The technical musings of Matt

Mac OS X 10.6 Snow Leopard Audio Bug

2010-08-11T22:07:00.000-07:00

So for those of you who have made the switch like myself to 10.6 you may or may not have noticed when you reboot your audio settings seem to change themselves. I searched around the web and found this issue mostly affecting users who upgraded from a previous version of OS X such as 10.5, but that's not to say they're the only ones affected by this issue.

So what's the deal? Well the audio preferences are stored in /Library/Preferences/Audio, and if you take a look at the files in there you'll see they're owned by _coreaudiod and you may see a few files like com.apple.audio.DeviceSettings.plist, and com.apple.audio.SystemSettings.plist, I also had a .plist-old version of both files which was probably left over from the upgrade. So to resolve this issue I moved all the files in the directory to a folder on my Desktop for backup and then opened up System Preferences and went into the Audio preferences and set my settings back to where I like them, and took another look in the directory and found it re-created com.apple.audio.SystemSettings.plist with a slightly larger size then the original file I just backed up, 1900 bytes versus 1981, maybe the file was corrupt..

So close all applications, reboot and you should notice all of your audio settings are still set where they should be.

This could probably be solved using Disk Utility permissions repair as well, but I haven't tried that method yet.

Installing Subversion Client and Server on OS X

2009-07-21T02:40:00.009-07:00

Installing Subversion on OS X is actually really easy, but for those of you who have not done it before it can seem like quite a task. There are many Revision Control systems out there but in my opinion SVN is well suited for the needs of just about any person or project, for those of you not too familiar with SVN or how it works, you should check out the Wikipedia link above.

All of my tutorials if you haven't noticed make use of MacPorts, if you don't have it installed already now would be a good time to install it.

First thing you want to do whenever you're installing something from MacPorts is make sure you're current. We'll do a selfupdate to upgrade existing packages and update package info.

dStruct:~ Matt$ sudo port selfupdate

Next up you want to install SVN via the MacPorts system.

dStruct:~ Matt$ sudo port install svn

We need to make sure svn is in your default path by running svn from a Terminal session.

dStruct:~ Matt$ svn
-bash: svn: command not found

So it looks like we need to update .profile with the correct path, by default MacPorts installs to /opt/local/bin and /opt/local/sbin which is not normally in the default path.

dStruct:~ Matt$ nano .profile
export PATH=/opt/local/bin:/opt/local/sbin:$PATH

You should now see the following when you run svn.

dStruct:~ Matt$ svn
Type 'svn help' for usage.

The SVN client is now ready for use, for those interested in running your own SVN Repositories to keep track of your own project or source code lets setup the SVN Server a.k.a. svnserve.

First thing to do is decide where you want your Repository located on your drive (I use ~/SVN) and then we want to create the Repository directory and it's file structure.

dStruct:~ Matt$ svnadmin create ~/SVN

Which should create the actual directory and setup the SVN framework inside it, including the default SVN Server configuration files in ~/SVN/conf/. It should be noted you rarely ever directly edit the files in the SVN Repository, only advanced users who know how to manipulate SVN should ever touch the files inside. However if you plan on allowing anyone remote access to your SVN Repository it would be wise to setup permissions on who can access what.

Let's do a test run and make sure the SVN Server fires up with the default settings and no authentication, and that we can check out the Repository.

dStruct:~ Matt$ svnserve -d -r ~/SVN/
dStruct:~ Matt$ svn checkout svn://dStruct/ ~/test
Checked out revision 0.

Ok so now we have our Repository built and we know the server works, lets setup the SVN Server to launch automatically at startup under the inetd service. We need to create a new Property List or plist and place it in /Library/LaunchDaemon so launchd knows where to find it on startup.

dStruct:~ Matt$ killall svnserve
dStruct:~ Matt$ cd /Library/LaunchDaemon
dStruct:LaunchDaemon Matt$ sudo nano org.tigris.subversion.svnserve.plist

And paste in the following XML, editing the 2 lines required.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>org.tigris.subversion.svnserve</string>

<key>ProgramArguments</key>
<array>
   <string>/usr/local/bin/svnserve (EDIT THIS LINE)</string>
   <string>--inetd</string>

   <string>--root=/Users/YourUsername/SVN (EDIT THIS LINE)</string>
</array>
<key>ServiceDescription</key>
<string>Subversion Standalone Server</string>

<key>Sockets</key>
<dict>
 <key>Listeners</key>
 <array>
   <dict>

     <key>SockFamily</key>
     <string>IPv4</string>
     <key>SockServiceName</key>
     <string>svn</string>

     <key>SockType</key>
     <string>stream</string>
   </dict>
   <dict>
     <key>SockFamily</key>

     <string>IPv6</string>
     <key>SockServiceName</key>
     <string>svn</string>
     <key>SockType</key>

     <string>stream</string>
   </dict>
 </array>
</dict>
<key>inetdCompatibility</key>

<dict>
 <key>Wait</key>
 <false/>
</dict>
</dict>
</plist>

With that file saved now we need to add it to the Launch Daemon and we'll go ahead and fire it up right now manually as if we just booted up.

dStruct:~ Matt$ sudo launchctl load /Library/LaunchDaemon/org.tigris.subversion.svnserve.plist
dStruct:~ Matt$ sudo launchctl start org.tigris.subversion.svnserve

Now for the final test, lets try to check out the local Repository.

dStruct:~ Matt$ svn checkout svn://dStruct/ ~/test
Checked out revision 0.

There you go, if you ran into any issues check the reference links below, and Google is your best resource for answers, enjoy.

Version Control with Subversion
Subversion server (svnserve) on Mac OS X

Technorati launches new Twittorati website today

2009-07-08T02:27:00.004-07:00

Blog search engine and advertising power house Technorati has joined forces with Sawhorse Media the makers of Muckrack.com, to bring the world Twittorati.com "Where the blogosphere meets the Twittersphere".

According to the new service "Twittorati tracks the tweets from the highest authority bloggers, starting with the entire Technorati Top 100 and soon including many more of the web's most influential voices."

To be honest I don't know what to think, it seems like Technorati is reaching a bit far on this one.. Maybe it's just me being biased, I mean I don't dislike Twitter, I wouldn't say things like it's insecure, full of bugs, or loaded with scams, or anything like that would I?

Well head over there check it out and leave a comment or two on what you think.

If you find this article helpful, Digg it..

~Matt

Making money online, fact or fiction?

2009-07-07T02:50:00.004-07:00

There are a lot of people out there who have it hard coded in their brains that you have to get up at the crack of dawn, get ready for work, drive to work, actually try to do work in a busy place full of other people, noise, cell phones going off, and computer networks being brought down by the one idiot in the corner cubicle who thought he'd send that 10mb video attachment to all his co-workers..

I've been there, done that, and yes I got the T-shirt. If you can't tell by my tone I'm not a huge fan of this crap, personally I think people waste a massive amount of time each year commuting to and from work each day, and in most cases not being able to do anything productive in the process.

Well there is a better way, there is a light at the end of the tunnel, and you can free yourself from this addiction to the office. Now I know what the non-believers are thinking right now, I can feel it, but there is an entire world full of web-based businesses just waiting to pay you for basically existing. Some of which include Affiliate Marketing, where you would for example write a small free blog like this one and sign up with Link Share or Click Bank and simply post one of their Ads on your blog for say ABC Sunglasses, and when one of your visitors happens to click on that link because they like what they see, you can either get a small amount of revenue per ad click, or a referral fee if that person actually buys something.

That's just one example of how you can make real money online, and it's a very tried, true, and tested method, there are people out there making good money with moderate traffic websites and blogs doing just that.

Another example would be Google's AdSense program, in my opinion Google really went the extra mile on this one, they have their own Affiliate type system in place for advertising, I'm sure you've seen all the links all over other websites including this one "Ads by Google" well each time someone clicks on an Ad you get a percentage of whatever Advertiser is paying for that Ad, which can range from pennies to dollars, it's a completely free program available to just about anyone with a computer, why are you not taking advantage of this free program? If I were you I know I would be.

I found a wealth of information on a fellow Blogger site Financing Strategies which has all sorts of useful information relating to making money online, and how you can manage that money and tips on improving credit, things like that. Check out these posts specifically Optimizing Google AdSense and the Big Secret to Making Money Online which outlines what to do, and what not to do when making money online.

I invite you to Google things like Online Revenue, and Making Money Online, and Affiliate Marketing, go poke around and see what you can find, there's tons of stuff out there. Hopefully you can carve your own little niche in the web, and make a little money in the process.

If you find this article useful, please spread the word by posting to any Social Networking site like you like, it really helps get useful information to people who can use it.

~Matt

Britney Spears is dead! Oh wait Twitter just got hacked.. again..

2009-07-05T16:57:00.008-07:00

The much touted microblogging social network Twitter just can't seem to stay out of the news lately, according to Britney Spears Twitter profile apparently "Britney has passed today. It is a sad day for everyone. More news to come.." and I have to say it was well timed having so many famous celebrities pass away so recently, I'm sure fans who saw this were shocked and saddened by the posting but the fact is she's not dead however her Twitter profile was compromised yet again through the TwitPic service which allows you to upload images with captions directly to your Twitter account, this just after they said "We've implemented a fix for the email posting vulnerability, a full blog post explaining the issue will be released soon"

These flaws are nothing new to Twitter back in January, 2009 around New Years followers of the singer were informed that her vagina was four feet wide "with razor sharp teeth". According to Mashable there were other celebrity attacks during this time including Bill O'Riley being called gay.

Well the guys over at TwitPwn are doing something about it, they're calling July, 2009 the Month of Twitter bugs and rightfully so, in an attempt to raise awareness of the massive amounts of code exploits, cross-site scripting errors, API "issues" and just plain bad coding. My hats off to you guys, hopefully something becomes of it.

So on that note I'm dubbing Twitter - The Black Sheep of Social Networking(©™ and stuff).

I really hope Twitter irons out the kinks, as for me don't be surprised if you can't tweet about this blog posting directly off my blog or you can't follow me on Twitter.

~Matt

SSH Public Key Authentication and OS X

2009-07-02T08:34:00.013-07:00

In most cases people just use SSH the good old fashioned way, they login using a password and usually to the root account. Now there's nothing wrong with this method, it's hands down more secure then using something like Telnet to access remote boxes, however I want to point out a few things you may want to consider even if you've never had a box compromised.

By using just password authentication even with a huge AlphaNum3r1c#p4ssw0rd you're allowing anyone from anywhere the ability to potentially Brute Force your password, gain access to your system(s), and do whatever the hell they want. Even more so if you allow logging in to the root account, because knowing a good username makes Brute Forcing a password just that much easier.

When you setup a Public/Private Key combo with the server(s) you access you're providing 2-part (or two-factor) authentication by providing something you know with something you have. This method is much more secure since you physically have to have the matching side of your key to authenticate.

To setup Public Key Authentication you'll need to generate a key pair (Public/Private) and then share the Public half with any servers you connect to.

Open Terminal and "cd ~/.ssh", then "ssh-keygen -t dsa -b 1024"

The default location of /Users/(your username)/.ssh/id_dsa is correct, hit enter

Now provide a passphrase for the key, this will be used as the part you know. Make sure it's a good one as you can store it in your Keychain so you don't have to type it everytime.

id_dsa is your Private key, id_dsa.pub is your Public key for sharing.

Next copy your shiny new 1024-bit DSA Public key to the server, "scp id_dsa.pub user@myremotehost:~/id_dsa.pub"

Now login to the remote server and insert the key data into SSH, either in ~/.ssh/authorized_keys or /etc/sshd_config directly "cat id_dsa.pub >> ~/.ssh/authorized_keys"

Now that you have your Public key in the authorized_keys file you can safely delete your remote copy of it, if you want to make keep it there make sure permissions of the id_dsa.pub are secure and set to owner only "chmod 700 id_dsa.pub" the same goes for authorized_keys, check it with "ls -l".

Now you want to logout of your remote server and log back in and verify everything works as it should. You should get a prompt for your passphrase this time and not the regular password.

If you can successfully login using your key then you're ready to disable password based authentication by opening your sshd_config and setting the option "PasswordAuthentication no" and restarting sshd.

The default Public Key location on most servers is: ~.ssh/authorized_keys

The default Private Key location on OS X is: ~.ssh/id_dsa

The next steps are optional but some like to disable Password Authentication, so the server only uses Public Key, personally I like to keep Password Auth there as a backup in case I lose my Private key, combined with my previous guide on Securing SSH with IPtables I can sleep at night. And there is no reason why you shouldn't have a secure encrypted USB flash drive like an IronKey on your keys that you carry with you wherever you go, so put your Private Key on there that way wherever you go you have your "keys" with you..

References:
http://matthewayo.blogspot.com/2008/06/securing-ssh-with-iptables-on-openwrt.html
http://sial.org/howto/openssh/publickey-auth/

I hope you find this guide helpful.

~Matt ajx7qcrndm

Configuring OS X Serial terminal emulation using Terminal and Screen

2009-06-28T20:51:00.022-07:00

If you use Mac OS X on a daily basis like I do, you may or may not be aware that there is no included Serial terminal emulation software included with the Operating System. For most people this would not be of any concern, I mean how many people actually use HyperTerminal right? But for those of us who configure Serial based devices like Cisco Routers, Switches, and Load Balancers, on a regular basis I was having trouble finding a good solution.

There are no good free Serial terminal applications out there, there are some that will work, but they're not pretty, not Universal Binaries, or they cost money. Me personally I don't think I should have to pay for software like that, you can't make an application like that so nice and so feature packed that anyone should ever have to pay for a simple Serial Terminal app, that's like charging money for screen savers... Of all the ways to make a quick buck.

So my solution to the issue was a simple one, I wish I had thought of it much sooner and spared my life from Minicom. What I did was configure the built in OS X Terminal application to fire off the Screen program inside itself automatically, and boom instant Serial Terminal.

It goes a little something like this...

Open the Finder -> Applications -> Utilities, and click on Terminal.

Now click the Terminal menu -> Preferences -> Settings tab, and create a Settings/Profile entry either by using the + or Duplicating your existing one.

With your new profile selected on the right side click on the Shell tab and Check "Run command:" and enter "screen /dev/tty.COM_PORT_HERE", where the com port is your USB to Serial converter or in my case SocketCom Bluetooth to Serial adapter.

That's all there is to it, now you can go up to the Terminal menu and click on Shell -> New Window -> Your Profile, or Shell -> New Tab -> Your Profile.

Also for those of you who didn't know you can use Terminal for SCP and SSH, check out New Remote Connection on the Shell menu.

So now that I've shown you how to do it, here's a copy of my Terminal Profile that you can just import it instead. =)

Serial.terminal

~Matt

Missing Money

2009-06-27T13:04:00.004-07:00

For those of you who have not heard of unclaimed property, let me share a little secret the government doesn't really advertise to the public. Just about every State in the US has what is called an unclaimed property program for things like:

Bank accounts and safe deposit box contents
Stocks, mutual funds, bonds, and dividends
Uncashed checks and wages
Insurance policies, CD's, trust funds
Utility deposits, escrow accounts

Say you forget about an account, you move, change jobs, or how about a relative sets up an account on your behalf? Well when the account is deemed inactive that money ends up (usually) at that States unclaimed property office after about a year and it sits there for various amounts of time depending on the state. For example a family member of mine left a job and they still owed them over $600 from payroll and was unable to reach them, after a year the money automatically goes to the unclaimed property office and he was able to file a claim and receive a check in the mail for the missing money.

Which brings me to the topic of Missing Money, there's actually a website called just that http://www.missingmoney.com/ which is a database linked to participating websites in the US, and Canadia which allows people to search unclaimed property programs for your missing money!

Each State website can be located here with the following link http://www.missingmoney.com/Main/StateSites.cfm

There are also some helpful links for places to search for other unclaimed stuff http://www.unclaimed.org/other/

Good luck!

Securing SSH with Iptables

2008-06-26T16:58:00.014-07:00

So you want to open up port 22 on the WAN side of your router for remote access. Is it really a legitimate concern that someone could try to get in through SSH? I mean it's SSH right?

Well yes and no, yes you should be concerned with any open port available to the world, even if it's SSH. There was a brief time where there were some SSH exploits publicly available, those were quickly patched and most systems have been upgraded since then.

However there's always the chance someone could try and brute force your SSH credentials, and for those of you who allow logging in as root this is even more scary. Your first line of defense is obviously your password, there are tons of websites and utilities out there to help you generate a good password and you should always use a password consisting of at minimum 8 characters, at least 1 number, and 1 special type of character like a !, @, or #, etc.

With IPtables it's actually quite easy to setup rate-limiting for any traffic coming in on port 22, or any TCP/UDP port really.

You want to make sure you compiled or included the "recent" option with IPtables

Next you want to add the rules to Iptables manually and verify they're functioning correctly.

iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --name SSH_BRUTEFORCE --rsource --update --seconds 180 --hitcount 6 -j DROP

iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW -m recent --name SSH_BRUTEFORCE --rsource --set

iptables -A input_wan -p tcp --dport 22 -m state --state NEW -j ACCEPT

You can hit up http://www.grc.com/ and use the ShieldsUP! port scanning service if you don't have access to a remote shell to test with. I just entered port 22 and clicked "User Specified Custom Port Probe" 6 times to test it.

Trying to test Iptables rules from inside your LAN isn't a smart way to test firewall rules since they're coming in on the LAN side and not the WAN side.

You can tweak how quickly it rate-limits the packets with the --seconds and --hitcount options, I set it for 900 seconds and 6 packets. Meaning if you hit port 22 more then 6 times within 900 seconds (15 minutes) it drops all packets from your source IP for 15 minutes. And I chose 6 packets because by default SSH lets you try 3 times per log entry/disconnect, so 2 "attempts" to login.Once you're satisfied everything is working correctly, add the 3 lines to the bottom of your /etc/firewall.user and issue a /etc/rc.d/S45firewall restart (might be different depending on your version of OpenWrt/X-Wrt).

References:
http://www.netfilter.org/
http://www.openwrt.org/
http://www.snowman.net/projects/ipt_recent/

Similar:
There's also a script available that will monitor your logs for malicious SSH activity and block IPs that way, check it out.. http://www.pettingers.org/code/sshblack.html

I hope you find the information provided helpful in some way, you can show your appreciation by clicking on an Ad or two. Or if you'd like to hire me and have me secure your system you can click on the oDesk Ad on the site as well.

~Matt

OpenWrt on a Dell Truemobile 2300

2008-06-24T02:02:00.010-07:00

Well for those of you not already enlightened by the awesome greatness of Dell's Truemobile 2300 Wireless Router let me share some, thoughts.. with you about it. The Dell software shipped with it is a pile of shit, it hasn't had an official update since 2004, when a security vulnerability was publicly disclosed allowing anyone with access to the built-in web interface to send a HTTP request to it and reset the login credentials allowing anyone full access to the router's web interface.

Now instead of Dell saying something like "Oh, that's a quick 2 second fix, lets just do an update.." haha instead they decided to discontinue their "product" and make you buy something new instead of just simply issuing a simple software update and correcting the issue. Having not even mentioned the fact that there are numerous other software "anomalies" where configuration pages just don't work right, and the router itself locks up at the least 1-2 times per week during normal use or every time you play any online game (World of Warcraft) over Wireless.

Now don't get me wrong, this little router packs a punch and it's very similar in hardware to that of a Linksys WRT54G v1 router, and has 4mb of flash and 16mb of RAM available which is plenty of room for our purposes.

Let's get to the meat of it.. To install OpenWrt you want to start with a stable and tested version of the software to make sure nothing happens during the upgrade and/or first boot of the new OS.

Hit up downloads.openwrt.org and browse to the /whiterussian/newest/default/ 0.9 release of "openwrt-brcm-2.4-squashfs.trx" (note the .trx extension)

After the image downloads, make sure you're connected to the router via a cable and not wireless and login to the router like you normally would (defaults are IP: 192.168.1.1, User: admin, Pass: admin)

Once you're in you want to click on System Tools, then Firmware Upgrade and select the new trx image you just downloaded and flash it.

Now go get a Dr. Pepper and leave the computer and router be for at least a few minutes.

Once the flash completes you usually will have no indication that anything has been done really, except you may notice the LED for the port you're plugged into may be green but the power LED is not, this is normal.

Now you want to hard-code a static IP on the same subnet, say 192.168.1.50/24 and try to ping 192.168.1.1, once the router has booted and responds to ICMP (you may need to power cycle it) then browse to 192.168.1.1 from a web browser.

The first and most important thing you want to do now before anything else is set an option called wait_boot to on. This option should be in the web interface and allows the device to pause briefly during boot and allow a small window to initiate a tftp copy of an image to the router if for some reason you can't boot the device and login for whatever reason. (Unless you enjoy opening it up and shorting the on-board flash memory)

Now you should have a working version of OpenWrt v0.9 on your Truemobile 2300 and you can enjoy a much more reliable and functional router. Now I'd recommend upgrading from White Russian 0.9 up to Kamikazi 7.x for much more functionality and support. I found a lot of little things in 0.9 that bugged me and made me want to just tweak the web gui a little here and there or adjust little things just a tad. But after upgrading to the X-Wrt version of Kamikazi I found most of those issues had already been addressed and it was a much more elaborate and functional web interface to deal with.

To upgrade it's as simple as going to the X-Wrt Downloads section and grabbing the latest Kamikazi image (latest at the time of this post) and upgrade it via the web interface.

I hope you find the information provided helpful in some way, you can show your appreciation by clicking on an Ad or two. Obviously I take no responsibility if you turn your router into a very sophisticated paper weight with an antenna.

If you do happen to brick the router, you can see what these guys did to un-brick it.. http://forum.openwrt.org/viewtopic.php?id=5656

~Matt