Saturday, December 29, 2007

Security and technology

The nature of the attacks will be different: the targets, tactics and
results. Security is both a trade-off and an arms race, a balance between
attacker and defender, and changes in technology upset that balance.

- Bruce Schneier, Security in Ten Years


Friday, December 21, 2007

Windows Live Writer and Mail - Nice!

As you can see from my previous post, Live Writer seems to be working nicely with image posting. And I'm using the Windows Live Mail client here to access my Hotmail account (bah, a story to tell another day), my office account and my Gmail account. Works well. Not bad at all. Although there are some rough edges in the settings UI, I didn't expect this good a job from Microsoft. So I'm impressed. And in recent news, I read that IE8 can render the Acid2 smiley. (FF3 can't, I just checked.)

One of the things I read in the comments was a guy asking for a Bugzilla (not exactly Bugzilla, but an open bug tracking site) where people can file bugs, track them openly and search others' issues when they encounter something themselves. I feel that this is strongly needed. In fact I feel that any software company that has a developer community owes it to the developer community for all the business they get in return. Like Office, which is a Microsoft stronghold, the web is another Microsoft stronghold that sells lots of Windows and therefore gives them their strength in the market. They shouldn't forget the developers who are making it happen for them. Besides, it's in their own best interest.

Some good stuff coming from MS. Keep it up!


Picture test

Trying to see if I can insert a picture in my blog via Windows Live Writer.

Let's see if it can do the job.

Well. It seems to preview nicely in here.

Also, the shadow effect of the photo is nice. Seems to have chosen some good defaults. That's nice. And it seems to do good word wrapping too. Not bad. If only it works fine when I post.


Windows Live sucks

This service, they don't even call it beta, doesn't work most of the time. Anytime I try to sign in, it is unavailable. Redirections go dead, browser shows error page and dies. Real crappy for a big company like Microsoft. Our company does a much better job with such low resources than MS. I agree that it might be scalability problems, but wtf, call it beta, do limited beta, stop accepting registrations. But don't accept registration and make the user go to a dead page. That's sheer disrespect from an arrogant large corporation to the users.

I've been working on getting e-mails delivered to Hotmail from our corporate mail server. That's for another post. But preliminary investigation indicates that almost everyone is facing this problem. Seems like the bozos over there can't interpret SPF records. Having a valid SPF record makes your mail get junked, while not having an SPF record at all yields better results. Typical of Microsoft.


Sunday, August 19, 2007

Windows Live Writer... Let's see what's improved.

Hmm.. making this post via Windows Live Writer. It automatically detected this blog just by asking for the URL (which I gave as tech.vys.in)! I had to give my Google credentials to it, which I'm still not comfortable with.

One glitch: it said it can't upload the image. :( Same issue as last time, not fixed yet.


Sunday, August 05, 2007

Linux IPC and Limits

Note: the POSIX IPC API (shm_open, sem_open, mq_open) is cleaner and better designed than the System V one. Prefer the POSIX API if you know you will be running on a 2.6 or later kernel.

The System V IPC implementation on Linux covers shared memory, semaphores and message queues. The kernel imposes system-wide limits on each, and they are important to keep in mind when developing applications or services on Linux: the limits are shared by every process and every user on the box, so one misbehaving (or malicious) program can exhaust them for everyone else.


To know the limits use ipcs command. For example on my system:
[root@f7 ~]# ipcs -l

------ Shared Memory Limits --------
max number of segments = 4096
max seg size (kbytes) = 32768
max total shared memory (kbytes) = 8388608
min seg size (bytes) = 1

------ Semaphore Limits --------
max number of arrays = 128
max semaphores per array = 250
max semaphores system wide = 32000
max ops per semop call = 32
semaphore max value = 32767

------ Messages: Limits --------
max queues system wide = 16
max size of message (bytes) = 8192
default max size of queue (bytes) = 16384

Or via the sysctl interface (sysctl -a | grep kernel). Note the units differ from what ipcs prints: shmmax is in bytes and shmall is in pages (2097152 pages * 4 KB = 8388608 KB above), and the four fields of kernel.sem are SEMMSL, SEMMNS, SEMOPM and SEMMNI in that order:
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.shmmax = 33554432

kernel.sem = 250 32000 32 128

kernel.msgmni = 16
kernel.msgmax = 8192
kernel.msgmnb = 16384

The man pages svipc(7), shmget(2), semget(2) and msgget(2) explain these limits in more detail. The relevant entries:
  • MSGMNI - System wide maximum number of message queues: policy dependent (on Linux, this limit can be read and modified via /proc/sys/kernel/msgmni).
  • MSGMAX - Maximum size for a message text: 8192 bytes (on Linux, this limit can be read and modified via /proc/sys/kernel/msgmax).
  • MSGMNB - Default maximum size in bytes of a message queue: 16384 bytes (on Linux, this limit can be read and modified via /proc/sys/kernel/msgmnb). The superuser can increase the size of a message queue beyond MSGMNB by a msgctl() system call.
  • The implementation has no intrinsic limits for the system wide maximum number of message headers (MSGTQL) and for the system wide maximum size in bytes of the message pool (MSGPOOL).
  • SEMMNI - System wide maximum number of semaphore sets: policy dependent (on Linux, this limit can be read and modified via the fourth field of /proc/sys/kernel/sem).
  • SEMMSL - Maximum number of semaphores per semid: implementation dependent (on Linux, this limit can be read and modified via the first field of /proc/sys/kernel/sem).
  • SEMMNS - System wide maximum number of semaphores: policy dependent (on Linux, this limit can be read and modified via the second field of /proc/sys/kernel/sem). A value greater than SEMMSL * SEMMNI can never be reached, so setting one is pointless.
  • SHMALL - System wide maximum of shared memory pages (on Linux, this limit can be read and modified via /proc/sys/kernel/shmall).
  • SHMMAX - Maximum size in bytes for a shared memory segment: policy dependent (on Linux, this limit can be read and modified via /proc/sys/kernel/shmmax).
  • SHMMIN - Minimum size in bytes for a shared memory segment: implementation dependent (currently 1 byte, though PAGE_SIZE is the effective minimum size).
  • SHMMNI - System wide maximum number of shared memory segments: implementation dependent (currently 4096, was 128 before Linux 2.3.99; on Linux, this limit can be read and modified via /proc/sys/kernel/shmmni).
  • The implementation has no specific limits for the per process maximum number of shared memory segments (SHMSEG).
These numbers can be changed by writing to the corresponding /proc files, or with sysctl -w. To persist the settings across reboots, they have to be written to /etc/sysctl.conf. Two things worth remembering when you tune them: System V objects are not tied to a process, so a queue, segment or semaphore set left behind by a crashed program stays allocated (ipcs lists them, ipcrm removes them) and keeps counting against these limits; and on kernels with IPC namespaces each namespace gets its own copy of the limits, so a value you set on the host is not what a container sees.
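As an added example (not code from the original post): a small C program that reads the same limits from /proc, shows how the sysctl values map onto what ipcs -l prints, and then has the kernel enforce MSGMAX by sending an oversized message to a private queue, which it removes afterwards. The /proc paths and the field order of kernel.sem are taken from the man pages; the helper names are mine.

```c
/* Added example: interpret and probe System V IPC limits on Linux.
   Not part of the original post; helper names are illustrative. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <unistd.h>

/* Read one decimal value from a /proc/sys/kernel file; -1 if unreadable. */
static long read_proc_long(const char *path) {
    FILE *f = fopen(path, "r");
    long v = -1;
    if (f) {
        if (fscanf(f, "%ld", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

/* kernel.sem holds four fields in this order: SEMMSL SEMMNS SEMOPM SEMMNI.
   Returns the number of semaphores that can really exist system-wide:
   SEMMNS, capped at SEMMSL * SEMMNI (a larger SEMMNS is unreachable).
   Returns -1 if the line does not parse. */
static long effective_semmns(const char *sem_line) {
    long semmsl, semmns, semopm, semmni;
    if (sscanf(sem_line, "%ld %ld %ld %ld", &semmsl, &semmns, &semopm, &semmni) != 4)
        return -1;
    long cap = semmsl * semmni;
    return semmns < cap ? semmns : cap;
}

/* kernel.shmall counts pages; ipcs -l reports kilobytes. */
static long shmall_kbytes(long shmall_pages, long page_size) {
    return shmall_pages * (page_size / 1024);
}

/* Create a private queue, try to send a message one byte longer than MSGMAX,
   then remove the queue (System V objects outlive the process otherwise).
   Returns the errno from msgsnd (EINVAL expected), 0 if the kernel accepted
   the message, or -1 if the probe could not be set up (no /proc, no SysV IPC). */
static int probe_msgmax(void) {
    long msgmax = read_proc_long("/proc/sys/kernel/msgmax");
    if (msgmax < 0) return -1;
    int q = msgget(IPC_PRIVATE, IPC_CREAT | IPC_EXCL | 0600);
    if (q < 0) return -1;
    size_t len = (size_t)msgmax + 1;
    /* msgsnd wants a long mtype followed by the message text */
    long *buf = malloc(sizeof(long) + len);
    if (!buf) { msgctl(q, IPC_RMID, NULL); return -1; }
    buf[0] = 1;
    memset(buf + 1, 'A', len);
    int err = 0;
    if (msgsnd(q, buf, len, IPC_NOWAIT) < 0) err = errno;
    free(buf);
    msgctl(q, IPC_RMID, NULL);   /* always clean up, or the queue leaks */
    return err;
}

int main(void) {
    long page = sysconf(_SC_PAGESIZE);
    long shmall = read_proc_long("/proc/sys/kernel/shmall");
    char sem[64] = "";
    FILE *f = fopen("/proc/sys/kernel/sem", "r");
    if (f) {
        if (!fgets(sem, sizeof sem, f)) sem[0] = '\0';
        fclose(f);
    }
    sem[strcspn(sem, "\n")] = '\0';
    printf("kernel.shmall = %ld pages = %ld kB (what ipcs -l prints)\n",
           shmall, shmall_kbytes(shmall, page));
    printf("kernel.sem = %s -> reachable semaphores: %ld\n",
           sem[0] ? sem : "(unreadable)", effective_semmns(sem));
    int e = probe_msgmax();
    if (e == EINVAL)  printf("msgsnd over MSGMAX: EINVAL, limit enforced\n");
    else if (e == -1) printf("probe skipped: SysV message queues unavailable\n");
    else              printf("msgsnd over MSGMAX: unexpected result %d\n", e);
    return 0;
}
```

Build with `gcc -o ipclimits ipclimits.c` and run it as an ordinary user: the MSGMAX probe needs no privileges, which is exactly the point about these limits being shared. If a program is killed between msgget and msgctl(IPC_RMID), the queue stays behind; `ipcs -q` shows it and `ipcrm -q <id>` removes it.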

Sunday, May 27, 2007

putty+ssh tunnels

Amazing things are possible with this simple 190KB application called putty.

A simple SSH tunnel saves you a lot of trouble when accessing machines on a private network behind a gateway. Assuming you can ssh into a normal user account on the gateway, you can run a SOCKS v5 proxy on your own machine (plink's dynamic port forwarding, -D) so that other programs reach the private LAN through it.

TortoisePlink.exe -D <localaddr>:<localport> -l <user> -C -N -batch <gateway> > 1.log

The angle-bracket placeholders stand for your own values: -D makes plink listen on <localaddr>:<localport> as a SOCKS proxy, -l is the login name on the gateway, -C enables compression, -N opens no shell (the session exists only for the forwarding), and -batch disables all interactive prompts. With -batch the gateway's host key must already be in PuTTY's host key cache, otherwise the connection is abandoned instead of prompting, which is what you want from something started in the background.

Note: I use TortoisePlink as it goes to the background completely.

To ssh into machines on the private network, configure PuTTY to use the proxy configured above.
You can even tunnel your browser via this SOCKS v5 proxy. This can be a very useful feature if you are on an untrusted network, like wifi at an airport, and want to access a sensitive website via a known clean Internet connection. Two caveats: make the browser resolve names through the proxy as well (in Firefox, network.proxy.socks_remote_dns), otherwise your DNS queries still go out over the untrusted network; and the tunnel only protects traffic as far as the gateway, from there on it is whatever the website itself uses.

Sunday, March 04, 2007

DJBDNS in 2 minutes!

Here's how to set up djbdns in 2 minutes:

On a machine with a standard Linux installation like Fedora Core, run the following commands as root in a script with the proper arguments. The script fetches the tarballs over plain HTTP and builds them as root, so compare the downloads against checksums you trust before running it on anything that matters:


#!/bin/bash
# Usage: djbdns-setup.sh <this server's IP> <slave IP> <zone>
# $1 is this server's IP address
# $2 is the slave server's IP address to which you want to allow AXFR
# $3 is the domain (zone) for which you want to allow AXFR; several zones can be separated with '/'
set -e
if [ $# -ne 3 ]; then
    echo "usage: $0 <server-ip> <slave-ip> <zone>" >&2
    exit 1
fi

# All three packages are unpacked under /package, as their install instructions expect
mkdir -p /package
chmod 1755 /package
cd /package

# Installs daemontools-0.76
echo " Getting daemontools-0.76 from cr.yp.to "
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
tar -xzpf daemontools-0.76.tar.gz
rm -f daemontools-0.76.tar.gz
cd admin/daemontools-0.76
# -include errno.h works around the "extern int errno" build failure on modern glibc
echo gcc -O2 -include /usr/include/errno.h > src/conf-cc
echo " Starting compilation and installation "
package/install
cd /package

# Installs ucspi-tcp-0.88 (provides tcpserver, which axfrdns runs under)
echo " Getting ucspi-tcp-0.88 from cr.yp.to "
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
tar -xzf ucspi-tcp-0.88.tar.gz
rm -f ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
echo gcc -O2 -include /usr/include/errno.h > conf-cc
echo " Starting compilation and installation "
make
make setup check
cd /package

# Installs djbdns-1.05
echo " Getting djbdns-1.05 from cr.yp.to "
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
tar -xzf djbdns-1.05.tar.gz
rm -f djbdns-1.05.tar.gz
cd djbdns-1.05
echo gcc -O2 -include /usr/include/errno.h > conf-cc
echo " Starting compilation and installation "
make
make setup check
echo " Installations Done!"

echo " Configuring tinydns "
# Separate unprivileged accounts for the servers and for their loggers
useradd -r -s /sbin/nologin -l -M Gtinydns
useradd -r -s /sbin/nologin -l -M Gdnslog
tinydns-conf Gtinydns Gdnslog /etc/tinydns $1
ln -s /etc/tinydns /service; sleep 5; svstat /service/tinydns

echo " Configuring axfrdns"
useradd -r -s /sbin/nologin -M -l Gaxfrdns
axfrdns-conf Gaxfrdns Gdnslog /etc/axfrdns /etc/tinydns $1
# Default rule: answer TCP queries from anyone but allow no zone transfers;
# only $2 may transfer $3. tcpserver reads the compiled tcp.cdb, so rebuild it
# after every edit of tcp (the original script skipped this step).
echo ':allow,AXFR=""' > /etc/axfrdns/tcp
echo "$2:allow,AXFR=\"$3\"" >> /etc/axfrdns/tcp
(cd /etc/axfrdns && make)
ln -s /etc/axfrdns /service; sleep 5; svstat /service/axfrdns

echo " Checking process "
ps fo pid,ppid,rss,bsdstart,etime,euser,args p `pgrep "svscan|multilog|tinydns|readproc|supervise|tcpserver"`
echo " Checking listening ports "
netstat -natunee | grep ':53' || true
echo " Completed! "



At the end you should see output similar to this (tinydns runs as Gtinydns, the loggers as Gdnslog, and only supervise, tcpserver and svscan stay root):


Checking process
PID PPID RSS START ELAPSED EUSER COMMAND
5109 1 1080 07:55 42:41 root /bin/sh /command/svscanboot
5111 5109 356 07:55 42:41 root \_ svscan /service
6549 5111 308 07:56 41:51 root \_ supervise tinydns
7111 6549 300 08:00 37:23 Gtinydns \_ /usr/local/bin/tinydns
6551 5111 308 07:56 41:51 root \_ supervise log
6552 6551 308 07:56 41:51 Gdnslog \_ multilog t ./main
6564 5111 304 07:56 41:46 root \_ supervise axfrdns
7041 6564 316 08:00 37:58 root \_ tcpserver -vDRHl0 -x tcp.cdb -- 1.2.3.4 53 /usr/local/bin/axf
6566 5111 308 07:56 41:46 root \_ supervise log
6567 6566 312 07:56 41:46 Gdnslog \_ multilog t ./main
5112 5109 264 07:55 42:41 root \_ readproctitle service errors: .............................................
Checking listening ports
tcp 0 0 1.2.3.4:53 0.0.0.0:* LISTEN 0 7610089
udp 0 0 1.2.3.4:53 0.0.0.0:* 0 7610415


This indicates that your installation was successful. If there were any failures, let me know.

Voilà, your server is up and running. It's rock solid and easily handles a high query rate and a large number of records.

You can install a web interface like VegaDNS, which uses PHP/MySQL to add, remove and modify records. But I recommend learning how to edit the data file directly. It's very easy and quick to modify.
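As an added example (not from the original post): a minimal /etc/tinydns/root/data for one zone, using the record types you need most often. The zone name and addresses are placeholders; the line formats are tinydns-data's own.

```text
# /etc/tinydns/root/data  (added example; example.com, 1.2.3.4 and 5.6.7.8 are placeholders)
# .fqdn:ip:x:ttl        NS record for fqdn pointing at x.ns.fqdn, plus an A record for that name
.example.com:1.2.3.4:a:259200
.example.com:5.6.7.8:b:259200
# =fqdn:ip:ttl          A record plus the matching PTR
=www.example.com:1.2.3.4:86400
# +fqdn:ip:ttl          A record only, no PTR
+example.com:1.2.3.4:86400
# @fqdn:ip:x:dist:ttl   MX record; x is the mail host name (x.mx.fqdn unless x contains a dot)
@example.com:1.2.3.4:a:10:86400
# 'fqdn:s:ttl           TXT record (an SPF policy is just a TXT record here; escape ':' as \072)
'example.com:v=spf1 mx -all:3600
# Cfqdn:p:ttl           CNAME
Cftp.example.com:www.example.com.:86400
```

After editing, run make in /etc/tinydns/root: it compiles data into data.cdb and replaces the old file atomically, so tinydns never serves a half-written database, and the slave listed in /etc/axfrdns/tcp picks the change up on its next transfer.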