18 September 2013

Admiral General Aladeen's Rationale For a Dictatorship

I was watching the movie 'The Dictator' again on the plane a couple weeks ago. Although I had seen it before and knew it was funny, I was reminded all over again how hilarious it is to watch Sacha Baron Cohen poke fun at life. Here is Admiral General Aladeen's final speech in the movie on dictatorship vs. democracy, too damn funny:


Imagine if North America was a dictatorship:
  • You could let 1% of the people have all the nation's wealth
  • You could help your rich friends get richer by cutting their taxes and bailing them out when they gamble and lose
  • You could ignore the needs of the poor for healthcare and education
  • Your media would appear free but would secretly be controlled by one person and his family
  • You could wiretap phones
  • You could torture foreign prisoners
  • You could have rigged elections
  • You could lie about why you go to war
  • You could fill your prisons with one particular racial group and no one would complain
  • You could use the media to scare the people into supporting policies that are against their interests
Ahhh, the irony! 

04 September 2013

FizzBuzz in Perl One-Liner

Last week something caused me to remember the Obfuscated Perl Contest that used to take place back in the 1990s in The Perl Journal (all issues available here).

Here is FizzBuzz in a Perl one-liner. Why? Because I can.

perl -e 'for (my $i=1; $i<=100; ++$i) {($i%3==0 and $i%5==0) ? print "FizzBuzz\n" : (($i%3==0) ? print "Fizz\n" : (($i%5==0) ? print "Buzz\n" : print "$i\n"))}'

25 July 2013

Bug/Feature

It's not a bug, it's a feature ;-).

02 July 2013

Ack is Better Than Grep

_   /|
\'o.O'
=(___)=
   U    ack!
Several years ago I discovered ack from hackernews or somewhere like that. If you are a grep user, then you will love ack. Check out Better Than Grep to learn all about it. Ack is written in Perl and, therefore, uses Perl regular expressions, so it's damn fast compared to grep. So fast it's actually shocking. Below are some steps I used to install it via MacPorts. Please note that I was unable to find it after it was installed, so I had to resort to manually creating a symlink to it in my ~/bin directory.
$ sudo port install p5-app-ack
$ which p5-app-ack
$ # No output from which -- so where is it??? 
$ sudo port list p5-app-ack
p5-app-ack                     @2.40.0         perl/p5-app-ack
$ # Well it did install something, so let's look at the contents of the package 
$ sudo port contents p5.12-app-ack
Port p5.12-app-ack contains:
  /opt/local/bin/ack-5.12
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/ConfigDefault.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/ConfigFinder.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/ConfigLoader.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter/Default.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter/Extension.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter/FirstLineMatch.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter/Inverse.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter/Is.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Filter/Match.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Resource.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Resource/Basic.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/App/Ack/Resources.pm
  /opt/local/lib/perl5/vendor_perl/5.12.4/darwin-thread-multi-2level/auto/ack/.packlist
  /opt/local/libexec/perl5.12/ack
  /opt/local/share/perl5.12/man/man1/ack.1pm
$ # Aha! There it is in /opt/local/libexec. I will just symlink to it and be done. 
$ ln -s /opt/local/libexec/perl5.12/ack ~/bin/ack
$ ls -l ~/bin/
total 8
lrwxr-xr-x  1 bruce.snyder  128844131  31 Jul  3 15:32 ack -> /opt/local/libexec/perl5.12/ack
$ ack --version
ack 2.04
Running under Perl 5.12.4 at /opt/local/bin/perl5.12

Copyright 2005-2013 Andy Lester.

This program is free software.  You may modify or distribute it
under the terms of the Artistic License v2.0.
$ # Now I'm good :-) 
Happy Ack'ing.

07 June 2013

Remove/Reinstall of MacPorts

After trying to upgrade Mercurial to the latest version via MacPorts, I ran into some compilation issues with a couple dependencies that I could not resolve at all. After realizing that there were dependency resolution issues amongst different versions of dependencies for different ports, I decided to remove and reinstall MacPorts from scratch. This provided a clean slate and everything worked without a problem, though I was annoyed that I had to take this drastic action and spend the time to get MacPorts working again.

Bash Completion For Git

One thing that I ran into was another change to the bash completion and prompt for git. As I mentioned in a previous post about this topic, the location of the git-prompt.sh file had changed, but this time I discovered that I had to source both the git-completion.bash file and the git-prompt.sh file to get things working. Below is what worked for me.
if [ -f /opt/local/share/git-core/contrib/completion/git-completion.bash ]; then
  . /opt/local/share/git-core/contrib/completion/git-completion.bash
fi

if [ -f /opt/local/share/git-core/contrib/completion/git-prompt.sh ]; then
  . /opt/local/share/git-core/contrib/completion/git-prompt.sh
fi

Bash Version 4.x

As I was reinstalling ports I noticed some logging that flew by in the terminal stating something about a requirement to use Bash 4 for the bash completion functionality to work properly. So I decided to utilize the newer version of Bash installed by MacPorts and here's how:
  1. Add the path to the new bash (/opt/local/bin/bash) to /etc/shells
  2. Use the chsh utility to change the shell to the new bash: chsh -s /opt/local/bin/bash
  3. After closing the terminal and opening a new one, check the bash version using either of these methods:
    $ echo $BASH_VERSION
    4.2.42(2)-release
    
As long as the version displayed is the newer version from MacPorts, you should be ready to go.

Just for my own sake and in case I need it in the future, I'm going to list a number of items that I had to reinstall:

$ sudo port install git-core +bash_completion +doc +svn
$ sudo port install tig 
$ sudo port install mercurial +bash_completion
$ sudo port install gnupg curl wget ncftp tree pstree watch screen proctools mtr cowsay
$ sudo port install postgresql90-server
For more info about installing and configuring PostgreSQL, see my post titled 'Installing PostgreSQL 9.0 on Mac OS X 10.6.8 via MacPorts' that walks you through many steps to get PostgreSQL up and running.

09 May 2013

How To Switch From AT&T to T-Mobile

Just recently I made the switch from AT&T wireless to T-Mobile using my own iPhone 4s. Beyond some administrivia, all I had to do was purchase a T-Mobile SIM card and I was ready to go.

Somewhere back around 1999 or 2000, I switched to Voicestream Wireless (switching away from Airtouch Wireless). Sometime after that, T-Mobile acquired Voicestream and I stuck with this service until 2008 when I switched to AT&T so that I could get an iPhone. I always had great customer service from T-Mobile and I had excellent roaming in Europe where I traveled often at the time. Now that T-Mobile is supporting the iPhone I have decided to switch back. Given that T-Mobile recently announced its lack of requirement for a contract and better rates than AT&T, this only made it easier to drop AT&T.

I did experience some headache with the whole iPhone unlocking requirement, but it only cost me about two hours of time. Given that my iPhone from AT&T was a GSM phone, there was no requirement for me to purchase a new phone. I could have purchased a new iPhone 5 but based on some friends telling me that the battery life on it is pretty miserable, and the fact that there is not a compelling reason to upgrade, I decided that I don't really need it. (In fact, I have been toying with the idea of switching from an iPhone to an old school cell phone. The cost savings to be had by doing this is amazing. But, in the end, I opted to stay with my iPhone 4s.) Once the iPhone starts providing an embedded NFC chip, I might consider upgrading.

Here are the necessary steps to switch from AT&T to T-Mobile:

  1. Unlock your phone - You must submit a request to AT&T to unlock your phone. This can take a few days so make sure to allow for ample time. This is where I had trouble but because I was outside of any contract with AT&T and I was in good standing, the operator I dealt with was able to unlock my iPhone 4s instantly while I was on the phone with him.
  2. Unlock your account - Remove any password from your AT&T account so T-Mobile can take it over.
  3. Transfer your phone number - If you plan to keep your phone number, then just transfer it to T-Mobile.
  4. Purchase a T-Mobile SIM card - If you are utilizing the BYOD plan (Bring Your Own Device), then you need to purchase a SIM card from T-Mobile. The cost is only US$10 so no big deal.
  5. Sync your iPhone - Before making the SIM card change, make sure to sync your iPhone with iTunes so that everything is backed up.
  6. Swap the AT&T SIM card for the T-Mobile SIM card - Pop out the SIM card slot and swap the SIM cards.
  7. Re-sync your iPhone - After inserting the T-Mobile SIM card, a message popped up on the iPhone stating that the card was not activated. After re-syncing the iPhone via iTunes, this went away and I immediately received a welcome SMS message from T-Mobile.
  8. Set up your voicemail - The last thing to do is set up your voicemail and you should be good to go.
  9. Request to have visual voicemail enabled - For whatever reason, visual voicemail must be manually enabled by T-Mobile and you need to call in to request that this take place.
Now I'm on the T-Mobile network and I have no contract whatsoever. Furthermore, the plan I signed up for is only US$50/month with unlimited talk and text + 500 MB of data. I can upgrade to unlimited data at any time for an additional US$20/month, which I will probably do (and it provides tethering capability). I'm just curious to know if I will actually exceed 500 MB of usage/month before I make that change.

I'm hopeful that this information will help others understand the steps to making this switch.

07 May 2013

On Eliminating Passwords

It seems to me that authentication in general needs to change. The requirement to remember a password for every online service you use has proven to be a daunting task not only for users but also for businesses that must store the credentials to authenticate those users. Considering the dramatic increase in data security breaches in recent years, it's no wonder that the competition amongst password management software continues to increase.

Personally, I use a password manager that supports all the devices I use (Mac OS X, iOS and Android) and has the ability to sync across them. Not only does a password manager store your username/password pairs in a secure file, but it also has the ability to generate passwords with high entropy to guard against a brute-force attack. But even this is a game of chase. Just like in the world of anti-virus software, it's kind of a reactionary game. That is, only as new viruses are discovered can the signatures of those viruses be added to the anti-virus software. The same applies to passwords -- as cracking stronger passwords only becomes easier, the requirements for passwords become more strict. At some point the whole idea of passwords will become a counterintuitive exercise. Many services also require the use of security questions for password recovery, but this is also a losing game given that most of the security questions offered are largely the same across many unrelated services. It makes me wonder if eventually the use of a text-based password is simply an invitation for a security breach (e.g., 'Oh this person is using a text-based password only, no problem we'll just crack it').

Beyond the cracking of passwords, consider how much companies spend to support usernames and passwords. Just the other day I was locked out of a system and had to actually call the help desk for assistance because there was no online password recovery offered. Now think about the fact that the help desk I contacted supports many thousands of users all over the world. In fact, my need for support with a password is such a common request that there is a category in the phone tree dedicated to password support. I hazard a guess that the investment to provide this support alone is probably fairly high.

To protect against simple password cracking we've seen the rise of multi-factor authentication (MFA), whereby a password plus some other out-of-band method is used for authentication, such as a text sent to your mobile device, a phone call to your phone number of choice, etc. Financial institutions typically provide this capability and even Amazon provides an MFA feature to secure an AWS environment. Many companies provide employees with a small two-factor authentication device -- I'm sure you've seen a SecurID token from RSA, a similar device from Symantec or smart cards from various companies, but even these have been breached and/or have been proven to be flawed. Furthermore, these solutions are aimed at the SMB and enterprise markets for distribution to employees, not at the general consumer market. And beyond that, I've even been locked out of a SecurID token before, which required a phone call to a help desk!

Earlier this year, a new group named Fast IDentity Online Alliance (FIDO) launched to bring forth a new type of multi-factor authentication and new usage models. From the FIDO website's description of What Makes FIDO Different?:

The range of technologies supported by the FIDO protocol will include biometrics such as fingerprint scanners, voice and facial recognition, as well as existing authentication solutions such as Trusted Platform Modules (TPM), Near Field Communication (NFC), One Time Passwords (OTP) and many others.
To learn more about FIDO, check out the How FIDO Works page describing the protocol; here's an image about it:

The short story is that a three-way binding occurs between the user, the device and the vendor's back-end system, and all three must be present to use the system. What is intriguing to me is that this protocol is aimed at end users/consumers -- people like you and me.

The first company to be considered FIDO certified is Nok Nok Labs in Palo Alto, CA. This company provides a commercial solution to implement the FIDO protocol and is currently testing it at about 15 companies. What's really needed is adoption of such a solution by popular online services, and Nok Nok Labs is already testing its solution with PayPal.

Not only would it be more comforting to know that my payments and my funds are secured by more than a username/password pair, but it would also be more convenient not to have to remember a password for every website I use. But until something like the FIDO protocol becomes ubiquitous, we must continue to live with what we've got today.

02 April 2013

MacPorts Upgrade Changes Bash Completion

After upgrading Macports recently to version xxx, I started seeing the following error in the terminal when the .bash_profile is loaded:
__git_ps1: command not found
Upon investigation, I discovered that the bash completion for git has been split into more than one file. Previously, all that was needed in the .bash_profile was to source the single file for git like so:
if [ -f /opt/local/etc/bash_completion ]; then
  . /opt/local/etc/bash_completion
fi
Since the update to Macports, now I also need to source the second file like so:
if [ -f /opt/local/share/git-core/contrib/completion/git-prompt.sh ]; then
  . /opt/local/share/git-core/contrib/completion/git-prompt.sh
fi
After closing/creating the terminal tab, the error is gone.

12 March 2013

Simplify SSH Setup on Remote Machines With ssh-copy-id

If you're not aware of the ssh-copy-id command to copy your SSH keys to a remote server, then you should really check it out. It seems to be prevalent on Linux but it's not available in the BSD world (which means it's not part of Mac OS X).

Just last week I encountered some folks who were not aware of this handy little utility and it's definitely not the first time. So I thought I'd just mention it here in the hope that others might like the info as well. The ssh-copy-id utility is a shell script that, quite simply, copies your SSH keys to a remote server, sets up the permissions correctly and appends the keys to the remote host's .ssh/authorized_keys file. For those folks like me on Mac OS X who want this script, here's a port of the script from Linux.

Here's a quick example of using ssh-copy-id from Linux:

bsnyder@ubux:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub 172.16.82.150
The authenticity of host '172.16.82.150 (172.16.82.150)' can't be established.
ECDSA key fingerprint is 83:df:ca:af:61:ab:59:cc:a5:08:28:f3:ac:72:87:18.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.82.150' (ECDSA) to the list of known hosts.
bsnyder@172.16.82.150's password: 
Now try logging into the machine, with "ssh '172.16.82.150'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

bsnyder@ubux:~$ ssh 172.16.82.150
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-17-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

bsnyder@ubuntu:~$ 
Notice that first I used ssh-copy-id and then I immediately logged into the machine using the key (i.e., without a passphrase).

This task is certainly something that's relatively easy to do manually, but why expend the effort on a manual solution when there's something pre-built for exactly this problem?
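What ssh-copy-id does on the remote end, as an added example that is neither the post's linked port nor OpenSSH's own script: a POSIX shell function that installs a public key under a given home directory with the modes sshd's StrictModes requires (700 on .ssh, 600 on authorized_keys) and refuses to append a key that is already present. The home-directory argument is an assumption of this example so it can be exercised against a temporary directory instead of a remote host.

```shell
#!/bin/sh
# Added example: the remote-side half of ssh-copy-id as a function that
# can be run against any directory standing in for the remote home.
# Not the original script; the duplicate check and return codes are
# this example's own convention.

# install_pubkey PUBKEY_FILE HOME_DIR
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
#   Returns 0 on success, 1 on a malformed key, 2 if already present.
install_pubkey() {
    key_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # An OpenSSH public key line looks like: <type> <base64> [comment]
    key=$(head -n 1 "$key_file") || return 1
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "install_pubkey: not an OpenSSH public key: $key_file" >&2
           return 1 ;;
    esac

    # sshd (StrictModes yes) ignores authorized_keys when the directory or
    # file is group/world accessible, so set the modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Compare type and key material only; the trailing comment may differ.
    key_blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth_file" | grep -Fqx -- "$key_blob"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# count_keys HOME_DIR -> number of lines in HOME_DIR/.ssh/authorized_keys
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    grep -c . "$1/.ssh/authorized_keys"
}

# perm_of PATH -> octal mode, to confirm what was set (GNU stat, then BSD)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run the check on the remote side afterwards exactly as the ssh-copy-id output above suggests: open ~/.ssh/authorized_keys and make sure only the keys you expect are listed.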

15 January 2013

How To Grab an SSL Certificate From a Host

Again, lately I've been working on a project that requires the use of SSL and therefore certificates. This is just a note for my own posterity more than anything, but if you ever need to grab an SSL certificate from a host so that you can import it into your keystore, here's how to do so using the OpenSSL s_client:
$ openssl s_client -connect <host>:<port> > foo.cert
Just make sure to substitute <host> with the DNS name of the host and <port> with the actual port number. Once you have the foo.cert file, you will need to clean it up a little by hand, because the handshake output surrounds the certificate itself, but it works. Here's a quick example:
$ openssl s_client -connect yahoo.com:443 > yahoo.cert
depth=0 /serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo  Inc./CN=www.yahoo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo  Inc./CN=www.yahoo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo  Inc./CN=www.yahoo.com
verify error:num=21:unable to verify the first certificate
verify return:1
^C
$ 
$
$
$
$ cat ./yahoo.cert
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo  Inc./CN=www.yahoo.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6jCCBFOgAwIBAgIDEIGKMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAwNDAxMjMwMDE0WhcNMTUwNzAzMDQ1MDAw
WjCBjzEpMCcGA1UEBRMgMmc4YU81d0kxYktKMlpENTg4VXNMdkRlM2dUYmc4RFUx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5u
eXZhbGUxFDASBgNVBAoTC1lhaG9vICBJbmMuMRYwFAYDVQQDEw13d3cueWFob28u
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ZM1jHCkL8rlEKse
1riTTxyC3WvYQ5m34TlFK7dK4QFI/HPttKGqQm3aVB1Fqi0aiTxe4YQMbd++jnKt
djxcpi7sJlFxjMZs4umr1eGo2KgTgSBAJyhxo23k+VpK1SprdPyM3yEfQVdV7JWC
4Y71CE2nE6+GbsIuhk/to+jJMO7jXx/430jvo8vhNPL6GvWe/D6ObbnxS72ynLSd
mLtaltykOvZEZiXbbFKgIaYYmCgh89FGVvBkUbGM/Wb5Voiz7ttQLLxKOYRj8Mdk
TZtzPkM9scIFG1naECPvCxw0NyMyxY3nFOdjUKJ79twanmfCclX2ZO/rk1CpiOuw
lrrr/QIDAQABo4ICDjCCAgowDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBSmrfKs
68m+dDUSf+S7xJrQ/FXAlzA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdl
b3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDCCAVsGA1UdEQSCAVIwggFOgg13
d3cueWFob28uY29tggl5YWhvby5jb22CDHVzLnlhaG9vLmNvbYIMa3IueWFob28u
Y29tggx1ay55YWhvby5jb22CDGllLnlhaG9vLmNvbYIMZnIueWFob28uY29tggxp
bi55YWhvby5jb22CDGNhLnlhaG9vLmNvbYIMYnIueWFob28uY29tggxkZS55YWhv
by5jb22CDGVzLnlhaG9vLmNvbYIMbXgueWFob28uY29tggxpdC55YWhvby5jb22C
DHNnLnlhaG9vLmNvbYIMaWQueWFob28uY29tggxwaC55YWhvby5jb22CDHFjLnlh
aG9vLmNvbYIMdHcueWFob28uY29tggxoay55YWhvby5jb22CDGNuLnlhaG9vLmNv
bYIMYXUueWFob28uY29tggxhci55YWhvby5jb22CDHZuLnlhaG9vLmNvbTAfBgNV
HSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAp9WOMtcDMM5T0yfPecGv5QhH
RJZRzgeMPZitLksr1JxxicJrdgv82NWq1bw8aMuRj47ijrtaTEWXaCQCy00yXodD
zoRJVNoYIvY1arYZf5zv9VZjN5I0HqUc39mNMe9XdZtbkWE+K6yVh6OimKLbizna
inu9YTrN/4P/w6KzHho=
-----END CERTIFICATE-----
subject=/serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo  Inc./CN=www.yahoo.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1392 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 6385A37EF8BA3E886A242E4F835C453BBE6740C2C240BF9C0F80ED7E0586500B87007EB839C57A8E5539C7CF21387C9F
    Key-Arg   : None
    Start Time: 1358267053
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
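The clean-up step done with awk and sed instead of by hand, as an added example that is not code from the original post: it pulls the N-th PEM block out of an s_client capture and reads back the "Verify return code", which in the capture above is 21 (the certificate was never chained to a trusted root, so the bytes being imported were not validated by s_client). The capture_chain helper and the constructed transcript in sample_capture are this example's assumptions; the placeholder certificate bodies are not real base64.

```shell
#!/bin/sh
# Added example, not code from the original post: extract the PEM block(s)
# from an s_client capture so only the certificate reaches the keystore.
# Assumed usage for the capture itself (needs network, not run here):
#   capture_chain www.example.test 443 raw.txt
# Feeding EOF on stdin lets s_client exit by itself instead of waiting for
# Ctrl-C, and -showcerts prints the intermediates as well as the leaf.
capture_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null > "$3"
}

# extract_pem RAW_FILE [N]
#   Prints the N-th (1-based, default 1) certificate block in RAW_FILE,
#   from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive.
extract_pem() {
    awk -v want="${2:-1}" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want                       { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }
    ' "$1"
}

# count_pem RAW_FILE -> number of certificate blocks in the capture
count_pem() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# verify_code RAW_FILE -> the number from s_client's "Verify return code".
# Anything other than 0 means s_client could not chain the certificate to
# a trusted root, so compare the fingerprint with one obtained out of band
# before importing:  openssl x509 -in leaf.pem -noout -fingerprint -sha256
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# sample_capture -> a constructed s_client transcript with two blocks
# (leaf, then issuer). Bodies are placeholders so this runs offline.
sample_capture() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Test CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-BODY-LINE-1
CONSTRUCTED-LEAF-BODY-LINE-2
-----END CERTIFICATE-----
 1 s:/CN=Example Test CA
   i:/CN=Example Test CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ISSUER-BODY
-----END CERTIFICATE-----
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
---
closed
EOF
}
```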

How To List All Certificates in the JDK cacerts File

Lately I've been working on a project that requires the use of SSL and therefore certificates. While working through the necessary tasks, I became curious about the number of certificates that exist in the default truststore in the JDK for Mac OS X (it's named cacerts). Well, using Java's keytool utility it's easy to take a peek at them. Here's how to list them:
$ echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:'
Enter keystore password:  Owner: CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Owner: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU
Owner: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Owner: CN=Wells Fargo Root Certificate Authority, OU=Wells Fargo Certification Authority, O=Wells Fargo, C=US
Owner: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
Owner: CN=Global Chambersign Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
Owner: OU=RSA Security 2048 V3, O=RSA Security Inc
...
This results in a tremendous amount of output, hence the grep to list just the owner. According to this method of listing the certs in the default truststore, there are 183. I just glanced through the list and they seem to come from CAs all over the world. I wonder how it was determined which certs to place in the default truststore.