP install)

GIMP 2.2.12 for Windows

GIMP 2 Help Files (not required, but helpful to have around)

Safe search + icon editors    [ Software ]

So I wanted to find a decent freeware icon editor for Windows, one that wouldn't come bundled with spyware. I had seen some links to Scandoo before, so I thought I'd try that out. Works pretty well! It acts as a front-end to Google search, flagging potentially harmful destination links with a red X and "safe" links with a green checkmark. See the results below:

It's similar to McAfee's SiteAdvisor in that regard.

You can customize what sorts of content to flag (gambling, sports, illegal activities) including unclassified content, which can be helpful for new, as-yet-uncategorized sites. Plus they've got various search and toolbar plugins for Firefox and IE, as well as the Google Toolbar.

More information:

Search with Gridwell, Scandoo, and Zeedex - from solutionwatch.com

Google Sounds Silent Alarm - from about.com

Google's Infrastructure    [ Software ]

Older article (published July 6) on How Google Works from BaseLine Magazine. Interesting bits:

* Google often doesn't deploy standard business applications on standard hardware. Instead, it may use the same text parsing technology that drives its search engine to extract application input from an e-mail, rather than a conventional user interface based on data entry forms.

* "Sorry, we don't talk about our infrastructure."

Makes you wonder whether large organizations would be better served by going with the grid-model for computing and deploying their business apps on the grid, rather than the traditional spec-out-a-server-and-toss-COTS-packages-on-it approach.

Cygwin + ssh-agent    [ Software ]

How to set up an ssh-agent on Cygwin, like ssh-askpass for X11:

http://www.livejournal.com/users/aegisknight/111357.html

AdBlock filter list    [ Software ]

One of my coworkers emailed me about a great site (file index, really) of AdBlock URL filters for use with the excellent AdBlock plug-in for Firefox and Mozilla browsers.   It's a concise list of ad sites, around 4k in size, makes heavy use of regular expressions, and is frequently updated.

If you find web-based banner ads, flash ads, pop-ups (still an issue even with Firefox) and other random advertising crap annoying, Firefox + AdBlock is a great tool - this helps even more.

Solaris 10 LKM rootkits    [ Software ]

Here's an interesting paper on hiding Solaris 10 loadable kernel modules and corresponding slideshow [both are PDF documents] presented at 21C3 (21st Chaos Communication Congress), a hacker con in Berlin.   Good specifics on how to hide a LKM in Solaris 10, I'm sure everyone who would be interested in this stuff already knows the theory of how LKMs make for great rootkits.

Enbiggen your MT text edit fields    [ Software ]

Quick hack to make your text editing areas in Movable Type a bit larger and more reasonable to use for bigger posts from elise.com.

Cisco security    [ Software ]

There's a good article on Cisco's latest security vulnerability on attrition.org.   In a nutshell, Cisco has IP-based videoconferencing phones that have a hard-coded SNMP community string turned on by default.   This is perhaps easy for administration purposes, but bad bad bad bad bad for security purposes.   Like the article says, no network equipment vendor should be shipping devices with a default SNMP string turned on, let alone a hard-coded one that can't be changed.   This isn't entirely Cisco's fault, these products came to them via an acquisition; but one wonders why you wouldn't run a security audit and fix these sorts of problems before you slap your corporate logo on a product.

Cisco's response is interesting, in that they WILL NOT provide any fix for this issue, but say to either block SNMP traffic to these devices or buy some new devices to replace these.   I have to say that I agree with the article's stance, that this is not the way to handle a vulnerable product.   Unfortunately, Cisco is not very good at handling these sorts of issues with recently-acquired products.

OpenSSHd + Cygwin on Windows XP    [ Software ]

Found a good HOWTO-style article on how to set up OpenSSH to run as a daemon under Cygwin for Windows XP:

http://ist.uwaterloo.ca/~kscully/SSH/CygwinSSHD_W2K3.html

The quick outline is:

• Install Cygwin, make sure you include the OpenSSH package since it's not included in the default install
• Run '# mkdir -p /home/$username' and then edit /etc/passwd accordingly to create a sane home directory structure
• Run '# ssh-host-config' to generate host keys, add an 'sshd' privsep user, and install sshd as a service
• Run '# sc query sshd' to verify that the service is running
• Run '# ssh-user-config' as necessary to generate private/public SSH keys for users if desired

Firefox extensions    [ Software ]

Email from a friend:

If you're using firefox, you might want to check out the following very cool and useful items:

Gmail notifier...this is especially useful for those not running windows:
http://nexgenmedia.net/extensions/

Forecast Fox: this rocks. Very flexible and useful. Not obnoxious or
obtrusive.
http://forecastfox.mozdev.org/

--lin

These are definitely worth checking out if you use Mozilla Firefox as your browser.

Using skey    [ Software ]

I've just got the old SPARCclassic upgraded to OpenBSD 3.6-current, and I wanted to get skey authentication with SSH working on it.

If you want to use skey auth, you first need to initialize skey. Do this by running 'skeyinit' on the SSH server, authenticate yourself with your login password, and create a new secret password. Do not share this secret password, and do not send this secret password across an unencrypted or insecure connection.

When you next log into the server with SSH (you may need to append ':skey' to your login name), you'll be prompted with a challenge string that looks like this:

otp-md5 99 foo12345

You'll then need a client-side program that takes this challenge string (the encryption descriptor, an index and the seed) and combines it with your secret password to generate the one-time password. You then type in the resulting OTP to log into the server.

You'll get a finite number of challenge strings after initializing the system with your secret password (100 by default). After you've run through enough of these, you'll need to re-generate the series with a fresh seed. You can do this once you're logged in via SSH or another secure, encrypted channel by running the 'skeyinit' command again.

Here's links to some useful skey/OTP clients:

One Time Passwords   Google directory entries for One Time Passwords
WinKey32   Windows
OTPgen   Windows
SkeyCalc   Mac
OPIE   Unix, Linux and other platforms
OTPgen Lite   J2ME-enabled mobile phones
jotp   Java applet

Scripting guidelines    [ Software ]

One of the junior admins at work just hacked up a MySQL/PostgreSQL backup script, and was looking for some feedback on it.   I probably wrote up 10x more than needed, but it's stuff worth saying about shell scripting on Unix-style systems.

Kernel module hacking    [ Software ]

I needed to find a quick 'n' dirty way to effectively hide a running process by name on a Linux 2.4 machine.   I've done some research on LKM rootkits in the past and read through the requisite articles and papers from phrack & company, so I had a fair idea of what approach to use.   I've never done any Linux kernel module programming before, so I googled around and found some useful resources.

I found some helpful code snippets, suggestions, a good HOWTO on writing kernel modules, some documentation on Linux 2.4 process management, and the excellent site at http://lxr.linux.no/source/ which lets you browse through kernel source code.   I spent a lot of time looking at sched.h in particular while I wrestled with questions like "next_task isn't in structure? Whaddaya mean?".   Turns out that the 2.6 kernel has a slighly different setup than the 2.4 kernel for iterating through processes, so I had to switch development boxes to use a 2.4 machine (since that's where it's destined to go).

You can download the code + compiled module (built on RedHat 8, kernel version 2.4.20-18.8) in .tgz format.   This module will effectively hide a named process from 'ps', 'top', 'pstree' and other utilities that rely on the /proc filesystem for process information once it's loaded. You can also browse the code below:

Sendmail makes my head hurt    [ Software ]

Yes, I know, it's the default MTA on most vendor's Unix-style systems, and it's configurable to do anything you could ever want to do with email.   Including pre-processing it for transmission over a UUCP link as an EBCDIC representation of 40-year-old punchcards.   God only knows why you would want to do this, but sendmail lets you do it.

Perhaps that's the problem.   Sendmail lets you do this only after you've twisted your brain around configuration directives that make Obfuscated Perl or C Code look like excerpts from page 10 on BASIC for Dummies.   To quote from section 16.4 of the Bat Book:

Note that this new client.cf file added the name of the hub to the lone username
in the last line, whereas our original client.cf did not. To see why this happened,
first look for rule set 3 in this new client.cf file. It contains the line
R$+ @ $=w               $@ $1 @ $M                      ...@thishost
Next look in the original client.cf file. It contains a similar rule:
R$- @ $=w              $@ $1@${HUB}            user@local -> user@hub
But the original client.cf file put this rule in rule set Hubset. The new client.cf
adds the hub's name to a lone username in rule set 3 that affects all addresses,
while old client.cf file adds it in the S= rule set, which affects only sender addresses.

Bleaaarghh!   What the bloody 'ell is R$+ and R$-?   The syntax makes my head hurt even after I read through it three times, and this is from an excellent book by excellent authors from an excellent publishing house.   This is why I like postfix so much better.

Freeswan on Debian    [ Software ]

I've been wrestling with a Debian box with FreeS/WAN patches applied as part of upgrading some end-of-life RedHat 8 systems.   IPSEC services start fine, somewhere between one third and one half of the tunnels come up, but it doesn't consistently work... then I found this page, which talks about getting FreeS/WAN to work with an older version of Debian, and most importantly, mentions that you have to turn OFF spoof protection in /etc/network/options.   Wallah!   It works, and I can stop worrying about having to restore the RedHat image over top of a perfectly good Debian install.

Mouse movement script    [ Software ]

Got a request for a perl script - user needs to automate double-clicking in a GUI app at three different coordinates.   Found Win32::TestGui on CPAN, so I wrote up a little script which uses the module to move the mouse around and double-click.   It's a horrible hack right now, nothing's parameterized for command-line args, but just in case anyone may find it useful, here it is.

[update - 20040323 1902h edobbs]
Updated the script to include command-line argument handling, better error checking and a compiled executable using perl2exe.   Behold version 0.2.   Averages about 20 double-clicks/second on my Dell Latitude C840 (2Ghz P4, 512MB) running Windows XP.

mouse.pl script + executable, version 0.2, released under the GPL.

xmmsarts on Debian    [ Software ]

Playing around with the Debian install on my laptop, it's almost ready for prime time.   I can use rdesktop to get to the Windows boxes through terminal services, I can get to the files on my XP install and use OpenOffice to read/edit documents, and XMMS is working under KDE3.

Needed to jump through some hoops though - by default, the xmms Debian package doesn't include an output plugin for libArts.   Little problem if you're trying to use it on KDE3, especially since the 'xmmsarts' package that provides this plugin can't install due to dependency conflicts.   Grrggh.

Still, this isn't as much of a problem as, say, dealing with RedHat.   More or less:

# apt-get source xmmsarts
# apt-get build-dep xmmsarts

[ ... need libglib1.3-dev, which doesn't exist anymore, but libglib2.0-dev is a replacement ...]

# apt-get install libglib2.0-dev xmms-dev libglib1.2-dev libgtk1.2-dev
# cd xmmsarts-0.4
# ./debian/rules binary
# dpkg -i ../xmmsarts*deb

I needed to track down glib-config and gtk-config via the Debian packages search page, but apart from that, not too bad for back-ending around the binary package dependencies.

Using subversion    [ Software ]

Yeah, subversion's been at 1.0 for a wee bit now.   I had read over the docs and played with it for a short time about a year back, but now I'm looking at converting the CVS repos I'm using at home and work to SVN.   Atomic commits and file renames are cool! :)

There's still a bit of a learning/customizing curve when it comes to using svn, for example, to get CVS-style "$Id$" replacement in text files, you need to do something like the following (assuming you care about .c and .h files):

svn propset svn:keywords "Id" *.[ch]
svn commit -m "added svn:keywords property"

The above snippet is shamelessly stolen from http://svn.brouhaha.com/.   I haven't tried any of the CVS-to-SVN conversion scripts/utils yet, right now I'm doing 'cvs co ${blah}' followed by 'svn import file:///svn/${blah} ${blah}' and futzing with stuff.

Wipe that hard drive    [ Software ]

Every so often, I need to wipe a hard drive and don't have a specific utility or procedure proscribed for the wiping.   Then it's fun to whip out ye olde Knoppix boot CD and this shell script:

#!/bin/sh
for device in /dev/hda1 /dev/hda2 /dev/hdb1 /dev/hdb2; do
    for pass in one two three four five; do
        echo "Wiping ${device}, pass ${pass}"
        dd if=/dev/zero of=${device} bs=32768
        dd if=/dev/urandom of=${device} bs=32768
    done
    echo "${device} wiped ${pass} times."
done
echo "Done."

This takes a while, but you can generally kick this off in the evening before going home and come back in the next day to find the specified devices wiped clean.   Tricky part is getting all the right devices - for example, on a Compaq Proliant 1600, the RAID controller shows up as /dev/ida with the logical drives enumerated as c0dX and their partitions as c0dXpY (similar to Solaris).   Often a 'dmesg | grep [device]' will help track down the particular partitions you care about.

[Update 20040831] Or you could just use the 'wipe' utility, which works on block devices just as well as on files. A 'wipe -kq /dev/hdaX' should do the trick for a quickie wipeout.

TACACS + Linux    [ Software ]

I've recently had to set up TACACS+ authentication on some Linux boxes (in place of NIS, LDAP, or other distributed auth systems), so here's a bit of documentation - as much for my own records as for anyone else to use:

Cygwin + Rxvt    [ Software ]

I've been playing around with Cygwin since I'm forced to run WinXP on my work laptop. Cygwin's great, I've used it on and off since when it was GNU-Win32 by Cygnus, but there's a lot of improvements to it in the last year or two.

One of the things that's irritated me is that the default console uses the cmd.exe shell as a base - makes it hard to copy + paste with the mouse, among other things.   After some effort, I found the right combination of tweaks to get Rxvt working as a decent console in Cygwin.

Playing with filesystems    [ Software ]

After a bit of hacking around, I've finally gotten my filesystems arranged the way I wanted them on my Athlon workstation/development box.   I had originally set it up as a gaming box running Win2K, but wanted a faster machine to use for Linux development work, so I carved out half of the 40GB UDMA100 drive for Debian and left Win2K's filesystem on there after shrinking it with Partition Magic. I kept Debian up all the time on it, and didn't use Win2K at all, so I decided to move my aging production box's data over to the new box - I yanked out the Tekram LVD SCSI controller + two 18GB IBM LVD SCSI disks from the old Pentium Pro 180 box, put 'em into the Athlon, and booted off those disks.

I've done a lot of shuffling since then:

* Copied the /, /usr, /var and /export filesystems from the SCSI drives over to the / filesystem on the UDMA100 drive
* Pulled off the web development files onto the spare SCSI drive for a temporary holding place, since I only had half the space I needed on the UDMA100 disk
* Copied the / filesystem from the UDMA100 drive back to SCSI drive (sda) after re-partitioning to use /boot, swap and one big / filesystem
* Re-partitioned the UDMA100 drive using /boot, swap and big / filesystem with JFS
* Copied the / filesystem back to the UDMA100 drive and copied the web dev files back onto /

Whew, all done now. Couple of gotchas that I ran into:

* Make sure that your initrd (if you're using a modularized kernel and have things like your SCSI controller, root filesystem, etc. compiled as modules) has the necessary bits you need - I had to add 'sym53x8xx' to /etc/mkinitrd/modules with Debian, then run 'mkinitrd' to re-generate my initrd so I could mount the / filesystem off of the SCSI disk (kernel booted fine, but it got a kernel panic when it couldn't mount the root fs)
* Don't switch around the order of your boot devices in your BIOS (if it allows you to toggle IDE vs SCSI boot), settle on one and keep it there, makes maintaining your /etc/lilo.conf 'boot=' value much easier
* 'cd /source-filesystem && tar cfl - ./ | (cd /destination-filesystem && tar xf -)' is your friend
* Create separate entries in your /etc/lilo.conf for each bootable disk when you're moving back and forth, makes it easier to recover in event of a problem and spares you the hassle of pulling out your boot media
* Using the 2.4 kernel from the Debian media is nice (rescbf24 root=/dev/whatever at the prompt), but since it's modularized, god help you if your NIC driver's not compiled into the kernel
* Keep track of your /etc/fstab changes with RCS or another method so you can "pull back" to an earlier config

And I've got a nice happy 40GB JFS filesystem on a decently fast disk. The UDMA100 drive is a bit slower than the 80MB/s LVD SCSI drives, but it's still good, and this way I can swap the two SCSI drives into my Visualize C200 to make it a usable system - can't do a whole lot with the 2x 4GB drives in there right now. Next question is whether I should keep HP-UX on the C200, turn it into a mail/fileserver, and build a separate box for web/ssh access (maybe FreeBSD on one of the PPro's?); or go with Debian/hppa and make that into my DMZ services box.

Upgrading OpenBSD    [ Software ]

Since I'll need to do the OpenBSD release upgrade dance soon with my little SparcCLASSIC box at home, I thought I'd post some useful links on running remote upgrades for OpenBSD:

OpenBSD 2.7 to 3.0 upgrade by Kjell Wooding @ pintday.org
OpenBSD /etc changes from 2.7 to 3.0 by Kjell Wooding @ pintday.org
Upgrading OpenBSD remotely by Alex Holst @ mongers.org
OpenBSD Upgrading mini-faq @ openbsd.org
Sample pf.conf for OpenBSD 3.2 by Han Boetes
PF FAQ @ openbsd.org

Sun 3/80 links    [ Software ]

Some random and maybe useful links for dealing with a Sun 3/80 machine:

http://mail-index.netbsd.org/port-sun3/1997/09/12/0005.html - set a Sun3/80 to autoboot from disk, not net
http://www.sun3zoo.de/en/nvram.html - Sun3/80 NVRAM
http://www.netbsd.org/Ports/sun3/faq.html - NetBSD sun3 FAQ
http://www.squirrel.com/squirrel/sun-nvram-hostid.faq.html - Sun NVRAM FAQ
http://www.obsolyte.com/sun380/ - Obsolyte's entry
http://www.sunstuff.org/hardware/systems/sun3/sun3x/3-80/

HP-UX and swinstall    [ Software ]

Finally starting to play around with my HP-UX box a little more, I grabbed some precompiled GNU + open-source software from the Software Porting And Archive Centre For HP-UX so that I could get a GNU-based compiler toolchain going.   Since it's been almost a year since I did any real work with HP-UX 11, I had to google for the invocation to avoid going through swinstall's curses-GUI screens:

# swinstall -s /var/spool/sw/full-name-of-package.depot \*

And then it'll happily install the contents of the HP software depot, log the session to /var/tmp/swagent.log, and put some more info in /var/adm/sw/sessions/swinstall.last and /var/adm/sw/swagent.log.

One other buglet - after installed OpenSSH 3.7.1p2 from the HP-UX software archive, I got the following errors when trying to run any SSH app:

/usr/lib/dld.sl: Can't find path for shared library: libcrypto.sl.0.9.7
/usr/lib/dld.sl: No such file or directory
Abort(coredump)

I went into /usr/local/lib and did a:

# ln -s libcrypto.sl libcrypto.sl.0.9.7

to link the library properly.   SSH was all happiness after that.

Drupal install    [ Software ]

Worked on installing Drupal as a web forum/discussion board thingy for my lab project. [removed link 20031123 edobbs]

Why Drupal?   I haven't really worked with it before, but it looks interesting and seems to have some nicer customization features above and beyond what phpBB or Post-Nuke has, and doesn't seem to suffer from the same extent of security issues that those two packages do.   Plus, it's in the Debian package repository, so I can 'apt-get upgrade' between releases on whatever hardware I want to run it on.

I did run into some gotchas during the install, so I documented the steps I took below so that the next unlucky victim can learn from my mistakes.

Ports for XDM login    [ Software ]

Some notes on setting up XDM login from a Linux client to a Solaris server - got this working between a Debian box with iptables and a Solaris 8 box with ipfilter.   The fonts still look ugly, so I need to poke around with font server settings to see if I can pull the fonts from the Solaris box for just that one X session and retain the native fonts for the "ordinary" X session on vt7.

Oracle startup/shutdown    [ Software ]

More notes on Oracle startup/shutdown from a sysadmin's perspective:

OpenSSH init.d script for Solaris    [ Software ]

Needed to hack up an improved init script for OpenSSH on Solaris - see below for details.

Backups over ssh    [ Software ]

Quick reference (mostly for myself :) just in case I need to run backups over ssh.   srchost = source machine, dsthost = destination machine, FILES = directory with files that needs to be backed up.   Assumes there's a "backups" user with appropriate auth to access FILES and perform backups.   Also assumes GNU tar, prepend a '-' to tar's arguments if it's not.

Tape backup
backups@srchost$ tar cvfz - /FILES | ssh backups@dsthost "dd of=/dev/st0"

File backup
backups@dsthost$ ssh backups@srchost "tar cvfz - /FILES" > FILES-`date +%Y%m%d`.tgz

WinXP migration    [ Software ]

Had the pleasure of swapping out laptops recently - traded a Dell Inspiron 8500 (wide-aspect-ratio screen, but the video card could only drive the display up to 1280x800x32 - ugh) for a Dell Latitude C840.   The C840 has essentially the same specs, but has a faster hard disk (5400rpm instead of 4200rpm on the Inspiron), and its video display can handle up to 1600x1200x32.   Oh, and its keyboard doesn't suck.   So I went looking for ways to avoid having to reinstall the OS, my apps and all my registry settings - since I have both XP Pro and XP Home installed on it, I wanted to avoid having to do this twice.

Apple Powerbook G4    [ Software ]

Got to play with a Mac Powerbook G4 for work, it's a sexy mac.   First time I've really futzed around with OS X at all, it's pretty nifty.   Like FreeBSD, it's stable and has all the Unix-style userland, administration and networking tools you'd expect, plus more (having 'sudo' installed out of the box is nice!).   Only complaint I have with the 15" model is that it's way too easy for me to hit the touchpad accidentally while I'm typing, which generally causes a few moments of confusion when I'm in a terminal window.

USB flash drive + Linux 2.4    [ Software ]

Got a 256MB Lexar JumpDrive for my birthday, and needed to use it with my Debian box at work.   I've never twiddled around with this hardware under Linux before, but after a bit of googling, I found that you need to do a:

# modprobe usb-uhci

or

# modprobe usb-ohci

depending on your hardware, followed by a:

# modprobe usb-storage

Your device should then be recognizable by the kernel.   A 'dmesg' should show something like:

usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-uhci.c: $Revision: 1.275 $ time 11:48:27 Aug 2 2003
usb-uhci.c: High bandwidth mode enabled
PCI: Setting latency timer of device 00:1d.0 to 64
usb-uhci.c: USB UHCI at I/O 0x2440, IRQ 16
usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
PCI: Setting latency timer of device 00:1d.1 to 64
usb-uhci.c: USB UHCI at I/O 0x2460, IRQ 19
usb-uhci.c: Detected 2 ports
hub.c: USB new device connect on bus1/2, assigned device number 2
usb.c: new USB bus registered, assigned bus number 2
usb.c: USB device 2 (vend/prod 0x5dc/0x100) is not claimed by any active driver.hub.c: USB hub found
hub.c: 2 ports detected
usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
SCSI subsystem driver Revision: 1.00
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
scsi0 : SCSI emulation for USB Mass Storage devices
usb-uhci.c: interrupt, status 3, frame# 874
  Vendor: LEXAR Model: ATA FLASH Rev: V1.0
  Type: Direct-Access ANSI SCSI revision: 02
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 2
USB Mass Storage support registered.

And then you should be able to mount the flash drive, which shows up as a SCSI device:

# mount /dev/sda1 /media

'vfat' filesystem support is necessary to mount the drive, but that should be present in most linux kernels. If not, time to do the kernel-recompile dance or grab a module and get it up and running.

Solaris + Samba + WinXP    [ Software ]

Got a chance to set up Samba on my SunBlade 100 at work running Solaris 8, since I'm doing perl scripting and need a more convenient way to move files back and forth than pulling up a command prompt and using PuTTY to SCP files over my miniswitch.   All I need is an SMB/CIFS share, I don't need to join it to a domain or act as a PDC and service logon requests from Microsoft clients spanning two decades, or pull up winbindd for appliance-style authentication (thank gawd).

It's fairly straightforward.   But even though I've been doing this dance in one form or another for the past five years, I completely forgot about setting up the smbpasswd file until I started googling for an all-too-familiar "The account is not authorized to log in from this station" error.

Remove multi-language Solaris packages    [ Software ]

A few quick steps to remove Solaris packages that I'll never use:

# for language in "Japanese Chinese Taiwanese Korean Thai French Russian Italian Spanish Swedish"; do
> pkginfo | grep $language >> /tmp/pkglist
> done
# awk '{ print $2 }' /tmp/pkglist > /tmp/pkgnames
# for entry in `cat /tmp/pkgnames`; do
> /usr/local/bin/yes | pkgrm $entry
> done


And the contents of /usr/local/bin/yes:

#!/bin/sh
# Script to emulate 'yes'
while [ 1 ]; do
echo "y"
done
# eof


Apache + mod_ssl cert    [ Software ]

Finally got around to configuring Apache + mod_ssl at home, and found a real quick way to generate a (passwordless, to avoid stalling the server for console input on a reboot - found that out the hard way after a power failure) self-signed cert:

1. Generate a key.

# openssl genrsa 1024 > servername.key

for a passwordless key, or:

# openssl genrsa -des3 1024 > servername.key

for a password-protected key that you'll need to type in on the console on bootup or whenever Apache restarts. You can insert:

SSLPassPhraseDialog exec:/path/to/your/password/program

in your httpd.conf for Apache, but it may be simpler to have an unpassworded key than to call a program to feed a password to Apache.

2. Create a CSR file for the request.

# openssl req -new -key servername.key -out servername.csr

[ punch in your ISO 2-letter country code, region/state, org, ou, server's FQDN for the "Common Name" portion, email add'y, plus other optional fields ]

3. Grant the request and generate a CRT file.

# openssl req -x509 -days 730 -key servername.key -in servername.csr -out servername.crt

[ use whatever arbitrary number you want for the -days, but 2 years works well ]

Point the appropriate parts of your httpd.conf to use the servername.key and servername.crt, and hey presto, you've got a self-signed certificate for SSL operations.   Check out one of the many excellent Apache + mod_ssl tutorials that exist for more details on configuration.

OGRE    [ Software ]

Started playing around with OGRE, an LGPL'd cross-platform graphics rendering engine.   Check out the demos available for download, they're pretty spiffy.   It'll work with OpenGL on Linux + Mac OS X and DirectX / OpenGL on Windows platforms.

I'm still getting all the Debian -testing packages installed for it, which involves doing a lot of:

# apt-cache search 'DevIL' | more
[ ... scroll through results ... ]
# apt-get install libdevil-dev

and so forth.   Packages that I've had to install so far (based on a compiler-plus-kernel-dev-tools setup) are:

libdevil-dev
libfreetype6-dev
libsdl1.2-dev
pkg-config
autoconf
automake
libtool
libjpeg62-dev
libmng-dev
mesag-dev
libpng3-dev
libtiff3g-dev

Linus interview    [ Software ]

Linus Torvalds does an interview with the San Jose Mercury News where he talks about Transmeta, SCO and OSDL here: http://www.bayarea.com/mld/mercurynews/6238207.htm

My favorite Linus quote from the article: "I enjoyed that IBM started porting Linux to the S390, found that hugely amusing. I thought, OK, somebody has done a few too many drugs."

Linux/Unix basics    [ Software ]

Got asked by a coworker for some basic pointers on Linux and Unix, so I came up with a list of "starting points" for someone who's new to the Linux/Unix world.

apt-get and PHP4    [ Software ]

Debian's a great Linux distro, and has a wonderful package management system, but every now and then something breaks in a completely unexpected way.

I had run the usual 'apt-get update && apt-get upgrade' a few days back, and saw a whole bunch o' packages come up.   I ran through the 20 or so that could be installed that way, and then did a 'apt-get dist-upgrade' to resolve the dependencies for the remaining 70 or so.   It wanted to uninstall PHP4, so after pausing for a full 3/4 of a second, I went ahead with the removal, figuring that it was a uninstall-dosomethingelse-reinstall setup.

ESR vs SCO    [ Software ]

Eric S Raymond has fired off another salvo in the ongoing SCO vs IBM lawsuit - what a beautiful shining example of corporate stupidity on SCO's part.   There's a story on Slashdot with more info, plus SCO now has a SCOsource "division" whose raisin'detreh (pardon my French) seems to be suing other, more successful companies.   Way to go, SCO - turn a failed business model of selling proprietary x86 Unix into a public spectacle for the whole industry to watch your company thrash and burn as it dies.

HP Visualize C200    [ Software ]

Just got an HP Visualize C200 workstation from eBay - arrived via FedEx yesterday, and our neighbor was nice enough to let the delivery guy drop it in their front hallway rather than let it sit outside.   The box is nice!   You open up the CDROM/floppy/disk/front-panel enclosure, and the narrow 50-pin SCSI + fast/wide 68-pin SCSI + floppy + power + front-panel cables all run into a single mini-backplane at the back of the enclosure, which has something like an oversized SCA connector to plug into the system backplane.

It's got 512MB memory, two Seagate ST34572WS disks (although the OS only sees one of 'em from an 'ioscan'), an HP video card with a VGA adapater, and a PA-RISC 8200 200Mhz processor with 512KB instruction/1024KB data cache.   More specs are available from openpa.net.

Visio stencils    [ Software ]

If you ever use Visio for any kind of productive work, you might find yourself searching for stencils.   Cisco and HP have stencils available for their gear, but Sun is notable for NOT having any available.   You can go to Altima Technologies' VisioStencils site to pay for good-quality stencils of Sun gear.   MVPS.org also has a good list of 3rd-party Visio stencils available for purchase or download.

Debian 2.2 under VMware    [ Software ]

In my continuing quest to install and play with as many different *nixes on as many different platforms as possible, I've been working on a Debian 2.2 install under VMWare Workstation 3.2 (running on Win2K for work-related reasons).   Debian's pretty straightforward, but this is probably the sixth or seventh Debian 2.X install I've done on x86 hardware, so it's all familiar at this point.

One sticky point - if you don't remember to load the 'pcnet32' module during the install, you'll have to do a:

# insmod pcnet32
# ifconfig eth0 [whatever-options-you-normally-throw-at-ifconfig]

to get it up and running after the install.   To bring these up automatically at boot, edit /etc/modules to include a line for 'pcnet32' and edit /etc/network/interfaces to include a line for eth0, perhaps similar to:

iface eth0 inet dhcp

That will also allow 'ifup' and 'ifdown' to work properly.

Command prompt here    [ Software ]

This is a tip I saw years ago, but I've never written it down.   So after about three minutes of googling, I found the Microsoft TechNet article on how to set up a "Command prompt here" option when you right-click on a folder.

Basically, you write a bit of code to interface with Windows Scripting Host:

Set objShell = CreateObject("WScript.Shell") objShell.RegWrite "HKCR\Folder\Shell\MenuText\Command\", "cmd.exe /k cd " & chr(34) & "%1" & chr(34) objShell.RegWrite "HKCR\Folder\Shell\MenuText\", "Command Prompt Here"

Save it as a .VBS file and run it, and it'll add the registry entries to invoke a command prompt in the right-click menu for directories.   Comes in handy for running CLI tools against specific files, like checking MD5 sums on ISOs that you've downloaded.   This should work on NT4, Win2K, WinXP and .NET server without a problem.

Staying up to date    [ Software ]

Anyone who administers a *nix box has done this task, but it can be hard to remember what particular steps you need to take on a given system to download & install patches, synch up the source code and rebuild the kernel + userland, or grab updated binary packages.   So I'll try to compile a list of basic outlines for updating different Unix-ish operating systems.

Standard Solaris .profile    [ Software ]

What's a good standard Solaris root .profile?   If you administer or build a lot of machines, this is something handy to keep around.   Here's an example - I use this as a starting point for my boxes.

Serial console on Linux    [ Software ]

Sometimes it'd be nice if computer UI's were good enough so that you could speak words of command: "Delete thy VGA display and write upon its buffer no more in this system!".   Google helps a lot with this, but there's usually still some amount of grunt work involved.

Say you wanted to disable the VGA output of a Linux box and redirect all the output to a serial port.   Not just run the VGA + serial simultaneously, but make as little output as possible come up on the VGA display.   This is a wee bit more difficult than you might think at first.

How to edit a Linux bootable CDROM under FreeBSD    [ Software ]

One of my cow-orkers has been out of town for the past week or so, and he was thoughtful enough to leave a BIOS boot password on his Dell workstation.   Not like we needed access to this workstation while he was gone, no, no one would ever leave a machine locked down like that if it was needed.   That would inspire others to acts of BOFHery.

So that lasted until I ripped the "reset password" jumper out from the motherboard (love those easy-access cases), reset the password, and re-arranged the letters on his keyboard to spell W-A-N-K-E-R in the upper-left-hand corner instead of the usual Q-W-E-R-T-Y.   And then, for giggles, I thought I'd leave a bootable Linux CDROM in his drive to create the impression that his beloved Win2K install had been replaced.   But how to edit a Linux bootable CDROM, when all I had were Solaris and FreeBSD boxes?

Java on FreeBSD    [ Software ]

Tried to get Java 1.3.1 support working in FreeBSD (primarily for Mozilla), and it's not as straightforward as I thought it would be.   There's more downloading & manual intervention required than for most ports.

Elvim Sexmacs, King of Unix Text Editors    [ Humor ]

http://slashdot.org/comments.pl?sid=45532&cid=4714082

killall(1M) vs killall(1)    [ Humor ]

Most Unix admins have a particularly favorite mistake they've committed.   After all, when you have a (now shrinking) variety of similar but not-quite-the-same implementations of the same general idea, you're bound to run into inconsistencies.

My personal favorite is the killall command.   On one popular (commercial) version of Unix, it does one thing.   On another popular (open-source) re-implementation of Unix, it does something rather different.

The OpenBSD CVS Dance    [ Software ]

And for an encore, I did the update-sources-and-recompile dance for OpenBSD on temujin.

Moved temujin    [ Software ]

Moved temujin (the SPARCclassic box) from the upstairs study down to the basement.   Got the DSL connection wired down there thanks to borrowing a punchtool from one of the network engineers at work, and buying a punch block and some Cat3 cable at Home Depot.

# uptime
7:13AM up 117 days, 13:22, 4 users, load averages: 0.13, 0.11, 0.08

New (sort of) Sun 630MP, woohoo!    [ Software ]

Picked up a Sun SPARCserver 630MP from a kindly sun-rescue list member today - he needed to find a good home for it, and I'm all too happy to take it for free.   Josh rolled the thing down to his apartment's loading dock area, and we managed to hoist it into the back of my CRV.   He was nice enough to throw some extra gear in, just for the sake of getting it out of his place.

IPsec between OpenBSD and Debian Linux    [ Software ]

I've run through this scenario a while ago, so I wrote up my notes on the experience in the hopes that they'd prove useful.   The Debian Linux portion should still be more or less correct, but OpenBSD has changed a fair bit from 2.8, including dropping IPFilter support in favor of 'pf'.   YMMV.

NetBackup through your firewall    [ Software ]

We've finally got a President-elect, and snow in Northern Virginia to boot! It's a happy time, Christmas is drawing near, and while presents appear 'round the tree and a fire blazes in the hearth, you're stuck at work.

There's a new Enterprise Backup Solution, and gosh darn it, the company is determined to make it back up everything from the mail servers to the CEO's nephew's PalmPilot. This, of course, involves getting through your firewall, and while you're able to put to rest some of the more outlandish ideas (doing remote backups of dialed-in employees' desktops to the DLT7000 tape library), you are going to have to back up those web and ftp servers in your DMZ to the backup servers inside your firewall.

Election count blues and VxVM    [ Software ]

It's been a month since my wife and I woke up, expecting to hear the results of the election on WETA 90.9 FM on the morning of November 8th 2000. No such luck.

I voted for Bush, despite being a liberal partisan during high school and college, because I can't get past Al Gore's personality. If there was a way to vote for the Democratic platform without electing Gore, I'd have done it.

Partisan opinions don't get much done when your root disk is incorrectly set up in Veritas Volume Manager, though. After the nice guy from Veritas came by to install FirstWatch and Volume Manager on our new firewall cluster, I looked closer at the configuration he left behind on the disks.