Older blog entries for jfs (starting at number 8)

30 Jul 2002 (updated 30 Jul 2002 at 13:27 UTC)

Not too much to say, but I haven't written for a long time. Guess what, I got married June 29th (no online pictures currently, move along...). It has brought a lot of changes, but all for good (YMMV).

I did three interesting things in the same month: getting married, ascending, and submitting an entry to the Honeynet challenge (after all the work I didn't win though :( )

OTOH, I will hopefully get Internet access at home soon, and will probably be able to fix the huge number of bugs I currently have open (help is appreciated :)

I do have, however, an almost finished 3.0.1 release of Tiger which should fix a lot of Solaris issues (hopefully cleaning the code and making it easier to port and spot issues too). One of the reasons I'm testing it on a non-free platform is to check out how much easier it would be to port to other platforms (and hopefully document it soon). I promised the guys at LinuxSecurity an article about Tiger (which will hopefully also draw some attention to the new developments I included). I have only a draft written but I expect to have it finished by the end of the month...

If time permits I should also test the latest pre-release of Bastille (pre BETA 2.0) in Debian, but I haven't set up a proper environment to work in (and not mess up my environment). I'm looking at bochs and plex86 to do it (instead of using vmware). I learnt about (and tested) them while writing an article (in Spanish, not yet online, sorry) featuring emulators for Linux.

Funny, I just read mjcox's entry after writing mine and found out that he's working on trying to have a full CVE mapping of RedHat's advisories.

Just recently, on the debian-security mailing list, Phillip Hofmeister asked if there was some way to retrieve stats easily regarding security. Well, it's not easy IMHO, but I did so (manually) for Debian some time ago (in December last year) and answered this same question in a section of the Securing Debian Manual.

However, I have recently automated the way DSAs get published on the web (here) and there are automatic ways to link DSAs to many security databases. (It's all in the web source code at the security template, see a DSA sample here). It should be pretty easy to automate references now (but they have to be kept up to date).

There needs to be, in any case, a way to automatically link all the security databases like Bugtraq, CERT, CVE, ICAT. That's one of my pet projects, I will try to have an automated tool working Very Soon Now (tm)....

Been quite busy lately; hopefully, I am now back at the office after finishing an installation of a high availability active-active firewall cluster, along with DNS, LDAP services and load balancing. A cool project overall, although I loathe Solaris 2.6 and Solaris 8; they have cool things, but not for the power user.

Fortunately for free software :) they asked me to install two load balanced RADIUS servers with Linux. After studying different possibilities, since the main problem is that it needs to be LDAP-enabled, I have found FREERADIUS, based on Livingston's radius but with many more capabilities.

I am currently trying to get a nice Debian package built that would make installation easier. Since they are now going to beta stage, I have also offered them Debian's BTS. I intend to have them ready so that when they go beta (or even now, in alpha stage) Debian packages will be provided. So, I've cleaned up the (old) Debian subdirs which were related to cistron's radius... I'm very excited about this. This will be the first project in SGI that will allow me to put two hardened Debian GNU/Linux servers offering Radius and DNS services in an installation for a client (as a matter of fact, my first installation!)

Anyhow, I have investigated the HA options in Linux and I found the Linux-HA project, Legato Cluster, the tool I used is also ported to Linux, but not having VRRP brings out a lot of problems.

I will try to write an article (in Spanish) on HA soon, if I find a magazine that can publish it without having any problem with me publishing it also on the internet, on magazines like OpenResources and with a free license.

Working on LDAP for two days, first day waiting for a guy from Intel to do a demonstration on Shiva (not worth giving a URL, even if simple, since they just have a Solaris and NT version) Access Manager. I was quite fired up, because

  1. The guy was not prepared for the questions regarding LDAP integration we were going to ask him, although we sent them a week in advance. Moreover, it took me thirty minutes to see how to make it work and he was not even able to find it in the help.
  2. The versions are supposed to provide the same stuff but there is no documentation in the Solaris version, whereas the NT Console comes with many help files. I do not say that they have to port the Administration GUI (even if it would not be difficult) but for heaven's sake, give me the documentation to configure it by myself (i.e. without the GUI).

I was quite disappointed with commercial support.

Today I've been working with Netscape's LDAP, trying to build a new schema, I did not find a lot of documentation, until I looked at iplanet instead of NDS. The point is, I do not want to use the Java console for administration... just vi :)

I've had time to make a new package, or rather, adopt it. It seems that sac had not been updated in Debian, and I read in the wnpp that it was orphaned, so I took the latest version, updated it and sent it to the University's server in order to upload it to master today...

I've been to a Newlink group of conferences, and product presentations... nice to see that many are going to the appliances market (easy to install, configure, hardware boxes) and that some of them work with Linux. Even though the guy said it ran on Linux 2.0 and didn't know what to answer when I asked: is it based on any distribution or is it home-brewed? (BTW, it was Watchguard's Firebox.. small and red).

Nice to see too that Checkpoint has more throughput on Linux even if the guy from Nokia insisted that it was better with their own proprietary OS. They put Linux (Redhat 6.1) last in the table, Nokia first, NT and Sun in between, but Linux gave the best throughput of the lot. Anyway, I don't like comparisons that are done on different OSes and different hardware.

The technical guy from Aladdin, when talking about etoken (using bus cards for authentication), said they had developed PAMs for Linux and Solaris, as well as 2000, NT et al... although on their web page there is no mention of Linux systems... oh well.. I am checking which projects are there for USB cards; it seems that linux-usb.org might be worth checking, as well as linuxnet.com.

And after doing it I've found here that Aladdin's etoken is not supported (yet). I might be thinking of downloading the SDK and doing it myself but there's already someone working on one.. so we'll see...

Another day at work.... I have for the moment been able to post a new notice in barrapunto (Spanish version of slashdot) regarding Microsoft's latest and worst client vulnerability. If someone told you that NetBIOS and SMB were secure, you will think twice after reading Bugtraq and Network Security Focus announce. I tackled smbclient's sources, but was unable to properly code an exploit; alas, the Nsfocus team posted an exploit last Monday (which worked perfectly BTW).

I find it fun that I can work with Debian GNU/Linux 100% of the time and contribute with bug reports (for example xfig's strange, but at the same time understandable, behavior with WMaker, description here) and make new packages. I have just submitted to the upload queue:

  • libexpect-perl_1.08-1_all.deb
  • libio-stty-perl_0.02-1_all.deb
  • libio-tty-perl_0.04-1_i386.deb
  • libnet-snmp-perl_3.6-1_all.deb

Taken from CPAN, which I needed in order to make Vlad work. BTW there are a lot of CPAN packages, someone should try to check automatically which are not yet packaged in Debian.

I'm seriously thinking of joining Debian's security team, since I keep track of Bugtraq now (spend at least 1h a day reading advisories), they are overloaded, and I find it fun to play with the source in order to find a reasonable exploit... Another good thing about my work is that you need to learn a lot (I read yesterday an article on buffer overflow, written by mixter, boy was it good!)

I'm doing search within a project in order to define and develop access to an LDAP database. Didn't know much about LDAP up to last Friday :)

I'm impressed, however, by how easy OpenLDAP is to install vs. other commercial directories (Netscape's Directory Server) on Linux. The latter seems to have an installer compiled against *old* libraries and I can only get it to "core dump"; the former is installed nicely using debconf :)

Also, there are a number of useful open source projects:

  • Of course OpenLDAP.
  • gq: VERY nice gtk LDAP client (tried it against OpenLDAP, Netscape's Directory Server and Sun's)
  • Frood: a Gtk+Perl interface using Mozilla's Libperl
  • libnet-ldap-perl: easy to use Perl modules, not to be confused with
  • Mozilla::LDAP, which is another implementation using Netscape's C SDK.

Well... back to coding in Perl to test LDAP features...

Well, my box just crashed... not really (had to do a soft reboot) but I did not like those "kswap cannot free page..." messages (it was, more exactly, kernel: VM: do_try_to_free_pages failed for kswapd). I've checked and it seems to appear in many mailing lists; at least it comes up in a security announcement.

I have been able to do all my work without having to switch to M$ 2000. Navigator does fine for mail+web (I like its address book although I do not like it being stored in binary format...), and StarOffice does fine for all the documents they send me in doc and xls format.

For the rest of stuff, you guess: many gnome-terminals.

I have (finally) all the Debian binary CDs, but only 1 source yet. Maybe Debian should find a way to send source+binaries out (like when Linux Central sent it) when a release is done. That way I could do some contributing at work (and not lose that much time downloading+toasting it)

Strangely enough, I do not find some packages in the CDs I downloaded... oh well..

I have started checking LDAP for a project; I will see how many free implementations are out there. Curiously, when I checked for Radius stuff I saw that one of the most used has been made by Miquel (and I met him a while back :)

I have also had time today to start coordinating the translation of the CVS book in Lucas (the Spanish group of translators of GNU/LDP/FDL documentation).

This is one of the things that pisses me off... people starting work and then leaving it, as we say in Spain, "manga por hombro"; there's no record whatsoever of who volunteered in the project and how the chapters were given out.

Ironically, in the LuCAS CVS repository, only three chapters are available, not much info to start with, so I had to mail the full list in order to get some backup from people that might be working on chapters and are reading the list...

I'm not really sure what a diary entry is ... but I guess I could just put here what I can do in my spare time on free sw which now is, since I started working, less than I wanted.

I have just updated the security.debian.org Spanish page which was way out of date, just in time to read the thread on debian-www regarding the program I wrote about a year ago but which was not yet adopted.

It seems that neither Josip nor James understands the point of translation-check.wml since it might turn around the flow of information; the problem is they are not aware that translators do not always keep their senses and check their pages, they might be away... very busy....
