Invoking Shibboleet

I’ve just come off the phone to my bank – First Direct – having asked them about a problem viewing previous months’ bank statements. It just doesn’t work and tells me “No statements have been produced for this account”. This is highly likely to be an account-specific or server-side problem.
Upon being asked what operating system I’m using (Ubuntu 10.10), which browser I have (Firefox 3.6.11) and who my ISP is (Andrews & Arnold), I am talked through deleting all my cookies and the browser cache, shutting down the browser, starting it again and logging in.
Hey presto, the problem has been summarily worked around since I’ve been load-balanced to a completely different server on First Direct’s network as I can clearly see from the URL bar.
I was precariously close to uttering “Shibboleet” when asked who my ISP was.

Converting OSGB36 (Eastings/Northings) to WGS84 (Longitude/Latitude) in Ruby

The excellent people at the Greater London Assembly have released a list of bus stops and bus routes in London. The coordinates of each bus stop are in eastings and northings, and I wanted to convert these to longitude and latitude for my Ruby on Rails application.
Using the proj4rb gem and some projection definitions from spatialreference.org – with some help from Harry Wood’s blog, I came up with the following code:

#!/usr/bin/ruby
require 'rubygems'
gem 'proj4rb'
require 'proj4'

# Bus stop position in OSGB36 eastings/northings (metres)
easting = 529978
northing = 186491
srcPoint = Proj4::Point.new(easting, northing)
# Source: British National Grid (transverse Mercator on the Airy ellipsoid, OSGB36 datum)
srcProj = Proj4::Projection.new('+proj=tmerc +lat_0=49 +lon_0=-2 +k=0.9996012717 +x_0=400000 +y_0=-100000 +ellps=airy +datum=OSGB36 +units=m +no_defs')
# Destination: WGS84 longitude/latitude
dstProj = Proj4::Projection.new('+proj=longlat +ellps=WGS84 +datum=WGS84 +no_defs')
dstPoint = srcProj.transform(dstProj, srcPoint)
# Proj4 returns angles in radians; convert to degrees for output
print "lat=#{dstPoint.lat * (180 / Math::PI)}\n"
print "lon=#{dstPoint.lon * (180 / Math::PI)}\n"

To convert WGS84 to OSGB36:

#!/usr/bin/ruby
require 'rubygems'
gem 'proj4rb'
require 'proj4'

# WGS84 position in degrees
latitude = 51.5623279577278
longitude = -0.126277004538848
# Proj4 expects longlat coordinates in radians, x = longitude, y = latitude
srcPoint = Proj4::Point.new(longitude * (Math::PI / 180), latitude * (Math::PI / 180))
srcProj = Proj4::Projection.new('+proj=longlat +ellps=WGS84 +datum=WGS84 +no_defs')
# Destination: British National Grid (OSGB36), output in metres
dstProj = Proj4::Projection.new('+proj=tmerc +lat_0=49 +lon_0=-2 +k=0.9996012717 +x_0=400000 +y_0=-100000 +ellps=airy +datum=OSGB36 +units=m +no_defs')
dstPoint = srcProj.transform(dstProj, srcPoint)
print "easting=#{dstPoint.x}\n"
print "northing=#{dstPoint.y}\n"

Facebook Data 'Leak' – it's not news, people

Security consultant Ron Bowes trawled Facebook’s public directory and published ‘data’ on 100,000,000 users. Some people are up in arms about the leak, crying that ‘something must be done’, but not saying what. Few people seem to have looked at the data and given a coherent response. In fact, there’s nothing exciting.
The data is 2.8GB and I’ve spent the last twelve hours downloading it. Good news, everybody – it’s rubbish! Your bank details, email addresses and the name of your first born child are not there. Neither is your date of birth, your location, or a photo. A telephone directory contains more information on you.
The data is simply a list of names and a large file containing URLs to entries in the directory with seemingly no relation to the names.
There are some other files which are derived works of the original file – these are described as follows:

Filename                        Description
-------------------------------------------------------------------------
facebook.rb                     The script used to generate these files (v1)
facebook.nse                    The script that will be used for the second pass (v2)
facebook-urls                   The full URLs to every profile
facebook-names-original         All names, including duplicates
facebook-names-unique           All names, no duplicates
facebook-names-withcount        All names, no duplicates but with a count
facebook-firstnames-withcount   All first names (with count)
facebook-lastnames-withcount    All last names (with count)
facebook-f.last-withcount       All first initial last name (with count)
facebook-first.l-withcount      All first name last initial (with count)

So in summary, it’s a load of hot air.
What data appears for me? Looking through all the files – my name appears in facebook-names-unique once. And that’s it. According to Facebook’s directory, there are at least 192 people called Peter Hicks.

Importing SSL certificates on Cisco IOS

A requirement came up to use Cisco’s AnyConnect VPN on a router. For this, an SSL certificate and the corresponding private key are required – I used CAcert.org.
I will deliberately skip the detail of how to generate an RSA private key, create a CSR and get this signed by a CA. Straight to the chase – here is how to import the key and certificate on to an IOS router.
Use openssl rsa -in foo.key -pubout to display the corresponding public key for your private key foo.key. This will begin with BEGIN PUBLIC KEY.
Next, ensure your private key has a password – use openssl rsa -in foo.key. If it doesn’t, encrypt it with 3DES using openssl rsa -in foo.key -3des and specify a password.
On the IOS device in question, use crypto key import rsa foo pem terminal to import the PEM-encoded public key:

cr(config)#crypto key import rsa foo pem terminal strongpassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
...

Ensure there is a complete blank line after pasting the public key, and the router will then prompt:
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.

Paste in the 3DES-encrypted key – it will begin with BEGIN RSA PRIVATE KEY – and type ‘quit’ on a blank line at the end.
That’s it. It’s not straightforward, and I know I’ll forget if I don’t write it down!
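The two things the router is fussy about in the procedure above are that the public key is in the BEGIN PUBLIC KEY form and that the private key is encrypted. This added shell snippet (not from the original post) checks both, plus the trailing blank line, from the PEM headers alone, so openssl is not needed to run it; the file names and key bodies are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: check a PEM key pair against what
# "crypto key import rsa NAME pem terminal" on IOS accepts before pasting it in.
# Works on the PEM headers only, so openssl is not needed; the key material and
# file names below are constructed placeholders, not real keys.

# The public key must be the "BEGIN PUBLIC KEY" form (openssl rsa -pubout).
is_pem_public_key() {
    grep -q '^-----BEGIN PUBLIC KEY-----$' "$1" &&
    grep -q '^-----END PUBLIC KEY-----$' "$1"
}

# The private key must be a traditional RSA PEM block carrying the
# "Proc-Type: 4,ENCRYPTED" header that "openssl rsa -3des" adds; an
# unencrypted key has no such header and the router will not take it.
is_encrypted_rsa_key() {
    grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$1" &&
    grep -q '^Proc-Type: 4,ENCRYPTED$' "$1"
}

# The router ends public-key input on a blank line, so the pasted text must
# finish with one; returns 0 when the file's last line is empty.
ends_with_blank_line() {
    [ -z "$(tail -n 1 "$1")" ]
}

# Run the three checks and name the first failure; returns 0 only when ready.
check_import_ready() {
    pub=$1; key=$2
    is_pem_public_key "$pub"    || { echo "$pub: not a PEM public key"; return 1; }
    ends_with_blank_line "$pub" || { echo "$pub: add a blank line after END PUBLIC KEY"; return 1; }
    is_encrypted_rsa_key "$key" || { echo "$key: private key is not 3DES-encrypted PEM"; return 1; }
    echo "ready: paste $pub, a blank line, then $key followed by 'quit'"
}

# Constructed sample files (placeholder base64, not real key material).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDER' \
    '-----END PUBLIC KEY-----' '' > "$WORK/foo.pub"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'PLACEHOLDERPLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$WORK/foo.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERPLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$WORK/plain.key"

check_import_ready "$WORK/foo.pub" "$WORK/foo.key"              # ready
check_import_ready "$WORK/foo.pub" "$WORK/plain.key" || true    # refused: not encrypted
```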

Reducing Nagios' CPU load when using SNMP plugins

I have a virtual machine which has 100 hosts and 600 services being monitored through Nagios. 400 of these services are monitored via SNMP plugins.
One of our system administrators mentioned that this VM was quite CPU hungry, so I set about trying to lighten things up. I found that the simple act of adding a -m MIB-NAME switch to a service check has dropped the load average from around 1.7 to 0.8 over 15 minutes.
Here’s how to do it:
First, look for any check_snmp plugin which uses a textual OID. Convert this to a numeric OID by using snmptranslate -On IF-MIB::ifOperStatus. Use the numeric OID shown in place of the textual OID – this will save a few CPU cycles.
Unless you need to translate the returned values back to text – for example, if an enum is returned that needs to be translated into text – don’t specify ‘-m’ on the command line at all. However, if you do need to translate the returned values, specify -m IF-MIB, or whichever MIB name appears before the :: when translating the textual OID to a numeric OID.
I’m happy, our sysadmin team are happy 🙂

Openfire 3.6.4 on Ubuntu 10.04LTS

After installing Ubuntu Server 10.04LTS on to one of my VMs, I found I couldn’t install Openfire due to a missing dependency on sun-java6-jre. The Sun JRE has been removed from Ubuntu 10.04LTS, and its replacement, openjdk-6-jre isn’t quite up to scratch.
As reported elsewhere, here’s how to install sun-java6-jre:

  • Modify /etc/apt/sources.list and add deb http://archive.canonical.com/ lucid partner
  • Update the package database by running apt-get update
  • Install the Java runtime environment using apt-get install sun-java6-jre

Simples.

Hero to Nexus One

Despite having my HTC Hero for just shy of nine months, I’ve gone and bought a Nexus One.
The primary driver behind jettisoning what is a perfectly usable phone was HTC’s apparent lethargy to release any updates in a timely manner. Secondary to this was the fact that I’ve had what is best described as a rather busy week at work, and I needed to treat myself.
Less than 72 hours after clicking ‘Order’ and telling my credit card company that, yes, this is a valid transaction and, no, there isn’t anything else they can help me with, I had a delivery from DHL sitting on my desk at work. Without ceremony (and certainly without taking a video of The Unboxing complete with a trying-to-be-unexcited voiceover), I transferred my SIM from my Hero and set to work charging the battery.
It’s two and a bit days on now, and thanks to the Interblogs, I have Android 2.2, known as Froyo to those who prefer cuddly names to cold numbers on the phone.
Am I impressed? Yes, but not to the level at which I’d stand outside and preach about it. Is the raw Android interface better than SenseUI? No, but I’d rather not wait six months and lag behind everyone else when it comes to Android. SenseUI doesn’t make Android usable (because it is already), it just adds some polish and sparkle that I’d rather jettison to keep up with the Joneses.
It’s a mini-revolution – where Nokia’s S60 is somewhere in the dark ages compared to Apple’s iPhone. I don’t like six months of speculation and re-blogging of articles, hearsay which may or may not have come from HTC, ‘hacked’ ROMs that don’t fully work, just to be part of something I perceive as important.
Anyone want an HTC Hero? One careful owner, update in the pipeline…?

ZTE MF636 update

Despite getting home at 6am this morning after a night of clubbing, I’ve had a productive day hacking around with the troublesome modem.
I’ve produced a patch against 2.6.34-rc6 which blacklists the MF636 such that option_send_setup doesn’t send the RTS and DTR states to the first three serial ports, ttyUSB[0-2].
Examining the contents of the Windows INF files in the files on the ZeroCD device, I’ve found the following nuggets:

  • Interface 00 is a USB Diagnostic interface, which is probably why it doesn’t respond to AT commands
  • Interface 01 is an NMEA interface, and interface 02 is an extended NMEA interface – I don’t know what this means
  • Interface 03 is a Mass Storage device which appears when you first plug in the device
  • Interface 04 is the modem itself

I’ve also made a breakthrough in the initialization string – this must be AT&F&D2&C1, which:

  • &F: Revert to factory defaults
  • &D2: Set the DTR behaviour to terminate the call gracefully upon a DTR on/off transition
  • &C1: Sets the Received Line Signal Detect (RLSD – is this DCD/Carrier Detect?) on until all data is received from the remote modem
  • S0=0: Do not automatically answer an incoming call

Another little gem I found – the moment you dial ATD*99#, you cannot terminate the connection unless you send a PPP LCP TermReq. You can’t send the usual escape sequence +++, then ATH, nor can you cause the modem to disconnect by sending ATH via another port. It appears it must be done via PPP. This seems a bit brain-damaged.
Finally, the best bit – if you don’t set the initialization string correctly, the modem will crash and disconnect itself from the USB bus. Very handy, and painfully difficult to debug. NetworkManager doesn’t send the correct initialization string, hence the modem crashes.
I’m hating this device less the more I learn about it. I could still do with something that ‘just works’ without all this faff – but I get a lovely warm feeling knowing I’m helping out other people who have had the MF636 imposed on them.

Mass-market USB modems and the ZTE MF636

Way back when, I had a Huawei E220. This was moderately usable under Linux, more so after a firmware upgrade and usb_modeswitch. A great little device; a long USB cable meant I could put the dongle where the signal was best. I still have it, although it’s likely locked to Vodafone.
For reasons unknown, the company I worked for ceased the contract on this and gave me a GlobeTrotter iCON 7.2 modem. Again, after some fiddling, success. The only problem was its shape – like a plastic ice lolly. It wiggled in whichever USB port I used it in, and I never really got on with it. However, it worked.
The iCON broke, and I now have a ZTE MF636. This is an aesthetically pleasing device, with one big flaw – it’s utter rubbishness under Linux.
I’ve spent a considerable amount of time battling these little gems:

  • ZeroCD support – great for Windows and Mac machines as your drivers are forced upon you. It can be turned off permanently with the AT+ZCDRUN=8 command (and turned on with AT+ZCDRUN=9), or ejecting the SCSI CD-ROM device.
  • option.ko support – of the four serial ports presented, ttyUSB3 (the final one) under Linux 2.6.32 is the only one accessible. I think I have a workaround.
  • modemmanager support – right now, I can’t dial out using NetworkManager. With wvdial, I can poke commands at ttyUSB3 and connect successfully, but that’s ugly in my eyes.
  • Random USB resets: reset high speed USB device using ehci_hcd and address 33 is not a welcome message, especially when I have to unplug and replug the USB device to get it to work again.

I’m not overly comfortable with delving down to the low level of these sorts of problems – but looking on the positive side, it’s a great learning experience. Yeah 🙂

Retrocomputing

And so, dusting off my knowledge of Novell Netware from years ago, I started to install NetWare 4.11 in VirtualBox.
Apparently this doesn’t work, but with some hackery thus, it’s fine:
1. Copy all the files off the installation CD into a directory
2. Download updated NetWare ATA drivers with UDMA support
3. Assuming you unpacked the ZIP file above to /tmp/a, and the contents of the installation CD are in the current directory, do:
cp /tmp/a/NW3X-4X/NBI.NLM ./products/nw411/_/411/syspre/nbi.nlm
cp /tmp/a/NW3X-4X/NBI.NLM ./products/nw411/_/411/boot/nbi.nlm
cp /tmp/a/NW3X-4X/NWPALOAD.NLM ./products/nw411/ibm/411/diskdrv/nwpaload.nlm
cp /tmp/a/NW3X-4X/NWPA.NLM ./products/nw411/ibm/411/diskdrv/nwpa.nlm
cp /tmp/a/IDEATA.HAM ./products/nw411/ibm/411/diskdrv/ideata.ham
cp /tmp/a/IDEATA.DDI ./products/nw411/ibm/411/diskdrv/ideata.ddi
cp /tmp/a/IDECD.CDM ./products/nw411/ibm/411/diskdrv/idecd.cdm
cp /tmp/a/IDECD.DDI ./products/nw411/ibm/411/diskdrv/idecd.ddi
cp /tmp/a/IDEHD.CDM ./products/nw411/ibm/411/diskdrv/idehd.cdm
cp /tmp/a/IDEHD.DDI ./products/nw411/ibm/411/diskdrv/idehd.ddi
This will update the drivers on the installation CD with those supporting UDMA.
4. Create an ISO image of these files using “mkisofs -D -l . > ../netware411-patched.iso”
5. Install the server. INSTALL.NLM will throw up some errors, and you will need to enter slot 10002 for the IDEATA Disk Driver, but other than that, it’s fine.
Now if you’ll excuse me, I’m off to install Word 6 🙂