Convert a .NRG file into an .ISO file

An .nrg file can be easily converted in a ISO 9660 file by skipping it’s initial 150 2048-blocks:

dd if=image.nrg of=image.iso bs=2048 skip=150

MSI WIND Webcam for Fedora 9

MSI WIND has an integrated webcam, to configure it on Fedora 9 you’d better  have the latest firmware installed, available from MSI website. I’m not sure that this is actually required, but this is my configuration.

Check now that you have an uvcvideo kernel module installed:

lsmod | grep uvc

you should get something like this:

uvcvideo              49928  0
compat_ioctl32    5120    1   uvcvideo
videodev              29824   1   uvcvideo
v4l1_compat       15876   2   uvcvideo,videodev

If such, your webcam is probed but not correctly configured. To do so, type:

rmmod uvcvideo

modprobe uvcvideo quirks=2

You can test that everything works by using mplayer to display the webcam output:

mplayer -fps 15 tv://

Now, you can make changes permanent by editing /etc/modprobe.conf to add this line (the file does not exist if you have just installed the system, so create it):

options uvcvideo quirks=2

and test that works at the next reboot.

Links:

Linux UVC Forums

Install Fedora 9 on a MSI WIND

I’ve recently bought an MSI WIND U100, it came with a pre-installed Windows XP and I started to install Fedora 9 on it, I will keep Windows as it could be useful in some environments, but my interest is in having Fedora running.

First step is in installing Fedora over it, the 80 GiB disk conveniently ha three partions, the first is for recovery, the second has Windows XP, so I splitted the third for a tiny boot partition (which is requested by Anaconda, altough BIOS is capable of booting from anywhere) and a large LVM volume, where I carved out a root partition and an encrypted home partition, a security wise solution as it’s a notebook which means that has the tendency to be shipped away from its legitimate owner. The LUKS passphrase used for the home directory was strong, so I can use a weak and distinct password for the system user.

Installation requires a Fedora respin that you can find here. I picked up a USB pen drive, then I use the livecd-iso-to-disk (yum install livecd-tools) to make it bootable. The process does not destroy any data on it, and at the installation prompt I gave linux askmethod, to choose the installation source (I opted for a HTTP based installation).

The installation went smooth, later I customized the system to have compiz installed (I can made very impressive presentation with it!) and updates are flowing. The only problem I’ve noticed is that sometimes on boot the system hangs at the ACPI discovery phase, don’t know why.

Disabling Firefox “Download Completed” notifier

It’s the clumsy, irritating window-ish and useless pop-up that appears on the right bottom corner after a download is completed.

It’s useless, because I can monitor downloads by opening a file manager window in another workspace. It’s irritating because when it appears, it prevents my to click on the workspace switcher (usually I have Firefox open on a workspace, and move to others when needed).

Thankfully, it could be disabled, by entering about:config on the address bar, then searching for browser.download.manager.ShowAlertOnComplete and setting it to false.

HTTP cannot be longer used for authenticated web sites

If you are an user of a web site that requires authentication (which means, basically, every site) you usually access it from a network you don’t have control over it, i.e. you don’t know, besides many other things, which DNS server the infrastructure guy has chosen and which version it’s running.This means that you can be exposed to the well known Dan Kaminsky’s DNS hijack attack (you can actually check for this).

Leveraging on this vulnerability (it’s still plenty of DNS that haven’t fixed) it’s possible to implement a man in the middle attack at the application level, stealing your cookies from the authenticated HTTP session: ladies and gentlemen, please welcome CookieMonster. You are exposed even if your login page is protected via HTTPS, as the auth-cookie will be passed in cleartext in every subsequent HTTP interaction.

This worst case scenario requires a flawed DNS implementation (better, a DNS implementation following the original and flawed DNS protocol) so you can be reasonably safe if you always control your DNS or at least can have some trust in the guys that are operating it, but if you are a roaming user you are completely exposed.

So, as you are a competent Linux user, you could fix this in a very simple way: install a DNS caching webserver and use, as your primary DNS, something you could trust.

If you cannot do this, you must ask to your web application provider to fix this issue (some have already done this, as an example you can force all WordPress administration pages to be accessed only via HTTPS, and I’m writing this blog entry via HTTPS so it works).

If you are a system administrator, you must check and eventually fix your DNS implementation, and probably you should take a look at an SSL accelerator, because your connection peers (i.e. users accessing web sites under your control) could be from every possible insecure networks, and my 2 cents are that this man in the middle attack will be only the first of a new kind based on an interaction of different levels on the TCP/IP stack.

How to be dishonest and live happy

It’s simple, write something like this.

The bottom line is: Debian is far more secure than RHEL and Fedora, not due to technical reasons but for their development model. When Debian’s openssl was compromised, they immediately issued a warning, told their users what to do, whilst Red Hat and Fedora were obscure, pointless and corporate-minded.

Dude, you are forgetting that it’s entirely possible that the Debian’s openssl security bug could have been the patient zero, and actual compromise of Red Hat’s server could have been happened starting from a stolen passkey. Also, you are forgetting that, being Red Hat a corporate with some billions cash (of course, they have so much money because it’s plenty of stupid people like me that pay them for their services) they were forced to work closely with law enforcement agencies such an intrusion could occur, and when FBI reaches the crime scene they are not primarily interested in sending an e-mail message on the mailing lists to tell them “ehy, we are here to save the day!”.

Fedora 9 bluetooth file sharing: I’m missing my menu

In Fedora 8, people that want to send a file from their cell phone to Linux via bluetooth have to connect their bluetooth dongle, click on the bluetooth icon to join the ad hoc network, and then on the “Internet Menu” (if I remember correctly) there was a “Bluetooth File sharing” that does exactly what it means.

Ok, it was not a very well integrated solution, but it seems to me that in Fedora 9 there’s a serious usability problem.

Here and now, there is no longer a “Bluetooth File sharing” menu item, instead you have to click on the “System Menu”, then the “Preferences” sub-menu, then the “Internet and Network” and finally you find two items, “Bluetooth” and “Personal File Sharing”, where you defines how to deal with Bluetooth.

It takes some time to figure that this is the intended procedure, i.e. that the disappeared “Bluetooth File Sharing” menu item was not disappeared due to a missing package, but as a result of a new design. Shouldn’t be better to allow for a “fake” menu item that tells the user about the new procedure? Or to add a button to the Bluetooth icon (that promptly appears after connecting the bluetooth dongle) where to fix and control how to send and receive files?

Red Hat acquires Kumranet

A terrific news.

After the acquisition of Xen by Citrix, another virtualization start-up become a part of a global player.

Kumranet develops KVM, which is still in its infantry but promises a lot more than Xen due to its tight kernel integration (see here for a more detailed explanation) and has also a desktop virtualization solution, that is clearly headed toward Citrix Metaframe.

So, they have the operating system, the in-kernel hypervisor, they just need a datacenter  virtualization-aware resource manager.

Upgrading Fedora 8 to Fedora 9: lot of pains

Today I decided that I must upgrade to Fedora 9 (lazy day…), and I choose to do that in the proper way (i.e. not using Yum but with Anaconda: this requires burning a DVD, something I feel unappropriate from an environmental point of view, as I will use that DVD only once).

Update was some of a disaster. Altough the installer didn’t complain at all, the Fedora 9 kernel wasn’t installed, and grub.conf was altered with root (hd1,0) in the place of root (hd0,0), which result in a GRUB shell after the reboot.

I fixed it, restarted the system, ran grub-install, and then see that Python has been broken, so Yum doesn’t work (with the infamous “No module named _sha256″ error). As I’m accustomed with this problem, I manage to download Pyhton and Python-libs RPMs from a Fedora 9 repository, force the removal of the old ones and then install the brand new packages, and then I was able to run a massive “yum update -y”, that downloaded 1.2 GB of binaries (638 packages), requires to manually remove some conflicting packages (lirc and qt4) and then, after one hour of work give me a working system.

It appears that, somehow, the installer wasn’t able to remove all the Fedora 8 packages, this causes the Python/Pyhton libs version mismatch, and probably stops the upgrade processes.

I can accept the Python problems (it’s not the first time I encounter them, and they could be related to something I made maybe years ago on this system, leaving it in a unconventional configuration that the installer is unable to understand and manage properly) but I find completely unacceptable that Anaconda breaks GRUB configuration. Yes, I asked to do a new configuration of GRUB during installation time, but Anaconda should understand which hard drive is hd0 and which is hd1. At least, it should allow me to manually edit the configuration file, while in fact the entire installation process appears to me too much “streamlined”, i.e. we do it for you, we know what to do, and this was too optimistic an assumption.

These are for the pains, not sure about the gains. It seems to me that Gnome takes considerably more time to start, and Firefox 3 doesn’t seem so faster than Firefox 2.

Bonding, aliasing and natting

Scenario: you want to connect a LAN to another one. Connection should be easily enabled and disabled.

At work we have a training and examination classroom with its own IP addressing schema. This LAN should be disconnected from the rest of the infrastructure when exams are in place (people should not be allowed to access Internet to find answer to questions) but we need to be allowed to do client’s operating system update when needed.

To do so, we have a classroom server that act as a NAT, DHCP and DNS server for the computers in the classroom. As availability is critical, we have grouped the two NICs on it to give a bonding interface. We have defined a bond0 interface, with an address of the external LAN, and a bond0:0 alias, with an address of the classroom LAN.

Then we have these rules for iptables:

iptables -t nat -A POSTROUTING -o bond -j SNAT --to-source EXTERNAL_IP

EXTERNAL_IP is the IP by which every client of the classroom should appear out of it.

iptables -t nat -A POSTROUTING -o bond -j MASQUERADE

To allow for IP Forwarding, we need to do this:

echo 1 > /proc/sys/net/ipv4/ip_forward

(this could be make persistent across reboot by adding net.ipv4.ip_forward = 1 in /etc/sysctl.conf). Connection will be disabled with

service iptables stop

and enabled with

service iptables start

Note that iptables rules don’t deal with interface aliasing, they need just the bare interface, and that here we are doing bonding and aliasing, and it appears working

Of course, this configuration is no way complex, but it has the property that I always forget about it, so I write this on the blog to allow to find it easily when needed.