Yet OpenSSL renegotiation not fully fixed

How the hell is it possible that, after so many months, the fix for OpenSSL renegotiation has still not been included in either Chrome (6.0.4) or Opera (10.61)? I haven’t tested other browsers, except Firefox, which has at least had the issue fixed for several months.

Get rid of ConsoleKit / D-Bus / HAL on a server

ConsoleKit spawns 35 threads on my system, which is a waste considering that I use at most 7 VTs, and it is downright useless on a server (you don’t need fast user switching there). D-Bus and HAL are not useful on a server either and consume resources for nothing. They are also daemons sitting there answering local requests, which on a headless box is attack surface with no purpose.

Unfortunately, they are pulled in by the default base installation, and other packages (e.g. the kernel and zypper) depend on them, so they cannot simply be uninstalled.

Here is a way to at least keep these services from starting at boot on openSUSE 11.2 (it might also work on 11.3).

First, ConsoleKit is no longer a standalone daemon in recent openSUSE versions: it is started along with dbus (stop dbus and you will see all the ConsoleKit threads magically vanish).

But simply removing dbus from the startup sequence doesn’t work, because of dependencies between services. On my system it complained like this:

# chkconfig dbus off
 insserv: Service dbus has to be enabled to start service bluez-coldplug
 insserv: Service dbus has to be enabled to start service network
 insserv: Service dbus has to be enabled to start service haldaemon
 insserv: Service dbus has to be enabled to start service earlyxdm
 insserv: exiting now!
 /sbin/insserv failed, exit code 1
 [1]    7954 exit 1     chkconfig dbus off

So, let’s remove the Bluetooth stuff first:

# zypper remove bluez

Then we deactivate the services that can’t be uninstalled:

# chkconfig earlyxdm off
# chkconfig network-remotefs off
# chkconfig haldaemon off

You will probably want to keep the network service on, otherwise your configuration scripts won’t be read any more. So instead we edit the dependency declaration of the startup script itself, /etc/init.d/network, where these lines appear in the LSB header:

# Required-Start:    $local_fs dbus
# Required-Stop:    $local_fs dbus

All we do is delete the word dbus, so that the header section looks like this:

### BEGIN INIT INFO
# Provides:        network
# Required-Start:    $local_fs
# Should-Start:        isdn openibd SuSEfirewall2_init
# Required-Stop:    $local_fs
# Should-Stop:        isdn openibd SuSEfirewall2_init
# Default-Start:    2 3 5
# Default-Stop:
# Short-Description:    Configure the localfs depending network interfaces
# Description:        Configure the localfs depending network interfaces
#                       and set up routing
### END INIT INFO

Now we are done and should be able to turn dbus off for good:

# chkconfig dbus off

Bingo! I didn’t measure memory precisely, but I believe I saved around 50 MB, which is always welcome on a small server.

I don’t know if it is the best way (I may have missed something), but I am pretty happy as it now works the way I wanted. Please let me know if you have a better tip.
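The manual edit above (deleting dbus from the Required-Start/Required-Stop lines) is easy to get wrong and easy to lose, so here is a small script that does it and checks it. This is an added example, not code from the original post: the function names, the temp-file handling and the sample header below are my own constructions (the header is modelled on the /etc/init.d/network header quoted above). It assumes a sed that understands -E (GNU or BSD) and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the one manual
# edit the post makes, dropping "dbus" from the Required-Start/Required-Stop
# lines of an LSB init-script header (the post edits /etc/init.d/network by
# hand). Only the "### BEGIN INIT INFO" ... "### END INIT INFO" block is
# touched; the script body, which may legitimately mention dbus, is left
# alone. Assumes a sed that understands -E (GNU or BSD) and mktemp.

# has_dbus_dep FILE: exit 0 if FILE's LSB header still lists dbus as a hard
# (Required-Start/Required-Stop) dependency, 1 otherwise.
has_dbus_dep() {
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$1" \
        | grep -Eq '^# Required-St(art|op):.*[[:space:]]dbus([[:space:]]|$)'
}

# drop_dbus_dep FILE: remove the dbus token from the Required-Start and
# Required-Stop header lines. The result is written to a temp file and then
# copied over FILE with cat, so the init script keeps its owner and mode
# (it must stay executable) and a failing sed leaves FILE untouched.
drop_dbus_dep() {
    file="$1"
    [ -f "$file" ] || { echo "drop_dbus_dep: no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed -E '/^### BEGIN INIT INFO/,/^### END INIT INFO/ {
        /^# Required-St(art|op):/ {
            s/[[:space:]]+dbus[[:space:]]+/ /g
            s/[[:space:]]+dbus$//
        }
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# write_sample_header FILE: write a constructed init script whose header is
# modelled on the /etc/init.d/network header quoted in the post (sample
# data for the demo, not a real file from the system).
write_sample_header() {
    cat > "$1" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:        network
# Required-Start:    $local_fs dbus
# Should-Start:        isdn openibd SuSEfirewall2_init
# Required-Stop:    $local_fs dbus
# Should-Stop:        isdn openibd SuSEfirewall2_init
# Default-Start:    2 3 5
# Default-Stop:
### END INIT INFO
# body: this mention of dbus must survive the edit
echo "dbus is only a word here"
EOF
}

# Demo on a throwaway copy; on a real system you would run
# drop_dbus_dep /etc/init.d/network (as root) and then chkconfig dbus off.
demo=$(mktemp)
write_sample_header "$demo"
if has_dbus_dep "$demo"; then echo "before: dbus is a hard dependency"; fi
drop_dbus_dep "$demo"
has_dbus_dep "$demo" || echo "after: dbus dependency removed"
sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$demo"
rm -f "$demo"
```

Two caveats worth keeping in mind: /etc/init.d/network belongs to a package, so a package update may put the dbus dependency back, and it is worth re-running has_dbus_dep (and chkconfig --list dbus) after updates; and chkconfig on openSUSE hands the work to insserv, which rebuilds the start order from these headers, so the edit has to be in place before chkconfig dbus off is run, as the post does.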

EMET: configure memory protection on Windows

Microsoft has published a nice tool named EMET (Enhanced Mitigation Experience Toolkit), whose purpose is to check and enforce memory protection policies such as ASLR and DEP.

It shows and lets you configure the system-wide settings, but also, and this is the most interesting part, indicates for each running process whether it opted into those protections. It can even enforce them for applications that do not support them natively (i.e. were not built with them enabled).

How to physically identify a software RAID disk member

What you need:

  • good hearing
  • smartmontools

Indeed, so far I haven’t found anything better than starting something that generates a lot of activity on that disk.

This command does just that:

% sudo smartctl -t short /dev/sda

The “short” self-test keeps the drive busy for a few minutes, giving you time to listen carefully and pick out the right disk.

Well, it sure is primitive! But do you know anything better?

By the way, there is a good article on the recovery procedure.
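The trick above works on one device name at a time; with several members it helps to read the member list from /proc/mdstat and run the self-test on each disk in turn, so the drive currently seeking is always the one you are listening for. The following is an added example, not code from the original post: the function names and the /proc/mdstat sample are constructed for the demo, and the smartctl part needs root and smartmontools on a real system.

```shell
#!/bin/sh
# Added example, not code from the original post: do the "make it seek and
# listen" trick for every member of a software RAID array in turn, instead
# of guessing a device name. The member list is parsed from /proc/mdstat,
# so you loop over exactly the right disks. Needs smartmontools and root
# for the smartctl part; the parser works on any file in /proc/mdstat format.

# md_member_disks MDSTAT ARRAY: print the whole-disk names backing ARRAY,
# one per line, sorted and de-duplicated. "sda1[0]" becomes "sda"; a faulty
# member "sdc2[2](F)" is listed too, since that is often the one you want.
md_member_disks() {
    awk -v array="$2" '
        $1 == array && $2 == ":" {
            for (i = 3; i <= NF; i++) {
                if ($i !~ /\[[0-9]+\]/) continue   # skip "active", "raid1", ...
                dev = $i
                sub(/\[.*$/, "", dev)              # drop "[slot]" and "(F)"
                sub(/[0-9]+$/, "", dev)            # sda1 -> sda
                print dev
            }
        }' "$1" | sort -u
}

# rattle_members ARRAY [SECONDS]: start a short SMART self-test on each member
# of ARRAY, waiting SECONDS (default 120) before moving to the next one, so
# the drive currently seeking is the one you are listening for.
rattle_members() {
    md_member_disks /proc/mdstat "$1" | while read -r disk; do
        printf 'short self-test on /dev/%s started, listen now (%ss)...\n' "$disk" "${2:-120}"
        smartctl -t short "/dev/$disk" > /dev/null
        sleep "${2:-120}"
    done
}

# Demo on a constructed /proc/mdstat (sample data, not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Personalities : [raid1] [raid5]
md0 : active raid1 sdb1[1] sda1[0]
      488383488 blocks [2/2] [UU]

md1 : active raid5 sdc2[2](F) sdd2[1] sde2[0]
      976766976 blocks level 5, 64k chunk, algorithm 2 [3/2] [_UU]

unused devices: <none>
EOF
echo "md0 members:"; md_member_disks "$sample" md0
echo "md1 members:"; md_member_disks "$sample" md1
rm -f "$sample"
# On the real box, as root: rattle_members md0 90
```

The parser strips the partition number so the self-test is addressed to the whole disk (smartctl wants /dev/sda, not /dev/sda1); if the array is built on whole disks the names pass through unchanged.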

Consider learning LISP

No, not the infamous programming language, but LISP as in Locator/Identifier Separation Protocol. (I know I am repeating the joke everyone makes, but I couldn’t help it.)

But what is it about? It is at first difficult to grasp, as we are all so used to IP addresses identifying both a host (or an organization) and its location. It is this way by design, because the Internet is built on a hierarchical routing model.

What I wrote below is just a rough summary of this article by David Meyer. See it as a memo or a short introduction if you don’t want to get deep into LISP. Otherwise, jump straight to the original article or to Packetlife, which gives some more links.

Now, why would we want to change it? Because with the dwindling supply of free IPv4 blocks, it has become very difficult for network providers to maintain contiguous blocks. So routing tables are bigger than they should be and poorly aggregated. Customers want multihoming and mobility, while providers want to limit the routing overhead: two different points of view which can’t both be satisfied with today’s hierarchical routing. BGP partially addresses some of these issues, but it has limits, and misconfigurations with deep impact (e.g. blackholes) happen regularly. Note that IPv6 is of no help here, since it keeps the same double role for the address.

But LISP tries, and in a nice way, as it is totally transparent to end users. Only the providers’ core networks are affected.

Basically, the customer’s IP header remains untouched in transit. With LISP, the customer IP address is only the identifier (what LISP calls the EID, endpoint identifier), no longer the locator.

LISP then adds a new outer IP header on routers configured by the provider. These routers, named ITR (Ingress Tunnel Router) and ETR (Egress Tunnel Router) according to the direction of the flow, encapsulate the packets in that outer header with their own address (the RLOC, routing locator) as source. A little bit like a proxy but at a lower level, their purpose is to route the packets on behalf of the customer.

In short, the role of an ITR is to find the appropriate ETR for the destination, so as to route the packet correctly. LISP comes with a mapping system used for the ETR lookup. The mapping is meant to be maintained “manually” by the provider (the overhead should be acceptable because we are in a core network, where topology changes don’t happen all the time). Once the ITR knows the location of the recipient, it sends the packet out with the ETR’s address as the outer destination IP; the ETR strips the outer header and delivers the original packet. The way back works just the same.

Between the ITR and the ETR there can of course be any number of different providers and routers that don’t support LISP, the routing itself being handled by classic routing protocols like BGP.

You should now see the beauty of LISP: if a customer moves with his IP block, for the provider it is just a matter of updating the location in the LISP mapping. There are also great features like load-balancing support in the multi-homing case. LISP appears efficient and straightforward, but it is not yet validated by the IETF. Keep an eye on this work in progress!

OpenID rants

After I tried to set up this blog as my own OpenID provider using the OpenID WordPress plugin, I got a weird error message:

“This is an OpenID Server, Nothing to See Here… Move Along”

I could not find what was wrong, as all prerequisites were fulfilled, until I found this nice post. The patch there works very well, thanks to the author (it is a shame that it hasn’t yet been included in the trunk).

This, and the lack of active open-source development around OpenID, seems to show that it is not really popular. It is a shame, because it is a pretty good answer to the multiplication of passwords. I wouldn’t want to use OpenID for my bank account, but it is just right for many sites, forums, etc. Unfortunately, not many sites are OpenID-enabled yet, and the choice when you want to become your own provider is very limited (most of the projects listed in the official wiki are dead, with no update in the last 2 years).

Netios 0.76

Netios 0.76 is out!

Complete changelog:

2010-07-13  (0.76) Jean-Christophe Baptiste <jc@phocean.net>

* fix prompt for enable issue
* fix issue with log directory
* add timeout option
* remove fail check for password mode (source of confusion and not so useful on second thought)

Check there for more details and a download link.

Books review

I just finished reading two electronic books I bought from O’Reilly. Here is a short review of them.

Hacking: the next generation

The purpose of this book is to give readers an overview of the most common attacks today. It covers all fields: social engineering, web attacks, networking, etc.
It was easy to read: the authors are straight to the point and their sentences are clear.

I especially appreciated their state of the art on XSS and CSRF attacks. It is certainly the best I have read so far, greatly illustrated with exciting, real case studies.

On the other hand, I quickly passed over the networking stuff (both wired and wireless). It was too basic and didn’t show anything new, though maybe that is because I specialize in those fields.

Anyway, overall, I strongly recommend this book. It is worth your money if you want to know more about web attacks or to get a good overview of modern threats.

Beautiful Security

This is a collection of essays by some of the best security experts and hackers.

Well, I won’t beat around the bush: I have been quite disappointed by this book. The whole lacks coherence, and after a while you start wondering what the book is trying to demonstrate. In the end, there is a cruel lack of connection between the essays, which makes the whole thing very confusing.

It also sometimes lacks technical references, and the writing style is too verbose, too literary, for a technical book to be attractive.

There are however some good essays, like the one about PGP (by Philip Zimmermann himself, no less). It is hard to find good and complete documentation on it, and this essay is definitely a good one, which I will probably read again when I feel the need.

But I wouldn’t recommend this book just for this short piece. Lack of cohesion, too much literature and not enough technical content actually bored me, though that’s just my personal taste.