http://larrythecow.org/ en Planet Larry - http://larrythecow.org/ http://blog.siphos.be/?p=608 http://feedproxy.google.com/~r/PlanetLarry/~3/CLbPULW02Iw/ <p> Those that are frequent the #gentoo-hardened chat channel know that I’m currently trying to get the SELinux related utilities working under Python 3. This has progressed quite far, but I’m still not there yet. I’m now hitting a weird <a href="https://bugs.gentoo.org/show_bug.cgi?id=416301">bug</a> which seems to come down to an incorrect free() on some memory (well, I don’t know this, this is my current assumption) but which seems hard to catch. So I’m learning a lot (thanks to an active community) about debugging Python and memory issues. </p> <p> These past few weeks have been enlightening for me on the matter of Python 2 to 3 conversions. Enough that I can fully understand Diego’s pain when dealing with Ruby upgrades ;-) I hope that, if Perl 6 ever comes out (right now, Perl 6 is the future – now and in the future ;-), that they think about the children… err, package maintainers. </p> <p> Because it takes some time to work on these matters, other reported SELinux issues have been piling up; I hope I can close down this Python migration in the near future and work on the remainder of bugs… </p> <p> Next to all this, I’m slowly going through some documentation related bugs, but also mentoring <a href="http://twitch153-awesomecode.blogspot.com/">Devan Franchini</a> in his GSoC project on a SELinux policy originator. And now that I linked his blog, he’s going to feel obliged to blog on his progress! ;-)</p> Thu, 24 May 2012 16:46:12 +0000 http://blog.siphos.be/?p=608 http://invalidmagic.wordpress.com/?p=1190 http://feedproxy.google.com/~r/PlanetLarry/~3/kIsa58R5NMM/ <p><a href="http://invalidmagic.files.wordpress.com/2010/12/nixos-lores.png"><img src="http://invalidmagic.files.wordpress.com/2010/12/nixos-lores.png?w=150&amp;h=46" title="nixos-lores" height="46" width="150" alt="" class="alignright size-thumbnail wp-image-704" /></a>a short ‘guide’ on how to use <strong>meld for merges in svn.</strong></p> <p>this has been discussed on many blogs but since i had this issue twice now and especially since svn changed the parameter list and therefore many pages describing this are thus wrong, here it is again. also nobody seems to implement the workflow i like, that is:</p> <ul> <li>on the left side is the file to be edited</li> <li>on the right side is the new version (this file is only important while merging)</li> </ul> <div><a href="http://invalidmagic.files.wordpress.com/2012/05/meld_in_svn.png"><img src="http://invalidmagic.files.wordpress.com/2012/05/meld_in_svn.png?w=300&amp;h=177" title="meld_in_svn" height="177" width="300" alt="" class="aligncenter size-medium wp-image-1197" /></a></div> <div><strong>workflow:</strong> what ~/.meld does is to give you <strong>MINE</strong> and <strong>THEIRS</strong> for merging into MINE (MINE is the left side document). after the merge it would copy the modified <strong>MINE</strong> over <strong>MERGED</strong>. and once the conflict is marked ‘<strong>resolved</strong>‘ all the different files will vanish and leave a working set of files.</div> <h1>.subversion/config</h1> <p></p><pre class="brush: bash;">merge-tool-cmd = /root/.meld </pre><p></p> <h1>/root/.meld</h1> <p></p><pre class="brush: bash;">#!/bin/sh ### the specified command: base theirs mine merged wcfile /nix/var/nix/profiles/default/bin/meld $3 $2 # this cp copies mine to merged cp $3 $4 exit 0 </pre><p></p> <p>afterwards don’t forget to make it executable &amp; install meld of course:</p> <p></p><pre class="brush: bash;">chmod u+x .meld nix-env -i meld </pre><p></p> <p>the merge:</p> <p></p><pre class="brush: bash;">svn up Updating '.': A pkgs/applications/misc/gnome_terminator A pkgs/applications/misc/gnome_terminator/default.nix U pkgs/applications/version-management/git-and-tools/svn2git-kde/default.nix A pkgs/applications/graphics/zgrviewer A pkgs/applications/graphics/zgrviewer/default.nix U pkgs/applications/audio/audacious/default.nix U pkgs/applications/audio/yoshimi/default.nix U pkgs/lib/platforms.nix G pkgs/top-level/all-packages.nix U pkgs/top-level/haskell-defaults.nix Conflict discovered in '/etc/nixos/nixpkgs/pkgs/top-level/python-packages.nix'. Select: (p) postpone, (df) diff-full, (e) edit, (mc) mine-conflict, (tc) theirs-conflict, (s) show all options: &lt;strong&gt;l&lt;/strong&gt; </pre><p></p> <ol> <li>type ‘<strong>l</strong>‘ (like <strong>l</strong>inux) on the keyboard</li> <li>on the left side is the file you want to patch, so make changes to the left side and save the document</li> <li>now close meld</li> <li>back on the shell, type ‘<strong>r</strong>‘ (for <strong>r</strong>esolved)</li> <li>continue with other conflicts</li> </ol> <br /> <a href="http://feeds.wordpress.com/1.0/gocomments/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/invalidmagic.wordpress.com/1190/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/invalidmagic.wordpress.com/1190/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=invalidmagic.wordpress.com&amp;blog=7740335&amp;post=1190&amp;subd=invalidmagic&amp;ref=&amp;feed=1" border="0" height="1" /> Mon, 21 May 2012 23:14:13 +0000 http://invalidmagic.wordpress.com/?p=1190 http://www.void.gr/kargig/blog/?p=1373 http://feedproxy.google.com/~r/PlanetLarry/~3/Ka8qk1euUnE/ <p>Από δελτίο τύπου του <a href="http://www.opi.gr" target="_blank">Οργανισμού Πνευματικής Ιδιοκτησίας</a>:</p> <blockquote><p>…στις 16 Μαΐου 2012 δημοσιεύθηκε η απόφαση 4658/2012 του Μονομελούς Πρωτοδικείου Αθηνών, η οποία έκανε δεκτό αίτημα οργανισμών συλλογικής διαχείρισης δικαιωμάτων επί μουσικών και οπτικοακουστικών έργων να υποχρεωθούν εκτός άλλων οι ελληνικές εταιρίες παροχής υπηρεσιών σύνδεσης στο διαδίκτυο να λάβουν τεχνολογικά μέτρα προκειμένου να καταστεί αδύνατη η πρόσβαση των συνδρομητών τους σε διαδικτυακές τοποθεσίες μέσω των οποίων πραγματοποιείται παράνομη παρουσίαση και ανταλλαγή έργων. Η απόφαση εφαρμόζει ουσιαστικά για πρώτη το άρθρο 64 Α του ν. 2121/1993 που ενσωματώνει πρόβλεψη Οδηγίας της Ευρωπαϊκής Ένωσης για τη δυνατότητα λήψης ασφαλιστικών μέτρων κατά των διαμεσολαβητών (παρόχων υπηρεσιών διαδικτύου), οι υπηρεσίες των οποίων χρησιμοποιούνται από τρίτο για την προσβολή του δικαιώματος του δημιουργού ή συγγενικού δικαιώματος. Παρόμοιες αποφάσεις έχουν ήδη εκδοθεί σε άλλα κράτη μέλη της Ευρωπαϊκής Ένωσης και αποσκοπούν στην προστασία της πνευματικής ιδιοκτησίας στο διαδίκτυο χωρίς να θίγονται τα δικαιώματα των χρηστών….</p></blockquote> <p>Την πλήρη απόφαση μπορείτε να την διαβάσετε εδώ: <a href="http://web.opi.gr/newzportletpdk/lawlib/get?uid=9h3c" target="_blank">4658/2012</a></p> <p><strong>Γιατί είναι σημαντική αυτή η απόφαση για τους χρήστες</strong><br /> Για πρώτη φορά στην Ελλάδα δικαστήριο επιβάλλει συγκεκριμένα τεχνικά/τεχνολογικά μέτρα παρεμπόδισης της πρόσβασης χρηστών σε ιστοσελίδες/servers. Σήμερα μπορεί να είναι μια ιστοσελίδα που παρέχει “πειρατικό” περιεχόμενο και ο ιδιοκτήτης της βγάζει χρήματα μέσω των διαφημίσεων, αύριο μπορεί να είναι ένα site που ο ιδιοκτήτης του δεν βγάζει χρήματα και μεθαύριο ένα πολιτικό site, ένα θρησκευτικό site, ένα blog που διαφωνεί με τις μεθόδους μιας εταιρίας, μιας κυβέρνησης, κτλ. Οπότε πρέπει ως χρήστες να ξέρουμε τι επιβάλλει το δικαστήριο και να δούμε πως εμείς, ως μέλη της κοινωνίας του Internet, μπορούμε να κάνουμε κάτι για να ακυρώσουμε στην πράξη μια τέτοια απόφαση αν πιστεύουμε πως αυτή είναι λανθασμένη.</p> <p><strong>Τι περιγράφει η απόφαση</strong><br /> Η απόφαση περιέχει μια λεπτομερή τεχνική έκθεση που εξηγεί πως δουλεύει ένα site, ποια πρωτόκολλα χρησιμοποιούνται από τα μηχανήματα των χρηστών/πελατών για να αποκτήσουν πρόσβαση στο site και έπειτα περιγράφει τρόπους να διακοπεί η σύνδεση των χρηστών με ένα site. Οι τρόποι που παρουσιάζονται είναι οι εξής 2:<br /> Ι) Εφαρμογή κατάλληλων φίλτρων στους δρομολογητές (routers) των ISPs ώστε να αποκλειστεί οποιαδήποτε κίνηση καταλήγει σε συγκεκριμένη IP.<br /> ΙΙ) Εφαρμογή κατάλληλης ανακατεύθυνσης, μέσω τροποποίησης των DNS εγγραφών στους nameservers του κάθε ISP ώστε, ώστε τα αιτήματα προς συγκεκριμένα domains να καταλήγουν σε διαφορετικούς ιστοτόπους. Αυτοί οι ιστότοποι θα μπορούσαν να περιέχουν και ένα προειδοποιητικό μύνημα ώστε να καταλαβαίνουν οι χρήστες γιατί δεν έχουν πρόσβαση στο κανονικό site, όπως αναφέρει το η έκθεση.</p> <p>Από αυτούς τους 2 τρόπους, στην απόφαση επιβάλλεται η χρήση μόνο του τρόπου (I) ως τεχνολογικό μέτρο διακοπής της πρόσβασης στις “παραβατικές” ιστοσελίδες.</p> <p><strong>Τα προβλήματα της απόφασης</strong><br /> Τα προβλήματα της απόφασης για μένα είναι αρκετά. Κάποια αναφέρονται και στην ίδια την τεχνική έκθεση που περιέχεται στην απόφαση.<br /> Συγκεκριμένα αναφέρει:</p> <blockquote><p>Αν και υπάρχουν δυνατότητες παράκαμψης των συγκεκριμένων τεχνικών μέσων από την μεριά των χρηστών του διαδυκτύου, οι τεχνικές αυτές είναι άγνωστες στη μεγάλη πλειονότητα των πελατών (συνδρομητών) των ISP, που είναι οι δυνητικοί επισκέπτες των ιστοτόπων στους οποίους έχει διακοπεί η πρόσβαση.</p></blockquote> <p>Θα αναφερθώ μόνο στα πολύ βασικά όμως…<br /> α) Καταρχήν τα sites έχουν αλλάξει IPs. Το www.ellinadiko.com πλέον δεν δείχνει στην IP που αναφέρεται στην απόφαση, για την ακρίβεια δεν δείχνει πουθενά αυτή τη στιγμή, ενώ το www.music-bazaar.com λειτουργεί αλλά δείχνει σε διαφορετική IP. Άρα η εφαρμογή της οδηγίας (Ι) είναι <strong>πρακτικά άχρηστη</strong> ως προς τους σκοπούς της απόφασης χωρίς πολλά πολλά. Από την άλλη όμως μπορεί να δημιουργήσει προβλήματα πρόσβασης σε άλλα sites που μπορεί αυτή τη στιγμή να φιλοξενούνται σε εκείνες τις IP για τις οποίες πρέπει να μπουν φίλτρα. Άρα αν εφαρμοστεί η απόφαση ως έχει κινδυνεύει να διακοπεί η πρόσβαση στο site μιας ελληνικής ή ξένης εταιρίας ή προσώπου χωρίς να φταίει σε τίποτα! Ακόμα να μην είχαν αλλάξει IPs τα sites αυτά όμως, πάλι προκύπτει πρόβλημα. Η σύγχρονη τεχνολογία, των τελευταίων 15+ ετών, επιτρέπει την φιλοξενία πολλαπλών ιστοτόπων στην ίδια IP μέσω της τεχνολογίας virtual hosting, κάτι που εφαρμόζεται κατά κόρον ώστε να εξοικονομηθούν IPs. Αυτό έχει σαν αποτέλεσμα πως αν αποτραπεί η κίνηση προς μία συγκεκριμένη IP από ένα φίλτρο ενός ISP, τότε παρεμποδίζεται και η κίνηση προς όλα τα υπόλοιπα sites που φιλοξενούνται στην ίδια IP. Άρα υπάρχει πιθανότητα “τιμωρίας” αθώων ανθρώπων που δεν έχουν κάνει απολύτως τίποτα. </p> <p>β) Η τεχνική έκθεση και η απόφαση περιέχει συγκεκριμένα domains που θα πρέπει να εφαρμοστεί το (II). Αυτό όμως δεν εμποδίζει σε τίποτα τον διαχειριστή της “προβληματικής” ιστοσελίδας να αλλάξει αύριο domain κρατώντας ακριβώς το ίδιο περιεχόμενο. Οπότε εμποδίζοντας την πρόσβαση στους πελάτες πίσω από ένα ISP σε ένα συγκεκριμένο domain δεν καταφέρνεις και πολλά. Ακόμα όμως και να μην αλλάξει domain ο διαχειριστής μιας και υπάρχουν ελέυθεροι nameservers (Google Public DNS, OpenDNS, κ.α) στο Internet, το μόνο που θα είχε να κάνει ο χρήστης θα ήταν να χρησιμοποιήσει αυτούς έναντι των nameservers του ISP του. Άρα πάλι τα τεχνικά μέτρα είναι <strong>εντελώς ανεπαρκή</strong> ως προς τον σκοπό της απόφασης. Πέραν αυτού και λόγω της προτεινόμενης ανακατεύθυνσης που προτείνει η τεχνική έκθεση τίθεται και ένα θέμα ιδιωτικότητας σε περίπτωση που εφαρμοζόταν το μέτρο (ΙΙ). Λόγω της ανακατεύθυνσης όλοι οι πελάτες θα “πήγαιναν” σε μία νέα ιστοσελίδα που θα ήταν υπό τη διαχείριση (μάλλον?) του ISP, άρα ο ISP αποκτάει πολύ εύκολα πρόσβαση στο ποιός θέλει να επισκεφτεί τον ιστότοπο αυτό. Τίθεται λοιπόν ζήτημα παρακολούθησης της κίνησης των πελατών. Προσωπικά το θεωρώ απαράδεκτο, όπως απαράδεκτο είναι να προσπαθείς να αλλάξεις τον τρόπο που λειτουργεί το internet. Άλλωστε όπως έχει πει ο <a href="https://en.wikipedia.org/wiki/John_Gilmore_(activist)">John Gilmore</a>:<br /> </p><blockquote>The Net interprets censorship as damage and routes around it<p></p></blockquote> <p>Μετάφραση:<br /> </p><blockquote> Το Δίκτυο ερμηνέυει τη λογοκρισία ως ζημιά και δρομολογεί (την κίνηση) γύρω από αυτό (ξεπερνώντας την ζημιά)<p></p></blockquote> <p><strong>Τι θα μπορούσαν να κάνουν οι χρήστες για να παρακάμψουν το “πρόβλημα” αν τους επηρέαζε</strong><br /> Σε περίπτωση εφαρμογής του (II), όπως αναφέρθηκε παραπάνω το μόνο που θα είχαν να κάνουν οι χρήστες θα ήταν να αλλάξουν nameservers στο PC/δίκτυο τους. Αυτό εξηγείται αναλύτικά στις σελίδες της <a href="https://developers.google.com/speed/public-dns/docs/using">Google Public DNS</a> αλλά και του <a href="https://store.opendns.com/setup/computer/">OpenDNS</a>. Τόσο απλά. Είναι υπόθεση 1 λεπτού αν έχει ο οποιοσδήποτε τις οδηγίες μπροστά του.</p> <p>Σε περίπτωση εφαρμογής της τεχνικής (Ι) και την στιγμή που το site δεν μπορεί για τους Χ λόγους να αλλάξει IP, αυτό που πρέπει να κάνουν οι χρήστες είναι να χρησιμοποιήσουν κάποιον <a href="https://en.wikipedia.org/wiki/Proxy_server">proxy server</a>, ένα <a href="https://en.wikipedia.org/wiki/Vpn">VPN</a> ή κάποιο άλλο δίκτυο που δρομολογεί διαφορετικά τις συνδέσεις τους, για παράδειγμα το <a href="https://www.torproject.org/">Tor</a>. Ο ευκολότερος τρόπος να βρει κάποιος δωρεάν proxies στο δίκτυο είναι να <a href="http://lmgtfy.com/?q=free+proxy">ψάξει στο Google</a>, ενώ η <a href="http://lmgtfy.com/?q=buy+vpn">αγορά ενός VPN</a> ξεκινά από τα 3€. Η χρήση του tor είναι πλεόν αρκετά απλή και το μόνο που απαιτείται είναι να κατεβάσει κανείς το <a href="https://www.torproject.org/projects/torbrowser.html.en">Tor Browser Bundle</a> και να τρέξει το <a href="https://www.torproject.org/projects/vidalia.html.en">Vidalia</a>. Όταν κάποιος τρέξει το Vidalia θα ανοίξει ένας νέος browser (Firefox) και έπειτα η δρομολόγηση των πακέτων προς το site που θέλει να επισκευτεί κανείς γίνεται μέσω του Tor δικτύου το οποίο είναι <em>αρκετά δύσκολο</em> να το σταματήσουν οι ISPs. Σίγουρα πάντως η απόφαση ασφαλιστικών μέτρων 4658/2012 δεν είναι ικανή να σταματήσει το Tor ή οποιονδήποτε άλλο από τους παραπάνω τρόπους παράκαμψης του “προβλήματος”.</p> <p><strong>Τι πρέπει να γνωρίζουν οι χρήστες του Internet</strong><br /> Οι χρήστες του internet πρέπει να γνωρίζουν πως ανά πάσα στιγμή μια τέτοια απόφαση μπορεί να τους αλλάξει τις συνήθειές τους αλλά και να τους κόψει την πρόσβαση από πηγές πληροφορίας που μέχρι τώρα είχαν ελεύθερη πρόσβαση. Για να μην βρεθούν τελευταία στιγμή να αναρωτιούνται τί και πώς πρέπει να φροντίζουν να ενημερώνονται για τους κινδύνους και τα προβλήματα. Είναι μάλιστα επιτακτικό ο ένας χρήστης να ενημερώνει τους άλλους. Γι αυτούς ακριβώς τους λόγους τους τελευταίους 2-3 μήνες έχει ξεκινήσει μια προσπάθεια ενημέρωσης των Ελλήνων χρηστών για τα ψηφιακά τους δικαιώματα, τους κινδύνους που υπάρχουν στο διαδίκτυο, πως προστατεύει κανείς τα προσωπικά του δεδομένα και πως αποφεύγει προσπάθειες εταιρικής ή κρατικής λογοκρισίας μέσω κάποιων <a href="https://hackerspace.gr/wiki/Freedom_of_speech">παρουσιάσεων</a> που γίνονται στο <a href="https://hackerspace.gr">hackerspace της Αθήνας</a>. Η επόμενη παρουσίαση γίνεται στις 30/05/2012 και αφορά την χρήση του δικτύου Tor. Όσοι ενδιαφέρονται είναι ευπρόσδεκτοι να <a href="https://hackerspace.gr/wiki/Getting_Here">έρθουν</a> να ακούσουν και φυσικά να ρωτήσουν για τυχόν απορίες που ίσως έχουν σχετικά με την ψηφιακή τους ζωή.</p> <p><strong>Οργανωθείτε!</strong><br /> Αν σας ενδιαφέρει να παλέψετε και εσείς για τα <a href="https://en.wikipedia.org/wiki/Digital_rights">ψηφιακά δικαιώματα και τις ελευθερίες</a> στην Ελλάδα καλό θα ήταν να διαβάσετε το <a href="http://dln.gr/manifesto/">κείμενο θέσεων</a> του <a href="http://dln.gr">Δικτύου για την Ψηφιακή Απελευθέρωση (Digital Liberation Network)</a> και αν συμφωνείτε να εγγραφείτε στην <a href="https://lists.espiv.net/cgi-bin/mailman/listinfo/information_society">mailing list του DLN</a>.</p> Fri, 18 May 2012 18:06:00 +0000 http://www.void.gr/kargig/blog/?p=1373 http://steveno.wordpress.com/2012/05/16/dick-of-the-week/ http://feedproxy.google.com/~r/PlanetLarry/~3/wKTZBY_pouA/ <img src="http://planet.larrythecow.org/images/StevenOliver3.png" alt="" align="right" style="float: right;"><p><a href="https://lists.fedoraproject.org/pipermail/devel/2012-May/167057.html">https://lists.fedoraproject.org/pipermail/devel/2012-May/167057.html</a></p> <br /> <a href="http://feeds.wordpress.com/1.0/gocomments/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/steveno.wordpress.com/962/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/steveno.wordpress.com/962/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/steveno.wordpress.com/962/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/steveno.wordpress.com/962/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/steveno.wordpress.com/962/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/steveno.wordpress.com/962/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/steveno.wordpress.com/962/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/steveno.wordpress.com/962/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=steveno.wordpress.com&amp;blog=1231018&amp;post=962&amp;subd=steveno&amp;ref=&amp;feed=1" border="0" height="1" /> Wed, 16 May 2012 20:01:03 +0000 http://steveno.wordpress.com/2012/05/16/dick-of-the-week/ tag:blogger.com,1999:blog-2324207642645389640.post-7205220514636105648 http://michaelmk.blogspot.com/2012/05/different-runlevels-in-gentoo.html Different default runlevels isn't something which is quite popular because usually one default runlevel is enough. Nonetheless sometimes it's quite useful.<br />Since i play around with xen it's very handy to have two different default runlevels. One where the xen services xenconsoled and xenstored get started and one without these services.<br />The reason is, when starting gentoo without xen these services would crash and thus would slow down the boot process.<br /><br />To create a new runlevel called "xen" you have todo following:<br /><br /><span style="font-family: 'Courier New', Courier, monospace;"># mkdir /etc/runlevels/xen</span><br /><span style="font-family: 'Courier New', Courier, monospace;"># cd /etc/runlevels/default</span><br /><span style="font-family: 'Courier New', Courier, monospace;"># for service in *; do rc-update add $service xen; done</span><br /><span style="font-family: 'Courier New', Courier, monospace;"># rc-update add xenstored xen</span><br /><span style="font-family: 'Courier New', Courier, monospace;"># rc-update add xenconsoled xen</span><br /><br />This would copy all services from the default runlevel into xen and would add both xen init scripts too. Next you need to configure the bootloader and add the <b>softlevel</b> parameter to /boot/grub/grub.conf.<br /><br /><span style="font-family: 'Courier New', Courier, monospace;">title Gentoo Linux XEN</span><br /><span style="font-family: 'Courier New', Courier, monospace;">root (hd0,0)</span><br /><span style="font-family: 'Courier New', Courier, monospace;">kernel /boot/xen.gz dom0_mem=8192M,max:8192M iommu=1 xsave=1 dom0_max_vcpus=4 dom0_vcpus_pin </span><br /><span style="font-family: 'Courier New', Courier, monospace;">module /boot/gentoo-3.4.0-rc6 root=/dev/md3 <b>softlevel=xen</b></span><br /><br />Finish, that's all. Quite easy and really useful for xen. A more detailed howto about runlevels can be found at gentoo's offical documentation: <a href="http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&amp;chap=4#doc_chap5" target="_blank">Link</a><div class="blogger-post-footer"><img width="1" alt="" src="https://blogger.googleusercontent.com/tracker/2324207642645389640-7205220514636105648?l=michaelmk.blogspot.com" height="1" /></div> Wed, 16 May 2012 06:28:58 +0000 noreply@blogger.com (Michael Mair-Keimberger) tag:blogger.com,1999:blog-2324207642645389640.post-5666330379238331160 http://michaelmk.blogspot.com/2012/05/new-pc-new-toy.html It's been already 5 years ago since i bought my last desktop PC. Now i bought a new one. A few months ago i've started to think about my new system. Basically i don't wanted anything special, there was just one thing which i definitely wanted to try out: <a href="http://xen.org/" target="_blank">xen</a> with <a href="http://wiki.xen.org/xenwiki/XenVGAPassthrough" target="_blank">vga passthrough</a>. Therefore i couldn't choose just anything because you need hardware support for vga passthrough and not every vendor does support it.<br /><a style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" href="http://3.bp.blogspot.com/-cmgcYM6Cib4/T65nkQcq5yI/AAAAAAAABGk/27BI-VjaKkk/s1600/IMG_20120416_202850.jpg"><img width="200" src="http://3.bp.blogspot.com/-cmgcYM6Cib4/T65nkQcq5yI/AAAAAAAABGk/27BI-VjaKkk/s200/IMG_20120416_202850.jpg" border="0" height="150" /></a><br />Anyway, last month i finally had everything i needed and thus bought my new system.<br /><br />A big change with the new system was to choose amd over intel. For years now i went with intel, but this time i decided to take amd. The main reason was because amd/ati started to release documentations about their graphic cards years ago. That's something i wanted to support.<br /><br />Well, this is now my new system:<br /><a style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" href="http://2.bp.blogspot.com/-rbynwV3RqWg/T65nbNKUWFI/AAAAAAAABGc/wnX3wehLidY/s1600/IMG_20120416_202759.jpg"><img width="200" src="http://2.bp.blogspot.com/-rbynwV3RqWg/T65nbNKUWFI/AAAAAAAABGc/wnX3wehLidY/s200/IMG_20120416_202759.jpg" border="0" height="150" /></a><br />AMD FX 8150 8-core processor 3,6Ghz<br />Gigabyte 990FXA-UD5<br />2x OCZ Vertex 3 120GB<br />Lian Li PC-6 Aluminium Case<br />NEC PA301W 30" Display<br />Scythe Grand Kama Gross CPU Cooler<br />Seasonic Xseries 760W Power Supply<br />PowerColor Radeon HD6850 (passiv)<br />XFX R7970 Radeon H7970 Black Edition<br />Corsair DDR3 1600MHZ 16GB DIMM<br /><br />The system runs on gentoo amd64 testing (of course). Since i have two gpu's and xen, there is a virtualized windows 7 64bit for gaming too.<br />The HD7970 is for windows, while the HD6850 is for gentoo. I also additionally pluged in 2x 22" Lenovo l220x running on the HD6850 on linux (from the old pc). Mouse, keyboard and the audio system is still from the old pc.<br /><br />This is my desktop right now:<br /><div style="clear: both; text-align: center;" class="separator"><a style="margin-left: 1em; margin-right: 1em;" href="http://2.bp.blogspot.com/-UPLdogl6lCI/T65i4DkFmXI/AAAAAAAABGQ/mDmCGQb0WJU/s1600/IMG_20120415_233650.jpg"><img width="320" src="http://2.bp.blogspot.com/-UPLdogl6lCI/T65i4DkFmXI/AAAAAAAABGQ/mDmCGQb0WJU/s320/IMG_20120415_233650.jpg" border="0" height="240" /></a></div><br />The motherboard supports iommu which is needed for vga passthrough in xen. Nonetheless i updated the bios to the latest version first. On the cpu it's called amd-vi (the cpu flag is called svm) which the amd 8-core also supports. <a href="http://www.blogger.com/"><span id="goog_145491425"></span>GPU support<span id="goog_145491426"></span></a> isn't a hardware feature and has been already implemented for almost every gpu so i didn't had to look for a particular one.<br /><a style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" href="http://2.bp.blogspot.com/-0bqoiSLzpAw/T65qotSMnPI/AAAAAAAABGw/0_-pfjc0oPQ/s1600/IMG_20120416_202816.jpg"><img width="150" src="http://2.bp.blogspot.com/-0bqoiSLzpAw/T65qotSMnPI/AAAAAAAABGw/0_-pfjc0oPQ/s200/IMG_20120416_202816.jpg" border="0" height="200" /></a><br />Setting up the system wasn't a big deal. Below are the most important changes while i set up the system.<br /><br />* i had to change the primary output in the bios so that the system would show the output on my hd6850.<br /><br />* i also had to enable iommu in the bios (for xen).<br /><br />* to get eyefinity working i had to download x11-drivers/radeon-ucode and enable the firmwire blobs in the kernel under Device Drivers --&gt; Generic Driver Optinos (<a href="http://wiki.gentoo.org/wiki/Radeon#Firmware" target="_blank">howto</a>)<br /><br />The harddrives running in both raid1 (for the boot partion) and raid0 (for the system/home). Since all the important files are on my server file inconsistency is not  that important. Windows is virtualized and thus just a file on the hard disk.<br /><br />So far the system is pretty stable. I have a few minor problems with xen but nothing serious. I'll gonna blog about my xen setup anyway.<br /><br /><div class="blogger-post-footer"><img width="1" alt="" src="https://blogger.googleusercontent.com/tracker/2324207642645389640-5666330379238331160?l=michaelmk.blogspot.com" height="1" /></div> Sun, 13 May 2012 15:02:26 +0000 noreply@blogger.com (Michael Mair-Keimberger) tag:blogger.com,1999:blog-2324207642645389640.post-5532766794362970846 http://michaelmk.blogspot.com/2012/05/ssh-with-different-private-keys.html <br /><div style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><a style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" href="http://t3.gstatic.com/images?q=tbn:ANd9GcR71K2YpycfuYTl3CNjnQDqu3WrgMSr6hOa5bCGt53gPN4mBsU_EO301FpoIA"><img src="http://t3.gstatic.com/images?q=tbn:ANd9GcR71K2YpycfuYTl3CNjnQDqu3WrgMSr6hOa5bCGt53gPN4mBsU_EO301FpoIA" style="padding-bottom: 8px; padding-right: 8px; padding-top: 8px;" height="195" width="200" border="0" id="il_fi" /></a><a href="http://www.openssh.org/" target="_blank">SSH</a> is probably one of the most used command line tools on linux. If you want to connect to another linux host it's the best way to go. It's also very secure and since security is really important nowadays many hosts on the Internet choose a public key authentication. This method is really smart because it only let people connect if they know their password AND their public key is in the "authorized_keys" file on the host.<br /><br />For some time now i started a <a href="https://github.com/sitaramc/gitolite" target="_blank">gitolite</a> services at home. It's just for my own usage and thus not available over the Internet. Every script which i write is stored on the gitolite server.<br />This is quite handy because i can easily switch back to an older version of a script in case i made a mistake. Besides that I'm also forced to learn git which i really want to learn. </div><br /><div>Gitolite also have a public key authentication (on top of ssh), but since the service just runs on the local network and i don't wanted to enter my password every time, I've created a second key without a password.</div><div><br /></div><div>Well now my problem was, ssh doesn't choose the right key for the git service so i searched the web for solution of my problem. A few hour later i found what i needed. It's easy. You just need a configuration file for ssh, which looks something like this:</div><div><br /></div><div><div><span style="font-family: 'Courier New', Courier, monospace;">Host tunafix</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">        Hostname tunafix</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">        User git</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">        IdentityFile ~/.ssh/gitolite_rsa</span></div><div><span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div><div><span style="font-family: 'Courier New', Courier, monospace;">Host tunafix</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">        Hostname tunafix</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">        User michael</span></div><div><span style="font-family: 'Courier New', Courier, monospace;">        IdentityFile ~/.ssh/id_dsa</span></div></div><div><span style="font-family: 'Courier New', Courier, monospace;"><br /></span></div><div><span style="font-family: inherit;">The configuration is stored in file ~/.ssh/config. As you can see, depending on the username ssh choose different identity files. </span></div><div class="blogger-post-footer"><img width="1" alt="" src="https://blogger.googleusercontent.com/tracker/2324207642645389640-5532766794362970846?l=michaelmk.blogspot.com" height="1" /></div> Mon, 07 May 2012 16:52:22 +0000 noreply@blogger.com (Michael Mair-Keimberger) http://www.void.gr/kargig/blog/?p=1354 http://feedproxy.google.com/~r/PlanetLarry/~3/gpHihNk-yT0/ <p>Alternate title: “Being a lamb around a pack of wolves” … A venue full of hackers that are eager to attack your systems…</p> <p>On 3-4/05/2012 the third <a href="http://athcon.org/">AthCon</a> conference was held in Athens. AthCon is an international security conference whose motto is “The First HIGHLY TECHNICAL Security Conference in Greece”. </p> <p>Even though I am not a security professional, my daily job title is “<a href="http://www.linkedin.com/in/kargig">Systems and Services Engineer</a>” which of course includes various aspects of security but I am certainly not a security researcher, I had decided months ago that I would be attending this year’s AthCon. Since I like messing a lot with IPv6 for the past 2-3 years, I decided that I could try and submit an introductory talk about IPv6 security issues. My talk was accepted, so I was not only attending AthCon this year but I was going to give a presentation as well.</p> <p><strong><a href="http://www.void.gr/kargig/blog/2012/05/03/athcon-2012-are-you-ready-for-ipv6-insecurities/">My presentation – Are you ready for IPv6 insecurities ?</a></strong> was during the first day of the conference. I am always worried when I give presentations on IPv6 that the people attending have probably no clue about this ‘not-so-new’ protocol. Most people think that IPv6 is like IPv4 with bigger addresses and ‘:’ instead of ‘.’ to separate the address groups, which is of course a HUGE mistake/misunderstanding. I was hopeful that this wouldn’t be the case in AthCon, so when I started my presentation and I asked the crowd ‘how many of you know what SLAAC is ?’ and I only saw 3-4 hands raised I kinda froze, I was expecting at least a double digit…I was going to give a presentation on IPv6 security concepts to people that have absolutely no idea what I’m talking about. Being prepared for the fact that some people would need some ‘refreshing’ on their IPv6 knowledge, I had prepared around 20 introductory slides explaining some IPv6 concepts before I entered the security details, but I doubt these were enough for most people there. I am hopeful though that some of the attendees might be motivated to read more about the protocol since I think my security slides contained enough details, references and links to get people started. If someone needs more details feel free to contact me.</p> <p>Enough with my presentation, <strong>what about other presentations ?</strong><br /> My personal view is that this year’s AthCon had some great talks, some that were ok and some that I didn’t like. I won’t mention which ones I didn’t like, but I noticed that a LOT of people were gossiping about these in the hallways. I will only mention here the ones that I really liked.</p> <p>Day 1:<br /> <strong>“Packing Heat!” by Dimitrios Glynos</strong><br /> A presentation that every pentester should download/watch somehow. Techniques about packing your executables to avoid detection by anti-virus programs, need I say more ? Great content and very well presented. Congrats <a href="https://twitter.com/#!/dfunc">Dimitris</a>!</p> <p><strong>“PostScript: Danger Ahead” by Andrei Costin</strong><br /> How to use PostScript programming language to take advantage of Printers, OS, etc. Very interesting concepts were presented and also the examples/demos shown were pretty cool and easy to understand.</p> <p>Day 2:<br /> <strong>“Apple vs. Google Client Platforms” by Felix ‘FX’ Lindner</strong><br /> I guess mostly everyone reading this blog knows FX and what a great speaker he is. If you don’t then start watching his previous presentations and start reading about his work. His presentation at AthCon, apart from being the best one in terms of “presenting it”, was also extremely interesting. He connected the security concepts behind Apple’s iOS and Google’s Chromebook with their business tactics and policies. Just wait for AthCon to publish the videos and watch it. Probably the best talk at AthCon 2012.</p> <p><strong>“Advances in BeEF: RESTful API, WebSockets, XssRays enhancements” by Michele Orru</strong><br /> Jaw-dropping. That’s all I have to say about <a href="http://beefproject.com/">BeEF</a>. Scary. Watch it to see what browsers and IDS have to face and defend against…not in the future but right now.</p> <p><strong>“Exploitation and state machines” by Halvar Flake</strong><br /> This presentation was about exploitation techniques and why automated exploitation engines don’t work that well. Even though reversing and exploitation is far from my interest topics I enjoyed the talk a lot. Very well structured and very clear points. Too bad this talk did not appear on the schedule and was there as “tbc”, I am sure many more people would come just to listen to this talk and speak to Halvar.</p> <p>If I were to suggest a couple of things for next year…<br /> a) Please put the CTF in separate slots within the day, not at the same time with the presentations. In a conference of 150-200 people (just guessing here) having 30+ people leaving the presentation room and just attending the CTF all day long leaves the main room a bit empty. I am pretty sure there were people that wanted to attend both the presentations and the CTF, unfortunately they had to make a choice.<br /> b) Send some details/info to the speakers about the conference a few days earlier. Maybe non-greek presenters were given but we weren’t, at least I wasn’t.<br /> c) The venue is really nice, but maybe it would help if the next AthCon was organized somewhere downtown. Yeah I can understand that the cost would be higher but number of people attending would also raise (I think).<br /> d) Give us even more highly technical presentations/speakers! People starve for these kind of talks!</p> <p>My congratulations fly to AthCon people for organizing the conference. See you next year!</p> <p>You can find some of the pics I took from the speakers at: <a href="https://picasaweb.google.com/107692279482600798910/AthCon2012">AthCon 2012 speaker pics</a> (if any of the speakers wants his pic removed please <a href="http://www.void.gr/kargig/blog/contact/">contact</a> me ASAP)</p> Sun, 06 May 2012 12:07:59 +0000 http://www.void.gr/kargig/blog/?p=1354 http://blog.siphos.be/?p=604 http://feedproxy.google.com/~r/PlanetLarry/~3/1z3LyqPCq1w/ <p> Just a very quick paragraph on a just-reported issue: if you upgrade your SELinux utilities to the latest version <em>and</em> you switch from <tt>/selinux</tt> to <tt>/sys/fs/selinux</tt> as the mountpoint for the SELinux file system, you might get into issues. Apparently, <strong>init</strong> (which is responsible for mounting the SELinux file system through a call to libselinux) is trying to mount it on – well yes – <tt>/sys/fs/selinux</tt> but at that time, <tt>/sys</tt> is not mounted yet. </p> <p> I haven’t been able to reproduce just yet, because I just recently had to move all my systems to use an initramfs (thank you you-need-an-initramfs-when-you-have-a-separate-usr-partition) which premounts /sys. But the current workaround should be to keep <tt>/selinux</tt> for now. The utilities support it still, and that gives me some time to look and investigate the issue.</p> Fri, 04 May 2012 20:26:42 +0000 http://blog.siphos.be/?p=604 http://briancarper.net/blog/591/happy-day-against-drm http://feedproxy.google.com/~r/PlanetLarry/~3/RtzIF8z1l9Y/happy-day-against-drm <img src="http://planet.larrythecow.org/images/brian_carper.gif" alt="" align="right" style="float: right;"><p>Books are <a href="http://oreil.ly/Against-DRM">50% off at O'Reilly</a> today, using code <code>DRMFREE</code>. (This includes my book, <a href="http://shop.oreilly.com/product/0636920013754.do?code=DRMFREE">Clojure Programming</a>, by the way...) I'm a bit late with this, given the offer expires in 9 hours, but there's still time.</p> <p>Whether you want to buy books today or not, it's worth pointing out that today is <a href="http://www.defectivebydesign.org/dayagainstdrm/">International Day Against DRM</a>!</p> <p><a href="http://www.defectivebydesign.org/dayagainstdrm/"><img src="http://briancarper.net/random/day-against-drm.png" alt="Day Against DRM" title="" /></a></p> <h1>Brand Loyalty. Step 1: Make good stuff.</h1> <p>My anti-DRM article is quickly going to turn into a pro-O'Reilly Media infomercial, so you've been warned.</p> <p>I am not the kind of person to feel any kind of brand loyalty. I'm the kind of person who deliberately buys a different brand of peanut butter every time I go to the grocery store, to try to screw with the store's customer-tracking database.</p> <p>O'Reilly is probably an exception. I like O'Reilly. Why is that?</p> <p>First, O'Reilly books tend to be pretty good. At least, I have yet to buy one that wasn't pretty good.</p> <p>Allow me to digress. My college's CS curriculum was based around C++. Now, I'm the kind of person who thinks that programming is vaguely enjoyable no matter what I'm doing. Computers are fun. But for a new programmer, coding in C++ is like an hours-long shouting match with the compiler where your goal is to try to get the compiler errors to shut up. Producing a working program is an occasional side-effect. C++ doesn't exactly promote explorative, imaginative programming.</p> <p>The first class I had in college where I actually <em>enjoyed</em> programming was a class that taught Perl. My textbook was <em>Learning Perl</em>, aka the Llama Book<sup id="fnref:nicknames"><a href="http://briancarper.net/feed/#fn:nicknames" rel="footnote">1</a></sup>. What a good book. I still have it. I remember feeling like I learned more reading that book that I had in two years of slogging through C++ data structures. And what fun Perl was. <em>&lt;insert analogy="analogy" and="and" between="between" here.="here." nerdy="nerdy" programming="programming" some="some" wizardry="wizardry"&gt;</em></p> <p>I remember immediately spending a bunch of money I should've saved for food, and getting <em>Programming Perl</em>, aka the Camel Book<sup id="fnref:nicknames"><a href="http://briancarper.net/feed/#fn:nicknames" rel="footnote">1</a></sup>. So good! Who knew a book could be witty and fun, and teach you things at the same time. You can tell when a book is written by someone who knows their stuff, and who enjoys talking about their craft.</p> <p>Not sure if it was Perl itself, or the great Perl books, or probably some combination. But I've been cemented in dynamic, vaguely-Perly, powerful and fun languages since then. First Ruby, then Clojure.</p> <p>I'm also likely to buy an O'Reilly book, given a choice between alternatives.</p> <h1>Step 2: Be Humans and give a crap.</h1> <p>A second thing that creates brand loyalty is when a company seems to be made of human beings that you can relate to.</p> <p>When I heard O'Reilly was writing a Lisp book, and what's more, it was a Clojure book, and what's more, I could be involved in writing it... I was pretty excited. </p> <p>Our book was written in ASCIIDOC, and lived in an SVN repo hosted at O'Reilly.<sup id="fnref:gitisbetter"><a href="http://briancarper.net/feed/#fn:gitisbetter" rel="footnote">2</a></sup> We could upload code with a certain string in the SVN commit log, and that'd trigger a rebuild of the ASCIIDOC on O'Reilly's server, which was compiled into PDF, and then we could download the PDF from SVN to see how the final product would look. Turnaround time was about 10 minutes. It was a nice, programmer-friendly setup, to be sure.</p> <p>Whenever I dealt with people at O'Reilly, I generally got the feeling that I was working with programmers, or people who cared about programming. There aren't a lot of Clojure gurus there, but there were people who knew why wrapping long lines of could needed to be handled <em>just right</em>.</p> <p>It's a great feeling to work with people whose goal is advancing the craft, as opposed to some kind of Death-Star-like entity whose goal is wringing extra pennies out of customers' bones.</p> <h1>DRM sucks</h1> <p>So does O'Reilly actually give a crap? Well, fiiiiiiiiinally getting to the point: O'Reilly's stance on DRM is pretty much spot-on. O'Reilly books are sold without DRM. DRM is not the way to make good stuff. DRM is a good sign that you don't give a crap. DRM doesn't advance the craft, but rather does the opposite.</p> <p>I leant a guy my copy of K%R a while back. Now there's one more person in the world with a bit more knowledge of C. This is a really good thing. If my copy of K&amp;R was a DRMed ebook that I couldn't lend out, the world would be a tangibly worse place.</p> <p>I highly recommend <a href="http://radar.oreilly.com/2012/05/drm-free-day-forever.html">this article</a> by Mike Hendrickson at O'Reilly where he talks about piracy, DRM, and making books. Also <a href="http://radar.oreilly.com/2006/08/piracy-is-progressive-taxation.html">this one</a> by Tim O'Reilly where he talks about the same.</p> <p>Now that my name is on a book, have my opinions about DRM changed? Not really. I'd obviously prefer that people pay for my book. I pay for books. It's only fair.</p> <p>At the same time, I would be really disappointed if my book was sold with DRM all over it, and I'm glad it isn't.</p> <p>Treating your customers like thieves <em>a priori</em> is not the way to build brand loyalty. Thinking that DRM is going to stop anyone from pirating a book is pretty much delusional. Using DRM to maintain some kind of iron-fisted control over stuff you're selling to other people is morally sketchy.</p> <p>DRM is not the way to advance the craft. Advancing the craft is the important thing.</p> <p>When you make smart decisions like not selling DRMed books, the result could be dorks like me spending an hour or two unprovoked, writing an article about how good your company is. And yeah, this is surely a bit self-serving because I want to sell my book, but I'd have written this same article two years ago too.</p><div class="footnotes"><ol><li id="fn:nicknames"><p>One way to tell a good book is if it's widely known by an affectionate nickname or acronym. K&amp;R? TAOCP? SICP? The Camel Book? You probably know what I mean right away. <a href="http://briancarper.net/feed/#fnref:nicknames" rev="footnote">↩</a></p></li><li id="fn:gitisbetter"><p>Obviously I'd have preferred Git, but I'll take what I can get. <a href="http://briancarper.net/feed/#fnref:gitisbetter" rev="footnote">↩</a></p></li></ol></div> Fri, 04 May 2012 20:23:52 +0000 http://briancarper.net/blog/591/happy-day-against-drm http://invalidmagic.wordpress.com/?p=1175 http://feedproxy.google.com/~r/PlanetLarry/~3/RNzDLPNUPkU/ <div style="width: 145px;" class="wp-caption alignright" id="attachment_725"><a href="http://invalidmagic.files.wordpress.com/2010/12/evopedia.png"><img src="http://invalidmagic.files.wordpress.com/2010/12/evopedia.png?w=135&amp;h=135" title="evopedia" height="135" width="135" alt="" class=" wp-image-725 " /></a><p class="wp-caption-text">Evopedia Icon</p></div> <p>for quite some time <strong>i use a wiki at lastlog.de</strong>, a mediawiki to be precise, and i wonder why there is no wide <strong>adaptation towards the wiki principle</strong>. with that i don’t mean collaborative editing but, somehow in contrast, the principle to be quotable.</p> <p>lately, out of curiosity, i scrolled through my diploma thesis and checked the overall link stability. some were broken. <strong>however, all wikipedia links worked</strong>. as stated in the document itself, i explicitly link to the wikipedia because of its link stability. if i would have liked i could have even linked to a certain revision. but i decided not to, as the reader always has the option to look at an older revision, based on date and time.</p> <p>the more interesting aspect, that is why i linked to wikipedia articles, is that i don’t want to waste time describing something when there is a different place doing so already. if someone is smart enough to follow my ideas in my diploma thesis i assume the same when it comes to judging about the quality of wikipedia articles. and before linking a keyword (like ‘package manager’) to a certain wikipedia article, which should describe it, i always read the article. the idea is twofold: first i like to see if my conception or understanding matches with what is in the article. second, if that is the case, i would simply link it and forget about the whole thing. but if my understanding does not match with the article i can evaluate my or their version as being better and pick what fits best.</p> <p>for some online articles i had to link, i wasn’t even able to provide a direct link and therefore added a google search link into the document.</p> <p><strong>wiki editing has so many benefits, like being able to rollback to a previous version. do collaborative work. why is there no wiki like support, say when editing libre office/word documents?</strong> maybe because back in time that was considered a waste of bits&amp;bytes but using compression that can’t be an argument today.</p> <p>here is a use-case where that would be great: say you write a document and you pass it to someone else for review and corrections. often i would like the other person doing whatever change he wants to do and later be able to rollback this or that change. with a wiki like document structure this would be very easy.</p> <p>if you don’t follow, just have a look at this link:</p> <p><a href="http://en.wikipedia.org/w/index.php?title=Linux&amp;diff=490431450&amp;oldid=489027763">http://en.wikipedia.org/w/index.php?title=Linux&amp;diff=490431450&amp;oldid=489027763</a></p> <p>and about <strong>link stability</strong>: <strong>this link might even work when this blog is long gone. </strong></p> <p>i see so many benefits by using wikis and wiki like concepts but despite of the wiki-web principle and decentralized VCSs there seems to be no wide use of it.</p> <p>IMHO i think <strong>a webpage</strong>, even this wordpress blog, <strong>which does not implement a wiki principle, is kind of stupid</strong> as one can never be certain what is going on. <strong>one could say such a page is schizophrenic to some degree</strong>.</p> <p>hopefully this will change in the future.</p> <p>update: 11.5.2012 – it would be desirable if the mentioned link stability would be independent of a strict TLD (top level domain). for example: if i move this blog to a different location, say to invalidmagic.de then all the articles here stop working and the links from other pages into this article will fail.</p> <br /> <a href="http://feeds.wordpress.com/1.0/gocomments/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/invalidmagic.wordpress.com/1175/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/invalidmagic.wordpress.com/1175/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=invalidmagic.wordpress.com&amp;blog=7740335&amp;post=1175&amp;subd=invalidmagic&amp;ref=&amp;feed=1" border="0" height="1" /> Fri, 04 May 2012 19:32:19 +0000 http://invalidmagic.wordpress.com/?p=1175 http://www.void.gr/kargig/blog/?p=1350 http://feedproxy.google.com/~r/PlanetLarry/~3/1AAlx4nv9fY/ <p>My presentation for AthCon 2012 is now available online: <a href="http://void.gr/kargig/presentations/athcon_2012_kargig.pdf" title="Are you ready for IPv6 insecurities ?">Are you ready for IPv6 insecurities ?</a></p> Thu, 03 May 2012 20:41:17 +0000 http://www.void.gr/kargig/blog/?p=1350 tag:blogger.com,1999:blog-2324207642645389640.post-8092156521614772243 http://michaelmk.blogspot.com/2012/05/notify-script-for-cmus.html Recently i bought a new PC and therefore i wanted to switch to a new audio player. Usually i use <a href="http://amarok.kde.org/" target="_blank">amarok</a> which is still one of the best audio player out there. But it has a big disadvantage - it uses <a href="http://www.mysql.com/" target="_blank">mysql</a> for its database, and i simple don't wanted mysql.<br />Though, to choose mysql for the database backend is still a good decision - if you have a really big collection.<br />And that's amarok's audience - users with a huge audio collection.<br />Well, actually i have a huge audio collection too, but since i actually just play around ~40 tracks all the time besides mostly listening to streams, i really don't wanted a audio player which depends on mysql.<br />While lo<span style="font-family: inherit;">oking for a new player i found <a href="http://cmus.sourceforge.net/" target="_blank">cmus</a>. A very simple console player. It's perfect. It has all the things which i need (playlists, mp3/flac support, stream support) and also has a really tiny memory footprint.</span><br /><span style="font-family: inherit;">To make the player really <span style="background-color: white; white-space: nowrap;">comfortably</span> in kde i wrote a small script which shows me some basic information about the actual track which i'm listening too.</span><br /><br />And that's the script:<br /><pre style="background-color: white; color: #1f1c1b;"><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><i><span style="color: #898887;">#!/bin/bash</span></i><br /><span style="color: #006e28;">KDIALOG=</span><span style="color: #bf0303;">"/usr/bin/kdialog"</span><br /><span style="color: #006e28;">GREP=</span><span style="color: #bf0303;">"/bin/grep"</span><br /><span style="color: #006e28;">AWK=</span><span style="color: #bf0303;">"/bin/awk"</span><br /><span style="color: #006e28;">CMUSREMOTE=</span><span style="color: #bf0303;">"/usr/bin/cmus-remote"</span><br /><br /><b><span style="color: #880088;">declare</span></b> -i <span style="color: #006e28;">duration=$($CMUSREMOTE</span> -Q<b>|</b><span style="color: #006e28;">$GREP</span> <span style="color: #bf0303;">"duration"</span><b>|</b><span style="color: #006e28;">$AWK</span> <span style="color: #bf0303;">'{ print $2 }'</span><span style="color: #006e28;">)</span><br /><b><span style="color: #880088;">declare</span></b> -i <span style="color: #006e28;">position=$($CMUSREMOTE</span> -Q<b>|</b><span style="color: #006e28;">$GREP</span> <span style="color: #bf0303;">"position"</span><b>|</b><span style="color: #006e28;">$AWK</span> <span style="color: #bf0303;">'{ print $2 }'</span><span style="color: #006e28;">)</span><br /><span style="color: #006e28;">percent=</span>$[100*position/duration]<br /><br /><span style="color: #006e28;">artist=$($CMUSREMOTE</span> -Q<b>|</b><span style="color: #006e28;">$GREP</span> <span style="color: #bf0303;">"tag artist"</span><span style="color: #006e28;">)</span> <i><span style="color: #898887;"># ${artist:10}</span></i><br /><span style="color: #006e28;">title=$($CMUSREMOTE</span> -Q<b>|</b><span style="color: #006e28;">$GREP</span> <span style="color: #bf0303;">"tag title"</span><span style="color: #006e28;">)</span> <i><span style="color: #898887;"># ${title:9}</span></i><br /><br /><span style="color: #006e28;">$KDIALOG</span> --title <span style="color: #bf0303;">"CMUS is playing... (</span><span style="color: #006e28;">$percent</span><span style="color: #bf0303;">%)"</span> --passivepopup <span style="color: #bf0303;">"</span><span style="color: #006e28;">${artist:10}</span><span style="color: #bf0303;"> - </span><span style="color: #006e28;">${title:9}</span><span style="color: #bf0303;">"</span> 3</span></pre><pre style="background-color: white; color: #1f1c1b;"></pre><pre style="background-color: white; color: #1f1c1b;"></pre><pre style="background-color: white; color: #1f1c1b;"></pre><span style="font-family: inherit;">It looks like this:</span><br /><div style="clear: both; text-align: center;" class="separator"><a style="margin-left: 1em; margin-right: 1em;" href="http://4.bp.blogspot.com/-JINeNkvz4H4/T5wf1-nD6GI/AAAAAAAABBI/YRGUUPp2_cI/s1600/snapshot2.png"><img width="320" src="http://4.bp.blogspot.com/-JINeNkvz4H4/T5wf1-nD6GI/AAAAAAAABBI/YRGUUPp2_cI/s320/snapshot2.png" border="0" height="132" /></a></div><span style="font-family: inherit;"><br /></span><br /><span style="font-family: inherit;">To make it even more comfortably i put some code into my .bashrc and initab.</span><br /><span style="font-family: inherit;">.bashrc:</span><br /><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><b>if</b> !<b><span style="color: #880088;"> [</span></b> <span style="color: #bf0303;">"</span><span style="color: #006e28;">$(</span><b><span style="color: #cc00cc;">pidof</span></b> cmus<span style="color: #006e28;">)</span><span style="color: #bf0303;">"</span><b><span style="color: #880088;"> ]</span></b>;</span><br /><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><b>  then</b> /usr/bin/cmus</span><br /><b><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">fi</span></b><br /><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span><br />inittab:<br /><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;">c8:2345:respawn:/sbin/agetty -a michael 38400 tty8 linux</span><br /><span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"><br /></span><br /><span style="font-family: inherit;">With that settings, cmus always get started on tty8. And with the alias </span>p="cmus-remote -u" i just have to press "p" after login to play music (just a note: i don't use a login-manager, thats why i always login at the console and start kde/X with startx).<br /><br /><br /><div><br /></div><div class="blogger-post-footer"><img width="1" alt="" src="https://blogger.googleusercontent.com/tracker/2324207642645389640-8092156521614772243?l=michaelmk.blogspot.com" height="1" /></div> Wed, 02 May 2012 19:59:05 +0000 noreply@blogger.com (Michael Mair-Keimberger) http://briancarper.net/blog/590/cursorcolumn--cursorline-slowdown http://feedproxy.google.com/~r/PlanetLarry/~3/PhbOqX5wOlc/cursorcolumn--cursorline-slowdown <img src="http://planet.larrythecow.org/images/brian_carper.gif" alt="" align="right" style="float: right;"><p>The <code>cursorcol</code> and <code>cursorline</code> options in Vim are great. Enabling them, and setting up your syntax highlighting correctly, will highlight the line and column that contains the cursor, drawing a sort of "crosshairs", to let you find the cursor easily.</p> <p>This is especially useful when editing non-sourcecode files, like giant fixed-with data files. Or when you need to keep switching your attention back and forth from Vim to something else; the visual cue to draw your eyes back to the cursor can be useful to prevent a mental page fault.</p> <p><img src="http://briancarper.net/vim/cursor-crosshairs.png" alt="Cursor crosshairs" title="" /></p> <p>Great. However, the help info for <code>cursorcolumn</code> says this, in part:</p> <pre><code> Highlight the screen column of the cursor with CursorColumn |hl-CursorColumn|. Useful to align text. Will make screen redrawing slower. </code></pre> <p>"Will make screen redrawing slower" is an understatement, unfortunately. Over the past who-knows-how-long, I've noticed Vim slowing to a crawl when editing certain files, mostly big Ruby files. Moving the cursor around or scrolling the window became pretty painful. I could never quite figure out why, but today I got sick of it, and eventually found <a href="http://vim.1045645.n5.nabble.com/Vim-7-slows-down-when-highlighting-cursor-line-td1148280.html">an old message on the Vim mailing list</a> explaining the problem. </p> <p>Apparently when you have <code>cursorcolumn</code> or <code>cursorline</code> enabled, the whole screen is redrawn every time you move the cursor. That explains a lot. When I disabled these options, editing complex Ruby files once again achieved notepad.exe-level speed.</p> <p>I guess there's this:</p> <pre><code>function! CursorPing() set cursorline cursorcolumn redraw sleep 50m set nocursorline nocursorcolumn endfunction nmap &lt;C-Space&gt; :call CursorPing()&lt;CR&gt; </code></pre> <p>This will flash the cursor crosshairs for 50 milliseconds when I hit <code>CTRL+Space</code> in normal mode. Better than nothing.</p> Mon, 30 Apr 2012 22:48:25 +0000 http://briancarper.net/blog/590/cursorcolumn--cursorline-slowdown http://blog.siphos.be/?p=598 http://feedproxy.google.com/~r/PlanetLarry/~3/JC0ZNR0RWbU/ <p> Today I’ve stabilized the <tt>sec-policy/selinux-*</tt> packages that provide the 20120215 “series” of SELinux policies. Together with the stabilization, the more recent userspace tools (like the policycoreutils as well as libraries like libsemanage and libselinux) have been pushed out as well. I will be dropping the older policies and userspace tools soon (as they are now deprecated). The documentation has been updated to reflect this too. </p> <ul>Some of the enhancements include<p></p> <li>support for permissive domains (allowing users to mark one specific SELinux domain, such as mplayer_t, as permissive (even though the rest of the system is running in enforcing mode)</li> <li>support for file context translations, so we can now say “/usr/lib64 (and below) should have the same contexts as /usr/lib”</li> <li>support for role attributes, which means for policy developers, we now have similar freedom as with type attributes</li> <li>support for named file transitions, so a policy rule can say that domain A, if creating a file in a directory labeled B, then that specific file should have label C. Same for directories, btw.</li> </ul> <p> Although some of these enhancements were available as features individually, the policies we had were not aligned with it – and now, that has changed ;-)</p> Sun, 29 Apr 2012 14:43:39 +0000 http://blog.siphos.be/?p=598 http://invalidmagic.wordpress.com/?p=1124 http://feedproxy.google.com/~r/PlanetLarry/~3/V9e8y84S4NI/ <h1><a href="http://invalidmagic.files.wordpress.com/2010/12/nixos-lores.png"><img src="http://invalidmagic.files.wordpress.com/2010/12/nixos-lores.png?w=150&amp;h=46" title="nixos-lores" height="46" width="150" alt="" class="alignright size-thumbnail wp-image-704" /></a>what is this?</h1> <p>i recently <strong>upgraded my hetzner root server</strong> and therefore had a system with <strong>2x3tb disks</strong>. <strong>as fdisk can’t be used to partition disks &gt; 2tb i had to use gpt instead</strong> which was quite tricky until it was working. so here is my installation guide. parts of it applies also to other distributions.</p> <p>this guide uses concepts from the <strong>hetzner wiki OpenBSD installation guide</strong> [1].</p> <p><strong>note:</strong></p> <ul> <li><strong>gpt is used</strong> for both disks</li> <li>there is <strong>no extra /boot</strong> partition (the system will <strong>directly boot from the lvm which is on top of the mdadm</strong>); this works since grub2</li> <li>this setup is <strong>pretty similar to using fdisk (MBR) partitions</strong></li> <li>this <strong>guide still uses BIOS to boot</strong> (no EFI/UEFI)</li> <li><strong>/dev/sda1 </strong>and<strong> /dev/sdb1 </strong>are<strong> very small partitions (2Mib); </strong>they are used to <strong>store the grub2 boot stages</strong>, see [5]</li> </ul> <h2>disk layout</h2> <p><a href="http://invalidmagic.files.wordpress.com/2012/04/nix9000-disklayout2.jpg"><img src="http://invalidmagic.files.wordpress.com/2012/04/nix9000-disklayout2.jpg?w=323&amp;h=491" title="nix9000-disklayout" height="491" width="323" alt="" class="alignnone wp-image-1172" /></a></p> <p> </p> <h2>the installation</h2> <h3>first remove old partitions/mdadm setups</h3> <h3>uninstall:</h3> <p></p><pre class="brush: bash;">lvremove /dev/myvolgrp/home lvremove /dev/myvolgrp/system lvremove /dev/myvolgrp/swap vgremove myvolgrp pvremote /dev/md0 mdadm --stop /dev/md0 # to remove the md0 permanently mdadm --zero-superblock /dev/sda1 mdadm --zero-superblock /dev/sdb1 </pre><p></p> <h3>creating the partitions</h3> <p></p><pre class="brush: bash;">parted /dev/sda mklabel gpt mkpart non-fs 0 2 mkpart primary 2 3001G p Number Start End Size File system Name Flags 1 17.4kB 2000kB 1983kB non-fs 2 2097kB 3001GB 3001GB primary set 1 bios_grub on p Number Start End Size File system Name Flags 1 17.4kB 2000kB 1983kB non-fs bios_grub 2 2097kB 3001GB 3001GB primary </pre><p></p> <h3>creating the new mdadm softraid device</h3> <p></p><pre class="brush: bash;">mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2 mdadm: Note: this array has metadata at the start and may not be suitable as a boot device. If you plan to store '/boot' on this device please ensure that your boot-loader understands md/v1.x metadata, or use --metadata=0.90 Continue creating array? y mdadm: Defaulting to version 1.2 metadata mdadm: array /dev/md0 started. </pre><p></p> <h3>LVM+filesystems</h3> <p></p><pre class="brush: bash;">pvcreate /dev/md0 Physical volume "/dev/md0" successfully created vgcreate myVolGrp /dev/md0 Volume group "myVolGrp" successfully created lvcreate -n system -L50G myVolGrp lvcreate -n swap -L8G myVolGrp mkfs.ext4 -O dir_index -j -L system /dev/myVolGrp/system mkswap -L swap /dev/myVolGrp/swap </pre><p></p> <p><strong>note: </strong>the disk layout diagram mentiones a tmp partition which<strong> happended to be added later <img src="http://s1.wp.com/wp-includes/images/smilies/icon_wink.gif" alt=";-)" class="wp-smiley" /> </strong></p> <h3>using a virtual machine + vnc to boot the iso image</h3> <p>preparing the host system:</p> <p></p><pre class="brush: bash;">iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 &gt; /proc/sys/net/ipv4/ip_forward </pre><p></p> <h3>on the hostsystem</h3> <p></p><pre class="brush: bash;">#download latest console only 64bit nixos installer nixos-minimal-0.1pre33860-33874-x86_64-linux.iso </pre><p></p> <p>make sure /dev/myVolGrp/system and /dev/myVolGrp/swap are not in use:</p> <p></p><pre class="brush: bash;">apt-get install sudo qemu-system-x86_64 -enable-kvm -m 1024 -hda /dev/md0 -net nic -net tap -cdrom nixos-minimal-0.1pre33860-33874-x86_64-linux.iso -boot d -vnc localhost:0 </pre><p></p> <p><strong>note:</strong> in contrast to original article [1] i use ‘-enable-kvm’ which speeds things up!</p> <h3>from your homecomputer</h3> <p>execute this two commands (in two different shells):</p> <p></p><pre class="brush: bash;">ssh -L 5900:localhost:5900 root@176.9.99.117 vncviewer localhost </pre><p></p> <h3>inside the qemu/kvm system via vncviewer</h3> <p>how we have to prepare install the system on the devices we had preparted in the steps before:</p> <p></p><pre class="brush: bash;">inside do: login as root mount -L system /mnt cd /mnt nixos-option --install vi /etc/nixos/configuration.nix stop dhcpcd ip a add 172.2.0.2/16 dev eth0 ip r add via 172.2.0.1 echo "nameserver 8.8.8.8" &gt; /etc/resolv.conf # use ping www.google.de to verfy that the routing is working # example url, configuration.nix is appended to this article curl http://lastlog.de/configuration.nix mv configuration.nix /mnt/etc/nixos/configuration.nix # now the installation, make sure you read the nixos installation guide as well, but in short: nixos-install # only the grub2 installation should have failed (as there is no /dev/sda1 in the virtual machine!) #finally we halt the system halt </pre><p></p> <p>im hostsystem we need to install grub2:</p> <p></p><pre class="brush: bash;">apt-get install grub2 grub-install --no-floppy --root-directory=/mnt --recheck /dev/sda Installation finished. No error reported. grub-install --no-floppy --root-directory=/mnt --recheck /dev/sdb Installation finished. No error reported. # now we add a ssh key so we can login into this system later on cd /mnt mkdir root cd root mkdir .ssh chown 0700 .ssh/ cd .ssh echo "ssh-rsa AAAAB3Nz.....aU79sGVhyOPRz joachim@ebooK" &gt; authorized_keys </pre><p></p> <p>from your homecomputer login into the installed system (reboot the host) and then issue this command:</p> <p></p><pre class="brush: bash;">ssh root@176.9.99.117 -i ~/.ssh/myprivatekey </pre><p></p> <p>after the first login, nixos-rebuild switch might fail with this error message:</p> <p></p><pre class="brush: bash;">nixos-rebuild switch --fast building the system configuration... updating GRUB 2 menu... installing the GRUB bootloader on /dev/sda... /nix/store/iaypdz5mm1qk8izs9412cb28v9vwwcn4-grub-1.99/sbin/grub-probe: error: no such disk. Auto-detection of a filesystem of /dev/mapper/myVolGrp-system failed. Try with --recheck. If the problem persists please report this together with the output of "/nix/store/iaypdz5mm1qk8izs9412cb28v9vwwcn4-grub-1.99/sbin/grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub" to grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub grub-probe: info: Cannot stat `/dev/disk/by-id/scsi-35000c5003f556643', skipping. grub-probe: info: Cannot stat `/dev/disk/by-id/scsi-35000c5003f5363a6', skipping. grub-probe: info: changing current directory to /dev. grub-probe: info: changing current directory to pts. grub-probe: info: changing current directory to shm. grub-probe: info: changing current directory to myVolGrp. grub-probe: info: changing current directory to md. grub-probe: info: changing current directory to disk. grub-probe: info: changing current directory to by-label. grub-probe: info: changing current directory to by-uuid. grub-probe: info: changing current directory to by-partlabel. grub-probe: info: changing current directory to by-partuuid. grub-probe: info: changing current directory to by-path. grub-probe: info: changing current directory to by-id. grub-probe: info: changing current directory to snd. grub-probe: info: changing current directory to mapper. grub-probe: info: opening myVolGrp-system. grub-probe: error: no such disk. </pre><p></p> <p>so what is inside this device.map anyway?</p> <p></p><pre class="brush: bash;">cd /boot/grub cat device.map (hd0) /dev/disk/by-id/scsi-35000c5003f556643 (hd1) /dev/disk/by-id/scsi-35000c5003f5363a6 </pre><p></p> <p><strong>Jordan_U#grub@irc.freenode.net</strong> <strong>recommended</strong> to <strong>remove the device.map.</strong> that made it work:</p> <p></p><pre class="brush: bash;">rm /boot/grub/device.map </pre><p></p> <h2>summary</h2> <p>took quite some time to figure all this out so i guess someone else might have interested in this guide as well. i also tried to install, using EFI, but soon discovered that this might be a very complicated road to go and therefore skipped that.<br /> it is cool to see that there is a <strong>very helpful community surrounding key projects</strong> required to get this installation done. i would have had to spend much more time if i wouldn’t have had someone to ask from time to time.</p> <h2>links</h2> <p>[1] <a href="http://wiki.hetzner.de/index.php/OpenBSD">http://wiki.hetzner.de/index.php/OpenBSD</a><br /> [2] <a href="https://wiki.archlinux.de/title/Gpt">https://wiki.archlinux.de/title/Gpt</a><br /> [3] <a href="https://wiki.archlinux.org/index.php/GRUB2#GPT_specific_instructions">https://wiki.archlinux.org/index.php/GRUB2#GPT_specific_instructions</a><br /> [4] <a href="http://www.wensley.org.uk/gpt">http://www.wensley.org.uk/gpt</a><br /> [5] <a href="http://en.wikipedia.org/wiki/GNU_GRUB#GRUB_version_2">http://en.wikipedia.org/wiki/GNU_GRUB#GRUB_version_2</a></p> <h2>configuration.nix</h2> <p></p><pre class="brush: bash;"># Edit this configuration file which defines what would be installed on the # system. To Help while choosing option value, you can watch at the manual # page of configuration.nix or at the last chapter of the manual available # on the virtual console 8 (Alt+F8). {config, pkgs, ...}: { require = [ # Include the configuration for part of your system which have been # detected automatically. ./hardware-configuration.nix ]; boot.initrd.kernelModules = [ # Specify all kernel modules that are necessary for mounting the root # file system. # # "ext4" "ata_piix" "af_packet" "snd_pcm_oss" "snd_mixer_oss" "rtc_cmos" "rtc_core" "rtc_lib" "snd_hda_codec_via" "i915" "joydev" "drm_kms_helper" "snd_hda_intel" "rng_core" "drm" "snd_hda_codec" "thermal" "i2c_algo_bit" "button" "snd_hwdep" "intel_agp" "psmouse" "i2c_i801" "evdev" "snd_pcm" "video" "agpgart" "pcspkr" "serio_raw" "iTCO_wdt" "i2c_core" "snd_timer" "output" "e1000e" "snd" "soundcore" "snd_page_alloc" "sg" "loop" "ipv6" "kvm" "freq_table" "processor" "thermal_sys" "hwmon" "ext4" "mbcache" "jbd2" "crc16" "raid456" "async_pq" "async_xor" "xor" "async_memcpy" "async_raid6_recov" "raid6_pq" "async_tx" "md_mod" "sd_mod" "crc_t10dif" "sata_sil" "ata_piix" "dm_mod" "usb_storage" "usb_libusual" "usbhid" "hid" "ohci1394" "ieee1394" "ahci" "libata" "scsi_mod" "ehci_hcd" "uhci_hcd" "usbcore" "nls_base" "scsi_wait_scan" "unix" ]; boot.loader.grub = { # Use grub 2 as boot loader. enable = true; version = 2; # Define on which hard drive you want to install Grub. devices = [ "/dev/sda" "/dev/sdb" ]; }; boot.extraKernelParams = [ "vga=normal" "nomodeset" ]; networking = { hostName = "nix9000"; # Define your hostname. # wireless.enable = true; # Enables Wireless. }; # Add file system entries for each partition that you want to see mounted # at boot time. You can add filesystems which are not mounted at boot by # adding the noauto option. fileSystems = [ # Mount the root file system # { mountPoint = "/"; #device = "/dev/sda2"; label = "system"; } #{ mountPoint = "/boot"; # label = "boot"; #} # Copy &amp; Paste &amp; Uncomment &amp; Modify to add any other file system. # # { mountPoint = "/data"; # where you want to mount the device # device = "/dev/sdb"; # the device or the label of the device # # label = "data"; # fsType = "ext3"; # the type of the partition. # options = "data=journal"; # } ]; swapDevices = [ # List swap partitions that are mounted at boot time. # { label = "swap"; } ]; # Select internationalisation properties. # i18n = { # consoleFont = "lat9w-16"; # consoleKeyMap = "us"; # defaultLocale = "en_US.UTF-8"; # }; # List services that you want to enable: # Add an OpenSSH daemon. services.openssh.enable = true; # Add CUPS to print documents. # services.printing.enable = true; # Add XServer (default if you have used a graphical iso) # services.xserver = { # enable = true; # layout = "us"; # xkbOptions = "eurosign:e"; # }; environment.systemPackages = with pkgs; [ zsh wget wgetpaste vimprobable2 ]; # Add the NixOS Manual on virtual console 8 #services.nixosManual.showManual = true; } </pre><p></p> <br /> <a href="http://feeds.wordpress.com/1.0/gocomments/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/invalidmagic.wordpress.com/1124/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/invalidmagic.wordpress.com/1124/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=invalidmagic.wordpress.com&amp;blog=7740335&amp;post=1124&amp;subd=invalidmagic&amp;ref=&amp;feed=1" border="0" height="1" /> Sat, 28 Apr 2012 11:09:08 +0000 http://invalidmagic.wordpress.com/?p=1124 http://blog.mindlesstechie.net/?p=211 http://feedproxy.google.com/~r/PlanetLarry/~3/sPTBBa0Qhhg/ <img src="http://planet.larrythecow.org/images/john.alberts.png" alt="" align="right" style="float: right;"><p>I wrote a <a href="https://github.com/albertsj1/ohai-plugins" target="_blank">new KVM plugin for Ohai</a> which gives a ton of important information about KVM guests, which is stored in the node attributes for the host.  This makes it easy to find out which guests are currently on a host and other information about the guest, such as: cpu allocation, memory usage, persistence, autostart, etc.</p> <p>One of the things you can do once you have this plugin installed and running on the host is have the guest perform a search to find it’s host and then save that information somewhere on the guest.  This is very convenient if you’re on a kvm guest and you want to know right away what it’s host is.</p> <p>In you Chef code, just use something like this to find the current guest’s host:</p> <div class="wp_codebox_msgheader"><span class="right">^{<a href="http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples" target="_blank" title="WP-CodeBox HowTo?"><span style="color: #99cc00;">?</span></a>}</span><span class="left"><a>View Code</a> RUBY</span><div class="codebox_clear"></div></div><div class="wp_codebox"><table><tbody><tr id="p2113"><td class="code" id="p211code3"><pre style="font-family: monospace;" class="ruby">parent_host = search<span style="color: #006600; font-weight: bold;">(</span><span style="color: #ff3333; font-weight: bold;">:node</span>, <span style="color: #996600;">"virtualization_kvm_guests:#{node[:hostname]}"</span><span style="color: #006600; font-weight: bold;">)</span>.<span style="color: #9900CC;">first</span></pre></td></tr></tbody></table></div> <p>This plugin uses the same naming scheme for listing guests as my Linux VServer Ohai plugin, so it’s easy to search for the host of a guest, regardless of virtualization type. I often find myself using knife to search for the host of a guest using this:</p> <div class="wp_codebox_msgheader"><span class="right">^{<a href="http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples" target="_blank" title="WP-CodeBox HowTo?"><span style="color: #99cc00;">?</span></a>}</span><span class="left"><a>View Code</a> RUBY</span><div class="codebox_clear"></div></div><div class="wp_codebox"><table><tbody><tr id="p2114"><td class="code" id="p211code4"><pre style="font-family: monospace;" class="ruby">knife search node <span style="color: #996600;">"virtualization_*_guests:&lt;myguestname&gt;"</span></pre></td></tr></tbody></table></div> <p>I think of this as a poor man’s KVM management system. <img src="http://blog.mindlesstechie.net/wp-includes/images/smilies/icon_wink.gif" alt=";)" class="wp-smiley" /> </p> <div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/MindlessTechie?a=_AIxdH8fIY8:sPTBBa0Qhhg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/MindlessTechie?d=yIl2AUoC8zA" border="0" /></a> <a href="http://feeds.feedburner.com/~ff/MindlessTechie?a=_AIxdH8fIY8:sPTBBa0Qhhg:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/MindlessTechie?i=_AIxdH8fIY8:sPTBBa0Qhhg:V_sGLiPBpWU" border="0" /></a> <a href="http://feeds.feedburner.com/~ff/MindlessTechie?a=_AIxdH8fIY8:sPTBBa0Qhhg:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/MindlessTechie?d=dnMXMwOfBR0" border="0" /></a> <a href="http://feeds.feedburner.com/~ff/MindlessTechie?a=_AIxdH8fIY8:sPTBBa0Qhhg:D7DqB2pKExk"><img src="http://feeds.feedburner.com/~ff/MindlessTechie?i=_AIxdH8fIY8:sPTBBa0Qhhg:D7DqB2pKExk" border="0" /></a> <a href="http://feeds.feedburner.com/~ff/MindlessTechie?a=_AIxdH8fIY8:sPTBBa0Qhhg:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/MindlessTechie?i=_AIxdH8fIY8:sPTBBa0Qhhg:F7zBnMyn0Lo" border="0" /></a> </div><img width="1" src="http://feeds.feedburner.com/~r/MindlessTechie/~4/_AIxdH8fIY8" height="1" /> Fri, 27 Apr 2012 14:23:49 +0000 http://blog.mindlesstechie.net/?p=211 http://invalidmagic.wordpress.com/?p=1136 http://feedproxy.google.com/~r/PlanetLarry/~3/X89dyL451Ng/ <p><a href="http://invalidmagic.files.wordpress.com/2012/02/purple_podcasts.png"><img src="http://invalidmagic.files.wordpress.com/2012/02/purple_podcasts.png?w=90&amp;h=90" title="purple_podcasts from harenome razanajato" height="90" width="90" alt="" class=" wp-image-1068 alignright" /></a></p> <p>i just finished listening to “<strong>Episode 176: Quantum Computing</strong>” [1] and this is really a great podcast. like the whole SE-Radio btw!</p> <p>this podcast really inspired me and on the way back from work, i was thinking about the possibility to exploit software using quantum computing.</p> <p><strong>quantum cracking</strong> that is. it would work like this: <strong>assume you have a program or function which gets input. the ultimate goal is to find some input which will crash the program.</strong> using a quantum computer this is probably not that hard to compute.<br /> i could imagine that <strong>quantum computing could also be used for software verification,</strong> which is actually quite the opposite of what quantum cracking would be.</p> <p><strong>so when quantum computers arrive we do not only lose AES/RSA but our computers will be open to everyone with such a system. hopefully such systems spread soon, which might compensate the negative effect, maybe with quantum cryptography.</strong></p> <p>but as martin laforest says: <strong>at the end of the day</strong> i still don’t know when this technique will arrive. but when it arrives it will turn security upside down.</p> <p>the most promising aspect of quantum computing, which is mentioned in the podcast, is that <strong>it will enable detailed quantum research</strong> which i consider a very cool thing as it will help to understand what goes down there.</p> <h2>links</h2> <p><a href="http://www.se-radio.net/2011/06/episode-176-quantum-computing-with-martin-laforest/">http://www.se-radio.net/2011/06/episode-176-quantum-computing-with-martin-laforest/</a></p> <br /> <a href="http://feeds.wordpress.com/1.0/gocomments/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/invalidmagic.wordpress.com/1136/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/invalidmagic.wordpress.com/1136/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=invalidmagic.wordpress.com&amp;blog=7740335&amp;post=1136&amp;subd=invalidmagic&amp;ref=&amp;feed=1" border="0" height="1" /> Thu, 26 Apr 2012 21:38:54 +0000 http://invalidmagic.wordpress.com/?p=1136 http://ciaranm.wordpress.com/?p=1162 http://feedproxy.google.com/~r/PlanetLarry/~3/DeUr7EwuKDQ/ <img src="http://planet.larrythecow.org/images/ciaranm.png" alt="" align="right" style="float: right;"><p><a href="http://paludis.exherbo.org/">Paludis</a> 0.74.1 has been released:</p> <ul> <li>Compilation fix for certain compilers.</li> <li>Fixed a segfault when encountering blockers inside || ( ) dependencies.</li> </ul> <br />Filed under: <a href="http://ciaranm.wordpress.com/category/paludis/paludis-releases/">paludis releases</a> Tagged: <a href="http://ciaranm.wordpress.com/tag/paludis/">paludis</a> <a href="http://feeds.wordpress.com/1.0/gocomments/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/ciaranm.wordpress.com/1162/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/ciaranm.wordpress.com/1162/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=ciaranm.wordpress.com&amp;blog=3715284&amp;post=1162&amp;subd=ciaranm&amp;ref=&amp;feed=1" border="0" height="1" /> Wed, 25 Apr 2012 19:42:31 +0000 http://ciaranm.wordpress.com/?p=1162 http://briancarper.net/blog/589/split-page-vertically-in-css-minus-pixels http://feedproxy.google.com/~r/PlanetLarry/~3/duxS84NGp8c/split-page-vertically-in-css-minus-pixels <img src="http://planet.larrythecow.org/images/brian_carper.gif" alt="" align="right" style="float: right;"><p>I was designing an online database application recently. The layout I wanted was, I thought, fairly simple:</p> <ul> <li>N pixel header at the top</li> <li>The rest of the page split vertically into two panes</li> <li>Each pane should scroll independently</li> </ul> <p>Super easy to do in CSS, right? Of course not! You can't do this:</p> <pre><code class="brush: css">#header { height: 50px; } #panels { height: 100% - 50px; } #top, #bottom { overflow: auto; } </code></pre> <p>This is because (of course) you can't do simple arithmetic in CSS. </p> <p>I can't think of a reason why it's not supported. My browser knows the height of the window at any given point in time. The browser can surely subtract two numbers. If someone knows of a solid reason why we can't do this in CSS, please clue me in.</p> <p>I can think of many reasons why I would want to do it though. The above use case is just one of them.</p> <p>I really dislike resorting to this (which does work, as seen <a href="http://briancarper.net/random/layout-good.html">here</a>):</p> <pre><code class="brush: css">#header { height: 50px; } #panels { position: absolute; top: 50px; left: 0px; right: 0px; bottom: 0px; } #top, #bottom { overflow: auto; } </code></pre> <p>Whenever I start using absolute positioning, I know something went off the rails somewhere.</p> <p>The worst part isn't that CSS doesn't support this, it's that even if CSS did suddenly support it, I couldn't use it until sometime in 2023 when all the major browsers implemented it and everyone using the old browsers switched or died of old age.</p> Tue, 24 Apr 2012 04:43:06 +0000 http://briancarper.net/blog/589/split-page-vertically-in-css-minus-pixels http://the-gay-bar.com/?p=1175 http://feedproxy.google.com/~r/PlanetLarry/~3/Dd0kb8HI0cI/ <img src="http://planet.larrythecow.org/images/j_rgen_geuter.jpg" alt="" align="right" style="float: right;"><p>As some of you may know I am a somewhat outspoken critic of <a href="http://the-gay-bar.com/2011/08/22/our-broken-idea-of-privacy/" title="Our broken idea of privacy">privacy in the way we handle it today</a> and do even call myself somewhat of a <a href="http://the-gay-bar.com/2012/02/22/the-datenschutzkritische-spackeria/" title="The “datenschutzkritische Spackeria”">post-privacy advocate</a> (when I do call myself anything; self-descriptions are the hardest!).</p> <p>If you look to the right of this text you can see where I checked in last, <a href="https://foursquare.com/tante">my Foursquare profile </a>is public, looking at <a href="http://twitter.com/tante">my twitter feed</a> you know when I am awake and usually even what I do. On <a href="http://the-gay-bar.com/imprintimpressum/" title="Legal/Impressum">this site</a>  you can see me legal name and address as well as my phone number. If you invest a few minutes with your search engine of choice you can find out a lot about me, my family, my upbringing: I live in the open.</p> <p>Looking at how I advocate a very open lifestyle and try to lure people away from <a href="http://the-gay-bar.com/2011/08/22/our-broken-idea-of-privacy/" title="Our broken idea of privacy">the false promises privacy offers</a> you  could consider me being very open just “eating one’s own dogfood”. On the other hand I have gotten quite some criticism about how dangerous my position is and what a bad sort of advice it might be to people living under oppressive governments, people who are being discriminated against or people with little political or economical power. And that criticism is true. And also misses the point.</p> <p>I live an extremely privileged life. I am a white, healthy, heterosexual male in Europe. I have a good education and a well-paid and interesting job. It’s actually hard to find any aspects in my life that open me up for the sort of sexist, racist or otherwise-ist attacks and discrimination so many other people face every day even in the so-called “first world”. And if I compare my situation to people living in poorer parts of the world the difference becomes even more grotesque.</p> <p>But in my perspective, my privileged life commits me to this open lifestyle. Not because I know that it will never have negative consequences but because I see it as an experiment.</p> <p>Who if not me, a super privileged individual, can test these ideas in the real world? The dangers for me are marginal compared to most people on this planet, hell even in this rich country! I run my life as a test case for my theories, try to reflect upon why a certain aspect works for me and what the preconditions for that success were, try to explicitly trace dangers down to their causes.</p> <p>Post-privacy is not a utopia you just slap on our world today for everyone and it would work. Like every big social change it takes a lot of time (or probably a catastrophe which is nothing I want to see happen to anyone, anywhere for whatever good it may do) for a society to change in that fundamental way . But in order to even properly discuss it, we need to determine the terms and conditions for a post-private society. What economical or political environment is necessary? What new or changed rights does the individual need?</p> <p>I life my life in this extremely open way to determine said conditions. It’s not a way of living I can recommend for every individual <em>today</em>. But with a lot of work maybe in a few (probably many, probably many more than I have left on this planet <img src="http://the-gay-bar.com/wp-includes/images/smilies/icon_wink.gif" alt="icon wink Why do I publish so much of myself?" class="wp-smiley" title="Why do I publish so much of myself?" /> ) years there will be a world, a society where everybody can live this open and this freely. And if I can just nudge mankind a little bit in that direction, the few risks I take are really nothing I can invest more than a shrug into. And move on.</p> <div id="vgwpixel"></div> <p><a href="http://the-gay-bar.com/?flattrss_redirect&amp;id=1175&amp;md5=8c6073e082257bb3edb4c5e5b5ca2c69" target="_blank" title="Flattr"><img src="http://the-gay-bar.com/wp-content/plugins/flattrss/img/flattr-badge-large.png" alt="flattr this!" /></a></p> Fri, 20 Apr 2012 19:59:23 +0000 http://the-gay-bar.com/?p=1175 http://blog.siphos.be/?p=593 http://feedproxy.google.com/~r/PlanetLarry/~3/KomRGZw79Xc/ <p> On request of Matthew Marchese, I now automatically build an <a href="http://swift.siphos.be/linux_sea/linux_sea.epub">ePub version</a> of <a href="http://swift.siphos.be/linux_sea">Linux Sea</a> for those that like to read such resources on a digital reader. Thanks to the use of DocBook, this was simply a matter of using its xsl-stylesheets/epub/docbook.xsl stylesheet against the DocBook sources and zip the created directory structures (OEBPS and META-INF) to get to the ePub file.</p> Fri, 20 Apr 2012 15:31:11 +0000 http://blog.siphos.be/?p=593 http://ciaranm.wordpress.com/?p=1158 http://feedproxy.google.com/~r/PlanetLarry/~3/Huo3fSEOozw/ <img src="http://planet.larrythecow.org/images/ciaranm.png" alt="" align="right" style="float: right;"><p><a href="http://paludis.exherbo.org/">Paludis</a> 0.74.0 has been released:</p> <ul> <li>The way || dependencies are handled has changed to allow upgrades in certain situations that would previously be blocked.</li> <li>Previously file descriptors would be leaked when adding certain types of files to a tar being created for a pbin. This is now fixed.</li> <li>We now strip certain kinds of trailing garbage from tar files, to deal with upstreams who insist upon distributing corrupted tarballs.</li> <li>We now define ${T} to something usable in pkg_pretend.</li> <li>The order of arguments passed to econf has been tweaked, to make it easier to override defaults.</li> <li>cave print-ids etc now have a ‘%u’ format, for a uniquely identifying spec.</li> <li>Added cave print-checksum, for convenience.</li> <li>We now use metadata/md5-cache if it exists.</li> <li>We now ignore self-blockers for Gentoo EAPIs, to avoid problems with developers screwing up package moves.</li> <li>Compilation with GCC 4.7 should now work.</li> </ul> <br />Filed under: <a href="http://ciaranm.wordpress.com/category/paludis/paludis-releases/">paludis releases</a> Tagged: <a href="http://ciaranm.wordpress.com/tag/paludis/">paludis</a> <a href="http://feeds.wordpress.com/1.0/gocomments/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/comments/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godelicious/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/delicious/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gofacebook/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/facebook/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gotwitter/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/twitter/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/gostumble/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/stumble/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/godigg/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/digg/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <a href="http://feeds.wordpress.com/1.0/goreddit/ciaranm.wordpress.com/1158/" rel="nofollow"><img src="http://feeds.wordpress.com/1.0/reddit/ciaranm.wordpress.com/1158/" alt="" border="0" /></a> <img width="1" alt="" src="http://stats.wordpress.com/b.gif?host=ciaranm.wordpress.com&amp;blog=3715284&amp;post=1158&amp;subd=ciaranm&amp;ref=&amp;feed=1" border="0" height="1" /> Sun, 15 Apr 2012 15:57:16 +0000 http://ciaranm.wordpress.com/?p=1158 http://blog.siphos.be/?p=588 http://feedproxy.google.com/~r/PlanetLarry/~3/9RWMauzrfX8/ <p> In my <a href="http://blog.siphos.be/2012/04/chrooted-bind-for-ipv6-with-selinux/">previous post</a>, a very valid question was raised by Alexander E. Patrakov: why still use chroot if you have SELinux? </p> <p> Both chroot (especially with the additional restrictions that grSecurity enables on chroots that make it more difficult to break out of a chroot) and SELinux try to isolate an application so it only has access to those resources it needs. Chroot does this on file-level basis (and a bit more with grSecurity), SELinux on more general resources. However, things that make SELinux strong (flexible and detailed policy language, fine-grained authorizations) are also its weakness (consolidating files into groups having the same file label), and chroot does have an advantage on this. </p> <p> Suppose that a flaw exists in BIND through which an attacker can read files on the host (through BIND). With SELinux, the domain in which BIND runs is prohibited from accessing and reading files whose label is not one of the labels that the policy thinks BIND should be able to read. More specifically, the BIND policy in the reference policy (which is what both Gentoo and RedHat base their policies on, and generally policies are only enlarged, never really shrinked): </p> <ul> <li> etc_runtime_t (read) means access to the files in /etc that are modified at runtime (like mtab, profile.env, gentoo’s /etc/env.d) </li> <li> named_var_run_t (read) is access to /var/run/bind and /var/run/named (and a few other related locations) </li> <li> named_checkconf_exec_t (read/execute) is access to read and execute /usr/sbin/named-checkconf </li> <li> named_conf_t (read) to read the BIND-related configuration files </li> <li> dnssec_t (read) to read the DNSSEC keyfiles </li> <li> locale_t (read) to access /etc/localtime, /usr/share/locale/*, /usr/share/zoneinfo/* </li> <li> etc_t (read) to read the general configuration files in /etc (including passwd, fstab, …) </li> <li> proc_t (read), proc_net_t (read) and sysfs_t (read) to access those pseudo filesystems </li> <li> udev_tbl_t (read) to access /dev/.udev and /var/run/udev (but I have no idea yet why this is in) </li> <li> named_log_t (read/write) for the log files of BIND </li> <li> net_conf_t (read) to access /etc/hosts (including deny/allow), resolv.conf, … </li> <li> named_exec_t (read/execute) the BIND executables </li> <li> named_zone_t (read) to access the zone files, also write access in case of slave system </li> <li> cert_t (read) to read certificate information </li> <li> named_cache_t (read/write) to access its cache </li> <li> named_tmp_t (read/write) to work with temporary files </li> </ul> <p> Isolation provided by SELinux is as powerful as the width of its labeling. For instance, by giving the named daemon read access to /etc files like passwd, fstab, group, hosts, resolv.conf and more, a malicious user who can exploit this hypothetical vulnerability can obtain information that might help him in his further attempts. By chrooting BIND, the files placed in the chroot itself should not offer the information he might be looking for (for instance, the passwd file, if needed at all, is limited to just the named and root accounts, etc.) </p> <p> Chrooting, but not enabling SELinux, could lead to escalation. A chroot cannot restrict what a process is allowed to do beyond the regular access privileges that are given on the user. If a user can upload an exploit through BIND and have BIND execute it, he can use this as an attack vector for further activities. SELinux here prohibits BIND to write stuff it can also execute (there is no write and execute privilege defined here). It also ensures that the BIND daemon never exists his security domain (transitioning towards another domain with perhaps other privileges) as there are no transition rules from named_t to any other domain. </p> <p> Another MAC system that would be better suited to fit both is grSecurity’s RBAC model. Iirc, it uses path definitions to say which files are allowed to access and which not. The weakness SELinux here has (aggregation into sets of files with the same label) doesn’t exist for grSecurity. This debate on path-based versus label-based access controls have been going on for very long time now – just google it ;-) </p> <p> So, Alexander, in short: chroot further limits the SELinux-allowed privileges to a more fine-grained set of file system resources (files/directories).</p> Sun, 15 Apr 2012 07:41:01 +0000 http://blog.siphos.be/?p=588 http://blog.siphos.be/?p=585 http://feedproxy.google.com/~r/PlanetLarry/~3/1R7Vd5F8Ac0/ <p> BIND, or Berkeley Internet Name Domain, is one of the Internet’s most popular domain name service software (DNS). It has seen its set of security flaws in the past, which is not that strange as it is such a frequently used service on the Internet. In this post, I’ll give a quick intro on how to use it in Gentoo Hardened (with PaX)… chrooted… for IPv6… with SELinux ;-) </p> <p> Installing is of course, as usual, dead easy on Gentoo (Hardened/SELinux). Make sure you have USE=”ipv6″ set, and then <b>emerge bind</b>. Also install <b>bind-tools</b> as they contain some great tools to help with DNS troubleshooting. Then we’re editing /etc/conf.d/named to set the CHROOT variable. I also set CHROOT_NOMOUNT so that Gentoo doesn’t bind-mount the information in the chroot but instead uses the files in the chroot. </p> <pre>CHROOT="/var/named/chroot" CHROOT_NOMOUNT="1" </pre> <p> Now we need to either temporarily add some privileges in SELinux, or run the portage_t domain in permissive mode. If you go for privileges, then add the following: </p> <pre>allow portage_t var_t:chr_file { create getattr setattr }; </pre> <p> If you however want to temporarily run the portage_t domain in permissive mode, do that as follows: </p> <pre>~# semanage permissive -a portage_t </pre> <p> We are doing this because we are now going to ask the BIND ebuild to prepare the chroot for us. Doing so however requires portage to work on our live file system (and not in the regular “sandbox” mode). SELinux however forces portage in the portage_t domain and only gives it the privileges it needs for building and installing software. </p> <pre>~# emerge --config bind </pre> <p> When done, remove the previous SELinux allow rules again (or set the portage_t domain back in enforcing mode, through <b>semanage permissive -d portage_t</b>). Next we need to relabel the files in the chroot. By default, all files are labeled by SELinux as var_t in that location because it isn’t aware that it needs to see /var/named/chroot as a “root” location. </p> <pre>~# setfiles -r /var/named/chroot /etc/selinux/strict/contexts/files/file_contexts /var/named/chroot </pre> <p> So far so good. Now let’s create a simple named.conf file (in /var/named/chroot/etc/bind): </p> <pre>options { directory "/var/bind"; pid-file "/var/run/named/named.pid"; statistics-file "/var/run/named/named.stats"; listen-on { 127.0.0.1; }; listen-on-v6 { 2001:db8:81:21::ac:98ad:5fe1; }; allow-query { any; }; zone-statistics yes; allow-transfer { 2001:db8:81:22::ae:6b01:e3d8; }; notify yes; recursion no; version "[nope]"; }; # Access to DNS for local addresses (i.e. genfic-owned) view "local" { match-clients { 2001:db8:81::/48; }; recursion yes; zone "genfic.com" { type master; file "pri/com.genfic"; }; zone "1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "pri/inv.com.genfic"; }; }; </pre> <p> The zone files referenced in the configuration file are located in /var/named/chroot/var/bind (in a subdirectory called pri – which I use for “primary”). The regular one would look similar to this: </p> <pre>$TTL 1h ; $ORIGIN genfic.com. @ IN SOA ns.genfic.com. ns.genfic.com. ( 2012041101 1d 2h 4w 1h ) IN NS ns.genfic.com. IN NS ns2.genfic.com. IN MX 10 mail.genfic.com. IN MX 20 mail2.genfic.com. genfic.com. IN AAAA 2001:db8:81:80::dd:13ed:c49e; ns IN AAAA 2001:db8:81:21::ac:98ad:5fe1; ns2 IN AAAA 2001:db8:81:22::ae:6b01:e3d8; www IN CNAME genfic.com.; mail IN AAAA 2001:db8:81:21::b0:0738:8ad5; mail2 IN AAAA 2001:db8:81:22::50:5e9f:e569; ; (...) </pre> <p> while the one for reverse lookups looks like so: </p> <pre>$TTL 1h ; @ IN SOA 1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa ns.genfic.com. ( 2012041101 1d 2h 4w 1h ) IN NS ns.genfic.com. IN NS ns2.genfic.com. $ORIGIN 1.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1.e.f.5.d.a.8.9.c.a.0.0.0.0.0.0.1.2.0.0 IN PTR ns.genfic.com. 8.d.3.e.1.0.b.6.e.a.0.0.0.0.0.0.2.2.0.0 IN PTR ns2.genfic.com. ; (...) </pre> <p> We can now start the init script: </p> <pre>~# rc-service named start </pre> <p> On the slave, don’t set the allow-transfer directive and set its type to “slave”. In each zone, you will need to tell where the master is: </p> <pre>zone "genfic.com" { type slave; masters { 2001:db8:81:21::ac:98ad:5fe1; } file "sec/com.genfic"; }; </pre> <p> By default, the SELinux policy for BIND does not allow BIND to write stuff in its directories. On the slave system, you will need to change this. A SELinux boolean here does the trick: </p> <pre>~# setsebool -P named_write_master_zones on; </pre> <p> There ya go ;-) Okay, all very condensely written, but it should give some feedback on how to proceed. I’m adding this information to the new online resource I’m writing – <a href="http://swift.siphos.be/aglara">A Gentoo Linux Advanced Reference Architecture</a>. Nothing really ready yet, just writing as I go forward with exploring these technologies…</p> Sat, 14 Apr 2012 21:08:39 +0000 http://blog.siphos.be/?p=585