July | 2007 | arfore dot com

If you have read my previous post, GPG Best Practices, you will know that I am a fan of setting expiration dates on my GPG keys.

This has not always been the case. As with many computer users I tend towards the lazy, and if I can keep from having to re-learn a password by never changing it, then I have been guilty of doing so.

Recently, however, I have decided that this is not the best thing to do when it comes to computer security. So while restoring my computer this weekend after a rebuild of the OS to get rid of some cruft that had built up, I decided I needed to add expiration dates to all of my GPG keys.

Now I had already established one for my work e-mail at the time I created the key, but now I needed to go back and add ones to my personal keys. After reading the man page on GPG, it looked pretty easy. Just go into edit mode for the key I wanted to change, then add an expiration date. Simple enough, right? Wrong.

Turns out that what I wanted to do was feasible, just not readily apparent. I didn’t just want to set a date relative to the current date in days, weeks, months, or years. What I wanted was to use a specific date.

Well, after some diligent searching on Google, I found the following in a post on the gnupg-users list:

> Is it possible to set an explicit date (e.g. 31 Dec) rather than a duration? I suppose I could compute the number of days, but that’s annoying.

Problem solved, mission accomplished.

Like many people who have some concerns over security on the Internet, I have started to use digital signatures for all of my mail sent from my regular e-mail client on my Mac.

While there are several avenues for this, I chose to use GPG. While I know that this means jumping through a couple of extra hoops in configuring my mail client, I decided that it was worth it, because unlike the Thawte Freemail certs, using GPG on my computer also means that I can encrypt files in addition to my mail messages, should I choose to do so.

I am wondering what the thoughts are on best practices when it comes to using GPG.

Here are a couple that I have come up with (learned through hard experience):

1. Backup your keys.

I cannot stress this strongly enough. If for some reason you have a catastrophic computer failure, you will need those backups in order to decrypt your e-mail once you restore your data backup. (You do back your data up, right?)

And when you make those backups, do not rely on just a digital backup. Back up both your public and secret keys in an ASCII-armored file and print the darned thing out. Digital backups are subject to data rot and any number of other technological snafus, but I have printed material that is perfectly readable after more than 20 years. Just remember that a printout of your secret key is still your secret key: store it somewhere as secure as you would keep the file itself.

2. Make a revocation certificate.

The GPG mini-howto gives a couple of excellent reasons for doing this:

For instance: the secret key has been stolen or became available to the wrong people, the UID has been changed, the key is not large enough anymore, etc.

Just remember that revoking a key is not reversible. Generate the revocation certificate while you still have the secret key and its passphrase, since you cannot make one without them, and store it separately from the key itself: anyone who gets hold of the certificate can revoke your key.

3. Set an expiration date for your keys.

Just like changing passwords, you should periodically rotate your GPG keys, and an expiration date forces that decision instead of letting it slide. Don’t worry about losing track of the data that was encrypted with a key that has expired. You’ll still be able to decrypt that data as long as you keep the secret key; expiry just means that someone won’t be able to encrypt to the old key unless they ignore the warning about it being expired. And if you still control the key, you can extend the expiration date, so letting one lapse by accident is recoverable.

What this also means is that you should hang on to the expired keys, since you might need them to access some older encrypted files. (See best practice number 1)

4. Add commentary to your keys.

If you are like most heavy computer users, you have more than one e-mail address. And if you create a GPG key for each one of those, it would help to keep things orderly if you commented on the individual keys.

For example, the key I use for my work e-mail has a comment of:

Work Address

So, do you have any more best practices?
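The four practices above, and the explicit-date expiry from the earlier post, as one runnable script. This is an added example, not code from either post: it runs against a throwaway GNUPGHOME so your real keyring is never touched, needs GnuPG 2.1.17 or later (for --quick-gen-key and --quick-set-expire, whose expire argument takes an ISO date such as 2030-12-31 as well as a duration like 1y), and the name, address and date in it are assumptions chosen for the demo.

```sh
#!/bin/sh
# Added example for the practices above (backup, revocation certificate, explicit
# expiration date, comment in the user ID); not code from the original posts.
# Runs against a throwaway GNUPGHOME so your real keyring is never touched.
# Needs GnuPG 2.1.17 or later (--quick-gen-key / --quick-set-expire).
# The name, address and date are assumptions chosen for the demo.
set -eu

GPG_UID='Andy Fore (Work Address) <andy@example.com>'   # comment in parentheses (practice 4)
EXPIRE_ON='2030-12-31'                                   # explicit ISO date, not a "1y" duration

gpg_q() {  # non-interactive gpg; the demo key has an empty passphrase
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

make_demo_key() {  # create a key with no expiry and print its fingerprint
  gpg_q --quick-gen-key "$GPG_UID" default default never
  gpg --batch --with-colons --fixed-list-mode --list-keys "$GPG_UID" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

backup_key() {  # backup_key FPR DIR: practices 1 and 2
  fpr=$1; dest=$2
  mkdir -p "$dest"
  gpg --batch --armor --export "$fpr" > "$dest/pub.asc"          # public key
  gpg_q --armor --export-secret-keys "$fpr" > "$dest/sec.asc"     # secret key: print this, guard it
  # GnuPG 2.1+ writes a revocation certificate at key creation; keep it apart
  # from the key itself, since anyone holding it can revoke the key.
  rev="${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/$fpr.rev"
  if [ -f "$rev" ]; then cp "$rev" "$dest/revoke.asc"; fi
  grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$dest/sec.asc"   # fail if the export is empty
}

set_expiry() {  # set_expiry FPR DATE: practice 3, with a calendar date rather than a duration
  gpg_q --quick-set-expire "$1" "$2"
}

key_expiry_epoch() {  # seconds since the epoch at which the primary key expires (empty = never)
  gpg --batch --with-colons --fixed-list-mode --list-keys "$1" \
    | awk -F: '$1 == "pub" { print $7; exit }'
}

demo() {  # prints: FINGERPRINT EXPIRY_EPOCH GNUPGHOME
  GNUPGHOME=$(mktemp -d /tmp/gpgdemo.XXXXXX); export GNUPGHOME
  fpr=$(make_demo_key)
  backup_key "$fpr" "$GNUPGHOME/backup"
  set_expiry "$fpr" "$EXPIRE_ON"
  printf '%s %s %s\n' "$fpr" "$(key_expiry_epoch "$fpr")" "$GNUPGHOME"
  gpgconf --kill gpg-agent 2>/dev/null || true
}
```

Run `demo` and it prints the fingerprint, the expiry as seconds since the epoch, and the scratch directory holding pub.asc, sec.asc and revoke.asc. To do the same to a real key, point GNUPGHOME at your normal keyring (or leave it unset), skip make_demo_key, and drop the --passphrase '' from gpg_q so gpg prompts for yours. The interactive route from the first post, gpg --edit-key followed by the expire command, accepts the same ISO date at its prompt.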

Sad news came to me today by way of another member of the Yahoo! Group I am a member of. For those of you who may not know this, I lost my wife, Patricia Grace Fore, on August 16, 2004.

After Pattie died I joined a Yahoo! support group for young widows. They are a great group of people, whose numbers unfortunately grow way too fast.

One of the members of the group, Dusty, was a great guy who excelled in being tremendously optimistic about his life, even in the face of his own loss and his own health problems. He never failed to make us feel better about the situation we were in, even though his own was ofttimes worse than our own.

Dusty passed away last Sunday from his ongoing health problems.

There just aren’t words enough to express how sad this is and how much he will be missed. You are gone but not forgotten my friend, and you gave help and comfort to many of us along the way with your friendship and understanding.

Another member of the group wrote the following poem for Dusty some time back:

Grief is Like a River

“My grief is like a river
I have to let it flow
But I determine where the banks will go
Some days the current takes me into waves of
Guilt and Pain
But there are quiet pools
Where I can rest again
I crash on the rocks of anger
My faith seems faint indeed
But there are other swimmers in here
Who know what I need
Loving arms around me.
When the waters are too swift
And I just seem to drift
Someone kind like Dusty
Listens to my broken
Heart beat.
Grief’s River is a process of
Relinquishing the past
By swimming into the
Channel of Hope
I’ll reach the shore
At last.”

— SF1

As many of us have said, you were our special angel, Dusty. Wind to thy wings, my brother and friend.

When trying to sort my cthub XML file recently I found out that my code from the post on sorting the role listing had stopped working.

Turns out that there was an error introduced into the format of this file when upgrading from Contribute 3.11.

As you are no doubt aware, when at least one admin upgrades to Contribute 4 or Contribute CS3 (aka 4.1), all the admins have to, since the upgrade changes the XML files that control the site. Well, it appears that this upgrade leaves the cthub file as XML that is no longer well-formed.

Take a look at this file and look for the tag font_use_css inside the group_list_item child node of the group_list node. In a copy of the cthub file that was upgraded you will find that this standalone (empty) tag is missing its closing slash. If you compare this against a copy of the cthub file from before the upgrade, assuming you made a backup, you will find that the tag is properly closed.

Since this file is the master file with all of the role information for the site, I wonder if this XML error is causing unknown instability in the system somewhere.

While this is an easy fix, I will be posting some code that you can run to fix this, since editing a file like this by hand can be a real pain.

While changing some things on my computer setup today I decided to change the name of my hard drive and computer to match my local DNS entry.

Having done this many times before, I knew that certain applications that store an absolute path would have issues, such as Dreamweaver sites and their root folder locations.

Adobe Contribute (formerly Macromedia Contribute) has the same problem with the sites you set up prior to the name change.

Here is how to fix Contribute after changing the hard drive name:

  1. Open up the Contribute preferences file located in /Users/USERNAME/Library/Preferences/

    (in my case the filename was Contribute 4.1 Preferences, this will be different for other versions) in your favorite text editor.

  2. Start searching at the top of the file for each instance of the old hard drive name.
  3. Replace each instance with the new hard drive name.
  4. Save and close the file.

Now the next time you start Contribute, you won’t get any error messages about missing site files.

Oh, and don’t forget to back up the file first. You do back up your data, right?
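Both Contribute repairs above, the unclosed font_use_css tag in cthub and the hard drive rename in the preferences file, done from the shell with a backup taken first. This is an added example, not the code promised in the cthub post or anything shipped by Adobe; the file contents shown in the usage notes are constructed for the demo, and the real files are much larger, but the edits are the same.

```sh
#!/bin/sh
# Added example covering both Contribute fixes above; not code from the original
# posts. Each function backs the file up before editing it. Sample file contents
# are constructed for the demo; the real cthub and preferences files are larger.
set -eu

backup_file() {  # copy FILE to FILE.bak-YYYYmmddHHMMSS before touching it
  cp -p "$1" "$1.bak-$(date +%Y%m%d%H%M%S)"
}

# cthub: the Contribute 4 upgrade leaves <font_use_css ...> inside group_list_item
# without its self-closing slash, so the file is no longer well-formed XML.
# Close the tag; copies that are already closed (<font_use_css .../>) are left
# alone, so running this twice is safe.
fix_font_use_css() {  # fix_font_use_css CTHUB_FILE
  backup_file "$1"
  sed -e 's|<font_use_css>|<font_use_css/>|g' \
      -e 's|<font_use_css\([[:space:]][^/>]*\)>|<font_use_css\1/>|g' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
  # well-formedness check when libxml2's xmllint is installed; skipped otherwise
  if command -v xmllint >/dev/null 2>&1; then xmllint --noout "$1"; fi
}

# Preferences file: replace every occurrence of the old hard drive name with the
# new one. Both names are literal text, so escape what sed would otherwise treat
# as a pattern character (. * [ ] ^ $ \ /) or a replacement special (& \ /).
sed_escape_pattern()     { printf '%s' "$1" | sed 's/[][\\\/.*^$]/\\&/g'; }
sed_escape_replacement() { printf '%s' "$1" | sed 's/[\\\/&]/\\&/g'; }

rename_drive() {  # rename_drive PREFS_FILE OLDNAME NEWNAME; prints how many lines changed
  file=$1
  old=$(sed_escape_pattern "$2")
  new=$(sed_escape_replacement "$3")
  backup_file "$file"
  changed=$(grep -c -F -- "$2" "$file" || true)   # grep -c prints 0 (and exits 1) on no match
  sed "s/$old/$new/g" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
  echo "$changed"
}

# Usage (paths from the posts, names assumed):
#   fix_font_use_css /path/to/cthub
#   rename_drive "$HOME/Library/Preferences/Contribute 4.1 Preferences" 'Macintosh HD' 'arfore'
```

The cthub fix is restricted to the font_use_css tag the post identifies rather than "any unclosed tag", because a generic rewrite would also hit legitimate opening tags; if xmllint still complains afterwards, the file has a second problem worth looking at by hand. The escaping helpers matter more than they look: a drive named "Mac HD 1.0" used unescaped would also match "Mac HD 1x0".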

March | 2008 | arfore dot com

Today we have a trio of performances by one of my favorite artists, Nina Simone. I was first introduced to her work on the soundtrack for the film Point of No Return (a remake of one of my favorites, the 1990 French film La Femme Nikita). Her rendition of the American spiritual Sinnerman was also featured in the 1999 remake of The Thomas Crown Affair. Two of today’s videos are from the Montreux Jazz Festival, which is held each year in Montreux, Switzerland. The third one is of her performance in 1968 at the Bitter End Cafe in Greenwich Village.

Feelings

from the Montreux Jazz Festival (1976)

My Baby Just Cares For Me

House of the Rising Sun and Go To Hell

Today we have a trio of videos from one of my favorite groups from the UK, Massive Attack.

Massive Attack was founded in Bristol in 1988.   While you may not have heard of the group themselves, their music has been featured in a number of television shows and movies, including House, Prison Break, The Matrix, and Sliver.

The songs featured here are Teardrop, Angel, and Protection. Teardrop, featured on the album Mezzanine and used in the television show House, features vocals by Elizabeth Fraser, the lead singer for the Scottish band the Cocteau Twins. Angel, also from the album Mezzanine, features the vocals of roots reggae artist and songwriter Horace Andy. You might find this song familiar, as it was featured in a wide variety of television episodes and movies, including The Matrix, Firewall, The West Wing, and Third Watch. Protection, from the album Protection, showcases the vocals of Tracey Thorn, best known as part of the duo Everything But the Girl.

Teardrop

Angel

Protection

A friend of mine took this photo of the Apple Store Tokyo, during a recent trip.

At work I am in charge of running our Adobe (formerly Macromedia) Contribute Publishing Server.

Since I like to duplicate my work environment on my laptop for local development, I needed to install JBoss 4.0.5.GA.  I won’t go into why we are running such an old version, that’s all Adobe’s fault.

Installing JBoss

  1. Download the JEMS installer for 4.0.5.GA from the JEMS Installer Downloads page at jboss.org.
  2. Execute the installer:
    java -jar jems-installer-1.2.0.GA.jar
  3. If you get asked to allow java to talk through the firewall, choose Allow.
  4. The default installation location is: /Applications/jboss-4.0.5.GA

    It will create the directory if it doesn’t exist already.

  5. During the install process choose the Advanced install method.  This allows you to pick your database environment, as well as making the process of securing the JMX Console and JBoss Web Console much easier.

Starting JBoss

  1. Open a terminal
  2. Go to the install location binary directory (I used the default)
    /Applications/jboss-4.0.5.GA/bin/
  3. execute run.sh
    ./run.sh -b 127.0.0.1 &
  4. You will see the output of the startup process show up in the terminal window.

Stopping JBoss

  1. Open a terminal
  2. Go to the install location binary directory
    cd /Applications/jboss-4.0.5.GA/bin
  3. Run the shutdown script (don’t forget to authenticate!)
    ./shutdown.sh --server=localhost:1099 --shutdown -u admin -p password

Notes

  • The default port for the HTTP connector is 8080
  • The SSL connector is disabled by default
  • Binding with -b 127.0.0.1 keeps the HTTP connector, the JMX Console and the JBoss Web Console reachable only from the laptop itself; secure both consoles (the Advanced install walks you through it) before binding to any other address
  • The admin password passed to shutdown.sh on the command line is visible to other local users in the process list and ends up in your shell history, which is fine on a single-user laptop but not on a shared server

Today’s video is a collage of various scenes from a whole slew of anime shows. If you watch it closely you will see some scenes from Akira, Wolf’s Rain and Witch Hunter Robin, to name just a few.

The music used is Best of You by the Foo Fighters. This song appeared on the album Skin and Bones, which was released on the Roswell/RCA label on 2006-11-07.

July | 2010 | arfore dot com

A few weekends ago I had the privilege of being assigned to evaluate an iPad for use as a support tool by my boss. (thanks Ike!)

The first order of business was to figure out some basic tasks that we would need to accomplish as sysadmins that we could realistically use the iPad for.

Remote control via ssh for a unix server

For ssh I already had the iSSH application by Zinger-Soft [iTunes]. Fortunately they updated the application to be a universal application for both the iPhone and the iPad. I had used it with a fair amount of success on my iPhone in the past to reboot several servers over both WiFi and 3G data, most notably when I needed to reboot a MySQL server while on the way to Atlanta on I-75.

I was pleased with the changes that they made for the expanded screen real estate of the iPad. The split screen function when in portrait mode is quite useful when you need to juggle two connections at the same time, even if it can be a bit confusing at first.

The ability to handle X11 forwarding is also a nice touch, because there are some administration activities that require the GUI even on a unix system (think that favorite Oracle installer that we all know and love).

Remote access via RDP to Windows servers and desktops

Generally this is actually an easier task to sort out, due to the number of RDP clients that exist for the iPad. There are more clients to handle this than you can shake a stick at; however, they don’t all have the same features. The fly in the ointment with RDP support is the ability to work with the widest variety of server and desktop OS installations, with encryption, etc. The large majority of them did state that they supported Server 2003 and 2008 as well as Windows XP, Vista and 7.

What took some doing was to find a client that would work in our security environment. Currently we require that all off-site RDP connections be tunneled through SSH. It turns out that none of the RDP clients out there support this yet. One of the most promising from this standpoint looks like iTap RDP by Honeder Lacher Wallner Softwareentwicklung OEG [iTunes]. This client supports FIPS and NLA. They have a nice compression algorithm that makes the connection work well even on a 3G network. While they don’t currently support RDP over SSH tunnels, this is a planned feature in a future release.

Another possibility, depending on where we go with our VDI initiative, is Wyse PocketCloud by Wyse Technology [iTunes]. PocketCloud for iPad supports both VMware View connections and standard RDP connections. This is the application I ended up testing, and I must say, I was pretty happy with it. The manner in which it handles the mouse functionality is superb. The support for the application seems a little subpar, but there is a fairly active forum.

Currently the only solution that I was able to find was to use iSSH for a tunneled VNC connection, since iSSH supports this. Of course, this means that you will need to install a VNC server on your desktop or server, but in my testing it did seem to work fairly well, if a little sluggishly. One advantage to this is the fact that Mac OS X includes a VNC server by default, making connections to Mac servers and clients a fairly easy thing to accomplish. With Windows 2008 it was a little more challenging due to the changes in security that were added by the UAC system from MS. I was unsuccessful in getting the RealVNC Enterprise trial to work properly; however, the beta of TightVNC worked nicely. The latest version of iSSH does support SSH tunnels. When you combine this with multitasking support on iOS 4, you then have the ability to access a remote machine through a perimeter firewall without the need for a VNC server. Unfortunately, this support is useless on the iPad until we get iOS 4, but it is nice to know that it is there.
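The "RDP and VNC only over SSH" rule above, from the side the admin controls: a laptop or bastion that opens the tunnel the RDP/VNC client then connects through. This is an added example and not code from the post or from any of the iPad apps it reviews; host names, ports and the pid file path are assumptions for the demo. The one security detail it insists on is that the tunnel's local end binds 127.0.0.1, so nobody else on the same network can ride the forward into the datacenter.

```sh
#!/bin/sh
# Added example, not code from the original post: the laptop/bastion side of the
# "RDP and VNC only over SSH" rule. Host names, ports and the pid file path are
# assumptions for the demo. The tunnel's local end is pinned to 127.0.0.1, so
# nothing else on the network can ride the forward.
set -eu

# Accept a -L spec only when its local end binds loopback. A spec with no bind
# address (e.g. 3389:host:3389) is fine: ssh binds it to loopback unless
# GatewayPorts is enabled. '*' or 0.0.0.0 would expose the forward to the LAN.
local_bind_ok() {  # local_bind_ok SPEC
  case $1 in
    *:*:*:*)
      case ${1%%:*} in
        127.0.0.1|localhost) return 0 ;;
        *) return 1 ;;
      esac ;;
    *:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the ssh arguments, one per line, for a tunnel SPEC through BASTION.
# -N: no remote shell, just the forward. ExitOnForwardFailure: die if the local
# port is already taken instead of silently running without the tunnel.
tunnel_args() {  # tunnel_args SPEC BASTION
  printf '%s\n' -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L "$1" "$2"
}

start_tunnel() {  # start_tunnel SPEC BASTION PIDFILE
  local_bind_ok "$1" || { echo "refusing non-loopback bind in $1" >&2; return 1; }
  pidfile=$3
  set -- $(tunnel_args "$1" "$2")   # the args contain no whitespace, so word splitting is safe
  ssh "$@" &
  echo $! > "$pidfile"
}

stop_tunnel() {  # stop_tunnel PIDFILE
  kill "$(cat "$1")" && rm -f "$1"
}

# Usage (assumed hosts):
#   start_tunnel 127.0.0.1:3389:winserver.internal:3389 bastion.example.edu /tmp/rdp.pid
#   ... point the RDP client at 127.0.0.1:3389 ...
#   stop_tunnel /tmp/rdp.pid
# VNC works the same way on port 5900 (Screen Sharing on the Mac, TightVNC on Windows).
```

With the tunnel up, the RDP or VNC client talks to 127.0.0.1 and never sees the perimeter; the Windows host only ever sees a connection from the bastion. Keep ServerAliveInterval on mobile links: a 3G connection that drops silently otherwise leaves a tunnel that looks up but is dead.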

Access to various web-based support services

This is not really much of a challenge, however it is worth mentioning that there are a number of web-based systems that don’t cooperate easily with Mobile Safari for various reasons. Some of them are Flash-based, which obviously won’t work, others are just not designed to work properly on a touchscreen device. Your mileage may vary.

Password storage

As is the case with most system admins, I have far more passwords to keep up with than I can easily remember. When you combine that with the necessity of locking accounts after a certain number of failed attempts, it rapidly becomes necessary that I have a secure method of carrying passwords with me.

On my iPhone I have been using Lockbox Pro by GEE! Technologies [iTunes] for a while now; however, in investigating an app for the iPad I spent a fair amount of time playing around with SplashID by SplashData [iTunes]. (Also, it looks like GEE! Technologies is having issues, since the company website link for their app in the App Store doesn’t work and the support website looks fairly similar to the myriad of web-squatter websites that are out there.) Now if you use password managers, you most likely have run into SplashID before. One of the major points in its favor is its use of 256-bit Blowfish encryption. New for the iPad version is the ability to use a swipe pattern to unlock the application, similar to the process that you can use to unlock some Android-based devices. It also supports numeric and alpha passwords for unlocking the database. Keep in mind that the database is only as strong as the secret that unlocks it, and a swipe pattern has far less entropy than an alphanumeric passphrase.

One of my favorite features of Lockbox Pro is the ability to have a large number of additional fields for an entry, not just a username and password. SplashID also has this feature. Another great advantage of SplashID is the desktop application (both Mac and Windows) that you can sync your mobile device to. Not only does SplashID support the iPhone, iPad and iPod Touch, they also have clients for Android, WebOS, PalmOS, Blackberry and Series 60. The simple fact that I can sync my password data between multiple devices as well as my desktop makes this an ideal application. SplashID also supports auto-fill for websites, if that is your thing. Of course, if you want it all on the iPhone, iPad and the desktop, you are going to have to fork out a lot of money, since each application is a separate charge.

Access to notes, procedures and documentation

As an admin, one of the most useful applications is one that allows me to have notes, procedures and documentation available when I need them. It can be difficult to juggle a keyboard, serial cable and a big, fat, dead-tree manual when in a datacenter, so having the essential docs on hand in a mobile environment is a must.

I think there are actually more possibilities in this particular category than any other I researched for this post. I have been a big fan of Evernote by Evernote Corp [iTunes] since it was released. It syncs to both the iPhone and iPad, as well as to the client on my desktop. Combine those abilities with web-clipping functionality in both Safari and Firefox on the desktop and you have a great tool for support.

Of course, sometimes you will need to store large documents, and unless you feel like paying for storage with Evernote, it might not work to upload the entire Solaris 10 reference, or the latest edition of the PHP function reference. To begin with I started searching for the perfect sysadmin application in the App Store, then I realized that I already had it, iBooks [iTunes]. With iBooks 1.1, Apple made PDF storage easy. Just drag the PDF into your Books section in iTunes and sync. Voila! Of course to make the docs more useful, they need to be converted into eBook format so that you can use the highlighting and search features, but in a pinch a raw PDF is quite handy.

I wish I could do that

There are still some things that I wish I could do with the iPad; however, I doubt I will get them. One item on my wishlist would be a mechanism to allow me to use the iPad as a serial terminal. Frequently I have to use a laptop with a serial port (or USB-to-serial adapter) to connect to a server in order to access the console. It would be really nice to be able to do this from the iPad. Another feature that would be nice would be something along the lines of the certificate management that you have in the Keychain Access application on the Mac. I can see where it could come in handy to be able to import and export SSL certs from the device.

December | 2009 | arfore dot com

For some of you that have just upgraded to the shiny new WordPress 2.9 release, you may have noticed a nasty little message that states that Simple Tags won’t work with the version of WordPress that you now have installed.

The issue at hand here is that the code for the plug-in contains a hard-coded check for the version number to ensure compatibility. It doesn’t appear on the surface that there will be any issues between this plug-in and the new WP code.

In the old days of the Internet search engine business you had a vast multitude of places to visit. There was Excite, Yahoo!, WebCrawler, Lycos, and many others. You had the search engine aggregators, such as Dogpile and HotBot.

What you didn’t have was a single source to use to search the whole of the web. When Google came along they created a way to analyze the relationships between pages to produce more useful results. The search results were no longer just a mishmash based on how many times a word existed in a page, now the results had a certain relevancy.

Then Google added advertising into the mix, providing users with a way to find products or vendors that had some correlation with the keywords entered. This was a great tool for the layperson and researcher alike. Along the way Google has added shopping results, images, news, videos, and maps. However they seem to have forgotten their core product: a clean, easy-to-use, clutter-free search engine.