May 152015
 

… or how to emulate Red Hat’s RPM dependency hell in Debian with Python.

There are times I love open source systems and times when it’s a real love-hate relationship. No more is this true than trying to build Python module packages for Debian.

On Gentoo this is easy: in the past we had g-pypi. I note that’s gone now and replaced with a gsourcery plug-in called gs-pypi. Both work. The latter is nice because it gives you an overlay potentially with every Python module.

Building packages for Debian in general is fiddly, but not difficult, but most Python packages follow the same structure: a script, setup.py, calls on distutils and provides a package builder and installer. You call this with some arguments, it builds the package, plops it in the right place for dpkg-buildpackage and the output gets bundled up in a .deb.

Easy. There’s even a helper script: stdeb that plugs into distutils and will do the Debian packaging all for you. However, stdeb will not source dependencies for you. You must do that yourself.

So quickly, building a package for Debian becomes reminiscent of re-living the bad old days with early releases of Red Hat Linux prior to yum/apt4rpm and finding the RPM you just obtained needs another that you’ll have to hunt down from somewhere.

Then you get the people who take the view, why have just one package builder when you can have two. fysom needs pybuilder to compile. No problems, I’ll just grab that. Checked it out of github, uhh ohh, it uses itself to build, and it needs other dependencies.

Lovely. It gets better though, those dependencies need pybuilder to build. I just love circular dependencies!

So as it turns out, in order to build this, you’ll need to enlist pip to install these behind Debian’s back (I just love doing that!) then you’ll have the dependencies needed to actually build pybuilder and ultimately fysom.

Your way out of this maze is to do the following:

  • Ensure you’ve got the python-stdeb, dh-python and python-pip packages installed.
  • Use pip to install the dependencies for pybuilder and its dependencies: pip install fluentmock pybuilder pyassert pyfix pybuilder-external-plugin-demo pybuilder_header_plugin pybuilder_release_plugin
  • Now you should be able to build pybuilder, do pyb publish in the directory, then look under target/dist/pybuilder-${VERSION} you should see the Python sources with a setup.py you can use with stdeb.

Any other dependencies are either in Debian repositories, or you can download the sources yourself and use the stdeb technique to build them.

Apr 112015
 

To whom it may concern,

There have been reports of web browser sessions from people outside China to websites inside China being hijacked and having malware injected.  Dubbed “Great Cannon”, this malware having the sole purpose of carrying out distributed denial of service attacks on websites that the Chinese Government attempts to censor from its people.  Whether it be the Government there itself doing this deliberately, or someone hijacking major routing equipment is fundamentally irrelevant here, either way the owner of the said equipment needs to be found, and a stop put to this malware.

I can understand you wish to prevent people within your borders from accessing certain websites, but let me make one thing abundantly clear.

COUNT ME OUT!

I will not accept my web browser which is OUTSIDE China being hijacked and used as a mule for carrying out your attacks.  It is illegal for me to carry out these attacks, and I do not authorise the use of my hardware or Internet connection for this purpose.  If this persists, I will be blocking any and all Chinese-owned websites’ executable code in my browser.

This will hurt Chinese business more than it hurts me.  If you want to ruin yourselves economically, go ahead, it’ll be like old times before the Opium Wars.

Feb 202015
 

All,

As an update on this…

Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.

To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.

Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled.

Mark Hopkins, Lenovo Support

That’s alright Mark, I’ve permanently removed Lenovo from my list of future suppliers. If I buy a Lenovo product, I’m going to insist the machine is delivered to me completely formatted of hardware and supplied with media to do a clean installation since it is clear you cannot be trusted to put an OS on a computer and not botch it in some manner.

I think there should be a law against this sort of bundling: too long machines have been delivered with crippling bloatware that either wastes system resources, causes security headaches or both. Sure, bundle some software, BUT ASK THE CUSTOMER BEFORE YOU INSTALL IT!

Feb 012015
 

How do software companies get things so wrong?  I aim this at both Google and Apple here, as both are equally as guilty of this.  Maybe Microsoft can learn from this?

So you see something on an “app store” that might be useful on the device you’re using.  Ohh, a free download, great!  Let’s download.  You click the link, and immediately get asked for a login and password.  There’s no option to proceed without.  They insist you create an account with them even if it’s the one and only thing you’re interested from them.

In the past my gripe has been with the Google Play store.  Even the “free” apps, require you to log in.  Ohh, and to add insult to injury, the Google Play store doesn’t just expect any Google account, it has to be one of their Gmail accounts.  Back in the late 90s I had an email address with most providers as the average quota was about 5MB.  I’ve had a mailbox of my own with a multi-gigabyte (actually limited only by disk capacity) “quota” since 2002, I have no use for Gmail, and only keep my old Yahoo! address (created in 1999) for historic reasons.

I have an Android phone (release 4.1: thanks to ZTE’s backward thinking and short attention span), and thankfully there’s the F-Droid store which has sufficient applications for my use.  So I can work around the Google Play store most of the time and so far, haven’t needed anything from there.

Today, my gripe is at Apple, and the “app” in question is MacOS X, which cannot be obtained anywhere else.

With all the high-profile attacks on websites that store user accounts, one has to ask, why?  It’s one extra username and password, which given the frequency I’m likely to use it, will have to be written down and stored somewhere secure as it won’t get sufficient use to commit it to memory.  Before people point out password managers, I’d like to point out one thing: it’s still writing it down!

There’s absolutely no need for an “app store” to know your email address, usernames, passwords, or any details.  If you are actually purchasing an application, they only need enough information to process a payment.

Usually this is by a debit/credit card, so they need to know the details on the card.  An alternative might be direct deposit through a bank, at which point they need to supply you with details on how to make the payment — details that include the information they need to match your payment in their ledger to your store purchase.  At no point do they need anything else.

For convenience an email address might be supplied so they can confirm your order or contact you if there’s a problem, however for debit/credit cards, this happens so quickly that it can be achieved via the web browser.

Despite this, they insist on you providing just about everything.

I’m no stranger to the “app store” concept.  Linux and BSD distributions have had this sort of concept for years.  BSD has had ports for as long as I can remember.  Debian had apt since 1998, Gentoo has had portage since its inception in 2003 and RPM-based distributions have had yum for some time too.

None of these actually need to know who you are in order to download a package.  Admittedly none of these are geared toward commercial sales of software, and so lack the ability to prompt for credentials or payment information.

Since both Google Play and the Apple App store have solved the former problem, I see no reason why they couldn’t solve the latter.  I don’t want to post anything to the site, I don’t want to leave feedback as I can hardly comment on something I haven’t received yet, and I don’t know when I’ll next visit the site.

If I was going to be back repeatedly, sure, I’ll make an account.  It’ll make everyone’s lives easier. (Including the blackhats!)  But I’m not.  I have a late-2008 model MacBook, probably the oldest machine that Apple support for their latest OS.  The machine dual-boots MacOS X 10.6 and Gentoo Linux, and spends 99% of its time in the latter OS.

Given the age of the machine and the frequency at which I use its native OS, it is not worth me spending a lot of time or expense updating it.  A 2GHz Core 2 Duo with 8GB RAM and a 750GB HDD is good enough for many tasks under Linux, but is the bare minimum to run OS X 10.10.  The only reason this machine doesn’t grace my desk at work anymore is the fact the lack of ports (USB in particular) proved to be a right pain.

Why update?  Well, applications these days seem to expect at least MacOS X 10.7 now.  I either have to build everything myself or update the OS, so I’m investigating the possibility of updating the OS to see if it’s feasible.  Apparently it’s a free download, so why not?

Well, why not indeed!  Instead of having a simple http, https or ftp link to the file in question (maybe a .dmg image) for software they’re not actually selling to me in the traditional sense, they instead insist on making me jump through hoops like requiring their “app store” client — so I can’t just grab the link, tell the web server here to download the file then grab it from there when I’m ready.

Since I can’t do the download any other way than via their “app store” client, I have to remain booted in MacOS X in order to download it regardless of what I might otherwise wish to do the machine and what OS that requires.

However, before I can even think about starting the download, I’ve got to register an account, supplying a username and password for something that will probably be used exactly once.  Details that they have to pay people big money to store securely.

Instead of spending some money paying someone to add an extra one-off button and form to their “app store” clients, they instead spend significantly more on infrastructure designed to meet the privacy requirements of various laws to store user information that simply is not necessary for the transaction to proceed.

In light of the sophistication of the modern cracker and the cut-throat nature of the mobile market, is this such a wise use of company funds?

Dec 102014
 

This afternoon we started getting some unusual calls.  Now I hate those survey calls, or telemarketing calls wanting to sell you some kind of service.  I especially hate them when they’re delivered by a recorded voice, and there’s a special place in HELL for those which claim to have found “problems with your computer”.

My troubles started earlier this afternoon.  Having gotten home from work around 3PM, I make a call to my father to find out what was happening tonight, got no answer, and so I just hung up rather than leaving a message (it wasn’t important).  He rang back and we had a quick discussion.

Some time later, the phone rings.  Now, normally when the phone rings, it’s two bursts, then silence, then two more bursts, then silence … etc.  This had a different initial rhythm: one long burst, then silence, then the usual pattern.  I answered, only to be greeted by silence, then an automated voice.  I hung up straight away.

Normally that’d be the end of it.  Then history repeats itself, after 5 minutes the phone ring again.  Same pattern.  I answer, and get the same silence, followed by a voice recording.  I hang up, again.

Cue this happening about 3 or 4 times.  So I look up the Telstra website and found their help-desk number.  I also paid a visit to the Do Not Call register for good measure.  (We had done it before, but maybe it had expired?).  A computer system answers (typical), and after answering a few prompts, I’m told there will be a 7 minute wait.

Well, 7 minutes turned out to be 25 minutes, but who’s counting?  I guess Steven Travalgia is right about the “variable viscosity of time” theory, it certainly applies to help-desk queues!  That said, at least I wasn’t getting nuisance calls.

I explain the situation to the operator.  Naturally, not being the account holder, they cannot do much, but at least there’s a record of me calling, they mention they can enable tracing to find out what’s going on.  They give me a direct line for their unwanted calls department, and I reply stating I’ll take some logs of what happens and call that number when I have some evidence.

17:04 4 rings, dial tone on pick up
17:05 3 rings, stopped ringing before answer
17:12 2 rings, dial tone on pick up
17:52 Answered and recorded.

I recorded this (apologies for the clipping, my mic gain was up a bit high):

Now it’s worth noting that nothing currently plugged into the phone line can receive SMS messages.  Our phone line terminates in our garage at a ADSL2+ central splitter (installed by yours truly).

One CAT5e cable is divided into one ADSL circuit and 3 voice circuits and runs into the office, providing service for the ADSL router/modem, a multi-function fax/printer/scanner, a General Electric speaker phone (with corroding AA batteries, so maybe that phone will go in the bin now), a (Telstra-branded) cordless phone base station and a 56k modem.

The other feed coming out of the splitter box is original house wiring, and terminates upstairs with an old Telecom Australia Touchfone 200 that probably remembers the days of our house having a 6-digit number.  (Our line is that old.)

Nothing that will receive messages, or confuse the hell out of the delivery centre.  It seems if there’s nothing on the line, they just keep ringing persistently, making the service a very cheap and efficient way to harass someone at all hours of the night!

Sadly, a quick search does not tell one how to disable this service.  I have no reason to receive SMS messages on a land-line, I have a mobile for that.  If I find out how, I’ll be updating this.

Nov 052014
 

Just because I effectively turned down offers to work for you doesn’t mean I’m okay with your customers having a crack at my server:

Hi,

The IP 107.167.183.204 has just been banned by Fail2Ban after
3 attempts against SSH.


Here is more information about 107.167.183.204:


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=107.167.183.204?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       107.167.160.0 - 107.167.191.255
CIDR:           107.167.160.0/19
NetName:        GOOGLE-CLOUD
NetHandle:      NET-107-167-160-0-1
Parent:         NET107 (NET-107-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google Inc. (GOOGL-2)
RegDate:        2014-01-24
Updated:        2014-01-24
Comment:        *** The IP addresses under this netblock are in use by Google Cloud customers *** 
Comment:        
Comment:        Please direct all abuse and legal complaints regarding these addresses to the 
Comment:        GC Abuse desk (google-cloud-compliance@google.com). Complaints sent to 
Comment:        any other POC will be ignored.
Ref:            http://whois.arin.net/rest/net/NET-107-167-160-0-1

OrgName:        Google Inc.
OrgId:          GOOGL-2
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2006-09-29
Updated:        2013-10-18
Comment:        *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:        
Comment:        Please direct all abuse and legal complaints regarding these addresses to the
Comment:        GC Abuse desk (google-cloud-compliance@google.com).  Complaints sent to 
Comment:        any other POC will be ignored.
Ref:            http://whois.arin.net/rest/org/GOOGL-2

OrgAbuseHandle: GCABU-ARIN
OrgAbuseName:   GC Abuse
OrgAbusePhone:  +1-650-253-0000 
OrgAbuseEmail:  google-cloud-compliance@google.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/GCABU-ARIN

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc
OrgTechPhone:  +1-650-253-0000 
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

OrgNOCHandle: GCABU-ARIN
OrgNOCName:   GC Abuse
OrgNOCPhone:  +1-650-253-0000 
OrgNOCEmail:  google-cloud-compliance@google.com
OrgNOCRef:    http://whois.arin.net/rest/poc/GCABU-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Regards,

Fail2Ban

Geez, you’re getting as bad as another mob I could mention, although in your favour, you at least make it clear from the WHOIS data that it’s a guest on your network that’s stirring up trouble.

Aug 192014
 

Well, it has been a long time since I last logged in on the Atomic MPC forums.  Years in fact.  I was at one time, quite active, particularly in what was the “Unix, Linux and Open Source” forum, back in the days when their forum software was an entirely in-house production.

Lately, my work has been very IT intensive, and while some days things go great, other days it’s a struggle.  And when it’s a struggle, the last thing one wants to look at is a computer.

Now when I was active on the Atomic forums, the threads used to move rather fast.  In their move to VBulletin we gained the ability to subscribe to threads and get notified of replies.  A feature I made quite extensive use of.  It was a useful way to keep track of what was happening.

One day I decided I had enough, rather than draw attention to myself with a leaving thread, I just quietly left.  I continued to watch the threads from a distance, and over time, the replies got less and less frequent as the threads slipped off the front page.  I hadn’t seen an email from Atomic for well over two years, until the other day.  Bam!  I had over 200 emails in one hit!

I thought this was just a one-off glitch, so I ignored it.  Then Bam!  A few days later it happened again.

I suppose it’s happened 4 or 5 times now.  What does it look like?

Atomic MPC spam

Atomic MPC spam

Yes indeedy, that’s my email inbox, and there is more crap from old threads that are old enough to be stored on wooden platter hard drives than legitimate email in my Inbox.

I’ve just recovered my account and hopefully unsubscribed myself from these notifications.  However, to the Atomic MPC mods, be warned, if this continues I will be taking this up with the ACMA as the constant barrage my server is copping is getting beyond a joke.

Jul 192014
 

Oi, Microsoft, yes You!

See this?  Now Bugger Off!  Your lack of self-control was pushing my poor server’s CPU through the roof, so I blocked you.  Now I see you’re back and after the 403 you still aren’t taking the hint!

Search just about anywhere else on this site, no problems.  But the git repositories, those are both CPU and I/O intensive.  Had you noticed how long it was taking, and backed off, I might’ve put up with you, but 5-minute CPU load averages in excess of 80 on a dual-core Intel Atom are no fun.

Go bing up someone else’s host!

Jun 012014
 

Just a quick note. I’ve been getting a lot of spambots registering on this site of late. Probably at least 3 an hour.

Thus I have implemented a new policy. Inactive accounts older than a week 3 days old who have posted no comments will be deleted. I will quarantine the account, and can re-instate it should an account be mistakenly deleted.

The comment doesn’t have to be approved, it can be in moderation. If the comment is spam, the account and comment will be deleted upon discovery. So spambots, go ahead, it’ll let me hunt you sooner. Or don’t even bother creating the account, no one will see it so it’s a waste of time anyway.

May 282014
 

Entered into an eBay contact form.

Hi, Just a short note.

I am closing my account: the form that asks why didn’t really capture the true reason why I’m closing.

It’s not quite “identity theft”, but it is security-related.

I haven’t been using my eBay account, so I thought I’d set the password to something nice and *strong*. On the password change form, I noticed a 20-character maximum limit.

This was red flag no. 1.

Then I pasted a randomised password from a generator. The site complained I had forbidden characters.

This was red flag no. 2.

By placing limits on the size of password and its content, it is clear to me that eBay is *not* serious about making its systems truly secure, and that breaches like the one experienced recently will be a recurring event.

By hiding behind “proprietary encryption” it isn’t even serious about reassuring the public: good crypto doesn’t need secret algorithms to work well.

As there’s now very little I buy off eBay, I feel the time has come to say goodbye. If you ever do get your act together, I might consider returning, but until then, farewell.