Today I had occasion to test trivia’s page load times. I used the (admittedly fairly dated) website optimization test tool and was surprised to find that it reported that parts of the pages I tested were not compressed before delivery.
I have the default compression options set in my lighty configuration file as below:
compress.cache-dir = "/var/cache/lighttpd/compress/"
and the mod_compress server module is loaded, so I expected all the text, html and scripts loaded by my wordpress configuration to be compressed.
It turns out that in order for compression to work correctly in WordPress (or any other php based web delivery mechanism) with lighty you need to enable compression in php. In all the time I have been running trivia on my own server I hadn’t done this. The option that needs to be changed to correct this is to set:
zlib.output_compression = On
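As an added check (not part of the original post), the script below asks each URL for a gzip-encoded response and reports whether the server actually compressed it, which is how to confirm that the mod_compress plus zlib.output_compression combination now covers the PHP-generated page as well as the static assets. It assumes curl is installed; the URLs are placeholders for your own site.

```shell
#!/bin/sh
# Added example, not from the original post: ask each URL for a gzip response
# and report whether the server actually compressed it. Assumes curl is
# installed; the URLs are placeholders for your own site.

# is_compressed: read HTTP response headers on stdin; succeed (exit 0) only if
# the server declared a compressed Content-Encoding.
is_compressed() {
    tr -d '\r' | grep -Eqi '^content-encoding:[[:space:]]*(gzip|deflate|br)'
}

# fetch_headers: do a full GET (HEAD responses may be handled differently),
# discard the body and print only the headers, advertising gzip support.
fetch_headers() {
    curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip, deflate' "$1"
}

# check_url: print one status line per URL; returns 0 if compressed.
check_url() {
    if fetch_headers "$1" | is_compressed; then
        printf 'compressed      %s\n' "$1"
        return 0
    fi
    printf 'NOT compressed  %s\n' "$1"
    return 1
}

# Usage: pass the PHP-generated page plus a stylesheet and a script from the
# theme, e.g.
#   ./check_gzip.sh https://example.com/ https://example.com/wp-content/themes/x/style.css
for url in "$@"; do
    check_url "$url" || true
done
```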
What I think I might need to work on now is the number of scripts my theme and plugins load. Counterize in particular is beginning to feel a bit sluggish. Certainly the generation of traffic reports is now quite slow and mysql is chewing up a lot of CPU. I suspect that I may need to purge the database and start afresh in the new year – or find another nice traffic analysis tool.
That’s right, it’s my end of year round up! I am running the risk that nothing significant or amazing will happen to me in the next 24 hours, I know. I’ve trawled through tweets and blogs and reminded myself of the fantastic, crazy things that have happened this year. Here are just some of them, in no particular order.
There are some things I’ve done this year that have been really, really special. But I just can’t tell you about them. Sorry! They really were among the highlights of my year though.
I’ve got a feeling that 2014 will be very special too. Have a great new year….
Every Summer, I wish for a pair of sandals that are comfortable but have some style so that they can feel a bit smart as well as casual. And I’m rubbish at finding them – I don’t really like shoe-shopping at all, which doesn’t help. Enter MOHOP sandals.
I was browsing Kickstarter projects over Christmas and came across the MOHOP sandals project. Basically, you get a pair of sandal bases, some ribbon, and some design cards. You then thread the ribbons on the bases according to the design cards (or your imagination). The bases are flexible with wooden heels and are suitable for vegans and people with a range of other ethical shopping goals (inc, if you’re from the US, made in the US).
(Although the bases shown have high heels, they’re also available as flats or different heights of heel.)
They’ve apparently been going for some time (at mohop.com and on Etsy) but were struggling to meet demand. They’re taking the Kickstarter route to fund expanding their production capabilities (inc creating local jobs).
I think the sandals are a great idea. They’re fun to look at, comfy to wear (according to the reviews), and infinitely re-designable, which appeals to my crafty side. You can thread decorations on to the ribbon or replace the ribbons completely with strips of sari, shoelaces, or anything else that occurs to you.
At the moment, the cheapest pair is $45 for a pair of flats (though there are lower-cost ‘perks’ available if you just want to contribute without buying any shoes). I’ve gone for the $100 ones that have low heels. They’re looking for $50,000 of funding by the 25th January so that they can open their new production place. They’ve got some way to go yet so if you like the look of them, consider supporting this cool idea!
Here’s their video about manufacturing their shoes:
This week my small collection of sysadmin tools received a lot of attention; I've no idea what triggered it, but it ended up on the front-page of github as a "trending repository".
Otherwise I've recently spent some time "playing about" with some security stuff. My first recent report wasn't deemed worthy of a security update, but it was still a fun one. In the package description, rush is described as:
GNU Rush is a restricted shell designed for sites providing only limited access to resources for remote users. The main binary executable is configurable as a user login shell, intended for users that only are allowed remote login to the system at hand.
As the description says this is primarily intended for use by remote users, but if it is installed locally you can read "any file" on the local system.
How? Well the program is setuid(root) and allows you to specify an arbitrary configuration file as input. The very very first thing I tried to do with this program was feed it an invalid and unreadable-to-me configuration file.
Helpfully there is a debugging option you can add, --lint, to help you set up the software. Using it is as simple as:

shelob ~ $ rush --lint /etc/shadow
rush: Info: /etc/shadow:1: unknown statement: root:$6$zwJQWKVo$ofoV2xwfsff...Mxo/:15884:0:99999:7:::
rush: Info: /etc/shadow:2: unknown statement: daemon:*:15884:0:99999:7:::
rush: Info: /etc/shadow:3: unknown statement: bin:*:15884:0:99999:7:::
rush: Info: /etc/shadow:4: unknown statement: sys:*:15884:0:99999:7:::
..

The only mitigating factor here is that only the first token on the line is reported. In this case we've exposed /etc/shadow, which doesn't contain whitespace for the interesting users, so it's enough to start cracking those password hashes.
If you maintain a setuid binary you must be trying things like this.
If you maintain a setuid binary you must be confident in the codebase.
People will be happy to stress-test, audit, examine, and help you - just ask.
Simple security issues like this are frankly embarrassing.
Since my last post there have been a couple more entrants to the Tor logo competition. Neither, strictly speaking, meets the original requested criteria that they be suitable for inclusion in Tor Project team presentations, but each has its merits.
The first image below was posted by “David”. I think it captures rather nicely the feeling that Tor is an enabler for freedom in the face of oppressive, and aggressive, surveillance.
The second image was posted by “grarpamp”, who is clearly a FreeBSD fan. It is, I agree, somewhat controversial, and it got a mixed reception from list members, some of whom found it deeply offensive. Offensive it may be, but I think the image reflects the sort of antagonism engendered in the community by the reported actions of the NSA. Forgive me, but I found it amusing enough to want to post it here.
I think it would make a good T-shirt. But I cannot believe it will be used by anyone in the Tor Project team.
So, I may have forgotten to write a post yesterday. And I may have forgotten to remember to write one today. I am sure this will have caused much wailing and gnashing of teeth around the intertubes.
I finished my last task before Christmas earlier today, hand delivering a photobook and disc of images. It’s not always practical to be there as my lovely clients unwrap their goodies, but it’s lovely when I can be. Watching Ted and Hayley look through their photobook with their two very, very lively boys and remembering their wedding day from the summer was wonderful.
So it’s with a fairly clear conscience that I can put my feet up for a few days, enjoy the company of my family and friends, and wish you all a very merry and magical Christmas. And a new year full of hope and light and excitement.
As I have noted before, 24 December is trivia’s birthday. My first post dates from 24 December 2006 so trivia is seven years old today. As is now becoming traditional I therefore post again today. And as a reflection of the story which has come to dominate trivia over the latter half of this year I thought I would celebrate with an image created by “matt”, a poster to the tor-talk mailing list, in response to Roger Dingledine’s request for a new logo to be used in Tor project presentations to LEAs and agencies such as the NSA itself.
Roger had noted that:
Among the October leaked slides was one from (I assume) GCHQ saying that Tor is “Still the King of high secure, low latency Internet Anonymity” and that “There are no contenders for the throne in waiting”.
He went on to say:
I periodically find myself doing presentations for law enforcement and other government groups (like the NSA talk documented in the above slides).
This clearly calls for a goofy mashup of a crown and the Tor onion, so I can drive the point home in a memorable way.
Can somebody here mash them up in an attractive way?
The community, of course, responded appropriately and one or two nice pictures of the Tor onion logo wearing a crown appeared in response. Matt’s mashup is below:
Merry Christmas and a (safe, secure, and anonymous) happy new year to all.
Recently I've been relying a lot on Vagrant and vagrant-libvirt in particular for spinning up a variety of OSes for testing. One irritating habit I've developed is to check the IP of the VM each time it comes up if I need to view a website/app hosted on the VM itself and paste this into my browser, rather than using a DNS name.
Since libvirt runs dnsmasq by default for DHCP and DNS services inside NAT virtual networks, getting DNS working from the hypervisor (my desktop) is very easy. First ensure that the libvirt network has the domain name correctly configured - this was my hostname initially, but I changed it to example.com:

$ sudo virsh net-edit default
<network>
  <name>default</name>
  <uuid>f6f31c1d-0130-40e4-9cfc-80811021b46e</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:03:62:29'/>
  <domain name='example.com'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.128' end='192.168.122.254' />
    </dhcp>
  </ip>
</network>
Change the <domain> tag's name attribute, then virsh net-destroy default and virsh net-start default to restart and apply this change.
Next I updated the images and VMs I use in libvirt to send hostnames when making DHCP requests, ensuring that dnsmasq would associate the hostname with the DHCP lease. On Red Hat variants, set DHCP_HOSTNAME=yourhost.example.com in /etc/sysconfig/network-scripts/ifcfg-eth0 and run service network restart.
Provided the domain in the DHCP_HOSTNAME is the same as the domain set in libvirt's network (which is used to configure dnsmasq), the hostname will get updated and is shown in /var/lib/libvirt/dnsmasq/default.leases with the domain removed:

1387893215 52:54:00:15:d1:73 192.168.122.143 foreman *

If hostnames aren't shown, check syslog for messages such as this, which indicate a domain name mismatch:

Dec 24 12:32:46 cobalt dnsmasq-dhcp: Ignoring domain example.com for DHCP host name foreman

Lastly, I configure NetworkManager on my desktop to redirect queries for example.com to the dnsmasq instance serving the libvirt network. First I switch NetworkManager to run a dnsmasq instance of its own instead of pointing resolv.conf to external resolvers:

$ sudoedit /etc/NetworkManager/NetworkManager.conf
[main]
dns=dnsmasq

Then add a dnsmasq config snippet to send queries for example.com through to the dnsmasq instance bound to the gateway IP address of the libvirt network:

$ sudoedit /etc/NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf
server=/example.com/192.168.122.1
And now, from my desktop I'm able to bring up a VM and instantly query or use the foreman.example.com hostname to access it.
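The following is an added set of checks (not part of the original post) for the three pieces wired together above: the domain on the libvirt network, whether a guest's DHCP_HOSTNAME falls inside that domain, and which leases in dnsmasq's lease file actually carry a hostname. The lease lines are constructed samples in the format of default.leases; virsh and dig are only needed for the commented real-host usage.

```shell
#!/bin/sh
# Added example, not from the original post. Small checks for the three things
# the post wires together: the libvirt network's domain, the DHCP_HOSTNAME set
# inside each guest, and the hostnames recorded in dnsmasq's lease file.

# domain_from_xml: print the <domain name='...'> value from network XML on stdin.
domain_from_xml() {
    sed -n "s/.*<domain name='\([^']*\)'.*/\1/p"
}

# net_domain: same, for a live libvirt network (needs virsh).
net_domain() {
    virsh net-dumpxml "${1:-default}" | domain_from_xml
}

# hostname_domain_matches FQDN DOMAIN: true if the FQDN is inside DOMAIN, which
# is what dnsmasq requires before it will register the DHCP host name.
hostname_domain_matches() {
    case "$1" in
        *."$2") return 0 ;;
    esac
    return 1
}

# lease_hostnames: from lease lines on stdin (expiry mac ip hostname client-id),
# print "hostname ip" for each lease that carries a name.
lease_hostnames() {
    awk '$4 != "*" { print $4, $3 }'
}

# leases_missing_hostname: count leases recorded as "*", i.e. guests that sent
# no hostname or whose domain dnsmasq ignored, as in the syslog message above.
leases_missing_hostname() {
    awk '$4 == "*" { n++ } END { print n+0 }'
}

# Constructed sample in the format of /var/lib/libvirt/dnsmasq/default.leases.
SAMPLE_LEASES='1387893215 52:54:00:15:d1:73 192.168.122.143 foreman *
1387893300 52:54:00:aa:bb:cc 192.168.122.150 * *'

# Usage on a real host (commented out so the file runs without libvirt):
#   dom=$(net_domain default)
#   hostname_domain_matches "$(hostname -f)" "$dom" || echo "domain mismatch"
#   lease_hostnames < /var/lib/libvirt/dnsmasq/default.leases
#   dig +short @192.168.122.1 foreman."$dom"
```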
We recently bought two Dell SC1435 servers off eBay. They seemed cheap and quite well specced (dual 4 core CPUs, plenty of RAM for us) – perhaps ideal for redundant mail servers.
Anyway, they’re IPMI 2.0 compliant – meaning they should be controllable remotely (e.g serial console, forceful power cycling etc without the need for some sort of graphical KVM console or DRAC card.).
Here are some notes on setting up/configuring IPMI support and how it can be used:
IPMI usage examples: