Thursday, September 17, 2009

openvpn over ipv6 patch

It's baaaack. :)

Thanks to the support from my employer as 20% project, I'm (back) working on openvpn support for ipv6 endpoints (aka udp6, tcp6).

You can find the initial re-release, over openvpn-2.1_rc19
(latest as of Sep'09) at:
, obviously available as a git repository but also as a patch
snapshots at:
I'm pretty happy with this release, it has passed my unittests for {loopback,remote}{udp,tcp}{4,6} and also -it's valgrind friendly ;)

Enjoy it ! ... I'll post it to openvpn-devel ~soon.


--
--Juanjo ; echo jAjo@goMoSgleP.com | sed 's/[SPAM]//g'

Wednesday, August 05, 2009

before renewing your cellphone ...

... fancy gadget or alike: please think twice.

Being a somewhat tech-savvy guy I am, I was scared to become aware of this _that_ late, evidently media companies are doing a very good job here also :P.

The mineral (Tantalum) inside the small capacitors used in these tiny electronic devices is fueling the worst contemporary humanitarian crisis in the world, with about 5.4 millon deaths so far.

No further presentation needed since you already have it in your pocket, meet "Coltan".

Wednesday, July 15, 2009

"En los países en serio ... ¡ Se fusila !"

¡ Quién puede ser sino el maeeeessstrooo Capusotto ! :)

Bastante tarde lo encontré, por cierto ... el loco tiene un programa de radio en Rock&Pop: "Lucy en el cielo con Capusottos".

Afortunadamente para los que no podemos escucharlo en vivo (zona horaria, en mi caso), un ilustre compatriota ha ido guardando los programas :)

Que lo disfruten ... , en mi caso tuve que parar el play, para contener el ataque de risa :-O

PD: el siguiente script resulta útil para taggear los archivos, de manera que queden amigables para tu PMP.

id3v2-lucy_con_capus.sh:



# ./id3v2-lucy_con_capus.sh:
# aplica id3v2 tag a todos los Lucy*.mp3 del directorio actual.
# ej:
# Lucy_en_el_cielo_con_Capusottos_1er_Programa_by_vamosmillo2.mp3
# , tomara el primer "conjunto" de numeros para usarlo como nro de track
album="Lucy en el cielo con Capusottos"
for i in Lucy*.mp3;do
track="$(echo "$i" | sed -n -r 's/^[^0-9]+([0-9]+).*/\1/p')"
track=$(printf "%02d" $track)
title="${i%%by*}"
title="${title/?con?Capusottos/...}"
title="${title//_/ }"
(set -x
id3v2 -y 2009 -t "$title" -A "$album" -a Capusotto -T $track "$i"
)
done

Friday, June 05, 2009

select chromium, chrome else firefox as default browser

Now that google-chrome requete-alpha build is published by Google [1], I have this
handy script as my default browser "selector":

#!/bin/bash
#
# $HOME/bin/browser.sh
# Author: JuanJo ( juanjosec O gmail o com )
#
# if running, try: chromium-browser, google-chrome
# else: firefox
#
case "$(ps -oargs= -C chrome)" in
/usr/lib/chromium-browser*)
exec /usr/bin/chromium-browser "$@";;
/opt/google/chrome*)
exec /opt/google/chrome/chrome "$@";;
esac
exec /usr/bin/firefox "$@"
exit $?

# Point2 me with the output from:
for p in /desktop/gnome/{applications/browser/exec,url-handlers/http{,s}/command}; do
echo gconftool-2 -s $p -t string "$HOME/bin/browser.sh \"%s\""
done



In a related note, you can see current milestone (LinuxDev [2]) and what to expect for the next one (LinuxBeta[3]).

[1] Danger: Mac and Linux builds available
[2] Chromium LinuxDev milestone
[3] Chromium LinuxBeta milestone

Monday, June 01, 2009

ads blocking in chromium-browser

ads blocking in chromium-browser

One key missing functionality in chromium is extensibility via browser extensions or user scripts, damn useful in particular for blocking ads.
Although the support is there in the dev channel, it had been not available in the ppa binary debs for a while, but about ~2days ago user scripts started working ... yAY!! \o/

To the point:

dpkg -l chromium-browser # version: 3.0.183.0~svn200905 Chromium browser
mkdir $HOME/.config/chromium/Default/User\ Scripts # yep, nasty white space :P
cd $HOME/.config/chromium/Default/User\ Scripts
wget http://www.adsweep.org/AdSweep.user.js # ala adblock

# ... and then start chromium as:
chromium-browser --enable-user-scripts


To confirm you have it enabled, visit http://www.adsweep.org/ && you'll see a red status line, up-right, with the adsweep script version.

Friday, May 29, 2009

chromium-browser with bookmark keywords

I've been enjoooying chromium-browser on */Linux since last ~3weeks, you'll find lotsa references out there on howto install it, in my ubuntu it boils down to:

echo deb http://ppa.launchpad.net/chromium-daily/ppa/ubuntu hardy main > /etc/apt/sources.list.d/chromium.list
#echo "Acquire::http::Proxy::ppa.launchpad.net DIRECT;" > /etc/apt/apt.conf.d/85launchpad
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 4E5E17B5
apt-get update
apt-get install chromium-browser

One important functionality I was missing was the ability to create "%s" bookmarks (ala firefox), the nice thing is that it's actually support, tho not "fancy" at the moment because of laking bookmark editor (May/09).
Good news is that you can actually ride it via sql:

#!/bin/bash
# Author: JuanJo
# License: GPLv2+
# Usage: (chromium-browser must not be running)
# ./chromium-browser_keywords.sh ## *see* it, then:
# ./chromium-browser_keywords.sh | sqlite3 $HOME/.config/chromium/Default/Web?Data
# Goodies:
# at the address bar type eg:
# yh tate
# wa theta
# rae teta
# bspot juanjosec

KEYWORDS="
yh http://search.yahoo.com/search?p=%s
wa http://www.wolframalpha.com/input/?i=%s
rae http://buscon.rae.es/draeI/SrvltConsulta?TIPO_BUS=3&LEMA=%s
bspot http://%s.blogspot.com
#foo http://%s.foo.com/
"
while read k url;do
case "$k" in ""|\#*) continue;;esac
echo -n "INSERT INTO keywords (short_name, keyword, favicon_url, url) "
echo "VALUES ('$k','$k','about:blank','$url');"
done < <(echo "$KEYWORDS"| sed 's/%s/{searchTerms}/')


Incidentally nuff, I'm now at a roaming session I need to last +4hs, so I closed my ff-3.1b3 cpu toaster and left riding entirely on chrome-browser (who needs flash after all ?).

Thursday, March 19, 2009

Copying isn't theft ...

Nina Paley, the talented cartoonist, sings the copyright song.

Hear it ... it's refreshing, and full of truth :-


Nina Sings "Copying Isn't Theft" from Reel 13 on Vimeo.

clapClapClapp....

Monday, February 16, 2009

conference: Security Clouds in the Horizons --by Adi Shamir

I had the invaluable chance to attend Adi Shamir [1]'s conference "Security Clouds in the Horizons" or "Why I'm skeptical about Cloud Computing", given at Google's offices.

Below are my ~raw notes (taken with Freemind[2], then exported to HTML), meaning: a GiAnT disclaimer about the possible inaccuracy of these, YHBW.
  • Cloud Computing
    • [def] from wikipedia (~fine)
      • dynamically scalable virtualised resources
      • as a service
      • over the Internet
    • "... not new to me" [sic]
      • 1960 -> John McCarthy : cimputation may someday be organized as a public utility
        eg. municipality -> computaion bureau
      • 1960: small number of large service centers
      • 1980: small companies with self managed DC (data center)

  • Q: Which type of system should be more secure in principle: Cloud or Self-managed ?
    • Cloud:
      • more experienced companies
      • -> more secure systems
      • -> BUT more attractive TARGETS for attacks
    • Computer insecurity
      • old problem, 1st recorded incident: RFC 602 (at ARPANET, aprox 100 computers)
  • Safety vs security [definition]
    • Safety
      • "YOU vs NATURE"
        • reliability issues, etc
      • difficult to achieve
        • eg. building a car which is perfectly safe to drive
          • very complicated
          • very expensive
          • very slow and cautious
    • Security
      • _MALICIOUS_
        • ++harder to deal
          • they know your defensive measures
          • they know your weaknesses
        • eg. design a car that resist eg
          • dropping sugar in the gas tank
          • putting explosives near the engine
  • Q: Is cloud computing more secure than company-centric computing?
    • 1: remote data storage
      • privacy
        • no problem iff KEY is *local* (send/store only encripted data)
      • reliability
        • much better for the cloud
    • 2: remote code execution
      • security of the data IN the hands of the provider (!)
      • diff. types of threats [classif]:
        • dishonest employees
          • a single "bad apple" can cause a LOT of damage
        • amateur hackers (script kiddies)
          • motivation proportional to SIZE
          • for recognition/ego
        • professional hackers (data thieves)
          • make money, spionage, etc
          • they carefully choose their target,
            they spend time and money for the attack, etc

          • ++attractive to break bigger systems
          • ++motivation: *high* reward/effort ratio
        • cyber terrorists using sophisticated cross border attacks
          • motivation: create *PANIC*
            • economic damage
            • make ppl to not trust
              • banks, govt, etc
        • discreet govt intervention
          • terrified by being discovered
            (political fallout of public disclosure)
            • ++risk if cloud (vs small DCs)
          • they ARE applying pressure (no doubt!)
      • Can cryptography solve the security issue ?
        • theoretical solutions
          • multiparty computation protocols
          • totally UNREALISTIC
          • VERY difficult
    • How do you BREAK the security of cloud computing ?
      • side channel attacks
        • use phyisics to overcome math
        • cryptanalytic attack: "cache attacks"
          • pure software attack
          • very efficient
          • full 128bit AES key extraction from Linux encrypted file system in 65ms
            • require only the ability to run code in parallel on the target physical location
          • can compromise eg VPN/aes =)
          • can be used to attack any Virtualization technique
            (jail, Xen, UML, Virtual PC , VMware)
          • very hard to protect against WITHOUT a major performance penalty
          • solution? turn off caching when encrypting ?
            • problem: @BIOS setup
            • speed (!)
          • HOW is the attack done:
            • look for the time delay in accessing mainmem vs cache while accessing the idx in the 1st table lookup, because:
            • for AES: finding the KEY == finding the INDEX of the 1st lookup table for a known plaintext *and* you can force the plaintext (eg encrypted harddisk, vpn).
        • another example: normal PC "noise"
          • signal processing of that noise, correlated to diff CPU ops, using FFT: patterns clearly shown, eg:
            • RSA key generation
            • HLT, MUL, ADD, etc
            • found: 2nd power supply capacitors
      • big problem with "virtualization":
        • the UNDERLYING physical CPU *is* the same
          • by stressing the "common" underlying resource
            another process @another VM can "discover"
            this sharing

        • using birthday paradox, you can reasonably "discover":
          • aprox number of physical processors in the network
          • aprox number of VMs
          • Virt-to-Phy processor allocation "spread" (eg for loadbalancing load/resources)
[1] http://en.wikipedia.org/wiki/Adi_Shamir
[2] http://freemind.sourceforge.net/

geeks in (work)space

It's cool to be surrounded by freaking geeks at work, better yet when this geekiness becomes visible ;)


http://www.google.com/logos/unix1234567890.gif

Sunday, January 18, 2009

my green alix 2c3 box

This is my beloved fanless 24x7 box: Alix 2c3 board, consisting of:
  • CPU: AMD Geode x86 500MHz, 256MB RAM, 2x USB2.0, 3x LAN 100Mb, 1xMiniPCI
    (from http://pcengines.ch/)
  • CardFlash 4GB (as root filesystem)
  • WD Passport 500Mb (USB 2.0), using board's power via USB
  • Power supply: DC 12V 20W :-D

I tried several x86 OSes on it:
  1. OpenBSD 4.4: by far the easiest and +straightforward installation via PXE
  2. Debian stable: all Debian versatility thru your serial console installation :)
  3. Voyage Linux: 1-shot copy-to-CF (no PXE needed) && boot'it && apt-get'em =)

After some back&forth, I finally kept Voyage Linux, mostly because of
  • debian versatility
  • apt-get install screen ;)
  • fully tuned for flash => root filesystem is booted readonly, with all the writable noise kept in memory by using aufs (union fs) and tmpfs
  • smaaaaall (merely less than ~150Mb after install)
  • openssl/OCF by default
  • hardware watchdog, rng, aes support by default
Hardware info:
  • /proc/cpuinfo
    processor       : 0
    vendor_id : AuthenticAMD
    cpu family : 5
    model : 10
    model name : Geode(TM) Integrated Processor by AMD PCS
    stepping : 2
    cpu MHz : 498.056
    cache size : 128 KB
    fdiv_bug : no
    hlt_bug : no
    f00f_bug : no
    coma_bug : no
    fpu : yes
    fpu_exception : yes
    cpuid level : 1
    wp : yes
    flags : fpu de pse tsc msr cx8 sep pge cmov clflush mmx mmxext 3dnowext 3dnow
    bogomips : 997.25
    clflush size : 32
    power management:
  • lspci
    00:01.0 Host bridge: Advanced Micro Devices [AMD] CS5536 [Geode companion] Host Bridge (rev 33)
    00:01.2 Entertainment encryption device: Advanced Micro Devices [AMD] Geode LX AES Security Block
    00:09.0 Ethernet controller: VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
    00:0a.0 Ethernet controller: VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
    00:0b.0 Ethernet controller: VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
    00:0f.0 ISA bridge: Advanced Micro Devices [AMD] CS5536 [Geode companion] ISA (rev 03)
    00:0f.2 IDE interface: Advanced Micro Devices [AMD] CS5536 [Geode companion] IDE (rev 01)
    00:0f.4 USB Controller: Advanced Micro Devices [AMD] CS5536 [Geode companion] OHC (rev 02)
    00:0f.5 USB Controller: Advanced Micro Devices [AMD] CS5536 [Geode companion] EHC (rev 02)
  • lsusb
    Bus 002 Device 002: ID 1058:0704 Western Digital Technologies, Inc.
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
  • lsmod | egrep geode (special hardware)
    geodewdt                4500  2             ## watchdog
    geode_rng 1920 0 ## random number generator
    rng_core 3716 1 geode_rng
    geode_aes 5508 0 ## aes cipher
Some measurements/stats:
  • HDD /USB 2.0 throughput:
    jjolix:~# hdparm  -t /dev/sda

    /dev/sda:
    Timing buffered disk reads: 56 MB in 3.04 seconds = 18.40 MB/sec
  • The CPU/chipset/RAM/netw are nice enough to run things like rtorrent/mlnet and serve NFS.
    This is top output at the alix box whilst doing a tar cf - /mnt/Fotos/ > /dev/null (~2K photos, ~3MB each) from a LAN NFS client:
    top - 20:51:47 up 18 days, 22:41,  1 user,  load average: 5.65, 2.39, 0.90
    Tasks: 60 total, 1 running, 58 sleeping, 0 stopped, 1 zombie
    Cpu(s): 4.0%us, 23.1%sy, 0.0%ni, 8.9%id, 31.7%wa, 21.5%hi, 10.9%si, 0.0%st
    Mem: 256860k total, 252860k used, 4000k free, 604k buffers
    Swap: 0k total, 0k used, 0k free, 197128k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    30635 p2p 20 0 57232 36m 5196 S 9.2 14.4 3:00.93 mlnet
    11028 root 20 0 0 0 0 S 4.0 0.0 0:06.09 nfsd
    11030 root 20 0 0 0 0 S 4.0 0.0 0:08.98 nfsd
    11024 root 20 0 0 0 0 D 3.6 0.0 0:06.20 nfsd
    11025 root 20 0 0 0 0 S 3.6 0.0 0:06.21 nfsd
    11027 root 20 0 0 0 0 S 3.6 0.0 0:06.16 nfsd
    11026 root 20 0 0 0 0 D 3.3 0.0 0:06.06 nfsd
    11029 root 20 0 0 0 0 S 3.3 0.0 0:06.11 nfsd
    11031 root 20 0 0 0 0 D 3.3 0.0 0:06.84 nfsd
    30349 root 15 -5 0 0 0 D 2.6 0.0 0:05.58 usb-storage
    3 root 15 -5 0 0 0 S 1.6 0.0 3:44.10 ksoftirqd/0
    88 root 15 -5 0 0 0 S 1.0 0.0 2:55.14 kswapd0


  • for above, iftop shows >70Mbit/s, ++enough to do a remote DVD toasting session :)
  • a full-steam-ahead rtorrent download at 1.5MBytes/sec makes it use ~25% CPU.


Previously I had a conventional , fanfull, noisy, old desktop (P4 1.5Ghz) for doing 24x7 stuff @home, as you can imagine it won't be missed =)

Monday, January 12, 2009

e2fsprogs utils for Android (EABI ARM)

I've been playing around with my brand new Android (cool Christmas gift from my employer ;).
Because of the security model by default you cannot store apps into /sdcard (only at /data/apps, which is mounted from the internal MTD device), and this is something you'll eagerly want for freakin'ly installing bunch of cool applications.

After some hacking around I could get it to like /data/app as a loop-mount:

/ # df
Filesystem 1k-blocks Used Available Use% Mounted on
tmpfs 49564 0 49564 0% /dev
tmpfs 4096 0 4096 0% /sqlite_stmt_journals
/dev/block/mtdblock3 69120 57248 11872 83% /system
/dev/block/mtdblock5 76544 58596 17948 77% /data
/dev/block/mtdblock4 69120 1256 67864 2% /cache
/dev/block/mmcblk0p1 991488 950448 41040 96% /sdcard
/dev/block/loop0 128949 19098 103186 16% /data/app
, where /dev/block/loop0 is actually a loop mount on /sdcard/data-extra.img ext2 image file.

I will post a more detailed mini-howto about this hack, but the 1st thing you'll need (and I couldn't find out there before) are the e2fsprogs utils built for Android.
So I went ahead, changed some e2fsprogs src bits and compiled with my android sdk arm gcc toolchain (built @my workstation from the Android git repo).

You can find them at:
http://sites.google.com/site/juanjosec/android , namely:
e2fsprogs-android.diff, e2fsprogs-base_arm-eabi.tar.gz, e2fsprogs-xtra_arm-eabi.tar.gz.

15 years have passed since I first touched my 1st Linux, 13 so far since I hacked the Linux kernel for ip aliasing support ... been a long trip, and now I can finally carry it in my pocket ;-)