
Joe Dog Software

Proudly serving the Internets since 1999

Apple’s New Locking Screws

As residents in the Information Age, we consider ourselves clever sorts. We no longer waste hours on bar stools arguing about the year of Joe DiMaggio’s 56 game hitting streak. Before someone rebuts with his second “nuh-uh” we’ve smart-phoned the answer: 1941

But are we right?

I just got the answer by Googling. Like most people, I clicked the first link of the search results. In many cases, that link goes to Wikipedia and this was no exception. The free encyclopedia is an excellent source of information but like all sources, it’s prone to error. So unless our bar bet is substantial, we probably won’t cross reference the findings. “I guess the next round is on me…”


Was this new Apple proprietary locking screw designed to keep customers from opening their phones? (© 2012 Imgur, LLC)

That was certainly the case when a Swedish firm broke the news about Apple’s new iPhone screws. They were designed specifically to prevent its owner from opening the phone. Given Apple’s penchant for limiting access to the owners of its products, the story struck a nerve. It was picked up by MacWorld, Wired and Yahoo and spread across the Internets.

There was just one problem: the story wasn’t true. Oh, it was truthy. It struck most readers as the type of thing Apple would do but it was a hoax all the same.

The locking screws were fabricated by a Swedish company named Day4. Their intent was to see how easily they could spread disinformation. They designed a peculiar screw and posted it to Reddit along with the following message: “A friend took a photo a while ago at that fruit company, they are obviously even creating their own screws.”

That’s it. Neither Apple nor its phone were mentioned in the message. But Day4’s timing was excellent. The iPhone 5 is expected to be announced in September and tech media outlets are jonesing for information. Had those outlets cross-referenced their information, they would have discovered it all came from a single source. That should have raised red flags. Would those flags have halted publication? I don’t know. Everyone wants to be first with a scoop.

In the Information Age, it is often consumers – not distributors – who must perform integrity checks. When a politician stone-cold misrepresents information, the media rarely corrects his inaccuracies. Instead it notes that the other side disagrees. Instead of a debate in which we’ve established the facts, we tend to argue with two separate sets of “facts.”

On this site, I’m not driven to publish scoops. The Day4 prank is already several days old. All the code and configurations you’ll find here were tested before publication. My facts are generally double-checked. And with regard to the event that accompanies this story, you can confidently assert that Joe DiMaggio batted safely in 56 straight games back in 1941. That information is confirmed by multiple sources….



The Security Two-Step

This is depressing.

Matt Honan is an author at Wired. Recently his Google account was compromised. And since his online life was chained together, the hackers were soon able to access his Twitter, Amazon, AppleID, iPhone, iPad and MacBook accounts. For lulz, they erased his digital life.

By his own admission, Honan was sloppy. His accounts were interconnected and his data was not backed up. His biggest regret was that he didn’t take the time to implement a defense mechanism provided by Google. He didn’t set up 2-step verification. In the article, Honan refers to it as “two-factor authentication.”

What’s two-step verification? This is a system provided by Google which adds an extra level of security to your account. After it’s set up, you’ll need two things for access. You’ll need to provide something you remember (your password) with something you have (a code on your phone).

Learn how to set up 2-step verification after the jump.
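As an added illustration (not code from the original post, and not Google’s), here is how the second factor is computed when the code comes from an authenticator app rather than an SMS. The phone and the server hold the same secret; each runs HMAC-SHA1 over a counter and truncates the result to six digits (RFC 4226), and for time-based codes (RFC 6238) the counter is simply the current 30-second interval, so the two sides agree without talking to each other. The secret below is the RFC 4226 test key, not a real one; the script assumes bash and the openssl command-line tool.

```bash
#!/bin/bash
# Added example, not from the original post: how the "something you have"
# code is produced by an authenticator app. Phone and server share a
# secret; each computes HMAC-SHA1 over a counter and truncates it to six
# digits (RFC 4226 HOTP). For TOTP (RFC 6238) the counter is the current
# 30-second time step. Needs bash and the openssl command-line tool.

# 6-digit HOTP for a hex-encoded secret ($1) and an integer counter ($2).
hotp() {
    local key_hex=$1 counter=$2 msg_hex msg_esc mac offset bin
    # 8-byte big-endian counter, rendered as \xNN escapes for printf
    msg_hex=$(printf '%016x' "$counter")
    msg_esc=$(printf '%s' "$msg_hex" | sed 's/../\\x&/g')
    # HMAC-SHA1(secret, counter); keep only the hex digest from openssl's output
    mac=$(printf "$msg_esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | awk '{print $NF}')
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes,
    # the top bit is cleared, and the result is reduced mod 10^6
    offset=$(( 16#${mac:39:1} ))
    bin=$(( 16#${mac:$((offset * 2)):8} & 0x7fffffff ))
    printf '%06d\n' $(( bin % 1000000 ))
}

# TOTP: the counter is the number of 30-second steps since the Unix epoch.
totp() {
    hotp "$1" $(( $(date +%s) / 30 ))
}

# Server side: accept code $2 for secret $1 if it matches the current step
# or one step either side, which absorbs a little clock drift on the phone.
totp_verify() {
    local key_hex=$1 code=$2 now step
    now=$(( $(date +%s) / 30 ))
    for step in $((now - 1)) $now $((now + 1)); do
        [ "$(hotp "$key_hex" "$step")" = "$code" ] && return 0
    done
    return 1
}

# Constructed demo secret: the ASCII string "12345678901234567890", which is
# the RFC 4226 test key. A real secret is random, per account, and never shown.
DEMO_KEY=3132333435363738393031323334353637383930
```

Run `totp "$DEMO_KEY"` twice thirty seconds apart and you get two different codes from the same secret; that, plus the fact that the secret never travels over the wire after enrolment, is what makes a stolen password alone insufficient.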




Intel releases updated Linux drivers

Intel has released a new version of its open source Linux graphics package, known as 12.07. The release brings updated X Server drivers for Intel graphics cards, along with the supporting components that go with those drivers.

The most significant component is version 2.20.0 of the xf86-video-intel driver for the X Server. It ships with SNA, a 2D acceleration method that can be selected at runtime. Its purpose is to use less CPU than the previous method, UXA, and to be faster. To take advantage of it, add Option “AccelMethod” “sna” to the Device section of xorg.conf. SNA is designed to make the most of modern Intel graphics cards.

This release is aimed at developers rather than Linux end users. Besides the driver, it pairs with the stable 3.4.x version of the Linux kernel, released in May, which enables the RC6 power saving mode by default. Those who want to get their hands on the package can download it from Intel’s Linux graphics driver web site. Its source code is licensed under the MIT and GPLv2 licences.



Microsoft’s Bigguns

In April Microsoft made news when it became a top-twenty contributor to the Linux kernel. The Redmond giant contributed over 20,000 lines of code in support of Hyper-V. This was a striking turn around. Remember, Microsoft’s CEO once described Linux as a “cancer.”

Although it contributed over twenty thousand lines of code, the Internets are now abuzz over a single line of code in hv/hv.h line 45:

  #define HV_LINUX_GUEST_ID_HI 0xB16B00B5

A Microsoft programmer assigned 0xB16B00B5 to HV_LINUX_GUEST_ID_HI. That’s a hexadecimal number whose value is 2,976,579,765. But that’s not what has the Internets all worked up. Look again. 0xB16B00B5 is 1337-speak for BIG BOOBS.



SSH – Disable known_hosts Prompt

Do you have scripts that do remote procedures over ssh? Do host key checks occasionally cause them to break? This entry will show you how to avoid that mess and keep your scripts running smoothly.

BACKGROUND

The ssh protocol verifies the host key against a local file (known_hosts) to confirm the identity of the remote server. By default, the user is prompted to accept a new key or warned when the host key changes (like after a server rebuild). This is a nice defense against man-in-the-middle attacks, but it plays havoc with scripts. If a prompt occurs, your script stops and waits for input.

FIX

There are two ways you can avoid this problem. You can pass parameters to ssh or you can change the system setting in ssh_config. If you want to turn off host key checks for scripting, then we recommend using command line parameters. You only type them once when you write your script and they only affect that instance of ssh.

By default, StrictHostKeyChecking is set to ‘ask.’ That’s why you’re prompted to accept a key. In order to avoid the prompt, you can change that to ‘no.’ When it’s set to ‘no’ the key is stored with no questions asked.

Unfortunately, that’s not as clean as it seems. Setting StrictHostKeyChecking to ‘no’ only quiets the prompt for hosts ssh has never seen. When a host’s key changes (it was rebuilt, or an upgrade regenerated its keys) or an entry in known_hosts gets mangled, ssh still complains, and warnings like these land in your script’s output:

key_read: uudecode AAAAAAAB3NzaC1yc2EAAAABIwAAAQEAzh1G5NiiEfawhBhly
VLR92Q/+iXZ3Bs56RBLZtso/lEFk9TYZuS+Qp+tKOIv1j5HpuwsoIAZt6A1fJfCHfN3
KYtuWNbdMywuoOUb5Z9S0c/3jyeesy2eTy+ZZjgb0uPdU8cCKg029NF9gQr5tbDlrj+
vW6QvvWJ0KVJFJPWg6u3/Qt/N/xlPXziyHv4HKuzMDoRLQ5ltiC8zk3ZefeRK7ZZKtp
qSneTsHZt7alOGOsKTrPL5PA50QwBiNJFbvrnmJs2Xjk3x6MunXFuRSZCEsGboQWDie
whcOFxDlkYfWjHNbShPYBY3xuq/MnsL8QHUx9AT75wpl2U0/KFbXsMAKw==
 failed
key_read: uudecode AAAAAAAB3NzaC1yc2EAAAABIwAAAQEAzh1G5NiiEfawhBhly
VLR92Q/+iXZ3Bs56RBLZtso/lEFk9TYZuS+Qp+tKOIv1j5HpuwsoIAZt6A1fJfCHfN3
KYtuWNbdMywuoOUb5Z9S0c/3jyeesy2eTy+ZZjgb0uPdU8cCKg029NF9gQr5tbDlrj+
vW6QvvWJ0KVJFJPWg6u3/Qt/N/xlPXziyHv4HKuzMDoRLQ5ltiC8zk3ZefeRK7ZZKtp
qSneTsHZt7alOGOsKTrPL5PA50QwBiNJFbvrnmJs2Xjk3x6MunXFuRSZCEsGboQWDie
whcOFxDlkYfWjHNbShPYBY3xuq/MnsL8QHUx9AT75wpl2U0/KFbXsMAKw==
 failed
Last login: Fri Jul 13 11:09:36 2012 from jdfulmer-lt.joedog.org
RedHat 5Server - LinuxCOE 4.2 Fri May 11 09:48:33 EDT 2012

We can avoid this mess with another setting. Instead of saving host key entries to known_hosts, we can bury them in /dev/null by pointing the UserKnownHostsFile parameter there. With nothing to read, ssh treats every host as new, and whatever it writes is thrown away. Understand what you give up: with UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no, ssh accepts whatever key is presented by whatever answers at that address. A rebuilt server and a man-in-the-middle relaying your session look identical, and the relay can read the session (and capture the password, if you use one). The prompt you are suppressing was the only check. That trade is acceptable for disposable hosts on a network segment you control; for anything else, distribute a pre-populated known_hosts with the script (from configuration management, or from an ssh-keyscan run you have verified against the fingerprint on the console) and leave strict checking on.

IMPLEMENTATION

There are two ways we can implement this. One is at the script level and the other is at the system level. If we want interactive sessions to keep prompting for host key checks, we confine the configuration to the script. This can be done with OpenSSH’s -o option. Here’s an example in which we run the hostname command on a remote server:

ssh -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
       user@host /usr/bin/hostname -s

To set this configuration system-wide, place these entries in /etc/ssh/ssh_config (or in ~/.ssh/config for a single account). Better still, put them under a Host block that names only the hosts your scripts talk to, so interactive logins elsewhere keep their checks:

StrictHostKeyChecking no 
UserKnownHostsFile /dev/null
LogLevel QUIET

NOTE: This configuration applies only to OUTBOUND ssh connections. This does not affect your system’s inbound ssh traffic.

UPDATE: I added LogLevel QUIET to the ssh_config above. This is the same as running ssh with a “-q”. It suppresses all warning messages, which may wreak havoc on your scripts. Bear in mind it also silences the REMOTE HOST IDENTIFICATION HAS CHANGED warning and the reason for a failed connection, so have the script check ssh’s exit status (255 for any connection-level failure) rather than relying on its output.
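What the safer version of a scripted ssh call looks like, as an added example (not from the original post): the script carries its own pinned known_hosts file, refuses to talk to hosts that are not in it, and uses BatchMode=yes so ssh fails instead of prompting. The pinned file path, the host names and the key strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: run a remote command from a
# script without ever being prompted, while still verifying the host key.
# In place of StrictHostKeyChecking=no, the script carries a pinned
# known_hosts file that you distribute with it (from Puppet, or from
# ssh-keyscan run once over a trusted path and compared with the
# fingerprint on the console). The path below is an assumption.

PINNED=${PINNED:-/etc/ssh/pinned_known_hosts}

# Exit 0 if host $1 appears, unhashed, in known_hosts file $2.
# Handles "@cert-authority"/"@revoked" markers and comma-separated names;
# hashed entries (HashKnownHosts yes) and wildcard patterns are left to
# ssh-keygen -F "$1" -f "$2".
pinned_has_host() {
    awk -v h="$1" '
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        { f = ($1 ~ /^@/) ? $2 : $1 }            # names follow a marker, if any
        f ~ /^\|/ { next }                       # hashed entry, not matched here
        { n = split(f, names, ",")
          for (i = 1; i <= n; i++)
              if (names[i] == h) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$2"
}

# Run "$2 ..." on host $1. BatchMode=yes turns every prompt (unknown key,
# changed key, password) into a failure, and ssh exits 255 for any
# connection-level error, which is distinguishable from the remote
# command's own exit status.
run_remote() {
    host=$1; shift
    if ! pinned_has_host "$host" "$PINNED"; then
        echo "$0: [error] $host is not pinned in $PINNED; refusing to connect" >&2
        return 2
    fi
    ssh -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$PINNED" \
        -o ConnectTimeout=10 \
        "$host" "$@"
    rc=$?
    [ "$rc" -eq 255 ] && echo "$0: [error] ssh to $host failed: key mismatch or unreachable" >&2
    return "$rc"
}

# Write a constructed pinned file (the keys are not real) so the check can
# be exercised without a network.
write_demo_pinned() {
    cat > "$1" <<'EOF'
# constructed entries for the example; key material is not real
tommy.joedog.org,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotRealDemoKeyNotRealDemoKeyNot
[bastion.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotRealDemoKeyNotRealDemoKeyNot
@cert-authority *.joedog.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotRealDemoKeyNotRealDemoKeyNot
EOF
}

# Usage from the archive or monitoring script:
#   run_remote tommy.joedog.org /usr/bin/hostname -s || echo "remote call failed: $?"
```

The pinned file is the same format as ~/.ssh/known_hosts, so a key change on a rebuilt host shows up as a hard failure (exit 255) that you fix by updating the file from a verified fingerprint, never by deleting the check.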



Mondoarchive Exclude List Failures

To illustrate config files in sh scripts, I published my mondoarchive script. That script dynamically builds a mondo exclude list from a list of directories inside a file.

Since I published that article, many of you have arrived here after Googling mondoarchive exclude lists. It seems they’re failing you. Fear not, faithful Googlers. Your JoeDog has experienced this pain and he can help.

There are two main problems with mondoarchive exclude lists that cause the program to ignore them. One is documentation and the other is a bug.

Older versions of mondoarchive use space separated exclude lists. You construct them like this:

  -E "/usr/src /data/archive /usr/local/src"

Since version 2.2.9.5 the syntax has changed for both -E and -I. Whereas older versions used space separated lists of directories, newer versions use pipe separated directories. If you have a newer version, construct your lists like this:

  -E "/usr/src|/data/archive|/usr/local/src"

The other problem I’ve encountered appears to be a bug. The first directory in my exclude list wasn’t being excluded. To fix that problem, I’ve placed /tmp first in all my exclude lists.

  -E "/tmp|/usr/src|/data/archive|/usr/local/src"

Problem “solved.”



Creating Config Files For sh Scripts

Your JoeDog uses mondorescue for bare-metal Linux restoration. We use mondorestore to recover the OS and Net Backup to recover its content. Since we’re only concerned about archiving the OS for bare-metal recovery, it’s necessary to exclude directories when we run mondoarchive.

My exclude requirement varies from server to server so I wanted to build the list dynamically. As a coder, I have religious aversion to altering scripts for the purpose of configuring them. If we set config variables inside the script, then we have a different version on every server. That’s a paddlin’.

For my mondoarchive script, I developed a pretty slick way to read a configuration file and build an exclude list. The list is configured in a conf file that ignores comment lines and superfluous white space. A typical configuration looks like this:

#
# This file is maintained by the Puppet Master 
# 
# This is the exclude list for mondoarchive Directories inside
# this list will not be archived for bare metal recovery.
#
/tmp
/export
/usr/src
/var/mail
/var/cache
/var/log

My mondoarchive script builds a string of pipe separated directories like this:

/tmp|/export|/usr/src|/var/mail|/var/cache|/var/log

Since very few of you will have a similar use case, I wrote an example that reads the file into a sh “array” (a whitespace-separated list that a for loop word-splits). This version will loop through the array and print each entry.

#!/bin/bash
# An example script that reads a list from a config
# file into a sh script array (a whitespace-separated
# list that the for loop below word-splits).
# Uses bash syntax ([[ ]], ${var:0:1}, let); see the
# XXX note below for a portable alternative.
CONF="haha.conf"
LIST=""
#
# Read the directory list from $CONF
if [[ -e $CONF ]] ; then
  while read -r line ; do
    chr=${line:0:1}
    # XXX: Use awk's substr on older systems like
    # HPUX which don't support the above syntax.
    # chr=$(echo "$line" | awk '{print substr($1,1,1)}')
    case $chr in
     '#')
       # ignore comments
       ;;
     *)
       # read strips leading/trailing whitespace,
       # so blank lines arrive empty: skip them
       if [[ -n $line ]] ; then
         if [[ -z $LIST ]] ; then
           LIST="$line"
         else
           LIST="$LIST $line"
         fi
       fi
       ;;
    esac
  done < "$CONF"
else
  echo "$0: [error] unable to locate $CONF"
  exit 1
fi
let X=1
for I in $LIST ; do
  echo "$X: $I"
  let X=$X+1
done

Let’s run this bad boy and see what happens:

$ bash haha
1: /tmp
2: /etc
3: /usr/local
4: /data/mrepo

If some of the concepts listed don’t make sense, then you might want to see our sh scripting cheat sheet. It will help you understand things like ‘-e $CONF’ and sh script arrays. Happy hacking.
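Both mondoarchive posts above turn a list of directories into an -E argument, so here is one added example (not the archive script linked below, and not mondoarchive’s own code) that does it in portable POSIX sh: it reads the conf file format shown above, picks the separator from the mondoarchive version, and rejects entries that would quietly wreck the archive. The config path and version string it is called with are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: build a mondoarchive -E list
# from a config file in portable POSIX sh, picking the separator by
# mondoarchive version (space before 2.2.9.5, pipe from 2.2.9.5 on).
# It refuses entries that would silently wreck the archive: a relative
# path, "/" itself, or a path containing the separator. The config path
# and version string are inputs assumed for the example.

# Print "|" for mondoarchive 2.2.9.5 or newer, " " for older releases.
mondo_sep() {
    echo "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 10000 + $3 * 100 + $4
        sep = (v >= 2020905) ? "|" : " "
        print sep
    }'
}

# Read directories from config file $1 and print them joined by $2.
# Comments (whole-line or trailing), blank lines and surrounding whitespace
# are ignored; duplicates and a trailing "/" are dropped.
build_exclude_list() {
    conf=$1; sep=$2; list=""
    [ -r "$conf" ] || { echo "$0: [error] unable to read $conf" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        case $entry in
            /)   echo "$0: [error] refusing to exclude /" >&2; return 1 ;;
            /*)  ;;
            *)   echo "$0: [error] '$entry' is not an absolute path" >&2; return 1 ;;
        esac
        case $entry in
            *"$sep"*) echo "$0: [error] '$entry' contains the list separator '$sep'" >&2; return 1 ;;
        esac
        entry=${entry%/}
        case "$sep$list$sep" in
            *"$sep$entry$sep"*) continue ;;      # already listed
        esac
        list=${list:+$list$sep}$entry
    done < "$conf"
    printf '%s\n' "$list"
}

# In the archive script (version string from your package manager; assumed):
#   MONDO_VERSION=${MONDO_VERSION:-2.2.9.5}
#   EXCLUDE=$(build_exclude_list /etc/mondo/exclude.conf "$(mondo_sep "$MONDO_VERSION")") || exit 1
#   mondoarchive ... -E "$EXCLUDE"
```

Because the function returns non-zero on a bad entry, the `|| exit 1` after it stops the archive run instead of producing a backup that silently skipped the wrong directories.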

UPDATE: Given the introduction to this post, it’s likely that many of you have arrived here in search of a mondoarchive backup script. Well, we won’t let you leave empty handed. You can grab my archive script here: Mondo Rescue Archive Script

This script builds both NFS recoverable archives and DVD images to an NFS mounted volume. Here’s its usage banner:

Usage: archiver [-c|-n]
Requires either a '-c' or a '-n' argument
  -c      create a CD Rom archive
  -n      create an NFS archive



Is There An AJP Functional Test?

There are plenty of helpful tools to test network services. If you want to check HTTP functionality, you could craft a request with curl, wget or “siege -g” to see if a server is functioning. If you understand the service protocol, you can always telnet to a TCP port and type a transaction.

Unfortunately, there aren’t many tools to help you test the AJP protocol. Sure, you can telnet to the port to ensure it’s listening, but how many people know how to craft an AJP transaction? I didn’t.

In order to help you test AJP servers like Apache Tomcat, I wrote ajping. It connects to a user-defined host and port and conducts a simple transaction. ajping validates the server’s response and clocks the length of the transaction. Over a LAN, you should expect times in the hundredths of a second. Keep in mind that AJP does no authentication of its own: port 8009 should be reachable only from the web server that fronts Tomcat, so if ajping gets an answer from anywhere else, fix the firewall first. This is a command line utility. In order to install it, run the following commands:

 $ wget http://download.joedog.org/AJP/ajping.txt
 $ mv ajping.txt ajping
 $ chmod +x ajping

You can test a server with it like this:

LT $ ajping tommy.joedog.org:8009
Reply from tommy.joedog.org: 7 bytes in 0.019 seconds
Reply from tommy.joedog.org: 7 bytes in 0.004 seconds
Reply from tommy.joedog.org: 7 bytes in 0.004 seconds
Reply from tommy.joedog.org: 7 bytes in 0.011 seconds
Reply from tommy.joedog.org: 7 bytes in 0.004 seconds
Reply from tommy.joedog.org: 7 bytes in 0.016 seconds
Reply from tommy.joedog.org: 7 bytes in 0.009 seconds
Reply from tommy.joedog.org: 7 bytes in 0.021 seconds
Reply from tommy.joedog.org: 7 bytes in 0.011 seconds
Reply from tommy.joedog.org: 7 bytes in 0.025 seconds

I’ve also incorporated this code into a check_ajp script for Zenoss. Remove the .txt extension and install it on Zenoss as you would any other script.  Happy hacking.
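For anyone who has not crafted an AJP transaction by hand, the added example below (not the ajping source) builds the CPing packet, parses the container’s reply, and times the round trip over bash’s /dev/tcp. The host and port in the usage line are assumptions; the packet layout is AJP/1.3’s.

```bash
#!/bin/bash
# Added example, not the ajping source: the smallest useful AJP/1.3
# transaction, the CPing/CPong a web server uses to check that the
# container is alive. Framing: client->container packets start 0x12 0x34,
# container->client packets start 'A' 'B' (0x41 0x42); then a 2-byte
# big-endian payload length, then the payload. The first payload byte is
# the message type: 10 is CPing, 9 is CPong. Needs bash (for /dev/tcp),
# od, awk and GNU date; the host and port are assumptions for the usage line.

# Wrap a payload given in hex in a client->container packet, as hex.
ajp_packet_hex() {
    local payload=$1
    printf '1234%04x%s' $(( ${#payload} / 2 )) "$payload"
}

# Validate a container->client packet given in hex and print the name of
# its message type. Fails on bad magic, a length that does not match the
# bytes present, or an unknown type.
ajp_reply_type() {
    local hex=$1 len type
    [ ${#hex} -ge 10 ] && [ "${hex:0:4}" = "4142" ] || return 1
    len=$(( 16#${hex:4:4} ))
    [ ${#hex} -eq $(( 8 + len * 2 )) ] || return 1
    type=$(( 16#${hex:8:2} ))
    case $type in
        3) echo SEND_BODY_CHUNK ;;
        4) echo SEND_HEADERS ;;
        5) echo END_RESPONSE ;;
        6) echo GET_BODY_CHUNK ;;
        9) echo CPONG ;;
        *) echo "UNKNOWN($type)" >&2; return 1 ;;
    esac
}

# Send one CPing to $1:$2 and time the CPong. Blocks if the container never
# answers; wrap in timeout(1) for monitoring use.
ajping_once() {
    local host=$1 port=$2 start end reply
    exec 3<>"/dev/tcp/$host/$port" || return 1
    start=$(date +%s.%N)
    printf "$(ajp_packet_hex 0a | sed 's/../\\x&/g')" >&3
    reply=$(head -c 5 <&3 | od -An -v -tx1 | tr -d ' \n')   # CPong is 5 bytes
    end=$(date +%s.%N)
    exec 3>&-
    if [ "$(ajp_reply_type "$reply" 2>/dev/null)" = CPONG ]; then
        awk -v h="$host" -v s="$start" -v e="$end" \
            'BEGIN { printf "Reply from %s: CPong in %.3f seconds\n", h, e - s }'
    else
        echo "no CPong from $host:$port (got: ${reply:-nothing})" >&2
        return 1
    fi
}

# Usage (host and port assumed): ajping_once tommy.joedog.org 8009
```

A CPong only proves the connector thread is answering; to check that the servlet container behind it still serves requests you need a Forward Request (type 2) with a real URI, which is what a front-end like mod_jk sends.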

UPDATE: I fixed the links to point to the new download location. H/T paalfe



Use Fido To Process FTP Uploads

Did you ever want to process a file immediately after it was uploaded via FTP? You could have the upload script execute a remote command after the file is uploaded. That requires shell access that you may or may not be able to grant. On the server, you could run a processing script every minute out of cron but that could get messy.

Fido provides an alternative method.

Starting with version 1.0.7, Fido has the ability to monitor a file or directory by its modification date. When the date changes, fido launches a script. We can use this feature to process files that are uploaded via ftp.

In this example, we’ll monitor a directory. In fido.conf, we’ll set up a file block that points to a directory. (For more information about configuring fido, see the user’s manual). This is our configuration:

/home/jdfulmer/incoming {
 rules = modified
 action = /home/jdfulmer/bin/process
 log = /home/jdfulmer/var/log/fido.log
}

With this configuration, fido will continuously watch /home/jdfulmer/incoming for a modification change. When a file is uploaded, the date will change and fido will launch /home/jdfulmer/bin/process. Pretty sweet, huh?

Not quite. The modification date will change the second ftp lays down the first byte. Our script would start to process the file before it’s fully uploaded. How do we get around that? We can make our script smarter.

For the purpose of this exercise, I’m just going to move uploaded files from incoming to my home directory. Here’s a script that will do that:

#!/bin/sh
PREFIX="/home/jdfulmer/incoming"
for F in "$PREFIX"/* ; do
  [ -e "$F" ] || continue      # empty directory: the glob stays literal
  # wait until no process (the ftp daemon) still has the file open;
  # lsof exits non-zero when nothing holds it
  while lsof -- "$F" >/dev/null 2>&1 ; do
    sleep 1
  done
  mv -- "$F" /home/jdfulmer
done

In order to ensure the file is fully uploaded, I ask lsof whether anything still has it open. lsof exits non-zero when no process holds the file, so the while loop keeps sleeping until the ftp daemon closes it, and only then does the script move the file. Checking the full path rather than grepping lsof’s whole output for the bare name means an unrelated process with a similarly named file elsewhere won’t stall the loop.

There’s just one more thing to think about. When the script moves the file what happens to the directory fido is watching? Yes. Its modification date changes. In my example, process runs a second time but does nothing since nothing is there. Depending on your situation, you may need to make the script a little smarter.
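A version of process that handles the problems above, as an added example (not the post’s script): it refuses to run twice at once, waits until the upload is closed and its size stops changing, and never overwrites an existing file in the destination. The lock path and the settle time are assumptions; the directories are the post’s.

```shell
#!/bin/sh
# Added example, not the post's script: a smarter "process" for fido to
# launch. It refuses to run twice at once (fido fires again when the
# directory's mtime changes, including when this script moves a file out),
# waits until an upload has been closed and its size has stopped changing,
# and never overwrites a file already in the destination. The directories
# are the post's; the lock path and the settle time are assumptions.
PREFIX=${PREFIX:-/home/jdfulmer/incoming}
DEST=${DEST:-/home/jdfulmer}
LOCK=${LOCK:-/tmp/process-incoming.lock}

# mkdir is atomic, so a directory doubles as a lock; fails if one is held.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1" 2>/dev/null; }

# Succeed once file $1 has kept the same size for $2 seconds and no process
# (the ftp daemon, mid-upload) still has it open. lsof exits 1 when nothing
# has the file open; if lsof is not installed only the size check applies.
file_settled() {
    f=$1; settle=${2:-2}
    [ -f "$f" ] || return 1
    before=$(wc -c < "$f")
    sleep "$settle"
    [ -f "$f" ] || return 1
    after=$(wc -c < "$f")
    [ "$((before))" -eq "$((after))" ] || return 1
    if command -v lsof >/dev/null 2>&1; then
        ! lsof -- "$f" >/dev/null 2>&1
    fi
}

# A destination name that does not exist yet: name, name.1, name.2, ...
unique_dest() {
    cand=$1/$2; n=0
    while [ -e "$cand" ]; do n=$((n + 1)); cand=$1/$2.$n; done
    printf '%s\n' "$cand"
}

process_incoming() {
    acquire_lock "$LOCK" || { echo "$0: another run holds $LOCK, exiting" >&2; return 0; }
    trap 'release_lock "$LOCK"' EXIT
    for f in "$PREFIX"/*; do
        [ -f "$f" ] || continue                   # empty dir: the glob stays literal
        until file_settled "$f" 2; do             # still uploading
            [ -f "$f" ] || continue 2             # vanished meanwhile
        done
        mv -- "$f" "$(unique_dest "$DEST" "$(basename -- "$f")")"
    done
    release_lock "$LOCK"
    trap - EXIT
}

# fido runs this script with the incoming directory in place; the guard
# keeps a copy sourced elsewhere (for testing) from touching a missing path.
[ -d "$PREFIX" ] && process_incoming
```

The second launch that fido triggers after the move simply finds the lock held (or an empty directory) and exits, so the re-trigger described above costs nothing.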



The Free Press

The Washington Examiner blared this headline: “Obama ‘a fan’ of singer accused of homophobia.” The singer is Cee Lo. To prove he was a homophobe, they quoted him. Here’s the self-incriminating money-shot: “I most certainly am not harboring any sort of negative feeling toward the gay community.” I hate the American news media….