Sysadmin Sunday: Subversion

Sorry for the recent lack of Sysadmin Sunday posts. I don't always have good Sysadmin content thought up. Sometimes I do, but I don't have time to actually set up an environment to demonstrate it. Sometimes I don't even have time to get around to writing much of anything.

So, we're back this week with a tutorial on setting up Subversion, a revision control system that, in my opinion, is much better and user-friendly than other revision control systems (such as CVS). You'll see me (and many others) casually use "SVN" when referencing Subversion. You can use subversion to synchronize directories (folders) across different workstations, to collaborate changes on large documentation or programming projects, or to simply have a revision control and change rollback system for your files. It works with binary and text, but can take up a lot of hard drive space on the server for large or frequently-changing data sets.

Initially installing Subversion varies on the platform and package management system available. I am installing subversion on Ubuntu Gutsy Gibbon Server Edition. Here, it's as simple as:
$ sudo apt-get install subversion

On FreeBSD 6.3, I got it installed using pkg_add as well, with no problems.
$ sudo pkg_add -r subversion

Subversion packages are available for many platforms, but if you wish to build it from source, the documentation is quite good.

HiR Reading Room
Of particular note is the O'Reilly and Associates book: Version Control with Subversion. It is free and open source, so it's also available to read in its entirety on the web. I personally liked it enough that I bought the paperback book, as I dealt with subversion on a daily basis at my last full-time job. If you'll be doing a lot with Subversion, this is a great book to have around as a reference guide.

Please note that I'm not dealing with any encryption whatsoever, so you should probably make sure that your svn server isn't accessible from the Internet. Being behind a private firewall or cheap router will work for testing this at home. Read the book for information on securing SVN with ssh or using better authentication options. There's even a web-based SVN Server, which allows your users to browse the repository with a browser while using all of the flexibility and authentication modules at Apache web server's disposal. All of that and plenty more is covered in this book.

Starting svnserve
First, make a directory to keep the repositories in. A repository is simply a directory on the SVN server where data is stored. I chose /var/svn/repositories.
$ sudo mkdir -p /var/svn/repositories

Then, we need to start our svnserve daemon. As I mentioned before, there are several ways to run SVN. Just starting a vanilla svnserve daemon is the easiest way but not always the best way. For the purposes of this demonstration, I will keep it simple.

Place "svnserve -d -r /var/svn/repositories" (or whatever repository root you chose) in the startup scripts, usually in /etc/rc.local. Either reboot, or run "[sudo] svnserve -d -r /var/svn/repositories" from the command line to start it. This restricts svn to exporting only the contents of /var/svn/repositories.

Your first repository
Let's set up our first repository. On the SVN Server, run the following. You may choose whatever you wish for the repository name, but it has to be under the repository root you defined when you started svnserve.
$ sudo svnadmin create /var/svn/repositories/hir-test/

You should create a username and a password by editing the "svnserve" and "passwd" files in the "conf" directory under the repository you just created. Keep in mind that passwords are all in plaintext for this example. It's not really the best way to do things, but it is the simplest.

$ vi /var/svn/repositories/hir-test/conf/svnserve.conf
un-comment the following lines:
anon-access = read
auth-access = write
password-db = passwd

$ vi /var/svn/repositories/hir-test/conf/passwd
Add a line like the following to the end of the file to define your username and password:
axon = setecastronomy

Now, go to a client computer (or simply access it locally but through the svn:// url scheme) and use SVN to check out the repository:
[axon@floaty-fbsd ~]$ svn checkout svn://axon@
[axon@floaty-fbsd ~]$ cd hir-test
[axon@floaty-fbsd ~/hir-test]$ ls -la

total 8
drwxr-xr-x 3 axon axon 512 Mar 29 21:37 .
drwxr-xr-x 20 axon axon 2560 Mar 29 21:38 ..
drwxr-xr-x 6 axon axon 512 Mar 29 21:37 .svn

Copy a file into the repository, or make a new file. Your choice. Then use "svn stat" to see the status of the files in the directory.
[axon@floaty-fbsd ~/hir-test]$ cp ~/internet-resume.doc .
[axon@floaty-fbsd ~/hir-test]$ svn stat
? internet-resume.doc

SVN doesn't recognize the file, hence the "?" before the file name. We must first add the file with "svn add"
[axon@floaty-fbsd ~/hir-test]$ svn add internet-resume.doc
A (bin) internet-resume.doc
[axon@floaty-fbsd ~/hir-test]$ svn stat
A internet-resume.doc

At this point, SVN is aware of the file, but it still hasn't uploaded it to the svn server. If we go to another machine and check out the repository, it will still be empty. (sorry, I used the DNS name in this example but it's the same server as
axon@hosting:~$ svn checkout svn://axon@lampdev.labs.h-i-r.net/hir-test
Checked out revision 0.
axon@hosting:~$ cd hir-test/
axon@hosting:~/hir-test$ ls -la
total 12
drwxr-xr-x 3 axon axon 4096 2008-03-29 16:52 .
drwxr-xr-x 5 axon axon 4096 2008-03-29 16:52 ..
drwxr-xr-x 6 axon axon 4096 2008-03-29 16:52 .svn
Back on the client machine where we added the file, though, use "svn commit" to update the central repository on the SVN server. You should always commit with a message saying what changes were made. use --message for that. It should then prompt for your password.

[axon@floaty-fbsd ~/hir-test]$ svn commit --message "added my resume"
Authentication realm: 2c608312-9cd3-44f0-b88e-356728a5cc35
Password for 'axon': setecastronomy (not shown on screen)
Adding (bin) internet-resume.doc
Transmitting file data .
Committed revision 1.

Now, whenever you check out the repository elsewhere, the files will be in sync. Use svn update to refresh your local repository to the latest version:
axon@hosting:~/hir-test$ svn update
A internet-resume.doc
Updated to revision 1.
axon@hosting:~/hir-test$ ls

When you delete, copy or move files within a local copy of the repository, it's best (practically mandatory) to use svn delete (svn rm), svn copy (svn cp), and svn move (svn mv) for these tasks, respectively.

So far, the commands we've covered the following for client machines. This should be enough to get you up and running.
svn checkout svn://[user@]host/repo-name - Checks out a local copy of the repository
svn update - Refreshes the local repository
svn add - Adds version control to new files in the local copy of the repository
svn commit --message "test message" - Updates the central repository
svn delete
filename - remove a file from the local repository
svn rm filename - same as above
svn copy filename1 filename2 - make a copy of a file within the repo.
svn cp filename1 filename2 - same as above
svn move filename1 filename2 - move a file from one place to another in the repo.
svn mv filename1 filename2 - same as above

There is also a windows shell extension available, called TortoiseSVN. This puts a TortoiseSVN menu in the list when you right-click while browsing files on Windows. From here, you can check out, update, add, commit and manipulate repositories right from within Windows.


Testing an ATX Power Supply

Things you'll need:

  • Tools to open your computer case
  • A voltmeter or multi-tester, preferably a digital multimeter (DMM)
  • A paper clip or a small piece of wire to use as a jumper.
A friend of mine was having trouble with one of his computers. At first, it sounded like a power supply problem, so I gave him some advice on testing the power supply.

A power supply can make or break your computer. It's often one of the first components to fail because of the high temperatures and abundance of electrolytic capacitors. Heat and capacitors aren't usually a good combo, and running the computer with a clogged fan can raise temperatures in the PS high enough to damage the caps. A power supply may also take the brunt of the damage in a power surge, as well -- especially if the computer is turned off.

There are a few things to understand about the ATX Power Supply. First off, ATX power supplies are soft-triggered, meaning that they're always pulling a little bit of electricity from the wall. They're powered on not with a hard physical switch, but with an electronic relay activated by the motherboard. Therefore, a little bit of electricity has to be going to the motherboard even when the computer is off, so that it can tell when you have hit the power switch.

Another thing is that most newer computers require extra power for the motherboard, this comes in the form of two additional 12VDC wires and two additional grounds molded into a four-prong plug (called a P4 plug) that supplements the traditional ATX plug:

Before we begin testing, unplug the computer from the wall outlet, open the case, and unplug all the Power Supply cords from the motherboard, drives and all accessories. Notice that there are many black wires on the main ATX plug. If you have a DMM with an ohm-meter or continuity tester, you should check to make sure all of the black wires have continuity. These are all chassis ground wires, and you can use any one of them to test the for the power supply. Hook one test lead up to any black wire, then make sure that there is little to no resistance between that black wire and all the other black ones. Be sure to check the grounds on the P4 plug and Molex (hard drive) plugs.

Now, you may plug the power supply into the wall outlet again. The only wire we need to test right now is the purple wire. Take note of it, as it may look a lot like the black wires or a blue wire if you don't have plenty of light. It will be the fourth wire in, next to the two adjacent yellow wires on the main plug as shown below:

Test the voltage between this purple wire and ground. This is the "standby" power, and should be near 5VDC.

If this doesn't register any voltage, there may be a fuse blown internally to the power supply, or it could be something more catastrophic. If the voltage is wildly out of spec (like 2.3VDC or 8VDC), something is very wrong. Trash it and replace your power supply.

Now, you'll need your paper clip or a jumper wire. I chose a jumper wire because it's insulated and I didn't want to run the risk of hitting the jumper with my DMM's test probes. I'm just careful.

Find the green wire. This is the power-on wire.

When the green wire is jumpered to ground, the power supply fan should spin up. If this doesn't happen, something is wrong, but it could just be a clogged fan so you should at least check the voltages before you go shopping for a new power supply. Make SURE you jumper the green wire to a black wire, not the purple one. I don't know if it would hurt anything, but the PowerON wire is not designed to be hooked to anything other than ground.

I attached the ground probe to one of the ground wires by jamming it into the back of the ATX plug, so that I only have to fiddle with the positive test probe from here on out. That makes taking these pictures a little easier. ;)

First, I tested the voltage of all of the red leads. These should be +5VDC. Not surprisingly, they are the same voltage as I saw on the Standby Power rail which should also be +5VDC. To be sure the power supply is intact, check ALL of the red, yellow, blue and orange wires on ALL plugs, even for the P4 and Molex hard drive power plugs. A single broken or damaged connection can be the difference between a healthy computer and one that's unstable or may not even boot.

Test all of the leads except for the brown, green, and gray ones. The green is obviously in use and working at this point. Brown and gray are both voltage sense connections that you don't need to bother with. Your power supply may or may not have a white wire. It's optional in the ATX specification but most new power supplies have them present. Use the table below to determine the voltage specifications for each color. Note that these are voltages as related to chassis ground (black wires). Again, if any of these voltages are wildly out of spec or you notice an open circuit (0 volts), you should probably replace the Power Supply or have it looked at by a competent computer repair professional. Opening up a Power Supply voids its warranty and exposes components that could probably hurt you even if it's unplugged.

Purple (standby)+5VDC
White (optional)-5VDC


Copying and pasting between workstations with web mail

Occasionally, I have to quickly get information copied and pasted between my personal laptop and my desktop. Maybe it's a URL or a shell script. Who knows?

I usually have GMail fired up on my laptop anyways, so I simply create a new mail, then paste the text into the e-mail body and save it as a draft.

I go to the other computer, open up the draft, and copy the contents to the clipboard.

Other options do exist (such as X2VNC and friends), but don't always work too well between platforms for clipboard activity. Note, you can also use file attachments in a draft.

You can do this with pretty much any web mail client that supports drafts, and it's not quite as cumbersome as actually e-mailing yourself. You can just trash the draft when you're done, or use a draft as a transient scratch pad for data you wish to access from multiple computers.

Mac OS X: Pwned in two minutes flat - CanSecWest

Coverage like this might seem somewhat odd given the fact that most of the HiR crew are Mac users.  As it turns out, this is likely an issue with Safari, which I've been known to hate on very frequently.  Safari and I just don't get along.  Never mind the fact that FireFox is tied up with something else and I'm making this post from within Safari (much to my chagrin, given Safari's lack of compatibility and frequent crashes with Blogger).  

This year, the PWN 2 OWN hacking competition at CanSecWest was over nearly as quickly as the second day started, as famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was. Apparently Mr. Miller visited a website which contained his exploit code (presumably via a crossover cable connected to a nearby MacBook), which then "allowed him to seize control of the computer, as about 20 onlookers [read: unashamed nerds] cheered him on." Of note, contestants could only use software that came pre-loaded on the OS, so obviously it was Safari that fell victim here.

Full story on InfoWorld


Why high-sec locks are pickable

Ross Kinard put out this paper on high sec locks earlier this month (found via [blackbag] today).

It outlines why several high-security locks are still vulnerable to manipulation and picking. Although it's often a more complex task to pick a Medeco or a Mul-T-Lock, the same flaws in manufacturing and normal wear end up creating many of the same vulnerabilities. It's just more difficult to pick these locks because there are more hoops to jump through, if you will.

Ross discusses the Two-Stage method of unlocking -- something that few lock manufacturers employ -- and why it's crucial to making a lock more difficult to pick. Ross uses Abloy's Disc Blocking System as an example of a very strong system that is highly resistant to straight-forward manipulation attacks.

If you like physical security, lockpicking, high-res photos of locky goodness and technical diagrams, this is a great read. It's not terribly verbose, either. I think it also goes without saying that Blackbag belongs in your RSS reader. Right now.

Sun Microsystems: Breakin' the law, Breakin' the law?

... Moore's Law, that is. Sun currently has laser technology in its crosshairs with the intent to boost speeds of communication between chips on computers. While this has been a theoretical way to vastly improve processing power, no one's actually pulled it off and put it into production yet. A quote I found amusing from the article:

“It’s like the difference between having someone next door and having to get on an airplane to fly across the country,” said Alan Huang, an optical networking designer at the Terabit Corporation in Menlo Park, Calif. “This would be a way of breaking Moore’s Law.

While Moore's Law actually involves an exponential increase in the number of transistors that can be effectively crammed onto a silicon wafer, I don't see how this technology will actually break Moore's Law, per se. It might just render Moore's Law obsolete by allowing multiple-CPU computers to scale much more efficiently.

Full story: [nytimes] via [engadget]


Hak.5 - Shmoocon Special

The Hak.5 guys went to Shmoocon and pumped out an hour.5 long interview with five high-profile hackers. Vista (in)security, GSM Cracking, SSD/Flash data recovery, and the new version of BackTrack are covered, among other things. It's worth a watch, but don't get caught slacking off at work! An hour and a half is a long lunch break.

Hak.5 Season 3 Ep. 8


iPod touch hack released

iPOD touch hack released.
Check out http://www.ziphone.org/. Zibri found the solution to the iPod touch's in ability to be unjailed. The problem was with the nvram being corrupted.
Here is how to do it.

  1. Just run the un-corruption utility in the zPhone utility
  2. Run the jailbreak.
  3. Install the BSD Subsystem.
  4. Then Run the 1.1.3 updates for the BSD subsystem terminal for back spacing.
  5. Then install the SUID Lib Fix .
  6. Install The Term-VT100 terminal program.
  7. Install the Cydia package (DEBIAN style package management!) which will replace the BSD subsystem.
Side notes:
  • The /Library/LaunchAgent/ folder contains the daemon launch plists. deleting one will prevent it from loading.
  • If you still have the BSD subsystem do not change the root password. The BSD passwd utility BREAKS the OS causing you to need to re-install the firmware. The Cydia utility works with out incident.
  • The default root password for for the iPOD will be either "alpine" or "dottie".


Arthur C. Clarke dead at 90

via Engadget

If you've been under a rock for the past 50 years you might not have realized how much the visions of this man have changed your life. The most prominent would be the geosynchronous com satellite. There is a very high probability that nearly all of the cable TV you watch is from sat feeds, and of course DSS is all sat. Your GPS unit works via geo-sync sats. So does your sat-phone, if you've got some spendy need for one.


HiR Reading Room: Postfix: The Definitive Guide

Postfix is my favorite MTA right now. Various authentication and mail store options, a "security first" development cycle, and great performance are just a few of the reasons. Gone are the days of Sendmail. Qmail is feature-packed but kludgy (and I don't really care for djb's antics nor his hubris, so maybe it's a little personal). Postfix is king, as far as I'm concerned.

This 278-page guide is svelte, but remains packed with useful tips, configuration examples, and advice on Internet mail infrastructure. Whether you just want to build a mail server for yourself or a small company, or you're looking at revamping the way your corporate e-mail is handled, this book is worth a look.

You don't need to know a lot about MTAs in general to get started. I'd argue that intricate familiarity with Sendmail might even hurt you a little. You can get a ground-up lesson on mail infrastructure from Postfix: The Definitive Guide. A little functional UNIX knowledge is a bonus, though.


Observations from this week

This has been a crazy week for me. Most of this is related to work and personal life. I have a few observations and it's going to sound like a rant.

Someone I do work for is testing a new SSL VPN solution. This is a VPN that just uses the web browser. I was looking forward to ditching the Windows VM which I pretty much use only for VPN. This particular VPN has been configured to require Windows. What the hell is up with that?

We had the BSD User Group meeting yesterday. Somehow, the meeting room got double-booked between us and the Commodore 64 Club. I say club because no one actually USES Commodore 64 computers for anything anymore. They just look at them and play text adventures on them. At first, I was excited to see the C64 laptop there, figuring someone may have actually installed NetBSD on it, but no. It was just a C64 laptop (there's a model name or number for it but I don't care enough to look it up). Then, I got to thinking about NetBSD. You probably could get it working on a C64. I co-worker of mine suggests that you could probably put a dead hamster in a shoe box and get it to run NetBSD. I don't think that's too much of a stretch.

The C64 club had KCBug outnumbered 3-to-1. This pains me. Had it been a PerlMongers or KC Linux UG meeting I wouldn't have been so hurt, but seriously, KC guys. This was a a disgrace. Get with the program and come to KCBug next month. Please? Thanks. Meeting details will probably get posted to the KCBug Mailing List.

The PHP user's group is tomorrow. I'll probably be there. So will Asmo.


Electric Skies.


This reminded me of the opening line to Neuromancer: The sky above the port was the color of television, tuned to a dead channel. Anyone have more links to literature (in all of it's forms) using the meme of an electric description for the sky?


Shared Links

I'm not sure if I'm ready to go putting del.icio.us daily RSS feed splices in the HiR RSS Feed yet, but for the time being, we're taking interesting links that show up in our Google Reader feeds and sharing them via the navbar on the right under HiR Shared Links.  You can also add our shared items to your RSS reader.  We'll probably still write commentary on interesting newsworthy articles that we find, but this is a way for us to show you some of what's keeping us interested.

Thanks for reading!
HiR Editor

UNIX Tip of the day: shell math with bc

bc is "an arbitrary-precision calculator language" which so happens to be nearly ubiquitous across all UNIX platforms that I've ever run across. 

Why on earth would you want to do math on the command-line?  Well, that's a good question.  I often find myself using it when I have a terminal window open and don't feel like finding a calculator or firing up the calculator program just to do some basic division or multiplication.  Remember, I suck at doing math in my head unless it's stupidly simple stuff.

What does "arbitrary precision" mean, exactly?  Well, it means that bc will only be as precise (with floating points) as you are with your input.  Integers in, integers out!

axon$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
491003798 * 2

This is important when doing division:

5 divided by 2 is obviously not 2. Set the scale to 2 to make it precise to two decimal points, and try again:


Much better.

Like shells, you can combine multiple commands on one line with a semicolon between commands: FYI: sqrt(x) gives you the Square Root of x and x^y gives you x to the power of y. This is similar to how many scientific calculators or Google Calculator works. In fact, most of Google Calc's syntax works quite well in bc.

scale=0; sqrt (982007596); 16^2

Since bc operates on standard input, you can use any of the below methods to do non-interactive math from the command-line or shell scripts:

axon$ echo "2008 * 42" | bc

Here Document:
axon$ bc << EOF
> (2008 * 42) + 65535


Use bc if you are writing a shell script that requires floating-point operations, as most shells don't handle math too well. You can even use shell variables.

axon$ export gallons=12.5
axon$ export price=3.879
axon$ echo "A tank of gasoline costs \$`echo "$gallons * $price" | bc`"
A tank of gasoline costs $48.487

Note that while bc exists as part of most UNIX installations (I think it's part of the Single UNIX Specification), that the supported syntax varies between platforms a little bit.  When in doubt, check the man page.


Sysadmin Sunday: LogCheck

I've been using LogCheck in its various incarnations for quite a while. When I started using it (it feels like a decade ago but it may have been a little less) it was called LogSentry. While it's still pretty simple, it gets the job done. LogCheck's been passed around many times, and I'm relatively sure that the package I downloaded has remained for the most part unchanged for at least 5 years. For a small group of servers you wish to keep tabs on, this tool is great. For an enterprise, you might want something more heavy duty such as a database-driven centralized logging server.

Note that by itself, LogCheck only does two things:

  1. Looks through all the log files shown for suspicious or "hackish" activity
  2. E-mails the report
That's it.

I'll be doing the install on FreeBSD. LogCheck is just a script, so it will run on pretty much anything that isn't Windows.
$ sudo pkg_add -r logcheck
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.3-release/Latest/logcheck.tbz... Done.
To see what LogCheck thinks is "hackish", check out logcheck.hacking and logcheck.violations (in /usr/local/etc/ when installed from FreeBSD's packages) Those contain a list of regular expressions (one per line) that will be used to gather reporting information from the logs. Similarly, logcheck.ignore and logcheck.violations.ignore contain regular expressions that can filter certain results from the report. I recommend looking at these files but not editing them at first. Let LogCheck run for a week or so (daily) to get a feel for it. Then, start adding or removing expressions to the lists to fine tune your reports.

To change what e-mail address the report is sent to, find logcheck.sh (it's also in /usr/local/etc/ when installed from FreeBSD's packages) and modify this block of text as appropriate:
# Person to send log activity to.
Look at the other variables, too. By default, the log files and configuration will likely be workable, but it's a good idea to make sure.

Adding the following line to the system's crontab will launch LogCheck every hour. This isn't a big deal because it will only mail you if there is something suspicious. If you would rather have a daily log, read the man page on crontab to figure out how the schedule options.

00 * * * * root /bin/sh /usr/local/etc/logcheck.sh


Balancing Hack: Amaze your co-workers!

Next time you have a can of your favorite caffeine-packed beverage in a boring staff meeting, try this and see what the reaction is.

The two rims found on the bottom of most 12oz soda cans makes them easy to stack, but also gives you an area to balance the can on. If the can is full, center of gravity will be on the outside of this rim and it will fall on its side. If the can is empty, there will be more weight (from the tall part of the can) outside this rim as well. However, if the can has just the right amount of liquid in it, the center of gravity will actually shift to the area between the two rims, allowing the can to balance, and even roll around in a circle if you're careful! This is because the aluminum itself is relatively light compared to the can's contents.


Shutting off wireless auto-config in Mac OS X

As a matter of security and simply less annoyance, I prefer my computers to not connect willy-nilly to just any wireless network in range. OS X currently doesn't connect to random open networks, but it does always look for them, and by default it prompts you to connect to new ones. In OS X, all you have to do is un-check the "Ask to join new networks" on the AirPort adapter in Network preferences to stop this behavior.

Once you do that, go into the Advanced preferences and remove all those random access points that you've connected to in the past, leaving only the ones you know and trust on the list. If your access point has a default-ish name (like WLAN, Default, linksys, etc) you should probably change it so that your computer doesn't join up to the first "linksys" network it runs across.

On Linux and BSD, it's easy. You simply have to try -- and mean it -- to get on a wireless network. You don't just accidentally connect.

Also, it's a cold day in hell. Last week, I bought my wife a new computer that came loaded with Windows Vista Home Premium. I can only use it for a few minutes at a time before I have the urge to go take a shower with a steel wool pad to try to get Vista off of me, but I can't for the life of me figure out how to kill Vista's auto-join feature while letting it connect to preferred networks only. If you have any tips, drop us a line. It definitely isn't like XP. The only thing I saw told me to kill the Wireless Autoconfig service (maybe called something a little different) and all that did was completely disable wireless access on Vista.


IP Subnetting - more fun with newLISP

I decided it would be fun to try to make an IP subnet calculator with newLISP.

Thanks to Elica and Lutz on the newLISP discussion boards. I needed some help with the logic. There's probably a way to compact this code down to about 3 lines somehow, but I'm still a newLISP n00b. I stuck with the logic examples that I have a firm understanding of, but the discussion yielded some interesting results.

Here's what I came up with

# newLISP IP Address calculator by ax0n
# ax0n (at) h-i-r.net
(define (iptostr ip4)
# Converts an integer to an IP in dotted decimal notation
(mod (/ ip4 0x1000000) 0x100) "."
(mod (/ ip4 0x10000) 0x100) "."
(mod (/ ip4 0x100) 0x100) "."
(mod ip4 0x100))

(define (iptonum ip4str)
# Converts an IP string to an integer
(map set '(one two three four) (parse ip4str "."))
(+ (* 0x1000000 (float one)) (* 0x10000 (float two))
(* 0x100 (float three)) (float four))

(< (length (main-args)) 3)
# Display usage if no args passed
(println "usage: ipcalc.lsp ip-address/maskbits")
(println "ex: ipcalc.lsp")
(set 'ipstr (last(main-args)))
(map set '(ipaddr bits) (parse ipstr "/"))
(set 'binip (iptonum ipaddr))
(set 'netmask (& 0xffffffff ( << 0xffffffff (- 32 (int bits)))))
(set 'netaddr (& binip netmask))
(set 'bcast (& 0xffffffff (| binip (~ netmask))))
(println "host IP: " ipaddr )
(println "netmask: " (iptostr netmask) )
(println "network: " (iptostr netaddr) )
(println "broadcast: " (iptostr bcast))
(println "Host range: " (iptostr (+ netaddr 1))" - "(iptostr (- bcast 1)))

Running it by itself gives you a syntax help page.

-bash-3.2$ ./ipcalc.lsp
usage: ipcalc.lsp ip-address/maskbits
ex: ipcalc.lsp

You have to provide an IP Address and mask in CIDR Notation. It does the rest!

-bash-3.2$ ./ipcalc.lsp
host IP:
Host range: -

You can download the script here:

HiR Reading Room: AIX 5L Administration

While AIX 6.1 is the new hotness, it's mostly feature additions. If you know AIX 5, you can get around AIX 6 without a problem -- you just might be missing out on cool things like enhanced RBAC and workload partitions.

The writing, grammar and editing of this book leaves a little bit to be desired, but the concepts covered in AIX 5L Administration are vitally important for any AIX sysadmin to be familiar with. This book is great for people who have a casual working knowledge of the UNIX command line (linux, solaris or BSD) who want to expand their horizons all the way up to seasoned intermediate AIX users, who will find new things and helpful tips within these pages.

I personally bought this book while I was job hunting. I had some rusty familiarity with AIX 4, but was looking at the prospect of landing a job that required working, functional knowledge of Solaris 8, Solaris 10, and AIX 5.3. It was a great refresher course for AIX, and gave me the information I needed to confidently blaze through a pre-employment AIX knowledge test. Now, more than a year later, this book sits next to my desk and is occasionally referenced when I need to do something on AIX that I'm not too familiar with.

Whether for reference, for job advancement, or for the fun of tinkering around with something new, this book comes highly recommended for anyone dealing with AIX, either daily or occasionally.


IP subnetting

This really isn't that hard, but I had someone ask for help on one of the forums I participate in, and thought I'd share the answer here.

The person needed to determine the following given an IP/Mask of

  • Subnet Mask
  • Network Address
  • First usable host address
  • Last usable host address
The answer is to use binary math and boolean logic to solve the problems.

/18 means there is an 18 bit subnet mask on that IP address. This is neither a Class C (24 bit subnet mask) or Class B (16 bits). Although, "Classes" are kind of obsolete these days. It's just an 18 bit subnet mask. Straightforward.

In binary, it looks like this (decimal underneath):
11111111 11111111 11000000 00000000
255 255 192 0

To get the network address, you take the IP Address in binary, and do a boolean AND against the subnet mask. A boolean AND will only return a 1 where both numbers have a 1, and return a 0 everywhere else.

11111111 11111111 11000000 00000000 <-- subnet mask
10010010 10001101 11011011 00101111 <-- IP Address
======== ======== ======== ========
10010010 10001101 11000000 00000000 <-- Network Address

The first usable host IP address is always the first IP after the network address, in this case,

To get the broadcast address, you simply change all of the non-masked bits from the network address (in this case, the last 14 bits) to 1.

10010010 10001101 11111111 11111111 <-- Broadcast

You need to know the broadcast address to come up with the last usable host IP address, which is always one IP below the broadcast address. The last usable IP in the network for this example is


Sysadmin Sunday: Encrypted Swap Space in FreeBSD

New research shows that cold boot attacks can compromise encryption by giving you access to the RAM's contents. This even applies to full-disk encryption that encrypts swap space and whatnot. We'll probably talk more about that in our podcast.

Physical access almost always means that a total compromise of security is somehow possible. Sensitive data could be at risk long after the data in RAM decays into oblivion. Encryption keys, large documents, and other files containing data you don't want falling into the wrong hands will almost certainly see their fair share of time in virtual memory. That means pages of RAM will be written, for better or worse, to the hard drive.

Encrypting just your swap space can be easier than switching to full-disk encryption and makes it more difficult for an attacker to obtain sensitive data as it gets shuffled in and out of RAM.

OpenBSD encrypts swap by default without any further action. To the best of my knowledge it's alone in that fact. I can't outline how to encrypt swap space in every operating system, but since FreeBSD's the flavor-du-jour, I'll show you how easy it can be.

First, disable swap:

[axon@floaty-fbsd ~]$ sudo swapoff -a
swapoff: /dev/ad0s1b: Cannot allocate memory
Whoops! If there's too much stuff running to fit in RAM without swap, you'll need to cut back. Close your applications, stop the X Window system or whatever you have to do. Let's try that again.
[axon@floaty-fbsd ~]$ sudo swapoff -a
Now, find the swap partition and over-write it using dd(1) to stream /dev/urandom to it. It could take a while depending on the size of the swap partition. Yes, this is a paranoia countermeasure and nothing more. Keep in mind that only freshly-used parts of swap will be encrypted once we're finished. Right now, there could be (ab)usable data out there. Not for long!
[axon@floaty-fbsd ~]$ grep swap /etc/fstab
/dev/ad0s1b none swap sw 0 0
[axon@floaty-fbsd ~]$ sudo dd if=/dev/urandom of=/dev/ad0s1b
dd: /dev/ad0s1b: end of device
464657+0 records in
464656+0 records out
237903872 bytes transferred in 88.835558 secs (2678025 bytes/sec)
To enable GEOM ELI on your swap partition, edit /etc/fstab and add ".eli" to the end of the swap device.

[axon@floaty-fbsd ~]$ sudo vi /etc/fstab
change this line:
/dev/ad0s1b none swap sw 0 0
to this:
/dev/ad0s1b.eli none swap sw 0 0
You have to reboot for this to take effect. Once it comes back online, use kldstat and swapinfo to verify that the geom_eli.ko module is loaded and that the new swap device is being used.

[axon@floaty-fbsd ~]$ kldstat
Id Refs Address Size Name
1 10 0xc0400000 7b2d2c kernel
2 1 0xc0bb3000 6974 snd_ich.ko
3 2 0xc0bba000 239a8 sound.ko
4 1 0xc0bde000 5c304 acpi.ko
5 1 0xc1f19000 e000 geom_eli.ko
6 1 0xc1f27000 19000 crypto.ko
7 1 0xc1f40000 a000 zlib.ko
8 1 0xc21ec000 2000 warp_saver.ko
[axon@floaty-fbsd ~]$ swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 232328 0 232328 0%


Lying kids are smart kids

What's this got to do with anything? Lying is, in essence, social engineering.

A child who is going to lie must recognize the truth, intellectually conceive of an alternate reality, and be able to convincingly sell that new reality to someone else. Therefore, lying demands both advanced cognitive development and social skills that honesty simply doesn’t require.
Continue reading: Are Kids Copying Their Parents When They Lie? -- It's worth a read, especially for those of you with kids. Via [Schneier on Security]