openvpn over ipv6 patch

It's baaaack. :)

Thanks to the support from my employer as 20% project, I'm (back) working on openvpn support for ipv6 endpoints (aka udp6, tcp6).

You can find the initial re-release, over openvpn-2.1_rc19

(latest as of Sep'09) at:

http://github.com/jjo/openvpn-ipv6

, obviously available as a git repository but also as a patch

snapshots at:

http://github.com/jjo/openvpn-ipv6/downloads

I'm pretty happy with this release, it has passed my unittests for {loopback,remote}{udp,tcp}{4,6} and also -it's valgrind friendly ;)

Enjoy it ! ... I'll post it to openvpn-devel ~soon.

* UPDATE(27-Sep-09): Posted to openvpn-devel mlist at http://sourceforge.net/mailarchive/message.php?msg_name=7bb795fd0909251436v2369d6d5q674e63e0621fcd56@mail.gmail.com

--

--Juanjo ; echo jAjo@goMoSgleP.com | sed 's/[SPAM]//g'

before renewing your cellphone ...

... fancy gadget or alike: please think twice.

Being a somewhat tech-savvy guy I am, I was scared to become aware of this _that_ late, evidently media companies are doing a very good job here also :P.

The mineral (Tantalum) inside the small capacitors used in these tiny electronic devices is fueling the worst contemporary humanitarian crisis in the world, with about 5.4 millon deaths so far.

No further presentation needed since you already have it in your pocket, meet "Coltan".

"En los países en serio ... ¡ Se fusila !"

¡ Quién puede ser sino el maeeeessstrooo Capusotto ! :)

Bastante tarde lo encontré, por cierto ... el loco tiene un programa de radio en Rock&Pop: "Lucy en el cielo con Capusottos".

Afortunadamente para los que no podemos escucharlo en vivo (zona horaria, en mi caso), un ilustre compatriota ha ido guardando los programas :)

Que lo disfruten ... , en mi caso tuve que parar el play, para contener el ataque de risa :-O

PD: el siguiente script resulta útil para taggear los archivos, de manera que queden amigables para tu PMP.

id3v2-lucy_con_capus.sh:

# ./id3v2-lucy_con_capus.sh:
#  aplica id3v2 tag a todos los Lucy*.mp3 del directorio actual. 
# ej: 
#  Lucy_en_el_cielo_con_Capusottos_1er_Programa_by_vamosmillo2.mp3 
# , tomara el primer "conjunto" de numeros para usarlo como nro de track
album="Lucy en el cielo con Capusottos"
for i in Lucy*.mp3;do
  track="$(echo "$i" | sed -n -r 's/^[^0-9]+([0-9]+).*/\1/p')"
  track=$(printf "%02d" $track)
  title="${i%%by*}"
  title="${title/?con?Capusottos/...}"
  title="${title//_/ }"
  (set -x
    id3v2 -y 2009 -t "$title" -A "$album" -a Capusotto -T $track "$i"
  )
done

select chromium, chrome else firefox as default browser

Now that google-chrome requete-alpha build is published by Google [1], I have this
handy script as my default browser "selector":

#!/bin/bash
#
# $HOME/bin/browser.sh
# Author: JuanJo ( juanjosec O gmail o com  )
#
#   if running, try: chromium-browser, google-chrome
#   else:            firefox
#
case "$(ps -oargs= -C chrome)" in
 /usr/lib/chromium-browser*)
   exec /usr/bin/chromium-browser "$@";;
 /opt/google/chrome*)
   exec /opt/google/chrome/chrome "$@";;
esac
exec /usr/bin/firefox "$@"
exit $?

# Point2 me with the output from:
for p in /desktop/gnome/{applications/browser/exec,url-handlers/http{,s}/command}; do
 echo gconftool-2 -s $p -t string "$HOME/bin/browser.sh \"%s\""
done

In a related note, you can see current milestone (LinuxDev [2]) and what to expect for the next one (LinuxBeta[3]).

[1] Danger: Mac and Linux builds available
[2] Chromium LinuxDev milestone
[3] Chromium LinuxBeta milestone

ads blocking in chromium-browser

ads blocking in chromium-browser

One key missing functionality in chromium is extensibility via browser extensions or user scripts, damn useful in particular for blocking ads.
Although the support is there in the dev channel, it had been not available in the ppa binary debs for a while, but about ~2days ago user scripts started working ... yAY!! \o/

To the point:

dpkg -l chromium-browser # version: 3.0.183.0~svn200905 Chromium browser
mkdir $HOME/.config/chromium/Default/User\ Scripts  # yep, nasty white space :P
cd $HOME/.config/chromium/Default/User\ Scripts
wget http://www.adsweep.org/AdSweep.user.js  # ala adblock

# ... and then start chromium as:
chromium-browser --enable-user-scripts

To confirm you have it enabled, visit http://www.adsweep.org/ && you'll see a red status line, up-right, with the adsweep script version.

chromium-browser with bookmark keywords

I've been enjoooying chromium-browser on */Linux since last ~3weeks, you'll find lotsa references out there on howto install it, in my ubuntu it boils down to:

echo deb http://ppa.launchpad.net/chromium-daily/ppa/ubuntu hardy main > /etc/apt/sources.list.d/chromium.list
#echo "Acquire::http::Proxy::ppa.launchpad.net DIRECT;" > /etc/apt/apt.conf.d/85launchpad
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 4E5E17B5
apt-get update
apt-get install chromium-browser

One important functionality I was missing was the ability to create "%s" bookmarks (ala firefox), the nice thing is that it's actually support, tho not "fancy" at the moment because of laking bookmark editor (May/09).
Good news is that you can actually ride it via sql:

#!/bin/bash
# Author: JuanJo
# License: GPLv2+
# Usage: (chromium-browser must not be running)
#   ./chromium-browser_keywords.sh ## *see* it, then:
#   ./chromium-browser_keywords.sh | sqlite3 $HOME/.config/chromium/Default/Web?Data
# Goodies:
# at the address bar type eg:
#   yh tate
#   wa theta
#   rae teta
#   bspot juanjosec

KEYWORDS="
yh http://search.yahoo.com/search?p=%s
wa http://www.wolframalpha.com/input/?i=%s
rae http://buscon.rae.es/draeI/SrvltConsulta?TIPO_BUS=3&LEMA=%s
bspot http://%s.blogspot.com
#foo http://%s.foo.com/
"
while read k url;do
  case "$k" in ""|\#*) continue;;esac
  echo -n "INSERT INTO keywords (short_name, keyword, favicon_url, url) "
  echo "VALUES ('$k','$k','about:blank','$url');"
done < <(echo "$KEYWORDS"| sed 's/%s/{searchTerms}/') 

Incidentally nuff, I'm now at a roaming session I need to last +4hs, so I closed my ff-3.1b3 cpu toaster and left riding entirely on chrome-browser (who needs flash after all ?).

Copying isn't theft ...

Nina Paley, the talented cartoonist, sings the copyright song.

Hear it ... it's refreshing, and full of truth :-


Nina Sings "Copying Isn't Theft" from Reel 13 on Vimeo.

clapClapClapp....

conference: Security Clouds in the Horizons --by Adi Shamir

I had the invaluable chance to attend Adi Shamir [1]'s conference "Security Clouds in the Horizons" or "Why I'm skeptical about Cloud Computing", given at Google's offices.

Below are my ~raw notes (taken with Freemind[2], then exported to HTML), meaning: a GiAnT disclaimer about the possible inaccuracy of these, YHBW.

• Cloud Computing
  
  • [def] from wikipedia (~fine)
    
    • dynamically scalable virtualised resources
      
    • as a service
      
    • over the Internet
      
  • "... not new to me" [sic]
    
    • 1960 -> John McCarthy : cimputation may someday be organized as a public utility
      eg. municipality -> computaion bureau
      
    • 1960: small number of large service centers
      
    • 1980: small companies with self managed DC (data center)
      


• Q: Which type of system should be more secure in principle: Cloud or Self-managed ?
  
• Cloud:
  • more experienced companies
    
  • -> more secure systems
    
  • -> BUT more attractive TARGETS for attacks
    
• Computer insecurity
  
  • old problem, 1st recorded incident: RFC 602 (at ARPANET, aprox 100 computers)

• Safety vs security [definition]
  
  • Safety
    
    • "YOU vs NATURE"
      
      • reliability issues, etc
        
    • difficult to achieve
      
      • eg. building a car which is perfectly safe to drive
        
        • very complicated
        • very expensive
        • very slow and cautious
          
  • Security
    
    • _MALICIOUS_
      
      • ++harder to deal
        
        • they know your defensive measures
          
        • they know your weaknesses
          
      • eg. design a car that resist eg
        
        • dropping sugar in the gas tank
          
        • putting explosives near the engine
          
• Q: Is cloud computing more secure than company-centric computing?
  
  • 1: remote data storage
    
    • privacy
      
      • no problem iff KEY is *local* (send/store only encripted data)
        
    • reliability
      
      • much better for the cloud
        
  • 2: remote code execution
    
    • security of the data IN the hands of the provider (!)
      
    • diff. types of threats [classif]:
      
      • dishonest employees
        
        • a single "bad apple" can cause a LOT of damage
          
      • amateur hackers (script kiddies)
        
        • motivation proportional to SIZE
          
        • for recognition/ego
          
      • professional hackers (data thieves)
        
        • make money, spionage, etc
          
        • they carefully choose their target,
          they spend time and money for the attack, etc
          
        • ++attractive to break bigger systems
          
        • ++motivation: *high* reward/effort ratio
          
      • cyber terrorists using sophisticated cross border attacks
        
        • motivation: create *PANIC*
          
          • economic damage
            
          • make ppl to not trust
            
            • banks, govt, etc
              
      • discreet govt intervention
        
        • terrified by being discovered
          (political fallout of public disclosure)
          
          • ++risk if cloud (vs small DCs)
            
        • they ARE applying pressure (no doubt!)
          
    • Can cryptography solve the security issue ?
      
      • theoretical solutions
        
        • multiparty computation protocols
          
        • totally UNREALISTIC
          
        • VERY difficult
          
  • How do you BREAK the security of cloud computing ?
    
    • side channel attacks
      
      • use phyisics to overcome math
        
      • cryptanalytic attack: "cache attacks"
        
        • pure software attack
          
        • very efficient
        • full 128bit AES key extraction from Linux encrypted file system in 65ms
          • require only the ability to run code in parallel on the target physical location
            
        • can compromise eg VPN/aes =)
          
        • can be used to attack any Virtualization technique
          (jail, Xen, UML, Virtual PC , VMware)
          
        • very hard to protect against WITHOUT a major performance penalty
          
        • solution? turn off caching when encrypting ?
          
          • problem: @BIOS setup
          • speed (!)
            
        • HOW is the attack done:
          
          • look for the time delay in accessing mainmem vs cache while accessing the idx in the 1st table lookup, because:
            
          • for AES: finding the KEY == finding the INDEX of the 1st lookup table for a known plaintext *and* you can force the plaintext (eg encrypted harddisk, vpn).
            
      • another example: normal PC "noise"
        
        • signal processing of that noise, correlated to diff CPU ops, using FFT: patterns clearly shown, eg:
          
          • RSA key generation
            
          • HLT, MUL, ADD, etc
            
          • found: 2nd power supply capacitors
            
    • big problem with "virtualization":
      
      • the UNDERLYING physical CPU *is* the same
        
        • by stressing the "common" underlying resource
          another process @another VM can "discover"
          this sharing
          
      • using birthday paradox, you can reasonably "discover":
        
        • aprox number of physical processors in the network
          
        • aprox number of VMs
          
        • Virt-to-Phy processor allocation "spread" (eg for loadbalancing load/resources)

[1] http://en.wikipedia.org/wiki/Adi_Shamir
[2] http://freemind.sourceforge.net/

geeks in (work)space

It's cool to be surrounded by freaking geeks at work, better yet when this geekiness becomes visible ;)


http://www.google.com/logos/unix1234567890.gif

my green alix 2c3 box

This is my beloved fanless 24x7 box: Alix 2c3 board, consisting of:

• CPU: AMD Geode x86 500MHz, 256MB RAM, 2x USB2.0, 3x LAN 100Mb, 1xMiniPCI
  (from http://pcengines.ch/)
  
• CardFlash 4GB (as root filesystem)
• WD Passport 500Mb (USB 2.0), using board's power via USB
  
• Power supply: DC 12V 20W :-D

I tried several x86 OSes on it:

1. OpenBSD 4.4: by far the easiest and +straightforward installation via PXE
   
2. Debian stable: all Debian versatility thru your serial console installation :)
3. Voyage Linux: 1-shot copy-to-CF (no PXE needed) && boot'it && apt-get'em =)

After some back&forth, I finally kept Voyage Linux, mostly because of

• debian versatility
• apt-get install screen ;)
  
• fully tuned for flash => root filesystem is booted readonly, with all the writable noise kept in memory by using aufs (union fs) and tmpfs
  
• smaaaaall (merely less than ~150Mb after install)
• openssl/OCF by default
• hardware watchdog, rng, aes support by default
  

Hardware info:

• /proc/cpuinfo
  

  processor       : 0
  vendor_id       : AuthenticAMD
  cpu family      : 5
  model           : 10
  model name      : Geode(TM) Integrated Processor by AMD PCS
  stepping        : 2
  cpu MHz         : 498.056
  cache size      : 128 KB
  fdiv_bug        : no
  hlt_bug         : no
  f00f_bug        : no
  coma_bug        : no
  fpu             : yes
  fpu_exception   : yes
  cpuid level     : 1
  wp              : yes
  flags           : fpu de pse tsc msr cx8 sep pge cmov clflush mmx mmxext 3dnowext 3dnow
  bogomips        : 997.25
  clflush size    : 32
  power management:

• lspci
  

  00:01.0 Host bridge: Advanced Micro Devices [AMD] CS5536 [Geode companion] Host Bridge (rev 33)
  00:01.2 Entertainment encryption device: Advanced Micro Devices [AMD] Geode LX AES Security Block
  00:09.0 Ethernet controller: VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
  00:0a.0 Ethernet controller: VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
  00:0b.0 Ethernet controller: VIA Technologies, Inc. VT6105M [Rhine-III] (rev 96)
  00:0f.0 ISA bridge: Advanced Micro Devices [AMD] CS5536 [Geode companion] ISA (rev 03)
  00:0f.2 IDE interface: Advanced Micro Devices [AMD] CS5536 [Geode companion] IDE (rev 01)
  00:0f.4 USB Controller: Advanced Micro Devices [AMD] CS5536 [Geode companion] OHC (rev 02)
  00:0f.5 USB Controller: Advanced Micro Devices [AMD] CS5536 [Geode companion] EHC (rev 02)
  

• lsusb
  

  Bus 002 Device 002: ID 1058:0704 Western Digital Technologies, Inc.
  Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

• lsmod | egrep geode (special hardware)
  

  geodewdt                4500  2             ## watchdog
  geode_rng               1920  0             ## random number generator
  rng_core                3716  1 geode_rng
  geode_aes               5508  0             ## aes cipher
  

Some measurements/stats:

• HDD /USB 2.0 throughput:
  

  jjolix:~# hdparm  -t /dev/sda
  
  /dev/sda:
  Timing buffered disk reads:   56 MB in  3.04 seconds =  18.40 MB/sec

• The CPU/chipset/RAM/netw are nice enough to run things like rtorrent/mlnet and serve NFS.
  This is top output at the alix box whilst doing a tar cf - /mnt/Fotos/ > /dev/null (~2K photos, ~3MB each) from a LAN NFS client:
  

  top - 20:51:47 up 18 days, 22:41,  1 user,  load average: 5.65, 2.39, 0.90
  Tasks:  60 total,   1 running,  58 sleeping,   0 stopped,   1 zombie
  Cpu(s):  4.0%us, 23.1%sy,  0.0%ni,  8.9%id, 31.7%wa, 21.5%hi, 10.9%si,  0.0%st
  Mem:    256860k total,   252860k used,     4000k free,      604k buffers
  Swap:        0k total,        0k used,        0k free,   197128k cached
  
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                     
  30635 p2p       20   0 57232  36m 5196 S  9.2 14.4   3:00.93 mlnet                       
  11028 root      20   0     0    0    0 S  4.0  0.0   0:06.09 nfsd                        
  11030 root      20   0     0    0    0 S  4.0  0.0   0:08.98 nfsd                        
  11024 root      20   0     0    0    0 D  3.6  0.0   0:06.20 nfsd                        
  11025 root      20   0     0    0    0 S  3.6  0.0   0:06.21 nfsd                        
  11027 root      20   0     0    0    0 S  3.6  0.0   0:06.16 nfsd                        
  11026 root      20   0     0    0    0 D  3.3  0.0   0:06.06 nfsd                        
  11029 root      20   0     0    0    0 S  3.3  0.0   0:06.11 nfsd                        
  11031 root      20   0     0    0    0 D  3.3  0.0   0:06.84 nfsd                        
  30349 root      15  -5     0    0    0 D  2.6  0.0   0:05.58 usb-storage                 
  3 root      15  -5     0    0    0 S  1.6  0.0   3:44.10 ksoftirqd/0                 
  88 root      15  -5     0    0    0 S  1.0  0.0   2:55.14 kswapd0




• for above, iftop shows >70Mbit/s, ++enough to do a remote DVD toasting session :)
  
• a full-steam-ahead rtorrent download at 1.5MBytes/sec makes it use ~25% CPU.
  

Previously I had a conventional , fanfull, noisy, old desktop (P4 1.5Ghz) for doing 24x7 stuff @home, as you can imagine it won't be missed =)

e2fsprogs utils for Android (EABI ARM)

I've been playing around with my brand new Android (cool Christmas gift from my employer ;).
Because of the security model by default you cannot store apps into /sdcard (only at /data/apps, which is mounted from the internal MTD device), and this is something you'll eagerly want for freakin'ly installing bunch of cool applications.

After some hacking around I could get it to like /data/app as a loop-mount:

/ # df
Filesystem           1k-blocks      Used Available Use% Mounted on
tmpfs                    49564         0     49564   0% /dev
tmpfs                     4096         0      4096   0% /sqlite_stmt_journals
/dev/block/mtdblock3     69120     57248     11872  83% /system
/dev/block/mtdblock5     76544     58596     17948  77% /data
/dev/block/mtdblock4     69120      1256     67864   2% /cache
/dev/block/mmcblk0p1    991488    950448     41040  96% /sdcard
/dev/block/loop0        128949     19098    103186  16% /data/app

, where /dev/block/loop0 is actually a loop mount on /sdcard/data-extra.img ext2 image file.

I will post a more detailed mini-howto about this hack, but the 1st thing you'll need (and I couldn't find out there before) are the e2fsprogs utils built for Android.
So I went ahead, changed some e2fsprogs src bits and compiled with my android sdk arm gcc toolchain (built @my workstation from the Android git repo).

You can find them at:
http://sites.google.com/site/juanjosec/android , namely:
e2fsprogs-android.diff, e2fsprogs-base_arm-eabi.tar.gz, e2fsprogs-xtra_arm-eabi.tar.gz.

15 years have passed since I first touched my 1st Linux, 13 so far since I hacked the Linux kernel for ip aliasing support ... been a long trip, and now I can finally carry it in my pocket ;-)