Warren Myers : new service – free, secure password generation

May 01, 2016 04:53 PM

Today, I am formally announcing a brand-new service / website for secure password generation.

Go visit password.cf

Get yourself random passwords of commonly-required lengths and complexities*.

Password Varieties:

  • 4 of 4
  • upper & lower alphanumeric
  • lower alphanumeric

Lengths generated: 12, 16, & 24 characters

Visit the GitHub project page if you want to run the site on your own server.

You can view the source “live” if you’d like to see how it works without visiting GitHub – and verify nothing is saved anywhere by the code: it’s just a script with no filesystem / database access.

It’s fast: load times tend to be under 0.15 seconds!

It will always be linked from my Projects page, and from the ‘External’ links menu on this blog.


*Also findable at password.ga – same server, same code
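The post does not show how password.cf draws its passwords, so the following is an added example (not the site’s code) of how a generator for the three varieties and three lengths listed above can be written so that it is both unpredictable and unbiased. The symbol set, the variety names and the function names are my own choices; the “4 of 4” rule is read as “at least one character from each of the four classes”.

```python
import secrets
import string

# Character classes. The symbol set is a constructed choice; the post does not
# say which symbols password.cf uses.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

VARIETIES = {
    "4of4": (LOWER, UPPER, DIGITS, SYMBOLS),   # "4 of 4"
    "mixed_alnum": (LOWER, UPPER, DIGITS),     # upper & lower alphanumeric
    "lower_alnum": (LOWER, DIGITS),            # lower alphanumeric
}
LENGTHS = (12, 16, 24)


def meets_policy(password: str, variety: str) -> bool:
    """True if every character is drawn from the variety's alphabet and
    every class of that variety appears at least once."""
    classes = VARIETIES[variety]
    alphabet = set("".join(classes))
    return (all(c in alphabet for c in password)
            and all(any(c in cls for c in password) for cls in classes))


def generate(variety: str, length: int) -> str:
    """Generate one password of the given variety and length."""
    if length not in LENGTHS:
        raise ValueError(f"length must be one of {LENGTHS}")
    alphabet = "".join(VARIETIES[variety])
    # secrets.choice reads the OS CSPRNG; random.choice is seeded from a
    # predictable state and must not be used for credentials.
    # Rejection sampling keeps the output uniform over every string that
    # satisfies the policy. The common shortcut of picking one character per
    # class, filling the rest and shuffling guarantees coverage but skews the
    # distribution (strings with exactly one symbol become over-represented).
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, variety):
            return candidate


if __name__ == "__main__":
    for variety in VARIETIES:
        for length in LENGTHS:
            print(f"{variety:12} {length:2}  {generate(variety, length)}")
```

For the shortest 4-of-4 case (12 characters over a 95-character alphabet) the rejection loop rarely needs more than a couple of draws, so the uniformity costs nothing noticeable.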

Mark Turner : Neighborhood joy

April 30, 2016 01:08 PM

As sad as it is that Miss Ruth has moved away, our changing neighborhood ain’t all bad. In fact, there is lots to celebrate. Over the winter, Kelly and I finally bought a storm door for our front door, which gives us a look at what goes on outside. With the arrival of beautiful spring weather, I’ve been delighted to see all the neighbors out walking, running, pushing strollers, walking their dogs, and being neighborly. Last Friday evening alone I must have watched a dozen people passing happily by our home.

I’ve always considered how many people you see out interacting with each other to be a sign of a community’s health. I’m thrilled to see so many of my friends and neighbors out getting to know their community.

Mark Turner : Miss Ruth moves away

April 29, 2016 02:19 PM

Miss Ruth Gartrell poses with the Turner family, February 2016.

I knew the day would one day come and about two weeks ago it did: the day our wonderful next-door neighbor “Miss Ruth” Gartrell moved away. Her once-bustling home is now empty and it makes me sad.

We first found out about her impending move over New Year’s when a for sale sign appeared in her yard. She told me that she was unable to keep up with her large home the way she used to and also felt she should move back to California where she could be closer to more of her family. A few months then went by before her packing began in earnest and one morning about two weeks ago she and her family left for good.

Living next to her was like living next to an angel. We always looked out for each other. She once wrote one of the most humbling things anyone has ever said about me when she delivered a thank you note to me for something I’d done. In it she had written “I thank God that you are my neighbor.” Wow.

The Empty Gartrell Home


We will all miss her friendly smile, the stories she would tell, the cookies she would bake for the kids, and the hugs she was always happy to share. She’s invited us to come see her in California anytime and I’m hoping we may one day be able to accept. We miss having her next door but someone in California just got an awesome neighbor.

Her empty home won’t stand as a memorial for long. A developer plans to raze it and replace it with three upscale homes. This work might take place as early as next week. It’s progress, I guess, but it just won’t be the same without the comforting presence of Miss Ruth.

Magnus Hedemark : state of the nerd

April 29, 2016 11:26 AM

It’s been awhile since I’ve written, and much has changed. I thought it was time to lay down some updates. Since my last post, I’ve made some big career decisions.

Career

The elephant in the room. Let’s tackle that first.

Happiness is important. And it’s been a little while since I’ve had happiness in my career. I think the last time I was truly happy was the first time that I actually enjoyed being in a leadership position.

[a 3,000+ word essay about the last five years of my career was here]

I’m really happy to announce that I’ve resigned my role as Principal Software Engineer at NetSuite/Bronto to take on a role in the leadership team at Optum. I started on Monday as Manager of Continuous Delivery. And I’m hiring.

The last few years of my career, coinciding with when I switched from Management back into Engineering, have not been very fulfilling or challenging. The happiness has been missing for awhile. I’ve not had stake in influencing the kind of organizational growth and change that really make me want to come to work every day and do my best work. So I’m now back in Management, and I’m already getting access to influence the kinds of things that I’m really passionate about.

Reading

My reading habits had actually been hurt the last few months. My love for reading took a hit based on some other big changes that happened, mostly around my career path. I did read but I didn’t find joy in it. I don’t think I have any books that I want to single out right now as being wonderful. I know I’ve hit a couple of turkeys, but I’m not going to shame them here.

I’m looking at a stack of ten books on my desk that I’ve singled out for reading. The last time I was a manager, I read a lot of books that were meant to help me better understand the discipline and help me to imagine better solutions. When I went from Management to Engineering a few years ago, I’d found that my input was discouraged without the leadership title attached. This was true to the point that I even got a formal reprimand when I was at Red Hat for tweeting praise of Ricardo Semler’s book “Maverick”. So I’d drifted back into reading, and writing, fiction during my time as an Engineer.

The ten books I’ve singled out for reading that are sitting on my desk now:

  1. The 5 Languages of Appreciation in the Workplace: Empowering Organizations by Encouraging People
  2. Winning Teams, Winning Cultures
  3. The 7 Habits of Highly Effective People: Powerful Lessons in Personal Change
  4. Up The Mood Elevator: Your Guide to Success Without Stress
  5. The Practice of Management
  6. The Open Organization: Igniting Passion and Performance
  7. The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses
  8. Business Stripped Bare: Adventures of a Global Entrepreneur
  9. Leading the Transformation: Applying Agile and DevOps Principles at Scale
  10. Designing Delivery

I’ve also re-started my digital subscription to Harvard Business Review on my Kindle. I tend to use the Kindle only for things that I don’t feel I’ll want enduring hard copies of.

All of these books were picked specifically because they will help me to understand the existing leadership culture at Optum, or because they will help me to better focus my own individual leadership values.

Writing

Back in February I took a week off with my family and went to Clearwater Beach, Florida. I spent a little bit of that time on the balcony of my hotel room, overlooking the Gulf of Mexico, (re-)beginning the manuscript for a very existential science fiction story that’s been kicking around in my head. Unlike the last manuscript I wrote, which was done 100% electronically, this time I’ve been writing with a fountain pen on paper. Neither way is better than the other, but I will say that writing with a pen does change the cadence and does change the quality of writing.

I’ve been a badly behaved writer. Or perhaps I’ve been a typical one. I came home from Florida to a job that I was feeling really sad about, and this story that I’m writing is meant to be one of hope. I’d put down the pen and stopped writing. I haven’t touched the project in the last two months.

Perhaps now that I’ve so thoroughly rearranged my life, maybe I’ll get back to it. Though I’m still trying to figure out what my new routine is going to look like. I’m now part of an international organization. I have meeting requests for time slots outside of the traditional 9-5 which need to be respected because, well, there are no times that are convenient when you have attendees everywhere from Utah to Minnesota to India.

One of the things that worked well for me when writing My Love, My Slave was taking a Macbook Air everywhere with me. I’d chip away at that story any time I had five or ten spare minutes to call my own. I might need to do that again. That would mean abandoning the pen & paper approach to writing. Or maybe just putting that project away and starting with one of the others in my backlog that could better accommodate my hectic new schedule.

Fitness

I’ve been trying… again… to reclaim my fitness. I’m using apps to help me out now. Mostly MyFitnessPal and MapMyWalk. Since I’ve been so overweight for so long, I’m using a Scosche Rhythm+ armband heart rate monitor to help me find a cadence that lets me get to an aerobic workout without pushing too hard. I’m down eight pounds so far.

I’ve also splurged and picked up a Bowflex Max Trainer M5 for the house. It kind of scares me, to be honest. Even on the easiest setting, my heart rate shoots up to a level higher than I think is probably safe. I can only last a minute or two before my knees grind to a halt and can go no further. It’s going to be a long time before I can get a full fourteen minute workout out of this thing.


Mark Turner : Puerto Rico

April 28, 2016 05:39 PM

metric system
Spanish
beaches/urban
driving
small
no voting for president
cannon-fodder citizenship
coqui frogs
expensive electricity
abandoned Roosevelt Roads
three days getting back
old san juan
drinking and driving
hike up waterfall/rappelling/ziplining
gas prices (liters)
beaches in every direction
governor’s beachhouse
Hallie new friends (Kristen and James?)
star-filled skies
rough waters for Vieques
snorkeling off the beach
Mayoral races
iguanas like squirrels
cops on every corner in Old San Juan

Mark Turner : Tallying up electric vehicle savings

April 26, 2016 01:07 AM

I was showing off my electric car to an engineer friend when he asked me a very engineer-like question.

“So, how much money have you saved?” he grinned. “I know you’ve figured it out, right?”

“Well, yes and no,” was my response. I went on to briefly explain fluctuating electric and gasoline costs and how the solar panels must also factor in. It’s not so simple to say “I have saved x dollars.”

That said, I do have a record of my electricity usage, both before and after EV. I can figure out my cost of charging during off-peak hours and extrapolate that over the time we’ve owned the car. Perhaps I can find a resource that shows the average price of unleaded gasoline for the past year or so. Finally, I can say with certainty how many miles I’ve driven. Putting all of this into a spreadsheet ought to give me a ballpark figure on how much it has cost to drive. Then I can factor in the skipped oil changes and other unneeded mechanical work and get a decent guess as to what we’ve saved.

This might be a fun Saturday afternoon project.

Warren Myers : turn on spf filtering with postfix and centos 7

April 25, 2016 08:44 AM

After running my new server for a while, I was noticing an unusually-high level of bogus email arriving in my inbox – mail that was being spoofed to look like it was coming from myself (to myself).

After a great deal of research, I learned there is a component of the DNS specification that allows for TXT or SPF records. Sender Policy Framework was developed to help mail servers identify whether or not messages are being sent by servers authorized for the domains they claim to come from.

While there is a huge amount of stuff that could be added into a SPF record, what I am using for my domains is:

"v=spf1 mx -all"

Note: some DNS providers (like Digital Ocean) will make you use a TEXT record instead of a dedicated SPF record (which my registrar / DNS provider Pairnic supports).

If they require it to be via a TXT record, it’ll look something like this: TXT @ "v=spf1 a include:_spf.google.com ~all"

Starting with this old how-to I found for CentOS 6, I added the policy daemon for Postfix (though it’s now in Python and not Perl) thusly:

yum install pypolicyd-spf

(I already had the EPEL yum repository installed – to get it setup, follow their directions, found here.)

Then I edited the master.cf config file for Postfix, adding the following at the bottom:

policy unix - n n - 0 spawn user=nobody argv=/bin/python /usr/libexec/postfix/policyd-spf

Note: those are actually tabs in my config file – but spaces work, too.

When you’re done with your edits and record additions, restart Postfix:

systemctl restart postfix

Then you’ll see messages like this in your /var/log/maillog file:

Apr 23 18:58:59 khopesh postfix/smtpd[18199]: NOQUEUE: reject: RCPT from unknown[197.27.40.169]: 550 5.7.1 <warren@datente.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=warren@datente.com;ip=197.27.40.169;r=warren@datente.com; from=<warren@datente.com> to=<warren@datente.com> proto=ESMTP helo=<[197.27.40.169]>

And if you follow the directive to go visit the “Why” page on OpenSPF, you’ll see something like this explanation:


Why did SPF cause my mail to be rejected?

What is SPF?

SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider’s setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.

Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient’s mail server detected this and blocked the message.

warren@datente.com rejected a message that claimed an envelope sender address of warren@datente.com. warren@datente.com received a message from 197.27.40.169 that claimed an envelope sender address of warren@datente.com.

However, the domain datente.com has declared using SPF that it does not send mail through 197.27.40.169. That is why the message was rejected.
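To make the reject above concrete, here is an added example (my own code, not pypolicyd-spf and not the post’s) of the evaluation a policy daemon performs: it walks the mechanisms of an SPF record left to right and returns the qualifier of the first one the client IP matches. DNS is replaced by a constructed, offline table so it runs anywhere; the datente.com record is the one from the post and 197.27.40.169 is the client from the maillog line, but the MX host, its address and the example.org/_spf.example.net records are invented for the demo (the post’s real include target is _spf.google.com, whose contents are not on the page). Function names (check_host, policy_action) are mine.

```python
import ipaddress

# Constructed, offline stand-in for DNS. None of these are real lookups;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
FAKE_DNS = {
    "datente.com": {                      # the post's "v=spf1 mx -all"
        "TXT": ["v=spf1 mx -all"],
        "MX": ["mail.datente.com"],       # invented for the demo
        "A": ["203.0.113.10"],            # invented: web host, not a mail host
    },
    "mail.datente.com": {"A": ["203.0.113.25"]},
    "example.org": {                      # shape of the post's TXT-style record
        "TXT": ["v=spf1 a include:_spf.example.net ~all"],
        "A": ["203.0.113.50"],
    },
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF text, or None if it publishes no policy."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate client IP `ip` against the SPF policy of `domain`.

    Covers the mechanisms used in the post (mx, a, include, all) plus ip4.
    A full RFC 7208 evaluator also handles ip6, exists, ptr, redirect=,
    macros and the 10-DNS-lookup limit; only the recursion cap is kept here.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include only "matches" when the referenced policy passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched, no "all" term


def policy_action(result):
    """Map an SPF result to a Postfix policy-server reply. Only a hard fail
    rejects, mirroring the post's 550; every other result hands the decision
    back to the rest of Postfix's restrictions with DUNNO."""
    if result == "fail":
        return "action=550 5.7.1 Message rejected due to: SPF fail - not authorized"
    return "action=DUNNO"


if __name__ == "__main__":
    for ip in ("197.27.40.169", "203.0.113.25", "203.0.113.10"):
        result = check_host(ip, "datente.com")
        print(f"{ip:15} {result:8} {policy_action(result)}")
```

Two things the walk-through makes visible that the one-line record hides: with “mx -all”, mail sent from the domain’s own web host (its A record) is rejected just like the spoofed client, because only the MX hosts are listed; and “~all” yields softfail, which the policy daemon above does not reject, so a domain publishing softfail still gets its forgeries delivered unless the receiving side chooses to act on softfail as well.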


Tarus Balog : Welcome Ecuador (Country 29)

April 22, 2016 03:49 PM

It is with mixed emotions that I get to announce that we now have a customer in Ecuador, our 29th country.

My emotions are mixed as my excitement at having a new customer in a new country is offset by the tragedy that country suffered recently. Everyone at OpenNMS is sending out our best thoughts and we hope things settle down (quite literally) soon.

They join the following countries:

Australia, Canada, Chile, China, Costa Rica, Denmark, Egypt, Finland, France, Germany, Honduras, India, Ireland, Israel, Italy, Japan, Malta, Mexico, The Netherlands, Portugal, Singapore, Spain, Sweden, Switzerland, Trinidad, the UAE, the UK and the US.

Mark Turner : Is Facebook secretly snooping on my photos to serve ads?

April 22, 2016 02:59 PM

I’ve been taking part in an experimental drug study at the local Veterans Administration hospital. Now that the study is wrapping up, I thought it might be wise to take a photo of my medicine bottle for future reference. So, during a break in traffic on my way to my appointment the other day, I picked up my work Android phone and snapped some photos of my medicine bottle, like this one.

Until this blog post I hadn’t shared this photo with anyone.

All seemed well until I logged into Facebook on the same phone yesterday. That’s when I was astonished to see this targeted ad show up in my Facebook feed.

Holy shit! What are the odds that Facebook would just happen to serve up an ad that matched a photo I took less than 24 hours earlier, a photo that I hadn’t shared with anyone? Call me paranoid but I can’t even fathom the odds that this is coincidental. I don’t post any medical stuff on Facebook, have never mentioned medicine or bottles or … anything. No keywords. There is nothing I’ve shared voluntarily on Facebook that could have summoned an ad that just happens to match a photograph I had just taken but never intended to share.

Did my Facebook app spy on my private photo to serve me this ad?

The simplest explanation is that Facebook is snooping on my phone’s photos and using them without my knowledge to send me targeted ads. There is just no way this can be coincidental.

This makes me furious. That Facebook monetizes the content that I willingly share isn’t the issue; after all, I’ve long understood that if something is free then that makes me the product. The issue is whether Facebook may be making use of the content that I am not willing to share, behind my back! It certainly looks like it is.

So, can Facebook do this? Certainly Facebook Messenger has raised privacy issues, one of the many reasons I don’t use it. Back in November, Facebook added a feature to Messenger called “Photo Magic,” which automatically scours your phone’s photos, allegedly to automatically tag and alert any Facebook friends it finds. Says Yahoo Business News:

In a bit of “Photo Magic,” Facebook is testing a new feature to make it easier to share your photos with friends — before you even upload them to the social network.

Using facial recognition, Facebook Messenger will look through your newly taken photos in your phone’s camera roll to identify your friends in them.

If Photo Magic recognizes one of your friends, Messenger will immediately send you a notification to send it to the person in the photo, so you don’t have to go the extra step to message or text them later.

Is tagging friends the only thing Facebook is doing when it’s snooping through your photos, or is it also using your photos to send you targeted ads? And what about the regular Facebook app? Did Photo Magic get quietly slipped into it as well?

To double-check what permissions I granted the Facebook app, I checked the listing on Google Play:

This app has access to:
Device & app history: retrieve running apps

Identity: find accounts on the device, read your own contact card, add or remove accounts

Calendar: add or modify calendar events and send email to guests without owners’ knowledge, read calendar events plus confidential information

Contacts:
find accounts on the device, read your contacts, modify your contacts

Location:
precise location (GPS and network-based), approximate location (network-based)

SMS: read your text messages (SMS or MMS)

Phone: read phone status and identity, write call log, read call log, directly call phone numbers

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

Microphone: record audio

Wi-Fi connection information: view Wi-Fi connections

Device ID & call information: read phone status and identity

Other: adjust your wallpaper size, receive data from Internet, download files without notification, control vibration, reorder running apps, run at startup, draw over other apps, send sticky broadcast, connect and disconnect from Wi-Fi, create accounts and set passwords, change network connectivity, prevent device from sleeping, set wallpaper, install shortcuts, expand/collapse status bar, read battery statistics, read sync settings, toggle sync on and off, read Google service configuration, view network connections, change your audio settings, full network access

Pretty all-encompassing list, isn’t it? For comparison, I looked up the permissions to Facebook Messenger:

This app has access to:

Identity:
find accounts on the device, read your own contact card, add or remove accounts

Contacts: find accounts on the device, read your contacts, modify your contacts

Location: precise location (GPS and network-based), approximate location (network-based)

SMS: edit your text messages (SMS or MMS), receive text messages (SMS), send SMS messages, read your text messages (SMS or MMS), receive text messages (MMS)

Phone: read phone status and identity, read call log, directly call phone numbers, reroute outgoing calls

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

Microphone: record audio

Wi-Fi connection information:
view Wi-Fi connections

Device ID & call information: read phone status and identity

Other: receive data from Internet, download files without notification, control vibration, run at startup, draw over other apps, pair with Bluetooth devices, send sticky broadcast, create accounts and set passwords, change network connectivity, prevent device from sleeping, install shortcuts, read battery statistics, read sync settings, toggle sync on and off, read Google service configuration, view network connections, change your audio settings, full network access

You can see that Messenger has a few extra things that one would expect for a messenger app, such as more SMS rights, but look at the storage and camera rights:

Facebook:

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

Messenger:

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

As you can see above, the rights both the standard Facebook app and Facebook Messenger use to read your photos, videos, and camera are identical, thus there is nothing from Android’s point of view that prevents the Facebook app from spying on your private photos the same way Messenger’s Photo Magic does.

So, am I being paranoid? Perhaps, but I am highly suspicious that something underhanded is going on here. The chances of this ad being shown to me are just too high not to be nervous. Further investigation is warranted.

A few parting thoughts:

  • I never opted in to allow Facebook access to photos I did not explicitly share (i.e., Photo Magic).
  • I cannot find any settings in the Facebook mobile app that might disable this feature.
  • If Facebook has access to my private photos, then state security organizations can, too.
  • Android 6.x offers the ability to fine-tune app permissions. It can’t get deployed to my phones fast enough.

Mark Turner : KeePass2Android password manager

April 20, 2016 01:29 AM

keepass2android

At $WORK, I use a commercial password management tool that seems to fit my needs as well as the company’s. For my home use, however, I prefer open source.

My password manager of choice has been KeePass. I like its open nature and wide variety of supported platforms. As I began to use it regularly, though, I realized that keeping all these password databases in sync is a huge challenge. Earlier this week I went searching to see if another open source password manager might do the trick and thanks to this post on the excellent Linuxious blog I discovered KeePass2Android.

KeePass2Android is a fork of KeePass and uses KeePass’s same libraries to manipulate its databases. The big win for KeePass2Android, though, is its extensive support for remote files. It supports databases hosted on popular file-sharing tools such as Google Drive, DropBox, Box.com, as well as SFTP-and-WebDAV-hosted files. It’s also been rewritten from Java to Mono for Android, which seems to be snappier than the Java version.

Now I have KeePass2Android installed on all of my devices and pointed to the same database! That’s one big feature now no longer solely the domain of commercial password managers. Score one for open source!

Mark Turner : The mystery of place memory

April 20, 2016 12:17 AM

Yesterday, I was leaving my desk for a meeting when I realized I had my high-tech, shiny Macbook Pro in one hand and a low-tech notepad in the other. There was no reason I needed a notepad when I had my laptop and yet it didn’t seem right not to attend a meeting without it.

After pointing out my absurdity to my coworkers for a laugh, I pondered how writing something down with a pencil or pen seems to strengthen my recall of it. I could easily type whatever I’d be jotting down and do it much faster with a computer, yet I’m certain I would not retain it as well as if I had used a pen or pencil.

Watching my dog make his rounds to all of the neighborhood pee spots got me thinking of how a dog’s world must be organized. Smells act as a dog’s map. If a dog finds a treat somewhere in the house, the dog will continually check that spot long afterward. Even if that treat was there only once. Dogs seem to create memories based on place (and reinforced with one of the strongest memory-making senses, the sense of smell).

I also thought of how we humans tend to organize our memories based on place. When recalling a fact or replaying a memory in our heads, we often instinctively look up to a particular place in space, as if that spot in physical space somehow holds the answer. Another example is how walking into a new room sometimes instantly erases the memory of what you were looking for. Or how a visit to old stomping grounds can ferret out long-lost memories.

We are oriented to operate in 3D space, so it makes sense that our memory process might be similarly designed. Check out some fascinating research on this topic and the role that the brain’s retrosplenial cortex plays.

Warren Myers : helping a magpierss-powered site perform better

April 19, 2016 11:52 PM

I rely on MagpieRSS to run one of my websites. (If you’d like to see the basic code for the site, see my GitHub profile.)

One of the drawbacks to Magpie, and dynamic websites in general, is they can be bottlenecked by external sources – in the case of Magpie, those sources are the myriad RSS feeds that Datente draws from.

To overcome some of this sluggishness, and to take better advantage of Magpie’s caching feature, I recently started a simple cron job to load every page on the site every X minutes – this refreshes the cache and keeps the reader experience responsive. By scheduling a background refresh of every page, I cut average page load times by nearly a factor of 10! While this is quite dramatic, my worst-performing page was still taking upwards of 10 seconds to load a not-insignificant percentage of the time 🙁

Enter last week’s epiphany – since RSS content doesn’t change all that often (even crazy-frequent-updating feeds rarely exceed 4 updates per hour), I could take advantage of a “trick”, and change the displayed pages to be nearly static (I still have an Amazon sidebar that’s dynamically-loaded) – with this stupidly-simple hack, I cut the slowest page load time from ~10-12 seconds to <1: or another 10x improvement!

“What is the ‘trick’,” you ask? Simple – I copied every page and prefixed it with a short character sequence, and then modified my cron job to still run every X minutes, but now call the “build” pages, redirecting the response (which is a web page, of course) into the “display” pages. In other words, make the display pages static by building them in the background every so often.

If you’d like to see exactly how I’m doing this for one page (the rest are similar), check out this stupidly-short shell script:

(time (/bin/curl -f http://datente.com/genindex.php > ~/www/index.php)) 2>&1 | grep real

(The time is in there for cron reporting.)
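One caveat with the one-liner above: the shell opens and truncates ~/www/index.php before curl runs, so if the fetch fails (curl -f exits non-zero on an HTTP error, or the build page times out) readers are served an empty display page until the next cron run. The following is an added example, my own code rather than the post’s script, of the same build/display trick written so that the display page is only ever replaced by a complete new copy. It assumes the post’s build URL and output path; http_fetch and build_page are names I chose.

```python
import os
import tempfile
import time
from typing import Callable
from urllib.request import urlopen


def http_fetch(url: str, timeout: float = 30.0) -> bytes:
    """Fetch a rendered page; like `curl -f`, an HTTP error status raises."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def build_page(fetch: Callable[[], bytes], dest: str) -> float:
    """Render a page via fetch() and atomically replace dest with it.

    Returns the elapsed seconds (what the post's `time ... | grep real`
    reports). If fetch() raises or returns an empty body, dest is left
    exactly as it was, so a failed build never blanks the live page.
    """
    start = time.monotonic()
    body = fetch()                      # any exception propagates before dest is touched
    if not body:
        raise RuntimeError(f"empty body, keeping previous copy of {dest}")
    # Write to a temp file in the same directory so the final rename stays on
    # one filesystem and is atomic: readers see the old page or the new one,
    # never a partially written file.
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp_path = tempfile.mkstemp(prefix=".build-", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(body)
            f.flush()
            os.fsync(f.fileno())        # on disk before it becomes visible
        os.chmod(tmp_path, 0o644)       # mkstemp creates 0600; the web server must read it
        os.replace(tmp_path, dest)
    finally:
        if os.path.exists(tmp_path):    # only true if something failed before the rename
            os.unlink(tmp_path)
    return time.monotonic() - start


if __name__ == "__main__":
    # The post's build/display pair, assumed from its shell one-liner.
    elapsed = build_page(
        lambda: http_fetch("http://datente.com/genindex.php"),
        os.path.expanduser("~/www/index.php"),
    )
    print(f"real {elapsed:.2f}s")
```

Run from the same cron entry in place of the curl line; on failure the script exits non-zero with the exception in cron’s mail, and the previously built page keeps serving.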

Mark Turner : Parks board past

April 19, 2016 11:06 PM

While fueling up at the gas station this morning, I recognized the gentleman behind me as Ed Morris, the former chair of the Mordecai Historic Park board on which I served for four years. Ed was happy to see me and we caught up for a bit as we haven’t seen each other in far too long.

I was touched when Ed told me I was missed over at Mordecai. Serving on Mordecai’s board was not only a committee assignment for me while I was on the Parks board but it was also a personal treat. I am proud that I participated in the project to create an Interpretive Center at Mordecai and worked with the community to build consensus for the plan. It was a fun group to serve with, and then in a flash it was over.

I’ve turned my attention to other endeavors but I will always be proud of Raleigh’s parks. I hope to continue getting Dix Park designed, which would pretty-much top it all.

Tarus Balog : Agent Provocateur

April 19, 2016 03:31 PM

I’ve been involved with the monitoring of computer networks for a long time, two decades actually, and I’m seeing an alarming trend. Every new monitoring application seems to be insisting on software agents. Basically, in order to get any value out of the application, you have to go out and install additional software on each server in your network.

Now there was a time when this was necessary. BMC Software made a lot of money with its PATROL series of agents, yet people hated them then as much as they hate agents now. Why? Well, first there was the cost, both in terms of licensing and in continuing to maintain them (upgrades, etc.). Next there was the fact that you had to add software to already overloaded systems. I can remember the first time the company I worked for back then deployed a PATROL agent on an Oracle database. When it was started up it took the database down as it slammed the system with requests. Which leads me to the final point, outside of security issues that arise with an increase in the number of applications running on a system, the moment the system experiences a problem the blame will fall on the agent.

Despite that, agents still seem to proliferate. In part I think it is political. Downloading and installing agents looks like useful work. “Hey, I’m busy monitoring the network with these here agents”. Also in part, it is laziness. I have never met a programmer who liked working on someone else’s code, so why not come up with a proprietary protocol and write agents to implement it?

But what bothers me the most is that it is so unnecessary. The information you need for monitoring, with the possible exception of Windows, is already there. Modern operating systems (again, with the exception of Windows) ship with an SNMP agent, usually based on Net-SNMP. This is a secure, powerful, extensible agent that has been tried and tested for many years, and it is maintained directly on the server itself. You can use SNMPv3 for secure communications, and the “extend” and “pass” directives to make it easy to customize.

Heck, even Windows ships with an extensible SNMP agent, and you can also access data via WMI and PowerShell.

But what about applications? Don’t you need an agent for that?

Not really. Modern applications tend to have an API, usually based on ReST, that can be queried by a management station for important information. Java applications support JMX, databases support ODBC, and when all that fails you can usually use good ol’ HTTP to query the application directly. And the best part is that the application itself can be written to guard against a monitoring query causing undue load on the system.

At OpenNMS we work with a lot of large customers, and they are loath to install new software on all of their servers. Plus, many of our customers have devices that can’t support additional agents, such as routers and switches, and IoT devices such as thermostats and door locks. This is the main reason why the OpenNMS monitoring platform is, by design, agentless.

A critic might point out that OpenNMS does have an agent in the remote poller, as well as in the upcoming Minion feature set. True, but those act as “user agents”, giving OpenNMS a view into networks as if it was a user of those networks. The software is not installed on every server but instead it just needs the same access as a user would have. So, it can be installed on an existing system or on a small system purchased for that purpose, at a minimum just one for each network to be monitored.

While some new IT fields may require agents, most successful solutions try to avoid them. Even in newer fields such as IT automation, the best solutions are agentless. They are not necessary, and I strongly suggest that anyone who is asked to install an agent for monitoring question that requirement.

Mark Turner : Exercise Is ADHD Medication – The Atlantic

April 17, 2016 10:10 PM


Mental exercises to build (or rebuild) attention span have shown promise recently as adjuncts or alternatives to amphetamines in addressing symptoms common to Attention Deficit Hyperactivity Disorder (ADHD). Building cognitive control, to be better able to focus on just one thing, or single-task, might involve regular practice with a specialized video game that reinforces “top-down” cognitive modulation, as was the case in a popular paper in Nature last year. Cool but still notional. More insipid but also more clearly critical to addressing what’s being called the ADHD epidemic is plain old physical activity.

Source: Exercise Is ADHD Medication – The Atlantic

Mark Turner : Russia’s military rejects U.S. criticism of new Baltic encounter | Reuters

April 17, 2016 01:58 PM

The USS Donald Cook (DDG-75) was buzzed earlier this week by a pair of Russian SU-24 Fencer bombers as the Cook transited the Baltic Sea. The Fencers flew an attack profile and flew within 100 feet (and some say within 30 feet) of the Cook in what the Cook skipper CDR Charles Hamilton called an unsafe and unprofessional manner.

While the incident was unusually unsafe, this kind of response from Russia is no surprise. Russia has long been irked by the U.S. Navy’s stubborn insistence on exercising its right of free passage through international waters, including the Baltic and Black Seas near Russia’s coast. Russia has a history of aggressively challenging the U.S. Navy as it operates in these areas, behavior which has sometimes resulted in collisions.

While some old-salt Navy shipmates have criticized the Cook’s response as “weak,” the truth is that the Cook is extraordinarily capable of defending itself and could have easily handled the Fencers. However, given the history of operating near Russia, the Cook was almost certainly prepared for this aggressive response to its presence and did not take Russia’s bait by refusing to escalate the confrontation.

Given the close call of this latest incident, though, I don’t know if the U.S. Navy will be so willing to play nice the next time around. I would not be surprised if any future Russian bombers that pretend-attack a U.S. Navy warship operating near Russia get pretend-lit-up by that ship’s weapons radars.

Overall, though, the Russian military remains a shadow of its former self. The plunging oil prices have gutted Russia’s military funding. These highly-publicized dangerous confrontations are nothing more than propaganda used to prop up Russian nationalism.

In short, nothing to see here. Move along.

Russia’s military rejected criticism by U.S. European Command on Sunday that a Russian jet had made aggressive maneuvers near a U.S. reconnaissance plane over the Baltic Sea, a second incident in the region between the Cold War-era foes in the past week.

Source: Russia’s military rejects U.S. criticism of new Baltic encounter | Reuters

Mark Turner : Too busy to blog

April 16, 2016 10:21 PM

I’m hoping to catch up at some point with documenting all of the stuff that’s been going on lately. We’ve had a trip to Savannah, a trip to Puerto Rico, and a work trip to Boulder. I’ve been pretty exhausted in-between, too. Hopefully tonight and tomorrow I’ll have time to properly write it all down. Stay tuned.

Warren Myers : how did i never know about .ssh/config?

April 14, 2016 12:56 AM

I’m sure folks have tried to explain this to me before, but it wasn’t until today that it finally clicked – using .ssh/config will save you a world of hurt when managing various systems from a Linux host (I imagine it works on other platforms, too – but I’ve only started using it on CentOS).

Following directions I found here, I started a config file on a server I use as a jump box. In it I have an entry for my web server, and I’ll be adding other frequently-accessed servers to it as time goes on.

Thanks, nerderati, man pages … and whoever else tried to explain this to me before but I didn’t grok.
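The kind of .ssh/config the post describes, as an added example that is not the post’s own file: a jump box alias, a web server reached through it, and defaults at the end. The aliases, host names and key paths are constructed placeholders. `ssh_config_value` is a small resolver written here to show how OpenSSH applies the file (first value seen for an option wins, so defaults belong at the bottom); it handles exact aliases and `Host *` only, not full glob or negated patterns.

```shell
# write_sample_ssh_config FILE: write the constructed config and lock its permissions
# (ssh refuses a config that other users can write to).
write_sample_ssh_config() {
    cat > "$1" <<'EOF'
# Constructed example (not the post's own). Aliases, hosts and key paths are placeholders.
Host jump
    HostName jump.example.internal
    User ops
    IdentityFile ~/.ssh/id_ed25519_ops
    IdentitiesOnly yes

Host web
    HostName 10.0.3.21
    User deploy
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_deploy
    IdentitiesOnly yes

# Defaults last: ssh keeps the first value it sees for each option.
Host *
    ServerAliveInterval 60
    HashKnownHosts yes
    StrictHostKeyChecking ask
EOF
    chmod 600 "$1"
}

# ssh_config_value FILE ALIAS KEYWORD
# Prints the value KEYWORD resolves to for ALIAS, following the first-match rule.
ssh_config_value() {
    awk -v host="$2" -v key="$3" '
        BEGIN { active = 1; found = 0 }      # options before any Host line apply to all hosts
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        tolower($1) == "host" {              # new stanza: does any pattern match the alias?
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == host) active = 1
            next
        }
        active && !found && tolower($1) == tolower(key) { print $2; found = 1 }
    ' "$1"
}
```

With that file in place, `ssh web` lands on 10.0.3.21 as `deploy` via the jump host with only the intended key offered (`IdentitiesOnly`), and `ssh -G web` prints the resolved options from the real client. `ProxyJump` needs OpenSSH 7.3 or later; on the CentOS 7 OpenSSH 6.6 of the post’s era the equivalent line is `ProxyCommand ssh -W %h:%p jump`.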

Jesse Morgan : Puppet Enterprise + firewall = pain.

April 12, 2016 06:11 PM

I’ve been tasked with setting up puppet enterprise. For numerous reasons it’s shaping up to be the project from hell (some the fault of puppet, but many that aren’t), but I’d like to share this little tidbit for posterity.

The main issue I’ve run into is that our puppet server is in a highly restricted vlan with no internet access. Since puppet pulls its modules from puppetforge, this becomes problematic.  The solution we came up with is to explicitly state the git repo to use for each module in the Puppetfile.

Problem 1: Naming conventions.

I can’t keep 100% fidelity on the project names when we migrate them over: for the puppet module KyleAnderson/consul, I don’t want to create a KyleAnderson user, so I have to mangle it to merge the user and project name together (since project names alone may not be unique; e.g. if bob/ntp wrote his module for Windows and kevin/ntp wrote his module for Linux, we can’t just call either puppet/ntp or we’ll get a collision).

We go from this:

forge "http://forge.puppetlabs.com"
mod "KyleAnderson/consul", :latest
mod "arioch/redis", :latest
...

to

forge "http://forge.puppetlabs.com"
mod "KyleAnderson/consul", :latest
  :git => 'https://internalgit/puppet/KyleAnderson-consul'
mod "arioch/redis", :latest
  :git => 'https://internalgit/puppet/arioch-redis'
...

In order to do this, we needed to get the git repo for each and mirror it. Well, that was the intent.

Problem 2: Names don’t match

KyleAnderson/consul does not exist on github. After manually searching the forge, I see his URL is actually solarkennedy/consul. So this means we need to get the project URL for each module to be able to clone the git repo. After much experimentation with puppet help module, I realized I can search for the module name, export as yaml and grep out the project name. I end up using the following command to check out the 51 modules I need:

for i in `cat .file |sed -e 's/.*"\(.*\)".*/\1/'`; do puppet module search ${i} --render-as=yaml |grep project_url |sed -e 's/.*: //' |xargs git clone ; done;

Problem 3: Inconsistent project URLs

…except that only works for about 80% of the modules; the rest have bad URLs. Oh well, 43 is better than nothing.

OK, I have the modules now, time to check them into my git repo…

Problem 4: can’t check modules into git without the project existing first.

I have to create all 43 projects in the github enterprise web interface; that’s painful. I search and find documentation that eventually leads me to this little nugget:

for i in `ls` ; do curl -u "jmorgan3:$token" http://internalgit/api/v3/orgs/puppet/repos -d '{"name": "'${i}'"}' ; done

which creates 43 glorious repos. Then, I set the origin URL to my server:

for i in `ls` ; do cd $i ; echo $i ; git remote set-url origin git@internalgit:puppet/${i}.git ; cd ~/Projects/puppetmods/ ; done

and finally push them up

for i in `ls` ; do cd $i ; echo $i ; git remote -v ; cd ~/Projects/puppetmods/ ; done
for i in `ls` ; do cd $i ; echo $i ; git push ; cd ~/Projects/puppetmods/ ; done

Now I have all 43 modules checked into my internal git server.


I need to match up repos with modules (since the names may not match).

Problem 5: Repos were horribly named.

By using the repo names from the project URL, I still ended up with names like realmd, puppet-wordpress, and sssd. Hopefully this won’t bite us later.


I’ve commented out the remaining 7 unmatched projects, committed and pushed my Puppetfile changes, and am now rerunning “r10k deploy environment -pv”


Fingers crossed that this will work.


Problem 6: Bad syntax, I guess?

There were 100 little syntax issues with the Puppetfile. While I fixed most, this one was not resolvable:

# r10k deploy environment -pv
INFO -> Deploying environment /etc/puppetlabs/code/environments/master
INFO -> Environment master is now at 2481f9677469711705bcdb20dd9f0260466b955d
ERROR -> Failed to evaluate /etc/puppetlabs/code/environments/master/Puppetfile
Original exception:
wrong number of arguments (3 for 1..2)
INFO -> Deploying environment /etc/puppetlabs/code/environments/production
INFO -> Environment production is now at a6a7d5eda88334b0293d8534de81191a1375cf06
ERROR -> Failed to evaluate /etc/puppetlabs/code/environments/production/Puppetfile
Original exception:
wrong number of arguments (3 for 1..2)
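An added example (mine, not the post’s own script) that does the Problem 1 rewrite mechanically and avoids the Problem 6 trap: r10k’s `mod` takes a module name plus at most one more argument (a version/`:latest` for the Forge, or an options hash for git), which is exactly what `wrong number of arguments (3 for 1..2)` is complaining about when `:latest` and `:git => ...` are both given. The functions below turn Forge entries into git-mirror entries using the post’s user-project mangling. The internal git base URL and the sample Puppetfile are constructed.

```shell
# Constructed sample of the Forge-style Puppetfile the post starts from.
SAMPLE_PUPPETFILE='forge "http://forge.puppetlabs.com"
mod "KyleAnderson/consul", :latest
mod "arioch/redis", :latest
mod "puppetlabs/stdlib", "4.11.0"'

# mirror_repo_name FORGE_NAME
# user/project -> user-project, keeping the author so two "ntp" modules cannot collide.
mirror_repo_name() {
    printf '%s\n' "$1" | tr '/' '-'
}

# rewrite_puppetfile BASE_URL  (Puppetfile on stdin, rewritten Puppetfile on stdout)
# Every mod line that names a Forge module is re-pointed at BASE_URL/<mirror name>.
# The Forge version or :latest is dropped, because mod accepts only one of the two.
rewrite_puppetfile() {
    awk -v base="$1" -v q="'" '
        /^[[:space:]]*mod[[:space:]]+"[^"]+"/ {
            name = $0
            sub(/^[[:space:]]*mod[[:space:]]+"/, "", name)   # strip leading: mod "
            sub(/".*$/, "", name)                             # strip trailing: ", ..."
            repo = name
            gsub("/", "-", repo)                              # user/project -> user-project
            printf "mod \"%s\", :git => %s%s/%s%s\n", name, q, base, repo, q
            next
        }
        { print }                                             # forge line and anything else pass through
    '
}

# Usage: rewrite_puppetfile https://internalgit/puppet < Puppetfile > Puppetfile.new
```

Once the mirrors exist, pin each entry with `:ref => '<tag or commit>'` (r10k also accepts `:tag`, `:commit` and `:branch`) so the restricted VLAN deploys a reviewed revision rather than whatever the mirror’s default branch holds at deploy time.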

Problem 7: The control repo changed!

Between originally checking this out 3 weeks ago and now, they have gutted and rebuilt the example I was using. The rationale makes total sense (it was over-opinionated previously), but now the new version is incomplete, so I’m left twisting in the wind.


I have a call with our puppet reps scheduled shortly and will pick up there.

Warren Myers : wordpress plugins i use

April 11, 2016 10:46 PM

As promised last time, I now have a page dedicated to the WordPress plugins I use.

Check it out, here.

Warren Myers : use prettypress if you’re running a wordpress blog

April 04, 2016 09:12 AM

Like my list of used Chrome Extensions, I’m building a list of recommended WordPress plugins.

But until I get it done, I have to give some pretty big props to PrettyPress. It’s a plugin that lets you edit in Visual, Text, and Markdown – the markup format of sites like reddit, GitHub, GitLab, and the Stack Exchange family.

prettypress-screenshot

Warren Myers : a couple months late – but my prediction was pretty close

April 02, 2016 06:06 PM

Tesla’s Model 3 is debuting at $35,000.

That is distinctly in the range of most “normal” people to obtain.

It should be shipping sometime in 2017. I’d buy one.

Warren Myers : improve your entropy pool in linux

April 01, 2016 09:34 AM

A few years ago, I ran into a known issue with one of the products I use that manifests when the Red Hat Linux server it’s running on has a low entropy pool. And, as highlighted in that question, the steps I found 5 years ago didn’t work for me (turns out modifying the t parameter from ‘1’ to ‘.1’ did work (rngd -r /dev/urandom -o /dev/random -f -t .1), but I digress (and it’s no longer correct in CentOS 7 (the ‘t’ option, that is))).

In playing around with the Mozilla-provided SSL configurator, I noticed a line in the example SSL config that referenced “truerand”. After a little Googling, I found an opensource implementation called “twuewand”.

And a little more Googling about adding entropy, and I came across this interesting tutorial from Digital Ocean for “haveged” (which, interestingly-enough, allowed me to answer a 6-month-old question on Server Fault about CloudLinux).

Haveged “is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.”

And twuewand “is software that creates hardware-generated random data. It accomplishes this by exploiting the fact that the CPU clock and the RTC (real-time clock) are physically separate, and that time and work are not linked.”

For workloads that require lots of entropy (generating SSL keys, SSH keys, PGP keys, and pretty much anything else that wants lots of random (or strong pseudorandom) seeding), the very real problem of running out of entropy (especially on headless boxes or virtual machines) is something you can face quite easily / frequently.

Enter solutions like OpenRNG which are hardware entropy generators (that one is a USB dongle (see also this skh-tec post)). Those are awesome – unless you’re running in cloud space somewhere, or even just a “traditional” virtual machine.

One of the funny things about getting “random” data is that it’s actually very very hard to get. It’s easy to describe, but generating “truly” random data is incredibly difficult. (If you want to have an aneurysm (or you’re like me and think this stuff is unendingly fascinating), go read the Wikipedia entry on “Cryptographically Secure Pseudo Random Number Generator“.)

If you’re in a situation, though, like I was (and still am), where you need to maintain a relatively high quantity of fairly decent entropy (probably close to CSPRNG level), use haveged. And run twuewand occasionally – at the very least when starting Apache (at least if you’re running HTTPS – which you should be, since it’s so easy now).
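Before reaching for haveged or a hardware source, it helps to measure the problem the post describes. This is an added example (mine, not from the post): it reads the kernel’s entropy estimate and reports whether it is under a threshold, and takes the minimum over a few samples, which is the figure that matters during a burst of key generation. The default paths are the real /proc counters; the threshold and sample readings used when testing are constructed.

```shell
# Kernel counters on Linux: current estimate (bits) and the pool size it is measured against
# (4096 bits on the CentOS 7 era kernels the post talks about).
ENTROPY_AVAIL=/proc/sys/kernel/random/entropy_avail
ENTROPY_POOLSIZE=/proc/sys/kernel/random/poolsize

# entropy_status COUNTER_FILE THRESHOLD_BITS
# Prints "low" and returns 1 when the estimate is under the threshold, "ok" otherwise.
entropy_status() {
    avail=$(tr -dc '0-9' < "$1")
    [ -n "$avail" ] || { echo unreadable; return 2; }
    if [ "$avail" -lt "$2" ]; then
        echo low
        return 1
    fi
    echo ok
}

# entropy_min_over COUNTER_FILE SAMPLES INTERVAL_SECONDS
# Prints the lowest reading seen across SAMPLES readings taken INTERVAL_SECONDS apart.
entropy_min_over() {
    min=""
    i=0
    while [ "$i" -lt "$2" ]; do
        n=$(tr -dc '0-9' < "$1")
        if [ -z "$min" ] || [ "$n" -lt "$min" ]; then
            min=$n
        fi
        i=$((i + 1))
        if [ "$i" -lt "$2" ]; then
            sleep "$3"
        fi
    done
    printf '%s\n' "$min"
}

# Usage on a live host: ./entropy.sh --check   (threshold of 1000 bits is a constructed choice)
if [ "${1:-}" = "--check" ]; then
    printf 'pool size: %s bits\n' "$(cat "$ENTROPY_POOLSIZE")"
    printf 'lowest of 5 samples over 4 s: %s bits\n' "$(entropy_min_over "$ENTROPY_AVAIL" 5 1)"
    entropy_status "$ENTROPY_AVAIL" 1000
fi
```

Two caveats worth knowing when reading the numbers. The `rngd -r /dev/urandom -o /dev/random` line from the post feeds the kernel’s own output back into /dev/random, which raises the counter without adding any unpredictability the kernel did not already have; haveged at least derives its input from CPU timing jitter, and a hardware source such as the USB dongle mentioned is better still. And from Linux 5.6 onward /dev/random no longer blocks once the pool has been seeded at boot, so the counter matters mainly on the older kernels the post is about.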

Mark Turner : How one programmer broke the internet by deleting a tiny piece of code – Quartz

March 30, 2016 10:50 PM


This is a fascinating story of how one programmer’s deletion of 11 lines of his code wound up breaking the Internet. Yes, we are really that interconnected.

A man in Oakland, California, disrupted web development around the world last week by deleting 11 lines of code.

The story of how 28-year-old Azer Koçulu briefly broke the internet shows how writing software for the web has become dependent on a patchwork of code that itself relies on the benevolence of fellow programmers. When that system breaks down, as it did last week, the consequences can be vast and unpredictable.

Source: How one programmer broke the internet by deleting a tiny piece of code – Quartz

Tarus Balog : OpenNMS is Sweet Sixteen

March 30, 2016 03:15 PM

It was sixteen years ago today that the first code for OpenNMS was published on Sourceforge. While the project was started in the summer of 1999, no one seems to remember the exact date, so we use March 30th to mark the birthday of the OpenNMS project.

OpenNMS Project Details

While I’ve been closely associated with OpenNMS for a very long time, I didn’t start it. It was started by Steve Giles, Luke Rindfuss and Brian Weaver. They were soon joined by Shane O’Donnell, and while none of them are associated with the project today, they are the reason it exists.

Their company was called Oculan, and I joined them in 2001. They built management appliances marketed as “purple boxes” based on OpenNMS and I was brought on to build a business around just the OpenNMS piece of the solution.

As far as I know, this is the only surviving picture of most of the original team, taken at the OpenNMS 1.0 Release party:

OpenNMS 1.0 Release Team

In 2002 Oculan decided to close source all future work on their product, thus ending their involvement with OpenNMS. I saw the potential, so I talked with Steve Giles and soon left the company to become the OpenNMS project maintainer. When it comes to writing code I am very poorly suited to the job, but my one true talent is getting great people to work with me, and judging by the quality of people involved in OpenNMS, it is almost a superpower.

I worked out of my house and helped maintain the community mainly through the #opennms IRC channel on freenode, and surprisingly the project managed not only to survive, but to grow. When I found out that Steve Giles was leaving Oculan, I applied to be their new CEO, which I’ve been told was the source of a lot of humor among the executives. The man they hired had a track record of snuffing out all potential from a number of startups, but he had the proper credentials that VCs seem to like so he got the job. I have to admit to a bit of schadenfreude when Oculan closed its doors in 2004.

But on a good note, if you look at the two guys in the above picture right next to the cake, Seth Leger and Ben Reed, they still work for OpenNMS today. We’re still here. In fact we have the greatest team I’ve ever worked with in my life, and the OpenNMS project has grown tremendously in the last 18 months. This July we’ll have our eleventh (!) annual developers conference, Dev-Jam, which will bring together people dedicated to OpenNMS, both old and new, for a week of hacking and camaraderie.

Our goal is nothing short of making OpenNMS the de facto management platform of choice for everyone, and while we still have a long way to go, we keep getting closer. My heartfelt thanks go out to everyone who made OpenNMS possible, and I look forward to writing many more of these notes in the future.

Warren Myers : can you disable encryption on a windows server?

March 30, 2016 09:40 AM

This was asked recently on Server Fault.

I’m asking if there’s a way to prevent files from being encrypted. I’m referring to some extent to ransomware, but specifically I want the following scenario:

  • Windows File server w/ shares (on the E: drive)

I want a way to tell the above server “don’t allow files on the E: drive to ever be encrypted by anyone or any software/process.”

And, of course, the answer to this question is “no”, as I and others said:

No, you cannot prevent files from being encrypted. How is the OS supposed to know if a file is encrypted vs being of some format it doesn’t “know” about?

You can disable OS-level encryption, and perhaps some programs from running via GPO, but that cannot stop every program, nor users uploading already encrypted files.

What you want to do is ensure users are only putting files where they are supposed to – and no where else.

But more interesting is why you would even ask something like this: is it because you really only want “plaintext” files on the share? (Even when the “plaintext” is a binary format (like an EXE, PNG, etc?) I suppose there could be “value” in disallowing even the concept of encrypted files .. but since encrypted files look like files (albeit ones that are not readably openable).

And I think this really betrays an exceptionally poor understanding of what encryption is – and what it is not. Encryption is meant to protect (or hide) specific content (the “specific content” might be the entirety of your phone or hard drive, or an email, or a trade secret, etc) from eyes who shouldn’t be allowed to see what is happening. Yes, there is ransomware that will encrypt or obfuscate files or file systems and demand payment to be decrypted – but attempting to solve for that corner case by attempting to disallow even the concept of encrypted data is highly misguided: the way to prevent/mitigate ransomware is by a combination of good system management practices, solid IDS and IDP software/appliances, sane anti-virus policies, and general good user behavior. (And, maybe, by using OSes less targeted by ransomware authors.)

Warren Myers : how to turn a google+ community into a quasi “mailing list”

March 22, 2016 03:53 PM

Spurred by a recent question from an acquaintance in town, I asked on Google+ whether or not you can enable emailed notifications for a Community. This led to the elaborate Settings page for G+.

It turns out that if you combine enabling a Community’s “Community notifications” (under the specific Community’s settings, which you find by clicking the vertical ellipsis button on the Community page) with the following tree in your general Google+ settings, Notifications -> Email -> Communities -> Shares something with a community you get notifications from, you get a “mailing list” of sorts from your Community, which, niftily enough, also allows you to comment on the post via email (at least on the first notification of said post)!

Mark Turner : Reliable Sources under new ownership

March 21, 2016 12:57 AM

ReliableSources.com’s transfer to CNN is now complete, as the screenshot below shows. Sniff.

CNN-ReliableSources-screenshot-20160320

Mark Turner : Why Bernie Sanders Is Adopting a Nordic-Style Approach – The Atlantic

March 21, 2016 12:51 AM


Good article taking issue with those who say Bernie Sanders’s healthcare and college proposals won’t work
here like they do in Nordic countries.

Bernie Sanders is hanging on, still pushing his vision of a Nordic-like socialist utopia for America, and his supporters love him for it. Hillary Clinton, meanwhile, is chalking up victories by sounding more sensible. “We are not Denmark,” she said in the first Democratic debate, pointing instead to America’s strengths as a land of freedom for entrepreneurs and businesses. Commentators repeat endlessly the mantra that Sanders’s Nordic-style policies might sound nice, but they’d never work in the U.S. The upshot is that Sanders, and his supporters, are being treated a bit like children—good-hearted, but hopelessly naive. That’s probably how Nordic people seem to many Americans, too.

Source: Why Bernie Sanders Is Adopting a Nordic-Style Approach – The Atlantic

Mark Turner : How I almost invented Wikipedia

March 18, 2016 12:25 PM

Wikipedia Logo

I sold one of my domain names this month, reliablesources.com. I had that domain longer than I’ve had kids, registering it on 17 January 2000. Two months ago the domain became old enough to drive.

I remember just where I was when I decided to register the domain. I was in my entrepreneurial phase at the time, working with some extremely talented friends at NeTraverse and while I was on a business trip to Austin I dreamed up what I thought would be an innovative website.

I was a regular reader of the Slashdot (which was recently sold) nerd news website back then and was intrigued by its “karma” system of ranking posts. I wanted to apply this karma ranking to the people in the news, giving users the ability to rank what someone in the news says based on that person’s known credibility.

It was inspired by President Bill Clinton’s time in office. The Office of the President carries a lot of built-in credibility, for instance, so right away you’re going to listen to what the President says. But what if the President is caught lying (i.e., “I did not have sexual relations…”)? That should make one skeptical of whatever that President says, knocking down his or her karma score.

When TWA Flight 800 inexplicably blew up upon leaving Manhattan, the President’s statements now had to be weighed against the laws of physics, the statements of over one hundred witnesses, and collected evidence. Who wins when the President goes up against the laws of physics? Physics wins. Or at least physics should win, because if it’s wrong then our basic understanding of reality goes with it, but many people still fall for the “who are you going to believe, me or your lying eyes” line. My mythical Reliable Sources site would’ve given physics, being scientifically proven over thousands of years, a nearly unassailable karma score compared to a known lying President.

The site would’ve given news junkies like me a way of ranking people’s truthfulness, and encouraged others to provide evidence of that truthfulness so that everyone could work with the same evidence.

Sadly, though, I am not a website developer and never decided to focus on making this happen. The domain name sat unused since its registration until earlier this year when I began to get very eager inquiries to buy the domain from a domain broker. I considered ignoring him but he persisted until I had to concede that I was never going to do anything with the domain myself.

Once the deal went through I learned that the buyer was Time Warner, picking up the domain to use for its weekly media-critic show by the same name. I was not surprised that Time Warner was interested as I have known about the show for a long time. I’m actually surprised they didn’t approach me sooner as I might have sold it to them 10 years ago, but somehow no one asked until just now. I’m happy they will do something with it as I like the concept behind the show, though the media judging the media isn’t exactly what I would call subjective.

So I bid farewell to the domain, though maybe the idea behind it is still worth pursuing. I suppose that part of my idea has been implemented in a different way by Wikipedia with its peer-reviewed articles and insistence on citations. Had I been more motivated sixteen years ago, I might have invented Wikipedia a year before Jimmy Wales did.

Eric Christensen : Security Team Post-FAD Notes

March 16, 2016 03:05 PM

On 11 March, some of the Security Team met in Washington, D.C. for a day-long FAD where we discussed several issues.  Zach Oglesby released his notes from the meeting and I’ll be using those to describe my take-away from the meeting.

Security Updates

Right now Fedora has a couple of problems with getting security fixes onto people’s systems quickly.  The first has to do with embargoes.  Because Fedora isn’t part of the trusted network, we don’t get advance notification of vulnerabilities before their embargo is lifted.  This means that when we are notified of an urgent security vulnerability the public also has the information and we’re left scrambling to find the fix (patch, new version, etc) and ship it.  Some other flavors of Linux will have had advance notice and will have these patches or new versions packaged up and ready to ship when the embargo is lifted.

The other problem deals with the Fedora Mirror network.  Because there are many mirrors it could take many hours or days(?) to get a security update out to all Fedora users.  This has to do with the mechanisms involved for keeping the Mirror system efficient; not necessarily fast.  We discussed potential solutions for this problem as well.

Working with embargoes

Our solution to working with embargoes is to create a trusted team, with the appropriate tools, to deal with these issues so we can get a head start on urgent security vulnerabilities.

Right now the infrastructure isn’t in place to be able to handle embargoed vulnerabilities.  Red Hat’s Bugzilla instance is currently designed to hold embargoed information, which is good and we definitely want to leverage that resource, but we need our build system and perhaps even Bodhi to be able to support private builds.  The idea is to have the packages built and ready to ship before the embargo expires.  When the embargo is lifted we would just need to push the big red button and the packages would ship.

It would also be hoped that the fix would have gone through QA before the end of the embargoed period so that we’re fairly sure that we’re not breaking anything (other than the vulnerability) in the process.  For this part, we’re going to need trusted individuals to work on these issues.

Oh, and make no mistake, we aren’t trying to hide information forever.  To maintain the transparency that Fedora has been built on, all of the tools we use to handle embargoed information should be able to make that information public at the end of the embargo.  Bugzilla tickets would be opened up to the public and builds should be made available as well.

Trust

Trust is a difficult thing to define.  How do you establish trust and how do you penalize a break in that trust?  Simply put, we need a way to do both before we start handling sensitive information.  We might be able to show that we have the systems and the procedures for handling this information but the first time there’s a leak and it comes from inside Fedora it’s quite likely we will lose access to this information and be back to where we are today.

We will be working with legal and Fedora management (FPL, FESCo, and Release Engineering) to devise a plan and determine the best way to involve package maintainers, proven packagers, and QA.

Faster access to Security Fixes

Waiting hours or days for urgent security fixes to become available on mirrors really isn’t acceptable.  Recent critical vulnerabilities have seen exploits in the wild shortly after the vulnerability being made public.  We need to be able to get fixes out to users faster.

Debian uses separate servers to deliver security fixes until those fixes have propagated out to their normal mirrors.  This could work, especially with diff packages being used which are usually much smaller than the full package, but would increase the infrastructure needed to support disseminating packages.

There may also be a way to tweak our existing infrastructure to improve the time it takes to push these urgent packages out.  Either way, the Security Team will be working with Release Engineering to help figure out a solution.

Training

Another big topic we covered is training.  Many people turn to the Security Team to learn.  From a team point of view, we want to make sure our members have a common base of knowledge from which to work.  We decided to launch Apprentice and Journey level certifications that will provide this base of knowledge.

Apprenticeship

We worked through what we would want to see in a new member and created the Security Team Apprenticeship.  While not fully complete, we hope to have it ready in the coming months.

We also talked about mentors and what it means to be a mentor.

We didn’t put down many hard and fast rules and that’s okay.  We want people to be active and participate.  Hopefully the mentors won’t have a heavy lift and neither will the mentees.

Obligatory GPG Key Signing

Of course, a security FAD can’t end without the obligatory GPG key signing.  This was completed with two new members of the team.

The End

So what I’ve documented represents a day of work.  Thanks to all that participated, even if you only had a chance to pop in, virtually, and lend your opinions or support.  Hopefully we can do this again in a few months and work on new tasks.


Mark Turner : Hillary’s “tough bitch” problem

March 16, 2016 12:59 PM

Democratic Presidential Candidate Hillary Clinton Campaigns In Las Vegas
Hillary Rodham Clinton had some big wins during yesterday’s Super Tuesday primary elections, including North Carolina. Last night, a female Clinton supporter had this to say about her on a Facebook thread of a mutual friend:

[A friend] asked me today if I thought HRC could take on Putin. I told him “Oh yeah, she’s one tough bitch. No problem!”

This is precisely my problem with Hillary Clinton, that this would even be a consideration. Clinton’s desire to be “caught trying” often means she skips right over the “speak softly” part to the “carry a big stick” part. The last thing our country needs is a leader far too eager to look tough.

I wore the uniform in the early 1990s and served during Desert Storm. Since then I have cast a jaundiced eye towards unnecessary military adventures with dubious goals and shadowy benefactors. I’ve also become a parent of two kids. Maybe that makes me a little more sensitive than others to the possibility of dropping bombs on somebody else’s kids, usually for the benefit of the arms industry, the oil industry, or some other big-bucks special interest group that sees nothing but dollars in destroying foreign people and places.

Any trust I had in Clinton being a good leader was severely eroded with her ill-conceived vote authorizing war in Iraq and she has done little to restore it. I have no doubt she is intelligent, so why couldn’t she see what so many others could see about Iraq, that it was a sham? When the chips are down you see what a person is really made of. She failed that test.

Why does this champion of women crow gleefully when we sold tons of military equipment to Saudi Arabia, weapons almost certainly to be used to help suppress its own people? Saudi Arabia is not exactly known for its support of women’s rights, you know. It seems that for Clinton, supporting the sisterhood quickly took a backseat to defense contractor profits (and millions of dollars in donations to the Clinton Foundation from the Saudi Kingdom). And why did Hillary not support the efforts of Saudi women to even have the goddamn right to drive? Saying she felt she would hurt the cause doesn’t cut it. To her credit she finally came around, but only after public outcry here in America.

I don’t want a President who feels he or she has to act tough simply because it will hurt his or her image if not. I want a President who will use all the tools at his or her disposal to get a job done, with the military ones being last. I want a President who wants not just to be caught trying, but caught trying to do what’s right. I hope Hillary Clinton can be this person should she become President, but don’t blame me if she’s given me reason to be skeptical.

Tarus Balog : OpenNMS Horizon 17.1.1 Released

March 14, 2016 02:49 PM

Probably the last Horizon 17 version, 17.1.1, has been released. According to TWiO, the next release will be Horizon 18 at the end of the month, with Horizon 19 following at the end of May.

This release is mainly a maintenance release. It does contain one fix I used (NMS-8199), which allows for the state names in the Jira Trouble Ticketing plugin to be configured. This helps a lot if Jira is not in English.

If you are running Horizon 17, this should help it run a bit smoother.

Bug

  • [NMS-7936] – Chart Servlet Outages model exception
  • [NMS-8010] – Groups config rolled back after deleting a user in web UI
  • [NMS-8034] – Adding com.sun.management.jmxremote.authenticate=true on opennms.conf is ignored by the opennms script
  • [NMS-8048] – org.hibernate.exception.SQLGrammarException with ACLs on V17
  • [NMS-8075] – vacuumd-configuration.xml — Database error executing statement
  • [NMS-8113] – Overview about major releases in the release notes
  • [NMS-8153] – Can't modify the Foreign ID on the Requisitions UI when adding a new node
  • [NMS-8159] – When altering the SNMP Trap NBI config, the externally referenced mapping groups are persisted into the main file.
  • [NMS-8161] – Tooltips are not working on the new Requisitions UI
  • [NMS-8165] – OutageDao ACL support is broken causing web UI failures
  • [NMS-8177] – Install guide should use postgres admin for schema updates
  • [NMS-8199] – Allows state names to be configured in the JIRA Ticketer Plugin

Enhancement

  • [NMS-6404] – Allow send events through ReST
  • [NMS-8148] – Create pull request and contribution template to GitHub project

Task

  • [NMS-8151] – Remove all jersey artifacts from lib classpath

Mark Turner : Trump Rally No Joking Matter

March 12, 2016 05:00 PM


Scary first hand account of the meanness inside a Trump rally.

I almost missed it. I saw this photo of 2 young men holding a Trump sign at a Trump rally in my Facebook feed, which disappointed me, and I was ready to move on to better things, when I saw that the fella posting the photo (Jordan Ray Correll) had written: “DO NOT JUST SCROLL PAST THIS PICTURE WITHOUT READING THIS POST FIRST. THANK YOU.”

As a result of his comment I decided to take the time to read what he had posted about his experience, and I realized that my initial assumptions about the photo had been incorrect.

Source: Trump Rally No Joking Matter

Mark Turner : Al Franken to GOP, ‘Scientists tell us there are 10 and a half months left in this president’s term’

March 12, 2016 04:33 PM

Man, I love Al Franken. Here are his comments on YouTube.

Sen. Al Franken (D-MN) sat through all of the statements made by all of the Republicans in the Senate Judiciary Committee’s “debate” Thursday, and he had a lot to say to set the record straight. He started out responding to Sen. David Vitter (R-LA), who railed about “activist judges” and making sure that the court kept its ideological balance and that President Obama wouldn’t nominate another justice who would “legislate from the bench.” That definitely set the good senator from Minnesota off:

“This idea of nine unelected justices making law from the bench, that is what we have seen with the Roberts court. […] We had 100 votes in the Voting Rights Act. Unanimous vote by the United States senate. And what did Justice Scalia say? He said that, well, the senators voting for it because it was named to the Voting Rights Act. Remember that? […] I mean, this is insulting. To hear that. It is just insulting.”

Source: Al Franken to GOP, ‘Scientists tell us there are 10 and a half months left in this president’s term’

Warren Myers : more ad blocking extensions

March 10, 2016 08:05 PM

The list of ad blocking extensions I have installed has grown.

Add to the previous two these two:

Mark Turner : How I built a hoverboard company and then blew it up | TechCrunch

March 09, 2016 12:59 AM

This story has captivated me since I read it a few days ago. It has inspired me to maybe actually do something with those little side projects I’m always dreaming up.

I was first introduced to Hoverboards while watching Casey Neistat’s daily vlogs on YouTube. I thought, “Wow. That’s pretty cool!” and started searching online to purchase one myself. When I looked at the cost of an IOHawk at $1,800 or the Phunkeeduck at $1,500, I thought there had to be a cheaper way. That’s when I found out how cheap they would be if you bought them online in bulk straight from the manufacturer.

That was an intriguing idea, so I decided it wouldn’t hurt to order straight from China. I thought I would keep one and sell one, and if I could sell one, then maybe I could sell more. So I began the process.

Source: How I built a hoverboard company and then blew it up | TechCrunch

Warren Myers : an even cleaner facebook most recent feed

March 08, 2016 08:04 PM

Several months ago, I wrote up a brief how-to on just showing the most recent news feed on Facebook.

I added a new Chrome extension today that helps speed up your Facebook experience – Facebook Flat. It makes your Facebook views “flat” from a design perspective (no pun intended, but the extension falls a little flat on high-res screens with a fully-expanded browser window): it removes ads, reduces the color scheme, and generally makes it smoother.

If you combine this extension with loading https://m.facebook.com/home.php?sk=h_chr as your Facebook view (the mobile web edition in chronological order), the posts no longer fully fill the screen, but instead stay centered as just a news feed in the middle of your screen.

Combine with something like Auto Refresh, and you can automate a clean view for your Facebook feed.

Mark Turner : Does Raleigh make room for innovation?

March 07, 2016 02:22 PM

Now that I’ve lived half of my life in Raleigh I’ve been thinking more about how Raleigh grows. There seem to be two fundamental camps, one that welcomes innovation and the trying of new things, and the other that is very cautious about new things.

I’ve always been the kind who prefers when people play by the rules. But what if the rules aren’t really necessary? What if the rules make a situation worse?

My wife and I recently spent a delightful weekend alone in the City of Savannah. Savannah has long recognized the value of tourism (being a sea town. Duh.) and allows people to carry their open containers of alcohol anywhere they please. Savannah apparently does not have restrictions on outdoor seating at restaurants. Now, I was only there for one weekend but it seemed to me that chaos had not broken out. No souls were apparently lost. In fact, people seemed to be getting along just fine. On the other hand, Savannah does have strict laws against panhandling, which seemed to be respected. Overall, though, Savannah seems pretty laissez-faire about rules and restrictions and it looks like it works for them.

I couldn’t help but think of Raleigh while we walked the streets of Savannah, and how “loosening the reins” and seeing what happens doesn’t really come naturally to Raleigh. It’s like we have to be against something before we can be for it. This does not help to spur the innovation that we need to attract and grow world-changing businesses here. We are more reactive rather than proactive.

I imagine what Raleigh could accomplish if, rather than asking “why?”, it instead asked “why not?”

Mark Turner : Highlights of 2015: Aunts Linda and Mary

March 07, 2016 03:04 AM

Unfortunately, 2015 had its share of sorrow. In May, my Aunt Linda passed away after a long battle with cancer. I took bereavement leave from my job, hopped the southbound Amtrak, and went to the funeral in Winter Park, Florida. While the occasion could have been better, it was good to pay my respects and nice to see my cousins again. My Aunt Mary was married to my dad’s brother, Donald, and was quite active in her church.

In August, my Aunt Mary also passed away. Aunt Mary was married to my mom’s brother, Bub, and lived in Panama City. Unfortunately, I was unable to attend her funeral.

Both of my aunts were the sweetest women. It’s still hard accepting that they’re gone.

Mark Turner : Highlights of 2015: Family time

March 07, 2016 02:49 AM

At Hanging Rock State Park

We had a lot of good family time in 2015. The biggest family time item was our trip to Alaska, which will be discussed in a future blog post. But we also didn’t have to go far to have a fun time together.

Thumbs up for Thunder Road

In May, we took a family trip over to Charlotte for a day at Carowinds. Hallie’s friend Suzanna joined us for a day of roller coasters and water flumes. It was fun showing the kids around the park where I once worked, though it’s changing rapidly. Many of the attractions have been removed to make room for others. Also, we discovered after we left that the park’s premier wooden roller coaster, Thunder Road, would be dismantled later that summer. I’m so glad the kids got a chance to ride it while it was still around. For the record, they really enjoyed it, proclaiming it their favorite. The apples don’t fall from the tree, do they?

Hiking Umstead Park


In June, we spent a few days in a cabin in one of North Carolina’s best parks, Hanging Rock State Park. We hiked the trails, swam at the lake, played games back in the cabin, and generally had a great time. Both kids hiked this park like champs. We wore ourselves out but there’s no better feeling than going all-out in nature. Look at those smiles if you don’t believe me!

Skipping over the Alaska trip in August, we next hit the road for our “Cabin Christmas” at Fairy Stone State Park in southwestern Virginia, where we met Kelly’s family for the holiday. It was unseasonably warm at Christmas, so rather than snow activities we hiked and biked around the park and played football in a field. Though it was a drizzly, foggy time while we were there, we appreciated the outdoor time and family time.

Mark Turner : Highlights of 2015: Health investment

March 07, 2016 02:12 AM

Back to my Highlights of 2015 (it’s March, right?).

I made a lot of investments in my health in 2015. Working on Centennial Campus, I began to take regular walks around campus during lunchtime, often clocking 20 minutes or more of walking that way. When I took my new job in October, my office was within easy walking distance of my home. I began walking to work on a regular basis. Add this to a morning dog walk most weekday mornings and an occasional evening dog walk and I routinely clock over an hour of walking each day.

I also got on board with the Veterans Administration healthcare. This was spurred on by my usual health issues that I suspect are related to my Gulf War service. As I mentioned recently, the VA has taken pretty good care of me. I am also now in the middle of a drug trial for prednisone for treating Gulf War illness, but that started in February and not 2015!

For the first time ever I had a colonoscopy, taking place right before Thanksgiving. Can’t say it was a lot of fun but it did find two precancerous growths. The prep was the worst part; the procedure itself was a breeze. Because of the discovery of two growths I’m due back for another exam at the end of the year. What’s more, my immediate siblings are also at risk for unusual growths, so they also should get examined soon. Again, can’t say it is a lot of fun but it’s sure more fun than cancer!

Finally, as my health care plan was changing at the end of the year, I scheduled a septoplasty to fix my deviated septum. This was finally acting on something I first considered back in 2007. The same ENT doctor I visited in 2007 did the surgery in December, taking out an extra right sinus and moving my septum back towards the middle. Recovery wasn’t as painful as I expected but there were moments when breathing sub-freezing air caused my nose to sting so badly my eyes watered. Fortunately that didn’t last long and I was soon able to go on vigorous walks in the cold with no need to breathe through my mouth. Success!

I hope to invest even more in my health this year. I continue to walk to and from work, I still walk the dog most mornings before sunrise, I track my movement through Google Fit, and I am paying closer attention to what I eat. I want to be around to write the Highlights of 2016, you know.

Tarus Balog : Speeding Up OpenNMS Requisition Imports

March 04, 2016 07:32 AM

One thing that differentiates OpenNMS from other applications is the strong focus on tools for provisioning the system. If you want to monitor hundreds of thousands of devices, up to millions, the ordinary methods just don’t work.

Users of OpenNMS often create large requisitions from external database sources, and sometimes it can take a while for the import to complete. Delays can happen if the Foreign Source used for the requisition has a large number of service detectors for services that won’t exist on most devices.

For example, the default Foreign Source for Horizon 17 has about 15 detectors. Of those, only about 4 will exist on networking equipment (ICMP, SSH, HTTP and HTTPS). When scanning, this can add a lot of time per interface. Assuming 2 retries and a 3 second timeout, that would be 9 seconds for each non-existent service. With just 1000 interfaces, that’s 99000 seconds (9 seconds x 11 services x 1000 interfaces) of time just spent waiting, which translates to 27.5 hours.

Now, granted, the importer has multiple threads so the actual wait time will be less, but you can see how this can impact the time needed to import a requisition. This can be reduced significantly by tuning service detection to the bare minimum needed and perhaps adding other services later on a per device basis without scanning.

Warren Myers : on ads

March 03, 2016 10:03 PM

My colleague Sheila wrote a great, short piece on LinkedIn about ads recently.

And this is what I commented:

I held off for years in installing ad blockers/reducers.

But I have finally had to cave – been running Flash in “ask-only” mode for months now, and just added a couple blocker/reducer extensions to Chrome recently (in addition to the ones on my iPhone for Safari).

I like supporting a site as much as the next guy (I even run a few highly unobtrusive ones on my sites) – but I agree: when I can’t tell whether it’s your content or an ad, or even get through all the popovers, splashes, etc, I’m leaving and not coming back.

I hate the idea of ad blockers/reducers. But it is coming to such a point where you can’t read much of what is on the web because of the inundation of ads.

And mailing list offers. Oh my goodness the mailing list offers. Sadly, the only way to block those seems to be to disable javascript … which then also breaks lots of sites I need it to work on – and whitelisting becomes problematic with something like javascript, since it’s usefully ubiquitous (in addition to being uselessly ubiquitous).

For Safari on iOS 9, I have three blocker/reducer apps installed (they’re free, too: AdBlock Pro, AdBlock Plus, & Refine (App Store links)). It’d be nice if they worked for Firefox, Opera Mini, and Chrome, too – but alas they do not (yet).

I also run two blocking/reducing extensions in Chrome (my primary web browser) on my desktop – Adblock Plus & AdBlock.

Shame the web has come to this. Schneier’s written about it recently. As have Brad Jones & Phil Barrett.

Wired and Forbes even go so far as to tell you you’re running an ad blocker and ask to be whitelisted or pay a subscription.

Forbes’ message:

Hi again. Looks like you’re still using an ad blocker. Please turn it off in order to continue into Forbes’ ad-light experience.

And from Wired:

Here’s The Thing With Ad Blockers
We get it: Ads aren’t what you’re here for. But ads help us keep the lights on.
So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.

If you’re detecting my adblocker, maybe instead of telling me you won’t do anything until I whitelist you (or subscribe), you think about the problem with ads first.

Just a thought.

Mark Turner : The Case for Bernie: 5 Reasons the Vermont Socialist Deserves Your Vote | News | Indy Week

March 03, 2016 12:41 PM

Bob Geary on Bernie Sanders. I wholeheartedly agree.

Decimated. I’m watching Bernie Sanders following the South Carolina primary, and he’s not putting any gloss on the rout he suffered. Decimated is the word he uses.

So here’s where we are, Bernie fans. We had a tie and a close loss in the first two caucus states. We won big in the New Hampshire primary. We lost twice as big in South Carolina. This is all-too-familiar territory for those of us in Wolfpack Nation. Some early-season successes. Blown out by our first tough opponent. What did legendary N.C. State basketball coach Jimmy Valvano advise in such circumstances? “Too bad,” I think he said. “We’re hosed. We can’t win. We should drop out and root for Carolina.”

No! He didn’t say that! He said never give up! Never, ever give up! You know, like Hillary Clinton said this country will never, ever figure out how to ditch the insurance companies and save everybody money with Medicare for All—Bernie’s plan.

Well, Hillary has her never, ever, and Bernie supporters should have ours. We should vote for our guy if we want to, knowing he’s unlikely to win, but so was the ’83 Wolfpack—until they reeled off nine upsets in a row to take the national championship.

Notice, I am not trying to persuade Hillary’s fans to vote for Bernie. That would be like asking people in light blue shirts to put their thumb and middle fingers together while holding up the other two. Can’t happen.

Hillary’s voters have a right to their belief that the way the country’s going is the best we can hope for—and so what if we’re moving steadily to the right, ceding more and more power to corporations and the wealthy few? Because if the Republicans take the White House, we’d be worse off, and besides, Hillary has experience.

But for those not sold on Hillary, I offer these five reasons to vote for Bernie in the March 15 Democratic presidential primary.

Source: The Case for Bernie: 5 Reasons the Vermont Socialist Deserves Your Vote | News | Indy Week

Eric Christensen : Fedora Security Team FAD 2016

March 02, 2016 05:05 PM

In a couple of weeks (March 11th) the Fedora Security Team will be meeting in Washington, D.C. to hack on training, security fixes, and other issues.  All Fedora contributors are welcome to stop by if you’re in the area.

All the information is available on the Security Team FAD 2016 wiki page.  Please go there and RSVP!


Magnus Hedemark : William Hannah: paper tough enough for fountain pens?

March 01, 2016 02:15 AM

Fountain pens are brutal on paper. Moleskines are among the first to fall, paper failing in some disgusting combination of feathering, shadowing, and bleeding through when subjected to the abuse of a fountain pen. When the William Hannah Limited fan page on Facebook led a status update with the following, I expected them to fail:

Ever since our notebooks came to the attention of the Fountain Pen community, the attractiveness of our incoming mail has increased significantly….

The gauntlet had been dropped. These guys thought their paper was good enough for my juicy pens and their destructive inks. I wanted to get my hands on some of their paper, if only to issue an I told you so. We had a few public facing comments back and forth in short order, and it wasn’t long before we had the good laugh of private messages being fired off to one another at the same time. They were suggesting I might like to try a paper sample. I was suggesting they send me a paper sample. Well that was easy!

Less than a week later, a package had reached my door in North Carolina from their offices in the UK. I pretty much immediately got to digging through it. What I saw next surprised me.

If you want lined paper, they will have a color that will coordinate with your ink. Probably. Most likely. I mean, they sent me one each of many different colors of lined paper: grey, navy, royal blue, kingfisher, orange, lime, petrol, violet, fuchsia, crimson. They have those colors available in 5mm dot grid and 5mm grid (aka graph). They also included some plain unlined paper. Not included were some other filler page types they offer, like week to page diary, to do list, and weekly planner.

The paper feels similar in weight and texture to my 90gsm A5 Clairefontaine Triomphe stationery. I could not immediately find specs for the paper. The Clairefontaine is great stuff. I wouldn’t be surprised if they were the upstream manufacturer for William Hannah. This holds promise!

Shut up and tell us if it works!

I set loose upon one of the test sheets with a few pens, giving extra attention to my very juicy TWSBI Vac 700 that has been upgraded with a Goulet broad steel nib. I loaded most of the pens with my own ink blend, which I’m calling Purple Nurple, Mk I. Just for giggles and extra sadism, I mounted a titanium Zebra Comic G nib onto one of my 99 cent Jinhao X450 pens. I loaded it with Noodler’s Lexington Gray, which I’ve found to be among the first inks to feather or bleed through a paper with any weaknesses.

The results will be given as a simple scan, front and back.

Front:

Back:

Closer look:

Bottom line?

This paper is good stuff! It’s punched out to work in William Hannah’s own notebooks, which are far from cheap. At current exchange rates, it looks like one notebook would cost a little over $130 in the US market, but the paper refills for it are in a much more reasonable ballpark: about $13 for a 100 sheet refill.

Does anybody know if these pages are notched in the right way for any other commonly available notebooks? That might be the hot ticket.

Disclosure: This paper sampler was sent to me for free (gratis) without any expectation or promise of anything other than a brutally honest opinion. I wasn’t otherwise compensated for this review.


Warren Myers : putting owncloud 8 on a subdomain instead of a subdirectory on centos 7

February 29, 2016 05:41 PM

After moving to a new server, I wanted to finally get ownCloud up and running (over SSL, of course) on it.

And I like subdomains for different services, so I wanted to put it at sub.domain.tld. This turns out to be not as straightforward as one might otherwise hope, sadly – ownCloud expects to be installed to domain.tld/owncloud (and plops itself into /var/www/owncloud by default, or sometimes /var/www/html/owncloud).

My server is running CentOS 7, Apache 2.4, and MariaDB (a drop-in replacement for MySQL). This overview is going to presume you’re running the same configuration – feel free to spin one up quickly at Digital Ocean to try this yourself.

Start with the ownCloud installation instructions, which will point you to the openSUSE build service page, where you’ll follow the steps to add the ownCloud community repo to your yum repo list, and install ownCloud. (In my last how-to, 8.0 was current – 8.2 rolled-out since I installed 8.1 a couple days ago.)

Here is where you need to go “off the reservation” to get it ready to actually install.

Add a VirtualHost directive to redirect http://sub.domain.tld to https://sub.domain.tld (cipher suite list compiled thusly):


<VirtualHost *:80>
ServerName sub.domain.tld
Redirect permanent / https://sub.domain.tld/
</VirtualHost>

Configure an SSL VirtualHost directive to listen for sub.domain.tld:


<VirtualHost *:443>
SSLCertificateFile /etc/letsencrypt/live/sub.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sub.domain.tld/fullchain.pem
DocumentRoot /var/www/subdomain
ServerName sub.domain.tld
ErrorLog logs/subdomain-error_log
CustomLog logs/subdomain-access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerAdmin user@domain.tld
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLOptions +StdEnvVars
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# allow .htaccess to change things (ownCloud relies on its own .htaccess files, e.g. the deny-all one in data/, to keep data out of reach)
<Directory "/var/www/subdomain">
Options All +Indexes +FollowSymLinks
AllowOverride All
# Apache 2.2 access syntax; on 2.4 it only works with mod_access_compat loaded, the native form is "Require all granted"
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Comment-out every line in (or remove) /etc/httpd/conf.d/owncloud.conf.

Move /var/www/html/owncloud/* to /var/www/subdomain.

Make sure permissions are correct on /var/www/subdomain:

  • chown -R :apache /var/www/subdomain

Run the command-line installer: /var/www/subdomain/occ maintenance:install

Fix ownership of the config file, /var/www/subdomain/config/config.php to root:apache.

In config.php,

  • change 'trusted_domains' from 'localhost' to 'sub.domain.tld'
  • make sure 'datadirectory' is equal to /var/www/subdomain/data
  • change 'overwrite.cli.url' from 'localhost' to 'https://sub.domain.tld'

Navigate to http://sub.domain.tld, and follow the prompts – and you should be a happy camper.
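As an added example (my own script, not from the post or the ownCloud project), here is a small shell helper that performs the three config.php edits listed above and checks them afterwards, plus a check that the file is not world-readable. sub.domain.tld and /var/www/subdomain are the post's placeholders, and the sample config.php it writes is constructed, not a real instance's.

```shell
#!/bin/sh
# Added example (not from the post or the ownCloud project): script the three
# config.php edits needed to move ownCloud 8 onto a subdomain, then verify them.
# sub.domain.tld and /var/www/subdomain are the post's placeholders.

# Write a constructed config.php shaped like the one `occ maintenance:install`
# leaves behind on a stock install (sample values only, not a real instance).
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'ocsampleid0000',
  'trusted_domains' =>
  array (
    0 => 'localhost',
  ),
  'datadirectory' => '/var/www/html/owncloud/data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'mysql',
  'dbpassword' => 'sample-not-real',
);
EOF
}

# patch_owncloud_config FILE HOST DOCROOT
# Rewrites trusted_domains[0], datadirectory and overwrite.cli.url in place,
# keeping the original as FILE.bak. Fails if FILE does not exist.
patch_owncloud_config() {
  file=$1; host=$2; docroot=$3
  [ -f "$file" ] || return 1
  sed -i.bak \
    -e "s|0 => 'localhost',|0 => '$host',|" \
    -e "s|'datadirectory' => '[^']*',|'datadirectory' => '$docroot/data',|" \
    -e "s|'overwrite.cli.url' => '[^']*',|'overwrite.cli.url' => 'https://$host',|" \
    "$file"
}

# verify_owncloud_config FILE HOST DOCROOT
# Succeeds only when all three settings match the subdomain layout and no
# 'localhost' value is left over (a stale trusted domain is what makes the
# instance refuse the new host name after the move).
verify_owncloud_config() {
  file=$1; host=$2; docroot=$3
  grep -q "0 => '$host'," "$file" || return 1
  grep -q "'datadirectory' => '$docroot/data'," "$file" || return 1
  grep -q "'overwrite.cli.url' => 'https://$host'," "$file" || return 1
  ! grep -q "'localhost'" "$file"
}

# config_is_private FILE
# config.php carries the database password, so once it is owned by
# root:apache it should not be world-readable; succeeds when the
# "other" read bit is clear.
config_is_private() {
  [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}
```

Run it against a scratch copy of config.php first; the .bak file lets you diff what changed before touching the live one.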

Mark Turner : Hallie to the rescue

February 29, 2016 03:02 AM

During a recent school event, one of Hallie’s classmates suffered a medical emergency. While her other classmates stood around and watched, gripped with panic, Hallie leaped into action and performed first aid (the amusing thing is that up until now she considered the first aid class she took to be a waste of time). Once her friend had recovered, Hallie continued with the event as if nothing happened, and didn’t even mention it to us afterward. We were clueless when the child’s parent passed on her praise for Hallie’s reaction, not knowing anything about our daughter’s quick thinking (and acting). It was only last night that we managed to pry the details out of her. To Hallie it was no big deal.

But it is a big deal. Too often, something happens to someone and the people around don’t react. They become gripped in fear. Paralyzed with indecision. What is happening? What do I do? Maybe someone else will help.

Maybe someone else will help. But not everyone is willing to jump in and do what they can, even if it isn’t enough. Even if they don’t know what they’re doing. For Hallie to act, for her to roll up her sleeves and dive in when others did not, that makes me enormously proud as a parent. My girl has done a lot of remarkable things in her life but hearing that she took this kind of initiative ranks right up there with the best of them. I’m enormously pleased that she saw what needed to be done and she did it.

I have to say, being a dad in this family is pretty darn awesome.

Mark Turner : Raleigh’s accent

February 26, 2016 07:52 PM

Some friends were discussing accents the other day. A buddy who was born and raised in Raleigh was told his accent sounded Midwestern. As a Raleigh resident who was raised all over the South, I have to say I don’t hear much of a Southern accent around Raleigh.

Maybe it’s because of the way Raleigh draws residents from all around the country and world. Companies like IBM set up shop here in the early 1960s, bringing new residents in from all over (and particularly the North). As these groups assimilated the accents all blended, too. Raleigh is a melting pot of people and accents. So I suppose one could say that Raleigh does have its own accent but it’s indistinct. Maybe boring. And boring might not be a bad thing.

On a related note, last night I met with a group of very friendly transplants from the North. For all the grief my daughter gives me about suddenly sounding Southern when I’m around my Southern friends, last night I caught myself actually slipping into a New England accent. :-)