cat /dev/random > /dev/eth0<br />
A blog about nothing in particular... (Gert)<br />

<h2>Authenticating to MongoDB using a keyfile</h2>
<p>Posted 2020-10-09, updated 2021-05-07</p>
<p>Sometimes, it might be useful to authenticate to MongoDB using a keyfile. (This requires the deployment to be configured to use a keyfile, which is mostly done for replica set / sharding internal authentication.)</p>
<p>
Use cases for this include:
<ul>
<li>
Password resets
</li>
<li>
Authenticating on shards from a config server with the same credentials for all shards (e.g. for keyhole, which assumes that this is possible and produces errors if shards use different passwords)
</li>
<li>
Auto-detected credentials for scripts that need to run (as root) on multiple nodes
</li>
<li>
Automation of operations on the database (e.g. Creating a user using Ansible, without knowing if a user already exists)
</li>
</ul>
</p>
<p>
<a href="https://docs.mongodb.com/manual/core/security-internal-authentication/#keyfiles">Keyfile authentication uses SCRAM</a> (the exact variant depends on the MongoDB version), in the same way that user authentication does, with the contents of the keyfile (after stripping all whitespace) as the password.
</p>
<p>
Knowing this, I decided to search around for references to "SCRAM-SHA-1" and "keyfile" and then came across info indicating that the username used is "__system". I found hints at this in the last diff <a href="https://github.com/mongodb/mongo/commit/eb3435c25eabc90e2c4ff7c331c94c4c222d0b7e">on this change in the MongoDB source code</a>.
</p>
<p>
In order to log in to the local MongoDB instance using the keyfile /etc/mongo.keyfile (as root, so that it can be read), the following command can be used: <br />
<tt>
mongo -u __system -p "$(tr -d '[:space:]' < /etc/mongo.keyfile)" --authenticationDatabase admin
</tt>
</p>
<p>
If the connection string is used instead, the password needs to be URL encoded: (This version uses <a href="https://stackoverflow.com/a/1710689/1837991">Perl for URL encoding</a>, which might not be available everywhere)<br />
<tt>
mongo "mongodb://__system:$(tr -d '[:space:]' < /etc/mongo.keyfile | perl -ple 's/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg')@localhost:27017/?authSource=admin"
</tt>
</p>
<p>
Note: This will not work on a YAML keyfile, as supported in MongoDB 4.2 or later. (The password for the system user should still be possible to extract using other methods though)
</p>
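<p>As an added example (not from the post), the same password derivation and URL encoding using only Python's standard library, which avoids the Perl dependency. It assumes the plain keyfile format (6 to 1024 base64 characters, whitespace ignored) and rejects anything else, so the YAML case above is detected rather than silently mis-encoded; the mode check mirrors mongod's own refusal of a group- or world-readable keyfile. The sample keyfile contents are constructed.</p>

```python
"""Derive the __system credential from a plain-text MongoDB keyfile.

Added example, not part of the original post. Assumes the plain (non-YAML)
keyfile format: 6 to 1024 characters from the base64 alphabet, whitespace
ignored. Sample keyfile contents below are constructed.
"""
import os
import re
import stat
from urllib.parse import quote

# What mongod accepts in a plain keyfile once whitespace has been stripped
_PLAIN_KEYFILE = re.compile(r"[A-Za-z0-9+/=]{6,1024}")


def keyfile_password(content: str) -> str:
    """Strip all whitespace (what 'tr -d [:space:]' does in the post)."""
    return "".join(content.split())


def is_plain_keyfile(content: str) -> bool:
    """False for the YAML keyfile format of MongoDB 4.2+ (or any other file),
    for which this method does not apply."""
    return _PLAIN_KEYFILE.fullmatch(keyfile_password(content)) is not None


def keyfile_uri(content: str, host: str = "localhost:27017") -> str:
    """Connection string as in the post. safe='' makes quote() encode '/',
    '+' and '=' as well; all three occur in base64 and all three have a
    meaning inside a URI, which is why the Perl one-liner encodes them too."""
    if not is_plain_keyfile(content):
        raise ValueError("not a plain-text keyfile; use another method")
    password = quote(keyfile_password(content), safe="")
    return f"mongodb://__system:{password}@{host}/?authSource=admin"


def mode_problems(mode: int) -> list:
    """Problems with a keyfile's permission bits. The keyfile is the whole
    cluster's master credential, and mongod itself refuses to start with a
    keyfile that is readable by group or others."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keyfile is accessible to group or others")
    if not mode & stat.S_IRUSR:
        problems.append("keyfile is not readable by its owner")
    return problems


def keyfile_permission_problems(path: str) -> list:
    """Same check against a real file (run as root, as the post does)."""
    return mode_problems(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample keyfile contents, not a real key
    sample = "abc+/DEF==\n  xyz\n"
    print(keyfile_uri(sample))
    print(mode_problems(0o644))
```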
<p>
<a href="https://www.percona.com/blog/2019/07/12/mongodb-security-vs-five-bad-guys/">A Percona blog post that also mentions this method</a>
</p>

<h2>Euro cylinder lock fixing screw sizes</h2>
<p>Posted 2020-01-17</p>
Euro profile cylinder locks use M5x70mm countersunk machine screws.<br />
<br />
(The size is hard to find: the M5 thread is in the relevant standard, DIN 18252, but the length needs to be dug out of forums.)

<h2>Managing FirewallD ipsets and services using Ansible</h2>
<p>Posted 2018-05-02, updated 2023-06-06</p>
<p>
Ansible's FirewallD module (<a href="https://docs.ansible.com/ansible/2.4/firewalld_module.html">2.4</a>, <a href="https://docs.ansible.com/ansible/2.5/modules/firewalld_module.html">2.5</a> and at least up to 1.4.0 of the <tt>ansible.posix</tt> collection) supports managing a subset of FirewallD functionality.
</p>
<p>
Currently, the creation and management of <a href="http://www.firewalld.org/documentation/service/">service</a>s and <a href="http://www.firewalld.org/documentation/ipset/">ipset</a>s are not supported.
</p>
<p>
The module <a href="https://github.com/ansible/ansible/issues/37319">is being refactored</a> to allow for <a href="https://github.com/ansible/ansible/pull/37603">support of additional functionality</a>.
</p>
<p>
However, since FirewallD's permanent config is stored in XML files, it is possible to deploy services and ipsets using Ansible's <a href="https://docs.ansible.com/ansible/latest/modules/template_module.html">template</a> module instead.
</p>
<p>
For the functionality that I need (services consisting of just ports or protocols, and ipsets containing networks or IPs), I use these templates:<br />
<div>firewalld-ipset.xml.j2
<pre>
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:{{ item.type }}">
<description>{{ item.description }}</description>
{% if item.options is defined %}
{% for option in item.options %}
<option name="{{ option.name }}" value="{{ option.value }}"/>
{% endfor %}
{% endif %}
{% for entry in item.entries if entry != "" %}
<entry>{{ entry }}</entry>
{% endfor %}
</ipset>
</pre>
</div>
<div>
firewalld-service.xml.j2
<pre>
<?xml version="1.0" encoding="utf-8"?>
<service>
<description>{{ item.description }}</description>
{% if item.ports is defined %}
{% for port in item.ports %}
<port protocol="{{ port.type }}" port="{{ port.port }}"/>
{% endfor %}
{% endif %}
{% if item.protocols is defined %}
{% for proto in item.protocols %}
<protocol value="{{ proto }}"/>
{% endfor %}
{% endif %}
</service>
</pre>
</div>
</p>
<p>
The tasks below are driven by variables like these. Additional list entries deploy additional services / ipsets with the same task.
<pre>
sample_ipsets:
  - filename: private-ips.xml
    description: Private IPs IPset
    type: net
    entries:
      - 10.0.0.0/8
      - 192.168.0.0/16
      - 172.16.0.0/12
  - filename: monitoring-servers.xml
    description: Monitoring server IPs
    type: ip
    entries:
      - 192.168.0.1
      - 10.2.3.4
  - filename: monitoring-servers-ipv6.xml
    description: Monitoring server IPv6s
    type: ip
    options:
      - name: family
        value: inet6
    entries:
      - 2001:0db8:85a3:0000:0000:8a2e:0370:7334
      - 2001:db8::2:1
sample_services:
  - filename: nrpe.xml
    description: Nagios NRPE service
    ports:
      - type: tcp
        port: 5666
  - filename: ip-in-ip.xml
    description: IP-in-IP encapsulation
    protocols:
      - ipencap
  - filename: dns-and-ntp.xml
    description: Service for easily opening NTP and DNS
    ports:
      - type: udp
        port: 53
      - type: udp
        port: 123
</pre>
</p>
<p>
Sample tasks used to deploy the configs based on these templates:
<pre>
- name: FirewallD services
  ansible.builtin.template:
    src: firewalld-service.xml.j2
    dest: /etc/firewalld/services/{{ item.filename }}
    owner: root
    group: root
    mode: "0644"
  with_items: "{{ sample_services }}"
- name: FirewallD IPsets
  ansible.builtin.template:
    src: firewalld-ipset.xml.j2
    dest: /etc/firewalld/ipsets/{{ item.filename }}
    owner: root
    group: root
    mode: "0644"
  with_items: "{{ sample_ipsets }}"
# You might want to use a handler for this instead
# It might be possible to do this with the systemd module as well
# This will cause any non-permanent (runtime-only) changes to be lost
- name: Reload FirewallD
  ansible.builtin.command: firewall-cmd --reload
</pre>
</p>
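<p>As an added example (not part of the post, and not Ansible's code), a pre-deployment check of the sample_ipsets variables in Python: firewalld only rejects a bad entry at reload time, and the reload task above also discards runtime-only rules, so it is cheaper to catch an IPv6 address in an inet set, a network in a hash:ip set, or a typo before templating. The item keys match the firewalld-ipset.xml.j2 template; the sample data is constructed and includes one deliberately broken set.</p>

```python
"""Check sample_ipsets entries before they are templated into
/etc/firewalld/ipsets. Added example, not the post's or Ansible's code.
The item keys (type, description, options, entries) are the ones the
firewalld-ipset.xml.j2 template consumes; the data is constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: two good sets as in the post, one deliberately broken
SAMPLE_IPSETS = [
    {"filename": "private-ips.xml", "description": "Private IPs IPset",
     "type": "net", "entries": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]},
    {"filename": "monitoring-servers-ipv6.xml", "description": "Monitoring server IPv6s",
     "type": "ip", "options": [{"name": "family", "value": "inet6"}],
     "entries": ["2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:db8::2:1"]},
    {"filename": "broken.xml", "description": "Every mistake at once", "type": "ip",
     "entries": ["10.0.0.0/8", "2001:db8::1", "not-an-address"]},
]


def ipset_family(item: dict) -> int:
    """firewalld ipsets are IPv4 (inet) unless the family option says inet6."""
    for opt in item.get("options", []):
        if opt["name"] == "family":
            return 6 if opt["value"] == "inet6" else 4
    return 4


def validate_ipset(item: dict) -> list:
    """Return human-readable problems; an empty list means safe to template."""
    problems = []
    family = ipset_family(item)
    if item["type"] not in ("ip", "net"):
        problems.append(f"unsupported set type hash:{item['type']}")
    for entry in item.get("entries", []):
        if entry == "":
            continue  # the template skips empty entries as well
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry!r} is not an IP address or network")
            continue
        if net.version != family:
            wanted = "inet6" if family == 6 else "inet"
            problems.append(f"{entry!r} is IPv{net.version} but the set family is {wanted}")
        if item["type"] == "ip" and net.num_addresses != 1:
            problems.append(f"{entry!r} is a network in a hash:ip set (use hash:net)")
    return problems


def validate_all(items: list) -> dict:
    """filename -> problems, only for the items that have any."""
    return {i["filename"]: p for i in items if (p := validate_ipset(i))}


def render_ipset(item: dict) -> str:
    """Same XML as the firewalld-ipset.xml.j2 template, built with ElementTree
    so that values are escaped instead of pasted in."""
    root = ET.Element("ipset", type=f"hash:{item['type']}")
    ET.SubElement(root, "description").text = item["description"]
    for opt in item.get("options", []):
        ET.SubElement(root, "option", name=opt["name"], value=opt["value"])
    for entry in item.get("entries", []):
        if entry != "":
            ET.SubElement(root, "entry").text = entry
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, problems in validate_all(SAMPLE_IPSETS).items():
        print(name, problems)
    print(render_ipset(SAMPLE_IPSETS[0]))
```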
<h2>Solaris 10 - fiocompress (UFS file compression) settings</h2>
<p>Posted 2017-08-28</p>
Bernd Schemmer has an <a href="http://bnsmb.de/solaris/Using%20on-the-fly%20decompression%20for%20UFS%20filesystems.html">interesting post about using fiocompress for file-system level compression of individual files on UFS file systems</a>...<br />
<br />
I did some experimentation and found a few more things:<br />
<br />
<ul>
<li>Increasing the blocksize from the default of 8192 increases the compression ratio</li>
<li>The compression ratio seems to be somewhere between gzip and compress (on a text file)</li>
<li>Setting the blocksize to 65536 (64KiB) results in an unreadable and undeletable file (at least with normal tools on the test system; this is fixed in the latest recommended patch bundle)</li>
<li>Using blocksizes below 8192 also results in unusable files (I only tested multiples of 2; this is fixed in the latest recommended patch bundle)</li>
<li>fiocompress uses an ioctl call to mark a file as compressed if -m is passed. No method to unmark a marked file exists, even in the filesystem driver. (It is possible to modify the OpenSolaris fiocompress to add an option to just mark (a previously compressed) file as compressed) (Look at ufs_vnops.c for the _FIO_COMPRESSED ioctl implementation)</li>
</ul>
<br />
<br />
Test compression code:<br />
<pre>
ls -lah testfile.txt; du testfile.txt; du -h testfile.txt; for b in 256 512 1024 2048 4096 8192 16384 32768 65536; do fiocompress -b $b -c -m testfile.txt testfile.txt$b; done
</pre>
Results: (including other common formats)<br />
<pre>
$ ls -lah testfile.txt*
testfile.txt1024: Operation not applicable
testfile.txt2048: Operation not applicable
testfile.txt256: Operation not applicable
testfile.txt4096: Operation not applicable
testfile.txt512: Operation not applicable
testfile.txt65536: Operation not applicable
-rw-r--r-- 1 user group 101M Mar 11 10:26 testfile.txt
-rw------- 1 user group 4.4M Mar 11 10:29 testfile.txt.7z
-rw-r--r-- 1 user group 5.2M Mar 11 10:26 testfile.txt.bz2
-rw-r--r-- 1 user group 7.2M Mar 11 10:28 testfile.txt.gzip
-rw-r--r-- 1 user group 8.9M Mar 11 10:28 testfile.txt.gzip-1
-rw-r--r-- 1 user group 6.7M Mar 11 10:28 testfile.txt.gzip-9
-rw-r--r-- 1 user group 13M Mar 11 10:27 testfile.txt.Z
-rw-r--r-- 1 user group 7.2M Mar 11 10:32 testfile.txt.zip
-rw-r--r-- 1 user group 101M Mar 11 10:55 testfile.txt16384
-rw-r--r-- 1 user group 101M Mar 11 10:55 testfile.txt32768
-rw-r--r-- 1 user group 101M Mar 11 10:55 testfile.txt8192

$ du testfile.txt*
206544 testfile.txt
9040 testfile.txt.7z
10624 testfile.txt.bz2
14848 testfile.txt.gzip
18240 testfile.txt.gzip-1
13840 testfile.txt.gzip-9
27632 testfile.txt.Z
14848 testfile.txt.zip
18784 testfile.txt16384
16480 testfile.txt32768
22656 testfile.txt8192

$ du -h testfile.txt*
101M testfile.txt
4.4M testfile.txt.7z
5.2M testfile.txt.bz2
7.2M testfile.txt.gzip
8.9M testfile.txt.gzip-1
6.8M testfile.txt.gzip-9
13M testfile.txt.Z
7.2M testfile.txt.zip
9.2M testfile.txt16384
8.0M testfile.txt32768
11M testfile.txt8192
</pre>
<h2>eFiling and eHomeAffairs in Chrome</h2>
<p>Posted 2017-08-28, updated 2017-12-08</p>
<p>Google bundles Flash with Chrome (making it the only option for some things on GNU/Linux), however they have <a href="https://www.blog.google/products/chrome/flash-and-chrome/">recently started phasing out Flash</a>. As part of that, Chrome hides the presence of Flash from websites, but gives users an option to enable Flash on the site if the page attempts to use Flash. eHomeAffairs and SARS eFiling give an error when Flash is not detected and don't attempt to load the content anyway, which means that the "Click to run" option does not work.
</p>
<p>Recommended method: MyBroadband <a href="https://mybroadband.co.za/news/internet/215326-what-to-do-when-sars-efiling-wont-work-with-chrome.html">documented one method to get eFiling working</a>. For eHomeAffairs, the address to add to the list is "https://ehome.dha.gov.za".
</p>
<p>Alternative, works on many more sites: Another option is to configure Chrome not to hide Flash from websites. This can be done by visiting "chrome://flags" in the address bar and setting the "Prefer HTML5 over Flash" setting to "Disabled" ("chrome://flags/#prefer-html-over-flash" will take you directly to the setting). You need to restart Chrome for the setting to take effect. The content will then load. (Tested on Chrome 60). On some sites, the Flash content may still be click-to-run, however Chrome seems to currently run it automatically on both eHomeAffairs and SARS eFiling when this flag is set. (Chrome will attempt to detect important Flash content and enable that automatically)
</p>
<p>Update: The chrome://flags method stopped working in Chrome 61. Adding the site to content settings as being allowed to run Flash as per the MyBroadband article still works.</p>

<h2>OpenSSL cipher suite without forward secrecy</h2>
<p>Posted 2017-02-24, updated 2017-03-01</p>
<p>
Firstly, you should not use this in normal use.
</p>
<p>
Sometimes, you might need to debug a problem that occurs behind TLS.
</p>
<p>
Wireshark can decode TLS traffic given the session keys, or, if forward secrecy ciphers were not used, given the server's private key.
</p>
<p>
In the case of web traffic, <a href="https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/">SSLKEYLOGFILE</a> can tell NSS (used by some browsers) to log the session keys. This is a better method than the one described here, but it is not an option if other clients are used, say in the case of SMTP.
</p>
<p>
An (OpenSSL) ciphersuite setting that excludes ciphers providing forward secrecy, while keeping strong ciphers is:<br />
<tt>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE:!ECDHE:!EDH:!EECDH</tt>
</p>
<p>
This should be avoided in production and should only be used for debugging.
</p>
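<p>An added check (not from the post) of what that string actually leaves enabled, through Python's ssl module on top of OpenSSL: it lists the key exchange of every remaining suite and confirms none is ephemeral. It also caps the protocol at TLS 1.2, because TLS 1.3 key exchange is always ephemeral and is not governed by the cipher string, so a TLS 1.3 session would still not be decryptable with the private key.</p>

```python
"""Inspect the post's no-forward-secrecy cipher string with Python's ssl
module (OpenSSL underneath). Added example, not from the post. Debugging
only: this deliberately weakens TLS."""
import re
import ssl

NO_FS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE:!ECDHE:!EDH:!EECDH"
# Kx= values in 'openssl ciphers -v' output that mean ephemeral key exchange
FORWARD_SECRET_KX = {"ECDH", "DH"}


def debug_context(cipher_string: str = NO_FS_CIPHERS) -> ssl.SSLContext:
    """Server-side context for the Wireshark setup the post describes.
    TLS 1.3 is excluded: its key exchange is always ephemeral and is not
    governed by the cipher string at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def key_exchanges(ctx: ssl.SSLContext) -> dict:
    """Cipher name -> key exchange, taken from the Kx= field of the OpenSSL
    cipher description. TLS 1.3 suites are skipped (see above)."""
    result = {}
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue
        match = re.search(r"Kx=(\S+)", cipher["description"])
        result[cipher["name"]] = match.group(1) if match else "?"
    return result


def offers_forward_secrecy(ctx: ssl.SSLContext) -> bool:
    """True if any enabled TLS 1.2-and-below suite uses ephemeral (EC)DH,
    i.e. if the private key alone would not decrypt a capture."""
    return any(kx in FORWARD_SECRET_KX for kx in key_exchanges(ctx).values())


if __name__ == "__main__":
    for name, kx in key_exchanges(debug_context()).items():
        print(f"{name:30} Kx={kx}")
    print("forward secrecy possible:", offers_forward_secrecy(debug_context()))
```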
<h2>Handling messages forwarded as attachment by Outlook with MIME::Parser in Perl</h2>
<p>Posted 2016-11-09</p>
<p>
Outlook sends emails that are forwarded as an attachment with an .eml extension and the content-type set to application/octet-stream. According to <a href="https://www.w3.org/Protocols/rfc1341/7_3_Message.html">RFC 1341</a>, message/rfc822 should be used. The Perl module MIME::Parser will automatically parse message/rfc822 attachments, which is useful if you want to do automated processing on an email and its attachments. Outlook's use of application/octet-stream breaks this.
</p>
<p>
It is possible to fix this. I initially attempted to change the content-type and rerun the parser on the file, but that resulted in an empty part. The problem is that according to RFC 1341, the Content-Transfer-Encoding field must be 7bit, 8bit or binary for message/rfc822 (Outlook uses base64). Once this is corrected, it works.<br />
</p>
<p>
A Perl sample: (in this case, the email forwarded as attachment is the second attachment)<br />
<pre>
#!/usr/bin/perl

use strict;
use warnings qw(all);
use MIME::Parser;

my $fn = '/tmp/input_file.eml';

my $parser = MIME::Parser->new;

$parser->output_to_core(1); # Disable the creation of temporary files

my $entity = $parser->parse_open($fn);
$entity->dump_skeleton; # View initial structure

# Fix the fields on the second attachment (part index 1)
$entity->parts(1)->head->replace('Content-Type', 'message/rfc822');
$entity->parts(1)->head->replace('Content-Transfer-Encoding', '7bit');

# Get the (re-)encoded message; the body is written out per the new encoding
my $message = $entity->as_string;
# Re-parse it, now with the attachment recognised as message/rfc822
$entity = $parser->parse_data($message);

$entity->dump_skeleton; # Show final structure
</pre>
</p>
<p>
Here is a general function to handle these. It uses undocumented interfaces, since there does not seem to be a documented method to replace a part with another one.<br />
<pre>
sub handle_forwarded_messages
{
    my ($parser, $entity) = @_;
    return undef unless ($entity && $parser);

    my $part;

    # Recursively process multipart entities, based on the number of parts
    if (scalar $entity->parts) { # If we have sub-parts
        # Warning, the next lines use undocumented interfaces (ME_Parts)...
        for (my $i = 0; $i <= $#{$entity->{ME_Parts}}; $i++) {
            $part = $entity->{ME_Parts}[$i];
            # Replace the part with its expanded version... This seems to be the only way
            $entity->{ME_Parts}[$i] = handle_forwarded_messages($parser, $part);
        }
    } else { # Once we are at a level that does not have sub-parts...
        # Replace forwarded messages with properly expanded versions...
        my $filename = $entity->head->recommended_filename // '';
        if ($entity->effective_type eq 'application/octet-stream' && $filename =~ /\.eml$/) {
            # Remember the original headers so that a failed re-parse leaves the part intact
            my $orig_type     = $entity->head->get('Content-Type', 0);
            my $orig_encoding = $entity->head->get('Content-Transfer-Encoding', 0) // '7bit';
            chomp($orig_type, $orig_encoding);
            $entity->head->replace('Content-Type', 'message/rfc822');
            $entity->head->replace('Content-Transfer-Encoding', '8bit');
            my $entity_tmp = eval { $parser->parse_data($entity->as_string) };
            if ($@ || $parser->results->errors) {
                $entity->head->replace('Content-Type', $orig_type);
                $entity->head->replace('Content-Transfer-Encoding', $orig_encoding);
            } else {
                $entity = $entity_tmp;
                # And see if the expanded message has more levels...
                $entity = handle_forwarded_messages($parser, $entity);
            }
        }
    }
    # Return the processed result
    return $entity;
}
</pre>
</p>
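<p>The same repair with Python's email package, as an added example that is not the post's Perl code: the outer message is constructed to look like Outlook's output (application/octet-stream, base64, .eml filename), and the disguised part is base64-decoded and re-wrapped as a real message/rfc822 part, recursing into nested forwards. Names such as expand_forwarded are this example's own.</p>

```python
"""Expand Outlook-style forwarded messages (application/octet-stream, .eml,
base64) into real message/rfc822 parts with Python's email package.
Added example, not the post's Perl code; the sample message is constructed."""
import email
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def build_outlook_style_sample() -> bytes:
    """Constructed outer message with the inner one attached the way the post
    describes Outlook doing it (octet-stream + base64 instead of message/rfc822)."""
    inner = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
             b"Subject: Inner message\r\n\r\nHello from the forwarded message.\r\n")
    outer = MIMEMultipart("mixed")
    outer["Subject"] = "FW: Inner message"
    outer.attach(MIMEText("See attached.\n"))
    # MIMEApplication defaults to application/octet-stream and base64 encoding
    attachment = MIMEApplication(inner)
    attachment.add_header("Content-Disposition", "attachment", filename="Inner message.eml")
    outer.attach(attachment)
    return outer.as_bytes()


def parse_sample() -> Message:
    return email.message_from_bytes(build_outlook_style_sample())


def is_disguised_message(part: Message) -> bool:
    """The Outlook pattern: octet-stream content type with an .eml filename."""
    filename = part.get_filename() or ""
    return (part.get_content_type() == "application/octet-stream"
            and filename.lower().endswith(".eml"))


def expand_forwarded(msg: Message) -> Message:
    """Recursively replace disguised .eml attachments by message/rfc822 parts."""
    if msg.is_multipart():
        # Covers multipart/* and message/rfc822 containers alike
        msg.set_payload([expand_forwarded(p) for p in msg.get_payload()])
        return msg
    if not is_disguised_message(msg):
        return msg
    # decode=True undoes the base64 that RFC 1341 forbids for message/rfc822
    inner = email.message_from_bytes(msg.get_payload(decode=True))
    inner = expand_forwarded(inner)   # the inner message may itself contain forwards
    container = MIMEMessage(inner)    # sets Content-Type: message/rfc822
    if msg["Content-Disposition"]:
        container["Content-Disposition"] = msg["Content-Disposition"]
    return container


def forwarded_subjects(msg: Message) -> list:
    """Subjects of all message/rfc822 parts, to check the result."""
    return [p.get_payload(0)["Subject"] for p in msg.walk()
            if p.get_content_type() == "message/rfc822"]


if __name__ == "__main__":
    print("before:", forwarded_subjects(parse_sample()))
    print("after: ", forwarded_subjects(expand_forwarded(parse_sample())))
```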
<h2>Marking files on UFS as compressed on Solaris</h2>
<p>Posted 2016-06-22</p>
Bernd Schemmer has an <a href="http://bnsmb.de/solaris/Using%20on-the-fly%20decompression%20for%20UFS%20filesystems.html">interesting post about using fiocompress for file-system level compression of individual files on UFS file systems</a>...<br />
<br />
However, it might be useful to mark files as compressed after compressing the file, such as when you forgot the "-m" option when compressing a large file.<br />
<br />
The <a href="http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/boot/fiocompress/fiocompress.c">fiocompress</a> utility does this by calling the _FIO_COMPRESSED ioctl on the file.<br />
<br />
There seems to be no way to unmark a file that is marked as compressed. (The ioctl sets a cflag on the file called ICOMPRESS, but no operation to clear the cflag seems to exist)<br />
<br />
I stripped down fiocompress to a minimal tool to just mark a file as compressed. It is important to ensure that it is a valid file (outfile in the example) generated by "fiocompress -c infile outfile" before running this command. Bad things may happen if this is not the case.<br />
<br />
To mark output as compressed, compile the code (compile.sh should do that for you) and run "./markcompressed -m /path/to/outfile" if you are running it from the directory where it was compiled.<br />
<br />
Source code can be <a href="https://drive.google.com/open?id=0B4po5i5LPAdJa3Q0Q3pxTGZtSmc&authuser=0">downloaded from here</a>. (A quick ugly hack, based on fiocompress from OpenSolaris, with some likely bugs)<br />
<br />
As always, you should ensure that you have the latest recommended patchset installed.

<h2>Older OpenSSH versions - using a different authorized_keys file for a single user</h2>
<p>Posted 2016-06-22</p>
<p>
Sometimes, multiple users share a home directory or there are other reasons why a user's authorized_keys file won't pass OpenSSH's permission checks. While those can be disabled, it is generally a bad idea.
</p>
<p>
In recent OpenSSH versions, using a different authorized_keys file for a single user is easy:
</p>
<p>
<tt>
Match User username<br />
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
</tt>
</p>
<p>
In older versions, however, AuthorizedKeysFile is not supported under a Match block.
</p>
<p>
To get around that, at least on some versions, you can use AuthorizedKeysCommand instead, which is supported under a Match block (at least on an up-to-date RHEL5). It can also be used outside a Match block to enable the option for all users. (Newer OpenSSH releases refuse an AuthorizedKeysCommand unless AuthorizedKeysCommandUser is set as well.)
</p>
<p>
<tt>
Match User username<br />
AuthorizedKeysCommand /etc/ssh/etc_ssh_authorized_keys
</tt>
</p>
<p>
You can then create the following script to use as the command, and put keys into /etc/ssh/authorized_keys/username:
<tt>
#!/bin/sh<br />
/bin/cat "/etc/ssh/authorized_keys/${1}"
</tt>
</p>
<p>
To prepare the script and directory: (Users can view each other's public keys in this example, but that for a small number of users is a smaller risk than disabling the permission checks, which might allow other users to edit the user's authorized_keys file)
</p>
<p>
<tt>
echo -e '#!/bin/sh\n/bin/cat "/etc/ssh/authorized_keys/${1}"' > /etc/ssh/etc_ssh_authorized_keys<br />
mkdir -m 755 /etc/ssh/authorized_keys<br />
chmod 755 /etc/ssh/etc_ssh_authorized_keys<br />
chmod 644 /etc/ssh/authorized_keys/* # there is probably nothing there yet<br />
chown -R root:root /etc/ssh/etc_ssh_authorized_keys /etc/ssh/authorized_keys<br />
</tt>
</p>
<h2>Comparing FreeBSD pkgng package options between repositories</h2>
<p>Posted 2016-05-04</p>
When switching FreeBSD repositories, it can be tricky to find which options changed in the package configuration.<br />
This set of bash functions might be useful:
<br />
<pre>
# List the options for the package matching the first parameter in the repo given by the second parameter.
# The package name is interpolated straight into the SQL, so only pass package names / LIKE patterns to it.
options ()
{
    sqlite3 "/var/db/pkg/repo-$2.sqlite" "SELECT p.name,o.option,po.value FROM option o, packages p, pkg_option po WHERE po.package_id = p.id and po.option_id = o.option_id and p.name like '$1' ORDER BY name,option"
}
# Show the difference between the myrepo repo and the FreeBSD repo for the package given as a parameter.
# The repo names can be changed, or taken from parameters.
options_diff ()
{
    diff -u <(options "$1" myrepo) <(options "$1" FreeBSD) | grep '^[+-]'
}
</pre>
<h2>Configure more secure SSH algorithms on Cisco IOS</h2>
<p>Posted 2016-01-14</p>
<br />
Security checkers, like Nessus, often report issues like these on Cisco IOS devices:<br />
<ul>
<li>SSH CBC Mode Ciphers Enabled </li>
<li>SSH Insecure HMAC Algorithms Enabled </li>
</ul>
There has been a <a href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCun15039">feature request to add the functionality to IOS</a>, which seems to have been resolved in January 2016.<br />
<div>
<br />
<div>
In the versions where it has been resolved, you should be able to:<br />
<span style="font-family: Courier New, Courier, monospace;">> enable<br /> # configure terminal<br /> (config)# ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr<br /> (config)# ip ssh server algorithm mac hmac-sha1</span><br />
You might want to check with "?" if better options have since become available, especially from the MACs (SHA-1 is not ideal, SHA-2/SHA-3 based algorithms might be added in the future) before using my list as-is...<br />
<br />
Source of config syntax: <a href="http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html">Cisco IOS SSH configuration guide</a></div>
</div>
<h2>Working around "Corrupted MAC on input." with Cygwin SSH</h2>
<p>Posted 2015-12-01</p>
When connecting to some servers from Cygwin using ssh, the connection fails and I get this error:<br />
<span style="font-family: "courier new" , "courier" , monospace;">Received disconnect from 1.2.3.4: 2: Corrupted MAC on input.</span><br />
<br />
Looking at debug output, it seems like it is using "umac-64@openssh.com" as MAC algorithm. Forcing it to use something else works around the problem.<br />
<br />
When using ssh directly, you can use this: (Other options should work as well, this one worked for me)<br />
<span style="font-family: "courier new" , "courier" , monospace;">ssh -o 'MACs hmac-sha1-96' user@host</span><br />
or<br />
<span style="font-family: "courier new" , "courier" , monospace;">ssh -m hmac-sha1-96 user@host</span><br />
<br />
When using rsync, you need to put the ssh option from above in the --rsh parameter (the user@host part stays in the rsync source argument):<br />
<span style="font-family: "courier new" , "courier" , monospace;">rsync --rsh="ssh -m hmac-sha1-96" user@host:/remote-source /local-dest</span><br />
<br />
A more permanent option is to add the setting to the ssh_config file. This is either /etc/ssh_config (affecting all users) or ~/.ssh/config.<br />
<br />
A line using a modified set based on the defaults for my SSH version is:<br />
<span style="font-family: "courier new" , "courier" , monospace;">MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96</span><br />
<div>
<br /></div>
<div>
You can find the problematic MAC by running </div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">ssh -v user@host-that-disconnects-you 2>&1 | grep mac</span></div>
<div>
<br /></div>
Adding that as a line to ~/.ssh/config seems to be the easiest solution.

<h2>A set of wideband antennas for the FunCube Dongle Pro(+), hackRF, bladeRF and RTL-SDR</h2>
<p>Posted 2014-07-07, updated 2014-09-14</p>
When I got my Funcube Dongle Pro, I was looking for a suitable set of antennas.<br />
<br />
Since it covers such a wide bandwidth, finding a single antenna that covers the entire bandwidth is hard.<br />
<br />
<a href="http://en.wikipedia.org/wiki/Log-periodic_antenna">Log-periodic antennas</a> seem to be the most suitable wideband antennas. (They are however directional, which can be good or bad, depending on the application.) However, they get impractically large, and as a result unobtainable, for frequencies below about 400MHz. For these frequencies, the only practical options seem to be telescopic antennas (which can be tuned for a frequency by varying the length that is extended) or scanner antennas.<br />
<br />
I ended up ordering this set:<br />
<ul>
<li><a href="http://www.amazon.com/gp/product/B0002NRLN4/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002NRLN4&linkCode=as2&tag=mohagnet-20&linkId=MWQZY3GC66FJMUYH">Ramsey Telescopic with BNC</a> / Alternative: <a href="http://www.amazon.com/gp/product/B00CUJ6G2A/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CUJ6G2A&linkCode=as2&tag=mohagnet-20&linkId=ECKQXDGC6CWAIK35">Scanner antenna with SMA</a></li>
<li><a href="http://www.amazon.com/gp/product/B0002NRK8K/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002NRK8K&linkCode=as2&tag=mohagnet-20&linkId=WKBWLENFYX6LB7TW">Ramsey 400 MHz - 1 GHz log-periodic</a> </li>
<li><a href="http://www.amazon.com/gp/product/B0002QG2PY/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002QG2PY&linkCode=as2&tag=mohagnet-20&linkId=QEZILMMNDQ7AOGUA">Ramsey 900 MHz - 2.6 GHz log-periodic</a></li>
</ul>
<br />
I have since acquired a RTL-SDR dongle. The dongle that I have has a TV-style 75-ohm input connector, as opposed to the 50-ohm SMA connector on the Funcube dongle. Ideally, a <a href="http://en.wikipedia.org/wiki/Balun">balun</a> would be used to match the impedance, but as a minimum, some cables can be made up with the relevant connectors at the ends. I found this <a href="https://www.youtube.com/watch?v=ncQn1Xc3obw">video with information on building your own</a>, if you need the increased sensitivity that a properly matched antenna provides. Some other dongles, like the one from hakshop, <a href="http://www.amazon.com/gp/product/B00C37AZXK/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00C37AZXK&linkCode=as2&tag=mohagnet-20&linkId=WQXXJBZNWO4XMSKD">a random one from Amazon</a> and the <a href="http://www.amazon.com/gp/product/B009U7WZCA/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B009U7WZCA&linkCode=as2&tag=mohagnet-20&linkId=SAYFIVNOZN6KNDA4">NooElec</a> one, have MCX connectors, which seem to mostly be 50-ohm.<br />
<br />
I have also ordered a <a href="https://greatscottgadgets.com/hackrf/">hackRF</a>, which has a higher maximum frequency, which requires another antenna. I'm planning to acquire <a href="http://www.amazon.com/gp/product/B00B1SUP82/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00B1SUP82&linkCode=as2&tag=mohagnet-20&linkId=BJLKHW5WMUWJEDFF">this one</a>. (The ANT500 antenna that is available for it seems like a suitable replacement for the telescopic antenna). My planned antenna set for it:<br />
<ul>
<li>ANT500 (buy from wherever you buy your hackRF, I used <a href="http://www.nooelec.com/">NooElec</a> (they ship to where I live for $5...)) / Alternative: <a href="http://www.amazon.com/gp/product/B00CUJ6G2A/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CUJ6G2A&linkCode=as2&tag=mohagnet-20&linkId=ECKQXDGC6CWAIK35">Scanner antenna with SMA</a> / Alternative: <a href="http://www.amazon.com/gp/product/B0002NRLN4/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002NRLN4&linkCode=as2&tag=mohagnet-20&linkId=MWQZY3GC66FJMUYH">Ramsey Telescopic with BNC</a></li>
<li><a href="http://www.amazon.com/gp/product/B0002NRK8K/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002NRK8K&linkCode=as2&tag=mohagnet-20&linkId=WKBWLENFYX6LB7TW">Ramsey 400 MHz - 1 GHz log-periodic</a> </li>
<li><a href="http://www.amazon.com/gp/product/B0002QG2PY/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002QG2PY&linkCode=as2&tag=mohagnet-20&linkId=QEZILMMNDQ7AOGUA">Ramsey 900 MHz - 2.6 GHz log-periodic</a></li>
<li><a href="http://www.amazon.com/gp/product/B00B1SUP82/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00B1SUP82&linkCode=as2&tag=mohagnet-20&linkId=PPGKWUQB3SO57QTU">Ramsey 2.1 GHz - 11 GHz log-periodic</a></li>
</ul>
<br />
Another transceiver that is available is the <a href="http://www.nuand.com/blog/shop/">bladeRF</a>. It covers 300MHz - 3.8GHz, but it has a higher sampling rate than the hackRF (and a FPGA). An <a href="http://www.nuand.com/blog/product/hf-vhf-transverter/">upconverter that allows for lower frequencies</a> is also available. A nice antenna set for it is:<br />
<ul>
<li><a href="http://www.amazon.com/gp/product/B0002NRLN4/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002NRLN4&linkCode=as2&tag=mohagnet-20&linkId=MWQZY3GC66FJMUYH">Ramsey Telescopic with BNC</a> (If you want to go below 400MHz) / Alternative: <a href="http://www.amazon.com/gp/product/B00CUJ6G2A/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CUJ6G2A&linkCode=as2&tag=mohagnet-20&linkId=ECKQXDGC6CWAIK35">Scanner antenna with SMA </a></li>
<li><a href="http://www.amazon.com/gp/product/B0002NRK8K/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002NRK8K&linkCode=as2&tag=mohagnet-20&linkId=WKBWLENFYX6LB7TW">Ramsey 400 MHz - 1 GHz log-periodic</a> </li>
<li><a href="http://www.amazon.com/gp/product/B0002QG2PY/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002QG2PY&linkCode=as2&tag=mohagnet-20&linkId=QEZILMMNDQ7AOGUA">Ramsey 900 MHz - 2.6 GHz log-periodic</a></li>
<li><a href="http://www.amazon.com/gp/product/B00B1SUP82/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00B1SUP82&linkCode=as2&tag=mohagnet-20&linkId=PPGKWUQB3SO57QTU">Ramsey 2.1 GHz - 11 GHz log-periodic</a></li>
</ul>
For the low end of the range, if you have the space, also look at the <a href="http://www.amazon.com/gp/product/B001JT1KEG/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&linkCode=as2">scantenna</a>. It covers 30MHz - 1.3GHz (with several gaps). (It might not be safe for transmitting (bladeRF and hackRF)). (<a href="http://www.antennacraft.net/pdfs/ST2.pdf">Full specs</a>)<br />
<br />
<a href="http://www.amazon.com/gp/product/B00838GCSK/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&linkCode=as2">This discone</a> also seems like a great antenna if you can install an outdoor antenna. It can handle transmitting up to 200W on the 6m, 2m, 70cm, ~1.3GHz ham bands. Reception is listed as 25MHz - 1.3GHz<br />
<br />
<br />
I would also recommend a full set of converters, covering different types of antennas. Some examples:<br />
<ul>
<li><a href="http://www.amazon.com/gp/product/B00CP1129K/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CP1129K&linkCode=as2&tag=mohagnet-20&linkId=JUMGWPYQO6LDSSVJ">SMA > MCX</a> (For MCX RTL-SDR dongles to most antennas listed above)</li>
<li><a href="http://www.amazon.com/gp/product/B00CSCTU40/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CSCTU40&linkCode=as2&tag=mohagnet-20&linkId=ZFYDF7QQFB6J5CMD">BNC > MCX</a> (For BNC telescopic on MCX RTL-SDR dongles)</li>
<li><a href="http://www.amazon.com/gp/product/B00CP15FB6/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CP15FB6&linkCode=as2&tag=mohagnet-20&linkId=TS5ITJI466LMB56Y">RP-SMA > MCX</a> (for WiFi antennas on MCX RTL-SDR dongle) (Cable that would terminate on the router, now terminates on this)</li>
<li><a href="http://www.amazon.com/gp/product/B005H488Y4/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B005H488Y4&linkCode=as2&tag=mohagnet-20&linkId=KER6WXOSZZCP4YCQ">RP-SMA > SMA</a> (for WiFi antennas on Funcube / hackRF / bladeRF) (Use on dongle to give it a RP-SMA interface)</li>
<li><a href="http://www.amazon.com/gp/product/B00ISTTM36/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00ISTTM36&linkCode=as2&tag=mohagnet-20&linkId=PT2UMCQZDJA5PFKV">SMA > SMA</a> (<a href="http://www.amazon.com/gp/product/B008AGUOIY/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B008AGUOIY&linkCode=as2&tag=mohagnet-20&linkId=Y3YOXO6R5JES7OTN">right-angle version</a>) (<a href="http://www.amazon.com/gp/product/B00G619I5K/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00G619I5K&linkCode=as2&tag=mohagnet-20&linkId=6GMGA7NB5JWPUXTD">Longer version</a>) (SMA antenna to SMA dongle) </li>
<li><a href="http://www.amazon.com/gp/product/B00CQ283QI/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CQ283QI&linkCode=as2&tag=mohagnet-20&linkId=YDIN6LQKXQ5DB2NJ">BNC > SMA cable</a> (<a href="http://www.amazon.com/gp/product/B00ATEMITS/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00ATEMITS&linkCode=as2&tag=mohagnet-20&linkId=TASEJ7S2WOOHGHEX">direct version</a>) (For BNC antennas, like the Ramsey Telescopic) </li>
<li><a href="http://www.amazon.com/gp/product/B00CPWLPWS/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00CPWLPWS&linkCode=as2&tag=mohagnet-20&linkId=75LPDLLT6S2YR5EC">TNC > SMA</a> (A relatively common antenna connector) (Use with SMA-SMA cable)</li>
<li><a href="http://www.amazon.com/gp/product/B001GUOAV8/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B001GUOAV8&linkCode=as2&tag=mohagnet-20&linkId=6G4ETQA645AILJTT">N-type > SMA</a> (A relatively common antenna connector) (Linked product allows use with SMA > SMA cable)</li>
<li><a href="http://www.amazon.com/gp/product/B0002J462W/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B0002J462W&linkCode=as2&tag=mohagnet-20&linkId=KXXWOPNBXNR2TRJF">RP-TNC > SMA</a> (<a href="http://www.amazon.com/gp/product/B007PPHV2I/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B007PPHV2I&linkCode=as2&tag=mohagnet-20&linkId=XQWQOEKXTWY5PLWV">different gender version</a>) (For some WiFi antennas (Linksys) to SMA radios)</li>
<li><a href="http://www.amazon.com/gp/product/B00HRLZXNY/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00HRLZXNY&linkCode=as2&tag=mohagnet-20&linkId=2MM4ZXPIVO3TMGVU">TV antenna > SMA</a> (For RTL-SDR dongles with TV-antenna connector)</li>
<li><a href="http://www.amazon.com/gp/product/B00D0XL96I/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00D0XL96I&linkCode=as2&tag=mohagnet-20&linkId=QN7IS4GHYEVL3O3A">TV antenna > BNC</a> (For RTL-SDR dongles with TV-antenna connector)</li>
</ul>
<br />Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-29505577429717972532013-12-02T23:07:00.002+02:002013-12-02T23:08:31.623+02:00KiCAD schematic for the Arduino LeonardoI wanted to design a compatible board in KiCAD. The original design is in EAGLE format.<br />
<br />
I redrew it in KiCAD.<br />
<br />
Uses symbols from <a href="http://smisioto.no-ip.org/elettronica/kicad/kicad-en.htm">http://smisioto.no-ip.org/elettronica/kicad/kicad-en.htm</a><br />
<br />
Completely fails ERC. Blame my rough ATMEGA32U4 component.<br />
<br />
Original design by Arduino. Errors are probably mostly mine....<br />
<br />
<a href="https://drive.google.com/file/d/0B4po5i5LPAdJLUNXRjViZm1IcFE/edit?usp=sharing">Download</a> (Use "Save" from the file menu)<br />
<br />
<a href="https://www.dropbox.com/s/s4fy1ko32sglswm/Leonardo.zip">Alternative link</a>Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-26574813580344175542012-11-05T19:10:00.001+02:002012-11-06T00:17:45.052+02:00Sourcing RepRap extruder springs in South AfricaSeveral RepRap extruders use compression coil springs to provide tension on the idler. While some companies exist that manufacture springs locally, they are not really conveniently located and might charge a lot if you are only interested in small quantities.<br />
<div>
<br /></div>
<div>
After searching the internet and fastener / hardware stores unsuccessfully, I happened to notice that certain clothes-pegs have springs that seem perfect for the job.</div>
<div>
<br /></div>
<div>
Sourcing the clothes-pegs turned out to be relatively easy....</div>
<div>
<br /></div>
<div>
The ones that I found are:</div>
<div>
Barcode: 6009695720525</div>
<div>
Branded as: "You Save"</div>
<div>
Pack size: 48 pegs (with one spring each) (Can't find it on their online shopping page)</div>
<div>
Sources: Pick 'n Pay (~R26 per pack of 48)</div>
<div>
Free length: 16mm</div>
<div>
Wire thickness: 0.9mm</div>
<div>
Turns: 9 (first and last one flattened)</div>
<div>
Outside diameter: ~6.4mm (Fits M4 / M3 screws)</div>
<div>
Turn "pitch" (relaxed): ~ 1.9mm (including 1 wire thickness)</div>
<div>
Spring coefficient: Unknown</div>
<div>
Material: Unknown ("rust free", looks like it might be zinc coated steel)</div>
<div>
Image:</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_0D-KaaPN0eHhNIi59JLSVcrr3AkmH0DkiQUhRjNc1FSj-_i6dRercrM5Ri6uwMtWgbUW0QJ63EbsVnMy1MJI7qHvu1Upbd8yRbaxGlNLrOYM9Z08Pkg5jcCFnZdjO8dkcLkfumBvjxU/s1600/2012-11-05+18.28.25.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_0D-KaaPN0eHhNIi59JLSVcrr3AkmH0DkiQUhRjNc1FSj-_i6dRercrM5Ri6uwMtWgbUW0QJ63EbsVnMy1MJI7qHvu1Upbd8yRbaxGlNLrOYM9Z08Pkg5jcCFnZdjO8dkcLkfumBvjxU/s320/2012-11-05+18.28.25.jpg" width="240" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
The pegs themselves seem to be made from PE and might be recyclable into filament with a filament extruder.</div>
<div>
<br /></div>
<div>
<a href="http://forums.reprap.org/read.php?4,145776,145851">This thread</a> on the RepRap forums seems to mention the same springs.</div>
Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-54894736912428404652012-02-07T20:08:00.003+02:002012-02-07T20:17:37.461+02:00BitBurner - Download HTTP links using BitTorrent<a href="http://burnbit.com">BurnBit</a> has a handy service that allows you to generate torrents for any directly accessible HTTP link.<br /><br />They have some <a href="http://burnbit.com/buttons">nice instructions</a> to integrate it into your site. However, almost no big sites use these.<br /><br />In order to easily use it for downloading Linux distributions (which are well mirrored, making BurnBit useful, even if just to download from multiple mirrors simultaneously and to check that the file is not corrupted) I wrote a <a href="http://userscripts.org/scripts/show/125148">small GreaseMonkey script</a> that injects their download buttons into some of the more obvious mirror sites / HTTP-accessible FTP sites.<br /><br />It is somewhat crude currently, but works well on sites that just contain a directory listing.Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-10612448740372677682012-01-17T08:51:00.005+02:002012-01-17T11:41:22.123+02:00Compiling CMake 2.8.7 on Solaris 10Building CMake might fail due to incorrect environment variables.<br /><br />If you already attempted to compile CMake, delete the directory and start again. 
It caches its variables for its own build all over the place.<br /><br />A full Solaris 10 install has everything you need to compile CMake.<br /><br />I bootstrapped it using as many system libraries as possible, assumed 4 CPUs / cores and set it to install to /usr.<br /><br />Set up the environment:<br /><span style="font-family:courier new;">$ PATH=/usr/sfw/bin:/usr/ccs/bin:/usr/bin; export PATH</span><br /><span style="font-family:courier new;">$ CC=gcc;export CC</span><br /><br />Bootstrap:<br /><span style="font-family:courier new;">$ ./bootstrap --parallel=4 --system-libs --no-system-curl --no-system-libarchive --no-system-expat --prefix=/usr</span><br /><br />Compile according to Readme.txt:<br /><span style="font-family:courier new;">$ gmake -j4</span><br /><span style="font-weight: bold;">To install:</span><br />Change to root<br /><span style="font-family:courier new;"># gmake install</span><br /><br /><span style="font-weight: bold;">To package:</span><br /><span style="font-family:courier new;">$ bin/cpack</span><br />The generated package can then be installed as per the instructions on the download page.<br />The package will only work on other Solaris 10 (and possibly newer) systems running the same CPU architecture. Solaris 9 lacks some of the libraries that it expects to find.<br /><br />These instructions do not work on Solaris 9, due to the lack of a compiler in the default install. 
Installing Solaris Studio might work, but was not tested.<br /><br />Update: I have a prebuilt version <a href="http://dl.dropbox.com/u/30046606/cmake-solaris/cmake-2.8.7-SunOS5_10-sparc.sh">available here</a>.Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com1tag:blogger.com,1999:blog-5576946258569429672.post-45108125109298239542010-05-05T18:33:00.010+02:002010-05-07T08:28:04.740+02:00Disabling Caps lock in Ubuntu 9.10<span style="font-size:100%;"> Mac OS has a nice and easy option under "Modifier keys" where you can easily disable the Caps Lock key. (I never use it and it just gets in the way) Disabling Caps Lock under Ubuntu (and possibly other distributions using recent Gnome versions?) is possible, but not as obvious. If you go to System > Preferences > Keyboard > Layouts, Caps Lock's behaviour can be modified from the "Layout Options" window (the button to open it is named just "Options" under Ubuntu 10.04). </span><div style="text-align: center; line-height: 64.125px;font-size:54px;"><span style="font-size:100%;"><a style="font-size: 54px; line-height: 64.125px;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga2SleNvkFVJ93i0mqhSEum__3t-SsOsyRMJmd6H_F4APl5Yc9bQk6ZbgoL3jb5-851T9qQ-bb94FzkIIAGwePSzjiVYXvp427pGa036ylVx6ywl3DCu-SX1WLG7VlgNzTceOLYS_2yVI/s1600/Screenshot-Keyboard+Preferences.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 296px; height: 320px; font-size: 54px; line-height: 64.125px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga2SleNvkFVJ93i0mqhSEum__3t-SsOsyRMJmd6H_F4APl5Yc9bQk6ZbgoL3jb5-851T9qQ-bb94FzkIIAGwePSzjiVYXvp427pGa036ylVx6ywl3DCu-SX1WLG7VlgNzTceOLYS_2yVI/s320/Screenshot-Keyboard+Preferences.png" alt="" id="BLOGGER_PHOTO_ID_5467827425542609634" border="0" height="480" width="444" /></a> </span></div><div style="text-align: center;"><span 
style="font-size:100%;">To open Layout Options, click the button near the bottom left</span><br /></div><span style="font-size:100%;">The Layout Options window has some related settings: </span><div style="text-align: center; line-height: 64.125px;font-size:54px;"><span style="font-size:100%;"><a style="font-size: 54px; line-height: 64.125px;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzWb3ErcLk9lMUEbDtZEVUGkWEQcHvTP8lY-0D9fIdmF6Bx6G-xa2-DjjQy6dYUw__Tg93Y17YHgm9qeK9yrqMBudtaNiJK6YJmJylAh1pIY8WmbTG7ocoGteRscp_TiDDFN2_nlp7748/s1600/Screenshot-Keyboard+Layout+Options.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 246px; font-size: 54px; line-height: 64.125px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzWb3ErcLk9lMUEbDtZEVUGkWEQcHvTP8lY-0D9fIdmF6Bx6G-xa2-DjjQy6dYUw__Tg93Y17YHgm9qeK9yrqMBudtaNiJK6YJmJylAh1pIY8WmbTG7ocoGteRscp_TiDDFN2_nlp7748/s320/Screenshot-Keyboard+Layout+Options.png" alt="" id="BLOGGER_PHOTO_ID_5467828266335531122" border="0" height="369" width="480" /></a></span></div><div style="text-align: center;"><span style="font-size:100%;">The default options for Caps Lock behaviour don't allow it to be disabled (before Ubuntu 10.04) </span><br /><div style="text-align: left;"><span style="font-size:100%;">Unfortunately, all of the options just change an accidental press's side-effects. (The options for Ubuntu 10.04 include an option to disable Caps Lock) Luckily, another option exists.... The <a href="http://en.wikipedia.org/wiki/Compose_key">Compose key</a> has no side-effects when accidentally pressed and might actually be useful at times... Ubuntu allows you to set the Caps Lock key to act as a Compose key. To find this option, open the "Compose key position" option and select Caps Lock. 
<a style="font-size: 54px; line-height: 64.125px;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht3HRfsaxAdGgo6nKVcZlBIeclRIZsFaWKK1QgVr1yy3gGcXlrp2lexCp9JJdu1_cXidLu-WLf3dWHJEJ_DhyphenhyphenJ2P9npqpHHdJE5hWUkY_5HRCiwBYgUPaz9UcBtBJjQkEaGZ1jrqXw1TU/s1600/Screenshot-Keyboard+Layout+Options-1.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 246px; font-size: 54px; line-height: 64.125px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht3HRfsaxAdGgo6nKVcZlBIeclRIZsFaWKK1QgVr1yy3gGcXlrp2lexCp9JJdu1_cXidLu-WLf3dWHJEJ_DhyphenhyphenJ2P9npqpHHdJE5hWUkY_5HRCiwBYgUPaz9UcBtBJjQkEaGZ1jrqXw1TU/s320/Screenshot-Keyboard+Layout+Options-1.png" alt="" id="BLOGGER_PHOTO_ID_5467830466105576802" border="0" height="369" width="480" /></a> Caps Lock can be configured to function as a compose key</span><br /></div></div><span style="font-size:100%;">Caps Lock should now function as a Compose key (which needs to be held together with other keys to have an effect) and stop interfering with your typing if you accidentally hit it. (I actually find this better than completely disabling it)<br /><br />Update: This works under Ubuntu 10.04 as well. In addition, Ubuntu 10.04 has a "Caps Lock is disabled" option in the second dialog.</span>Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-80204099427663377082010-04-28T21:12:00.009+02:002010-04-28T22:17:37.793+02:00Facebook chat on your phone with Lampiro 10.4.1Lampiro 10.4.1 has been released. 
It specifically improves support for Facebook chat.<br /><br />This post describes how to set up Facebook chat on your phone.<br /><br /><span style="font-size:130%;">Requirements</span>:<br /><ul><li>A phone supporting MIDP 2.0 Java applications (If it runs <a href="http://mini.opera.com/">Opera Mini 5</a> and is not an iPhone / Android phone, you should be fine)<br /></li><li>Working internet on your phone</li><li>About 500KB of free space for Java applications</li><li>A Facebook username. Set it up here: <a href="http://www.facebook.com/username/">http://www.facebook.com/username/</a><br /></li></ul><span style="font-size:130%;">How to set up Lampiro for Facebook chat on your phone:</span><br /><ul><li>Download and install Lampiro on your phone. You can go here: <a href="http://lampiro.bluendo.com/get">http://lampiro.bluendo.com/get</a> on your phone and get the <a href="http://static.bluendo.com/base/lampiro.jad">base</a> or <a href="http://static.bluendo.com/TLS/lampiro.jad">TLS</a> version (Don't bother with the non-TLS version unless you have space issues on your phone)</li><li>Follow the instructions when you open Lampiro</li><li>Choose "Yes" when asked if you have an existing Jabber/XMPP account</li><li>Log in with your Facebook username and password. Use johndoe@chat.facebook.com as username and your normal Facebook password if your Facebook username is "johndoe".</li><li>Wait for the list of online friends to load</li><li>Expand a group, choose a friend and start chatting. 
Left and right switch tabs (between chats / friend list)</li></ul><span style="font-size:130%;">About Lampiro</span><br />Lampiro is a <a href="http://en.wikipedia.org/wiki/Free_and_open_source_software">free software / open-source</a> <a href="http://en.wikipedia.org/wiki/XMPP">Jabber/XMPP</a> client for phones supporting <a href="http://en.wikipedia.org/wiki/Java_ME">Java ME</a>. Its Google code page can be found at <a href="http://code.google.com/p/lampiro/">http://code.google.com/p/lampiro/</a> and its website can be found at <a href="http://lampiro.bluendo.com/">http://lampiro.bluendo.com/</a>. In addition to <a href="http://en.wikipedia.org/wiki/Facebook_chat#Chat">Facebook chat</a>, its TLS version also supports <a href="http://en.wikipedia.org/wiki/Google_Talk">Google Talk</a>'s non-voice chat and other XMPP/Jabber servers.<br /><br /><span style="font-size:130%;">Share this with your friends:</span><br /><ul><li><a href="http://digg.com/gadgets/Facebook_chat_on_your_Java_phone">Digg this</a></li><li><span style="font-size:100%;"><a href="http://www.facebook.com/sharer.php?u=http://blog.mohag.net/2010/04/facebook-chat-on-your-phone-with.html">Share on Facebook</a></span></li><li><span style="font-size:100%;">TinyURL: <a href="http://tinyurl.com/fbphone">http://tinyurl.com/fbphone</a></span></li></ul>Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-16295648262625728382010-04-24T23:05:00.003+02:002010-04-24T23:12:22.359+02:00m-im Facebook chat support - why it doesn't workI figured out why Facebook chat won't work in <a href="http://code.google.com/p/m-im/">m-im</a>.<br /><br />Facebook chat requires DIGEST-MD5 authentication that is not supported by m-im. 
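To show what a client actually has to compute for DIGEST-MD5 (and why an MD5 routine is the one unavoidable dependency), here is the client side of RFC 2831 in Python, as an added illustration that is not m-im's, Lampiro's or any other client's code. The sample challenge, credentials and expected digests are the worked example from RFC 2831 section 4 (user "chris", password "secret", an IMAP service at elwood.innosoft.com), not Facebook values; for an XMPP server the digest-uri would be "xmpp/" followed by the server's domain.

```python
"""Client side of SASL DIGEST-MD5 (RFC 2831), as an added illustration.

Not m-im's (or any other client's) code. The sample challenge, credentials and
expected digests are the worked example from RFC 2831 section 4 (user "chris",
password "secret", IMAP at elwood.innosoft.com), not Facebook values.
"""
import hashlib
import hmac
import os
import re

# Constructed sample: the challenge the server sends in the RFC 2831 example.
SAMPLE_CHALLENGE = ('realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
                    'qop="auth",algorithm=md5-sess,charset=utf-8')

_PAIR = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,]*))')


def parse_challenge(text):
    """Split a comma-separated key=value (optionally quoted) SASL string."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(text)}


def _md5(data):
    return hashlib.md5(data).digest()        # raw 16 bytes


def _md5hex(data):
    return hashlib.md5(data).hexdigest()     # 32 lowercase hex characters


def _a1(username, realm, password, nonce, cnonce, authzid=None):
    # RFC 2831 2.1.2.1 (algorithm=md5-sess):
    #   A1 = H(user ":" realm ":" pass) ":" nonce ":" cnonce [":" authzid]
    # The inner H() is the raw digest, not its hex encoding.
    a1 = _md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    return a1


def _a2(method, digest_uri, qop):
    # A2 = method ":" digest-uri, plus 32 hex zeros for auth-int / auth-conf
    a2 = f"{method}:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    return a2


def _kd(a1, nonce, nc, cnonce, qop, a2):
    # HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    # with KD(k, s) = H(k ":" s)
    return _md5hex(f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}".encode())


def digest_md5_response(username, realm, password, nonce, cnonce, nc,
                        digest_uri, qop="auth", authzid=None):
    """The response= value the client sends (A2 starts with AUTHENTICATE)."""
    return _kd(_a1(username, realm, password, nonce, cnonce, authzid),
               nonce, nc, cnonce, qop, _a2("AUTHENTICATE", digest_uri, qop))


def digest_md5_rspauth(username, realm, password, nonce, cnonce, nc,
                       digest_uri, qop="auth", authzid=None):
    """The rspauth= value the server must return (A2 has an empty method)."""
    return _kd(_a1(username, realm, password, nonce, cnonce, authzid),
               nonce, nc, cnonce, qop, _a2("", digest_uri, qop))


def build_client_response(challenge, username, password, digest_uri,
                          cnonce=None, nc="00000001"):
    """Assemble the client's digest-response string for a server challenge."""
    p = parse_challenge(challenge)
    if p.get("algorithm") != "md5-sess":
        raise ValueError("RFC 2831 requires algorithm=md5-sess")
    qop = p.get("qop", "auth").split(",")[0]
    cnonce = cnonce or os.urandom(16).hex()   # fresh client nonce per attempt
    response = digest_md5_response(username, p["realm"], password, p["nonce"],
                                   cnonce, nc, digest_uri, qop)
    quoted = ("username", "realm", "nonce", "cnonce", "digest-uri")
    fields = [("charset", "utf-8"), ("username", username), ("realm", p["realm"]),
              ("nonce", p["nonce"]), ("nc", nc), ("cnonce", cnonce),
              ("digest-uri", digest_uri), ("response", response), ("qop", qop)]
    return ",".join(f'{k}="{v}"' if k in quoted else f"{k}={v}" for k, v in fields)


def verify_rspauth(server_final, expected_rspauth):
    """Mutual authentication: the server must prove it knows the password too."""
    got = parse_challenge(server_final).get("rspauth", "")
    return hmac.compare_digest(got, expected_rspauth)
```

The rspauth check is the part clients most often skip: without it the client has authenticated to whoever answered, and only the server's possession of the password (or its hashed form) proves the other side is genuine. Note also that DIGEST-MD5 only keeps the password itself off the wire; with "Use SSL/TLS: no" everything after the handshake is still sent in the clear, which is one reason the mechanism was later moved to historic status by RFC 6331.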
(Implementation would have been easier if Java ME included an MD5 library...)<br /><br />I logged <a href="http://code.google.com/p/m-im/issues/detail?id=9">an issue</a> asking for support if anyone is interested. (My patch only adds support for detecting whether the server supports DIGEST-MD5 authentication)<br /><br />I like m-im, mostly since it is based on MGtalk, but has a better user interface, and because it supports multiple accounts (although not at the same time, which would have been ideal).Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-76521980581315734862010-04-23T21:28:00.018+02:002010-04-28T23:05:26.925+02:00Facebook chat on your phoneSince Facebook has enabled chat through Jabber, getting Facebook chat working from most multi-protocol messengers on a PC has been quite easy.<br /><br />Using Jabber for Facebook chat requires that you have a Facebook username set up. See this page for instructions: <a href="http://www.facebook.com/help/?faq=15085">http://www.facebook.com/help/?faq=15085</a><br /><br />I tried some mobile Java clients that should work on most phones. 
I preferred open-source clients and considered freeware clients for testing.<br /><br /><span style="font-size:100%;">The following settings are used for Facebook chat via Jabber/XMPP: (Taken <a href="http://www.facebook.com/sitetour/chat.php">from here</a>)</span><ul><li><span style="font-size:100%;">Username: johndoe</span></li><li><span style="font-size:100%;">Domain: chat.facebook.com</span></li><li><span style="font-size:100%;">Jabber ID: johndoe@chat.facebook.com</span></li><li><span style="font-size:100%;">Password: yourfacebookpassword</span></li><li><span style="font-size:100%;">Port: 5222</span></li><li><span style="font-size:100%;">Server: chat.facebook.com</span></li><li><span style="font-size:100%;">Use SSL/TLS: no</span></li><li><span style="font-size:100%;">Allow plaintext authentication: no</span></li></ul>Replace "johndoe" and <span style="font-size:100%;">"yourfacebookpassword"</span> with the relevant values. Most applications need only some of the settings.<br /><br />Testing took place using the <a href="http://webstart.mpowerplayer.com/">mpowerplayer</a> emulator and my Sony Ericsson W880i.<br /><br /><span style="font-size:130%;">Glider</span><br />Glider seems to be mostly aimed at users of ooros.com accounts but will try to log in using any <a href="http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol#Decentralization_and_addressing">JID</a> that you throw at it. Google Talk and Facebook chat work. 
Glider is based on <a href="http://code.google.com/p/lampiro/">Lampiro</a>.<br /><br />Website: <a href="http://ooros.com/glider/index">http://ooros.com/glider/index</a><br />Mobile download page: <a href="http://ooros.com/getglider.html">http://ooros.com/getglider.html</a><br />Version tested: 10.4.1<br /><br />Setting up:<br /><ul><li>Install the application from the above link</li><li>Click through a few options to get to the login screen</li><li>Enter the Jabber ID as above with your Facebook password</li><li>Click login and allow internet access if your phone asks</li><li>It will go to a menu; select messenger to go to your contact list<br /></li><li>The contact list will show your online friends (with your friend lists as groups). If it's empty, choosing Menu > "Show offline contacts" will allow you to see your offline friends. The contact list might take a while to load. Expand groups to see contacts</li></ul>Review<br />Pro<br /><ul><li>Very easy to set up. Requires the minimum information to connect</li><li>Google Talk works just as easily</li><li>Tabbed interface looks nice<br /></li></ul>Con<br /><ul><li>Only supports a single Jabber/XMPP account at a time. No way to log in to both Facebook and Google Talk, for example</li><li>Quite large (~500KB for TLS version) to download. Might not work on older phones (works fine on my w880i)</li><li>Does not always integrate as expected on my phone</li></ul><span style="font-size:100%;">Summary<br />Worthwhile to try. Works similarly to Lampiro, with small UI differences, and is somewhat bigger. The extra size only makes sense if you use the Ooros features.<br /><br />See the Lampiro 10.4.1 review for further comments.<br /><br />Note: This review was updated for a newer version<br /></span><br /><span style="font-size:130%;">Lampiro 10.2</span><br />Note: This is an old version. A review of a much improved new version can be found below.<br /><br />Glider is based on Lampiro. 
Lampiro lacks the features specific to ooros's site and defaults to a different color scheme.<br /><br />A newer version than the one tested can be found here: <a href="http://code.google.com/p/lampiro/downloads/list">http://code.google.com/p/lampiro/downloads/list</a>, but due to the ZIP format used, it needs to be downloaded via your PC and then copied to your phone.<br /><br />Website: <a href="http://lampiro.bluendo.com/">http://lampiro.bluendo.com/</a> and <a href="http://code.google.com/p/lampiro/">http://code.google.com/p/lampiro/</a><br />Mobile download page: <a href="http://lampiro.bluendo.com/get">http://lampiro.bluendo.com/get</a><br />Version tested: 10.1 (Normal, not TLS / Compression) (Google Talk requires TLS, Facebook doesn't support it) (The compression version might save on data costs)<br /><br />Setting up:<br /><ul><li>Install the application from the above link</li><li>Click through a few options to get to a screen asking if you already have a Jabber account<br /></li><li>Click Yes to get to the login screen<br /></li><li>Enter the Jabber ID as above with your Facebook password</li><li>Choose "Advanced config"</li><li>Change server type to manual. Don't change any settings; it will now log in (For subsequent attempts, the login button should be enough)<br /></li><li>Click login and allow internet access if your phone asks</li><li>It will go to the contact list. If it doesn't, select messenger to open it</li><li>The contact list might show as empty. Choosing Menu > "Show offline contacts" might help. The contact list might take a while to load. Expand groups to see contacts<br /></li><li>To see who the contact behind the weird numeric username is, select it, open the Actions menu and choose "See details". It will then load a page that displays the user's profile picture and name after a few seconds<br /></li></ul> Review<br />Pro<br /><ul><li>Easy to set up. 
Requires the minimum information and some minor fiddling with server settings (See below)<br /></li><li>Google Talk should work in the TLS version (Which was not tested)<br /></li><li>Tabbed interface looks nice</li><li>Does not contain menus for ooros services that don't work on Facebook / Google Talk</li></ul> Con<br /><ul><li>Harder to get connected than Glider<br /></li><li>I couldn't get it to load all my online Facebook contacts, never mind my entire friend list. This might be caused by a slow network connection</li><li>Only supports a single Jabber/XMPP account at a time. No way to log in to both Facebook and Google Talk, for example</li><li>Normally shows ugly JIDs in the contact list</li><li>The Google code download page has a newer version, but it is not in the standard JAR / JAD format for phone downloads<br /></li></ul> Summary<br />It might be a worthwhile program to watch if they could sort out the contact list issues.<br /><br />The harder connection setup seems to be a minor bug that is fixed in 10.3, which needs to be downloaded via a computer.<br /><br /><span style="font-size:130%;">Lampiro 10.4.1</span><br />Glider is based on Lampiro. 
Lampiro lacks the features specific to ooros's site and defaults to a different color scheme.<br /><br />Lampiro 10.4.1 is the latest version at the time of updating.<br /><br />Website: <a href="http://lampiro.bluendo.com/">http://lampiro.bluendo.com/</a> and <a href="http://code.google.com/p/lampiro/">http://code.google.com/p/lampiro/</a><br />Mobile download page: <a href="http://lampiro.bluendo.com/get">http://lampiro.bluendo.com/get</a> (<a href="http://static.bluendo.com/TLS/lampiro.jad">Direct link</a>)<br />Version tested: 10.4.1 (TLS) (Google Talk requires TLS)<br /><br />Setting up:<br /><ul><li>Install the application from the above link</li><li>Click through a few options to get to a screen asking if you already have a Jabber account<br /></li><li>Click Yes to get to the login screen<br /></li><li>Enter the Jabber ID as above with your Facebook password</li><li>Click login and allow internet access if your phone asks</li><li>It will go to the contact list, showing your online friends (in groups)</li><li>Press "Ok" on a friend to send a message<br /></li><li>Choosing Menu > "Show offline contacts" will show your offline friends</li></ul> Review<br />Pro<br /><ul><li>Very easy to set up<br /></li><li>Google Talk works (in the TLS version)<br /></li><li>Tabbed interface looks nice</li><li>Does not contain menus for ooros services that don't work on Facebook / Google Talk</li></ul> Con<br /><ul><li>Only supports a single Jabber/XMPP account at a time. To switch between Google Talk and Facebook chat, you need to log out and type the other username and password before logging in<br /></li><li>Quite large (~420KB for TLS version) to download. Might not work on older phones (works fine on my w880i)</li><li>Does not always integrate as expected on my phone<br /></li></ul> Summary<br />Almost perfect. 
The only possible improvements that I can think of are an account manager (allowing you to choose where to log in) and support for multiple simultaneous connections (or multiple installs with slightly different names, for phones supporting multitasking)<br /><br />It could be optimized better for specific phones (which might be hard without multiple versions, which would be impossible to maintain). My Sony Ericsson's "back" button does not work, for example, and I often need to look at the screen to find the softkey for the action.<br /><br />Some other problems might become apparent after extended use, but I'm really impressed by initial testing on the current version.<br /><br /><span style="font-size:130%;">JabberMixClient</span><br />JabberMixClient is based on MicroJabber and seems to be updated quite often.<br /><br />It was only tested on my W880i; it was unusably slow under mpowerplayer.<br /><br />Website: <a href="http://jabbermixclient.sourceforge.net/">http://jabbermixclient.sourceforge.net/</a><br />Mobile download page: <a href="http://codeapi.altervista.org/wap/jmc.wml">http://codeapi.altervista.org/wap/jmc.wml</a><br />Version tested: 2.1 Beta (Rich GUI version)<br /><br />Setting up:<br /><ul><li>The application starts at its "Offline menu" screen</li><li>Open the User settings screen<br /></li><li>Fill in the following options according to the values above: username, password, server, Jabber domain</li><li>Choose connect</li><li>Login fails for Facebook, works for Google Talk<br /></li></ul> Pro<br /><ul><li>Nice user interface<br /></li></ul> Con<br /><ul><li>Doesn't work for Facebook</li><li>Really slow under mpowerplayer</li><li>Supports only one account<br /></li></ul> Summary<br />JabberMixClient is a nice client for Google Talk, but it refuses to connect to Facebook chat.<br /><br /><span style="font-size:130%;">m-im</span><br />m-im is primarily aimed at Google Talk, but supports other Jabber servers as 
well.<br /><br />Website: <a href="http://code.google.com/p/m-im/">http://code.google.com/p/m-im/</a><br />Mobile download page: <a href="http://code.google.com/p/m-im/downloads/list">http://code.google.com/p/m-im/downloads/list</a><br />Version tested: 1.5.0<br /><br />Setting up:<br /><ul><li>Download, install and start the application</li><li>Choose No when asked whether you want to use the wizard to set up a Google Talk account</li><li>The profiles screen opens. Choose menu > new</li><li>Fill in Facebook in the profile name box, the Jabber ID in the username box, a short nickname in the "Display name" box, your password and the server address in the host box</li><li>Uncheck the Google account box and choose save</li><li>Press OK on the new profile to log in</li><li>A blank screen opens with no indication of progress</li></ul> Pro<br /><ul><li>Google Code site has up-to-date downloads</li><li>Supports multiple profiles</li><li>Supports Google Talk</li></ul> Con<br /><ul><li>No mobile site. Most phones should be able to handle the Google Code link though</li><li>No indication of progress</li><li>Current version doesn't seem to work</li><li>Only tested on a few phones according to the website</li></ul> Summary<br />m-im looks like it might have potential. The interface to configure accounts and the screen that is shown while it is connecting need a lot of work.<br /><span style="font-size:100%;"><br />According to the changelog, some major changes took place in this version. Older versions might work better.<br /><br /><br /></span><span style="font-size:100%;"><span style="font-size:130%;">Conclusion</span><br />It is disappointing that Facebook chat did not work immediately on most Jabber clients. It seems that many of the clients are only usable with a basic server and/or Google Talk.<br /><br />Lampiro 10.4.1 works well for Facebook chat with basic testing.<br /><br />[Update 2010-04-28: Updated for Lampiro 10.4.1. 
Left old review for historical interest]</span>Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com2tag:blogger.com,1999:blog-5576946258569429672.post-51403270529126403882010-04-22T21:03:00.005+02:002010-04-22T21:36:15.978+02:00Vodacom breaks Opera Mobile downloads on Symbian<rant>When I go to <a href="http://m.opera.com/">http://m.opera.com</a> on my Nokia 6120 on Vodacom, I get a page that only allows me to download a "Vodafone optimized Opera Mini" that installs with a generic "Internet" icon. It does not give an option to get the proper Opera Mobile that works on Symbian.</rant><br /><br />To bypass this and actually download Opera Mobile or a non-branded Opera Mini (without going through the Ovi store, which requires registration), use this link: <a href="http://www.opera.com/mobile/download/versions/">http://www.opera.com/mobile/download/versions/</a> in the built-in browser, choose the relevant version (Opera Mobile for S60 / Opera Mini) and click the link to get the normal version. 
(This relies on the quite decent built-in browser of the Nokia)<br /><br />Note: Downloading the applications to your PC and transferring them to your phone might be easier, faster and/or cheaper.<br /><br />Note2: This assumes that you are not using a phone set to accept only applications signed by your cellphone provider.Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-76928823225891820462009-02-24T21:49:00.009+02:002009-02-25T07:12:02.220+02:00Sane rules for determining likely safety of executablesSome autorun-based viruses and, more recently, <a href="http://www.winehq.org/pipermail/wine-devel/2009-February/073505.html">a thread on the Wine developer mailing list</a> had me thinking a bit about a reasonable way of identifying potentially dangerous Windows executables.<br /><br /><span style="font-size:130%;"><span style="font-size:180%;">Background</span><br />Windows XP SP2</span><br />Recent versions of Windows (from XP SP2, IIRC) have a mechanism (which seems to be based on <a href="http://msdn.microsoft.com/en-us/library/bb776297%28VS.85%29.aspx">IAttachmentExecute</a>) to determine whether or not to prompt the user before running an application that might be considered dangerous. In Windows XP, this covers at least files that were downloaded from the Internet and files on network shares under certain circumstances. 
Browsers such as Firefox 3 and the IE 6 that comes with Windows XP SP2 mark files that were downloaded from the Internet in order for this to work. Some <a href="http://smallvoid.com/article/ie-attachment-manager.html">more details</a> about this can be found <a href="http://support.microsoft.com/kb/Q883260">elsewhere</a>.<br /><br />For the Windows XP implementation of this, the user has an option to disable prompts to run the file, either from the file properties dialog or from the prompt that opens. IIRC signed files allow you to disable the prompt for all files from a publisher. (I cannot find any information on the handling of signed files)<br /><br />This mechanism was probably added to remind the user that the program is potentially dangerous and that it should be checked before being run.<br /><br /><span style="font-size:130%;">Autorun based malware</span><br />Autorun-based "viruses" (trojans or worms are probably more correct) are another, related problem. This kind of malware spreads by infecting drives, including removable drives, such as external hard drives, USB flash drives, SD cards, etc. 
with an executable that is triggered from the autorun.inf file when the drive is connected to a computer or when autorun is triggered manually. (Double clicking on the drive in My Computer usually has this effect.) The risk of infection with this kind of malware can be mitigated by disabling autorun on removable drives.<br /><br />The main factor that enables the effective distribution of autorun-based malware is that autorun is enabled on writable, removable devices, which allows any application that can write to the drive (on any computer where it is used) to execute arbitrary code on another computer. CDs and DVDs can also be infected, but the opportunities are limited for the read-only and non-rewritable versions, since they are normally not easily writable directly (special software is typically used to write to these media) and only a few computers have the opportunity to write to them.<br /><br /><span style="font-size:130%;">Complete protection</span><br />The most common way (other ways, such as exploits, are not considered here) that malware reaches a computer is from an external source, such as the Internet, e-mail attachments, network shares and removable drives. The mechanism mentioned earlier describes the approach that Microsoft took to mitigate the risk for some cases. 
The risk could be mitigated further by adding additional external sources of executables to the list of sources that are distrusted by default. The only completely effective way to ensure that the user is prompted before any malware is run is to distrust by default anything that was not part of the operating system (these can be made identifiable with a digital signature). The user would then need to specifically whitelist any other executable that he / she wants to use. A slight tradeoff would be to allow the user to whitelist the vendor of signed applications, rather than each executable.<br /><br />Another tradeoff would be to trust everything that was marked as trustworthy by a trusted application. This should allow, when the user trusts an installer, the applications installed by it to run without further prompts.<br /><br />A problem with any system that allows executables to be marked trusted, without restricting applications from marking others as trusted, is that trusting a single malicious executable can bypass the trust system for any other files. 
Vista UAC seems to indicate that users do not like to be prompted about the actions of a program. Users are likely to ignore prompts anyway if they do not know what they are about.<br /><br /><span style="font-size:180%;">Suggestions</span><br />The suggestions are based on my view of a theoretical ideal and do not take the feasibility of implementing them into account.<br /><br />Security and usability were the criteria used to decide on these suggestions.<br /><br /><span style="font-size:130%;">A sensible middle ground</span><br />Existing files on local, fixed drives and read-only removable drives are more trustworthy than files on a writable removable disk, or files that are known to be from an external source. (A read-only disk is not completely safe, and old files on a local disk are only safe if they were checked as they arrived)<br /><br />Prompting users to run files that they have just requested to run will be <a href="http://www.annoyances.org/exec/forum/winvista/1151260847">annoying</a> or even <a href="http://www.computing.net/answers/windows-2003/err-publisher-could-not-be-verified/6305.html">confusing</a> to some users. 
This is made worse by <a href="http://www.joelonsoftware.com/uibook/chapters/fog0000000062.html">users that simply ignore anything that looks like an error message and click whichever option seems likely to make it go away</a>.<br /><br />Ignoring possible annoyance to users, a reasonable level of protection would involve prompting the user before running anything from a writable removable drive, a writable network share or anything that was downloaded from the Internet. (The writable requirement is to catch files that could have been modified by anyone)<br /><br />For files with a digital signature, an SSH-like trust system should be able to reduce annoyance by allowing the user to trust a specific certificate (irrespective of whether it was self-signed or signed by a "trusted" certification provider) and not prompting again for applications signed with that certificate.<br /><br />If it can be easily protected from malicious ratings, a web-based trust indicator for certificates (or for individual executables in the case of unsigned files) might optionally be used in order to guide users. (This has privacy implications, and the user should opt in explicitly)<br /><br /><span style="font-size:130%;">Mapping trustworthiness in a Wine environment</span><br />Drives that should be distrusted by default should be marked by the user or his / her distribution by mounting them with the noexec option. 
(Candidates for this should be writeable removable storage (flash drives, but not CDs) and network shares.) The user can then be prompted before running the file. (The user should be able to disable the prompts in the same way as the attachment manager prompts)<br /><br />Files on noexec volumes should be able to be marked as trustworthy. If the filesystem is writable and supports them, extended attributes can be used; otherwise a database needs to be kept in the WINEPREFIX.<br /><br />For other volumes, files can be assumed to be trustworthy if their executable flag is set, and can be marked as non-trustworthy by removing the bit. Extended attributes are another option, and a database in the WINEPREFIX (a system-wide database in /etc might be useful for administrators) should always be an option as a fallback on a non-writable filesystem. 
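To make the mapping above concrete, here is an added example (not code from this post or from Wine) that evaluates these rules for a handful of constructed files: it parses a mount table in /proc/self/mounts format, finds the volume a path lives on, and applies the explicit-mark / noexec / executable-bit rules in the order proposed above. The mount table, paths and mode bits are constructed for the example, and the extended attribute name user.wine.trust is a hypothetical choice, since the post does not name one.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is one /proc/self/mounts line reduced to what the policy needs.
type Mount struct {
	Point  string
	Noexec bool
}

// ParseMounts reads the /proc/self/mounts format (device, mount point, fs type, options, ...).
// Spaces in mount points appear there escaped as \040.
func ParseMounts(table string) []Mount {
	var mounts []Mount
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		noexec := false
		for _, opt := range strings.Split(f[3], ",") {
			noexec = noexec || opt == "noexec"
		}
		mounts = append(mounts, Mount{Point: strings.ReplaceAll(f[1], `\040`, " "), Noexec: noexec})
	}
	return mounts
}

// MountFor returns the mount with the longest mount point that contains path.
func MountFor(mounts []Mount, path string) (best Mount, found bool) {
	for _, m := range mounts {
		if strings.HasPrefix(path, strings.TrimSuffix(m.Point, "/")+"/") && (!found || len(m.Point) > len(best.Point)) {
			best, found = m, true
		}
	}
	return best, found
}

// Verdict is what the loader does with a candidate executable.
type Verdict int

const (
	Run    Verdict = iota // start it without asking
	Prompt                // ask first: run / cancel / add to the trusted list
)

// trustAttr is a hypothetical attribute name; the post only says "extended attributes can be used".
const trustAttr = "user.wine.trust"

// File is what the policy knows about a candidate: path, mode bits and extended attributes.
type File struct {
	Path  string
	Mode  os.FileMode
	Marks map[string]string
}

// TrustDB is the per-WINEPREFIX fallback: paths explicitly marked trusted.
type TrustDB map[string]bool

// Decide applies the rules in order: an explicit mark wins (attribute, then database);
// a noexec volume (removable media, network shares) prompts by default; elsewhere the
// executable bit is the trust flag.
func Decide(mounts []Mount, db TrustDB, f File) (Verdict, string) {
	path := filepath.Clean(f.Path)
	if v, ok := f.Marks[trustAttr]; ok {
		if v == "trusted" {
			return Run, "marked trusted by extended attribute"
		}
		return Prompt, "marked distrusted by extended attribute"
	}
	if db[path] {
		return Run, "marked trusted in the WINEPREFIX database"
	}
	m, ok := MountFor(mounts, path)
	if !ok {
		return Prompt, "not on any known volume"
	}
	if m.Noexec {
		return Prompt, "on noexec volume " + m.Point + " and not marked trusted"
	}
	if f.Mode&0o111 != 0 {
		return Run, "executable bit set on " + m.Point
	}
	return Prompt, "executable bit cleared on " + m.Point
}

// MountTable is a constructed /proc/self/mounts excerpt: flash drive and share mounted noexec, CD read-only.
const MountTable = `/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/usb\040stick vfat rw,nosuid,nodev,noexec,relatime 0 0
//fileserver/share /mnt/share cifs rw,noexec,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0`

// Samples runs the policy over constructed files and returns the verdict for each.
func Samples() map[string]Verdict {
	mounts := ParseMounts(MountTable)
	db := TrustDB{"/mnt/share/tools/admin-tool.exe": true}
	files := map[string]File{
		"installed program on /home":                {Path: "/home/gert/.wine/drive_c/Program Files/App/app.exe", Mode: 0o755},
		"download without exec bit":                 {Path: "/home/gert/Downloads/setup.exe", Mode: 0o644},
		"autorun.exe on noexec USB stick":           {Path: "/media/usb stick/autorun.exe", Mode: 0o755},
		"tool on USB stick marked trusted":          {Path: "/media/usb stick/tools/tool.exe", Mode: 0o755, Marks: map[string]string{trustAttr: "trusted"}},
		"installer on read-only CD":                 {Path: "/media/cdrom/setup.exe", Mode: 0o555},
		"tool on network share trusted in database": {Path: "/mnt/share/tools/admin-tool.exe", Mode: 0o755},
	}
	out := map[string]Verdict{}
	for name, f := range files {
		v, why := Decide(mounts, db, f)
		out[name] = v
		fmt.Printf("%-42s %-7s %s\n", name, [...]string{"run", "prompt"}[v], why)
	}
	return out
}

func main() { Samples() }
```

Note that the vfat stick gets the prompt even though every file on it shows the executable bit: on filesystems without real permission bits the bit carries no information, which is exactly why the post wants such volumes mounted noexec and trust recorded out of band.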
Windows applications should be able to manipulate a file's trustworthiness in the same way as used on Windows XP SP2 or higher.<br /><br />Prompts should at least tell the user to run an anti-virus scan on the file before running it, and allow him / her to run the file, cancel running the file or add the file to a list of trusted files.<br /><br />For signed files, an option to trust / distrust the certificate should be present as well.Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-24834098300746358412008-10-27T19:29:00.005+02:002008-10-27T23:17:39.761+02:00Secure communication within a limited user group<span style="font-size:130%;">Introduction</span><br />Police and other emergency services in South Africa require reasonably secure communication, in order to discourage the abuse of the information transmitted for <a href="http://www.news24.com/News24v2/Components/Generic/News24v2_Print_PopUp_Article/0,8838,2-7-1442_2317529,00.html">personal gain</a> or criminal activities.<br /><br />Traditionally police use their own frequencies (sometimes with an unusual modulation for the frequency) to ensure privacy. Integrated wide-band capable radio receiver chips have made these analogue measures ineffective. This could be expected, since it is a "security through obscurity" approach, which relies on no one figuring out the frequency or obtaining a radio, which is impossible to prevent in the long term. <a href="http://en.wikipedia.org/wiki/Scanner_%28radio%29">Scanners</a> are <a href="http://www.scannerworld.com/content/product/category/Scanner%20Radios">available</a> that allow anyone in possession of one to receive a wide range of radio signals, including police communication. 
In addition, someone skilled in electronics can build/modify their own radio capable of receiving a wide range of frequencies.<br /><br />Legislation often exists banning the possession, sale and/or use of scanners, but this does not prevent people from obtaining/building them. Scanners do not transmit significant signals, which makes them hard to detect. (<a href="http://en.wikipedia.org/wiki/TEMPEST">Tempest-like methods</a>, as possibly used for the <a href="http://en.wikipedia.org/wiki/Television_licence#Detection_of_evasion_of_television_licences">detection of pirate TV viewers</a> for the enforcement of TV licence legislation, might work from nearby.) When used by criminals, who are probably committing crimes far more serious than owning / using a scanner, the scanner can be used to actively avoid the police, in which case the benefits far outweigh the risks.<br /><br />Digital communication can solve these problems by utilizing encryption. With proper error-correction codes, the range of the radios can also be extended. The design of such a system can be based on a conditional access system, such as those used for satellite TV. While I'm not familiar with any specific system, it is not hard to design a system based on a mixture of public-key and symmetric encryption that would be relatively secure.<br /><br /><span style="font-size:130%;">The basics</span><br />Using a purely <a href="http://en.wikipedia.org/wiki/Public-key_cryptography">public-key system</a> is not practical, since radios would need to keep track of the public keys of all radios that they want to communicate with. A <a href="http://en.wikipedia.org/wiki/Symmetric-key_algorithm">symmetric-key</a> method is a much more practical solution. It has the problem that only a single key needs to be compromised in order to gain access to all encrypted communication. 
In order to ensure that a compromised key or device does not grant an attacker long-term access to the encrypted information, it is critical that the key changes often (at least a few times a day). For a pair of devices, securely exchanging keys is not really a problem (<a href="http://en.wikipedia.org/wiki/Diffie-Hellman">Diffie-Hellman key exchange</a> can be used). Getting the same key to a whole group of radios is where the public-key system comes in.<br /><br /><span style="font-size:130%;">Key distribution</span><br />The keys are much smaller than the data protected by them. This makes it practical to distribute a large number of copies of the keys, each encrypted with the public key of the recipient. The recipient needs a private key in order to decrypt the symmetric cipher's keys. It is preferable that these keys are stored in the hardware used to decrypt the data. A smart card is the ideal vehicle for such a purpose (provided that the key is stored securely and not easily exposed or cloned). Several keys, each marked with the time it comes into effect, need to be distributed, since the radios may be out of range of the key distribution system for some time. (This reduces security somewhat by increasing the time that a stolen device / smart card remains useful.) The encrypted keys can be transferred to the devices using several methods, such as in-band distribution, central distribution from the police station, GSM modems, etc.<br /><br /><span style="font-size:130%;">Security of the system</span><br />The system is kept secure by strictly keeping track of the smart cards in use. If a smart card is lost or stolen, the distribution of keys encrypted with its public key is simply discontinued. Strict procedures, such as weekly / daily automated audits of the smart cards, should be used. 
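As an added example of the distribution scheme described above (not the post's own design or any real system), the Go program below draws a fresh random period key for each time slot, wraps it once per enrolled smart card with RSA-OAEP, lets each radio unwrap only the copies addressed to it, and implements revocation exactly as described: the lost card is dropped from the enrolment list and receives no further keys, so it is left holding only the keys it already had. Card IDs, slot times and the rotation interval are constructed for the example; the OAEP label, which ties each wrapped copy to one card and one start time, is an addition of mine and not something the post specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// WrappedKey is one copy of a period key (32 random bytes, meant for AES-256 on the air
// interface), RSA-OAEP encrypted for one smart card and tagged with its start time.
type WrappedKey struct {
	CardID     string
	NotBefore  time.Time
	Ciphertext []byte
}

// Radio stands in for a radio plus its smart card; the private key never leaves it.
type Radio struct {
	CardID string
	priv   *rsa.PrivateKey
	keys   map[int64][]byte // period keys received so far, by Unix start time
}

// Centre is the key-distribution centre; it holds only the public keys of enrolled cards.
type Centre struct{ cards map[string]*rsa.PublicKey }

func NewCentre() *Centre                                { return &Centre{cards: map[string]*rsa.PublicKey{}} }
func (c *Centre) Enroll(id string, pub *rsa.PublicKey) { c.cards[id] = pub }

// Revoke is the post's revocation: a lost card is left out of every later batch,
// so its access ends once the keys it already holds have expired.
func (c *Centre) Revoke(id string) { delete(c.cards, id) }

// label binds a wrapped key to one card and one start time, so a copy cannot be
// fed to another card or passed off as a different period's key.
func label(id string, t time.Time) []byte { return []byte(id + "|" + t.UTC().Format(time.RFC3339)) }

func NewRadio(id string) (*Radio, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Radio{CardID: id, priv: priv, keys: map[int64][]byte{}}, nil
}

func (r *Radio) Public() *rsa.PublicKey { return &r.priv.PublicKey }

// Distribute draws a fresh random key per slot and wraps it once per still-enrolled card.
func (c *Centre) Distribute(slots []time.Time) ([]WrappedKey, error) {
	var batch []WrappedKey
	for _, t := range slots {
		key := make([]byte, 32)
		rand.Read(key)
		for id, pub := range c.cards {
			ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label(id, t))
			if err != nil {
				return nil, err
			}
			batch = append(batch, WrappedKey{id, t, ct})
		}
	}
	return batch, nil
}

// Receive unwraps the copies addressed to this card, however the batch reached it
// (in-band, at the station, GSM modem), and returns how many it accepted.
func (r *Radio) Receive(batch []WrappedKey) int {
	n := 0
	for _, w := range batch {
		if w.CardID != r.CardID {
			continue
		}
		k, err := rsa.DecryptOAEP(sha256.New(), nil, r.priv, w.Ciphertext, label(r.CardID, w.NotBefore))
		if err == nil {
			r.keys[w.NotBefore.Unix()] = k
			n++
		}
	}
	return n
}

// KeyAt returns the newest key already in effect at t, or nil if none was received.
// A radio that missed a batch is left on an old key and simply cannot read current traffic.
func (r *Radio) KeyAt(t time.Time) (key []byte) {
	var best int64
	for start, k := range r.keys {
		if start <= t.Unix() && (key == nil || start > best) {
			best, key = start, k
		}
	}
	return key
}

func main() {
	centre := NewCentre()
	a, _ := NewRadio("A")
	b, _ := NewRadio("B")
	centre.Enroll("A", a.Public())
	centre.Enroll("B", b.Public())
	day1 := time.Date(2008, 10, 27, 0, 0, 0, 0, time.UTC)
	batch, _ := centre.Distribute([]time.Time{day1, day1.Add(12 * time.Hour)})
	fmt.Println("day 1: A accepted", a.Receive(batch), "keys, B accepted", b.Receive(batch))
	centre.Revoke("B") // card B reported lost: no more keys for it
	batch, _ = centre.Distribute([]time.Time{day1.Add(24 * time.Hour), day1.Add(36 * time.Hour)})
	fmt.Println("day 2: A accepted", a.Receive(batch), "keys, B accepted", b.Receive(batch))
}
```

The batch is public data: every copy is an RSA ciphertext and carries the card it is meant for, so it can go out over the air or over any other channel. The window in which a stolen card stays useful is the span of keys already issued to it, which is the trade-off the post makes against radios that are out of range.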
(The system should require the smart card to be physically present to verify its identity.)<br /><br /><span style="font-size:130%;">Weaknesses and countermeasures</span><br />The basic weaknesses in the system are similar to <a href="http://en.wikipedia.org/wiki/Card_sharing">those in pay-TV systems</a>: it is possible to modify a device to share the decrypted keys, or the hardware used to decrypt the keys, with other devices. This can result in unauthorized devices gaining access to the encrypted signal.<br /><br />The hardware decryption device can be modified to allow only a limited number of decryption operations in a certain time frame, in an attempt to limit the risk. Hardware modification or caching of the decrypted keys can bypass such measures.<br /><br />The difficulty of properly managing devices that go missing increases with the number of devices. The system should therefore be managed on a relatively small scale, such as within a city.<br /><br /><span style="font-size:130%;">Conclusion</span><br />Regulatory methods of controlling access to private radio signals are ineffective and only provide for reactive management of the security of the system, by destroying unauthorized receivers if they are found.<br /><br />It is possible to provide a much higher level of security to communication within an exclusive group of users, such as a police department or the subscribers of a pay-TV system. 
This method also allows for central manageability and access revocation.Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0tag:blogger.com,1999:blog-5576946258569429672.post-227340819637391402008-09-08T19:00:00.006+02:002008-09-10T21:28:15.077+02:00HTTPS should not require special treatment by browsersGoogle Chrome was <a href="http://www.tgdaily.com/html_tmp/content-view-39176-108.html">recently criticized</a> for <a href="http://weblogs.asp.net/mschwarz/archive/2008/09/05/google-chrome-and-history-search.aspx">indexing</a> information transferred from HTTPS pages such as Internet banking.<br /><br />While the concern, private information being indexed, is valid, the best solution is not to exclude HTTPS from indexing by default. Many useful sites that do not contain private data are served over HTTPS. Users benefit from having this information easily available. 
Some <a href="http://kb.mozillazine.org/Browser.cache.disk_cache_ssl">browsers even exclude HTTPS from caching by default</a>.<br /><br />The HTTP standard specifies a much better way to ensure that certain data is excluded from caching (it is probably a good idea to exclude it from indexing as well in such cases).<br /><br />The <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.4">HTTP 1.1 standard states</a> "Unless specifically constrained by a cache-control directive, a caching system MAY always store a successful response as a cache entry..."<br /><br />Unless a response from a server is specifically marked not to be cacheable, any browser (or proxy, for normal HTTP) should try to cache the response in order to improve the user experience.<br /><br /><span style="font-size:130%;">How sensitive data should be protected</span><br />Even though caches improve the user experience, some data should never be stored. The data mentioned in the linked articles falls within that category. This data is usually transferred over HTTPS in order to ensure its privacy and integrity while being transported between the server and the user.<br /><br />HTTP 1.1 provides a mechanism to ensure that this data is protected at the end points (and at caches, for normal HTTP). It specifies a <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9">"Cache-Control" header</a>. This header allows the data to be tagged with several levels of cacheability. Anything marked with anything other than a no-store Cache-Control header should be expected to be cached at least in a limited way by the browser. 
(Other headers are intended to ensure that a cache does not return out-of-date data, not to ensure its privacy on the user's computer)<br /><br />Most browsers since the days of Internet Explorer 4 support enough of HTTP 1.1 to understand Cache-Control headers.<br /><br />Banks and other sites should therefore ensure that they include the correct headers in the responses from their servers. They should not prevent non-sensitive content such as static style sheets, scripts and images from being cached, since reloading this data each time degrades the user experience and wastes bandwidth. Depending on browsers to be more paranoid than the standards require them to be is irresponsible.<br /><br />If sensitive data leaks, the party responsible for the disclosure should be held responsible. This can be the user, if his/her system's security was breached (due to his/her negligence), the browser vendor, if the browser does not follow the standards and caches data that is marked no-store, or the party serving the content, if they do not mark their content properly.<br /><br /><span style="font-size:130%;">Interoperability with HTTP 1.0</span><br />HTTP 1.0 does not provide the Cache-Control header. In most such cases a Pragma: no-cache over HTTPS should be enough to exclude the page totally from caching. (This seems to be the <a href="http://support.microsoft.com/kb/234067">common behaviour</a>) When HTTP 1.1 is used, the finer-grained Cache-Control header should be used, if present. 
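As an added example (not from the post), the Go function below implements the reading of the rules argued for here: cache unless the server forbids it, with no-store as the only directive meaning "never write this anywhere", no-cache and private only narrowing where and how long a response may be reused, and, for HTTP/1.0 peers or HTTP/1.1 responses that carry no Cache-Control at all, a Pragma: no-cache fallback that excludes the response entirely only when it arrived over TLS. The sample responses are constructed for the example, not captured from any site.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Policy is what a browser (or proxy) may do with one response. It is derived from the
// headers the server sent, never from the URL scheme alone.
type Policy struct {
	Store      bool // may be written to the disk cache at all
	Index      bool // may be fed to history / full-text indexing
	Shared     bool // may also be kept by a shared (proxy) cache
	Revalidate bool // must be checked with the server before being reused
	MaxAge     int  // seconds the response stays fresh; -1 when not stated
}

// directives parses Cache-Control values such as `private, max-age=0, no-cache="Set-Cookie"`
// into lower-cased names and unquoted arguments. (A quoted argument that itself contains a
// comma is split naively; that is good enough for the directives decided on here.)
func directives(values []string) map[string]string {
	out := map[string]string{}
	for _, v := range values {
		for _, d := range strings.Split(v, ",") {
			name, arg, _ := strings.Cut(strings.TrimSpace(d), "=")
			if name != "" {
				out[strings.ToLower(name)] = strings.Trim(arg, `"`)
			}
		}
	}
	return out
}

// Decide applies the rule "cache unless the server forbids it". proto is the response's
// protocol version and secure says whether it arrived over TLS.
func Decide(proto string, secure bool, h http.Header) Policy {
	p := Policy{Store: true, Index: true, Shared: true, MaxAge: -1}
	cc := h.Values("Cache-Control")
	if proto == "HTTP/1.0" || len(cc) == 0 {
		// HTTP/1.0 peer, or a 1.1 server that stated nothing: fall back to Pragma.
		// Over TLS the common behaviour is to treat Pragma: no-cache as "keep nothing".
		for _, v := range h.Values("Pragma") {
			if strings.EqualFold(strings.TrimSpace(v), "no-cache") {
				p.Revalidate = true
				if secure {
					p.Store, p.Index, p.Shared = false, false, false
				}
			}
		}
		return p
	}
	d := directives(cc)
	if _, ok := d["no-store"]; ok {
		return Policy{MaxAge: -1} // the one directive meaning "never write this anywhere"
	}
	if _, ok := d["no-cache"]; ok {
		p.Revalidate = true // may be stored, but must be revalidated before reuse
	}
	if _, ok := d["private"]; ok {
		p.Shared = false // the end user's browser only
	}
	if n, err := strconv.Atoi(d["max-age"]); err == nil && n >= 0 {
		p.MaxAge = n
	}
	return p
}

// Samples decides constructed responses (not captured from any real site) and returns the policy for each.
func Samples() map[string]Policy {
	bank := http.Header{"Cache-Control": {"no-store, no-cache, must-revalidate"}, "Pragma": {"no-cache"}}
	asset := http.Header{"Cache-Control": {"public, max-age=86400"}}
	account := http.Header{"Cache-Control": {"private", "max-age=0"}} // sent as two header lines
	legacy := http.Header{"Pragma": {"no-cache"}}                      // HTTP/1.0 server, no Cache-Control
	silent := http.Header{"Content-Type": {"text/html"}}               // says nothing about caching
	return map[string]Policy{
		"bank statement over https":     Decide("HTTP/1.1", true, bank),
		"stylesheet over https":         Decide("HTTP/1.1", true, asset),
		"account page over https":       Decide("HTTP/1.1", true, account),
		"http/1.0 pragma over https":    Decide("HTTP/1.0", true, legacy),
		"http/1.0 pragma over http":     Decide("HTTP/1.0", false, legacy),
		"no caching headers over https": Decide("HTTP/1.1", true, silent),
	}
}

func main() {
	for name, p := range Samples() {
		fmt.Printf("%-30s store=%-5v index=%-5v shared=%-5v revalidate=%-5v max-age=%d\n",
			name, p.Store, p.Index, p.Shared, p.Revalidate, p.MaxAge)
	}
}
```

The bank's statement page and its stylesheet are both served over HTTPS, yet only the former ends up with every flag cleared: the decision comes from the headers the server chose to send, which is where the responsibility the post assigns to site operators lies.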
(HTTP 1.0-like behaviour as a fallback in its absence is probably a safe option)<br /><br /><span style="font-size:130%;">Deja Vu</span><br />The outcry over Chrome indexing pages transferred over HTTPS is reminiscent of the <a href="http://www.webmasterworld.com/forum3/18277.htm">reaction after</a> Google <a href="http://www.webmasterworld.com/forum3/2217.htm">started indexing</a> pages hosted on HTTPS in 2002.<br /><br />An <a href="http://searchenginewatch.com/showPage.html?page=2159441">article written then</a> sums it up nicely: "The misconception that Google is going where it shouldn't comes partly from the somewhat vague definition of "secure." The SSL protocol is simply a transmission protocol. It has nothing to do with whether an individual page should be considered "secure" or not."Gerthttp://www.blogger.com/profile/00068275385814969285noreply@blogger.com0