Daniel Lange's blog (Entries tagged as updated)

Keeping IRC nicks active

nospam@example.com (Daniel Lange) — Tue, 18 May 2010 23:50:00 +0200

Typical IRC services usually allow you to register with nickserv and link a number of nicks to a personal account. It's quite common to have nick, nick_ and nick__ as many IRC clients auto-append underscores if the primary nickname is already in use when connecting. Obviously you can set these alternate nicknames to almost anything you like in a decent client.

Some folks also group a "vanity" nickname or two for whatever reason. To keep these active, people do the "nick shuffle" (/nick newnick, /nick oldnick) all the time:

People who forget the occasional nick shuffle may end up losing a grouped nick because it became inactive. While freenode staff try to contact people before dropping linked nicks, there are occasional prunes of "old data" from the services database. And then nobody can really ask upfront.

So before the next big purge comes up, I wrote a small bash script that logs into a nickserv account and cycles through the linked nicks. A few friends and me have used it successfully for many months now.

Grab a copy of keepnick (2.4kB) and drop it into /usr/local/bin.

Keepnick expects to have an accountname, the corresponding password and then a sequence of linked nicks given on its command line.

Something like

/usr/local/bin/keepnick accountname passw0rd linked_nick linked_nick_ vanity_nick MyOtherNick

should work.

For regular use, you need to set up a cron job to call keepnick e.g. every week. So put something like the following script into /etc/cron.weekly/keepnicks_irc or create a corresponding crontab entry for keepnicks_irc if you do not have the convenient cron.* directories set up:

#!/bin/bash
#
# run keepnick for user(s) irc account(s)
# intended to be run from cron, e.g. through /etc/cron.weekly
#

KEEPNICK="/usr/local/bin/keepnick"
# better safe than sorry
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
export PATH

$KEEPNICK accountname1 passw0rd1 linked_nick1 linked_nick1_ linked_nick1__
$KEEPNICK accountname2 passw0rd2 linked_nick1 linked_nick2_ linked_nick2__

You should see keepnick in action now every week like this:

What happens here is that the IRC services package tells you, keepnick has just authenticated to your account and will now shuffle through all nicks you asked it to. The big advantage is that is does this outside of channels, so not annoying any users. The cron job should make sure you don't forget the nick shuffle anymore.

Making sure your bash supports network connections

Stock bash will support network connections but on Debian and old (=pre-karmic) Ubuntu that capability was disabled at compile time.

If you need to check whether your bash is compiled with network support, type cat < /dev/tcp/time.nist.gov/13 into a bash terminal.

In case that gives you a RFC-867 time string, you're all fine. If not, re-compile your bash with --enable-net-redirections.

Now for something more advanced (but entirely optional):

Continue reading "Keeping IRC nicks active"

Binding applications to a specific IP

nospam@example.com (Daniel Lange) — Sat, 09 Jan 2010 20:00:00 +0100

These days many systems are multi-homed in the sense that they have more than one IP address bound at the same time.
I.e. for different network cards, virtual IPs for shared servers or just using WiFi and a wired network connection at the same time on a laptop.

Murphy of course makes sure that your system will choose to worst IP (i.e. that on slow WiFi or the one reserved for admin access) when an application does not specifically supports binding to a selected IP address. And Mozilla Firefox for example doesn't.

The kernel chooses an outgoing IP from those in the routing table with the same metric:

daniel@server:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1         0.0.0.0         U     0      0        0 eth0
0.0.0.0         192.0.2.2         0.0.0.0         U     0      0        0 eth1
0.0.0.0         192.0.2.3         0.0.0.0         U     0      0        0 eth2
0.0.0.0         192.0.2.4         0.0.0.0         U     0      0        0 eth3

You can obviously play around with the metric and make the kernel router prefer the desired interface above others. This will affect all applications though. Some people use the firewall to nat all packages to port 80 onto the network interface desired for web browsing. Gee, beware the http://somewebsite.tld:8080 links...

Thankfully Daniel Ryde has solved the problem via a LD_PRELOAD shim. With his code you can run

daniel@laptop:~$ BIND_ADDR="192.0.2.100" LD_PRELOAD=/usr/lib/bind.so firefox (*)

and happily surf away.

To compile his code (3.3kB, local copy, see note 1) you need to run

gcc -nostartfiles -fpic -shared bind.c -o bind.so -ldl -D_GNU_SOURCE
strip bind.so
cp -i bind.so /usr/lib/

and you're set to go.

If you don't have gcc available (and trust me) you can download pre-compiled 32bit and 64bit (glibc-2) bind.so libraries here (4.5kB).

I guess because Daniel Ryde hid his code so well on his webpage, Robert J. McKay wrote another LD_PRELOAD shim, called Bindhack (4.5kB, local mirror). This will - as is - only compile on 32bit machines. But YMMV.

Run the above command (*) with your desired (and locally bound) IP address in bash and visit MyIP.dk or ShowIP.be or any of the other services that show your external IP to see whether you've succeeded.

Notes:

Daniel Ryde did not specify the -D_GNU_SOURCE in the comments section of bind.c. Modern glibc/gcc need that as he used RTLD_NEXT which is Unix98 and not POSIX. I amended the local copy of bind.c and sent him an email so he can update his.
Both are IPv4 only, no IPv6 support.

Updates:

22.06.12 Lennart Poettering has a IPv4 only version of a shim and a rather good readme available at his site.

29.11.10 Catalin M. Boie wrote another LD_PRELOAD shim, force_bind. I have not tested this one. It's capable of handling IPv6 binds.

11.01.09 Daniel Ryde has replied to my email and updated his local copy now as well.

httpdate - set local date and time from a web server

nospam@example.com (Daniel Lange) — Wed, 22 Oct 2008 23:55:13 +0200

While ntp may be a great protocol, I find it quite bloated and slow for the simple purpose of just setting a local date and time to a reference clock. I do not need 20ms accuracy on a notebook's clock . Thus I use(d) rdate for a decade now but the public rdate servers are slowly dying out. So I'm replacing it more and more with htpdate which works quite nicely. It's written in C and a perl alternative is available on the author's site. There is also a forked windows version of it available.

Developing a bit larger bash script (which syncs a few servers), I wondered whether I could realize the time sync part in bash as well.

It's quite possible:

# open a tcp connection to www.google.com
exec 3<>/dev/tcp/www.google.com/80
# say hello HTTP-style
echo -e "GET / HTTP/1.0\n\n">&3
# parse for a Date: line and with a bit of magic throw the date-string at the date command
LC_ALL=C LANG=en date --rfc-2822 --utc -s "$(head <&3 | grep -i "Date: " | sed -e s/Date\:\ //I)"
# close the tcp connection
exec 3<&-

Simple, eh?

Continue reading "httpdate - set local date and time from a web server"

Disabling a group policy'd screensaver on Windows

nospam@example.com (Daniel Lange) — Wed, 13 Aug 2008 21:33:05 +0200

I guess many people know the issue of having a screen saver forced active after a some time through a group policy in a corporate environment. This is usually done to make sure systems are locked during breaks if people forget to press Win+L (or Ctrl+Alt+Del and then Enter). While that may well help IT security, it turns problematic when giving presentations for extended periods of time. Having to move the mouse through the presentation pointer every few minutes or dash back to the PC once the screen saver has kicked in, again, is simply annoying. On your company's systems you may be able to get the system admins to allow configuration of the interval or allow for disabling the screen saver, but on foreign systems you're often lost. But...

Continue reading "Disabling a group policy'd screensaver on Windows"

kloeri announces Exherbo, another source based Linux distribution

nospam@example.com (Daniel Lange) — Mon, 19 May 2008 19:00:00 +0200

Bryan Østergaard (aka kloeri) announced Exherbo today. He assembled a team of (ex-)Gentoo developers including Ciaran McCreesh (ciaranm), Richard Brown (rbrown), Fernando J. Pereda (ferdy) and Alexander Færøy (eroyf) to build a new source based Linux distribution.

They would like to overcome some of the short-commings of Gentoo both from a technical as well as from a community perspective. Obviously this is easily said and hard to really achieve, so time will tell how successful that team can be. Renaming USE-Flags to OPTIONS and merging the platform KEYWORDS (like x86, ~x86) into the Options-logic is no big deal, but getting the thousands of ebuilds^Hpackages better supported and maintained than Gentoo will be the real deal{maker|breaker}.

Paludis, ciaranm's package manager, supports Gentoo ebuilds and can import them into Exherbo, so there is a potential migration path sketched out.*

They also add another init-system re-write ("Genesis") to the pool. An already quite crowded pool with rather shallow water, I may add.

Exherbo has nothing that is end-user-safe at the time of the announcement, so it's safe to assume kloeri's team wants to attract further development capacity .

Browse around the website or join folks in #exherbo if you're interested.

I asked in #exherbo what "exherbo" means ... latin for "uproot" was the answer. How fitting.

Updates

*19.04.08: Two friendly folks wrote in to clarify that Paludis currently can only import Ebuild-builds into Exherbo via importare, i.e. take a Gentoo build result and package it for importing into the Exherbo system through Paludis.
23.05.08: Ciaranm wrote a blog entry how to get build results into Exherbo/Paludis via importare.

Updated Greasemonkey script for Xing

nospam@example.com (Daniel Lange) — Sat, 05 Apr 2008 23:45:37 +0200

Xing has just updated it's image-thumbnails naming "algorithm" once again:

You'll now find thumbnails named /2f1127fe2.3144098_s2,2.jpg, so including another component like <comma><digit> added to the name. Thus the Greasemonkey script linked from my article Greasemonkey to enlarge Xing pictures needs to have it's main regex amended:

Change \_s(1|2|3)?\. to read \_s(1|2|3)?(,\d)?\. in three places in the script.

Or download an updated version here. I hope "louis" will update the version hosted at userscripts.org, too.

Updates

02.05.2008 As Xing adds multi-digit numbers to the thumbnails now (like /7553bd445.4550412_s2,10.jpg), you need to replace \d with \d+ in the above regex. The linked Greasemonkey script is updated.

16.11.2011 And again the URLs changed. This time appending a pattern like ,4.57x75.jpg. The linked script again was updated. If Scriptish and the auto-updating in Greasemonkey mature, I'll add auto-updating to the script file via the @updateURL parameter.

13.05.2012 The Xing layout is still changing as they Ajaxify the site more and more. Currently the Xing XE is probably the best working enhancement to see Xing pictures in a recognisable size.

Greasemonkey to enlarge Xing pictures

nospam@example.com (Daniel Lange) — Wed, 27 Feb 2008 23:30:00 +0100

I use Xing to manage some of my business contacts and even some friends have profiles there as well.

The default size of contact's pictures displayed on one's Xing homepage is 18x24px. On a higher dpi screens, you can thus barely recognize the person shown. As there are multiple sizes of all images available, it's pretty easy to just take (for example) http://www.xing.com/img/users/d/f/1/f34814409.5648827_s1.jpg, remove the _s1 and see a 140x185px version of the picture.

Greasemonkey, a Firefox extension to run user specified scripts on selected pages that you visit, can automate this with a nice script from user louis to download here. Or my updated version here.*

So, everytime I now hover my mouse over a tiny Xing thumbnail, it will show the "full resolution" version of the image. Simple, efficient.

Update

* Xing changed it's image naming scheme a bit, so one needs an updated Greasemonkey script for all images to work again. Link inserted into the article text ("Or my updated version here.")

Wikimedia Fundraiser 2007/2008 Report published by Wikimedia Foundation

nospam@example.com (Daniel Lange) — Fri, 01 Feb 2008 07:30:22 +0100

Eric Möller has published his report on the Wikimedia 2007/2008 fundraiser. I found it because he hotlinked one of the images that I created for my detailed analysis. His report lists some interesting new information:

Wikimedia got $50,000 in Google stock from another - yet again - anonymous donor.
The Wikimedia chapters (local organisation units e.g. in Germany or France) have collected nearly $250,000 in their fundraisers (mostly in Germany). The Germans buy stuff of their own from the money. Only the Swiss donated 25% of their raised budget back to Wikimedia foundation. Eric explains: "The lack of a clear understanding between chapters and the Foundation about the role and responsibilities of the different entities in the fundraising process is an additional impediment. For example: Should chapters share fundraising revenue with the Foundation, and if so, how? [..] The German chapter has an informal agreement with the Foundation to invest half of its fundraising revenue in ways directly benefiting WMF projects."
Eric says it was not intended to raise the full $4.6m. Somehow people just mis-interpreted the fundraiser that way: "The publication of the planned spending was misunderstood by some to indicate that the fundraiser's goal was to raise 4.6 million dollars. [...] Inquiries related to the actual financial target of the fundraiser were less common, probably in large part due to the publication of the Foundation's planned spending."

The report is extremly low on self-criticism. There is no insight visable that not giving a financial target was a major bummer or that the general intransparency, unprofessional communication and amateurish reporting on financial issues was keeping many people from donating. Nothing about missing the 100,000 donors target, either. There is not a word on the webcomics deletion issues and the subsequent call by the webcomics community to boycot the fundraiser or the scandal around hiring a convicted felon as COO because of unprofessional HR work. Not a word on the ridiculous "dinner with Jimmy Wales" for people donating $25,000. Nobody even donated $10,001.

"Also, given that most of the viewers of the planned spending distribution had no financial background, the level of explanations given was probably not sufficient." Come on, Eric, the people with financial background are not even considering the published material as "planning".

And next time, please link a blog entry and not some graphics. Criticism is healthy. Let people develop an opinion of their own. Try putting a "public criticism" section into your report. It will definitely add to the report's credibility.

Update

03.02.08: Eric has ammended information from the Italian chapter. They raised around $3,000 and forwarded it all to Wikimedia foundation.

Wikimedia Fundraiser Analysis III

nospam@example.com (Daniel Lange) — Sat, 05 Jan 2008 18:10:00 +0100

The official Wikimedia fundraiser had been extended into January, 3rd 2008, has been kept up on the 4th and is kind of still running. The site notice has been trimmed down to a thank you message but still requests further donations, which are also continuously added to the official daily funds list and running totals as of the press time of this article.

I've presented two interim analysis

Wikimedia Fundraiser analysis I on 03.11.07, some two weeks into the fundraiser
Wikimedia Fundraiser analysis II on 23.11.07, summing up expectations and results for the initially intended duration of the fundraiser (22.11.07)

Today, let's wrap up the fundraiser until the second official close date 03.01.08:

From 22.10.07 until 03.01.08 43,837 people have contributed a total of $1,467,446 (US) according to Wikimedia's own stats (see the previous two articles mentioned above for a discussion of their reporting scheme).

Continue reading "Wikimedia Fundraiser Analysis III"

SSHd chroot and PAM

nospam@example.com (Daniel Lange) — Sun, 18 Nov 2007 19:09:14 +0100

SSH with chroot patch has been working fine for a number of years. Since PAM v0.99 things have broken though, if users are chrooted with the "/home/username/./" syntax as their homedir.

SSH sessions will just terminate immediately after successful logon. Doh.

Two solutions exist:

Put UsePAM no into /etc/ssh/sshd_config and use the chroot patch and /./ in users homedirs
Keep UsePAM yes. Emerge sys-auth/pam_chroot and add session required pam_chroot.so to /etc/pamd.d/sshd setup /etc/security/chroot.conf or add a chroot_dir=/home/username/ to the pam_chroot.so line.
This will currently not work for amd64 though as the Gentoo bug regarding pam_chroot has not cought any attention from the arch testers. Since July...

Bugging the arch testers in #Gentoo-amd64 didn't help either:

Continue reading "SSHd chroot and PAM"

Wikimedia Fundraiser Webpage now cuts off at the last 10.000 donations

nospam@example.com (Daniel Lange) — Tue, 06 Nov 2007 17:00:00 +0100

The Wikimedia Foundation has changed their donation web pages again. Now they cut off the "Recent contributions" at 400 pages of (max.) 25 donors each. Thus the commands I gave in the Wikimedia Fundraiser analysis article can't be repeated to give the full picture anymore. You can now only get a view of the last 9-10 days.

The implementation has obviously been done quite hastily. If you select the "Filter" to show only one page of results, you'll still get the (now hard-coded) 0 .. 400 pages selector at the bottom.

I've been pointed at two other resources on the recent fund raiser for information:

There is an IRC Channel that lists donations (irc://irc.freenode.net/#wikimedia-donations). Running it a few minutes, it showed far fewer donations coming in than the better known web page though.
There are a few threads in the Wikipedia Review Forum that deal with the fund raiser. The discussions there are very Statler and Waldorf style but these folks also did the math.

Updates

09.11.07: Casey Abell has added http://donate.wikimedia.org/en/node/22 to the comments which lists a daily report of the funds collected. Thanks Casey! The numbers match very well with my analysis. Wikimedia currently reports $27,97 average donation. I measured $27,85 six days ago. That seems stable. Interim conclusion:There are still major individual donations required to get anywhere above $2m.

10.11.07: Casey generates a nice graph of the daily funds collected here.

Wikimedia Fundraiser Analysis

nospam@example.com (Daniel Lange) — Sat, 03 Nov 2007 22:00:00 +0100

The Wikimedia Foundation, the organisation behind Wikipedia, is running their annual fund raiser since October 22nd. There have been numerous complaints that the Wikimedia Foundation did not name a target sum to be achieved or is in other way acting intransparent. There may be good reasons for that:

The last fund raiser was "tough" to get through already and raised about one million dollars with $20 average contribution as to what Bruno Giussani reported from Lift '07.
The foundation grew from $56,666 turn-over in it's fiscal year 2003/2004 to $283,487 (2004/2005) and $1,066,785 (2005/2006). The 2006/2007 figures are still not reported, but it's safe to estimate that the 4x increase of the previous year has slowed down a bit.(see Updates section below) See http://wikimediafoundation.org/wiki/Finance_report for the scarce details.
The budget planning for fiscal year 2007/2008 totals $4.611m. The break-down is very rough and little effort is spent to explain the figures to the general public.
The suggested donations have been set high at $200 to $40 with marketdroid speak to sell that:
"If you and 99 other people donate .. $200 – We can ...".
It's not very likely a target in the range of the planned budget can be achieved from Joe, Dick and Harry's contributions. Wikimedia may need Larry, Sergey or Mark here. (I'll leave that without links for you to think about )

So - to make the best of this - and continue being unnecessarily intransparent, Wikimedia (cough Jimmy Wales, cough) has decided to only list the number of donors as the "progress report".

Their "meter" currently looks like this:

You can easily analyse the scale to find that Wikimedia hopes 100.000 people will contribute.

Continue reading "Wikimedia Fundraiser Analysis"

Multiple Apache VHosts on the same IP and port

nospam@example.com (Daniel Lange) — Sat, 13 Oct 2007 14:00:00 +0200

I just learned yesterday again, what I knew a few years ago, but since had forgotten:

You cannot put multiple SSL-enabled virtual Apache hosts onto the same IP and port.

Apache cannot identify which VirtualHost to serve a request from because the payload is encrypted in its entirety. So a

Host: servertwo.tld

header cannot be parsed until the encryption has been removed. Which requires the key, which is listed in the VHost section that could not be identified in the first place... So a name-based VirtualHost-configuration like this won't work:

Listen 443
NameVirtualHost *:443
<virtualhost>
SSLEngine On
ServerName serverone.tld:443
SSLCertificateFile /etc/apache2/ssl/serverone.crt
SSLCertificateKeyFile /etc/apache2/ssl/serverone.key
[...]
</virtualhost>
<virtualhost>
SSLEngine On
ServerName servertwo.tld:443
SSLCertificateFile /etc/apache2/ssl/servertwo.crt
SSLCertificateKeyFile /etc/apache2/ssl/servertwo.key
[...]
</virtualhost>

It will just serve any request out of the first VirtualHost (serverone.tld) regardless of the hostname in the request headers.

There is some light at the end of this tunnel though: RFC4366 describes an optional field to the TLS (Transport Layer Security) client request called "Server Name Indication" (SNI). With this the client just includes a list of ServerNames (usually one) that it's trying to contact. Apache can easily match the supplied name from the client against a ServerName (or ServerAlias) directive from it's configuration files.

SNI will be supported with OpenSSL v0.9.9 in mod_ssl. Sometime in the future. There is a backport to v0.9.8 available from Steven Henson linked here. Or you can use mod_gnutls as described by George Notaras in a recent blog entry.

In either cases the above configuration snippet will "just work" once SNI is understood by Apache.

Currently Internet Explorer 7 (on Vista only, wanna upgrade ), Mozilla Firefox 2+, Opera 7.6+, KDE Konqueror 3.5+ support sending the SNI. You can test your browser at Kaspar Brand's SNI testpage. He also has a patch available to make Apache 2.2 mod_ssl SNI capable when compiled against a CVS-version of OpenSSL.

I'm rather sure that spreading SNI capable hosts will also provide new hacking opportunities: Let's assume a system serves both Intranet and Internet traffic. A client contacts the Internet IP with SSL but specifies the Intranet Hostname in it's TLS SNI entry. Guess what will happen? Yup.

Update

02.09.2009: Gee, after two years people still read this blog entry. So I'll point you to a few updates. 2009 is not 2007 SNI has made some slow progress since the original article. But major steps forward only came this summer: Apache has official support for SNI since 2.2.12 (tracking bug). Gentoo has been early to support SNI and Tobias Scheerbaum has written a blog entry on Apache, SSL und SNI in Gentoo (in German) summarizing how it works out of the box. Support for SNI has also been added to Debian (tracking bug) but for now the default config files don't reflect SNI capability yet. Ubuntu will see SNI in Karmic Koala, the release scheduled for next month i.e. "9.10" (tracking bug). Fedora has a SNI enabled Apache from httpd-2.2.13-1.fc11 onwards (tracking bug). Tobias also states that SP3 for Windows XP enables IE6 to send the SNI (SP2 is not sufficient).