Older blog entries for wardv (starting at number 29)

21 Jan 2004 (updated 4 Nov 2004 at 16:31 UTC)
Debian install CD

Rolling your own Debian (net) install CD is not difficult. If you ever need to install Debian on a machine that needs special drivers for some of its hardware (say, a RAID controller or a network card), you can make your own install CD with a custom kernel like this:

  • Start from David Kimdon's bf2.4-3.0.23-mini.iso image (2.4.18 rescue/boot set with base system; 37MB)
        mount -o loop bf2.4-3.0.23-mini.iso /cdrom
        mkdir /cd2; 
        cd /cd2
        (tar cvf - /cdrom/* /cdrom/.disk /cdrom/.xlp | tar xvf -)
        mv cdrom/* .
        mv cdrom/.disk .
        mv cdrom/.xlp .
        rmdir cdrom
  • in the 'boot' subdirectory you will find rescue.bin. This is a bootable floppy image. It contains the kernel + root file system (which will be loaded in ram).
        mount -o loop rescue.bin /floppy
  • replace config.gz with a gzipped copy of the .config of your custom, tweaked kernel
  • replace linux.bin with your arch/i386/boot/bzImage (make sure it is not too big - it needs to fit on the floppy image!)
  • replace sys_map.gz with a gzipped copy of your System.map
  • Edit the 'install.sh' file, and update the VERSION parameter on line 10 to reflect the version of your kernel
  • Also edit 'debian.txt', update the kernel version
  • Unmount the floppy image
        umount /floppy

  • The last step is to modify dists/woody/main/disks-i386/current/bf2.4/drivers.tgz. First extract that file:
        tar xzvf drivers.tgz
    The modules.tgz file needs to be replaced with a tgz archive of the /lib/modules/your-kernel directory. Make the archive:
        tar cvzf modules.tgz /lib/modules/your-kernel
    Then recreate the drivers.tgz file and remove the other files:
        rm drivers.tgz
        tar cvzf drivers.tgz install.sh modconf.tgz modcont modules.tgz pcmcia.tgz type.txt
        rm install.sh modconf.tgz modcont modules.tgz pcmcia.tgz type.txt
  • Time to make a new bootable el-torito image of the new boot cd:
        cd /
        mkisofs -r -b boot/rescue.bin -c boot.catalog -o debian-bf24-2424.iso /cd2/
  • burn it - don't be wasteful and use a CD-RW rather than a CD-R!
  • boot it, sit back and enjoy !
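The kernel swap above (replace linux.bin, config.gz and sys_map.gz, then update the version in install.sh and debian.txt), automated as an added Python script that is not part of the original entry. It checks that the new bzImage fits on the floppy image before writing anything, which is the caveat noted above, and assumes rescue.bin is loop-mounted at /floppy, that install.sh carries a line of the form VERSION=..., and that the kernel tree has the standard layout (the /usr/src/linux path in the usage note is an assumption).

```python
import gzip
import os
import re
import shutil

# Assumed form of the VERSION parameter on line 10 of install.sh (not verified against the image).
VERSION_RE = re.compile(r"^(VERSION=)(\S+)", re.M)

def kernel_fits(free_bytes, old_kernel_bytes, new_kernel_bytes):
    """The new bzImage overwrites linux.bin, so the old kernel's space counts as free."""
    return new_kernel_bytes <= free_bytes + old_kernel_bytes

def read_version(install_sh):
    """Current VERSION value from the install.sh text; raises if the line is missing."""
    m = VERSION_RE.search(install_sh)
    if not m:
        raise ValueError("no VERSION= line in install.sh")
    return m.group(2)

def set_version(install_sh, version):
    """Rewrite only the VERSION= line, leaving the rest of install.sh untouched."""
    return VERSION_RE.sub(lambda m: m.group(1) + version, install_sh, count=1)

def gzip_file(src, dst):
    with open(src, "rb") as fin, gzip.open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)

def swap_kernel(floppy, kernel_tree, version):
    """Put a custom kernel on the loop-mounted rescue.bin (floppy = its mount point,
    kernel_tree = the source tree it was built in). Returns the version it replaced."""
    bzimage = os.path.join(kernel_tree, "arch", "i386", "boot", "bzImage")
    linux_bin = os.path.join(floppy, "linux.bin")
    free = shutil.disk_usage(floppy).free
    # Check first: a bzImage that does not fit would leave a truncated, unbootable image.
    if not kernel_fits(free, os.path.getsize(linux_bin), os.path.getsize(bzimage)):
        raise RuntimeError("bzImage too large for the floppy image; trim the kernel config")
    gzip_file(os.path.join(kernel_tree, ".config"), os.path.join(floppy, "config.gz"))
    gzip_file(os.path.join(kernel_tree, "System.map"), os.path.join(floppy, "sys_map.gz"))
    shutil.copyfile(bzimage, linux_bin)
    install_sh = os.path.join(floppy, "install.sh")
    with open(install_sh) as f:
        text = f.read()
    old_version = read_version(text)
    with open(install_sh, "w") as f:
        f.write(set_version(text, version))
    debian_txt = os.path.join(floppy, "debian.txt")   # the version is mentioned here as well
    with open(debian_txt) as f:
        notes = f.read()
    with open(debian_txt, "w") as f:
        f.write(notes.replace(old_version, version))
    return old_version
```

Run it as root after `mount -o loop rescue.bin /floppy`, for example `swap_kernel("/floppy", "/usr/src/linux", "2.4.24")`, and unmount afterwards as in the steps above.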

    Remote Debian Install

    I needed to install Debian on a couple of HP BL20p's in a colocation facility thousands of km away. Enter the iLO (integrated Lights-Out) that these blade servers come with - complete with a remote console and 'virtual media'. Both are Java applets - and both work fine from a Debian workstation. The virtual media option allows mounting a floppy (image) or a CD-ROM from the machine running the web browser, which then shows up as a USB floppy/CD-ROM in the blade server. Brilliant concept, right?

    I couldn't get the virtual media to work with Firebird or Konqueror and my JVM 1.4.2. With the static Opera .debs from opera.com, it works fine - provided you run Opera as root in order to access your CD-ROM.

    The remote console worked in all browsers I tried.

    Doing a dual-floppy boot/root install from stock Woody install images doesn't work - the kernel on the boot disk doesn't recognize the floppy change. But with the bf2.4 iso image it worked fine - though I had to swap its kernel for a 2.4.24 with support for the SmartArray 5i controller and the Broadcom 5700 gigabit ethernet card.

    There's something amazing about doing an OS install from another continent...


    If you ever need to drive a truck through Boston, avoid Memorial Drive. It's got lots of height restrictions - not necessarily indicated before it is too late to take an alternative road. Trust me, backing up on Mem Drive is not fun. And as I found out afterwards, driving a truck there is apparently illegal - though in typical Bostonian fashion, that was not indicated in any clear way...

    9 Dec 2003 (updated 15 Apr 2004 at 16:05 UTC)

    This guy is unbelievable (warning: broken English ahead):


    I had no idea there are such Microsoft zealots.

    Check out this blog entry particularly about Microsoft's shared source initiative:


    This is my answer to that page:

    Do you _really_ believe all this? That is most scary. I mean, great software, great vision on software? Using standards?

    Microsoft abuses standards (XML, Java, HTML, ...) by taking them and changing them ever so slightly that things don't work unless you're on their proprietary operating system.

    Great software? Well, except for all the blue screens, the inexplicable hangs, and the hundreds of serious security problems every year.

    Great vision on software? Don't make me laugh - MS has no vision on software other than 'make more money'. Name one innovative software product that has originated from Redmond? Right; there aren't any - when other companies or people innovate, Microsoft imitates. When that is too hard it buys the competition.

    And this one made me laugh hardest: "The danger to create two systems on 'almost the same engine' which are completely incompatible".

    I'm so glad that this doesn't happen with Microsoft software because they control the source. I mean, imagine that you would be able to create an ordinary text document on MS Word XP and save it in the default file format, and then not be able to open it on, say, MS Word 97! That would be so bad.

    28 Mar 2003 (updated 28 Mar 2003 at 20:27 UTC)
    Warriors of the Net

    This is just quite cool. It's also educational, and large: an MPEG movie about the travel of packets on the 'net. It plays very well with MPlayer on Linux. Haven't tried any other players.

    An Atlas of Cyberspace

    If you want to know more about how this whole internet is linked up, have a look at The Atlas.

    Broken Music

    Or rather, broken CDs. There are many lists of crippled, handicapped, 'copy-protected' CDs out there, but this one, started by the renowned German c't magazine, seems just a little more thorough than the average one. Deutsche Gründlichkeit, I suppose. In German, of course, but that shouldn't scare you as long as you click on the 'Datenbank abfragen' link.

    Looking at this, it does feel good to boycott the music industry.


    OK, I got curious. I'm trying to figure out what software the 13 root DNS servers run. With this little shell script:

      for i in a b c d e f g h i j k l m; do
        echo $i.root-servers.net
        dig +short -c chaos -t txt version.bind @$i.ROOT-SERVERS.NET. \
          | grep -v "^;;" | grep -v "^$" | grep -v ";vers"
      done

    One can compile this list:

      a.root-servers.net "VGRS2"
      b.root-servers.net "8.2.5-REL"
      c.root-servers.net "8.3.3-REL"
      d.root-servers.net "8.3.1-REL"
      e.root-servers.net "8.3.3-REL"
      f.root-servers.net "9.2.2rc1"
      h.root-servers.net "8.3.4-REL" / "9.2.2" (try a couple of runs of the script)
      i.root-servers.net "8.2.3-REL"
      j.root-servers.net "VGRS2"
      l.root-servers.net "BIND-8.3.1-MA-PATCH-JMB-01"
      m.root-servers.net "8.3.4-REL"

    Given that we know that K switched to NSD, we can ask it:

      dig +short -c chaos -t txt version.server @k.root-servers.net
    and see:
    That leaves us with one mysterious server, G.

    A and J are the Verisign servers, and according to this article they may actually be running the proprietary ATLAS software Verisign developed (why is beyond me given djbdns exists, but hey they are a Big Corporation TM). However, I'm not convinced they actually are.

    I used the (crude) dns fingerprinting tool available at darklab.org to look at the size of the packet returned after a query for and 'localhost'. This is what I saw:

    Server / version                first query  'localhost'
    A  VGRS2                            104         102
    B  8.2.5                    ->      111         102
    C  8.3.3                            104         102
    D  8.3.1                            104         102
    E  8.3.3                            104         102
    F  9.2.2rc1                         104         102
    G  ?????                            104         102
    H  8.3.4                            104         102
    H  9.2.2                            104         102
    I  8.2.3                            104         102
    J  VGRS2                    ->      256         102
    K  NSD-1.0.2                        104         102
    L  8.3.1-MA-PATCH-JMB-01            104         102
    M  8.3.4                            104         102
    Using Ethereal to capture the responses, I looked at the result for the query about only (since all the 'localhost' responses have the same size, and the couple I checked said NXDOMAIN). Here is what I found:
    • All servers except B respond with NXDOMAIN, and point to A as authoritative.
    • B kindly tells us that is LOCALHOST, which explains the slightly larger packet it returns. (Dig confirms this with dig @b.root-servers.net PTR
    • J also responds with NXDOMAIN, but returns all root servers except itself as list of authoritative nameservers (!)
    • K returns the authoritative information entirely in lowercase, all other servers respond entirely in uppercase. Potentially a way to distinguish NSD from BIND?

    Given all this, my suspicion is that A and G are running BIND 8.x or 9.x. J, however, puzzles me. Maybe it is running that proprietary Verisign software. Maybe just some version of BIND. I guess I need better tools/more time to figure that out.

    That is as far as I got. Any insights welcome :) And if you have pointers to better DNS fingerprinting software, I'd be grateful.
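Added example, not from the original entry: the version.bind exchange that the script above drives through dig, in wire format, together with the case check from the last bullet (authority-section names in lowercase versus uppercase), as a small Python parser. It is the kind of thing an operator can run against their own name servers to see exactly what a version query reveals. The sample replies are constructed here, not captured from the root servers; the record layout follows RFC 1035.

```python
import struct
TYPE_NS, TYPE_TXT, CLASS_IN, CLASS_CH = 2, 16, 1, 3

def encode_name(name):                              # dotted name -> length-prefixed labels
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_version_query(txid=0x1234, qname="version.bind"):
    """The CHAOS-class TXT query that `dig -c chaos -t txt version.bind` sends (RD set)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname)
            + struct.pack("!HH", TYPE_TXT, CLASS_CH))

def read_name(msg, off, depth=0):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail = read_name(msg, ptr, depth + 1)[0]
            return ".".join(lab for lab in labels + [tail] if lab), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), off + 1

def parse_response(msg):
    """Return rcode, TXT strings and authority NS names with their case preserved."""
    txid, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off, txt, authority = 12, [], []
    for _ in range(qd):                             # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns):                        # answer + authority sections
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT:                       # rdata: <len><chars> repeated
            p = off
            while p < off + rdlen:
                txt.append(msg[p + 1:p + 1 + msg[p]].decode("ascii"))
                p += 1 + msg[p]
        elif rtype == TYPE_NS:
            authority.append(read_name(msg, off)[0])
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "txt": txt, "authority": authority,
            "lowercase": bool(authority) and all(n == n.lower() for n in authority)}

def build_version_reply(version, txid=0x1234):    # constructed BIND-style answer, not captured
    rdata = bytes([len(version)]) + version.encode("ascii")
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + build_version_query(txid)[12:] + rr
def build_referral(ns_name, txid=0x1234):         # constructed NXDOMAIN referral, not captured
    q = encode_name("example.invalid") + struct.pack("!HH", 1, CLASS_IN)
    rdata = encode_name(ns_name)
    rr = b"\x00" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 1, 0) + q + rr
```

To use it against a live server, send the bytes from build_version_query() over UDP port 53 and feed the reply to parse_response(); a server that should not reveal its version will return an empty txt list or a non-zero rcode.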


    Last entry of the year! It's been a busy month, December, with an exam, lots of travelling, and a paper to write. I've been in the US for a couple of weeks, we were visiting my girlfriends' family. It was nice - and I even got to work some on my paper about the copyright legislation and its influence on innovation. I'm not quite finished yet, though.


    I've just posted an Advogato Article, my first one :) It's about the Last Call Working Draft of the W3C Royalty-Free Patent Policy, for which the deadline for comments is tonight. Have a read and comment if you can...

    18 Dec 2002 (updated 18 Dec 2002 at 05:27 UTC)

    Shudder. I helped my girlfriend's parents get a new machine, and it came with XP - no way around it. I wanted them to get an iMac, but they really wanted a PC...

    The coolest part of this computer is no doubt the screen. It's a Samsung SyncMaster 171v, a 17" viewable LCD, and it's amazing. Crisp image, giant screen surface, 1280x1024, contrast ratio 400:1. And only $400, too (after $150 mail-in rebate)!

    So my first real experience with XP (yes, I had been lucky so far :) Their machine has a P4 2.4GHz, 512MB RAM, and a 60GB 7200rpm hdd. You would expect it to fly. Well, not really. XP is slow. I'm currently looking at a tweaking guide, maybe that will help.

    What blew me away, though, was when I selected 'Windows update', giving me no less than 26 'Critical updates and service packs', and another 20 or so less critical fixes. Wasn't XP supposed to be Redmond's safest OS ever? Yeah, right.

    What a piece of crap.

    27 Nov 2002 (updated 27 Nov 2002 at 00:06 UTC)

    OK, I need to rectify something here. I wrote yesterday that I was not aware of any coordinated action in Belgium against the crazy laws the WIPO is trying to make us swallow.

    That is not entirely correct, I had forgotten about the AEL, as Liam R. E. Quin, Joao Miguel Neves and MJ Ray helpfully pointed out. Thanks, guys, much appreciated!

    Time to start doing things - as far as that is possible from the UK.

    25 Nov 2002 (updated 25 Nov 2002 at 20:56 UTC)

    I just finished listening to/watching the Flash version of Lawrence Lessig's 'free culture' talk. 31 minutes, HIGHLY recommended - and a transcript and MP3 (should really be Ogg/Vorbis) version are available.

    One of his main questions to the audience (OSCON 2002) is 'What have you done?'. A very, very good question. I think the Campaign for digital rights is doing good work here in the UK. In Belgium, my home country, I'm ashamed to say that there is no coordinated action regarding this nonsense. So what am I doing? I'm going to try summing up here, not necessarily in order of importance.

    First of all, I'm a member of EFF.

    Secondly, when I write software, I GPL it.

    Thirdly, after a happy couple of years working, I am now doing a masters in public policy. I am focussing my attention on intellectual property and its threats to innovation, freedom and democracy (amongst a few other things). As much as I prefer just writing code and being a unix sysadmin, I feel we need more people who understand the issues at stake (that's people like us) stepping from behind the screens, and more actively trying to influence the debate. I have to write a dissertation next summer - guess what that will be about.

    The last thing I do is talk about intellectual property and its effects to people I know. Friends, family, classmates, etc. My girlfriend calls me a 'computer activist' - something she says she didn't know existed until she met me.

    I've also written a few articles about the issue for a now defunct Belgian computer magazine (corporate.net).

    All of this is something, but not enough. I want to do more - time permitting of course. Maybe more precisely, I want to be more effective. I would like to hear and learn from you what you are doing! E-mail me...

    7 Sep 2002 (updated 8 Sep 2002 at 21:07 UTC)

    So now the IPSec tunnel I've been working on finally works. In the end we ditched the Symantec Firewall/VPN appliance 200, got a Cisco 1710, and it worked at once.

    Frustrating. I am not happy with these Symantec things. They are really OEMs of a company called Nexland, and I suspect they are built on FreeSWAN - the log entries are identical, so...

    But try to connect them to a Checkpoint FW/1 NG on the other side, and you can't even get the IKE negotiation to work properly. Connect them to a Cisco on the other side, and all seems to work (pinging through the tunnel works fine, etc), until you send some larger HTTP packets, at which point the Symantec doesn't encrypt them properly anymore, the Cisco logs lots of errors when trying to decrypt them, and you get serious packet loss. Tunnel unusable. Symantec posted a firmware update for the thing on August 26th, which has lots of bugfixes for things that sound rather serious. Even one to do with large packets. But it didn't fix this problem.

    If this had been a GNU/Linux box with FreeSWAN, I wouldn't have lost as much time, I think. Hmmmm. I'll think twice before considering using these yellow boxes ever again.


    I must say I've refreshed my knowledge about Cisco a bit with all this IPSec stuff. One of the more curious things I found out is that Ciscos work with standard PC RAM. Or at least the (old-ish) 3620 that I was using works just fine with old 'Compaq' 72 pin RAM. Interesting.


    I'm leaving coming Monday, to spend some days in Oxford/London, and then move to Brighton with my alter ega. Can't wait! That same day I have an interview at the university - still looking at that MSc in Science and Technology Policy (STP). I hope I'll be accepted - if not I'll have to find something else to do!

    1 million dollars

    Someone donated 1 million dollars to Duke University to fight abusive copyrights. Now that's good news. The person is 'anonymous' - but if you add 1 and 1... Where is Duke University? Durham, North Carolina. Where is RedHat? Right, Raleigh, North Carolina. That's really close. Well maybe it is a coincidence...


    Our good friends in Redmond are mystified about a mysterious wave of successful break-in attempts on Windows machines of all kinds that do not appear to be the result of a worm or virus. Backdoor, anyone?

    26 Aug 2002 (updated 26 Aug 2002 at 22:51 UTC)

    So I've been playing with IPSec lately. More specifically with a Symantec Firewall/VPN appliance 200.

    The good
    It boots blazingly fast (3 seconds).
    It has a nice web interface.
    I suspect it's built on Freeswan.

    The bad
    It doesn't interoperate well with other IPSec implementations. With FW/1 4.1 it allegedly works, but I can assure you that with FW/1 NG it doesn't. A VPN between two of these beasts works just fine as well, of course. It also seems to work with a Cisco router on the other side.
    It's a 'black box' - well technically a yellow one. The logs are not very extensive, and the web interface, however nice, gives me a limited feel. I guess I just want a prompt, I'm a bit old-fashioned.


    Setting up a VPN tunnel through a NAT device (in this case a Cisco 827) turns out to be slightly troublesome. The problem is the port translation done by the NAT - IPSec doesn't really like that. But here's an article that tells you which line to add to your config to make it work. Beware, however, you might need to update your IOS...

    Life, the universe,...

    Last week at work. I'm getting my paperwork together for my application to the University of Sussex. It's complicated and involves translations of my diploma and transcript. I also need references - luckily I have built enough social capital to get a few of those.
