How journalism should not be done

I am subscribed to the German “Linux Magazin” (its articles are translated and published in the English “Linux Magazine”) and today I received their anniversary edition (10 years of Linux Magazin).

With great interest, I read the article “Insel Hüpfer” starting on page 56. It’s about the author telling the story of how he found security holes in the setup of a big German hosting provider.

The author goes into great detail when describing what he did, and, full of pride, he actually tells the reader the MySQL root password of one of the compromised servers:

And then, for the first time, I discovered something pleasant: the MySQL root password is: xxxxxx. This is what a secure password should look like.

(Translated from the German original.) In contrast to the article in the Linux Magazin, I am definitely not naming the password here!

All this would not be bad enough for me to blog about here if only they had not been so stupid as to actually show the reader the name of the provider!

While all URLs are left out and the article does not name the provider, they made two bad mistakes:

  1. On page 63, there is a screenshot of a compromised FAQ page. While they blanked out Mozilla’s URL field, they did not do that with the big, clearly visible page title containing the domain name in the top left corner. And even if they had grayed out that text, googling for the contents of the rest of the page would have led me to the provider’s address, too.
  2. On page 64, they have a screenshot displaying the URL of the compromised phpMyAdmin, graying out the domain name but leaving the rest of the URL intact. Too bad that the name of the provider is no secret anymore (see above).

All this would not be so bad (though it certainly is bad for the publisher of Linux Magazin, as it will get them in trouble with the provider), but what really is catastrophic is that the provider has not changed the password printed in the article!

This means that any reader of the Linux Magazin (currently only subscribers; I really hope they stop further delivery of this issue) can access the MySQL databases of many customers of said provider!

Posting stories like this is really nice and is actually what gets you readers, but if you do it, please take care not to publicly print compromised passwords that are still working when your issue goes to press. And don’t leave clues like URLs and other things that point to the victim in question! Please!

Comments working again

OK… there was this… embarrassing… problem with the pilif.ch domain. Talk about forgetting to pay for the registration ;-)

The problem is fixed, so the comments and the search function should be working again…

No more blur

When reading my ThinkPad T42p review the other day, you may have seen that the only problem I had with the fine machine was that the DVI port of the docking station supported only the 1280×1024 resolution. This forced me to use the analog video output to power my cool 21 inch 1600×1200 LCD at my workspace.

My problem with this solution: the picture was blurry and a bit unsharp. While it got a lot better after upgrading the VGA cable to something better than what came with the display, it still was not as sharp and crisp as the image on a 1280×1024 18 inch display I had connected via DVI. Actually, it was still quite blurry – at least for me, used to the sharper display.

A comment on my blog entry (many thanks – comments like this are the only thing that keeps me deleting all those spam comments rather than disabling the comment function altogether) pointed me to this forum entry, which in turn pointed me here.

Omegadrivers provides a hacked version of ATI’s Catalyst driver that enables the ThinkPad’s DVI port to support the 1600×1200 resolution (actually, the driver is optimized for gaming performance, but that’s not so important for me)! Very nice!

Now the image is clear and crisp, just as I always wanted it to be. Cool!

Now… if someone could tell me what I have to do to un-break the OpenGL support, I’d really appreciate that… Whenever a program uses OpenGL, it immediately crashes with those new drivers.

Mountains

This is what I’m going to see for the next seven days. Yes. Finally, I will once again travel to a small cottage in Pontresina, enjoy the great landscape and do nothing business-related at all.

So don’t expect any postings next week. While I will have an extremely limited internet connection (GPRS), I will use it only if something bad should happen.

IBM ThinkPad T42

Almost exactly one year ago, I reviewed my then new IBM ThinkPad T40. To save you from going there and having a look: I really liked the device.

In the year that has passed, some things began to bug me, though they are somewhat minor. I had not noticed them back when I wrote the review:

  • The hard drive is slow. And when I say slow, I really mean it. Windows has a tendency to swap regardless of available memory, and those times when my TP was swapping made it nearly impossible to work with. The boot time after entering my password and before the system really became responsive (you know: the GUI is drawn but does not really react to input yet) was quite long; stripping down the installation and defragmenting the drive did not really help, which, considering 1 GB of available RAM, led me to the conclusion that the drive really was quite a bottleneck.
  • The display had a resolution of just 1400×1050. I would really have liked the 1600×1200 one.
  • Soon after I got my T40, the T41 was released with a feature that automatically parks the heads of the hard drive and spins it down when the laptop is shaken. This feature was absent in my T40, and this March I had to learn this the hard way: the drive died (I was very lucky: it only had tons and tons of bad blocks on the system partition; my data was not affected). This was when I really wanted that drive spin-down feature.
  • Graphics performance was somewhat behind what I would have wished for. In particular, it was not possible to run ePSXe at sufficient speed. Certainly not something I need in a computer I use mostly for work, but it would have been nice. Doom 3 comes to mind, too, though I don’t think any laptop existing today is actually powerful enough for that game – at least no portable one ;-)

And that’s about it: minor issues. I am a really big fan of my T40. Really. Believe me. And continue to believe me when I tell you this: IBM has announced the T42 model, which finally comes with the 1600×1200 screen resolution. And not only that: the built-in FireGL chip from ATI should definitely provide enough juice for ePSXe (though I’ve not tested that yet because of the lack of PSX CDs here in the office). I could not resist getting one.

I mean, 1600×1200 resolution is just great for anything you do beyond just surfing the web. While you can use more than one monitor, it’s always more convenient to have everything on just one screen. Just think of Delphi with all its palettes and stuff. Very convenient.

And this hard-drive spin-down feature. Very convenient too.

So, I’m writing this blog entry on my brand new IBM ThinkPad T42p. Time for a review, don’t you think?

From the outside, IBM has not changed much: with its 15 inch display, the whole thing got a bit bigger (and a little bit thicker, if I’m not mistaken), but otherwise they have left the outside unchanged from my T40 model.

On the inside, when installing Windows XP (while the IBM preinstallations are quite unintrusive, I still prefer a completely uncustomized installation of Windows, downloading just the drivers I need; that way I could even test my slipstreamed SP2 installation), I noticed the immense power this thing has. After just about 15 minutes, the installation was complete (excluding the drivers, of course). Boot time was much shorter than what I had on my T40 – even considering the emptiness of the hard drive. And it remained that short after copying over my profile. I really think they finally used a better hard drive. Because the new computer is just 100 MHz faster than the old one (1.6 -> 1.7 GHz), I think it must be the drive performing better.

The display is great. Highly readable and very bright. I really like the resolution. Display-related, though, is the one big problem I have with this wonderful toy (why oh why must everything have at least one flaw?):

The DVI port (provided by my docking station) is (still) limited to 1280×1024 pixels, so I have to use the analog output to power my 1600×1200 monitor, giving me somewhat suboptimal image quality. Too bad. Maybe they’ll fix that later.

Now I’m looking forward to checking the computer’s 3D performance. If there’s something unusual about it, I’m going to post it, of course.

Overall, I think, if you don’t need the 1600×1200 resolution, you can live without upgrading. If you really like (or even depend on) that big resolution (and consequently the high DPI count), you should maybe consider upgrading. Were it not for that problem with the DVI port, this would be the perfect notebook. With this flaw, it’s just the best one on the market. ;-)

UPDATE: Yep. ePSXe works. It works extremely well, actually. I’m using Pete’s OpenGL GPU plugin with nearly everything turned on and I’m still not getting any lag. This is nice.

Working with subversion

I’m currently making my first steps with Subversion and it’s going quite well. It took some time to get the $Id$ expansion to work, though, but this article helped me in the end.
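The usual stumbling block with $Id$ is that Subversion only expands it when two things are true at once: the svn:keywords property is set on the file, and the file actually contains the literal $Id$ anchor. The following is an added example, not code from the post or from the Subversion project; it assumes the standard svn command line, and the auto-props file patterns (*.php, *.inc) are just illustrative.

```shell
#!/bin/sh
# Added example: enabling $Id$ keyword expansion in Subversion.
# Expansion needs BOTH the svn:keywords property on the file AND a literal
# $Id$ anchor in the file's content; either one alone does nothing.
# Assumption: 'svn' is the Subversion CLI; the property syntax is the real one.

# Set the svn:keywords property on one versioned file so svn expands $Id$
# on checkout/update/commit.
svn_enable_id() {
    svn propset svn:keywords "Id" "$1"
}

# Return 0 if the file contains an $Id$ anchor (unexpanded "$Id$" or an
# already expanded "$Id: file rev date author $"), 1 otherwise.
# Run this before blaming the property when a file shows no expansion.
has_id_anchor() {
    grep -Eq '\$Id(: [^$]*)?\$' "$1"
}

# Print an auto-props stanza for ~/.subversion/config so that new files
# matching the (illustrative) patterns get the property on 'svn add'.
# enable-auto-props must be set to yes, otherwise [auto-props] is ignored.
auto_props_stanza() {
    cat <<'EOF'
[miscellany]
enable-auto-props = yes

[auto-props]
*.php = svn:keywords=Id
*.inc = svn:keywords=Id
EOF
}
```

Files that were added before the auto-props stanza existed still need the property set by hand (svn_enable_id), and the change only takes effect after a commit followed by an update of the working copy.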

The next thing I’m going to do is try to migrate a simple project (no branches, no tags) from CVS to Subversion. I know there are some tools out there which promise to be able to do that for you, so I hope it’ll work.

The final step would be to migrate PopScan, which has gotten quite complex these days: about 5 branches, countless tags and three years’ worth of history. If that too goes well, it’s “welcome, Subversion” for me. If not, I think I’ll postpone the migration until the tools get better. I absolutely don’t want to have my code in different source management systems.

I’ll keep you posted.

PHP 5

As you surely know, PHP 5 has been released. Actually, it’s already at 5.0.1.

What you also may know is that Gentoo’s dev-php/mod_php package was promoted from -x86 to ~x86, which means from broken to unstable in Gentoo terms.

This means that I can now run some tests with PHP 5, which I have already begun doing: I’ve upgraded PHP on our development server to 5.0.1 and it’s working quite well so far. The only problem I’ve come across is this stupid code in an osCommerce installation:

class something {
  // PHP 4-style constructor: a method with the same name as the class
  function something() {
    // do something
    $this = null;   // the offending line: PHP 5 refuses to compile this ("Cannot re-assign $this")
  }
}

New or old object model in PHP, this is just something you don’t do. Not in PHP, and certainly not in any other language. You should not assign anything to $this, self or even Me (or whatever the implicit pointer to your own object is called in your language).

My new toy


New year, new iPod. They made so many small usability enhancements with these new models that you actually ask yourself whether the predecessors were really made by Apple (because if they were, there wouldn’t have been that many usability flaws in the first place).

  • Playback stops when you unplug the headphones. Oh, and speaking of headphones, I’m using these. They are a great compromise between extremely expensive and good-sounding.
  • The menu item where the music is stored is now called – surprisingly – Music. This is much better than the “Browse” of the older models.
  • The click wheel is the best user interface they have created so far. I hated those soft keys of the 2nd generation: they were extremely imprecise and often fired when I did not actually want them to.
  • It’s faster. My old model paused quite a while when entering the artist list. The new model does this instantly.

Convenience-wise, the jump to the third generation of iPods was the biggest step. Thanks, Apple.

Oh, and the music I’m playing in the photo is this CD. The music is difficult to describe. A bit jazz-ish, but not really. I really like it – especially as a passionate gamer of the Chrono series and Xenogears, from which the music takes its inspiration. Consider buying it. It’s great!

SSH daemon on installation CD

First, my apologies for not posting for quite some time now, but I have a hell of a lot of things to do. One of those was setting up yet another IBM xSeries 345 server. And yet again, I decided to install Gentoo Linux on it, and yet again this distribution does not cease to amaze me:

On their current LiveCD (used for installing the distribution), they have actually installed an OpenSSH server ready to be started, allowing you to do the whole installation procedure remotely. This is incredibly nice.

So I could put the server in our basement, where its noise did not annoy anyone, and still do the installation from my comfortable chair in my office. This is great!

But then I took the idea further: imagine you modify the CD just a little bit: preconfigure the network with the IP of your server somewhere in a remote location, set a non-random root password and configure the SSH daemon to start automatically on boot.

Then configure the server to boot from CD, if one is there.

Now, if your server (somewhere in a remote location where getting in is difficult or at least time-consuming) should crash and fail to come up properly after a reboot, just ask someone at the colocation center to insert the CD and reboot. The rescue system from the CD will boot and the SSH daemon will start. Now you can try to fix your system remotely.

When you are finished, your customized reboot script will eject the CD after unmounting it, allowing the server to reboot normally from its (hopefully) fixed installation. This would even allow you to completely reinstall a compromised system remotely, without forcing you to do that on location.
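One thing to keep in mind with such a CD: whoever can boot it (any technician in the rack room, or anyone who walks off with the disc) gets whatever login it offers, so the rescue sshd is the part to get right. The following is an added example, not from the post and not part of Gentoo; instead of the fixed root password the post suggests, it restricts root to key-based login, so the CD is useless to anyone without the matching private key. It assumes the standard OpenSSH sshd_config directives (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication, PubkeyAuthentication, AuthorizedKeysFile) and Gentoo’s rc-update command; the public key is a placeholder to be replaced with your own.

```shell
#!/bin/sh
# Added example: sshd configuration for a self-booting rescue CD, plus a
# check that the config is safe to leave in a colocation rack. Root may log
# in only with an SSH key; password logins are off entirely.
# Assumptions: OpenSSH directive names; Gentoo 'rc-update add sshd default';
# RESCUE_PUBKEY is a placeholder for the administrator's real public key.

RESCUE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER admin@workstation"

# Print the sshd_config to bake into the CD image. Directive lines carry no
# trailing comments because sshd rejects extra tokens on a line.
rescue_sshd_config() {
    cat <<'EOF'
# rescue CD sshd_config (added example)
Port 22
Protocol 2
# key-only root login; newer OpenSSH spells this prohibit-password and
# still accepts the old name
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile /root/.ssh/authorized_keys
X11Forwarding no
EOF
}

# Read an sshd_config on stdin; return 0 only if password logins are off,
# public-key auth is not disabled and root is limited to key-based login.
# sshd honours the FIRST occurrence of a directive, so the awk below does too.
check_rescue_sshd_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" && pw == ""    { pw = val }
        key == "permitrootlogin"        && root == ""  { root = val }
        key == "permitemptypasswords"   && empty == "" { empty = val }
        key == "pubkeyauthentication"   && pk == ""    { pk = val }
        END {
            ok = (pw == "no") && (empty != "yes") && (pk != "no") &&
                 (root == "without-password" || root == "prohibit-password")
            exit ok ? 0 : 1
        }'
}

# Write config and admin key into the CD root filesystem ($1, e.g. the
# unpacked image or a chroot; defaults to /) and enable sshd at boot.
# Refuses to install a config that fails the check above.
install_rescue_ssh() {
    root="${1:-/}"
    rescue_sshd_config | check_rescue_sshd_config || {
        echo "refusing to install an sshd_config that allows password logins" >&2
        return 1
    }
    mkdir -p "$root/etc/ssh" "$root/root/.ssh"
    rescue_sshd_config > "$root/etc/ssh/sshd_config"
    printf '%s\n' "$RESCUE_PUBKEY" > "$root/root/.ssh/authorized_keys"
    chmod 700 "$root/root/.ssh"
    chmod 600 "$root/root/.ssh/authorized_keys"
    # Gentoo: add sshd to the default runlevel (only when run inside the
    # CD's own root, i.e. from a chroot into the image)
    if [ "$root" = "/" ] && [ -x /sbin/rc-update ]; then
        rc-update add sshd default
    fi
}
```

Run install_rescue_ssh from inside a chroot of the CD image before repacking it; the check function can also be pointed at any existing sshd_config (check_rescue_sshd_config < /etc/ssh/sshd_config) to see whether a box still accepts password logins.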

This is extremely nice and just another reason why I prefer the seemingly simple and anachronistic installation procedure of Gentoo. I mean: just try doing this with either Fedora or SuSE…