Tuesday, July 14, 2015

Adobe updates Flash/Shockwave (again); Mozilla auto blocks Flash; Facebook calls for its death;

Adobe has released a security update to address critical vulnerabilities in Shockwave Player for Windows and Macintosh.
Exploitation of these vulnerabilities could allow an attacker to take control of an affected system.
You may review Adobe Security Bulletin APSB15-17 and apply the necessary update.

Adobe has released security updates to address critical vulnerabilities within the ActionScript 3 opaqueBackground and BitmapData classes of Flash Player.
Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on a vulnerable system.
Versions affected include Adobe Flash Player 9 through
You may review Adobe Security Bulletin APSA15-18 and apply the necessary updates.
Additional information can be found in Vulnerability Notes VU#338736 and VU#918568

A quick way to see if you’re vulnerable is to go to this Adobe website and run the check to see if they need to update.
If you need the update you’ll get a Sorry, your computer doesn’t have the latest Flash Player installed.
You can then click the download the latest version of Flash Player link below.
If you get the Congratulations, your computer has the latest Flash Player installed, no further action is required.

I should mention that as of about 11:30 AM, Microsoft has yet to release an updated version of Flash for IE 11 on Windows 8.1
I’d expect a release either later today or early tomorrow morning.
Windows 7 users and all other browsers (e.g. Firefox) should be able to update using the links above.
Since Chrome uses Pepper Flash, it will update itself.

Mozilla’s Firefox browser is now blocking Flash across the board, until such time that Adobe can assure the product is safe.
The same article also mentions that Facebook’s security chief would like to see an End-of-Life date for Flash and all browsers to agree to stop supporting it.

FWIW, there is still too much Flash content and HTML5 isn’t being as widely embraced as content creators would hope.
However, IMHO, it may be only a matter of time before CDNs embrace the change to HTML5 or find some other DRM laden software to replace Flash altogether.
At least we can be happy that whatever does happen, CDNs won’t choose Silverlight anymore.

Wednesday, January 21, 2015

How I got started with BSD

I watch the BSDNow show, and a little while back they asked people to submit stories for how they got started with BSD.  I didn't submit my own story, but listening to the stories submitted by others I figured I'd share it on my own crappy blog.

So back in late 2001 or early 2002 I started looking into Linux and at the time the distribution I decided to use was SuSE. An uncle at the time worked for a university that actually mirrored SuSE (this was before the Novell acquistion and the creation of OpenSUSE). I want to say SuSE 7.3 was my first version and I remember he got me 3 burned CDs. I had at the time a Gateway with a Celeron, 40GB Hard Drive and 1 GB of Ram that came pre-loaded with Windows XP.  However I wanted to try Linux and decided to install it over the whole thing.  I didn't know about Gnome or KDE and I think SuSE defaulted to gnome so that's what I installed.  I used SuSE for quite some time and kept my system pretty up to date and as the releases came out I downloaded them, usually via torrent.  I think the last version I used was 10.2 or possibly 10.3 although it was OpenSUSE at that time.

Now I was in University at that time, and had been playing around with other systems. Briefly Ubuntu, but frankly I hate that and will never use it again. I had an old laptop I ran Linux Mint and it was pretty fun, but had no practical purpose other than giving life to an older laptop.

Then my junior and senior year I came work for the computer science department, as a lab assistant. Basically I just helped people print, login and a few other things, but hey it paid money.  Well the guy in charge was for a while actually running the department behind an OpenBSD firewall.  I had never heard of OpenBSD before this, and well decided to look into the world of BSD.  I tried to figure out OpenBSD, but I'll be honest I was a little scared because I was used to the GUI filled linux world.  However I also stumbled into FreeBSD and it's installer reminded me of something like slackware which I also played around with a little before then.

I didn't however end up running any BSD systems until I got into my current position.  I mostly had Windows knowledge and some Linux knowledge and they mostly used Windows and had some CentOS systems and not much else.  However then came a problem that needed an immediate fix.  A Cisco 7206 (I think that's what it was) was being DDOS'd or otherwise kept getting knocked offline and other than restarting the equipment Cisco wasn't any help because as I understood someone let the smartnet lapse and well Cisco doesn't help you much without that.  One of the other guys had this great idea - or idea anyway - he suggested getting some hardware that was just laying around  and putting OpenBSD on it.

They basically took the config of the Cisco device and made a similar config in PF and the 7206 basically became a glorified media converter for some DS3s.  Over time I eventually become more involved in the networking where I work and started learning OpenBSD.  We also started using FreeBSD leveraging the awesomeness of ZFS for storage servers, everything from email archiving to backup systems (using bacula) and even just web servers, dns servers and mail servers.  We also replaced a bunch of Cisco 2801 devices with OpenBSD firewalls mostly because we did away with T1s and most of our customers now have Ethernet connections or are provided copper pairs.  We now maintain some 35 customers with OpenBSD firewalls, plus 8 core firewalls at various locations setup in CARP pairs, plus close to 70 Soekris based devices running OpenBSD using OpenVPN to connect back to our main campus.

Perhaps the most surprising thing is is that all of this is actually happening in East Texas, an area not known for being technologically forward.

Now we are still a Windows environment on the desktop and still use Windows servers for several purposes, but whenever possible BSD is the preferred OS for simplicity of setup and use, not to mention the ease of securing and the large community of support that is available should you have a question or need something resolved.


One of the more interesting things about ZFS is the raidz functions which are raidz, raidz2 and raidz3 - and are supposed to be technically equivalent or at least similar to RAID-5, RAID-6 and well there isn't anything comparable to raidz3 that I know of, anyway I recently had to setup a system using raidz, mostly because I don't trust the hardware RAID controller I am using anymore and just setup all the disks in what the card refers to as single disk mode, which is apparently different than JBOD at least the way this card does things.

I found this google doc that someone else made that explains all the cost involved in each raidz type as far as percentage of usable space afterwards.

If you want or need a crash course in raidz or zfs in general, this guide provides a lot of good documentation.

If you're just starting out with ZFS definitely look it over, especially the VDEVs section.

In case you're curious my new setup was 3 raidz vdevs of 5 1500GB disks in making one zpool which gave me 16T of space.

        vol         ONLINE       0     0     0
          raidz1-0  ONLINE       0     0     0
            da1     ONLINE       0     0     0
            da2     ONLINE       0     0     0
            da3     ONLINE       0     0     0
            da4     ONLINE       0     0     0
            da5     ONLINE       0     0     0
          raidz1-1  ONLINE       0     0     0
            da6     ONLINE       0     0     0
            da7     ONLINE       0     0     0
            da8     ONLINE       0     0     0
            da9     ONLINE       0     0     0
            da10    ONLINE       0     0     0
          raidz1-2  ONLINE       0     0     0
            da11    ONLINE       0     0     0
            da12    ONLINE       0     0     0
            da13    ONLINE       0     0     0
            da14    ONLINE       0     0     0
            da15    ONLINE       0     0     0

Also on the other side of this if you're using hardware raid it is probably always a good idea to use a third party utility such as Nagios, PRTG or whatever utility you may use to monitor it if possible. The good news for me is that the Nagios exchange shows several options for checking zfs and zpools so I'll be implementing that shortly. It seems that even PRTG can monitor ZFS via SNMP.

Thursday, October 09, 2014

CentOS 6 on a Dell Latitude 2100

So here at work I have a Dell Latitude 2100 from 2009.
Although to be fair it wasn't mine initially I sort of inherited it.
Anyway it's a half decent system, inxi dump below (some information removed):

System: Host: 2100 Kernel: 3.17.0-1.el6.elrepo.i686 i686 (32 bit)
Desktop: N/A Distro: CentOS release 6.5 (Final) 

Machine: System: Dell (portable) product: Latitude 2100
Mobo: Dell model: 0W785N Bios: Dell v: A06 date: 07/30/2010

CPU: Single core Intel Atom N270 (-HT-) cache: 512 KB
Clock Speeds: 1: 1334 MHz 2: 1067 MHz

Graphics: Card: Intel Mobile 945GSE Express Integrated Graphics Controller
Display Server: X.Org 1.16.0 drivers: intel (unloaded: fbdev,vesa)
Resolution: 5280x877@1.0hz
GLX Renderer: NVIDIA GeForce GT 650M OpenGL Engine
GLX Version: 1.4 (2.1 NVIDIA-10.0.43 310.41.05f01)
Audio: Card Intel NM10/ICH7 Family High Definition Audio Controller
driver: snd_hda_intel
Sound: ALSA v: k3.17.0-1.el6.elrepo.i686
Network: Card-1: Broadcom NetXtreme BCM5764M Gigabit Ethernet PCIe
driver: tg3
IF: eth0 state: up speed: 1000 Mbps duplex: full
Card-2: Broadcom BCM4322 802.11a/b/g/n Wireless LAN Controller
driver: b43-pci-bridge
IF: wlan0 state: up
Drives: HDD Total Size: 250.1GB (3.9% used)
ID-1: /dev/sda model: WDC_WD2500BEVT size: 250.1GB

Anyway it took some doing, but the system is working as I want it to, the details of what I did below:

First I added some additional repositories so now I have the following repositories active:
* atomic
 * base
* centosplus
 * elrepo
 * elrepo-extras
* elrepo-kernel
 * epel
 * extras
* fasttrack
 * ius
 * remi
 * rpmforge
 * rpmforge-extras
 * rpmfusion-free-updates
 * rpmfusion-nonfree-updates
 * updates
 * webtatic

Of course after adding all the repos I did yum -y upgrade to ensure everything was as new and fresh as possible.
I did have to exclude gd from the CentALT repository by adding exclude=gd* to the end of the repo file.
I also installed the kernel-ml from the elrepo-kernel repository and modified grub in /etc/grub.conf to make sure it was the default boot kernel.
I mean there isn't anything wrong with the 2.6 kernel used by default, I just wanted a 3.x kernel

chkconfig NetworkManager on
service NetworkManager start
chkconfig network off  
chkconfig wpa_supplicant off

I soon discovered that my wifi wasn't working.
I confirmed this with dmesg.
A google search later led me to here. I just followed the directions and now wireless works flawlessly.

wget http://bues.ch/b43/fwcutter/b43-fwcutter-018.tar.bz2 http://bues.ch/b43/fwcutter/b43-fwcutter-018.tar.bz2.asc gpg --verify b43-fwcutter-018.tar.bz2.asc tar xjf b43-fwcutter-018.tar.bz2 cd b43-fwcutter-018 make sudo make install cd ..

export FIRMWARE_INSTALL_DIR="/lib/firmware" wget http://www.lwfinger.com/b43-firmware/broadcom-wl-5.100.138.tar.bz2 tar xjf broadcom-wl-5.100.138.tar.bz2 sudo b43-fwcutter -w "$FIRMWARE_INSTALL_DIR" broadcom-wl-5.100.138/linux/wl_apsta.o

modprobe -r b43 bcma

modprobe b43

I made sure everything stuff with a reboot and as expected it did.

The main downside of the 2100 is the 1024x600 resolution. In an effort to set some stuff up and get around this I decided to enable X11 forwarding.
This allowed me test what I did next on my macbook pro which actually worked quite well. 

Browsers and Plugins were next on the agenda, firefox is included by default, but I wanted Chrome.
Unfortunately Google decided that Chrome and CentOS 6 weren't gonna be friends anymore.
I can't run CentOS 7 as it is x86_64 only and this atom isn't.
Anyway after some searching around the Google I found chromium will do what I want so I set out to install it.
sudo -i
yum localinstall http://install.linux.ncsu.edu/pub/yum/itecs/public/chromium/rhel6/noarch/chromium-release-1.1-1.noarch.rpm
cd /etc/yum.repos.d wget http://people.centos.org/hughesjr/chromium/6/chromium-el6.repo
yum install chromium

I had already done an ssh -Y to my 2100 from my mac and set out to test that it worked with
/opt/chromium/chrome-wrapper %U

So next step was flash
rpm -ivh http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux

yum -y install flash-plugin nspluginwrapper alsa-plugins-pulseaudio libcurl

In Firefox about:plugins showed it was installed, but unfortunately there was still no flash support in Chromium.
mkdir /tmp/working/
cd /tmp/working/
wget https://dl.google.com/linux/direct/google-chrome-stable_current_i386.rpm
rpm2cpio google-chrome-stable_current_i386.rpm | cpio -idv
mkdir /opt/chromium-browser/PepperFlash/
cp opt/google/chrome/PepperFlash/* /opt/chromium-browser/PepperFlash/

Restart chromium and flash works too!!

The next step was Adobe Reader (yes I hate myself, I know there are lots of PDF readers, but I wanted this one).
sudo -i
cd /tmp wget http://ardownload.adobe.com/pub/adobe/reader/unix/9.x/9.5.5/enu/AdbeRdr9.5.5-1_i486linux_enu.rpm 
yum localinstall AdbeRdr9.5.5-1_i486linux_enu.rpm
yum install nspluginwrapper.i686 libcanberra-gtk2.i686 gtk2-engines.i686 PackageKit-gtk-module.i686
yum localinstall AdobeReader_enu nspluginwrapper.i686

Then run acroread to open it and accept the EULA.
If you want your browsers to see it you have to copy some files:
cp /opt/Adobe/Reader9/Browser/intellinux/nppdf.so /usr/lib/mozilla/plugins/ 

Next up working Java plugin
Downloaded the RPM and followed their install instructions

Become root by running su and entering the super-user password.
Uninstall any earlier installations of the Java packages.
rpm -e <package_name>
Change to the directory in which you want to install. Type:
cd <directory path name>
For example, to install the software in the /usr/java/ directory, Type:
cd /usr/java

Install the package.
rpm -ivh jre-7u7-linux-i586.rpm

To configure the Java Plugin follow these steps:
Exit Firefox browser if it is already running.
Create a symbolic link to the libnpjp2.so file in the browser plugins directory
Go to the plugins sub-directory under the Firefox installation directory
cd <Firefox installation directory>/plugins

Create plugins directory if it does not exist.
Create the symbolic link

ln -s <Java installation directory>/lib/i386/libnpjp2.so

Then because I don't already hate myself enough I installed real player
wget http://client-software.real.com/free/unix/RealPlayer11GOLD.rpm
rpm -ivh RealPlayer11GOLD.rpm

I also installed VLC because it met all the other media dependencies I wanted installed.
yum -y install vlc

There were only two other packages I needed installed at this point SecureCRT and OwnCloud client.
That was just a matter of downloading the rpms and manually installing them.
I use OwnCloud to share my SecureCRT between PCs and I love that SecureCRT lets me access all my remote hosts regardless of my OS. I mean sure any terminal will do for SSH connections, but the convenience of SecureCRT is something I appreciate.

In case you were wondering I was using a pearson site to test all my browser plugins. This was a site I stumbled upon in my college days and it surprisingly still exists.