August 2007 Archives

4.0 came out over a week ago, doesn't look like there's any major problems, and I just tested exporting this site and importing it into an MT4 setup - looks ok, so I might do the upgrade tonight while I'm working late.

With any luck, my next post will come from the new platform - and maybe my RSS exports won't get all screwed up and cause all my old posts to become new again, like I've seen in the past...

It's hard to disagree with this:

It's up to leaders to set an example that this kind of behavior is not tolerated. And in this case, it isn't enough to merely abstain from attending the cock-fight, so to speak. Leaders need to speak out against academic cock-fighting, and let would-be perpetrators know it won't be tolerated. Otherwise the discriminators and harassers will believe that the sheriff might just be stopping by to join in the fun.

Well, yeah. I respectfully suggest that if leaders need to be told that they ought to lead by example (and it's no good to say "do as I say, not as I do") they should attend a Junior Leadership Course or an Infantry Section Commander Course as put on by the Canadian Forces. That is absolutely one of the most basic truths about leadership. Armies figured it out as long ago as Alexander the Great. Nobody will follow somebody who doesn't do as they ask others to do, and nobody respects a hypocritical leader.

(I will refrain from making the obligatory quotation from Sun Tzu, since a) I'm not sure he had much to say on that particular subject, and b) I hate that fashion.)

And yes, I included that blockquote just so I could use the word "cock-fight" in a post and get away with it. If you think that's immature, neener on you, you perv.

This is *hockey* news? I mean yeah, it's the Toronto Sun and asking them to not talk about Mats Sundin at least once a week or so is like asking them not to breathe, but really... you can tell it's August.

Can we just skip the next month or so?

Richard Bejtlich has an article up at Information Security Expert Tips about how one can test Snort. It's an introductory-level article, but introduces a tool called IDSWakeup that was new to me.

When I was much younger, my dad used to show me things in the night sky. He isn't really an amateur astronomer - we didn't own a telescope, for instance, although we had some damned good binoculars - but he has a good idea of what's what up there, especially considering he makes his living looking mostly downwards. (A friend, the son of one of dad's co-workers, used to scandalize his father by saying "dad digs holes for a living" - they're soil scientists.) Dad also loves maps, which is good, again considering how he makes his living.

I have nowhere near as good an idea for what's what, either in the sky or on land maps, but I still appreciate things like Google Earth for the coolness they represent, and the night sky still holds some interest. Thus, OSXPlanet ranks right up there with Google Earth.

Even the best of us need the occasional reminder about the best ways to write papers (and abstracts, which is something at which I have very little practise). Via Light Blue Touchpaper, Markus Kuhn tells us how not to write an abstract, and via his own Cambridge Labs home page, he gives us some tips for effective electronic publishing using LaTeX and PDFs.

I found the section in the latter regarding titles illuminating; I'd previously noticed that Europeans tend not to capitalise as much as us North Americans, and it actually bugged me. I can see the reasons for it, although I'm not sure that I'd switch - while many of my users are European, none of my fellow staff members are, and I don't want to confuse my bosses.

Apropos of not much, this paper drove me batty with poor layout and its use of "impact". Looks interesting, but dang. I hadn't been going to say anything about it til I'd read it in full, but then I came to this post and thought it would serve as a useful example for one of the things that makes me crazy. Its abstract isn't bad though, beyond the mere language. The table of contents, however, is just begging for some LaTeX love.

Again courtesy of darknet, I found ftester, a Perl tool for testing firewalls and IDSen. I figured I'd give it a quick test run.

All my security machines are FreeBSD, so I hoped to find it in ports - no such luck. Figuring I'd test from a machine in our firewall's untrusted zone to a machine that was, I grabbed the sources to there first. I lacked all the required Perl packages, but p5-Net-RawIP, p5-Net-PcapUtils (and its several dependencies), and p5-NetPacket are all in ports. I installed those on both machines using pkg_add -r. I also had a quick look at ftest and ftestd, didn't see anything in there that looked like it would hose me. I also changed the shebang line to call /usr/local/bin/perl - looks like at least one of my perl installs didn't make the links in /usr/bin for me.

I had a quick look at the README and set up an ftest.conf on source machine that looks something like this (IP addresses changed for "privacy"):

sourceip:1025:destip:1-1025:S:TCP:0

and ran ftestd on the dest machine:
dest# ./ftestd -i em0 -v
Firewall Tester sniffer v.1.0
Copyright (C) 2001-2006 Andrea Barisani

default system TTL =
replies TTL = 200
listening on em0

Then I let fly with ftest on the source machine:
source# ./ftest -f ftest.conf -v -d 0.01
Overriding command-line flags => flags: -d 0.01 -s 1
Overriding command-line flags => flags: -e ttl1 -p 4
Restoring command-line flags => flags: restore
1 - sourceip:1025 > destip:1 S TCP 0
lots more
1026 - sourceip:1025 > destip:3128 S TCP 0
source#

And the output on the dest machine looked like this:

22 - sourceip:1025 > destip:22 S TCP 0
113 - sourceip:1025 > destip:113 S TCP 0
407 - sourceip:1025 > destip:407 S TCP 0

(which gives away no information that we haven't already published, by the way). So at first glance, it appears to behave exactly as advertised; even if the IDS stuff doesn't work, it's still useful for seeing exactly what's sent vs what's received through a firewall or a proxy.

I usually use Recovery Is Possible as my catchall Linux rescue CD, mostly for fixing up hosed GRUB installations but sometimes just for taking a look. Going through old RSS feeds I haven't touched in a while though, I found a pointer to Trinity Rescue Kit (via darknet via Andrew Hay).

Next time I need a rescue CD or to reset a Windows administrator password, I'll have to give it a try.

The gals over at Interchangeable Parts are doing a tremendous series of reasons why they love hockey. I've only picked up on their site recently, forget where I saw it first, but you really must run over and read their reasons. Rather than submit my own to them, as it's rather brief and, well, I need content here, I thought I'd write it here.

Reason why I love hockey: national anthems. Where else are the national anthems of the teams involved both played? Granted, that's only one or both of the Canadian and US national anthems, the players generally seem to be waiting only for it to end so they can get to the game already, and some fans ruin it with jingoism and general idiocy, but still.

One late spring evening in 2006, I was watching the playoffs, and Paul Lorieau did that thing with his microphone, and we heard 17,000 people singing O Canada as one. My wife, doing dishes in the next room, came in to watch, and I'm not ashamed to admit that I get a little misty-eyed just thinking about it now, over a year later.

And that is a reason why I love hockey.

This past week we went to Swiss Chalet - our usual one at 267 Weber N Waterloo - since it was about 10 jillion degrees out (Celsius, Fahrenheit, Kelvin, take your pick) and nobody felt like doing anything in the kitchen. My wife got a glass of water and a coffee. She was slurping away on her water, then all of a sudden stopped, spat something out into her hand, and showed it to me. A little tiny dull piece of glass.

We didn't fuss, but the next time our waitress (Lina) came by, my wife showed the glass to her. She looked concerned, apologized, and took it and my wife's drinks away, returning a minute later with fresh drinks and another apology. We resumed eating, but about 5 minutes later Lina returned with some plantation sugar in her hand, saying maybe that's what my wife had found. My wife was quite clear: no, it was definitely glass. Lina looked disappointed, but left.

Once we'd finished, Lina asked if we wanted free dessert: no thanks, we're full. She left, returned with our bill - 20% off, which came to about $7.

Not a lot, but enough - we'll return. Swiss Chalet is one of my favourite restaurants (white chicken on a kaiser and a monkey milkshake for me, I don't need a menu thanks), and we've usually had great service there. I left a larger-than-usual tip.

Maybe we should have made a scene, held out for more, sworn to never return, but to hell with that. Stuff happens, and no harm, no foul - my wife is perfectly fine. I prefer quietly acceptable to good customer service over browbeating waiters and waitresses into giving better service (at the cost of probably worse next time). Contrast to the one time we went to a different SC (525 Highland West, Kitchener), I ordered my usual, and got a pina colada shake instead of my monkey milkshake. I hate pina colada. I told the waitress, and she assured me no, that's not pina colada, that's banana, she made it herself. No, I said, that's definitely pina colada. She actually turned her back and left. I barely touched my drink, which she noticed but didn't comment on when the bill arrived, so she got no tip, and we'll never ever return to that restaurant. Again, I could have made a scene, but why? My blood pressure's quite high enough as it is, thanks.

Next Life post, an example of some of the worst customer service I've ever personally witnessed, never mind gone through.

Given this, does Penner's contract seem so bad now?

I have a rant about this article festering, this is more fuel for the fire.

I don't want to rant, so you'll have to take my word for it: the default ntp.conf for OS X sucks, particularly if you have a laptop that's often off-net.

Fortunately, Apple have a technical document for how to fix it.

This is partially for my own reference, and partially for the benefit of Googlers out there.

I've a load of SuSE 10.1 boxes, 58 times SunFire X4100 boxes, as it happens, running in three clusters. I'd like to be proactive with regards to monitoring them for hardware failures, as it's a pain in the butt to run upstairs and look at them every day, then try to cipher out what that particular flashy light is trying to tell me. We have a Nagios installation already (one monitoring the head nodes, and each cluster has or will get its own installation on the head nodes to monitor the compute nodes), so naturally I'd like to make use of that.

I found check_ipmi_sensors.pl (nagiosexchange is a great site, despite its unfortunate nomenclature), so that takes care of the server side. I had some difficulty interpreting its output at first, but eventually sorted it out. My primary Nagios server runs FreeBSD, so "pkg_add -r ipmitool" helped there, and for the SuSE boxes, "rug install ipmitool".

SuSE doesn't load the IPMI sensor modules by default, nor did I find an init script, but for 10.1, the following commands worked:

# modprobe ipmi_msghandler
# modprobe ipmi_devintf
# modprobe ipmi_si

After that, some useful commands to know are:
ipmitool sensor
ipmitool sdr list
and (for instance)
ipmitool sensor get pdb.t_amb

The Nagios perl plugin could use some work - it returns CRITICAL when the sensor says "nc". For instance:

# ipmitool sensor get pdb.t_amb
Locating sensor record...
Sensor ID : pdb.t_amb (0x1b)
Entity ID : 19.0
Sensor Type (Analog) : Temperature
Sensor Reading : 32 (+/- 0) degrees C
Status : Upper Non-Critical
Lower Non-Recoverable : 0.000
Lower Critical : 0.000
Lower Non-Critical : 0.000
Upper Non-Critical : 32.000
Upper Critical : 37.000
Upper Non-Recoverable : 42.000
Assertions Enabled : ucr+ unr+
Deassertions Enabled : ucr+ unr+
#

But:

# perl check_ipmi_sensors -H myhostname -u myuserid -p mypassword
IPMI_SENSORS CRITICAL - pdb.t_amb: nc
#

Methinks that should return WARN. Once I get a better handle on how to fit everything together, I'll either fix the script myself and send patches to the author, or just make the suggestion to him.

(Updated to fix typoes.)

I don't have much to add to this, beyond saying, "Preach it."

We have tens of thousands of full time and about a hundred thousand reservist soldiers, and so few civilians seem to know very much at all about them. My wife and I recently purchased some yellow ribbon type stuff from the CANEX, although to be honest, for me it was more about the financial support of the troops they allow rather than the moral support.

To anybody who may feel that it's a show of support for war itself, or for a specific immoral war - take a hike. While it's true that some soldiers are war fiends (I served with some), it's also true that some civilians are (I know some), and again, also true that many soldiers are some of the most pacifistic people you'll ever meet. Don't believe me? Go down to your local recruiting centre, sign up to carry a rifle for three or four years, and you'll see what I mean. Only psychos like to kill people, and while we in Canada like to call our soldiers "peacekeepers", the rifles aren't for show. They shoot real bullets and make real people be dead, everybody who serves knows that.

Pull out of Afghanistan because soldiers are dying? Newsflash: soldiers die, no matter what. It's a dangerous profession. Soldiers die in training too. A buddy of mine died, right at home, in peacetime, and I'm far from unique. Horrible accidents happen during training all the time too. It sucks, but you close ranks and carry on. Should we stay in Afghanistan? I happen to think so, although I can see the reasons for pulling out - but because our own have been hurt or killed should not be one of them.

This quick introduction to regular expressions has been making the rounds lately. He also has a follow-on and some 'extreme regex foo'.

As my militia buddies might have said, yum yum, get it in ya.