Much of the content in this blog is pretty old (10y+) and likely outdated, either because the world has moved on or because I would approach things differently today. I’m still keeping the articles around because why not… Maybe someone will find something useful in here.
Blog
ICQ 7 Update Security Issue
Update: ICQ 7.4 is still vulnerable. Also have a look at the clarification on the security issue’s impact.
Since the first news website googled me and found my seldom-used blog, here's a collection of links:
my Bugtraq post (with broken indentation for the proof-of-concept code; see below for the original posting)
entry in the SecurityFocus Vulnerability Database
Vulnerability Note @ US-CERT
In the news:
heise online: ICQ lässt sich präparierte Updates unterschieben
The H: ICQ can be fed crafted updates
Golem: ICQ 7 als Sicherheitsrisiko
Read on for my original mail to the Bugtraq mailing list:
Adding Playlists to Sansa Fuze using Rhythmbox
I use a Sansa Fuze music player that I’m quite happy with. It supports the USB Mass Storage protocol and thus can be used (and filled with music) just as any other USB flash drive. This means it is fully supported by all operating systems since it doesn’t need proprietary software running on a PC.
However there’s one thing that tools such as Windows Media Player or iTunes are capable of that might be quite useful: managing playlists on the computer and transferring them to the media player.
Converting from or to Unix timestamps
Unix timestamps (sometimes also called epoch time) encode date and time in a single number: the count of seconds since January 1, 1970, 00:00 UTC. The format is used throughout a lot of software, but how do you convert it to a human-readable date, and back?
Naturally, there are web services like Epoch Converter, but how do you do it with the common GNU command line tools? Here's a short summary:
Epoch -> Human time:
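The same conversion in Python, as an added example that is not part of the original post: it does both directions and avoids the usual mistake of silently converting into the machine's local time zone. The millisecond heuristic in normalize_epoch is an assumption of this example (13-digit values are treated as milliseconds), not a standard.

```python
# Added example (not from the original post): converting between Unix
# timestamps and human-readable time, explicitly in UTC.
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"

def epoch_to_human(ts):
    """Seconds since 1970-01-01 00:00 UTC -> 'YYYY-MM-DD HH:MM:SS UTC'.
    tz=timezone.utc matters: datetime.fromtimestamp(ts) without it converts
    into the local zone of whatever machine runs the script."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(FMT) + " UTC"

def human_to_epoch(text):
    """'YYYY-MM-DD HH:MM:SS' (interpreted as UTC) -> integer seconds.
    strptime() yields a naive datetime; replace(tzinfo=...) labels it as UTC
    before .timestamp(), otherwise Python would assume local time."""
    dt = datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def normalize_epoch(value):
    """Heuristic (an assumption of this example): JavaScript, Java and many
    log pipelines emit milliseconds, so a value >= 10**12 (13 digits for
    current dates) is divided by 1000; anything smaller is taken as seconds."""
    n = int(value)
    return n // 1000 if n >= 10**12 else n

if __name__ == "__main__":
    print(epoch_to_human(1234567890))            # 2009-02-13 23:31:30 UTC
    print(human_to_epoch("2009-02-13 23:31:30"))  # 1234567890
    print(epoch_to_human(normalize_epoch("1234567890123")))
```

With GNU coreutils the equivalent one-liners are `date -u -d @1234567890` (epoch to human) and `date -u -d '2009-02-13 23:31:30' +%s` (human to epoch); the `-u` plays the role of `timezone.utc` above.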
Free backup for Windows XP
Windows Vista and Windows 7 already ship with an easy-to-understand backup program that works well (search the Start menu for "Sichern", i.e. "Back up") and that you can simply hand to a user without much computer experience. With Windows XP the situation is unfortunately different: there is the program ntbackup, which can also be installed on WinXP Home after the fact, but judging from its user-interface philosophy it seems stuck in the era when you needed a tape drive for backups…
Odd behaviour of light switches
Two-way switches (Wechselschalter) make it possible to control the same lamp from two light switches. If everything is wired correctly, it works roughly like this:
[Figure: two-way switches, wired correctly]
There are two connections between the two switches. If both switches are set to the same connection, current flows (red); otherwise it does not. Flipping either switch changes the state of the lamp (on/off), just as you expect from a light switch.
But if one of the switches is defective and has to be replaced, then when connecting the wires there is a two-in-three chance that you end up with the following circuit:
Recovery of passwords from Draytek Vigor routers
Recently, I needed to recover a DSL password that was stored only in an old router (Draytek Vigor 2500/We). Since the web interface only shows the username, I tried the backup feature, which dumps the entire configuration to a downloadable file. Unfortunately, this data comes in an encrypted form… which makes an excellent exercise for a student of computer science.
I don't know whether a secure encryption algorithm is in use, but it was used in ECB mode with a block length of one byte. That degenerates it to a simple (monoalphabetic) substitution cipher: each plaintext byte value always maps to the same ciphertext byte value, so the whole mapping can be read off from any known plaintext (such as the fields the web interface already shows), no matter how strong the underlying encryption function is. The key is never needed.
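The following is an added example, not code from the original post and not Draytek's real file format or cipher. It stands in a random byte permutation for "whatever block function the router uses" and shows that with one-byte ECB blocks a known-plaintext section of the dump (here a constructed config with the username and field names the web interface would show) is enough to recover the substitution table and read the secret, without ever touching the key. Bytes that never occur in the known plaintext stay unknown, which the example marks with "?".

```python
# Added example (not from the original post; the config layout and the
# "cipher" are constructed for illustration). Shows why ECB with a one-byte
# block is just a substitution table, recoverable from known plaintext.
import random

def toy_block_function(seed):
    """Stand-in for any keyed block function restricted to 1-byte blocks:
    whatever it is internally, from the outside it is a fixed permutation
    of the 256 byte values, so a seeded shuffle models it exactly."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)

def ecb_encrypt_1byte(table, plaintext):
    # ECB encrypts every block independently. With 1-byte blocks, equal
    # plaintext bytes produce equal ciphertext bytes everywhere in the file.
    return bytes(table[b] for b in plaintext)

def recover_substitution(ciphertext, known_segments):
    """Build a ciphertext-byte -> plaintext-byte map from (offset, plaintext)
    segments whose position in the dump is known. A contradiction (one
    ciphertext byte demanding two plaintexts) means the data is NOT a
    per-byte substitution, so we refuse rather than guess."""
    mapping = {}
    for offset, plain in known_segments:
        for i, p in enumerate(plain):
            c = ciphertext[offset + i]
            if mapping.get(c, p) != p:
                raise ValueError(f"ciphertext byte {c:#04x} maps to two plaintexts")
            mapping[c] = p
    return mapping

def decrypt_with_substitution(mapping, ciphertext, unknown=ord("?")):
    """Apply the recovered table; bytes never seen in known plaintext
    cannot be decided from this dump alone and are shown as '?'."""
    return bytes(mapping.get(c, unknown) for c in ciphertext)

def demo():
    # Constructed sample "config dump" (real Vigor dumps are binary and laid
    # out differently); the password value is the only unknown field.
    config = b"username=alice\npassword=ispsecret!\nmtu=1492\n"
    dump = ecb_encrypt_1byte(toy_block_function(seed=1337), config)
    # Known plaintext: everything the web interface shows, at known offsets.
    known = [
        (0, b"username=alice\npassword="),
        (len(dump) - len(b"\nmtu=1492\n"), b"\nmtu=1492\n"),
    ]
    mapping = recover_substitution(dump, known)
    return decrypt_with_substitution(mapping, dump)

if __name__ == "__main__":
    print(demo())  # password readable except for the one byte ('!') with no known-plaintext occurrence
```

In the demo the characters of the password all occur in the known fields except "!", which therefore comes back as "?". If the device lets you edit some other text field, the remaining entries can be filled in by a chosen-plaintext dump: set that field to every byte value you still need, download the backup again, and extend the table (an assumption about the device's UI, not something the original post describes). A block cipher with a real block size (8 or 16 bytes) would not fall to this: identical bytes at different positions inside a block no longer produce identical ciphertext bytes.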
Remove items from Ubuntu's indicator applet
Ubuntu 10.04 (Lucid Lynx) features new panel applets called "indicator applets". If you want to get rid of some of them, they can be removed by uninstalling the corresponding package(s) with your favourite tool (Synaptic, aptitude, apt-get, …):
indicator-me: the menu with your avatar and your availability status
indicator-messages: the menu for email/Evolution, social networks/Gwibber etc.
indicator-session: the menu with the shutdown/logout button (if uninstalled, this functionality is provided by the "System" menu instead)
indicator-sound: the sound/audio settings menu
For more information, have a look at the Launchpad page and the Ubuntu Wiki page for the indicator applets.
Automated MySQL backup for shared webhosting
What to do if you want to use mysqldump in a shared hosting environment without being able to access the shell (SSH…)? You could use a Perl CGI script:
```perl
#!/usr/bin/perl -w
use strict;
use CGI::Carp qw(fatalsToBrowser);   # convenient while setting up; it shows error details to whoever calls the URL

# Serve the dump as a downloadable attachment instead of rendering it inline.
print "Content-type: text/plain\n";
print "Content-disposition: attachment; filename=\"db_backup.sql\"\n\n";

# Run mysqldump and pass its output (and any error messages) straight to the client.
# Note: a password given as -pPASSWORD is visible to other users of a shared host in
# the process list for as long as mysqldump runs.
print qx(mysqldump -uUSERNAME -pPASSWORD DATABASE 2>&1);
```
Replace USERNAME, PASSWORD and DATABASE with the configuration data for your database and drop the script into your cgi-bin directory. Don't forget to make it executable (chmod +x) and apply some form of access restriction (for example HTTP authentication for that URL): anyone who can request the script gets a complete copy of your database.
Dell Preboot Authentication: Deleting smartcard associations
Laptops from the new Dell Latitude E series come with an OEM version of Wave Embassy Trust Suite. This software can be used (amongst others) for configuring BIOS and hard disk “passwords” based on smartcard authentication.
This is a nice feature, but what if you try to turn this off again after trying it out? There is just no such option; once configured, the smartcard login can no longer be turned off properly.
ionice: Controlling the Linux I/O scheduler
Linux is quite good at scheduling the CPU time of running programs: even when a process is running that constantly uses up all processor power, it is still possible to use another (interactive) program nearly as fast as on an idle system. But if a process is doing heavy I/O (e.g. backup software), the response times of interactive programs can increase dramatically.
A possible solution for this problem is the command line tool ionice which can be used to control the I/O scheduler.
Clean MySQL backup using mysqldump
If you need to configure a backup of a MySQL database server, you shouldn't simply copy its database files from /var/lib/mysql, since they might be inconsistent (due to simultaneous changes). mysqldump is a safe choice for this task. I wrote a simple script for Debian that uses the pre-configured "debian-sys-maint" account and compresses the output:
```bash
#!/bin/bash
set -e   # stop if the dump fails, so a broken dump is never compressed over a good one
BACKUP_FILENAME=/var/backups/mysql/mysql.dump

# The credentials come from /etc/mysql/debian.cnf (root-readable only), so no
# password appears on the command line or in the process list.
mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases --lock-all-tables \
          --result-file="$BACKUP_FILENAME"

# gzip replaces mysql.dump with mysql.dump.gz; -f overwrites the previous run's archive.
gzip -f "$BACKUP_FILENAME"
```
Please take care of creating the output directory (/var/backups/mysql in the above example) first!
java -jar ignores classpath — Workaround
When you want to run a Java class which needs additional libraries, you usually run java -cp mylib.jar MyClass, or you set the environment variable $CLASSPATH before running the class.
When you have a JAR file you want to run, you usually do this by issuing java -jar myjarfile.jar
Maybe you’ll think: Hey, I want to run a JAR file with some additional library so I issue java -cp mylib.jar -jar myjarfile.