Category: Computing

Review: CrimeReports.com

Posted by – July 9, 2009

Recently the Hopkinsville Police Department started publishing crime data for the city through CrimeReports.com. Among the positives for this service is the data itself, which seems to be posted on a timely basis. CrimeReports.com provides two different views of the data; one is Google Maps-based, the other uses a bar chart, pie chart, and line graph. I’d like to thank the HPD for publishing this information. If there was anything worthy of spending taxpayer dollars it would be this. I think the data is displayed in multiple formats allowing some very interesting analysis.

CrimeReports Popup

If this website is so wonderful, is there anything wrong with it? Well, I think it falls down in two areas that could be easily fixed. The first and most annoying mistake is that the programmers have written a pop-up to appear the first time the user attempts to drag the map around. Pop-ups of any kind are flat out stupid. There is a reason why pop-up killer functionality is built into both Internet Explorer and Firefox. Any programmer that implements such a thing should be sent to a desolate Soviet Russian prison in Siberia.

The second defect is with the crime alerts that the website wishes for everyone to sign up for. I registered with the website soon after seeing it in the Kentucky New Era. Then a couple of days later a crime did occur within the area I specified but I received no email about it. Last night I created another crime alert in the center of the city, then I did get email from both locations.

I think CrimeReports.com is an excellent service to have for the city of Hopkinsville. The Police Department seems to post new crime reliably and the website provides a variety of ways to view that data. The usefulness of the website is harmed greatly though by that blasted pop-up. I’d also wonder why the email alerts don’t work reliably but that is only a mild problem. 3 of 5 stars

WP 2.7 Changes

Posted by – February 11, 2009

WordPress v2.7 was released several weeks ago and I waited for compatibility news about Barthelme, my blog theme. That was until I read this post by the theme author. The author is giving up maintainership and he wants to pass it on to someone else. So… we’ll find out what happens with that in the future.

In addition, I am able to eliminate one plug-in from my WordPress install. WordPress 2.7 now allows you to expire comments on old posts, which makes comment timeout less necessary, even though the plug-in has more functionality than what is built into WordPress.

ss, com_err, e2fsprogs-libs blocking

Posted by – October 29, 2008

No doubt you’re wondering what to do about blocking packages in Gentoo. The latest example involves a new package called sys-libs/e2fsprogs-libs. It seems e2fsprogs-libs now includes functionality that was performed by sys-libs/ss, sys-libs/com_err, and sys-fs/e2fsprogs. The solution is to unmerge sys-libs/ss, sys-libs/com_err, and sys-fs/e2fsprogs, then update like normal.

ebrake@scanner ~ $ emerge -pvuDN world

These are the packages that would be merged, in order:

Calculating world dependencies... done!
[ebuild     U ] sys-apps/findutils-4.4.0 [4.3.13] USE="nls (-selinux) -static" 1,983 kB
[ebuild     U ] sys-fs/e2fsprogs-1.41.2 [1.40.9] USE="nls (-static%)" 4,263 kB
[ebuild  N    ] sys-libs/e2fsprogs-libs-1.41.2  USE="nls" 479 kB
[ebuild     U ] net-fs/nfs-utils-1.1.3 [1.1.0-r1] USE="tcpd -kerberos -nonfsv4" 793 kB
[blocks B     ] sys-libs/ss (is blocking sys-libs/e2fsprogs-libs-1.41.2)
[blocks B     ] <sys-fs/e2fsprogs-1.41 (is blocking sys-libs/e2fsprogs-libs-1.41.2)
[blocks B     ] sys-libs/com_err (is blocking sys-libs/e2fsprogs-libs-1.41.2)
[blocks B     ] sys-libs/e2fsprogs-libs (is blocking sys-libs/ss-1.40.9, sys-libs/com_err-1.40.9)

Total: 4 packages (3 upgrades, 1 new, 4 blocks), Size of downloads: 7,516 kB

The next time you update, =sys-fs/e2fsprogs-1.41.2 and sys-libs/e2fsprogs-libs will be installed.

Hardcore Kernel Literature

Posted by – October 25, 2008

Previously, my hard core Linux kernel news has come from free sources like kerneltrap and kernelnewbies. When I started tracking the development kernel releases, I wanted more information about the changes coming and what it meant for my hardware. When kerneltrap is writing regular updates he provides pretty good information. kernelnewbies is another good source for functional changes to the kernel. The human readable changelog is a good look at the kernel in broad strokes. The diff -u section in the LinuxJournal is another broad overview with some discussion of kernel politics thrown in. The disadvantage in reading free sources like blogs is that the author often posts in spurts then goes to sleep again. That’s the nature of blogging. The BrakeBlog was dead for several months before I revived it again.

On the spur of the moment I bought a subscription to lwn.net. I think I’m going to be very happy with it. Reading through this week’s LWN I was pleased with the twenty bucks I spent. I was so inspired that I went to work creating an LWN badge to display on my website. Read LWN. Go steal it for your own use; I don’t care. If you make a better one let me know.

Murder Your Virtual Husband, go to Real Prison

Posted by – October 23, 2008

TOKYO, Japan (AP) — A 43-year-old Japanese woman whose sudden divorce in a virtual game world made her so angry that she killed her online husband’s digital persona has been arrested on suspicion of hacking, police said Thursday.

The woman, who is jailed on suspicion of illegally accessing a computer and manipulating electronic data, used his identification and password to log onto popular interactive game “Maple Story” to carry out the virtual murder in mid-May, a police official in northern Sapporo said on condition of anonymity, citing department policy.

“I was suddenly divorced, without a word of warning. That made me so angry,” the official quoted her as telling investigators and admitting the allegations.

The woman had not plotted any revenge in the real world, the official said.

She has not yet been formally charged, but if convicted could face a prison term of up to five years or a fine up to $5,000. [...]

The woman used login information she got from the 33-year-old office worker when their characters were happily married, and killed the character. The man complained to police when he discovered that his beloved online avatar was dead.

Bold emphasis is mine. Can somebody tell me what crime this woman actually committed? She “hacked” this guy’s account because he shared his login with her. Duh, if you share your password with other people there might be data loss. Another question: why does this man flippantly give away his password but call the cops when this non-crime happened? I thought most online services wrote it into the TOS that users were required to keep their logins secure. His avatar is obviously not irreplaceable; if he spent any real money to outfit his character then whatever. Sue her in civil court!

The other aspect is the moral degradation present in this situation. My virtual character “marries” your virtual character. Human relationships including marriage, gender, social experimentation, personal identity, and personal consequences become unglued from reality. If Obamessiah wins the presidency in November that will be the world we’re going to be living in. Capital “L” Liberals believe there are no absolutes, no right or wrong, no consequences.

BB&T Bank Passwords

Posted by – October 20, 2008

I just happened to change my password recently on my online banking. I found out that Branch Banking and Trust (BB&T) limits the maximum password length to 12 characters, that passwords cannot contain any special characters like an exclamation point, and that passwords are not case sensitive. Screenshots are below of the online banking interface.

New password screen for BBT

Error page for BBT Online Banking

Putting such restrictive limits on passwords seems to be very common. Multiple listeners of Security Now! have written in saying that their bank also has poor password policies, mostly due to legacy requirements or compatibility with disparate systems.

Security Now! 162

Leo: Good luck. Jon Kuhn in Ann Arbor, Michigan has discovered that Wells Fargo is in bad company. Oh, boy. After hearing about Wells Fargo on the Security Now! podcast, I decided to try out all of my GRC Perfect Password-derived passwords, all of them alphanumeric with upper and lower case. I found that Chase, Citibank, Vanguard, and my credit union all have non-case-sensitive passwords. Just thought you might find that interesting.

Steve: So Wells Fargo is sharing the doghouse with these other people. But given that they’ve got lockout provisions, and I imagine that our listeners may now be curious to poke at their – deliberately log in incorrectly and see what it takes, verify in fact that anyone trying to guess their passwords will be shut down very quickly and then have to go through the extra reauthenticating hoop-jumping in order to get their account reactivated. Which, again, it certainly does mitigate the problem of passwords being non-case sensitive.
Leo: There’s got to be a reason they’re doing this. Is it possible that some older computers or older…
Steve: Matter of fact, if you keep reading, we will come to the reason.
Leo: Ah. I like it. I like it. Steve is always way ahead of me. Brent McLaren in Ajax, which is near Toronto in Ontario, Canada, brings up a very good point. It’s a point about case-insensitive banking passwords.
Steve: Speak of the devil.
Leo: He says: Hi, Steve. Been listening to Security Now! since Episode 1. I really enjoy the show. Me, too. Even though I work in IT and spend my days working with security and networking technology, I’ve found your insight and ability to explain complex topics very valuable. So I just wanted to pipe in on the topic of case insensitivity for Wells Fargo’s online banking log-in. I know that for my bank the password used for online banking is shared with telephone banking. As a result the password has to be limited to alphanumeric passwords with no case sensitivity. It’s also limited to six characters. I believe this is one of those tradeoffs between security and usability that is necessary. Having separate passwords for the different channels would be beyond confusing to people. That’s a very good point.
Steve: Isn’t that a good point? I liked that because you could imagine trying to explain to somebody that you’ve got, you know, what a circumflex is or…
Leo: I don’t think there’s a circumflex on my phone. Yeah, you’re right.
Steve: Or the pound sign. What? Well, it’s that number sign, the thing, you know, I mean, so if passwords were really complex, it could be difficult for them to be used, the same password to be used, essentially repurposed through different venues with the same institution. And so it’s like, okay, that makes some sense. You could imagine that trying to explain your password over the phone to somebody could be a problem, much more so than you typing in some strange concoction with shift keys and so forth on your keyboard.
Leo: And I actually remember that I got started in online banking with Bank of America in 1984 or something with phone banking. And so I think that probably it’s the same system it’s been all along. In fact, and this is what made me ask the question earlier, I remember it was almost a TTY the first time I started doing online banking. A black screen would come up with white letters on it, all uppercase. The menu structure would be, you know, type “1” for this item, type “2.” I mean, it was very primitive. And I bet you it’s the same back end.

Steve: It may very well be that they just stuck a web server on the front of it.

On a positive note, BB&T is slowly improving its security because my original password only had six characters and now the minimum is eight. In the future, there is the possibility of implementing two-factor authentication because they recently launched BB&T Mobile and BB&T Alerts. Both of these systems can interact with your phone via text messaging.
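
As an added illustration (not from BB&T or from the podcast), the Python sketch below models the limits described in this post, 8 to 12 characters, letters and digits only, case ignored, and compares the resulting search space with a case-sensitive policy. The lockout threshold of 5 attempts is an assumed value; the post does not state one.

```python
import math
import string

# Policy values as described in the post: 8 to 12 characters,
# letters and digits only, case ignored.
MIN_LEN, MAX_LEN = 8, 12
ALLOWED = set(string.ascii_letters + string.digits)

def validate(password):
    """Return a list of policy violations (empty list means accepted)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8-12")
    if any(ch not in ALLOWED for ch in password):
        problems.append("letters and digits only")
    return problems

def stored_form(password):
    """Case-insensitive matching means the system effectively compares this."""
    return password.lower()

def keyspace(alphabet_size, min_len=MIN_LEN, max_len=MAX_LEN):
    """Number of distinct passwords across every allowed length."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def bits(space):
    """Search space expressed in bits."""
    return math.log2(space)

def online_guess_odds(space, attempts_before_lockout):
    """Chance a uniformly random password is guessed before lockout."""
    return attempts_before_lockout / space

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    print(validate("Tr0ub4dor!"))   # rejected because of the special character
    print(stored_form("AbCdEf12") == stored_form("abcdef12"))  # treated as equal
    ASSUMED_LOCKOUT = 5  # assumption: threshold not given in the post
    for name, size in [("case-insensitive alnum", 36),
                       ("case-sensitive alnum", 62),
                       ("printable ASCII", 95)]:
        space = keyspace(size)
        odds = online_guess_odds(space, ASSUMED_LOCKOUT)
        print(f"{name:24s} {bits(space):5.1f} bits, lockout odds {odds:.1e}")
```

The lockout figure only describes online guessing against the login page; the bit counts are what matter if stored password data is ever attacked offline.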

Simple rsync backup

Posted by – October 13, 2008

One of my goals for running a dedicated home server was for backup purposes. I already have a Simpleshare NAS that works OK but if it fails my data is still lost. Unlike previous computers, the Shuttle PC K4500 is so quiet that I can run it 24/7. From the Shuttle PC, I can mount the Simpleshare and rsync changes across.

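#!/bin/bash
# Mount the Simpleshare NAS export (mount point defined in /etc/fstab).
/bin/mount /mnt/nfsbackup
# Copy new and changed files; nothing is deleted on the backup side.
/usr/bin/rsync -a --numeric-ids /mnt/nfsbackup/ /home/backup/bkup.0/
# Unmount the NAS once the copy is finished.
/bin/umount /mnt/nfsbackup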

The --numeric-ids option is handy because the UID/GIDs are different between the server and my laptop. I looked at different methods of doing backups. What I decided was to rsync new files to the Shuttle PC but not to delete anything. I’ll decide how I want to “prune” deleted files later. Rsync runs every six hours and now I have everything mirrored. The next step in centralizing my data is to set up icecast and stream all my music from the server. I archive all my music in FLAC already. Once I start streaming I’ll be able to remove my MP3s from the laptop.

Critical Kernel Options

Posted by – October 12, 2008

The Shuttle PC K4500 had a lot of unfamiliar hardware on it when I first bought it, the most critical part being the SATA drivers.

00:1f.2 IDE interface: Intel Corporation 82801GB/GR/GH (ICH7 Family) SATA IDE Controller (rev 01)

The pertinent option in menuconfig was to enable “Intel ESB, ICH, PIIX3, PIIX4 PATA/SATA Support” in the SATA drivers section. Important! In order for the kernel to boot, this driver must be built in or you won’t be able to mount your filesystems.

Networking is another critical component since I do nearly all of my work over SSH.

02:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8056 PCI-E Gigabit Ethernet Controller (rev 12)

The driver is called sky2. The entry in menuconfig is “SysKonnect Yukon2 support”. You have the choice to either build the driver in or modularize it. I should say that when I’m building a new config I execute “make defconfig” to create a base config that I edit later. So there might be other critical options that I don’t mention because they are enabled by default in defconfig.