s9y testdrive

After starting to run a Tor node, the Hulu GeoFilter thinks I'm trying to access their content from outside the U.S. As their GeoFilter issues form was having difficulties finding out where I was connecting from, they advised to send an email to support@hulu.com, but I've haven't heard back from them ever since. That's a pity, now I can't watch their shows any more. Also, they've taken the Daily Show off their program, which is basically the only show I've watched over there. So, it's off to Bittorrent-World for me now; maybe we meet again when you fix your GeoFilter?

Last night I was trying to contact Verizon to report an abuse case:

$ whois 108.1.192.xxx | egrep 'Name:|Email'
OrgName:    Verizon Internet Services Inc. 
NetName:    VIS-BLOCK
OrgAbuseName:   VIS Abuse 
OrgAbuseEmail:  abuse@verizon.net
OrgTechName:   Verizon Internet Services 
OrgTechEmail:  IPNMC@gnilink.net

Today, I see that the OrgAbuseEmail has been changed to security@verizon.net and when Cc'ing IPNMC@gnilink.net my MTA returns:

 > The message has not yet been delivered to the following addresses:
 > 
 > host mail.gnilink.net[199.45.47.29]:
 > connection to mail exchanger failed with timeout
 > host mail.gnilink.net[199.45.47.10]:
 > connection to mail exchanger failed with timeout

Oh well....

Update:

$ date
Thu Mar 11 04:46:26 CET 2010
$ whois 108.1.192.xxx | grep OrgAbuseEmail
OrgAbuseEmail:  abuse@verizon.net

...wtf? Are they changing their abuse contact every day now?

It's 2010 and I can't even print a "blank line" in Windows without looking up the manual:

To echo a blank line on the screen, type:

  echo.

Why can't they just include this remark into "help echo", hm?

Wow, another entry covering some Windows oddity. One might think this OS is full of oddities :-) This time I tried to rename c:\program files because I wanted to mount another disk to c:\program files. Sure, lots of programs might be running from c:\program files, but when I stop all these programs, WindowsXP should still be able to boot and even start RDP to let me login, right? And so it did, with a few preparations made:

• C:\Program Files cannot just be renamed - WindowsXP won't let you, it's some kind of magic special folde^Wdirectory. We'll use regedit to modify two keys:
  
  Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir to something else, e.g. "C:\Program Files2" While this gets exported as "%ProgramFiles%" via "ProgramFilesPath", we have to edit another key:
  
  Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir to something else, e.g. "C:\Program Files2\Common Files". We have to reboot to apply these changes, of course :-)


• After the reboot, we should be able to rename c:\program files to something else. You might notice that our interim %ProgramFiles% directory got filled with a few directories - just ignore them. With our original c:\program files our of the way, we create an empty c:\program files, where we can now mount the other disk. Once this is done, we can start moving the our original c:\program files content (that we just moved out of the way) into our new c:\program files directory. While it's moving, we can set the registry keys we changed (see above) back to its original values.

Now reboot to get the registry settings applied and all should be well again - except that our c:\program files has now plenty of space :-)

This one time I have to deal with rpm packages and this happens:

$ rpm2cpio file.rpm | cpio -id
cpio: Malformed number

....and only garbage is being passed to cpio. Since RPM now comes with XZ/LZMA compression support, we have to prepare this for cpio until rpm2cpio will be fixed:

$ rpm2cpio file.rpm | lzma -d | cpio -id
7090 blocks

Oh, how I love my tcp wrapper:

$ egrep -c 'sshd.*refused connect from' /var/log/syslog/auth.log 
297

Install Tor and get listed in the directory. Wait a few days:

$ egrep -c 'sshd.*refused connect from' /var/log/syslog/auth.log 
36418

Often enough I confuse them myself, so here's a little cheatsheet for you^Wme to remember:

ACLs

ACLs are extending the traditional permission model with a more fine-grained one.

• - getfacl, setfacl - filesystem independen access control list manipulation
• - chacl - an IRIX-compatibility command

$ chacl u::rw-,g::r--,o::r--,u:dummy:--x,m::r-x file.txt
$ chacl -l file.txt 
file.txt [u::rw-,u:dummy:--x,g::r--,m::r-x,o::r--]
$ su -c "cat ./file.txt" dummy 
cat: ./file.txt: Permission denied

$ setfacl -m u::rw-,g::---,o::---,u:dummy:r--,m::r-x file.txt
$ getfacl file.txt 
# file: file.txt
# owner: root
# group: root
user::rw-
user:dummy:r--
group::---
mask::r-x
other::---

EAs

Extended attributes are arbitrary name/value pairs which are associated with files or directories.

• setfattr, getfattr - filesystem independent extended attribute manipulation
• attr - aimed specifically at users of the XFS filesystem

$ attr -q -s foo -V 42 file.txt 
$ attr -g foo file.txt 
Attribute "foo" had a 3 byte value for file.txt:
42
$ setfattr -n user.bar -v 23 file.txt
$ getfattr -n user.bar file.txt
# file: file.txt
user.bar="23"

file attributes

These "file attributes" look like they were meant to be supported by the ext2/3/4 filesystems only. However, Btrfs, JFS and XFS support them as well, ReiserFS and Reiser4 do not. In fact, I haven't found a mount option for Reiser4 yet to support ACLs and EAs either :-\

• lsattr, chattr - list, change file attributes

# chattr +i file.txt 
# lsattr file.txt
----i-------------- file.txt
# rm -f file.txt 
rm: cannot remove `file.txt': Operation not permitted

I've received an email with one of those winmail.dat files attached, surprisingly these are still around. And there are lots of articles out there dealing with those attachments. Luckily there are also free TNEF *) parsers out there:

• tnef for Unix
• TNEF's Enough for MacOS (GUI)

*) sounds like Tinnef, right? :)

For some time now I'm running MacOS X 10.6.2 with a 64-bit kernel and MacFUSE installed. However, after one of the last updates this setup stopped working - well, it shouldn't have worked anyway. Which is a pity, because now the TrueCrypt layer on top of MacFUSE doesn't work, which means ZFS cannot access its volume.
So, what now? Hacking MacFUSE would be the Right Thing to do, something I won't be able to deliver. So I went on to set up a much more fancy installation:

• install VirtualBox and attach the disk as a raw blockdevice
• within VirtualBox, install TrueCrypt and zfs-fuse
• once the VM has access to data, export it via Samba, so that the host machine can access it

We start by registering our MacOS data partition to VirtualBox. We're setting the disk immutable for now as we don't want to let our guest VM to make any changes to it. And we're also chmod'ing the disk to 0644, so that we're able to read it (and thus use it in Virtualbox). Mode 0640 and a dedicated group would be more elegant, yes.

$ sudo VBoxManage internalcommands createrawvmdk -filename disk02-raw.vmdk \
          -rawdisk /dev/disk0s5 -register
$ VBoxManage modifyhd -type immutable disk02-raw.vmdk
$ sudo chmod 0644 /dev/disk0s5

We're using a Debian/testing (amd64) as a guest VM and we'll compile TrueCrypt (with wxWidgets as a dependency):

$ apt-get install libfuse-dev fuse-utils dmsetup pkg-config samba git-core scons\
   libaio-dev libattr1-dev libacl1-dev libz-dev libz-dev libfuse-dev libssl-dev bzip2

$ wget http://prdownloads.sourceforge.net/wxwindows/wxWidgets-2.8.10.tar.bz2 \
   -O - | tar -C /usr/local/src -xjf -
$ cd /usr/local/src/wxWidgets-2.8.10
$ ./configure --prefix=/opt/wxWidgets && make && make install

$ mkdir /usr/local/include/pkcs11
$ cd /usr/local/include/pkcs11
$ for i in pkcs11 pkcs11f.h pkcs11t.h; do
     wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/$i; 
   done
$ cd /usr/local/src/truecrypt-6.3a-source
$ make NOGUI=1 WX_ROOT=/usr/local/src/wxWidgets-2.8.10 wxbuild
$ PKCS11_INC=/usr/local/include/pkcs11 make NOGUI=1 WXSTATIC=1
$ mv Main/truecrypt /usr/local/sbin/

Now we should be able to access our Truecryt volume:

$ truecrypt --text --filesystem=none /dev/hdc
$ file -s /dev/mapper/truecrypt1
/dev/mapper/truecrypt1: Macintosh HFS Extended version [...]

We can set up ZFS now:

$ git clone http://rainemu.swishparty.co.uk/git/zfs
$ cd zfs/src && scons && scons install install_dir=/opt/zfs-fuse-rainemu
$ export PATH=$PATH:/opt/zfs-fuse-rainemu
$ zfs-fuse --pidfile /var/run/zfs-fuse.pid
$ zpool import -d /dev/mapper -a -f

$ zfs list
NAME    USED  AVAIL  REFER  MOUNTPOINT
tank0   135G  16.4G   135G  /tank0

Now we will be able to export /tank0 via Samba (or NFS, if needed) and can access it from our host machine as well. While surely not as speedy as local HFS+ (although I haven't actually measured yet), it's enough for watching movies or storing pictures. And apparently ZFS on Linux is much more stable and tested than on MacOS X. Well, to be honest, with this setup I could now even replace Truecrypt with dm-crypt and zfs with a stable filesystem, but that wouldn't be so much fun, eh? :-)

Today I found out that I have 3 leftover realmedia files in my archive. Sure, VLC can play this, but why not just converting them to something more useful? I haven't used mplayer in a while and I still did not find a way to redirect its output to stdout (no, file=/dev/stdout did not work either). Using a FIFO was the way to go here:

$ mkfifo foo
$ oggenc -q 6 foo -o file.ogg &
$ mplayer file.rm -vc null -vo null -ao pcm:fast:file=$HOME/foo

After finally setting up a Tor (exit-)node, this happened:

The spike at the end means that I've increased the daily limit again to 8 GB and await a message from my ISP every minute now :-)

That's what I was looking for. Until our distribution of choice includes this fix, we can use:

--- /usr/share/munin/munin-html.orig    2010-01-26 19:22:09.000000000 +0100
+++ /usr/share/munin/munin-html 2010-01-26 19:26:59.000000000 +0100
@@ -311,7 +311,7 @@ foreach my $file( (@files) ) {
 
 #make domain list
 my @domainlist = map { { DOMAIN => $_ } } @domainorder;
-my $timestamp = strftime("%Y-%m-%d T %T", localtime);
+my $timestamp = strftime("%Y-%m-%d T %T %z", localtime);
 for my $domain (@domainorder) {
     logger("processing domain: $domain");
     my %domain;

Whadayaknow, our shell of choice still has its limits:

# echo $((2**63-1))
9223372036854775807

# echo $((2**63))
-9223372036854775808

# file $SHELL
/bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) [...]

Zsh seems to have the same limit; ksh93 does:

ksh93$ echo $((2**1023))
8.98846567431157954e+307

ksh93$ echo $((2**1024))
inf

And csh seems to need some magic to do exponentiation at all.

Trying out Windows 7 every now and then I was surprised to see that you still cannot mount ISO 9660 images. Unbelieavable, IMHO - one still has to use 3rd party tools to get this done. The next incarnation of this marvelous operating system will have it for sure?

I always wondered what the blogosphere was babbling about regarding the shiny new security measures recommended by the TSA. Well, now I know what Security theater feels like: half-assed "everything must be checked" searches for everyone boarding a plane to the US.

So there are two security checks at LHR now: the first one is the usual metal detector and hand-baggage scanning, with random individual checks which takes about a minute per person. The other one is *at the gate*, starts at boarding time (expect major delays!) and takes 3-5min per person. Yes, these are made-up numbers, since TSA's Wait Time Calculator is out of order at this time, probably due to unforseen security checks. And "half-assed", because the search drones are trying so hard to do as instructed in their classroom, that they're looking diligently at laptops and little baby-bottles, as if they could spot "dangerous looking items" with their bare eyes.

And even if they found something: will the security guys from the first checkpoint be fired then? Why not? FYI, neither of them found the matches in my hand luggage - and yes, I must've left them there by accident, I did not study their Airport Screening Manual that was leaked some time ago :-)