Cloudweavers » Technique

google chrome for mac

pascal.charest — Thu, 27 Aug 2009 18:09:55 +0000

Google chrome for mac is available through a developer release: http://www.google.com/chrome/intl/en/eula_dev.html?dl=mac

Security @ DEFCON 17

pascal.charest — Mon, 17 Aug 2009 17:16:44 +0000

Survived! Well my laptop did – I’m exhausted and work was waiting for me in Montreal, but – let be honest, I can’t really complain.

For those who don’t know, the DEFCON is one of the leading hacker conference with over 8k attendees getting together in Las Vegas to share knowledge on hacking, cracking, social engineering, lock picking and similar discipline. Peoples come from all social group – 14y old video gamer to senior security specialist for the gov, going through consultant, programmer, developer and hobbyist. Fun crowd.

While my trip was flanked by 2 series of 4 vacation days (before and after), I was @DEFCON as the owner of Les Laboratoires Phoenix – my free software consulting firm – and as such, I was confronted to this dichotomy:

* I need Internet access to answer clients requests
* Connecting to Internet at DEFCON is professional suicide if your not up to it

Let me explain this second point a bit: first, the Wall of Sheep, an inline filter tracking unencrypted connections and broadcasting users credentials (including a partially obscured password) on a big screen in the lounge. Generally, the flow is quasi non-stop.

If you think that it’s not that bad, the password being garbled… think again : Wall of Death. It’s an inline switch, freely available, where the 7 ports broadcast a mirror of everything the firewall see (which is.. everything). Live, un-garbled, un-modified feed of everything in the pipe. In other words, if you are on the Wall of Sheep, then someone from the Wall of Death got your credential.

And then, this is only using the standard infrastructure. I am not mentioning peer attack, wireless impersonation and so on.

So, how to survive in such hostile environment ? Here’s a few rules (which should also be taken as golden rules if you work from your client’s office).

1) ‘netstat -lntp‘ ; this command (an output of incoming listing ports on your system) should return nothing. There is no need to have any listening services if you are ‘mobile’.

2) iptables -L -n -v ; this command give you your firewall rules. INPUT should be restricted to established and related connection with a default policy of DROP. OUTPUT, when in a ‘not-so-friendly’ environment, should defaulted to DROP with allowed outgoing on secure protocol only (http:443, ssh:22, …). If you need to connect to an un-encrypted destination, at least forward through a ssh-tunnel/proxy.

3) never auto-connect to unencrypted network. This is exactly what causes the wall of sheep to be full of iPhone user’s credentials. This cute little device can auto-connect to the unprotected network (such as DEFCON) and start sending security credential (un-encrypted) to twitter, facebook, myspace…

4) Do not take anything for granted. PREPARATION is the key. Before the trip, start collecting all your ssh-key fingerprint on your system, this can become really handy if someone tries some ‘not-so-great’ men-in-the-middle attack against you.

Well, thinking about it, number 4 is the best advice. DO NOT TAKE ANYTHING FOR GRANTED. In the last 2 years, there have been 2 attack against the SSL infrastructure disclosed at DEFCON. Btw, this is for GNU/Linux system. If you are using a Microsoft operating system at the DEFCON, you better… well… just don’t use it.

Zimbra & Sphinx & inodes & U.P.C. ; Being a free software consultant is all about diversity

pascal.charest — Tue, 14 Jul 2009 01:09:02 +0000

Being a free software consultant is all about the ability to adapt to any given situation… As the main conduit between my clients and the world of cutting edge technologies, they often call me to complete mandate that have little to do with my specialties. Officially, I build high throughput, high redundancy information system. However, here is a quick glance of my ‘monday’:

1. no more free inode on server
Database server of a client is sometimes throwing out error about inodes. This morning, I’ve decided to correct the problem once and for all.

#checking inodes
root@server:/home# df -hi | grep sda
/dev/sda1 640K 606K 35K 95% /

#checking free space
root@server:/home# df -h | grep sda
/dev/sda1 10G 5.1G 4.4G 55% /

A quick check shows 4.4G of free disk space but a little bit less than 35K inodes availables. Taking into account that each file require at least one inode… this could easily become a very dangerous situation. Resolving this issue isn’t very complicated : I’ve destroyed some of the 500k idle file on the server and move some more to another partition. Easy solution for a problem that can easily crash your server.

2. Zimbra & Sphinx ; 2 deployments
One client wanted an easy to manage, web accessible and fully featured messaging & collaboration software. Zimbra [website, download] is one of the easiest open source solution to recommend in those case. It integrate with active directory, it support full text search, tagging and got a very good web interface. Kinda of remind me of MailEnable (for Windows), but a lot less costly and available on GNU/Linux. I’ve completed quite a few single/multi-node deployment of Zimbra and I’ve always been impressed by the quality of the system. Hoo, and btw, I’m a certified Zimbra consultant.

Another wanted to add full-text search capacity to an existing MySQL database. While innodb & MyISAM built-in indexes can help speed up some queries, they are restricted by the b-tree data model. The second problems in this scenario is that the data is already partitioned in multiple database / servers. This is the perfect use case for Sphinx [website] with multi-tables/multi-databases data sources.

3. U.P.C. – BarCode reader
I’ve received a shipment of 8mm barcode reader for a client. The device is to be integrated in a point-of-sale solution my corp. (Les Laboratoires Phoenix) is developing for them. The small USB Acan device [ebay search] is easy to configure (scan specific code) and to use (act as a keyboard). True plug-and-play on Microsoft Windows XP, Vista, on GNU/Linux and Mac OSX Tiger… I’m very satisfied by the device and look forward to complete the assignment.

4. More stuff
Did way more stuff than those 3 contracts today… but hey, I can’t be writing down for all to see all my cool gigs and contracts! Some of those are actually protected by NDA or are still stealth.

retrieve client browser lang setting with php

pascal.charest — Thu, 09 Jul 2009 02:55:27 +0000

I promised a client I would give him a little PHP script to help him deal with internationalization (french/english visitors) of his website. So, here is a very simple way to retrieve your visitor’s browser language setting and fork through a IF clause based on this value :

< ?php
#we retreive the language
$lang = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2);

#if french $lang=fr, english $lang=en
if ( $lang==”fr” ) {
echo “ceci est la version francaise”;
}
else {
echo “other language”;
}

?>

This is not meant to be the ‘best’ way or the ‘easiest’, it is simply the way I would do it for a small project. If you got a better way, feel free to post it in the comment section of this post !

processor/CPU affinity on GNU/linux

pascal.charest — Fri, 19 Jun 2009 11:19:53 +0000

With the new computer trend of adding more processing core rather than speeding each of them, CPU affinity is becoming quite important. It allow intelligent GNU/Linux system administrators to bind specific process or hardware interrupt to a list of CPU or core. This binding capacity is very useful in database server and high throughput environment by removing a lot of context-switching request on high load cpu. It can even be used to offload workstation CPU of the dreaded ‘firefox’/'flash’ combo.

Here is a quite interesting article from Intel, Improved Linux* SMP Scaling: User-directed Processor Affinity, on the subject. It shows how to distribute hardware-based interrupts to specifics CPU to lower context switching. It is way more technical that this very article, but I don’t see the need to copy/paste everything. Read it, it worth it.

So, checking out a process cpu affinity is done with following syntax:

# taskset -pc ‘pid’

The processor IDs start at 0. The CPU-ID list is available with ‘cat /proc/cpuinfo‘.

Binding a process ID (pID) to a specific processor is done with the following command. The only difference between the list/bind command is the processor id list added before the pID. It can be inserted as a single digit (1) or a list (1,2,3) or a suite (1-3).

# taskset -pc 1 ‘pid’

There you go: your now able to bind this CPU intensive oracle process on specific core on this 16-ways system.

Links : old ‘for coder’ IBM article – another one for VMWare.

UBUNTU: mouse key (or keypad isn’t working anymore)

pascal.charest — Thu, 28 May 2009 13:08:34 +0000

I’ve updated to Ubuntu 9.04 and suddenly my keypad isn’t working anymore. What to do ?

Well, go in “System” \ “Preference” \ “Assistive Technologies” \ “Keyboard Accessibility” \ “Mouse Key”… and disable the little bugger that sometimes auto-enable itself after a distribution upgrade

GPG error with ‘apt-get update’

pascal.charest — Thu, 28 May 2009 12:53:59 +0000

This post is only a technical reminder for me. You can disregard.

This is a very frequent message when updating a APT based distro;

W: GPG error: http://ppa.launchpad.net jaunty Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 60D11217247D1CFF
W: You may want to run apt-get update to correct these problems

I always forget the GPG retrieve command (must be on one line):

#gpg –keyserver hkp://subkeys.pgp.net –recv-keys 60D11217247D1CFF

and the apt-key import command:

#gpg –export –armor 60D11217247D1CFF | sudo apt-key add -

There you go, no more problems.

deprecation of md-multipath

pascal.charest — Mon, 09 Mar 2009 12:39:47 +0000

Following a discussion with a potential client about building a ‘truly redundant system’, thought about warning solution developer of this thread on LKML :

There are talks of deprecating md-multipath (from the Linux kernel, for those that weren’t really following). Quite a few systems would be moving from md-devices to “something else”.

The new flavor of the month (or year, following your P.O.V.) is dm-multipath. The configuration file is straight forward and the RedHat Documentation is very decent.

Ok, I know: the names are confusing. MD device drivers stand for “multiple devices” and is also know as Linux software raid solution. DM is the acronym of “Device Mappers” and is more known as the pre-requisite for LVM2 (not LVM1, but then who still use that!?) or as the foundation of dm-crypt, a free software interface allowing block level encryption through Linux (v2.6+) kernel cryptoapi framework.

On the topic of names; This is where I insert this familiar rant. I’ve never quite understood the MD as ‘multiple device’ name. Linux kernel device names, other than the ones directly linked to hardware, are normally named after their function not a ‘source’. In this instance, MD as ‘meta-device’ would make perfect sense – A device about devices. Anyway… it wasn’t named like that…

Anyway, no labs planned for any of those two techs (yet) or for the migration of md toward dm. We never know, I’ll keep you guys informed.

top sysadmin stuff

pascal.charest — Sat, 07 Mar 2009 13:45:37 +0000

Being challenged everyday to augment my productivity, here is a few quick tricks/software helping system administrator.

1. BlackBerry

Yeah, I know. It was an easy one – and easy to expect since I’ve bought a Storm. Employees get to hate them (since they are always hooked to the business) but as owner of a small business, I NEED to be informed of everything going on. The ability of answering my email / instant messanging while in route between Montreal & Ottawa is of prime importance. My clients doesn’t need to know where I am or what I am doing, they know I’m ready to help them.

The BlackBerry by itself is not as feature-complete as the iPhone seem to be. Using the pre-loaded email client with gmail just doesn’t cut it. It’s using IMAP and discarding all your filter/labels for incoming messages. There is an alternative : gmail mobile application. Available from the central mobile application repository of Google. Using a customized alert setting, you can be informed when you have new mail (in your inbox), while preserving your filter/label configuration. While you are there, you should also install the maps application, can always be handy.

Another “must-have” app. for sysadmin is MidpSSH. Which, as its name make it pretty clear, is a SSH/Telnet client. There have been a few reports of incompatibility between Storm and midpssh – yet, with an up-to-date OS/taking into account that your device often capitalize the first letter (of a username)/openssh is case-sensitive, you should not have any problems to connect to GNU/Linux systems.

2. Monitoring software

A good monitoring system watching over your network is a life saver and all the difference between you informing your client of a system failure or the other way around. Nagios is pretty well known and getting help is very easy since the community is so dynamic. Another software doing the same job is Zabbix. I do have some predisposition toward it, being a certified expert. Both are free softwares and are easy to install/configure. Zabbix does have a cuter interface though – can become handy if your client require access.

Both software allows sysadmins to run remote command. Personally, I find those systems to be way too complicated to setup when Monit is easily available. Its configuration allow a syntax very similar to : if load > 5 for 10 minutes, then stop postfix-delivery. Another life saver when you don’t expect your remote monitoring agent to be able to launch a command. I use it for limits like (if load>80 for 2 minutes, then stop {httpd,mysqld}). If your system is badly losing interactivity, your normal remote monitoring software will never be able to save your system (ssh will timeout).

3. Log/Security software

While Zabbix/nagios can do some checksum on important files (such as /etc/passwd, /etc/shadow, …), they are not ready as IDS (Intrusion Detection System) yet. For such system, I recommend OSSEC. Following the online documentation, you will have a log-analysis system created in no time – using thousand of rules given with the software. Customization can also be done pretty quickly. The ‘action’ following a trigger can be email-alert or a command. The system come with a pre-built interface to iptables… port-scanning and brute force password testing are no more.

Add to all these tools a svn repository for your code, an Puppet system for global configuration and some wiki for documentation and you should have a pretty strong backbone to deal with anything your clients throws at you.

removing mysql-bin log files

pascal.charest — Wed, 25 Feb 2009 16:04:02 +0000

One of the main part of Laboratoires Phoenix sentinel network is the Zabbix monitoring system.

In direct correlation with this fact is that the main concern inside this sentinel network is the database footprint of MySQL. I do not mean the ‘size-in-memory’, since I do have quite enough ram on those systems. And I’m not doing that much caching since data change very, very often. What I mean is the size of the database & binaries log-files on disk.

To make the story short: I always move /var/lib/mysql on a separate partition to be certain a db surge would not bring down / compromise other server functions. Seem like I forgot (on one of the system) that Debian standard location for the mysql-bin log-files was in /var/log/mysql.

Since those are independent servers (not multi-master / replicated MySQL system), here is the magic sequence to remove unused mysql-bin files.

# vi /etc/mysql/my.cnf
[modify bin-log number/space usage]
# ls -la /var/log/mysq/
# mysql -uroot -p
[enter password]
# purge binary logs to ‘mysql-bin.000321′;
[where mysql-bin.000321 is one of the last / up to the point you want too keep].

There you go.