Open Applescript Editor. Put in:

tell application Terminal

do script "ssh hostname"

set bounds of front window to {63, 640, 1212, 1022}

end tell

File | Export … and save it as an application. Put it on your desktop, giving it a reasonable name. Done. If you want to later edit the script (say, to set boundaries :) ), right click, Show Package Contents, then go into Contents\Resources\Scripts and edit the main.scpt file you’ll find. The “set bounds” statement places the window at the bottom-left-ish and makes it 160×25 at my current resolution and font size. I can’t figure out how to tell Terminal to just set itself to 160×25 without also moving it, and I expect that the actual characters displayed depends on font, size, etc.

I used to care a lot about Enigmail. For various reasons, I care less about it now. There are, however, a few things that I would miss about it. Oddly, the one that I kind of missed the most is the most whimsical – I like having my default signatures rotate. So I did a bit of digging, and came up with some applescript (courtesy clapper.org‘s post on the subject) only slightly modified.

Also, being a complete Mac-centric scripting n00b, I wasn’t sure how to make things go. Save the Applescript into a file called… anything. Run osacompile against it. You can call the resulting compiled script from your .bashrc with osascript, something like

osascript /Users/foo/bin/sigrot.scpt

Another relatively minor irritation is the default behaviour of never marking mail as read, or marking it as read instantly. You can theoretically fix that with

defaults write com.apple.Mail MarkAsReadDelay 4

but that didn’t work for me (10.8.1). Instead, I used TruePreview.

Now, if only I could convince it to show me messages most recent at the top, but when they’re threaded, show them most recent at the bottom.

1) I got it working, hurray! Run away before it breaks.

2) I got it working, hurray! And I took notes while I was getting it working, so I’m good. Run away before it breaks

3) I got it working, hurray! And I took notes while I was getting it working, so I’d better start from scratch and make sure my notes work.

#1: chkconfig. That funny line in the init script that says something like “# chkconfig: 23456 88 22″. It’s easy to find out that the first batch of numbers is runlevels, but less easy to find out the meaning of the second set. They’re priorities; the higher the first number, the later in the boot process it starts. The higher the second number, the later in the shutdown process it’s killed. Also, if you change those numbers – this is obvious in retrospect, but I forgot – you need to re-run “chkconfig on servicename”.

This is apparently all defined in the LSB. Back in my day, there was no that thur LSB, never mind chkconfig. You just put scripts in /etc/rc.d and crossed your fingers.

#2: misamchk. This worked fairly well on my 72GB RAM server with a ~25GB database:

myisamchk --fast --update-state --force --sort_buffer_size=1G \

--key_buffer_size=2G --read_buffer_size=512M --write_buffer_size=512M \

/path/to/db/*.MYI

The myisamchk manpage talks about “a lot of memory” being 512M so obviously it could use a bit of modernizing. That, or it really is MyFirstDatabase.

And this kind of stuff reminds me that while I need to keep my hand in, I’m just as happy to no longer be a sysadmin for a primary job duty.

(Edited Aug 2012 – neither should typing be, chkconfig on, not chkconfig start.)

Normally I build with –prefix=$HOME/app/name-maj.min then link app to whatever version I want to be the default. In $HOME/bin I make links to $HOME/pkg/app/bin and mostly everything just works. Except then I started running into problems with man pages, and setting this environment up can be a pain in my login shells. So I went looking for something that automated this. There’s just no other sensible way to do this on a Unix system.

By the way, at (the University of) Waterloo we have a(n) (in)famously obtuse packaging / configuration management system called xhier. Any time I think about this, I wish I had the GOOD parts of said system available. It has lots of nifty toys to automate building, configuration, and managing links, as well as a utility called showpath that helps you to manage both your PATH and MANPATH variables. And I’ve often declared that anybody who thinks about automating, including things like Stow, is at risk of re-inventing xhier.

Stow is a bit of an annoyance in that it, itself, requires Perl. The entire reason I like having my own separate Perl instance, in particular, is because of a long history of CPAN screwing me over. So I put my own version aside, run CPAN, and no operating system update blows my stuff away, and no CPAN will touch my OS stuff. I tried the MacPorts version of Stow and just couldn’t make it cooperate in integrating into my above flow – it would make links just fine in $HOME/stow, but it wouldn’t remove apps.

What finally worked was using my own $HOME/pkg/perl CPAN utility to install Stow. Then I was able to:

cd ~/pkg

stow -t ~/stow ruby-1.9.3

stow -D -t ~/stow ruby-1.9.3

and everything seems to work as expected. The above did not, with the MacPorts version, but it’s still at 1.3 and perhaps there’s issues with the older version, I don’t know. I don’t really like Perl very much any more, so I’m not inclined to delve into the whats wherefores and whys. I thought about looking at how the MacPorts version differed (in configuration) from mine, but then I cracked another beer, drank it and a few more, then laid down for a while and the feeling passed.

(Edited to account for Giles’ grammar correction and general persnickitiness. Thanks, Giles!)

Symptoms: I couldn’t add new host keys to my known hosts file, nor could I remove old ones.

Directory listing:

-rw-r--r--@ 1 me  staff  16588 10 Mar 20:59 .ssh/known_hosts

The trailing @ means the file has extended attributes. After some work with a search engine, I found out I wanted to use the xattr command, or perhaps “ls -lO@”. Either way, the attributes preventing me from modifying the files were:

com.apple.metadata:_kTimeMachineNewestSnapshot

com.apple.metadata:_kTimeMachineOldestSnapshot

Running the appropriate incantation of xattr -d on the affected files (it wasn’t just my known_hosts file) worked a treat.

Depending on context, I have a lot of other names to which I might respond. Depending on the context, I might also not respond, as they tend to be, well, contextual.

At work I’m usually just Mike, but I might be mpatters. That used to be my email address and it will still work, but I now tend to publish mike.patterson. I also use that for email addresses elsewhere, sometimes; my alumni forwarding account, for instance. Since my name is published in our directory as Michael though, some people do call me that, and I don’t bother correcting them. I might not immediately respond though.

On Twitter, I’m snowcrashmike, but nobody uses that anywhere else. Some very old IRC hands might know me as kraig, and I used that on MUDs. I also go by kraig on LiveJournal and Dreamwidth, and some people who met me first through those communities tend to use it as my name, even in voice conversations. In some web communities and games (Forumwarz, for example) I’m generally kraig or kraigu, but sometimes kraigus.

In the very long ago, I used to use BlackSpy as a BBS handle, but that was too overloaded when I switched to IRC. Nowadays on IRC networks I tend to use kraigu. My Steam name varies, I usually set it to earless wondercat, but I often play with it: earless wunderkatze, earless dyingcat (I do a lot of dying in online games), fearless wondercat, feared blundercat, beerless wondercat… well, you get the idea. But usually people call me just earless or wondercat in in-game voice chat, it makes things easier.

Sometimes, in certain circles, I might be just [. I don’t even remember what my FIDONet handle was.

I’m old enough that things like IRC were fairly new when I was coming of age, and young enough that identity is really a fairly slippery thing. I’m old enough to still value some privacy and think that for some people it matters quite a lot, young enough to realise that not using your real name doesn’t mean you can’t be found. I’m experienced enough to know that a middle ground is very difficult to find, wordly enough to know that different cultures approach “true names” in vastly different ways, and finally, practical enough to not really care what name it is that people actually prefer – I try to find out what it is, and use that.

I think realnameonly policies are unnecessarily invasive, don’t do what proponents claim they do, and insensitive. In short, I think they’re misguided at best, generally no better than security theatre, and at worst, just flat-out stupid. Nobody else has the right to tell me who I am, nor do they have the right to tell anybody else who they should be.

Fortunately, a lot of the hoops I had to jump through previously are now non-issues; using gem to install pcaprub and packetfu itself made it dead simple. Even more fortunately, I didn’t bother trying it on my Mac initially, guessing – correctly, as it turns out – that RAM usage would go through the roof. I ^C’ed my test ruby script, pasted from my first post on the subject, after it hit 7.5GB resident on my 8GB test machine. I have Ruby 1.9.1 on that box, so I don’t think there’s much more I can do to optimise. Sadly, I guess I’m stuck with tcpdump and looping shell scripts for the time being, and I’ll try to follow up with the author, although I don’t know what help I can provide.

A driveby download is when you inadvertently or mistakenly download software. It may or may not actually execute, and it may or may not actually leave a persistent installation behind post-execution. Whether it does either or both of these things can depend on your user’s permissions on your computer, and also on the presence of software vulnerabilities. Driveby downloads may take advantage of vulnerabilities in your operating system or installed applications in order to perform a privilege escalation attack, where they can gain greater control over your computer than your current user actually has permissions for.

The most common way to fall victim to a driveby download is to visit an otherwise-innocent website that has been somehow compromised by an attacker. Like privilege escalation, there are many ways an attacker may do this, but the common feature is generally some Javascript in the page that causes your browser to redirect to a new website, often without you being aware that it’s happened. Javascript is not the only attack method; some attackers may also or instead use Java applets or ActiveX controls to deliver software.

Even if a driveby does not actually permanently install software, it can still cause damage. It may execute in memory only, and be used to send spam, conduct network scanning, or any other activity that a normal user of the system might perform. Some malware might, for example, connect to all your network drives and enumerate files you can see while logged in, evaluating them for confidential or personal information of a certain sort, and deliver those files back to the attacker.

The information on STS is correct, so far as I know – I don’t use the plugin myself – but it was with a bit of horror that I noted the author recommended using a VPN as partial mitigation against this attack.  We considered and rejected this advice for our own advisory (my own nearly identical blog post on it is here) when discussing Firesheep.

A VPN may be configured with a split tunnel – that is, traffic destined for the organisation hosting the VPN goes through the secure tunnel, but other traffic does not.  In other words, a split tunnel VPN does nothing to protect you against credential theft of the sort being discussed.

Our own VPN will be configured in such a manner, which is counter to the practise at many large companies, but which we believe is the only workable way when scaling out to thousands of users with uncontrolled access points.  The last thing we want is for our VPN to be hammered by BitTorrent traffic the instant somebody forgets, or for people to complain to us that their home network stops working as soon as they fire up the VPN.

Before following Mr. Coates’ advice, find out how your VPN works.  The illusion of security is worse than none at all.