-
Bush The Optimist?
Posted on October 28th, 2003
Washington Post – Bush Says Attacks Are A Sign of U.S. Progress:
The president, speaking after attacks on police stations and a Red Cross facility in Iraq killed at least 35 people, said such attacks should be seen as a sign of progress because they show the desperation of those who oppose the U.S.-led occupation.
“The more successful we are on the ground, the more these killers will react,” Bush said as he sat in the Oval Office with L. Paul Bremer, the U.S. administrator in Iraq.
Hmm… Bush should be a motivational speaker. He seems to have lots of experience at turning obvious failures and oversights into victories in the press.
-
Gator is Spyware
Posted on October 22nd, 2003
Yep, Gator was spyware in the past and still is spyware. I’ve uninstalled the software on plenty of computers where the user was tricked into installing it or it piggybacked along with another program a user wanted to install. I’ve seen enough of it over the years to know that Gator has been spyware in the past, is currently spyware, and will always be spyware unless the unethical and evil company that produces it goes out of business. That is a fact.
But apparently the fine useless bags of skin at The Gator Corporation don’t like when people call their shit software what it is: spyware. *Waits for google to spider and cache this page*
-
The Dark Side Of AIM
Posted on October 17th, 2003
Someone posted a small compilation of disturbing conversations held over AIM on LiveJournal. I’ve seen a couple of them before so they are not exactly new but they are still very funny.
My favorite part (copied from the above mentioned compilation):
J-Dogg: I see you in line at the supermarket. Our eyes meet.
Partner8: Who the fuck are you?
J-Dogg: I mouth the words to you, as if in slow motion:
J-Dogg: Fuck me, Fuck me.
J-Dogg: My wishes are like poetry in your eyes. We want this moment to last forever.
Partner8: OMFG are you trying to cyber me?
J-Dogg: We are like two dancers, for whom the music never stops. I Kiss the top of your hand. You are taken aback by the bulge that forms in your thigh.
Partner8: Is that like cancer?
J-Dogg: If cancer is our love, then I hope you don’t have the technology of chemotherapy.
Partner8: Good one romeo.
J-Dogg: You grab the bulge that you feel. you tihink it must be taking over your mind, theres nothing else you can think of. My tubesteak to you is like a beautiful japanese haiku.
The salmon swim at night.
Towards your room.
The snow and the moon.
Partner8: that was never a haiku.
J-Dogg: To your light bulb I am the Thomas Edison of your sex. Withought my light you would be lost in a sea of darkness.
Partner8: That made even less sense than your “haiku”
J-Dogg: So you ready to fuck then?
Partner8: You unbutton my pants, spew your load at the sight of my underwear, and your spent.
J-Dogg: …
Partner8: ?
J-Dogg: I’m spent.
-
Weather and Humor
Posted on October 15th, 2003
I came home tonight and found that today’s wind storm did its part in making my night uncomfortable by knocking out the power. Lucky my landlord has a generator so I was able to at least plug in a couple lights that I could use to read with. I used the downtime to finish reading Queen of the Darkness, the third book in The Black Jewels Trilogy. The series was very enjoyable and cut into my sleep quite a bit while reading it. Highly recommended to anyone who might enjoy a good Dark Fantasy story.
Once the power was restored I happened upon a rather interesting collection of complaints about a particular segment of fellow state employees. Entertaining.
-
We Are Watching
Posted on October 14th, 2003
Apparently some folks at MIT decided that the Bush Administration and the Pentagon had a great idea when they thought up the (now apparently canceled) plan for “Total Information Awareness”. Except instead of tracking everyday citizens these individuals plan on tracking the government itself.
The product? Government Information Awareness. An organized effort to track the actions of elected officials and other components of government and study their relationships with special interest groups, corporations and other entities. A great idea that is long overdue. And a great irony… The same technology that allows the government to track its citizens being used to track the government. I wish the project well… We definitely need it.
-
HOWTO: Solaris NIS Server and (Red Hat 9) Linux NIS Client
Posted on October 14th, 2003
Today (errr.. yesterday) I found myself needing to set up a Red Hat 9 based server that would use a Solaris NIS+ server as its source of account information on a “temporary” basis. It is possible for Linux to use NIS+ as an authentication source but I found the idea highly undesirable considering the distribution of choice does not ship with the needed tools and documentation seemed to be quite nonexistent. There was also the risk that because the maintainers of the distribution (hence the operating system itself so to speak) did not use or test with NIS+ there may have been bugs and problems introduced into the system libc that would complicate its use.
I remembered that NIS+ on Solaris has a “NIS compatibility mode”. NIS is supported “out of the box” in pretty much every version of Red Hat since the dawn of time so this seemed the best option. Turning on this “compatibility” feature of rpc.nisd on the Solaris server would cause rpc.nisd to respond to both NIS+ and NIS requests. The Linux system could then authenticate users using NIS. Turning on this compatibility mode is trivial (simply start rpc.nisd with the -Y flag) and is documented in the rpc.nisd man page. You will need to edit the /etc/inet/rpc script and make sure EMULYP="Y" is either uncommented or make sure rpc.nisd is started with the needed -Y flag.
The NIS+ service daemon should now respond to NIS requests. By default the passwd table in NIS+ is configured with permission settings preventing users and machines which are ‘unauthenticated’ (I really don’t want to cover NIS+ credentials here) from viewing the actual field in the table that contains the hashed password string. All “requests” that come into rpc.nisd through NIS seem to use the “nobody” permission set.
By default passwd.org_dir in NIS+ allows “nobody” to access every field in the passwd table except for the actual password string itself. This manifests itself as all password fields appearing to be set to *NP* or similar while attempting to use ypcat passwd or getent passwd on a client machine. The fix for this is to simply grant the read permission to “nobody” using “nischmod n+r passwd.org_dir“. The password field should now be viewable using the aforementioned commands on client machines.
WARNING: The password field of the passwd database is now visible to any machine able to request it. While this is not that big of a deal on systems that are legitimate clients (getent passwd by default on a NIS+ client machine allows non-root users to see the string) it can be a big deal if the machine hosting the NIS+/NIS service is not properly firewalled. If the portmap RPC service and other RPC services are exposed to the outside world it is quite possible someone could extract your passwd database from your server. If you are unfamiliar with NIS security please do some research before deploying. (Of course if you are exposing any Solaris RPC service you will most likely get hacked eventually… depressing but true).
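A way to check a client for the exposure described in the warning above, as an added example that is not part of the original post: it classifies the password field of passwd-format lines such as those printed by ypcat passwd or getent passwd. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Audit passwd-format lines (the format of `ypcat passwd` / `getent passwd`)
# for password fields that any client of the map can read.

classify_passwd_fields() {
    # stdin: passwd-format lines; stdout: "<class> <login>" per account
    awk -F: '
        /^#/ || NF < 7 { next }                  # skip comments, blanks, malformed
        {
            pw = $2
            if (pw == "")            cls = "EMPTY"    # no password set at all
            else if (pw == "x")      cls = "SHADOW"   # hash kept in a shadow file
            else if (pw == "*NP*")   cls = "HIDDEN"   # NIS+ withheld the field
            else if (pw ~ /^[*!]/)   cls = "LOCKED"   # can never match a hash
            else                     cls = "HASH"     # hashed string is visible
            print cls, $1
        }'
}

count_class() {
    # $1 = class name; stdin = classifier output; prints how many accounts match
    awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

audit_passwd_map() {
    # Prints accounts whose field is a visible hash or empty (an empty field
    # matters when PAM runs pam_unix with nullok); returns 1 if any are found.
    findings=$(classify_passwd_fields | awk '$1 == "HASH" || $1 == "EMPTY"')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample map; the logins and hash strings are made up.
SAMPLE_MAP='root:x:0:0:root:/root:/bin/bash
alice:*NP*:1001:100:Alice:/home/alice:/bin/bash
bob:ab3dEfGhIjKlM:1002:100:Bob:/home/bob:/bin/bash
carol:$1$saltsalt$0123456789abcdefghijkl:1003:100:Carol:/home/carol:/bin/bash
dave::1004:100:Dave:/home/dave:/bin/bash
svc:*LK*:1005:100:Service:/var/empty:/bin/false'

# Demonstration on the sample; a non-zero status here means findings exist.
printf '%s\n' "$SAMPLE_MAP" | audit_passwd_map || echo "exposed entries found"
```

On a client bound to the server, pipe the real map in instead of the sample: ypcat passwd | audit_passwd_map.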
With that warning out of the way it is now time to configure the Linux client. Red Hat 8 and later both have a text (authconfig) and GUI tool (authconfig-gtk) to allow you to configure which means of obtaining user information and authentication you wish for the system to use. Simply start one of the tools. I will use the GUI program (authconfig-gtk) for this example.
On the User Information page make sure Cache User Information and Enable NIS Support are checked. Click on the Configure NIS… button and enter the NIS Domain and IP address of the NIS server you wish to use. Click OK on the NIS Settings window and you should now be returned to the main window. Click OK on the main window. There may be a long pause before the program quits completely.
Now you will need to make sure the needed services are running. portmap, ypbind and nscd should be running. Check /var/log/messages to make sure ypbind is happy and has found the NIS server. Check /etc/nsswitch.conf and make sure you are happy with the settings the tool set up for you. (The defaults were fine for my use). To test if nsswitch and friends are working, simply use the command “getent passwd“. You should see the local passwd file scroll by followed by the contents of the passwd table in NIS/NIS+. If you see this then nsswitch.conf and friends are happy. Be Happy.
Unfortunately the PAM configuration that authconfig sets up for you in /etc/pam.d/system-auth does not seem to work when a Solaris NIS+/NIS server is the server in use. (UPDATE: You may not need to tweak the pam files at all for it to work… My problem might have been nscd caching negative responses during earlier testing.) The following is the PAM file that seems to work for me:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix_auth.so shadow nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix_acct.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix_passwd.so shadow nullok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix_session.so
The file seems to work fine for openssh’s pam.d config file and should work fine as system-auth. The only thing that will not work is the changing of passwords. Which for my use is not a problem (and actually desirable) but it may be for you. Unfortunately from my (meager) understanding this would require you to add more privileges to “nobody” on the passwd.org_dir NIS+ table and in my mind that is highly undesirable. If you find yourself needing to change passwords from NIS clients you’ll need some very careful firewalling to have any hope of keeping your account database secret.
The real solution is to use LDAP. The problem is Solaris only seems to support LDAP in a useable “out of the box” form in Solaris 9. I have been told the padl PAM modules work well on Solaris so if you find yourself needing to use Linux clients mixed in with Solaris servers and clients, it may be time to seriously consider moving to LDAP instead of playing with NIS. At most NIS should be used as a temporary emergency measure in my mind.
If I have said anything in this post that is technically wrong please feel free to let me know. Unfortunately, if the above does not work for you I’m afraid I do not have the means or time to help you diagnose the issue. At least I hope I have faced you in the right direction.
-
We are sooo going to Hell…
Posted on October 12th, 2003
The Independent (UK) – US soldiers bulldoze farmers’ crops:
“They made a sort of joke against us by playing jazz music while they were cutting down the trees,” said one man. Ambushes of US troops have taken place around Dhuluaya. But Sheikh Hussein Ali Saleh al-Jabouri, a member of a delegation that went to the nearby US base to ask for compensation for the loss of the fruit trees, said American officers described what had happened as “a punishment of local people because ‘you know who is in the resistance and do not tell us’.” What the Israelis had done by way of collective punishment of Palestinians was now happening in Iraq, Sheikh Hussein added.
Great Job Bush! Keep this up and instead of our kids saying “… like the Americans in Vietnam” they will be saying “… like the Americans in Iraq”. Idiots.
Of course our administration really doesn’t have the time to deal with little matters like Iraq and the Economy when they are busy making sure their trophy hunting friends can slaughter and trade endangered animals.
Bush has got to go.
-
So wrong on so many levels…
Posted on October 12th, 2003
The Onion – IBM Emancipates 8,000 Wage Slaves:
“In a move hailed by corporation owners as a forward-thinking humanitarian gesture, IBM emancipated more than 8,000 wage slaves from its factories and offices Monday.”
-
Unicode and Encodings
Posted on October 11th, 2003
Joel on Software has a very good article covering the basics of Unicode and all of the confusing charset and encoding mess that most people bump into daily (as garbled emails or weird looking characters on various websites) but never really understand.
It is primarily a rant from Joel Spolsky directed towards programmers but the article should be interesting to anyone with an interest in computers and how modern software works with all the various human languages.
-
Fall In The New Paltz Area
Posted on October 11th, 2003
It is now fall in the New Paltz area. The nights are getting chilly, the field mice are trying to move back into local homes, and the car takes a second or two extra time to start. The first ice storm is probably a month away with the first snowfall a couple weeks after. I’m hoping the winter is not too wet or cold though with such a wet summer I can’t imagine winter being very ‘dry’.
I spent part of the day in New Paltz having a late lunch with a friend and former college roommate, ran into a coworker, and walked around town for a bit. The town was unusually crowded with townspeople, college students, and people visiting all the nearby apple orchards and farms. There was a little “Apple Festival” with a small number of vendors outside an old historic church down in the stone house section of New Paltz. The temperature was in the low 70s with a light breeze and was very enjoyable.
On the way back home I stopped at a local apple orchard about a mile or so from my apartment and did the whole “pick your own apples” bit. Walked around for about an hour or so before stopping by the farm stand and picked up a small thing of apple cider. Now I just have to make myself eat all the apples I bought.


