No longer a red Hat stockholder

The old Red Hat corporate logo

Shadowman, the old Red Hat Logo

For years, I’ve posted disclaimers when talking about Linux distributions that I owned a “teeny” share of Red Hat stock, mostly to read their annual reports, but also because I was a supporter of Open Source and commercialization of OS. But, sadly, as of Tuesday, I am no longer. IBM has purchased Red Hat, and as part of that deal, bought all of the outstanding stock. So, now I’ll be rolling over my investment to pay for a few months of my retirement. It was a good ride.

new Red Hat logo, no shadowman

The New Red Hat logo, no Shadowman

 

 

Please excuse our dust

… while we undergo a renovation. Upgrading PHP from the ancient version 5.4 to the shiny new 7.2 and moving PHP handlers to the new FPM model has proven… tricky. Stay tuned, we should be back up and running any time now.

… And we’re back! A learning experience in Linux sockets, permissions, systemd and the new PHP FPM handler. It takes a few tricks to configure Apache and FPM, but the performance improvements are worth the effort.

A name is what we call something

Recently, I worked with a client that was trying to find the “right” way to ask for a person’s name. It’s title, first, middle, last, suffix, right? Perhaps ‘maiden’ although that sounds rather medieval. AKA sounds like it should be on a wanted poster, a bit criminal. Formerly known as? “What other aliases do you go by, or have you used in the past?” Yikes. What it says on your driver’s license, good for checking at the polls, is probably different from how you prefer to be addressed by your friends. Names have code- and context-switching.

Years ago, I read an essay pointing out the idea that you could break down names into different atomic parts, and reassemble them again without a loss of information, as the nonsense it is. I couldn’t locate it at the time, but I’ll post it here for a good reminder:

https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

The killer quote: “I have never seen a computer system which handles names properly and doubt one exists, anywhere.

Highly recommended.

HDD Repair, not for the faint of heart

Salvaging and scrubbing hard drives from a couple of retired machines, one threw hard disk drive errors repeatedly and ended up in the “Repair” pile. Got to it this week, following the instructions at linoxide.com (search for ‘bad blocks’) and was successfully able to mark the bad block and force the drive to work around it. New large-capacity drives have “spare” sectors allocated for this purpose and all drives will have a few flaws, so this drive can be put back into production, as long as it is monitored and any future problems dealt with quickly. As always, all hardware will fail, and a thoughtful backup strategy (on another spindle, on another machine, in another location, in a different time zone, on a different planet) is important.

FireFox’s built-in screengrab utility

Eric Meyer points out a great little utility for taking screengrabs, screen-sized or full-page, using one of the two consoles built into FireFox’s included Developer Tools.

Essential Tool: Firefox’s screenshot Command

Update: With FireFox 67 (and likely a few previous versions), a screenshot tool is available off the drop-down menu that appears when you click the ellipsis (…) at the left end of the address textbox. Options include a full-page save, the visible window save, or a region of the screen.

What’s on your network?

This article in ZDNet points to flaws in Microsoft’s SMB file sharing systems (“Windows networking”) that are, unfortunately, faithfully reproduced in Samba:

http://www.zdnet.com/article/its-not-just-windows-anymore-samba-has-a-major-smb-bug/

See also:

https://access.redhat.com/security/cve/CVE-2017-7494

This means that an old Samba server you have could be be misused as a vector for malware to get a foothold on systems where local Windows machines could get infected. Over the weekend, I went through and cleaned out, updated, reconfigured, or blocked access at some of my client sites.

I also took a long look at our in-house dev network for stuff that could be a problem and found a couple of issues:

– An old Western Digital NAS device was running an *ancient* version of Linux and Samba, and unfortunately is no longer being supported by the manufacturer (last update, 2012). In addition to basic SMB file serving, it supplied media streaming over various protocols and offered ftp (turned off). Despite being in fine shape, mechanically and electronically, I had to turn it off, because, even though the source code is available (yeah, GPL), cross-compiling and rebuilding an ARM 2.6 kernel and utilities into a modern version, and getting it to work on an unsupported device is more effort than I have time for.

– A couple of our networked printers shipped from the factory with all their protocols turned on, even if not configured nor active: SNMP, Web server,  SMB, FTP, tftp, LPD, Raw port, IPP, AirPrint, Web Services, Google Cloud Print, SMTP, mDNS and LLMNR, several of which I had to look up. Surely, there could be no flaws there! And, to boot, two of them were running older versions of firmware, also worth updating.

I am a strong skeptic of the IOT marketing that drops devices into your home/office network that communicate with “the cloud” and can be run from your cellphones, or likely anyone else’s. Unlike PCs with firewalls, intrusion detection, malware scanners and intentionally secure devices like routers, IOT devices are trying to “Just Work” and security might not be in mind.

I knew this was the case for things like “Smart” TVs and voice-recognition devices, but it hadn’t dawned on me that printers would also be in that category.

Be careful out there.

Managing broken links

My WordPress site has thousands of links to other web servers. Inevitably, these links grow old and many get lost. I use the excellent and highly recommended Broken Link Checker for WordPress to scan all the blog posts, and flag the links that aren’t working. It sends me an email each morning. There are many reasons why a link wouldn’t work, and a variety of error messages that can result: the request could time out because the web server is down, the network is having a bad day, or the site is no longer available. The request for the link could be rejected, redirected, of forbidden with a variety of error results, some transient and some permanent. If I think the link is down permanently, I can try to find an archive.org archive of the page (which the plugin helps to find) or remove the links as irretrievably gone.

A broken link displayed visually.

Broken Link

When the plugin discovers a broken link, it wraps the link in an HTML element that allows you to highlight the error in a variety of ways. I’ve chosen a red wavy underline to highlight the broken link, and automatically added the text “(Broken link)” to the link. For links that I’ve reviewed and decided they are not only broken, but gone forever, I use a different highlight: an orange dotted underline followed by “(link removed)”. If the reader floats their mouse over the removed link, it will display a caption showing where the link used to go.

All this magic is performed thanks to the plugin, and a little bit of styling. The plugin allows the author to specify their own styles, and I’ve chosen to use the following CSS to create the effect:

.broken_link, a.broken_link {
    -webkit-text-decoration-line: underline;
    -webkit-text-decoration-color:red;
    -webkit-text-decoration-style: wavy;
    text-decoration-line: underline;
    text-decoration-color:red;
    text-decoration-style: wavy;
}
.broken_link::after, a.broken_link::after {content: ' (link broken)';}

How do you learn to type such gobbledegook? Search the web, view other sites whose styles you like, and do your research. In this case, the text-decoration advanced styles (line, color and style) are fairly recent additions to most browsers. You can check on the appropriateness of using new styles at sites like caniuse.com, which can tell you which browsers and browser versions support the styles you’d like to apply. At the link above, you’ll s

Removed Link

Removed Link

ee the style won’t work in Microsoft’s Internet Explorer and Edge, which are another good reason not to use them. The style is supported in the most recent version of FireFox and Chrome, which is good enough for me. I also recommend looking at the “Usage relative” link on caniuse.com, as that shows what version people are actually using, rather than the latest cutting edge version. In this case, caniuse tells me that Google Chrome and IOS’ Safari work better with the -webkit- prefix, so that’s why the style is repeated with and without the prefix.

(Yes, the text-decoration has a shortened form which combines the color, line and effect in a single shortcut line:

.broken_link, a.broken_link {-webkit-text-decoration: red wavy underline;}

but I prefer the longer form, at least until I’m more familiar with the new styles, and the browser compatibility issues.)

ddclient fails with timeouts or errors

Recently, I’ve had to move around some of the TR&A infrastructure, and I’m testing out a couple of dynamic DNS providers. I’m using the classic ddclient software on Linux to update the providers with the IP address of these resources as they change. I ran into a couple of kinks getting ddclient to work properly on modern, recent Linux distros:

1. SSL errors: everything on the internet ought to be in SSL these days, to eliminate entire classes of Man-in-The-Middle attacks. Verifying that the SSL certificate is actually valid requires additional software not always available on some client sites, so this post has a work-around to silence the error:

https://sourceforge.net/p/ddclient/mailman/message/30409393/

2. Timeouts: some network infrastructures just don’t seem to be willing to access the same web site every ten minutes to check on the external IP address., and return a timeout. To work around this, I used the simple hack described here:

http://mcqueeney.com/blog/working-around-ddclients-bad-hostname-and-network-is-unreachable-problems/

Finally, I’ve set up the dynamic DNS names (something like, but not: example.no-ip.com ) as CNAME synonyms to one of my utility domains that has excellent DNS support. This way, any code I used in batch files, scripts or configuration files can reference the stable example.mydomain.com even if I need to change the CNAME from one dynamic DNS provider to another. This is so much easier than having to scramble around a dozen different client installations to see where I may have used a DNS provider that’s no longer working for me.

A couple of quick references

Handy to have a blog to post bookmarks to. A little security research last week brought up:

6 Free Ransomware Decryption Tools

and:

The Ultimate Malware Removal Guide: 

The wonderful Boing-Boing posted an article on “How to prepare to join the Internet of the dead” — no, not a fun zombie adventure, but a sobering look at the online chaos that occurs when someone dies, and some good suggestions on how to prepare for the inevitable. Read it, and think about building a plan. Or a legacy drawer. In the referenced Locus article, Cory points out that “by 2050 more than half of the Internet’s users will be dead.” Be one of the happy ones.

Powered by WordPress. Designed by Woo Themes

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.