2008-02-28

Locksport International guide to lock picking

The so-called "LSI Guide to Lock Picking" has been around for a few years, but it's a great primer for people who are interested in learning the art, science, and sport of picking locks. It covers basic lock parts terminology, a quick guide on making some basic lock picking tools, and some tips for picking your very first lock.

A few things to note:

  • Picking your own locks or locks you have permission to pick is not a crime.
  • It's very much like solving an interesting puzzle by feel alone.
  • Certain locations (states, cities) have laws regarding transportation or carrying of lock picking tools, so it's best to keep them at home.
Read: The LSI Guide To Lock Picking (pdf link)

2008-02-27

It's official: Leopard = No network for OpenSolaris Indiana VMs

Lukas got it working on Parallels 3.0 under OS X Tiger, but two different HiR guys failed to get networking to work on OpenSolaris Indiana DP2 on Parallels 2.5, 3.0 and VMware Fusion when running Mac OS X Leopard.

Oh well. Like I said, maybe I'll give it a crack on a real computer when I have a lab machine ready to use.

UNIX Tips of the day - 10 good UNIX habits

Have I mentioned lately how I really like IBM's developerWorks site? I don't think I have.

I already know all of these tricks, but I still catch myself in bad habits on occasion -- for instance, I rarely use grep to count matches, and I sometimes pipe things with cat when I don't need to.

The 10 good habits in the article are as follows:

  1. Make directory trees in a single swipe.
  2. Change the path; do not move the archive.
  3. Combine your commands with control operators.
  4. Quote variables with caution.
  5. Use escape sequences to manage long input.
  6. Group your commands together in a list.
  7. Use xargs outside of find.
  8. Know when grep should do the counting -- and when it should step aside.
  9. Match certain fields in output, not just lines.
  10. Stop piping cats.

Continue reading: Learn 10 good UNIX usage habits (via IBM developerWorks portal)
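A handful of the habits above as working shell, written for this post and not taken from the IBM article: directory trees in one call, unpacking with -C, && / || and command groups, grep doing its own counting from the file (no cat), awk matching a single field, and xargs fed by something other than find. The sample log and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM article or this post: several of the ten
# habits as small shell functions, run over a constructed sample log.

# Habit 1: create a whole directory tree in one call.
make_tree() {
    mkdir -p "$1/src/lib" "$1/src/bin" "$1/doc"
}

# Habit 2: unpack where the files belong (-C) instead of moving the archive.
unpack_into() {
    mkdir -p "$2" && tar -xf "$1" -C "$2"
}

# Habits 3 and 6: chain with && and ||, and group commands in { ...; } so
# the whole group, not just its last command, decides what happens next.
unpack_or_report() {
    { unpack_into "$1" "$2" && echo "unpacked $1"; } ||
        { echo "unpack of $1 failed" >&2; return 1; }
}

# Habits 8 and 10: let grep do the counting, reading the file itself.
# ("cat file | grep -c" is the cat the article wants you to stop piping.)
count_matches() {
    grep -c -- "$2" "$1"
}

# Habit 9: match one field, not the whole line. Field 2 of the sample log
# is the program name, so an "sshd" inside a message text does not count.
count_field_matches() {
    awk -v want="$2" '$2 == want { n++ } END { print n + 0 }' "$1"
}

# Habit 7 (and 4): xargs takes any list, not only find output; -I makes
# each whole input line one argument, so a quoted name with spaces survives.
line_totals() {
    printf '%s\n' "$@" | xargs -I '{}' wc -l '{}' | awk '{ s += $1 } END { print s + 0 }'
}

# Constructed sample data (not real logs). Prints the log's path.
make_sample() {
    cat > "$1/auth.log" <<'EOF'
10:01 sshd accepted alice
10:02 sshd failed bob
10:03 cron started sshd-check
10:04 sshd failed bob
10:05 sshd accepted carol
EOF
    printf 'a\nb\n' > "$1/notes file.txt"
    echo "$1/auth.log"
}

if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    log=$(make_sample "$d")
    echo "failed logins: $(count_matches "$log" failed)"
    echo "lines from sshd: $(count_field_matches "$log" sshd) (grep -c would say $(count_matches "$log" sshd))"
    echo "total lines: $(line_totals "$log" "$d/notes file.txt")"
    rm -rf "$d"
fi
```

Run it as `sh habits.sh demo`. The field-match function is the one worth remembering: a plain `grep -c sshd` over the sample counts the cron line too, because "sshd-check" appears in its message, while matching field 2 counts only what sshd itself logged.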

2008-02-26

Homebrew geeky UNIX screen saver

For the past 7 years or so, I've been doing fun things with XScreensaver to make custom screen savers that display useful information. My favorite XScreensaver mode is Phosphor, which renders olde-school green text on your screen. By default, it just displays information about your system such as system load and host name. While that's fun and all, it's pretty boring for a desktop system.

So, I'm a weather geek. Part of the reason is because I like being outdoors, but even when I'm cowering inside on a blustery February morning, I like to know what the weather is doing. On my FreeBSD lab machine, I configured Phosphor to display the hourly National Weather Service data for my area.

Obviously, you need to download and install XScreensaver first. You can do this using whatever means you want, but on FreeBSD, it's as simple as "sudo pkg_add -r xscreensaver".

Then, I put an entry in my crontab that looks like this (all on one line, though):

7 * * * * /usr/local/bin/lynx -dump -nolist "http://www.crh.noaa.gov/product.php?site=EAX&issuedby=EAX&product=RWR&format=txt" | tail +16 | head -n 15 > ~/.wx.txt

This fetches the weather data (without a list of links and stripped of HTML) for the eastern KS/northwest MO region, grabs the lines I want, then puts it in the .wx file in my home directory. This runs 7 minutes after the hour, every hour, every day.

Of course, you could use a similar script to do an hourly scrape of the front page of your favorite news site, or run any program that will generate a text file for Phosphor on a regular basis.
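The same fetch as a small script, added here and not part of the post: the cron line as written truncates ~/.wx.txt to nothing whenever lynx fails, and Phosphor can catch the file half-written. This version keeps the last good report when the fetch fails and swaps the new one in with a single rename. The URL, the line range (16 through 30) and the output path come from the cron entry above; the function names and the 15-line sanity check are mine.

```shell
#!/bin/sh
# Added example, not the post's own cron line: the same fetch as a script
# that keeps the last good report when the fetch fails and replaces the
# file atomically, so Phosphor never reads an empty or half-written file.
# URL, line range and output path follow the cron entry in the post.

WX_URL='http://www.crh.noaa.gov/product.php?site=EAX&issuedby=EAX&product=RWR&format=txt'
WX_FILE="${WX_FILE:-$HOME/.wx.txt}"
WX_MIN_LINES=15

# Keep lines 16 through 30 of stdin: the post's "tail +16 | head -n 15"
# as a single sed call.
select_report_lines() {
    sed -n '16,30p'
}

# Read a report on stdin and install it as $WX_FILE only if it has at
# least $WX_MIN_LINES lines; otherwise leave the old file untouched and
# return 1. mv over the old name is atomic on the same filesystem.
write_report() {
    tmp="$WX_FILE.tmp.$$"
    select_report_lines > "$tmp" || { rm -f "$tmp"; return 1; }
    n=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$n" -lt "$WX_MIN_LINES" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$WX_FILE"
}

# The fetch itself, using the post's lynx invocation.
update_weather() {
    lynx -dump -nolist "$WX_URL" | write_report
}

# Constructed stand-in for a report: 40 numbered lines, for trying the
# script without network access.
fake_report() {
    awk 'BEGIN { for (i = 1; i <= 40; i++) print "line " i }'
}

if [ "${1-}" = update ]; then
    update_weather
fi
```

Save it as, say, ~/bin/wx-update.sh and point the crontab entry at it: `7 * * * * $HOME/bin/wx-update.sh update`. Try it offline with `fake_report | write_report` and `cat ~/.wx.txt`.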

Now that we have the weather data (or whatever else you want) coming to us every hour, it's time to configure xscreensaver. First, make sure "xscreensaver&" is included before the window manager starts up in your .xinitrc or .xsession file, depending on if you're using an X Display manager or just startx to launch X.

Run "xscreensaver-demo" to access the configuration screen, and set it up to use only one screen saver, choose Phosphor, then tell it to read the text file ~/.wx, as shown in the screen shots below:





Notice how the display has that cheesy-yet-familiar phosphor persistent delay? I love it!





Sorry this didn't capture very much of the screensaver, I'm trying to figure out why xvidcap keeps crashing on FreeBSD.

2008-02-24

Hungry Hungry Hackers

So, what do command line junkies do when the urge to food hits? They tap out their order and wait for the steaming goodness to arrive via Pizza Party. Not having a Domino's account to work with, I'm at a loss to test, but it looks promising. Now you can justifiably say that, yes, you can do just about anything from the command line.

(via a recent post on KCLUG)

Sysadmin Sunday: Quick & Dirty SSH Tunneling

Occasionally, you might need to tunnel some other traffic over SSH. This could be to get access to an external web proxy, to get a remote X display up, or to get around a firewall-blocked port that you must access.

The syntax (on the command-line OpenSSH client) for a Local forward is like this:

# ssh remote-example.h-i-r.net -L 3128:localhost:3128

This tells my SSH client to tunnel traffic to port 3128 on my workstation to port 3128 on my DMZ box. Port 3128 isn't accessible because of a firewall, but tunnelled over SSH it works fine. In this case, I'm running squid on the remote example host. Telling Firefox to use http://localhost:3128 as the proxy will now tunnel all of my web traffic over the SSH tunnel to the squid proxy behind the firewall. It's called a local forward because it forwards a local port over the SSH connection.

A remote forward will open up a port on the remote machine and connect it to a port on the client's network. The syntax is similar:

# ssh remote-example.h-i-r.net -R 3306:dbserver:3306

This would open up port 3306 (the MySQL server port) on the remote host and tunnel it to the MySQL service on the host named dbserver on my local network.

While running forwarding of either type, you can enter the hotkey sequence "~#" to see all the open connections through the forwarded ports.
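The two forwards above wrapped in a little shell, added here and not from the post: it checks the ports before ssh ever runs, and adds the two options a long-lived tunnel wants, -N (don't open a remote shell) and -o ExitOnForwardFailure=yes (fail instead of logging you in silently with no tunnel when the listening port is already taken). The host names are the post's; valid_port, tunnel_cmd and start_tunnel are names I made up.

```shell
#!/bin/sh
# Added example, not from the post: validates a forwarding spec and builds
# the ssh command line for a local (-L) or remote (-R) forward with the
# options a long-lived tunnel wants. Function names are mine.

# A port is 1..65535 and nothing but digits.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd local|remote <listen-port> <target-host> <target-port> <ssh-host>
# Prints the ssh command line; returns 1 on a bad kind or port. A "local"
# forward listens on this machine, a "remote" one on the ssh host; both
# listen on loopback only unless an address is given explicitly.
tunnel_cmd() {
    kind=$1; lport=$2; thost=$3; tport=$4; sshhost=$5
    valid_port "$lport" || return 1
    valid_port "$tport" || return 1
    case "$kind" in
        local)  flag=-L ;;
        remote) flag=-R ;;
        *)      return 1 ;;
    esac
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s:%s:%s %s\n' \
        "$flag" "$lport" "$thost" "$tport" "$sshhost"
}

# Run the tunnel in the foreground. The unquoted expansion is safe here:
# every word was validated or is a host name, and none contain spaces.
start_tunnel() {
    cmd=$(tunnel_cmd "$@") || return 1
    $cmd
}

# The post's two examples: squid via a local forward, MySQL via a remote one.
if [ "${1-}" = show ]; then
    tunnel_cmd local 3128 localhost 3128 remote-example.h-i-r.net
    tunnel_cmd remote 3306 dbserver 3306 remote-example.h-i-r.net
fi
```

Two things to keep in mind with this form. With -N there is no pty, so the "~#" escape mentioned above isn't available; drop -N if you want to watch the forwarded connections interactively. And on the server side, sshd_config's AllowTcpForwarding and PermitOpen decide whether a user may set up these forwards at all, and a -R listener only becomes reachable beyond the ssh host's loopback if GatewayPorts is turned on, which is worth checking on any box you don't want turned into a relay.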

2008-02-23

RMS steps down as lead EMACS dev.

A story just popped up in my RSS feed on /. with a comment that mentions the XKCD comic about real programmers. I had a good chuckle. I never gave EMACS much of a try, as I like the simplicity of stuff like vi(m). Maybe now we can have him turn an OS (Hurd) into a decent text editor...

Fire: Improvised fire starter and tripwire

It's no secret that HiR absolutely loves fire and explosives, as evidenced by almost a decade's worth of traditional pilgrimages out to the fringe of society every Independence Day to partake in massive amounts of blowing stuff up.
In my more mischievous and adventurous youth, I made these fire starters in batches. The one drawback is that when these are fully assembled, they may be set off unintentionally if they're crushed or subjected to significant shock. I'll cover storage and transportation tips later on.

Disclaimer: Arson is illegal. Fire isn't a toy. Making improvised incendiaries is an act of "terror" in the US. Don't be a moron. HiR won't be held responsible for random acts of stupidity.

Why Bother?
  • If waxed, these igniters are immune to temporary exposure to water splashes and rain.
  • They start things on fire quickly.
  • The intense flame is resistant to high winds while the igniter material is burning.
  • In many situations, they burn for more than 10 seconds after the match heads finish.
  • They're inexpensive to make.
Backpacking/Survival Uses:
  • Start kindling quickly to build a fire for warmth, light, or cooking.
  • Use as a bright, temporary flare signal in the dark.
Defense Uses:
  • A trip-wire igniter with a fuse and road flare can alert you to and illuminate intruders.
  • A remote pull trigger can be used to activate a fire (pile of leaves, flammable substances) as a distraction for egress or ambush.
Other uses:
  • Use as an improvised remote trigger where distance from the fuse or fire is desirable.
  • I'm sure plenty others come to mind.
Materials:
You will need the following materials to make a basic backpacking fire starter:
  • Scissors or knife
  • Some kind of tape
  • A book of matches
Optionally:
  • Paraffin wax or candles you can melt
  • Small tin can
  • Cooking pot
  • a heat source (stove top)
  • Yarn, thread, twine, string or fishing line (for a remote igniter)
Making a basic pull igniter

Take apart a book of matches and throw away the staple. Pardon the generic matches. I don't smoke nor do I make a habit of picking up match books from various places.


Take one of the sets of matches and roll it tightly, then tape the bottom to hold it tight.


Carefully wrap the match book cover around the igniter tightly with the striker touching the igniter, but don't let the igniter rub on the striker or it will go off in your hand! Keep a bowl of water handy just in case.


Wrap tape around the cover, and you have a pull igniter. Just yank the igniter out through the tube and you'll get a hot, brilliant flame. You can make a second igniter out of the other set of matches as well. The striker tube is re-usable.

Making a tripwire
Make a slip knot in fishing line or string and use it to bind the rolled matches. You really don't need to use tape for the rolled matches if you go about it this way. Leave a few feet of fishing line attached to the igniter, so that you can tie it around a sapling or another anchored object.


Take the striker tube and tie fishing line around it and tie it off. You will want a lot of fishing line to spare, because you will want to be able to string it across a fairly wide path if need be. I usually give it about 12 feet.


Assemble much like you put the last one together (that is, very carefully!). To set the trip wire, tie the igniter to a stationary object, then string the longer wire across a path. Jam a fuse deep into the striker tube with the igniter to activate a flare or other payload.

Waterproofing
Carefully melt some wax in an old tin can set in a pot of boiling water. Dip the igniter in wax a few times to coat it.

Transporting and storage
Wrap paper around the igniter before storing it in the striker tube to keep the igniter from going off in transit.


I recommend keeping these in a 35mm film canister or orange pharmacy pill bottle. Both of these are relatively water-tight. Add some old dryer lint for padding. Lint also ignites easily and makes good kindling for starting a larger fire when you're camping or backpacking.

2008-02-22

More FreeBSD love and some fun stuff

I'm working on a fun project for HiR that involves a little bit of CAD (computer aided design/drafting) work. QCAD Community Edition is the GPL version of RibbonSoft's inexpensive QCAD software. It comes without RibbonSoft's technical support and lacks certain features that they reserve for QCAD Professional.

RibbonSoft claims that QCAD is usable right out of the gate even by people who have never used CAD before. I haven't touched CAD since I tinkered with AutoCAD Lite back in 8th grade shop class. I'd like to think I'm technically minded as well. QCAD is NOT easy to get the hang of. Maybe compared to AutoCAD or CADKey, but you can ask my wife and she'll tell you I've spent the better part of three whole days just getting my bearings straight with QCAD. I think I've got it mostly figured out now, though.

By the way, QCAD is available as a binary package or in the Ports tree for both FreeBSD 6.2 and OpenBSD 4.2. I've been using it on both platforms. FreeBSD works really well with QCAD despite my somewhat anemic workstation. My Logitech Revolution VX is a life-saver for precision CAD work. With its smooth-scrolling wheel and high-resolution laser optical tracker, it fits the bill perfectly. I'm really glad that FreeBSD and XOrg play nice with this mouse.

As for the project I'm working on, I'll just say it's mischievous and delightfully fun. I'll release the .DXF file for this project when the time comes.

2008-02-20

FreeBSD 6.3 on the desktop - Update

This is part of an ongoing series of reviews of FreeBSD 6.3 on the desktop.  


Well, FreeBSD isn't as peppy as I originally thought.  It's no worse than any other Desktop OS would be on this kind of hardware.  AJAX-based web pages and applications are sluggish.  Heavy media  applications like VideoLAN VLC and Amarok run fine as long as they're the only things running.  I'll admit, the slowness keeps sending me back to my happy MacBook on occasion.  This might be easily resolved by building a new(er) computer from parts that aren't about 5 years old.

Yesterday, I got to spend some quality time with FreeBSD, though.   Still enamored with the simplicity of Free's package management, I got gtkam to work quickly and easily to get some photos off of my Canon PowerShot A540 with ease.  That surprised me quite a bit, but gtkam is definitely no replacement for my beloved iPhoto.  FreeBSD had some trouble with one of my SD card readers, but I managed to get it worked out by making sure the card was inserted before attaching the reader.  

I had to build VLC from source via the ports tree, and that took several hours but worked without any problems.  Amarok is a slick audio player, almost as nifty as iTunes or Windows Media Player for my MP3 collection.  It's just terribly bloated.  

I'm also disappointed that secure shell isn't enabled by default.  I needed to get some data from this machine earlier today, and was unable to reach it.  It's alive, but SSHd isn't up and running.  I guess I'm all for leaving as many services disabled as possible, but even OpenBSD asks if you want to enable SSH during the installation.  That's not so much a gripe about FreeBSD on the desktop as it is about its network services out of the box, though.

I'm pleased, but I wish I had a little better machine to throw at the project.  My relatively powerful notebook has spoiled me.

2008-02-19

HiR Reading Room: Hakin9 Magazine

I picked up the most recent copy of Hakin9 magazine this week. As usual, it delivers some good content.

I first ran into Hakin9 at the local Border's Book Store when looking for Make magazine about a year ago. I usually subscribe to magazines I like, so you won't find me perusing the periodicals too often.

The first issues of Hakin9 I found were a little rough around the edges. I've mentioned hakin9 in passing before, but it seems to be maturing (just a little bit). Of note, the overall grammar in the publication seems to be improved. This is partially, I'd suspect, because more writers seem to be from English-speaking countries.

Hakin9 always comes with a CD-ROM of goodies. For the past several issues, this has been Hakin9 Live, a slightly modified release of BackTrack 2 with some extra content related to the magazine. The most recent issue of Hakin9 Live comes with two decent video tutorials, some demonstration software, and simply by way of building on BackTrack 2, a LOT of security tools ready to use if you boot a system up from the CD. Both of the video demonstrations show how to use tools right from within BackTrack.

Additionally, this issue's hardcopy content is juicy. The article count is pretty low, but it makes up for it with a great level of detail, rich illustrations, and some epic profiles of big names in the industry: Gary McGraw -- who I mentioned a few weeks ago, and Eugene Kaspersky.

Always rounding out the pages are overviews of the extra software included on the CD, frequent book reviews, and product reviews and recommendations.

While Hakin9 obviously still carries a strong bias from the "Attack" side of things, it has enough defense-centric advice to keep it relevant to the task at hand for people in the information security biz. As such, it's never a bad thing for white hats to understand how the black hats think or what they're up to -- and we're all just various shades of grey anyways. There's obviously a verbose disclaimer about how the information within Hakin9's pages is for use on your private network and machines. We know. ;) I do think it's cool that they publish in several different languages, though.

Link:
Hakin9 - Hard Core IT Security Magazine (English)

2008-02-18

Tinkering with the ComboGard 2

This article is a derivative of an article I wrote a while back, which was published in 2600: The Hacker Quarterly 21:4 (Winter 2004-2005). If it looks familiar, that's why.

The LaGard ComboGard series of digital combination locks (Model 33E) is a mainstay of the vault lock industry. It was designed to be a drop-in, high-tech replacement for the old dial-type combination locks for safes and vaults. The actual lock mechanism has the same dimensions as most run-of-the-mill group 1 or group 2 combination locks. The spindle that connects the keypad to the lock mechanism (to retract the bolt of the lock) is in the same location as the spindle that connects the dial to the lock mechanism on old combination locks, and the keypad will mount using similar mounting hardware and at the same location as an old combination lock. Quite literally, you can use a ComboGard lock to replace an aging mechanical lock on an otherwise good vault.

Safe and vault manufacturers can also buy these locks and install them from the factory. You can find one of these in use at many restaurants, stores, and businesses. They're not all that expensive, so their widespread popularity is no mystery. Are they more secure? Arguably, yes. A typical mechanical lock has about 27 million possibilities, whereas a 6-digit combination lock such as the ComboGard has a mere 1,000,000 possibilities. Mechanical locks have other weaknesses, though. Many of them can be manipulated and listened to. Digital locks cannot be easily manipulated. Digital locks can also enforce a lock-out policy much like networked systems, where no further combinations can be tried until a penalty time has expired. This limits attacks to 3 tries per penalty period; with a 5-minute penalty, only 36 combinations can be tried per hour. At this pace, it would take years to go through every possible combination.

Lock Parts:
The lock's main electronics board is housed inside the lock assembly, which is secured within the vault itself. There's a single 9-volt battery that powers the whole thing, which can last for years if it's opened daily. It's contained within a small plastic box, connected to the lock assembly through a proprietary connector. The keypad has an identical connector; they're easy to confuse, and they will plug into the wrong ports. The keypad is a circuit board with a membrane touch pad, with an LED and speaker, covered with rubber keys and housed in a metal case with a plastic bezel. In the event that the owner fails to act on the lock's low-battery warnings, there are terminals located on the keypad so that an emergency battery can be attached to operate the lock temporarily. The lock case and keypad are connected via a square-shaped brass spindle which can be cut to the proper length to accommodate different thicknesses of vault doors. The keypad electronics connect back to the lock case with standard-issue two-pair phone cable, with the same proprietary connector on the end.

Operating:
When you enter the correct combination, the keypad is allowed to rotate counter-clockwise, retracting the lock bolt. There are numerous other features that are programmable, either with a special tool that service personnel have, or via the keypad for owners. The online manual at LaGard's website has all this information. What if you forget the combination? As far as I know, there is no master combination. You're left to do what a locksmith would do to a mechanical lock that can't be opened: drill it. Unless drilled in a very precise location, the lock will never open. On some revisions of the case, there is a raised circular area that designates the optimal spot to drill.

Dumpster Diving for Locks!
For some reason, a local place has been discarding these locks, and I've managed to find a few in a dumpster. Some have been opened up and no longer have the factory warranty. Some of them have had their spindles cut and have been installed and uninstalled. One thing holds true, though: none of them have the default combination (1-2-3-4-5-6) and none of them have been reset by a technician (in which case the combo would be 5-5-5-5-5-5). Lately, I've been seeing several of them turn up on eBay and other auction sites, some selling for $50 or less. This is definitely a bargain. I called LaGard and asked them if they knew how to reset a lock, and they informed me that I needed to call the people I bought the lock from. Well, since I found it by dumpster diving, that was out of the question. I called the place whose dumpster I've been finding them in, and they informed me that I needed to call some company in Kansas, as they service all of their ComboGard locks. They were of little assistance. After a bit of social engineering and a call back to LaGard, I had a fax in my grubby little hands that outlined in great detail exactly how to reset these gems.

Resetting (without any fancy tools)
I've since lost the actual fax, but the process remains ingrained in my head. Whether it's exactly the same as the fax I received, I can't remember, but I do know that it works! It also voids the warranty, since it involves breaking the tamper-resistant seal tape (hint: a razor blade and a hair dryer do wonders). On with resetting the lock. I've included some photos to help with the process.

1) Remove the keypad and battery from the lock case.

2) Cut or otherwise remove the tamper seal tape. This is the only thing that holds the back plate onto the lock case.

3) Remove the back plate of the lock.

4) Locate the reset jumper holes. There's a central DIP IC. If you hold the lock with the bolt facing away from you, the jumper holes are directly to the left of that IC. They're larger holes than the rest, and they have exposed tinning around them. They're about 1/4 inch apart.





5) Place a jumper wire into the two reset jumper holes.

6) Attach the keypad. It goes into the port closest to the corner of the case.

7) With the jumper wire still attached, connect the battery.

8) Within 5 seconds, press the "5" key on the keypad.

9) Wait 60 seconds, then disconnect the battery and remove the jumper wire. Test the lock with the combination "5-5-5-5-5-5". If it doesn't work, start over again. Timing is critical, and the jumper wire must be secure and connected for the duration of the procedure.

Changing the combination: 0-0-0-0-0-0, old combination, new combination.


Asmodian's Workbench

What's on Asmodian's workbench?
============================================
Google mini
============================================
The Google Mini is an Internet search appliance. It is essentially a 1U Intel server running Google's search engine, with a simple web-based interface to specify what sites it should index. The Mini lacks the capability to access anything but web or Samba based resources. To get around this, they have a feature called a Onebox.

A Onebox module is an XML profile describing what to do if a certain set or format of keywords is encountered during a query. The definition then tells Google to access a certain collection or an external script, which is then sent the query and any applicable authentication information and is expected to return an XML response. The response is parsed with an XSLT style sheet and displayed with the search results.

The Onebox can trigger on queries by keywords, Perl regular expressions, or on every search.
The example they made was an employee directory which searched by last name and returned basic contact information in a formatted box with a graphic.

Informative resources:
Google Inc. "One Box Guide". Accessed 2-18-2008
http://code.google.com/enterprise/documentation/oneboxguide.html

============================================
Pure-FTPd Follow up.
I am working on an adaptation of my previous article on Pure-FTP using Mysql as the user database and creating an automated user web space system, or adapting an existing one.

I am in a situation where I have user information sitting in LDAP (via Novell NDS); however, I cannot implement my own schema, so I must use a MySQL back end to store the user information.

So what I plan on doing is setting up the interface to poll LDAP for user info and import it into the authentication database.

============================================
iPOD Touch Hassle
It seems I am cursed to buy the one technological widget which is resistant to modification.
It appears that the new iPods purchased since December 2007 are resistant to jailbreaking.

Worse yet, information on this is buried amongst a deluge of YouTube videos and unreadable Interweb BLAG's with a crap ton of advertisements, so that searching for helpful information is an all-night task. I'll tell you what doesn't work:

Upgrading to the 1.1.1 firmware via Itunes 7.5+ (Mac and PC)

Though it has been a learning experience:
The iPod touch / iPhone uses an ARM processor somewhere around 500 MHz.

You can access the media folders on the iPOD via iPHUC. However on a standard iPOD this dumps you into a chrooted folder (/var/root/media)

The downgrade/jailbreak process goes like this:

  1. Get the old firmware.
  2. Put it into recovery mode (see above).
  3. Use iTunes to load the old firmware.
  4. On your iPod, go to the site with the giant TIFF with the overflow info and payload.
  5. It will load the program installer.

Then there are some tricks to upgrade the iPod back to the latest firmware while keeping the ability to load 3rd party software.

Like I said, this has not been working.

You can resurrect a "bricked" iPOD or iPhone by holding in the Sleep button and the home button then letting go of the sleep button when you see the apple logo. Then you should see the iTunes logo and the iPOD cable symbols. Attach it to iTunes and then restore the firmware. (This wipes out EVERYTHING).

I understand that if the boot loader is corrupted or overwritten with an incompatible version there is a way to reload it too but I haven't seen any articles with sufficient details on this.

Informative Resources:
ARM web page. "ARM Powered Products". Accessed 2-18-2008 http://www.arm.com/markets/mobile_solutions/armpp/18665.html

Johnstone, Jeremy. "Howto: Run custom apps on iPhone (Part #1)" Accessed 2-18-2008
http://www.jeremyjohnstone.com/blog/archives/2007/08/05/howto-run-custom-apps-on-iphone-part-1/
*This describes a utility called iPhuc and has little to do with the iPOD touch

ilounge.com. "white screen lockup", Accessed 2-18-2008
http://forums.ilounge.com/archive/index.php/t-209541.html
*This references a couple of Youtube videos on updating the firmware.

iPHUC Homepage, "iPHUC" Accessed 2-18-2008
http://code.google.com/p/iphuc/
*iPhuc gives you an interactive (albeit chrooted) shell to your iPhone or iPod.

True, Nathan. "ibrickr" Accessed 2-18-2008
http://cre.ations.net/creation/ibrickr
*The iBrickr application is very handy even though it's meant for the iPhone.

============================================

2008-02-17

2007: Nearly 70% of web hacking incidents were for profit

Sorry folks, no Sysadmin Sunday this week. But here's an interesting tidbit from Breach Security Labs: Their analysis of the significant web hacking events in 2007 show that almost 70% of web hacking incidents were performed for profit. Check out the press release here. The full report [PDF] is available here. It requires a free registration, but reliable sources (that's me) say that you can just use a dummy account.

2008-02-16

Bypassing merchandise display locks

A great many of the popular merchandise security locks and tags operate simply on magnets. Those big plastic sticks you see hanging off of clothing? Usually unlocked at the register with a powerful magnet. The plastic locks that Blockbuster slides into the DVD cases on the display floor to keep people from opening them up until they've paid? Also opened with powerful magnets. The plastic things that keep you from removing cheap-ass MP3 players from the display hooks at Wal-Mart or the pharmacy? Guess what? Yep. Magnetic. Some use other means, like a set of plastic pins that unhook the latching mechanism. These days, RFID or inductor-loop systems physically sealed inside the packaging (or even inside the device!) are becoming more common, so this trick is fast becoming less relevant.

Shown above is a popular security device that simply clamps around a display hook, locking all of the products onto that hook until it's deactivated. Another common one you'll see is a big grey brick stuck on the end of the display hook. They both work the same way, though.

When opened, you can see that a spring-loaded metal pin sticks out. This pin locks the other half shut, clasping this device firmly around the display hook. The display hook will either have a bend in it, or a thicker, rounded ball on the end -- usually both. This is sufficient to keep this plastic lock from being pulled off the end of the display hook. Now, a would-be shoplifter could probably pull the display hook out of the display board pretty easily, but then they would need to sneak out of the pharmacy with a whole batch of $9.99 Coby MP3 players. That's a lot more difficult to hide than just one.

Your run-of-the-mill fridge magnet won't work, but the rare-earth magnets found in hard drives work wonders. A strong magnet will grab the spring-loaded pin and pull it out of the way, allowing the clasp to open.

Other security devices, for example Blockbuster DVD locks, use two or more spring-loaded metal actuators. Behind the counter, the unlocking device has magnets already spaced apart just right to open them up. These systems are a little more secure.

So next time you see some kid messing around with rare earth magnets in the electronics aisle, know that it's probably not so he can corrupt hard drives or make pretty gauss patterns on CRT displays.

2008-02-15

FreeBSD 6.3 - Initial Impact

So, I've been playing with FreeBSD 6.3 for a few days and there are certainly some good things, and definitely some bad things. All in all, though, I like what I've seen. A few days isn't long enough to really get a feel for an operating system on the desktop, so this is the first in a series of reviews I'll be giving FreeBSD 6.3 as I shoe-horn it into my daily life as my main desktop operating system at home. Keep in mind that while I'm on the go, I'm dealing exclusively with Mac OS X on my MacBook, and OpenBSD 4.2 within Parallels when the task at hand calls for something more serious than what OS X can deliver.

The Good:

  • The package management woes I had with 5.0 are completely gone. pkg_add -r [package-name] (ex: bash, firefox, windowmaker, nmap, etc) just works right out of the box. The problem I was having before was that they had converted to bzipped packages (.tbz), but pkg_add was still, for some reason, expecting gzipped packages (.tgz). That's all over now, and probably has been for a long time.
  • The installation is a breeze. I mentioned this before as well, but the textmode-driven menu really does just work. No, it's not as intuitive as a GUI installer, but it's not as sluggish as GUI, either.
  • The OS and Xorg find my snazzy wireless Logitech VX Revolution mouse and all the major features (left, right, center click and vertical scrolling) work without any configuration changes at all. Mouse setup used to be a bit of a chore with FreeBSD.
  • It is oh-so-peppy. As lean and mean as I remember it, I'm not exactly running FreeBSD on a powerhouse workstation. It's a lowly Pentium 3 desktop with a mere half-gigabyte of RAM. Compared to Kubuntu, which was installed prior to this, FreeBSD simply hauls ass.
The Bad:
  • Where in the hell is xorgcfg, the graphical Xorg configuration tool? And why isn't there a somewhat working xorg.conf file installed by default? OpenBSD handles Xorg by default just fine. Playing with FreeBSD 6.2, I know I used xorgcfg to get Xorg up and running, but it's nowhere to be found in 6.3 (at least the way I installed it!) Fortunately, I'm good with xorgconfig, the text configuration tool for Xorg, and got X up and running on my lab machine on the second try.
  • Mozilla Firefox, when installed from binary packages, for some reason creates the .mozilla directory in your homedir owned by root the first time you run it, and then can't start. The easy fix, of course, is to change the owner back to yourself before starting Firefox again, but this boggles my mind. What's more peculiar is that after creating a second user to test this with, Firefox starts fine. Hmm...
  • I really, really miss OpenBSD's monolithic kernel and on-the-fly reconfiguration. FreeBSD forces you to enable kernel modules to get a lot of "optional" hardware to work.
Alas, I digress.

To get sound working, I went into /boot/defaults/loader.conf and set the proper sound module to "YES" (in my case, it was the snd_ich_load line). The "proper" way to do this is to add snd_ich_load="YES" to /boot/loader.conf, since /boot/defaults/loader.conf belongs to the base system and gets overwritten on the next upgrade, but I am lazy and this works. I cheated again and just manually loaded the module from the command line (kldload snd_ich) and voila! My MP3 player software worked like a charm. To get a guess as to what sound driver you'll need, run pciconf -lv and look for your sound device. Then look through the nondescript driver files (/boot/GENERIC/snd_*.ko) to see if there's a logical choice. If nothing jumps out, kldload snd_driver loads every sound driver at once; cat /dev/sndstat then tells you which one actually attached to your hardware, and that's the one to put in loader.conf. Experiment if needed.

Despite what a pain in the butt it is, it's little things like this that remind me why I chose FreeBSD in the first place. It really is back to basics. At the same time, projects like OpenBSD are certainly just as minimalist but without the same kind of impact on out-of-box usability. Unfortunately, I've been spoiled, and OpenBSD is now the gold standard by which I measure things of this nature. It's not looking too good for FreeBSD with that minor exception of truly elegant binary package management. And oh, their package management is slick. It's admittedly low-tech, even. But it simply works well, and that's all I ask of it.

With what seems to be all of the major out-of-box problems solved (graphical interface, sound, boot options), I'm hopefully free of any more show-stoppers. Stay tuned next week to see how things are progressing.

Indiana + Parallels 2.5 = No Network For You!

I know, I should probably fork over the cash for Parallels 3.0. The reasons I have not are as follows:

  1. As far as I can tell, there won't be much difference with OpenBSD as a guest OS which is primarily what I use Parallels for.
  2. Windows 2000, which I use only for VPN access to work a few times per month, works fine under Parallels Desktop 2.5.
  3. I don't like spending money.
With that out of the way, here's my OpenSolaris Indiana experience in a nutshell:
  • The Live-CD functionality is a breeze. Once it's up, it's fairly responsive considering the fact that it's running Gnome. I really don't like Gnome, but it gets the job done.
  • Installation is a breeze if you are willing to dedicate a whole hard drive to it. No word on how easy a multi-boot system is to configure.
  • Once installed, it's surprisingly nimble and smooth, with the caveat that it doesn't like NE2000-based ethernet cards (or their emulated analog via Parallels)
Now, Parallels Desktop comes with a CD image full of useful stuff just for this occasion. Included are drivers (Solaris 10 binary as well as source code) for the NE2000 card. As this release of Indiana doesn't ship with a compiler, I followed these instructions for installing the binary drivers on Developer Preview 1, but to no avail. "Network Auto-Magic" did nothing, and a reboot didn't bring the interface to life, either.

This was my first real brush with OpenSolaris. I use Solaris daily as part of my job, and one of my main desktops at home is a Sun workstation running Solaris 10 (I opted for the CDE interface at home due to the slower processor). As such, I'm certainly no stranger to Solaris. Despite being unable to bring the network to life, I can honestly say that OpenSolaris looks, feels, and smells an awful lot like Sun's enterprise UNIX operating system. If you know Solaris, you know OpenSolaris.

On the workstation, Solaris 10 is actually very feature-rich out of the box. OpenSolaris takes this a step further. Until you hit the command-line interface, it feels very much like an older version of Ubuntu Linux. I haven't bothered to see if Java is as deeply integrated into OpenSolaris as it is in the commercial OS, but if it is, that's yet another boon.

I may have another HiR writer check out OpenSolaris on a newer build of Parallels to see if we can get the network up and running. Otherwise, I'll probably shelve Indiana for a bit until I have a somewhat capable lab machine available to test it on. Preferably, I'd like to test it as a desktop system (not as a server host), which means that I'll need an extended period of a month or so to really give it the kind of attention it needs.

2008-02-13

OpenSolaris Indiana (Developer Preview 2) Available

OpenSolaris Indiana is a project that's creating a binary distribution based on OpenSolaris source code that's both easy to install and use. It's worth checking out. I'm currently installing it within Parallels Desktop on my MacBook, and will also be playing with it some more when I get the free time to do so. Developer Preview 2 was released this week. A Live-CD distro similar to Ubuntu Desktop Edition is available. You can use it from the Live-CD or install it on a hard drive once the interface is up and running.

Giving FreeBSD another shot

I fell in love with FreeBSD for the first time around the early part of 1998. Although I'd heard of FreeBSD before, my roommate, Xeroline, introduced me to it formally. I'd been tinkering with Red Hat Linux and had grown tired of both the wild-goose-chase of RPM dependencies as well as the patchwork of software compiles that often had their own dependency problems. FreeBSD seemed, at the time, to be the answer to my prayers.

FreeBSD 2.2.8 was lean, mean, and very basic. It also brought with it the concept of the Ports system: a skeletal tree of software directories where one could simply utter the words "make install" and then sit back -- often for a very long time -- and watch software compile automatically and usually error-free. Initially, that's all I wanted. It was FreeBSD that pried me away from my Linux addiction, and I'd say that it's also FreeBSD that shaped much of what I've come to expect from a UNIX desktop OS. In short, I didn't want an easy, graphical install. I wanted an OS that would get up and running quickly, be quick on its toes, and give me as clean of a slate as possible from which to begin my adventures. I wanted a system that could be wrought from bare metal.

As time passed, FreeBSD got better, then worse. I had been using OpenBSD for servers since early 1999, and shortly after the 5.x series came out, I got sick of FreeBSD and switched to OpenBSD 3.2 on the desktop and some of my laptops. That was more than 5 years ago. I seriously haven't touched FreeBSD since February of 2003. Until now.

I almost messed with FreeBSD 6.2 a few months ago. I downloaded the ISO images but never got around to burning them. The target install environment was going to be my Pentium 3 lab box, but at the time I was using it to do research for my Linux LVM2 article. The very same machine, in fact, kept getting re-purposed for various HiR research projects. The time has come, though, for me to square off against my quondam favorite desktop OS.

I've only been tinkering with it for about a day now, so I still have a way to go before I'm ready to give this a full review. All I can say is to stay on the lookout for some more FreeBSD love. I can immediately tell that they've worked out some of the major kinks in their package installation tools. The installation doesn't seem like it's changed much since the 4.x releases. For that, I'm thankful. It's just friendly enough for almost anyone to figure out, but not made of bloated graphics like the Ubuntu installer that takes forever to load.

I have a feeling I might start really liking FreeBSD again. Did anyone else feel alienated by the 5.x series, only to come back and try 6.2 or 6.3 and really like it?

2008-02-12

Old tech that I still love

Sure, I might loathe ye-olde mainframes, but there's actually a lot of retro-tech stuff that I love. Two of them are pictured left. The IBM Model-M Keyboard and MiniDisc.

The IBM Model-M is practically a tank, the mother of all ultra-durable keyboards. They're almost impossible to break or wear out. They have a springy tactile feel, and make a lot of noise when you type on them. Many people see this as a horrible turn-off, but there's a certain subset of people who really, really like it. I'm one of them.

MiniDisc is a somewhat failed experiment of the early 1990's, at least in the US. You can still buy MiniDisc players and recordable media, but they're getting increasingly difficult to find. One thing that I really enjoy about MiniDisc aside from the size is the fact that many of the portable MD recorders have optical S/PDIF ability as well. I actually use the MiniDisc player shown above quite often. I don't have a modern MP3 player with the exception of the CD-MP3 player in my car.

I could go on and on for quite a while about old-school stuff that I still love and use, but I'll save it for another day.

What are some old-tech things that you still love?

2008-02-11

Apple Releases OS X Leopard 10.5.2 Update

Just in case you haven't read it anywhere else (or everywhere else, as the case may be), Leopard users can now get Mac OS X 10.5.2, the much-awaited update to Apple's latest operating system.


The MASSIVE update, and links to more info can be found on the Mac OS X 10.5.2 page. Alternatively, you can just fire up Software Update and twiddle your thumbs for quite a while. It should be worth the wait.

YE OLDE MAINFRAMES ARE SCREAMING AT ME

As one who works in the financial services industry, I get the vituperation privilege of working with a mainframe on what seems to be at least a weekly basis, if not daily for weeks at a time.

As I fire up certain programs that are required for my job, I'm confronted with the following woes:

  • Certain software doesn't know what lower-case letters are or how to utilize them.  This, to me, comes off as THE MAINFRAME SCREAMING AT ME.
  • Version 2.08 of some program no one cares about anymore is now Y2K Compliant!  Oh, the joy!
  • A typoed query can easily ABEND certain applications, jettisoning the user back out to the ISPF or TSO prompt.  I jokingly call this "Crashing the mainframe" however I'm really just crashing a poorly written (non-mission-critical, mind you) application.
  • These insidious machines have somehow leveraged the ability to use electronic mail.  Simply not logging into the mainframe does not spare me from its wrath.  Occasionally, I will get e-mail from one of the nodes, again, tactfully crafted IN ALL CAPITAL LETTERS just so that I get the point.
I suppose I'm relatively young and as such biased towards the flexibility and interoperability of modern Open Systems over monolithic big-iron mainframe dinosaurs of hackneyed days (even if some of the mainframes in use aren't all that old)

2008-02-10

Sysadmin Sunday: Pure-ftpd configuration on Ubuntu Server Edition

0. Introduction

There are tons of FTP servers out there. Some are leftovers from the stone age; others are fairly up to date, with SSL capability and virtual user support. In this case I have chosen Ubuntu Server and Pure-ftpd.

Why: Ubuntu comes out of the box unencumbered by unnecessary bloat that many server editions are forced to install out of a spider web of software dependencies. It at the same time has a very mature package management system which allows for easy software updates.

I'll stop there because I don't intend this to be a flame war on what Linux is best. An important difference that the Ubuntu installation has versus its native configuration is that it uses a configuration wrapper instead of modifying a start-up script. Which is why I am writing this article.

This article assumes that you have an intermediate or advanced knowledge of command line based UNIX operating systems.

-=-=-=-=-=-=-=-
Table of contents:
-=-=-=-=-=-=-=-
0.........Intro
1..........System setup and overview on what needs to be done

2..........Package installation

3..........Wrapper configuration with virtual users and SSL
4..........Access control via virtual users and iptables and or pure-ftp

5..........Informative resources

-=-=-=-=-=-=-=-


1.System setup and overview on what needs to be done

-=-=-=-=-=-=-=-
We will be needing an Ubuntu server edition installation. Preferably with a firewall in place.
In this case I have a pile of users who need to use Dreamweaver to edit their web sites. They need to have their own logins, those logins need to be chrooted to their own directories, and the users have no earthly reason to have a system user account.
For security's sake I want them to have the option of using encryption (once we can get licenses for the newer version of Dreamweaver, which supports it). Lastly, I want these virtual users to have disk space quotas, so some idiot doesn't upload a ton of family pictures taken with a 10 megapixel camera at 20 MB apiece and cause the storage array to !#*& itself.

Pure-Ftpd can use arbitrary file paths for virtual user home directories. You can assign a local system user account and group for each virtual user or group of virtual users.

You can make a system user and group called webadmin who owns the "sites" folder under "/data/sites". All of the virtual users from a system standpoint are doing business as "webadmin". Pureftp does the job of doing access control and permissions on its end and keeping people in their home folders.
-=-=-=-=-=-=-=-
2.Package installation
-=-=-=-=-=-=-=-
Run the command:

apt-get install pure-ftpd
There is a GUI configuration tool but by default Ubuntu does not have a GUI so I leave that to you.

Once installed, the wrapper's configuration directory is /etc/pure-ftpd. It contains a structure like so:

root@stage:/etc/pure-ftpd# ls -al
total 32
drwxr-xr-x   5 root root  4096 2008-02-20 01:32 .
drwxr-xr-x 133 root root 12288 2008-02-20 01:32 ..
drwxr-xr-x   2 root root  4096 2008-02-20 01:32 auth
drwxr-xr-x   2 root root  4096 2008-02-20 01:32 conf
drwxr-xr-x   2 root root  4096 2007-06-21 19:01 db
-rw-r--r--   1 root root   230 2007-06-21 19:01 pureftpd-dir-aliases

Under auth/ you will find the following symlinks:
root@stage:/etc/pure-ftpd/auth# ls -alF
total 8
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 ./
drwxr-xr-x 5 root root 4096 2008-02-20 01:32 ../
lrwxrwxrwx 1 root root 26 2008-02-20 01:32 65unix -> ../conf/UnixAuthentication
lrwxrwxrwx 1 root root 25 2008-02-20 01:32 70pam -> ../conf/PAMAuthentication
Delete both of these and make a single symlink to "../conf/PureDB", so that the PureDB virtual user database is the only authentication method the wrapper enables:
root@stage:/etc/pure-ftpd/auth# rm 65unix 70pam
root@stage:/etc/pure-ftpd/auth# ln -s ../conf/PureDB
Go to the conf directory and edit the "PAMAuthentication" file to say NO instead of YES.
Add a new file called "ChrootEveryone" and edit it and add the word "YES". One thing to check before going further: the wrapper's conf/PureDB file has to contain the path of the binary database that pure-pw mkdb writes, so make sure the two agree.

Now let's make a user!
pure-pw useradd test -u webadmin -g webadmin -d /data/sites/localhost/ -N 25
pure-pw mkdb
Here -N is a 25 MB quota, -u and -g are the system user and group the virtual user maps to, and -d is the folder the user is chrooted into. The command "mkdb" compiles the text password file into the binary database the server actually reads; run it again after every useradd, usermod or userdel, or the change never takes effect.

Now that the chrooted ftpd environment is finished, we just need to configure the SSL option. It is possible to FORCE users to use FTP over SSL, but that's outside the scope of this article. First generate a self-signed certificate (from the pure-ftpd documentation, README.TLS):
mkdir -p /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:1024 \
    -keyout /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem
Two things the documentation's one-liner doesn't say: rsa:1024 was the default of the day and a 2048-bit key is the sensible minimum now, and openssl req -x509 issues a certificate valid for only 30 days unless you add -days N, after which clients will start complaining.
Then go into "/etc/pure-ftpd/conf" and edit the file named "TLS" to contain the number "1".
(0 disables encryption, 1 makes it optional and 2 makes it mandatory).

Now restart the service :
/etc/init.d/pure-ftpd restart

And login to your new ftp server!
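Here is the whole of sections 2 and 3 as one idempotent script, written for this article as an added example (it is not part of the pure-ftpd package or its documentation). It reproduces the Debian/Ubuntu wrapper layout described above: auth/ holds symlinks into conf/, and each file in conf/ becomes one flag for pure-ftpd. The PURE_FTPD_ETC variable is an assumption of the example so you can dry-run it against a scratch copy of the directory; the wrapper itself only reads /etc/pure-ftpd. The default database path written into conf/PureDB is also an assumption: compare it with what pure-pw mkdb reports on your box.

```shell
#!/bin/sh
# wrapper-setup.sh: the /etc/pure-ftpd changes from sections 2 and 3 as
# one idempotent script.  Added example for this article, not something
# the pure-ftpd package ships.  PURE_FTPD_ETC is an assumption that lets
# the script be dry-run against a scratch copy of the directory; the
# real wrapper only reads /etc/pure-ftpd.
set -eu
: "${PURE_FTPD_ETC:=/etc/pure-ftpd}"

# set_option NAME VALUE: pure-ftpd-wrapper turns every file in conf/
# into a command-line flag for pure-ftpd, so a setting is a file whose
# content is the value.
set_option() {
    mkdir -p "$PURE_FTPD_ETC/conf"
    printf '%s\n' "$2" > "$PURE_FTPD_ETC/conf/$1"
}

# use_puredb_only: auth/ is a run-parts style directory of symlinks into
# conf/ (65unix and 70pam on a fresh install).  Remove whatever is there
# and link PureDB alone, so the only credentials that work are the
# virtual users in the .pdb file.  PAM and Unix auth are also set to
# "no" in conf/, so a re-created link could not silently enable them.
use_puredb_only() {
    mkdir -p "$PURE_FTPD_ETC/auth"
    for link in "$PURE_FTPD_ETC"/auth/*; do
        if [ -e "$link" ] || [ -L "$link" ]; then rm -f "$link"; fi
    done
    # conf/PureDB must name the binary database pure-pw mkdb writes.
    # The path below is an assumption (the usual package default);
    # compare it with the output of pure-pw mkdb.
    [ -s "$PURE_FTPD_ETC/conf/PureDB" ] || set_option PureDB /etc/pure-ftpd/pureftpd.pdb
    ln -s ../conf/PureDB "$PURE_FTPD_ETC/auth/50puredb"   # number = try order
    set_option PAMAuthentication no
    set_option UnixAuthentication no
}

# auth_methods: list the conf/ settings auth/ currently points at, in
# the order the wrapper will try them.  This is the post-change check.
auth_methods() {
    for link in "$PURE_FTPD_ETC"/auth/*; do
        [ -L "$link" ] || continue
        basename "$(readlink "$link")"
    done
}

# configure_wrapper: the whole recipe: PureDB-only auth, everyone
# chrooted to their home, TLS offered but not required (1), and a
# refusal to proceed if anything other than PureDB is still enabled.
configure_wrapper() {
    use_puredb_only
    set_option ChrootEveryone yes
    set_option TLS 1
    if [ "$(auth_methods)" != PureDB ]; then
        echo "unexpected auth methods enabled: $(auth_methods)" >&2
        return 1
    fi
}

# make_cert: the self-signed certificate from README.TLS, with a 2048-bit
# key and an explicit lifetime (req -x509 defaults to 30 days).
make_cert() {
    mkdir -p /etc/ssl/private
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$(hostname -f)" \
        -keyout /etc/ssl/private/pure-ftpd.pem \
        -out /etc/ssl/private/pure-ftpd.pem
    chmod 600 /etc/ssl/private/pure-ftpd.pem
}

# Only touch the live directory when asked to.  After "apply", add users
# with pure-pw useradd ... && pure-pw mkdb and restart the service.
if [ "${1:-}" = apply ]; then
    configure_wrapper
    [ -s /etc/ssl/private/pure-ftpd.pem ] || make_cert
fi
```

Run it as sh wrapper-setup.sh apply on the server, then create users with pure-pw useradd and pure-pw mkdb and restart pure-ftpd as above. auth_methods is the check worth keeping around: if it ever prints anything besides PureDB, system accounts can log in over FTP again.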
-=-=-=-=-=-
4.Access control via virtual users and iptables and or pure-ftp
-=-=-=-=-=-
It pisses me off to read the logs and see all of the automated Interweb exploit scripted attacks. So here are some suggestions to keep the automated attacks down.

1. Hosts.deny doesn't work here. Use iptables filtering.
2. Grab a blackhole IP list (BBL) from http://www.unixhub.com/block.html.
3. Determine your scope of service. If your users only work within the continental United States, then blocking APNIC and the other non-local registry ranges in their entirety would be a good idea.

If you want to tie it down on a per-user basis, pure-pw can do that too:
pure-pw usermod testuser -r IP-ADDRESS-RANGE -R IP-ADDRESS-RANGE
pure-pw mkdb
where -r is the allowed client IP range(s) and -R the denied ones, in CIDR notation and comma-separated if there are several (example: -R 200.0.0.0/8 -r 192.168.0.0/16). As with any pure-pw change, nothing takes effect until pure-pw mkdb has rebuilt the database.

-=-=-=-=-=-
5.Informative resources
-=-=-=-=-=-
Barnes, Robert. "Bad IP addresses/Bob's Block List (BBL)", (Accessed Feb, 2008)
http://www.unixhub.com/block.html

Denis, Frank. "Pure ftpd", (Accessed Feb, 2008)
http://www.pureftpd.org
http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

Hornburg, Stefan (Racke). "Debian pure-ftpd-wrapper man page", (Accessed Feb, 2008)
http://www.penguin-soft.com/penguin/man/8/pure-ftpd-wrapper.html

2008-02-08

FART on Windows

No, I'm not asking you to unleash a batch of cheek-flapping flatulence upon Vista. Although I wouldn't mind if you did.

FART is an open-source Find And Replace Tool for the Windows command-line. It's much like a mash-up of grep and sed, and capable of easily converting text files from UNIX to Windows/DOS style newlines among other things.

Via HacksZine. Thanks, [Eric]

Surveillance with old CCTV Cameras

It seems that most of the time I go dumpster diving, I find a CCTV (Closed-Circuit Television) camera or two. Or three. I've picked up quite a few, and left many, many more to rot in the landfill. Some have worked well. Others haven't. We're going to have some fun with them. As more and more companies go high-tech with snazzy digital recording systems, you can often find older CCTV cameras on eBay and Craigslist for cheap. Or in dumpsters for free.

The Broken Ones

There are always broken ones. You can get them for cheap or free as mentioned above. Surf eBay for "Parts only" when looking at CCTV cameras and you'll find a suitable one. The easiest thing to do is to make it look like a real CCTV camera to give would-be bad guys the impression that they're being recorded. Be clear about what this buys you: it's deterrence only, it records nothing, and anyone who has already seen the same empty shell somewhere else won't be fooled. Still, making a fake camera out of one that used to work is a lot more convincing than this:



Compare that piece of crap to my finished product at the end of this section.

First, take the old, broken CCTV apart and gut it to make room for a battery and LED. See the following photos.







Then, drill a hole in the front plate for the LED.



For the next part, I taped a low-brightness 1.7 V red LED straight to a AA battery. Let's face it, this whole fake camera idea is pretty shifty. There's no point in putting a whole lot of finesse into it. The reason this works without a resistor is that a single AA cell sits at about 1.5 V, below the LED's forward voltage, so the LED runs dim and can't pull more than the 10 to 20 mA LEDs like this one are rated for; at that rate a plain old AA battery should keep it lit up for more than a week.



Then, tape the battery/LED down inside the chasm left in the camera and re-assemble it so that the LED sticks out.





It looks real because it IS REAL (well, it used to be!)


Hang it up somewhere and hook all the cables up. They don't have to be actually hooked up to anything on the other end, just tuck them into the ceiling or run them to a wall plate. No one could tell this isn't real by just looking.





The working ones
Although these cameras all have BNC connectors on the back, the signal they put out is typical composite NTSC -- The same thing most VCRs put out. You need a BNC-to-RCA adapter (shown left) and then an RCA video cable and a monitor to view it on. This can be an RFU-adapter hooked up to a TV, or in my case a portable DVD player with A/V inputs. You could just as easily get a video capture card or USB adapter to record the video straight to your hard drive if you felt so inclined.

First, hook up the RCA adapter, RCA cable, and power cables to the camera and mount it somewhere.

Then, hook the other end of the RCA cable up, and enjoy your working CCTV system!

2008-02-07

Exploiting Online Games

Kansas City native game hacker, tinkerer and developer Josh Kriegshauser discussed Greg Hoglund and Gary McGraw's book, Exploiting Online Games.  Josh is an old friend, former co-worker, and former classmate to various HiR writers.  He went from tinkering with Ultima Online while he was in school, to being a big name in the MMO industry in the last decade.  


I found Josh's discussion about the book interesting, and thought I'd share it here.  I'm definitely not a gamer in any sense of the word, but things like this interest me enough that I'm seriously considering picking up a copy.

UNIX tip of the day: More awk recipes

Awk, as we have mentioned before, is a ridiculously handy utility that often goes under-appreciated by systems administrators and UNIX geeks alike.

A few days ago, a colleague of mine told me about some complex awk magic that he'd implemented in order to acquire not only the matching line of an input stream (in this case, a log file), but the two lines prior to that matching line which contained some useful information as to what was going on. It was an elaborate solution that worked well, but I swooped in with a much simpler recipe to do the same thing. This prints the two lines prior to the matching expression as well as the line containing the expression. GNU grep can do the same thing with -B 2, but this way you can also format the lines if you know your awk-fu.

$ awk '/some-regex/{print two "\n" one "\n" $0};{two=one};{one=$0}' /some/file.log
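The same recipe generalised to any number of context lines, as an added example that is not from the original post. The two-variable trick above is really a sliding window of size two; keeping the previous lines in an array keyed by line number gives a window of any size, and it only prints lines that actually exist, so a match on line 1 is not preceded by two blank lines the way it is with the version above. The sample log lines are constructed for the example. Note that awk -v interprets backslash escapes, so a regex containing \. has to be passed as \\. when it comes in this way.

```shell
#!/bin/sh
# context_grep.sh: the "print N lines before the match" awk recipe,
# generalised to any N with a sliding window of the last N lines.
# Added example for this post, not from the original article.

# context_grep REGEX N [FILE...]
# For every line matching REGEX, print the N preceding lines (marked
# with "-" like grep -B) followed by the matching line (marked with ":"),
# each prefixed with its line number.  Only lines that exist are printed,
# so a match near the top of the file gets fewer context lines, not
# blank ones.
context_grep() {
    re=$1; n=$2; shift 2
    awk -v re="$re" -v n="$n" '
        $0 ~ re {
            # buf holds exactly the previous n lines, keyed by line number
            for (i = NR - n; i < NR; i++)
                if (i in buf) print i "-" buf[i]
            print NR ":" $0
        }
        { buf[NR] = $0; delete buf[NR - n] }   # slide the window forward
    ' "$@"
}

# Constructed sample log lines (not from the original post).
sample_log() {
    cat <<'EOF'
sshd[1212]: Connection from 10.0.0.5 port 51234
sshd[1212]: Failed password for root from 10.0.0.5 port 51234 ssh2
sshd[1212]: Failed password for root from 10.0.0.5 port 51234 ssh2
sshd[1212]: error: maximum authentication attempts exceeded for root
cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Example run: the two failed logins that led up to the lockout.
sample_log | context_grep 'maximum authentication' 2
```

With n=2 this prints lines 2 and 3 with a "-" and line 4 with a ":", which is the same output as the one-liner above but numbered. Two matches closer together than N lines will print the first match again as context for the second; grep -B merges those, this recipe does not.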

I actually keep a bunch of handy commands and UNIX tips written down. These are things that I know I won't need to use very frequently, but know I'll eventually need again.

I'll share some more awk magic with you from within its pages.

Get only the last field of a line that matches a regex:
$ awk '/some-regex/{print $NF}' /some/file

This works because NF contains the number of fields found in the line. $NF, then, contains the value of that last field. Just like $1 would contain the value of the first, if NF is 5, $NF would have the value of the 5th (and last) field. I love this one.

Example:
I'll set the field separator to a / and use awk to get only the last entry from the directory structure with find:

Raw find output:
$ find .
.
./.localized
./images
./images/apache_pb.gif
./images/gradient.jpg
./images/macosxlogo.png
./images/web_share.gif
./index.html


Now with awk:
$ find . | awk -F/ '/images/{print $NF}'
images
apache_pb.gif
gradient.jpg
macosxlogo.png
web_share.gif


If you're into AIX, a lot of the configuration files are in "Stanza" format. That is, a label, followed by a bunch of data and then a blank line between records. Awk can get just the one stanza you want from a stanza file. Example here is the /etc/security/user file on AIX, which tracks security profile information for every user on the system. The "default" stanza is an important one, as anything within it gets propagated to all users first, then any deviations from the default happen in the users' own stanzas:
# awk '/^default/,/^$/ {print}' /etc/security/user

Truth be told, stanza format and some of its variants are popular in other operating systems, but this particular awk recipe works best on AIX.

Have any awk-fu? Let's see some of your favorites. The comments are open!

2008-02-06

TrueCrypt 5.0 Released

TrueCrypt 5.0 , a Free, Open-Source On-the-fly encryption tool came out this week.

Highlights from the release notes:

  • Mac OS X Support (Tiger and Leopard on both Intel and PPC architectures)
  • Windows performance enhancements
  • Pre-boot authentication and system drive encryption for Windows
  • Enhancements to the Linux version
This tool is fast becoming a favorite among security professionals, privacy advocates and the paranoid.

2008-02-03

Sysadmin Sunday: Process Management

Managing processes in UNIX operating systems is a critical function. This goes beyond just killing runaway processes, though. This week in Sysadmin Sunday, we'll take a look at managing processes to make your life a little easier.

When you're in a shell, there are 3 kinds of processes: foreground, background, and stopped (sometimes called suspended). This is pretty straight-forward.

Shelling out of a running program

If you're in the middle of a really long-running program and don't want to or cannot switch consoles, you can normally shell out of that process with the (Ctrl-Z) key combination, which sends it a TSTP (terminal stop) signal. For example, encrypting a huge file with GNU Privacy Guard:

$ gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
(moments pass...)
^Z (Ctrl-Z)
[1]+ Stopped gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
$
Pressing (Ctrl-Z) gives you a shell but puts the running process in a stopped state. From there, you can run something else, such as vi. Just remember that the process that you escaped from is stopped and won't make any progress at this point. That also means it shouldn't display any output that might interrupt you if you decide to work on something else while that process is stopped. It's more "paused" than "stopped". Take note of the job ID [in brackets] of the stopped process. That will come in handy later on.

See what jobs your current shell has
I've taken the liberty of running and shelling out of vi as well for this example. Keep in mind that GPG is still sitting there doing nothing, too.

To see what's running in your current shell, use the jobs tool.
$ jobs
[1]- Stopped gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
[2]+ Stopped vi /etc/resolv.conf
Here, you can see both gpg and vi are stopped. Again, the job ID for each process shows up in brackets. The + shows which of the jobs is the most recent one you have dealt with and will be used as the default job later on. Next, the status of the job is shown, followed by the actual command-line (or as much of it as can be displayed if it's a particularly long command line).

Switching between processes
We take a lot of things for granted, like being able to tab between 20 different windows on a GUI terminal. Not to be a curmudgeonly olde-school sysadmin, but back in the day, we didn't have that luxury. A lot of my early interactions with UNIX were over a serial terminal or a dial-up connection. Virtual consoles were not common, so switching between jobs was just part of working with UNIX on a daily basis for many people.

To bring a stopped process to the foreground again, use the fg command. If you just type fg, it will bring back the most recent job, the one marked with a + when you run the jobs command. If you wish to bring back a specific job, use fg %2, replacing 2 with the job number you wish to bring to the foreground. You could have two different files open with two different instances of vi, for example, and use ^Z, jobs, and fg to switch between them. This, of course, can get confusing, so be careful when multi-tasking this way.
$ fg %2
(vi opens back up)

Background processes
For programs that you don't expect much output from (such as gpg) you can simply background the job. Instead of fg, you use the bg command. Again, bg %1 would work to background a specific job number. A background job is much like a stopped one, except it actually goes on about its business. If there is output, it will be written to your screen regardless of what you're doing. Otherwise, it will silently chug away out of sight. One caveat: a background job that tries to read from the terminal gets stopped again (jobs shows it as "Stopped (tty input)") until you bring it to the foreground, which is why this works for a gpg run that never prompts but not for anything interactive. When the process finishes, you'll be notified that it has completed. I'll background the gpg job to show how this works:
$ bg %1
[1]+ gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz &
$
[1]+ Done gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
$

Alternatively, if you want to run something that you know will take a while and you're certain you won't have to actually interact with it, you can launch it in the background by placing an ampersand (&) at the end of the command line. You'll immediately get the job ID and process ID, then you'll get your shell back. When it's done running, you'll be notified.
$ gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz &
[1] 1567
$
[1]+ Done gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
$

What if you log off with stuff still running?
It really boils down to what's running and how it handles signals. When your connection drops and the terminal goes away, the shell receives a HUP (HangUP) signal and passes it along to each of its jobs; bash will also do this when an interactive login shell exits if its huponexit option is set. That's the same signal as kill -1 or kill -HUP, and its default action is to terminate, so anything that doesn't explicitly ignore or handle it dies with your session. If you log off, there's a good chance that whatever you were running will stop.

If you really want things to stay running, however, there are a few viable options. The first is good if you know ahead of time that you may need to log off while something is still running: the nohup command. Put it before your usual command and background the job, either with an ampersand at the end or with (Ctrl-Z) and bg. nohup sets HUP to "ignored" before it starts your program, and an ignored signal stays ignored across exec, so the shell's hangup never reaches the child. This is great for huge software compiles or other time-consuming, non-interactive tasks. Furthermore, if the output would have gone to your terminal, nohup redirects it to a file (by default, nohup.out) so that you can go back and look at it later. This has the additional benefit of not barfing stuff all over your screen while you may be trying to get work done.

$ nohup nmap localhost&
[1] 1612
$ appending output to nohup.out
$ exit

At this point, you can log off the system and nmap will continue running. You can log in later to see the results of the nmap by checking the nohup.out file:
$ cat nohup.out

Starting Nmap 4.20 ( http://insecure.org ) at 2008-02-02 03:55 CST
Interesting ports on localhost (127.0.0.1):
Not shown: 1690 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
139/tcp open netbios-ssn
445/tcp open microsoft-ds
548/tcp open afpovertcp
631/tcp open ipp
3689/tcp open rendezvous

Nmap finished: 1 IP address (1 host up) scanned in 15.157 seconds

But what if you're in the middle of something that you didn't expect to take so long, for example, compiling Mozilla Firefox from source? You have to log off, but want it to keep running. You don't want to stop it, then restart it with nohup. Not all hope is lost. The second method is to tell the shell not to send the HUP signal to that job. The exact command is shell-specific: in bash, disown -h %1 marks job 1 so the shell skips it when it hands out HUPs (plain disown %1 drops the job from the table altogether, so jobs won't list it any more); zsh has the same disown builtin. Make sure only the things you want to remain running are properly backgrounded, then disown them and log off. Unlike the nohup command, output is not redirected, so you won't be able to see any of the output that happens while you're logged off, and a program that keeps writing to the vanished terminal can hit write errors; for things like software compiling or moving large amounts of data, this isn't much of a problem.
$ gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
^Z
[1]+ Stopped gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz
$ bg
[1]+ gpg -r ax0n@h-i-r.net --encrypt-file axon.home.tgz &
$ disown -h %1
$ exit

The process will finish normally.
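To see what nohup and the shell are actually doing, here is the hangup experiment as a shell script, an added example that is not part of the original post. nohup_like does by hand the two things nohup(1) does (ignore HUP, redirect output), and hup_outcome runs a child with and without that protection, sends it HUP a second in, and reports whether the child got its work done. The marker file and the two-second job are constructed for the experiment.

```shell
#!/bin/sh
# hup.sh: what nohup(1) actually does, done by hand, plus a small
# experiment that shows the difference.  Added example for this post,
# not from the original article.

# nohup_like LOGFILE CMD...: ignore SIGHUP, detach stdin, send all
# output to LOGFILE and run CMD in the background.  An ignored signal
# disposition survives exec, which is the whole trick nohup relies on.
nohup_like() {
    log=$1; shift
    ( trap '' HUP; exec "$@" ) </dev/null >>"$log" 2>&1 &
}

# hup_outcome immune|plain: start a child that needs two seconds to
# finish its job (writing "finished" to a marker file), send it SIGHUP
# after one second, then wait for it and report.  Returns 0 if the
# child completed its work, 1 if the hangup killed it first.
hup_outcome() {
    marker=$(mktemp)
    job='sleep 2; echo finished > "$1"'     # $1 is the marker path
    if [ "$1" = immune ]; then
        nohup_like "$marker.log" sh -c "$job" sh "$marker"
    else
        sh -c "$job" sh "$marker" </dev/null >/dev/null 2>&1 &
    fi
    pid=$!
    sleep 1
    kill -HUP "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true         # reap it; status 129 if HUP won
    result=$(cat "$marker")
    rm -f "$marker" "$marker.log"
    [ "$result" = finished ]
}

# Demonstration: prints "immune: completed" and "plain: killed".
for mode in immune plain; do
    if hup_outcome "$mode"; then
        echo "$mode: completed"
    else
        echo "$mode: killed"
    fi
done
```

Because an ignored disposition is inherited across exec, both the child sh and the sleep it runs ignore the HUP; in the plain run the sh dies at once and never reaches its echo. This is also why nohup has to wrap the command at launch time, and why disown (which only changes what the shell does with the signal) is the tool once the job is already running.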

There are other options that are more modern than using the jobs, bg, and fg commands. These are beyond the scope of this article, however my favorite among these options is the screen command, which gives you virtual consoles that persist even after you log out. Screen comes with many Linux distributions, but it's still a little-known utility except for the fairly hard-core command-line junkies. This allows you to leave things like text-mode IRC clients or other interactive programs running at all times, even if you're not actually logged in.

2008-02-02

Reader Poll: Should we Podcast?

We have the resources at our disposal to produce a podcast. Right now, it would probably be a monthly podcast show, perhaps half an hour to one hour long. We'd cover tech news, humor, system administration, information security, physical security, surveillance and who knows what else. Certain things can be conveyed in a spoken word format easier than in writing, plus podcasts can be downloaded and listened to when you have the time.

Chances are that the KC HiR crew will put together a podcast for March regardless of the poll results, just to get a feel for what all is involved. Leave comments if you have some ideas for what direction to take this thing. We value your opinions.

If you're reading this via RSS, you'll have to go to HiR Information Report to vote on the poll. It's in the upper-right corner.