Excuse me, but Oculan did a great job explaining its usefulness

I was wandering through my MT.Net archives and noticed I had linked to a Triangle Business Journal story on the revival of Oculan. The story included this quote, which for some reason I just noticed was a slap in the face to me (hey it’s only been 18 years, right?):

Where Oculan stumbled, said independent analyst Richard Ptak, of Ptak, Noel & Associates in Amherst, N.H., was in the marketing.

“They had a very nice solution and a good strategy, but were never able to communicate why it was a good product,” Ptak said. “A lot of tech entrepreneurs think all they need is a better mousetrap, but nobody buys technology for the sake of technology anymore. They buy it because it’ll solve a problem.”

Well, Mr. Ptak, Oculan did a fantastic job communicating why it was a good product. Not only did it have an outstanding team of sales engineers out pitching it, the damn product sold itself. Your quote about a better mousetrap shows your ignorance.

So there.

‘Shattered’: Inside the secret battle to save America’s undercover spies in the digital age

When hackers began slipping into computer systems at the Office of Personnel Management in the spring of 2014, no one inside that federal agency could have predicted the potential scale and magnitude of the damage. Over the next six months, those hackers — later identified as working for the Chinese government — stole data on nearly 22 million former and current American civil servants, including intelligence officials.

The data breach, which included fingerprints, personnel records and security clearance background information, shook the intelligence community to its core. Among the hacked information’s other uses, Beijing had acquired a potential way to identify large numbers of undercover spies working for the U.S. government. The fallout from the hack was intense, with the CIA reportedly pulling its officers out of China. (The director of national intelligence later denied this withdrawal.)

Personal data was being weaponized like never before. In one previously unreported incident, around the time of the OPM hack, senior intelligence officials realized that the Kremlin was quickly able to identify new CIA officers in the U.S. Embassy in Moscow — likely based on the differences in pay between diplomats, details on past service in “hardship” posts, speedy promotions and other digital clues, say four former intelligence officials. Those clues, they surmised, could have come from access to the OPM data, possibly shared by the Chinese, or some other way, say former officials.

The OPM hack was a watershed moment, ushering in an era when big data and other digital tools may render methods of traditional human intelligence gathering extinct, say former officials. It is part of an evolution that poses one of the most significant challenges to undercover intelligence work in at least a half century — and probably much longer.

The familiar trope of Jason Bourne movies and John le Carré novels where spies open secret safes filled with false passports and interchangeable identities is already a relic, say former officials — swept away by technological changes so profound that they’re forcing the CIA to reconsider everything from how and where it recruits officers to where it trains potential agency personnel. Instead, the spread of new tools like facial recognition at border crossings and airports and widespread internet-connected surveillance cameras in major cities is wiping away in a matter of years carefully honed tradecraft that took intelligence experts decades to perfect.

Source: ‘Shattered’: Inside the secret battle to save America’s undercover spies in the digital age

Facebook audio snooping almost certainly prompted targeted ad

A story in July’s Consumer Reports discussed the possibility of our social media apps secretly listening to us:

Well, it’s technically possible for phones and apps to secretly record what you say. And lots of people sure seem to think they do.

According to a nationally representative phone survey of 1,006 U.S. adults conducted by Consumer Reports in May 2019, 43 percent of Americans who own a smartphone believe their phone is recording conversations without their permission.

But, to date, researchers have failed to find any evidence of such snooping.

While there might not be any fire yet, there sure as hell is smoke.

AD/LDAP authentication on Linux hosts

I’ve been working with the Lightweight Directory Access Protocol (LDAP) for 18 years now. Then Microsoft embraced and extended LDAP with Active Directory. Nowadays most companies base all of their authentication and authorization on Active Directory and for good reason. In a Windows-only world it works great. For a mixed-platform environment, it’s a bit more difficult to make work.

I recently worked out how to make Linux systems authenticate against Active Directory using only the LDAP protocol and wanted to share it here for any fellow DevOps/sysadmins who might want to try it themselves. The goals were to do it with minimum fuss and using the native tools – no third-party apps. I also want to do it solely with LDAP and not have to worry about pointlessly “joining” a Linux host to a domain.

The modern way Red Hat likes to connect Linux hosts to AD is to use the SSSD suite of packages, join the host to the Active Directory tree, and talk to AD directly. This seems like a lot of bloat to me when all you need is authentication. Fortunately, you can use the “legacy” means and do it all with LDAP libraries.

Bridging Active Directory and Linux hosts

One way to integrate Linux/UNIX hosts into AD is to add Microsoft Windows Services for UNIX (SFU) schema extensions. This means every AD entry would be defined with common Unix attributes like uid (user id) and gid (group id). These could sometimes get out of sync with the AD attributes and at any rate would require constant updating of the AD records.

Ideally, we won’t depend on Services for UNIX additions in AD and the complexity it brings. Instead, we’ll identify standard AD attributes and map them to Linux/UNIX equivalents. The nss-pam-ldapd package allows us to do this in the /etc/nslcd.conf file, which we’ll see in a minute.

Differences between CentOS 6/AWS and CentOS 7 hosts

One stumbling block has been that Amazon Linux (amzn) uses old, old libraries, based on CentOS 6 packages. The nss-pam-ldapd package which ships with this version of Amazon Linux is version 0.7.5; a version too old to include the mapping functionality we need to avoid using Services for UNIX.

Fortunately, we can remove the amzn version and add an updated one. I have tested one I have found at this link which updates any amzn hosts to the 0.9.8 version of nss-pam-ldapd.

The version of nss-pam-ldapd that ships with CentOS 7 is 0.8.3 and works fine with attribute mapping.

Obtaining the domain’s ObjectSID

The goal of using a directory is consistency. If a user appears in AD, that user will be available to Linux hosts. Also, that user will be treated the same on every directory-equipped server as that user will ideally have the same uid/gid. Without adding Services for UNIX, we need some way to ensure a uid on one host is consistent with the uid on another host. This is done by nss-pam-ldapd by mapping Linux uid/gids to their equivalents in AD, called ObjectSIDs. You need to obtain your AD server’s domain ObjectSID.

Our car’s keyfob was hacked – the question is how?

We were out of town over the weekend and at 5:30 AM Saturday I awakened to the sound of one beep of our car’s “alarm” horn. Thinking it was the neighbor’s car and knowing our car was locked, I went back to bed. When we walked to the car later that morning, the hatch was standing wide open. Nothing appeared to be touched or taken.

I was immediately concerned that somehow our keyfob had been hacked. Kelly thought something probably bumped up against one of our keyfobs and that caused it to open. We’ve had the car for years, though, and an “accident” like this has never happened. If something pressed a keyfob button, why would it sound just one beep of the horn alarm? Why not trigger it to sound repeatedly, as would happen if it were a single press of the button? Seems unlikely an accidental press of a button would cause one clean beep and then cause the hatchback to open.

So, naturally I am fascinated with whatever technology was used for this! There are a couple of approaches.

Recordings by Elton John, Nirvana and Thousands More Lost in Fire – The New York Times

This is astonishing. As an IT guy, I have been responsible for backups. How Universal could be so careless with priceless audio tapes just boggles my mind.

Eleven years ago this month, a fire ripped through a part of Universal Studios Hollywood.

At the time, the company said that the blaze had destroyed the theme park’s “King Kong” attraction and a video vault that contained only copies of old works.

But, according to an article published on Tuesday by The New York Times Magazine, the fire also tore through an archive housing treasured audio recordings, amounting to what the piece described as “the biggest disaster in the history of the music business.”

Source: Recordings by Elton John, Nirvana and Thousands More Lost in Fire – The New York Times

San Francisco’s Decline: Failed Government Policies and Cultural Paralysis | National Review

A thought-provoking piece on what’s killing San Francisco.

It’s not what celebrants want to hear when the champagne is exploding out of shaken bottles of Dom, the confetti is falling, and their stock is up 8.7 percent at the market’s close, but I have an announcement to make: San Francisco is past its prime and the fires of creation have abated.

With all the millionaires newly minted by Lyft’s IPO, and with those set to be minted by Uber’s and Palantir’s and AirBnB’s, you might expect this enclave to become the next Babylon of American capitalism. While our moralists in the media — Nellie Bowles, Emily Chang, et al. — busily tsk-tsk the greed and the lust and the hypocrisy and the hubris, there is a story here they miss: The city’s current concentration of wealth likely doesn’t represent the beginning of a golden-if-sinful era, but the end.

Source: San Francisco’s Decline: Failed Government Policies and Cultural Paralysis | National Review

The Water Hawk: in-your-face water stats

The Water Hawk.

Teenagers like to take long showers. They can easily spend 20 minutes in there, idling away their time as well as the family’s hot water. I’d done a few rounds of knocking on the bathroom door. I’d even taped photos of baby Arctic seals on the door to remind the kids of the consequences. Didn’t seem to get the point across.

When one night came where one of the kids drained the hot water from our tank I knew desperate measures were needed. I threatened to switch out the nice Delta showerhead with a miserly spray one, guaranteed to save water at the price of a miserable shower experience. Certainly that would get the point across but I knew I’d soon have to swap it out. You know, the Geneva Convention and all.

I began to ponder how a proper geek might solve the problem. I am a Site Reliability Engineer in my day job and I love gathering metrics on the computers I wrangle. What if there were a way to track my kids’ use of water? Wouldn’t it be great to show them how much water their showers actually use? I began to dream up a product I could create that would do just that but then some clever Googling showed me one was already out there: the Water Hawk.

Rivendell in the cloud

I joined up with a Facebook group called Rivendell Open Source Radio Automation Users as a place to trade tips on using Rivendell. A question that comes up frequently is how Rivendell can be run in the cloud. Since I’ve been doing this for eight years or so I have a pretty good understanding of the challenges. I’ve mentioned some of it before but thought I’d go into more detail of my current setup.

I’m running Rivendell 2.19.2, the current version, and presently I’m not actually running it in the cloud though I could easily change this in a few moments. The magic that makes this happen is containerization. I have created my own Docker instance which installs everything I need. This container can be fired up virtually anywhere and it will just work.

Here’s a summary of my setup. In my container, I install CentOS 7. Then I pull in Rivendell from Paravel’s repos with a “yum install rivendell” command. Rivendell needs the JACK audio subsystem to run so I install Jack2 from the CentOS repos, too. To this I add darkice as an encoder, JackEQ for some graphical faders/mixers, a LADSPA-based amplifier module to boost gain, and of course Icecast2 to send the stream to the world.

Now, one of the problems with a CentOS-based setup is that CentOS tends to have fewer of the cool audio tools than distributions like Debian and Ubuntu have. These Debian-based distros are not officially supported with Paravel packages so you either have to hunt for your own Rivendell dpkgs or you build your own. I’ve found a few of these dpkgs mentioned on the Rivendell Developer’s mailing list but I’ve not had the time to make sure they’re up to date and meet my personal needs. Thus, for my personal setup you’ll find a few parts which I have compiled myself, rather than install from a package. A project for me to take on in my Copious Free Time is to create an entirely repo-based Docker container but I’m not there yet.

Rivendell needs a MySQL/MariaDB database to store its data. I rely on a non-containerized instance of MariaDB in my setup because I already use the database for other projects and didn’t want to create an instance solely for Rivendell.

So here’s how it all works.

Russia’s passive-aggressive reaction to SpaceX may mask a deeper truth | Ars Technica

Interesting analysis of Russian reaction to SpaceX’s successful docking and return of its Crew Dragon spacecraft.

One of the big questions surrounding the first launch of SpaceX’s Crew Dragon spacecraft was how the Russians would react. They have held considerable sway in the International Space Station partnership by controlling access to the orbiting laboratory since the 2011 retirement of NASA’s Space Shuttle. So far, the Russian response has been one of throwing small bits of shade here and there but trying not to be too obvious about it.

On Sunday, when SpaceX’s Dragon spacecraft docked with the International Space Station, the Russian space corporation sequestered cosmonaut Oleg Kononenko in the Russian segment of the station. This was, Roscosmos said, so that Kononenko could take emergency action in case the Dragon became uncontrollable and crashed into the space station.

After the successful docking, Roscosmos tweeted a Russian language congratulation to NASA, but underscored the fact “that flight safety must be above reproach.” An hour later it published a rare tweet in English, sending “its sincere compliments to the colleagues from NASA,” but without the emphasis on vehicle safety. Neither tweet mentioned SpaceX. (Later, Roscosmos said NASA ordered the ship and, therefore, deserved the congratulations.)

Source: Russia’s passive-aggressive reaction to SpaceX may mask a deeper truth | Ars Technica