As always, xkcd makes a great point through a comic with “Password Strength”.
Password Strength
I do not know if the point he is making is actually valid, some research will be required.
Update: Ben Rockwood comments on the webcomic with “Password Myths”.
I believe that Mr. Rockwood is correct in his appraisal that we should all start using the term pass phrase.
One of the first things I needed after upgrading to Mac OS X 10.7 (Lion) was to make some Python scripts work. However easy_install seemed to be broken:
$ easy_install psycopg2
Traceback (most recent call last):
File "/usr/local/bin/easy_install", line 5, in <module>
from pkg_resources import load_entry_point
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 2607, in <module>
parse_requirements(requires), Environment()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 565, in resolve
raise DistributionNotFound(req) # XXX put more info here
pkg_resources.DistributionNotFound: setuptools==0.6c12dev-r88795
I fixed this by installing Distribute and then the new Mac OS X Developer Tools.
Wow. This is a massive deal and a huge hurdle for RSA:
So I bought a new 32GB iPhone 3G S this morning at a Rogers Plus store. Was painless and, since I give them so much money each month, I received the $299 pricing.
Different from last time is that the staff activated the phone before handing it over.
I plugged it into iTunes which offered to restore my previous unit’s backup and I’m good to go. Smooth!
I thought I’d let everyone know that I upgraded my iPhone 3G to iPhone OS 3.0 yesterday and tethering Just Works™ over both Bluetooth PAN and USB. In fact, it’s much simpler to use than I expected.
I have an original 6G data plan with Rogers and according to their FAQ, this is a supported feature and I am not going to get a multi-thousand dollar bill next month. 
Recently I have been building a few packages under an OpenSolaris Zone hosted by Joyent. Ran into a few issues with shared libraries, so here are my notes:
You will often get an error like ld.so.1: conftest: fatal: libreadline.so.5: open failed: No such file or directory. This simply means the linker can not find your library. The following command will tell the linker to append a new entry to the existing search path:
# crle -u /path/to/lib/dirYou can retrieve the current configuration by simply running
crle on it’s own, output should be something like this:
$ crle Configuration file [version 4]: /var/ld/ld.config Platform: 32-bit LSB 80386 Default Library Path (ELF): /opt/local/lib:/opt/csw/lib:/usr/lib:/lib Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default) Command line: crle -c /var/ld/ld.config -l /opt/local/lib:/opt/csw/lib:/usr/lib:/lib
You can easily get yourself into a situation where your system is a brick by having an incomplete search path for the linker. For example, if you run crle -l /foo/path/lib, you will no longer be able to run anything at all since the linker will not find basic libraries it needs. I found a great post on this topic which instructs you do use the LD_NOCONFIG environment variable to tell the linker to use a default configuration. You can then fix the issue:
$ sudo crle -l /opt/local/lib -l /opt/csw/lib -l /usr/lib -l /lib ld.so.1: sudo: fatal: libpam.so.1: open failed: No such file or directory Killed $ LD_NOCONFIG=yes sudo crle -l /opt/local/lib -l /opt/csw/lib -l /usr/lib -l /lib
Since I will eventually be implementing OpenID in a commercial project, I thought I would go ahead and set myself up properly.
There are now a few free OpenID providers and I have setup my own account with VeriSign Labs Personal Identity Provider beta. Of course, I do not wish to expose the actual provider as my OpenID: what if I lose trust in them or they simply stop offering the service one day?
The solution to this is actually quite simple and allows you to use your own domain as your personal OpenID, exactly what I needed. The technical term is delegation and is fully documented. To implement this trick using WordPress, simply edit your themes header.php and add two meta tags. Of course you can do this with your software of choice, or even plain vanilla HTML. This is what I added to my blog:
<link rel="openid.server" href="https://pip.verisignlabs.com/server"> <link rel="openid.delegate" href="https://adam.sherman.pip.verisignlabs.com">
The above indicates that my personal OpenID is being delegated to https://adam.sherman.pip.verisignlabs.com which is hosted by the server https://pip.verisignlabs.com/server. Since the page at http://sherman.ca/ contains the above tags, I can now go to any site supporting OpenID (look for the logo: 
) and simply use sherman.ca as my identifier.
I believe that OpenID’s time has come and I look forward to implementing it for some of my clients in order to give their users the ability to consume services without a registration page.
So Rogers (and their other brand, Fido) have Unlimited Data plans. And guess what? The fine print is so bad I do not know whether to laugh or cry. The Fido page says
The Unlimited surfing on your Fido option includes unlimited mobile surfing on your handset only and is only available on selected handsets (non-Fido certified handsets, WindowsMobile devices and PC cards are not eligible). Data usage incurred on ineligible handsets and devices, incurred while tethering (using a handset or device as a wireless modem or laptop) or incurred using non-Fido (third party) applications downloaded to your handset will be subject to pay-per-use charge of 5¢ per KB. Option applies within Canada only. While roaming outside Canada, data transmission charge of 5¢ per KB apply, except in the U.S. where data transmission charges of 1¢ per KB apply.
The Rogers page has a few good ones too, have a look.
This means that I can have unlimited data, but only on devices where I would likely not use much, right?
The Torontoist has an article on this subject.
Since I have run into problems similar this fellow, I thought I would link to the original page and reproduce the instructions here:
# dscacheutil -flushcache
Very useful tip.
As mentioned in a previous post, Leopard uses launchd to automatically launch ssh-agent when needed. I just noticed that it does exactly the same thing for X11!
Try it: type xeyes in a Terminal window and watch X11.app magically launch itself. Very smooth. Relevant configuration is quite simple:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>Label</key><string>org.x.X11</string> <key>Program</key><string>/usr/X11/X11.app/Contents/MacOS/X11</string> <key>Sockets</key> <dict> <key>:0</key> <dict><key>SecureSocketWithKey</key><string>DISPLAY</string></dict> </dict> <key>ServiceIPC</key><true/></dict></plist>
For more information on launchd, see the following man pages: launchd(8), launchctl(1) and launchd.plist(5).
A nice feature I was not aware of is the ability to put user-specific agent definitions in ~/Library/LaunchAgents, very cool.
blog
Pharmacy blog
buy soma
buy viagra
buy viagra online
cheap generic viagra
buy cialis online
buy cialis
buy levitra online
buy levitra
buy trial packs
buy propecia
buy propecia online
buy voltaren
buy cialis soft
buy cialis soft online
buy viagra soft online
buy viagra soft
buy acomplia
buy acomplia online
A quick tip about using the qlmanage command to see the Quick Look preview of a file from the command line. Define this shell function:
ql(){
qlmanage -p $@ 2>/dev/null
}
Then you can invoke it as ql FILENAME when needed. Use C-c to exit.
Update: Scott left a great suggestion to use $@ instead of $1. This allows you to bring Quick Look up for multiple files. (It even provides a contact sheet view, nice.) Thanks Scott!
I received and installed Mac OS X 10.5 Leopard on Friday, now I’m getting used to it and will be posting a series of short notes about interesting features as they appear.
One of the first things I noticed is that Leopard seems to start ssh-agent at login. A little more digging reveals that this is due to a LaunchAgent provided by Apple:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.openbsd.ssh-agent</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ssh-agent</string>
<string>-l</string>
</array>
<key>ServiceIPC</key>
<true/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SecureSocketWithKey</key>
<string>SSH_AUTH_SOCK</string>
</dict>
</dict>
</dict>
</plist>
The above causes the agent to be dynamically launched only when you actually need it. That is really cool!
Updated: I just read this hint which mentions that there is also a nice Cocoa ssh-ask-pass in Leopard! Funny thing is that I had seen the dialog a few times without noticing it at all, it seems to just be a normal occurrence.
For the past couple of months, I’ve had an issue where Apple’s Mail would not set messages “read” flag on the IMAP server unless I used the “Mark as Read” menu.
Just now, I read the following:
http://discussions.apple.com/thread.jspa?messageID=3144247
Disabling GPGMail’s ability to automatically decrypt/verify messages caused the issue to go away. Fantastic!
UltraMonkey provides Debian packages for Heartbeat 2.0 (currently 2.0.4).
Recently, while trying to figure out why ssh is taking so long to connect to many systems under Mac OS X 10.4.1, I sniffed the DNS traffic. To my surprise, I see SSH is doing SRV lookups:
0.000000 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.001124 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.001272 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
0.001989 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.002321 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
0.002848 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.003176 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
0.003993 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
2.027353 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.027840 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.028764 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
2.029120 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
2.029562 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.030249 10.100.0.23 -> 10.100.0.10 DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.030829 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
2.031551 10.100.0.10 -> 10.100.0.23 DNS Standard query response, No such name
4.042563 10.100.0.23 -> 10.100.0.10 DNS Standard query A mariesa.techsupport.local
4.043651 10.100.0.10 -> 10.100.0.23 DNS Standard query response A 10.100.0.103
4.064124 10.100.0.23 -> 10.100.0.10 DNS Standard query A mariesa.techsupport.local
4.065093 10.100.0.10 -> 10.100.0.23 DNS Standard query response A 10.100.0.103
That is very aggravating, since I don’t see a way to turn it off. Some Googling reveals a post on the topic.
Update: Stany did a little digging, found lots of patches, but not what I was looking for:
Now, regarding SRV lookups…. I’ve not noticed anything magic in the source that causes that to happen. Maybe that’s part of GSSAPI stuff – I frankly weren’t looking too closely. Maybe it’s something that libSystem.B.dylib does on behalf of ssh. Further investigation is needed, as it didn’t jump out at me.
So I’m thinking that this must be a part of the resolver. Although, it is doing lookups for _telnet._tcp.
This afternoon I quickly setup enough infrastructure on my test server to enable it to use Multicast DNS to resolve local names and answer local queries. Multicast DNS is part of the Zeroconf specification, which Apple has implemented and refers to as Rendezvous.
In order for this to work, your system needs to both answer and perform multicast DNS queries. The two pieces you need for this are:
As of 0.3, nss-mdns is already Debian-ready, simply build a package executing fakeroot dpkg-buildpackage from the unpacked tarball. There is an mDNSResponder package in Sarge which is rumored to be removed shortly due to license problems with APSL, so grab a copy soon.
Once these are installed, simply add mdns to the hosts line of /etc/nsswitch.conf and you’re done.
You will now be able to resolve “.local” hosts from your Debian system and also resolve this system’s hostname on other local hosts. By editing /etc/mdnsresponder/mDNSResponder.conf, you can advertise any service you want.
I just read Debian on Soekris HOWTO and was wondering if there are any additional steps one should take to ensure proper functioning of a Debian system running from a CompactFlash card. For example, would logging and other hammering reduce the life of the card in any significant fashion? Is it worth the hassle of going to a read-only root filesystem on the card?
Since my previous posts (1 & 2) about using IPsec in tunnel mode to securely connect multiple networks (I’m up to 17 on the same gateway.), I have needed to add support for “road warriors”.
While IPsec has low overhead, even in tunnel mode, it requires a lot of effort to configure for use by mobile clients. First, we must now assume NATs in the field; whether they are behind the now omnipresent home gateways or on public wireless networks. Secondly, it is my experience that using a VPN system based around bridging has many advantages:
I will elaborate on the routing issues. In our setup, our main gateway connects to 17 remote networks via IPsec. In order for a remote client to access a remote network, both the client and the remote gateway must have the correct routing table.
In light of the above, I decided to use OpenVPN. It fulfills my main objectives: simplicity and security. Correctly setup, OpenVPN will perform verification against both the client and server certificates and uses very strong crypto. To set this up you will need a PKI (Public Key Infrastructure).
My server-side configuration:
ca /etc/ssl/certs/ca.crt
ccd-exclusive
cert /etc/ssl/certs/gw.domain.ca.crt
client-config-dir ccd
client-to-client
dev tap0
dh /etc/ssl/dh2048.pem
float
group nogroup
keepalive 10 120
key /etc/ssl/private/gw.domain.ca.key # This file should be kept secret
local 66.46.199.130
passtos
persist-key
persist-tun
port 1194
proto udp
push "route 10.100.0.0 255.255.0.0"
server-bridge 10.100.0.1 255.255.255.0 10.100.0.90 10.100.0.100
status openvpn-status.log
user nobody
verb 4
My client-side configuration:
dev tap0
remote gw.domain.ca
tls-remote gw.domain.ca
pull
nobind
passtos
float
tls-client
ca ts-ca.crt
cert adam.crt
key adam.key
keepalive 15 45
persist-tun
persist-key
verb 2
Note the tls-remote directive. This is critical to ensuring that the client verifies the identity of the server.
My previous post promised some information about how firewall rules interact with IPsec under Linux 2.6, well here it is.
The Shoreline Firewall has full support for declaratively defining IPsec tunnels and hosts under the new IPsec support. To do this however, you will need the policy match netfilter extension from the Patch-o-Matic NG and also 4 other patches:
While these patches are in the POM-NG, they will not cleanly apply to linux 2.6.9. Ronald Moesbergen was nice enough to port the patches are are available from the list archive.
To apply the patches, simply run patch -p1 < ipsec-* from the top of our kernel source tree. Also copy the policy match extension’s files from the POM-NG directory into your kernel tree and insert the contents of the two .ladd files into the relevant Makefile and Kconfig file. Then reconfigure, enabling the policy match, and rebuild. Then follow the documentation.
If I have time, I’ll try and add some more information here.