Schwer Log

Bloglines allows me to keep up to date on my blogroll from any where in the world, and no more overlap between disperate machines.

My public blogroll on Bloglines:

http://bloglines.com/public/augie/

Sometimes I want to view a GPG/PGP public key, but I don’t want to import it into my key ring, so here’s how to just view it:

gpg --with-fingerprint schwer.asc

Flickr

Flickr is a website for organizing, storing, and sharing your photos. You can find my photos here.

The flickr page says “beta”, but like so many things marked “beta” these days it is production code and quite good. Images can be separated into sets, tagged, made public or private, and commented on.

What I like best is that I can upload the photos and walk away, or organize them in a few clicks; the flickr software takes care of all the work for you.

Plogress.com

RSS feeds for your favorite politicians. Here are my Federal representatives:

Barbara Boxer
Dianne Feinstein
Lynn C. Woolsey

Wordpress Hashcash 2.2 – Elliott Back

Comment SPAM is a terrible blight on the blogging world (blogsphere), but WP-Hashcash totally eliminates comment SPAM.

A simple challenge is presented to a visitor’s browser using JavaScript (which most SPAM bots won’t be smart enough to have). Once the browser computes the hash correctly the comment is accepted otherwise the comment is denied.

I thought this was a far better idea than forcing users to type out letters in an image; which always seemed like a bit of a pain to me.

If you run WordPress, then go grab this plugin; it’s all in one file, unlike some other plugins which disperse themselves over several files.

Using BlogRolling’s PHP option on your PHP enabled weblog.

They have a nice bit of code that allows me to update the BlogRoll in just one place and have it update everywhere.

Know your Enemy: Tracking Botnets
“Honeypots are a well known technique for discovering the tools, tactics, and motives of attackers. In this paper we look at a special kind of threat: the individuals and organizations who run botnets. A botnet is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets we can observe the people who run botnets – a task that is difficult using other techniques. Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. In this paper we take a closer look at botnets, common attack techniques, and the individuals involved.”

An excellent paper from the German Honeynet Project group. My favorite quote from the whole paper is; Script kiddies apparently consider DDoS an appropriate solution to every social problem.

Full disclosure of T-Mobile flaw (Simple to fix never fixed)
“Late last year I was in contact with T-Mobile’s CSO because of a
major flaw in their voicemail platform. As of early February 2005, it was still vulnerable. Using my own custom PBX system I am able to dump into any of their voicemail boxes by *default*. ”

Jake has been warning those of us around him about this forthcoming exploit for months and it looks like he is finally ready to publish. Cheers to Jake; jeers to T-Mobile.

Project Honey Pot allows you to easily help fight SPAM by helping them collect data on spammers. Install a honey pot on your web site, or donate an MX entry if you can.

Regular Expression Library

Oh sweet nectar; a repository for your favorite regular expressions.

I have blogged about GeoURL before, but I finally added it back in since the move to WordPress; thanks to this GeoPlugin.

In the (new) “Buttons” section to the right you can see the new GeoURL button:

Which you can use to see which other bloggers are based near our location.

As noted on slashdot ([1] , [2]) earlier this week; famed cryptologist Bruce Schneier noted in his blog entry that the hashing algorithm SHA-1 had been successfully broken. While the new advances against SHA-1 are computationally feasible they are still quite difficult, however the general recommendation is that people move away from SHA-1 for digital signatures.

Moving away from SHA-1 for digital signatures when using GPG may take a little bit of work since SHA-1 is the default hashing algorithm for digital signatures.

First you will need to upgrade to GnuPG 1.4 if you have not already; this is because the previous versions of GPG lacked support for writing SHA256, SHA384, and SHA512. Unfortunately the package maintainers for many of the Linux distributions have not been keeping up, so finding a GPG 1.4 package may be difficult; even though the announcement for 1.4 states that 1.2 reached its end of life cycle last month. I recommend contacting your distributions GPG package maintainer, and giving them a friendly nudge to keep up to date.

Once you have upgraded you can pass the command line option (or put it in your ~/.gnupg/options file) –digest-algo sha256 (or sha384, or sha512) to sign your messages with the updated hashing algorithm. However if you are like me and chose the default key pair when generating your keys, then you have a DSA signing key and an ElGamal encryption key; which due to limitations in the DSA algorithm means that you will get this error when trying to sign with anything other than a 160 bit hashing algorithm (which SHA-1 is):

gpg: DSA requires the use of a 160 bit hash algorithm

The solution is to generate a subkey. Subkeys are extremely handy for just such a job; when generating a new key pair would mean losing all of the signatures you have worked so hard to gather, but you need a new encrypting (or in this case signing) key.

To generate a new subkey begin by editing your key (–edit-key ‘name’), then choose addkey, and finally choose RSA (sign only). That’s it; now you can use the newer SHAs.

One final note: Enigmail the GPG plugin for Thunderbird does not support SHA256 and above for PGP/MIME. The reasoning behind this decision can be found on this Enigmail mailing list thread.

DomainKeys is Yahoo!’s answer to fighting SPAM. Along the same lines as SPF; using Public Key Cryptography we can verify the authenticity of the message’s sender and that the message has not been alterted in transit; thus allowing us to build up a list of “good domains” and “bad domains”. So far it looks like Google’s Gmail is the only big name to implement DomainKeys yet; see the Slashdot article for more information.

Sender Policy Framwork (SPF) is an excellent protocol for eliminating SPAM. It works by eliminating the ability of spammers to lie about who they are. No longer would you receive email from a spammer claiming to be your bank. The beauty of it all is that once spammers can no longer pretend that they are sending email from known good domains, they will be forced to send from their own domains. At that point we can only accept email from known good domains, and be SPAM free.

The best part is that it is actually catching on; check out the early adopters list.

The Starbucks Barista Digital Italia Espresso Machine is a marvel of coffee technology … when it works. Unfortunately all this technology is easily thwarted when a small plastic tab on the inside of the door breaks. The system then thinks that the door is not closed (when it is) and no coffee is allowed to be made.

Below are the hacks implemented to make the beast function properly. Note though that I did not actually implement the hacks; I merely documented them.

That’s a butter knife stuck inside the door so that the close door sensor knows the door is actually closed.

The end of a broken plastic fork taped (with electrical tape mind you) to the end of the broken door tab.

The things humans will do for coffee.

Unfortunately many of the big media players have not made native Linux players or plugins for their popular formats (Windows Media, QuickTime); so just trying to be a normal person and watch movie trailers online through my browser is a bit of a hack. This is that hack.

This assumes you are using Mandrake Linux 10.0, but other Linux distributions should be similar. My Mandrake install already had MPlayer installed however I found that it did not work too well with QuickTime files, so I suggest downloading and installing from source; don’t be scared this will be painless.

First download the codecs; choose the one that says all. Extract and install its contents into /usr/local/lib/codecs.

Next download the MPlayer source code. Extract and configure like so:

./configure –enable-gui

If the configure script complains of anything you will need to fix it. Most likely you will be missing a library package; in my case it was libgtk+1.2-devel-1.2.10-38mdk, which after its installation was complete the configuration script ran without error.

Next make and install:
./make
./make install

With the last instruction being done as root. mplayer and gmplayer (the MPlayer GUI) will now be installed in /usr/local/bin.

I moved the old mplayer and gmplayer in /usr/bin/ to mplayer-rpm-save and gmplayer-rpm-save respectively. I then made symlinks from /usr/local/bin/ to /usr/bin/ like so:

ln -s /usr/local/bin/mplayer /usr/bin/mplayer
ln -s /usr/local/bin/gmplayer /usr/bin/gmplayer

Next you will need fonts and skins for the MPlayer GUI. Both can be had from here. Skins go into /usr/local/share/mplayer/Skins; one of which will need to be named default. Fonts go into /usr/local/share/mplayer/fonts.

Your next, and final, step to normalcy is to install mplayerplug-in. There is an older package for Mandrake, but because there are so few files in the package I found the Fedora Core 2 package from the download site worked just fine and gave me the latest version. Once installed you will need to do whatever it is you do to have the plugin loaded by your favorite browser. Because I install the FireFox tar-balls from Mozilla.org I did another symlink:

ln -s /usr/lib/mozilla/plugins/mplayerplug-in.so /usr/local/firefox/plugins/mplayerplug-in.so .

Now when I surf to QuickTime.com to view trailers everything works perfectly, and I feel a little bit more like a normal Internet surfer.

Sage is an RSS reader extension for FireFox. It makes keeping up on all those blogs very easy.

A Washington Post article reports that anyone providing email services to you is allowed to read your email:

Google Doodles are those ever changing banners that Google puts up on their website. Now meet the man behind all those Google Doodles.

See his Google Blog entry.

I was having a problem with my Dell Inspiron 2100’s touchpad after the upgrade to Mandrake 10.0; the touchpad worked fine when I used the 2.4 kernel, but failed to click using the 2.6 kernel. This site fixed all my problems:

http://kerneltrap.org/node/view/2199

I ended up just taking the easy way out and passing psmouse.proto=imps to the kernel via the boot loader.