# Convert man pages to pdf
man2pdf()
{
m2pfile="/tmp/${1}-m2p.pdf"
if [ ! -s $m2pfile ]; then # is it there and > zero bytes 
     man -t "${1}" | ps2pdf - > "$m2pfile"
     fsize=`du -k $m2pfile | awk '{print $1}'`
     echo "Created PDF file in $m2pfile ($fsize KB)"
fi
}


It can trivially be extended to check for things like a $DISPLAY variable and pop up a viewer or request to print. The caching is admittedly crude, but works since /tmp is cleared out periodically. Output looks like:

[bvi@starburst ~]$ man2pdf ls
Created PDF file in /tmp/ls-m2p.pdf (20 KB)

Systems like this re-enforce my feelings that FreeBSD really is rock solid.
Yes the box probably needs patching and upgrading, but for what its doing acting as an appliance that shunts packets, that's nicely firewalled down with no local users its good enough for now.


The site provides rich graph and chart interfaces, which are nicely interactive.  There are definatley some ideas I want to incorporate form this into my own Network Telescope management console.  It is however worth bearing in mind that his is a Eurocentric view and is only based on their observed traffic. As such the “attacking countries” view seems to be a bit skewed.

Interoute World view 2009-06-30

After digging around with squid and wireshark, its evident that a lot of the data is actually served up as XML files, and as such can potentially be postprocessed. The Adobe AIR Barometer Widget they provide also makes use of these. One issue I had getting this installed is you need Air 1.5.1, and the 1.0.8 version I had wouldn’t auto upgrade correctly.  A little disappointing in that I was expecting a map view, it provides the basics of a total count and cycles through various country stats.

Interoute Barometer Widget

Where the real value  comes form is having another independent source of reporting ( even at the highly granular level) that can be used to correlate observations with my own data sets, and those available form places like dShield and ISC. Maybe I should dust off my old Infocon alert plugin for Firefox and integrate some of this data.

After some hunting, I narrowed the culprit down to the Nvida graphics drivers post version 169.39. Driver Release 175.16 was the first to show the issue, 175.19 made it worse.

My solution at the time roll back 169.19 and sacrifice some of the support for my CUDA enabled cards.  Last week I took the plunge and went for 178.13, which while resolving some other issues still broke the Remote desktop functionality.

The solution appears to be a tweek is needed in ones registry.

1. Start, Run, type regedit and press OK
2. Navigate to the Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
3. Right click in the Details pane and Select New –> DWORD Value
4. Name it  SessionImageSize
5. After it is created, double click on it and change its value to: 20 ( this is based on recommendations from here) and effectively maps to raising the session memory to 32 MB.
6. Save and Reboot

I tried this and no luck.  For my particular configuration SLI motherboards with Running 3 heads ofa 7600GT and 7300GS, I needed to raise the SessionImageSize value to 41 implying the use of 64MB of memory.  I’m not sure if this is due to the large amount of ram in the system ( 4gigs) or the particular use of two non SLI’d cards. the ‘default’ value of 20 seems to have solved the problem on my other Intel based system running a single  8500GT.

Microsoft take on the issue  is contained in KB886212 which proposes the solution of try another driver or rollback the driver.

Searching for “SessionImageSize” in the Microsoft knowledge base doesn’t seem to help either

Its worth nothign that the problem is occuring across different chipsets, Graphics cards, and on both SP2 and SP3 systems. The fix of increating the SessionImageSize to 0×41 seems to be working fine on a Windows Server 2003 (SP2) system as well.

My gut feel was that it was the disclaimer being inserted by an intermediary gateway ( one has to love corpmail).  Setting about proving this was the hard part.  The first issue at hand wa to actually extract the certificates so I could play with the verification.  Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on OpenSSL support for SMIME, which it has.  OpenSSL needs a full CA path for being able to verify SMIME signed messages. One can obtain this from various places ( such as exporting form your browser) but in a case like this where a private hierarchy was being used, its enough to just make used of a somewhat smaller subset contianing only the certificates used in this chain.  These can be extracted using Cert Viewer Plus. Alternately some command line magic can be used to extract the PKCS7 formatted embedded certificates out in standard PEM format., using the following command:

openssl smime -pk7out -in mail.txt | \
openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verify. The extract.crt below can be either from the openssl method above or the Cert Viewer plus PEM dump.
openssl smime -CAfile extract.crt -verify -in mail.txt
Now we actually have a more usable error message. Although I really don’t know why I have such a deep distrust in GUI apps for actually telling me what is wrong.
Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected the digest filed, which lead to a overall signature failure.  The next step was to see if removing the disclaimer worked.  Repeating on a slightly edited version of the the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was if the signature system was working correctly which it now was. The differences between the two mail files was checked using diff

diff -u mail.txt mail2.txt
--- mail.txt Mon Aug 25 18:06:33 2008
+++ mail2.txt Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
South Africa

-Important Notice: This email is subject to important restrictions, qualifications
and disclaimers ("the Disclaimer") ..that all was one very long line that made
up the corporate disclaimer.....
...
------=_NextPart_000_0048_01C906C7.DB6FB700
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"

From the above the only difference shown is that a mail gateway had added in a extra four lines of disclaimer and white space padding.  The question now evolves as to how to provide the now pretty much ubiquitous organizational disclaimer in outgoing mail in such a way that it doesn’t trash any cryptographic operations in which the mail is involved.  Ive gone back over mails from a  couple of other people in corporate South Africa that I know , and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separate MIME component, which is what interestingly one university here does ( although it insists on prepending its mime encapsulated HTML disclaimer, which makes for really ugly mail reading!)

The following a is a shorthand ticklist of the steps required.

1. sign up with cacert.org
2. On the thawte website make sure your notary details include the email address that you have used for the cacert.org signup.  This may involve just editing your details within the WOT console, and waiting for approval/verification, or having to do this and a ping to the mail address.  having the details verified can take 2-5 days, if the info is not already on your notary page.
3. Generate a certificate compatible for use with Internet Explorer.  This is the tricky part, as even Firefox 3 doesn’t support their client based authentication required by the tverify.cacert.org website  this should also be for the email address you are signed up to cacert.org with.
4. Go to the Thawte verification site (tverify.cacert.org), and choose the appropriate certificate to present to the server. make sure to use your IE browser witht he right client cert installed.
5. Fill in your email address, ( grants you 50 points since youare trusted within the Thawte WOT
6. Wait while a manual verification takes place.
7. Once email is received either notifying you of an error or noting you have succeded, either rinse and repeat, or proceed to the next step.
8. You are now ‘Assured’ but need to take the Assurer Challenge in order to prove your basic knowledge about the system, in oorder to be able to actually start Assuring people.  The link above also includes some background material one may need in order to attain the 80% mark required.

The Assurer Challenge is a relaly nice idea, and although anyone familiar with the concepts around the Thawte WOT system and general CA operations should have no problems witht he the majority of the 25 random questions, there are some which trelate closely to the CA specific rulings etc.

So now I have a full 150 assurance points since I was procesed by the Trusted Third Party (TTP ) system ( and it appears this is the maximum one can get as otherwise ones points are rounded down), as opposed to the 100 point maximum one gets for gathering points via the WOT method.

So now I’m able to embed my name in client certificates (50 points minimum), get server certificates for 2 years, and also get code signing bits on my certificates.

Installation was simple, with registration required in order to obtain two APi keys for use with the service. What interesting about this solution is that rather than just mutating words, a two phrase system is sued. One of the phrases is a known word, and th eother is a word that is taken form a ocr scan of the NYT or Internet Archive, ans has not been correctly identified by the ocr software. Thus there is a bit of community mindedness involved as well, as these words are interpreted. More on the gory details can be found here.

What does interest me tho is that this will not offer any protection from ‘pingback’ spam whihc is being submitted via the xmlrpc interface, but should still at another layer to the security onion.

Its also worth noting that Halvar Flake has stepped up and stated that hes found the bug as well ( so I assume He will be sharing the stage with Dan at Defcon)

Footnote:

While trawling through logs it was interesting to nitice that this post was noted in E-Securre-it and Team Cymru’s security news links links on the 24th of July 2008

Apache’s mod_rewrite seems to be the obvious candidate for making this as transparent as possible. In essence what needed to happen was incoming requests for:

"GET /blog/?flav=rss&category=Security HTTP/1.0" and
"GET /blog/?flav=rss HTTP/1.0" respectively need to be converted into:


http://lair.moria.org/blog/archives/category/security/feed

and

http://lair.moria.org/blog/feed respectively

This was achieved matching on the QUERY_STRING variable within apache. The real trick came trying to get the new URLS to appear clean. This proved to be more difficult than I expected. My initial rewrite rules resulted int he following:

"GET /blog/?flav=rss HTTP/1.0" 301 249 "
"GET /blog/feed/?flav=rss HTTP/1.0" 200 54274 ""

The agent was directed to the right url but it still looks ugly. Note the use of a HTTP/301 status code indicating permanently moved rather than a 302 which mod_redirect usually provides. The solution to the appending of the query string turned out to be to force my own null string onto the redirect. The Apache Wiki was where I finally found the right answer. so the way to remove a QUERY_STRING is to append a blank string “?” to the redirect .

The final setup in my .htaccess for WordPress looks as follows:

RewriteCond %{QUERY_STRING} ^flav=rss$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/feed? [R=301,L]
RewriteCond %{QUERY_STRING} ^flav=rss&(category)=Security$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/archives/category/security/feed? [R=301,L]
RewriteCond %{QUERY_STRING} ^flav=atom$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/feed/atom? [R=301,L]

Thankfully we have come a long way and now boast a healthy modern network with peering at GINX. Early last year saw the introduction of the first of our 1Mbit DSL lines form Internet Solutions, the first real boost of bandwidth available to the schools, and something worthwhile doing since the actual links to the schools had been upgraded.

Looking over some stats I pulled up the following two reports from LightSquid while not the most scientific they convey the massive growth in utilization for the schools. While these represent the larges of the schools in terms of usage, the grown is pretty similar for all members of the consortium.

The first image is from may last year:

The second was generated this morning showing a somewhat heavier utilization. It is worth noting that during this period, the schools link was upgraded from 384Kbit to over a Megabit.

I find it extremely gratifying to see these schools making such full use of the resources at hand!

The majority of the code is completely out dated, given these were based on the the then bleeding edge 4.3 branch. The only thing thats probably of value, is to sometime dust off the extensions we did to natd to provide an interactive console and the ability to reload rules without dumping its state table. Possibly post PhD.

I also found a link to a post made by Arri when he decommissioned them some four and a bit years later, with some impressive uptimes:

4.3-RELEASE-p28 FreeBSD 4.3-RELEASE-p28 #0
8:56AM up 1175 days, 14:25, 1 user, load averages: 0.01, 0.00, 0.00
4.3-RELEASE FreeBSD 4.3-RELEASE #3: Thu Aug 9 08:24:10 SAST 2001
8:55AM up 1353 days, 13:07, 1 user, load averages: 0.07, 0.03, 0.004.3-RELEASE FreeBSD 4.3-RELEASE #3: Thu Aug 9 08:24:10 SAST 2001
8:57AM up 1636 days, 12:16, 2 users, load averages: 0.01, 0.02, 0.00

BSD is great to work with! I see that the 2nd edition of Absolute FreeBSD is now finally available, and am eagerly awaiting for my copy to arrive.

For some time my Laptop and Desktop XP systems have been misbehaving, intermittently when going into hibernate, the desktop much more since it got its upgrade to 4 gigs of Ram. Symptoms include just going blank with heaps of hard disk activity and then just sitting with the HDD light flickering, or stating that there are insufficient resources available — despite heaps of free disk space on the system drive.The other evening I had ad enough and went on a hunt for a potential solution other than the “re-install windows” solution.

This was particularly irritating when the laptop failed to hibernate, and you get home to find a rather warm laptop bag. The other problem being in light of the joyous power cuts we have been experiencing, my UPS software is configured to hibernate on power fail rather than shut down something which wasn’t happening and the UPS batteries were ending up draining. After trying the logical solutions of enable/disable hibernate, defrag the drive, removing the hiberfile.sys, rinse repeat etc. with no tangible effect it was time to look elsewhere.

The solution

The solution was surprisingly simple once I got the right sequence of terms plugged into Google. Microsoft has published a hotfix (Microsoft KB 909095) for exactly this issue. Although billed as:

The computer occasionally does not hibernate and you receive an “Insufficient System Resources Exist to Complete the API” error message in Windows XP with Service Pack 2, in Windows XP Tablet PC Edition 2005, or in Windows XP Media Center Edition 2005

It installs fine on any XP SP2 system, as stated further down in the Microsoft page. With some trepidation I applied to my desktop fully expecting a warning or complaint – none occurred. A reboot later I had hibernate working perfectly again. The cause of the problem is :

To prepare the computer to hibernate, the Windows kernel power manager requires a block of contiguous memory. The size of this contiguous memory is proportional to the number of physical memory regions that the computer is using. A computer that uses lots of RAM is likely to use more physical memory regions when the computer prepares to hibernate. Therefore, a larger amount of contiguous memory is required to prepare the computer to hibernate.

Additionally, the number of physical memory regions varies according to the programs, services, and device drivers that the computer uses. Therefore, the hibernate feature occasionally fails.

What I found interesting is that both systems are up to date, and I’ve never been offered this in any of the Windows update sessions, despite the hotfix being available since August 2006!

Some issues specific to the Rhodes environment are noted at the end.

Get up to date:

aptitude update
aptitude upgrade
aptitude dist-upgrade

All fairly painless and out of the ordinary, bar the need to add the dapper-proposed repo to my /etc/apt/sources.list

Installing the requires base packages:

aptitude install update-manager-core

Before doing the upgrade I decided to set up the CDROM ISO as a local repository in order to save bandwidth whales etc.. (Having a system with real internet access, or a working apt-proxy may be a better solution). Once the Hardy DVD is available in a few weeks this may go a lot faster, as libraries such as QT and other components of main will be included in the larger image.

$ mount -t iso9660 -o loop ~bvi/ubuntu-8.04-server-i386.iso /cdrom
$ apt-cdrom add

This should show output similar tot he following as the CDROM is added tot he Repo list.

Using CD-ROM mount point /cdrom/
Unmounting CD-ROM
Waiting for disc...
Please insert a Disc in the drive and press enter
Mounting CD-ROM...
Identifying.. [b36baea778d37bbf48a3c8bd75b5cffb-2]
Scanning disc for index files..
Found 2 package indexes, 0 source indexes and 1 signatures
Found label 'Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)'
...


And should add a to the top of your /etc/apt/sources.list similar to the following:

deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted

Finally the update can be performed

do-release-update -p

The -p parameter is due to the fact that the LTS as defined at http://changelogs.ubuntu.com/meta-release-lts is still showing dapper as the LTS, and should be able to be omitted in the future. with the -p, the meta-release-lts.proposed file is used instead.

the bulk of the base operating system was happily upgraded form CDROM repo in a matter of minutes, and the remaining pile of mostly universe and multiverse packages took around an hour to download

3 hours and a reboot later and the server is happily running Hardy.

All in all its about the same time for doing a ‘buildworld dance’ with FreeBSD, along with a massive level of portupgrade.

Post Reboot

In order to validate the upgrade, we can make use of the Linux Standard Base support for Debian
utilities ( aka lsb_release)

We have gone from:

$ uname -a
Linux spy.ict.ru.ac.za 2.6.15-51-686 #1 SMP PREEMPT Tue Feb 12 16:59:15 UTC 2008 i686 GNU/Linux
$ lsb_release -a (output trimmed)
Distributor ID: Ubuntu
Description: Ubuntu 6.06.2 LTS
Release: 6.06
Codename: dapper

To:

$ uname -a
Linux spy.ict.ru.ac.za 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 8.04
Release: 8.04
Codename: hardy

In reflection, far less pain than I expected certainly not enough to make me want to employ a depenguinator on this server yet.

Rhodes Specific notes:

• Preferably use ubuntu.rucus.ru.ac.za as your repo unless you would like your quota flattened. Hopefully it will be up.
• ftp://ftp.rucus.ru.ac.za/pub/linux/ubuntu/hardy has the ISO files
• You will need appropriate proxy settings in order for the do-release-upgrade to be able to access the changelogs.ubuntu.com site.