Wednesday, November 14th, 2007
I didn’t know it, but (Open)SSH supports setting up a Socks5 proxy:
-D [bind_address:]port
Specifies a local ``dynamic'' application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configuration file.
SOCKS5 is pretty neat, as it lets you proxy arbitrary TCP connections without the proxy having to know anything about the application protocol running over them. For instance, if we give the following command:
$ ssh -N -D 127.0.0.1:8080 todsah@sharky.electricmonk.nl
We can now tell all kinds of clients, such as web browsers and instant messaging clients, that there is a SOCKS5 proxy running on localhost at port 8080. SSH forwards every connection made to that port over the encrypted session to sharky.electricmonk.nl, which then opens the real connection to whatever host and port the application asked for. The -N flag means no remote command is run; the session exists only to carry the forwards. Keep the bind address at 127.0.0.1: bind the port to a LAN-reachable address (or add -g) and anyone on that network can use your SSH session as an open proxy.
So, say we tell Pidgin that it should connect your MSN account through the Socks5 proxy at localhost:8080 by opening the Accounts (Ctrl-A) → Click MSN account → click Modify → Advanced tab → Proxy options → Proxy type = SOCKS5 and setting it to Host: localhost, Port: 8080. Now, when we reconnect to our MSN account, all MSN traffic will be routed over an encrypted SSH tunnel to the sharky.electricmonk.nl host, and will enter the public Internet from there.
This works great if you don’t trust the network you’re currently on but don’t have access to a VPN, for instance. You also don’t have to specify a separate forward for each application and port, as you do with ssh -L: one SOCKS5 port serves any number of applications, as long as they speak SOCKS5. Two caveats, though. First, the tunnel only protects the hop between you and sharky; from there the traffic is on the public Internet with whatever protection the application protocol itself provides. Second, SOCKS5 lets the client hand the proxy a hostname so that the DNS lookup happens on sharky, but some applications resolve the name locally and pass the proxy an IP address (SOCKS4 always works that way), which leaks the hostnames you visit to the untrusted network. Firefox, for example, only resolves names through the proxy when network.proxy.socks_remote_dns is set to true.
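To see what actually crosses that local port, here is a minimal SOCKS5 client in Python that talks to the proxy set up by ssh -D. This is an added example, not code from the original post or from OpenSSH. The proxy address 127.0.0.1:8080 is taken from the post; the destination www.example.com, the IPv4 literal 192.0.2.10 and the reply bytes in the comments are constructed placeholders. The wire format follows RFC 1928, and the two variants of connect_request show the difference between letting the SSH server resolve the name and leaking the lookup locally.

```python
"""Minimal SOCKS5 client for talking to `ssh -N -D 127.0.0.1:8080 ...`.

Added example, not part of the original post. Proxy address from the post;
destination hosts are placeholders. Wire format per RFC 1928.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00          # the only method ssh -D offers: SSH already authenticated us
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting():
    """Version identifier: version 5, one method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def connect_request(host, port, resolve_remotely=True):
    """Build a CONNECT request for host:port.

    resolve_remotely=True sends the hostname (ATYP 0x03) so the SSH *server*
    does the DNS lookup. With False, `host` must be a dotted IPv4 literal,
    meaning the lookup already happened on the local, untrusted network."""
    if resolve_remotely:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def leaks_dns(request):
    """True when a CONNECT request carries a literal IP: the name was resolved locally."""
    return request[:2] == bytes([SOCKS_VERSION, CMD_CONNECT]) and request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_reply(data):
    """Parse the proxy's reply into (code, text, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len, bound = 4, socket.inet_ntoa(data[4:8])
    elif atyp == ATYP_IPV6:
        addr_len, bound = 16, socket.inet_ntop(socket.AF_INET6, data[4:20])
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + data[4]
        bound = data[5:4 + addr_len].decode("idna")
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    (port,) = struct.unpack("!H", data[4 + addr_len:6 + addr_len])
    return code, REPLY_TEXT.get(code, "unknown"), bound, port


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy, dest_host, dest_port):
    """Connect to dest_host:dest_port through the SOCKS5 proxy at `proxy` ((host, port))
    and return the connected socket. The hostname is resolved on the proxy side."""
    sock = socket.create_connection(proxy)
    sock.sendall(greeting())
    version, method = _recv_exact(sock, 2)
    if version != SOCKS_VERSION or method != METHOD_NO_AUTH:
        sock.close()
        raise OSError("proxy refused no-auth SOCKS5: %r" % ((version, method),))
    sock.sendall(connect_request(dest_host, dest_port))
    head = _recv_exact(sock, 4)                      # VER REP RSV ATYP
    if head[3] == ATYP_IPV4:
        rest = _recv_exact(sock, 4 + 2)
    elif head[3] == ATYP_IPV6:
        rest = _recv_exact(sock, 16 + 2)
    elif head[3] == ATYP_DOMAIN:
        length = _recv_exact(sock, 1)
        rest = length + _recv_exact(sock, length[0] + 2)
    else:
        sock.close()
        raise OSError("unknown address type in reply")
    code, text, _, _ = parse_reply(head + rest)
    if code != 0:
        sock.close()
        raise OSError("SOCKS5 CONNECT failed: %s" % text)
    return sock


if __name__ == "__main__":
    # Assumes the ssh -D proxy from the post is running; destination is a placeholder.
    s = socks5_connect(("127.0.0.1", 8080), "www.example.com", 80)
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
    print(s.recv(1024).decode(errors="replace").splitlines()[0])
    s.close()
```

Running it with the ssh -D session from the post open prints the status line of www.example.com, fetched by sharky on your behalf. The leaks_dns check is the thing to run against a packet capture of your own client: if its CONNECT requests carry ATYP 0x01 instead of 0x03, the name resolution happened on the local network.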
Monday, November 12th, 2007
Android is here.
There’s been a lot of rumours about a Google mobile phone. Now, it appears that there is no gPhone (thank god), but there is a Google Mobile Phone Software Development Kit!
The SDK appears to have everything you need to build third-party applications for your mobile phone. The SDK is created in Java, has rich 2D and 3D graphics layers and, naturally, the default Google API stuff such as Google Maps. There’s also an emulator that allows you to test your application. Why can’t all SDKs be as cool as this one? And the best thing: it’s Open Source!
So, here’s the homepage; the presentation by Sergei Brin and an overview of the architecture (Part 1, Part 2, Part 3).
Not only is Google providing this SDK for free and as Free/Open Source Software, they’re also offering a total of ten million dollars in sponsoring to the best and most original mobile applications built with it! Put that in your pipe and smoke it, Apple!
Now, all we need is a phone that runs Android. Are you listening mobile phone builders? Nokia? HTek?? We need a phone that can run Android!
Monday, November 5th, 2007
Well, the big day is finally here. I revamped my homepage.
Saturday, November 3rd, 2007
According to many, Wikipedia’s biggest problem is that it can’t be trusted because anybody can edit it. Personally, I feel that the problem is that experts are allowed to edit it.
Hypercholesterolemia
Conditions with elevated concentrations of oxidized LDL particles, especially “small dense LDL” (sdLDL) particles, are associated with atheroma formation in the walls of arteries, a condition known as atherosclerosis, which is the principal cause of coronary heart disease and other forms of cardiovascular disease. In contrast, HDL particles (especially large HDL) have been identified as a mechanism by which cholesterol and inflammatory mediators can be removed from atheroma. Increased concentrations of HDL correlate with lower rates of atheroma progressions and even regression. The relation of cholesterol to CHD, termed the “lipid hypothesis,” is still hotly debated.
This is from the article on Cholesterol – from the ‘clinical significance’ section. I mean, really, is there anybody who hasn’t got a PhD in biology that understands all this? All I want to hear is if/why cholesterol is bad for you. ‘Hypercholesterolemia‘?? Why not just say ‘high blood cholesterol’?
Now, this is one of the easier articles (I picked it because I happened to have it opened in my browser), but there are tons out there that are a million times more complicated. (for instance, check out this section which has no introduction and almost no explanation. Compare it to the section before it, which is much better). That’s the problem with experts: they tend to lose sight of the overview and can only focus on details. But Wikipedia is an encyclopaedia, not a textbook on transfinite recursion.
Then again, Wikipedia hasn’t been an encyclopaedia for a long time. Wikipedia is quickly becoming the largest collection of human knowledge there is. It’s got information on traditional encyclopaedic topics, movies, books, comics, everything. I guess having all this information available in one place is better than not having it available at all or having it available in a million different places.
Come to think of it.. Wikipedia is what the Internet should have been: A big collection of information. The Internet, instead, has become something entirely different: A big collection of advertisements. I guess Wikipedia isn’t so bad.
Saturday, November 3rd, 2007
I needed to write a little application which would be accessible from a remote client, and which wouldn’t need any custom software running on the client. I needed a web application. But I didn’t feel like setting up a whole Apache web server with mod_python and whatever.
Of course, there’s CherryPy, but it feels a bit heavy for the very simple application I required. So I wrote TinyWAPP: Tiny Web App. A tiny web application server in Python in only 48 lines.
(more…)
Monday, October 29th, 2007
The ANGRY Whopper, with ANGRY onions and ANGRY jalapenos!
Hey, BurgerKing?! Your ANGRY advertisement just caused you to lose an ANGRY customer. Angry onions? Spare me. There’s no way this ad wasn’t made up by an American advertisement company. Well, guess what? I don’t like companies making me feel stupid when buying their products, so I’ll never buy one of your products again.
Monday, October 29th, 2007
Court sentences man who threatened Balkenende to prison.
I wonder why this man gets a prison sentence while someone like Theo Maassen, who has by now threatened more or less the whole world with death, does not. Nice and selective again, the Netherlands. “Crack down hard, as long as we don’t get any bad publicity!” Because it is of course more than obvious that Theo Maassen is merely exercising his freedom of speech, whereas this man poses a truly huuuge threat to Balkenende..
If this is the way civil rights keep going in the Netherlands, it wouldn’t surprise me, nor would I be sorry, if a few people got killed one of these days. Balkenende must die, because I don’t like his haircut. There, let’s see if they come after me too; I’ve heard it’s quite pleasant in one of those prisons. Free food, a bit of television, and if they treat you badly you just go to the media. Absolutely great.
The Netherlands is going backwards. Not long now and civil rights here will be in the same state as in that fine U.S. of A.
Monday, October 29th, 2007
(The latest version of this introduction to IPython can always be found here)
Python has an interactive shell, which you can start by simply starting
python:
[todsah@jib]~$ python
Python 2.4.4 (#2, Apr 5 2007, 20:11:18)
[GCC 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> print('hello')
hello
This is a nice and very powerful way of using Python, but it’s a bit
limited. So you might want to check out IPython.
IPython is also an interactive Python shell, but with lots of stuff added,
such as tab completion, colors, dynamic object introspection, sessions,
command history, etc.
To start it, simply run the IPython command:
[todsah@jib]~$ ipython
Python 2.4.4 (#2, Apr 5 2007, 20:11:18)
Type "copyright", "credits" or "license" for more information.
IPython 0.8.0 -- An enhanced Interactive Python.
? -> Introduction to IPython's features.
%magic -> Information about IPython's 'magic' % functions.
help -> Python's own help system.
object? -> Details about 'object'. ?object also works, ?? prints more.
In [1]:
You’ll be dropped at a prompt (In [1]:) where you can enter python
commands, just like in the normal interactive python interpreter. Let’s walk
through a couple of IPython’s best features:
(more…)
Sunday, October 28th, 2007
If you’re trying out Mako (the templating language) and you happen to get this error:
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/CherryPy-3.0.1-py2.4.egg/cherrypy/_cprequest.py", line 551, in respond
cherrypy.response.body = self.handler()
File "/usr/lib/python2.4/site-packages/CherryPy-3.0.1-py2.4.egg/cherrypy/_cpdispatch.py", line 24, in __call__
return self.callable(*self.args, **self.kwargs)
File "./pua.py", line 82, in index
return Template('index', {'title': 'Title!'})
File "./pua.py", line 35, in Template
return(t.render(**vars))
File "/usr/lib/python2.4/site-packages/Mako-0.1.8-py2.4.egg/mako/template.py", line 114, in render
return runtime._render(self, self.callable_, args, data)
File "/usr/lib/python2.4/site-packages/Mako-0.1.8-py2.4.egg/mako/runtime.py", line 287, in _render
_render_context(template, callable_, context, *args, **_kwargs_for_callable(callable_, data))
File "/usr/lib/python2.4/site-packages/Mako-0.1.8-py2.4.egg/mako/runtime.py", line 304, in _render_context
_exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
File "/usr/lib/python2.4/site-packages/Mako-0.1.8-py2.4.egg/mako/runtime.py", line 337, in _exec_template
callable_(context, *args, **kwargs)
File "index_html", line 20, in render_body
TypeError: 'int' object is not callable
Check whether the default_filters of your TemplateLookup contain a utf-8 decode filter:
import mako.lookup

template_lookup = mako.lookup.TemplateLookup(
directories=[path_templates],
output_encoding='utf-8',
encoding_errors='replace',
default_filters=['decode.utf-8']
)
If it does, change ‘decode.utf-8’ to ‘decode.utf8’ (drop the hyphen). This fixes the error. The reason is that Mako pastes each filter name into the Python code it generates for the template, as name(expression). So ‘decode.utf-8’ ends up as decode.utf-8(...), which Python parses as decode.utf - 8(...); the call 8(...) is what raises ‘int’ object is not callable. The codec name without the hyphen, utf8, is the form Mako’s own documentation uses. Michiel and I have both run into this, so there are bound to be more.
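To see why the hyphen matters without installing Mako, here is a small Python 3 stand-in for the two pieces of Mako involved. This is an added example, not Mako’s code and not from the original post: the Decode class mimics mako.filters.Decode (attribute access yields a decoder for that codec) and compile_filter mimics what Mako’s code generator emits for one entry of default_filters. The filter strings and the sample bytes are constructed for the demonstration. The same mechanism is also the reason filter names must never be built from untrusted input: they are Python expressions that get compiled into the template module.

```python
"""Reproduce Mako's 'int' object is not callable filter error without Mako.

Added example, not Mako's own code. `Decode` stands in for mako.filters.Decode
and `compile_filter` for the text substitution Mako's code generator performs.
"""


class Decode:
    """Attribute access yields a decoder for that codec: decode.utf8(b'...')."""

    def __getattr__(self, codec):
        def decoder(value):
            if isinstance(value, str):
                return value
            return bytes(value).decode(codec)
        return decoder


decode = Decode()


def compile_filter(filter_name, expression="value"):
    """What the code generator emits for one filter: plain text, name(expression).
    Nothing validates filter_name, so it is compiled as Python verbatim."""
    return "%s(%s)" % (filter_name, expression)


def apply_filter(filter_name, value):
    """Evaluate the generated source the way the compiled template module would.
    'decode.utf-8' becomes decode.utf - 8(value): the call 8(value) runs first
    and fails because an int is not callable. 'decode.utf8' is a plain attribute."""
    source = compile_filter(filter_name)
    return eval(source, {"decode": decode, "value": value})


def filter_error(filter_name, value):
    """Return the exception message applying the filter raises, or None if it works."""
    try:
        apply_filter(filter_name, value)
    except Exception as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    sample = b"caf\xc3\xa9"                      # constructed UTF-8 input
    for name in ("decode.utf-8", "decode.utf8"):
        print("%-14s -> %s -> %s" % (name, compile_filter(name), filter_error(name, sample)))
```

The first line of output shows the broken filter being compiled to decode.utf-8(value) and failing with the exact message from the traceback; the second shows decode.utf8 decoding the bytes to “café”.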
Thursday, October 25th, 2007
Theo de Raadt on virtualisation security:
> Virtualization seems to have a lot of security benefits.
You’ve been smoking something really mind altering, and I think you
should share it.
x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection. Then running your operating
system on the other side of this brand new pile of shit.
You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can’t write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.
> Anything we can do to increase security, *including* setting up VMs (of any
> flavor) is an improvement [that also increased hardware utilization].
This last sentence is such a lie.
The fact is that you, and most of the other fanboys, only care about
the [that also increased hardware utilization]. The yammering about
security is just one thing — job security. You’ve got to be able to
sell increased hardware utilization in a way that does not hang you up
at the end of the day.
Of course, de Raadt is right… in his own tiny little world at least. Running services which would normally run on multiple machines on multiple hypervisored instances on a single host machine would indeed be less secure than running them from multiple physical machines.
But running multiple applications on virtualized machines which would normally run on a single machine is more secure, simply because it adds another layer of protection.
But, as usual, de Raadt’s complete ineptitude when it comes to communications totally negates any point he’s trying to make and only serves to rile up people against his cause.
It’s the chroot story all over again. Yes, chroot isn’t completely secure. Yes, chroot isn’t meant as a security construction. Yes, running multiple services on a single machine that would normally be run on several separate physical machines is less secure. That doesn’t mean chroot (and virtualisation, for that matter) can’t add an extra layer of security if used properly!
Theo de Raadt’s problem is that he views security the way cryptography experts view ciphers: as an absolute. But security isn’t like math. It’s not absolute. There are right and wrong ways of doing security. De Raadt is like that security consultant who says: “You must have randomly generated passwords consisting of at least eighteen characters, lower and upper case, numbers and symbols, nothing repeated twice, completely unique and changed every week, or you’re being insecure!”, all the while ignoring the fact that that kind of password policy will only force people to write down passwords on a yellow sticky note under their keyboards. In theory, they’re right. In practice, they’re wrong. These people become blinded by their own viewpoint. Just as these so-called security consultants are blinded by their belief that strong passwords equal security, so is Theo de Raadt blinded by his belief that virtualization doesn’t improve security.
Perhaps it’s time to stop listening to de Raadt, and start listening to people with a broader overview of the situation.
The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.