Colin Harrington

I recently installed Ubuntu 9.04(Jaunty Jackalope) on a 17" Macbook pro and as a part of that process, I had to install a bootloader called rEFIt.  You could think of EFI is just a next-gen BIOS.

Even though the bootloader looks decent, I don’t like the look of silver/grey color, so I decided to customize it.  The process to customize rEFIt was relatively straight forward and the result is beautiful.

This is what I came up with:

This is what it looks like with a Windows Partition:

I love the simplicity of it!!

Here is a closeup of the icons / OS Choices:

I don’t really know where the icons came from, but they look tasty  On Linux there is a decent package for working with mac icons (.icns) or sudo apt-get install icnsutils  which will get you some useful tools (png2icns and icns2png)

I did have to make a few modifications to the Tux icon [os_linux.icns] to give him a ‘glow’ so that he doesn’t fade into the black on black:

This windows Icon [os_win.icns] is the stock version I think (send me a link to the author if you know):

I did add a slight ‘glow’ to the apple icon [os_mac.icns] (send me a link to the author if you know):

I tried a number of custom ‘selected’ themes but gradients didn’t look right, so I went with the simple plan.  The selection bitmap can be found here:

the process is simple once rEFIt is installed:  modify the refit.conf with the icons in place, and you are done!

Here is what I came up with for my refit.conf (comments removed):

timeout 5
banner hostname.bmp
selection_big   selection-big-ring.bmp
hideui tools shell funcs hdbadges label
legacyfirst

The original comments in the refit.conf file are helpful!  Its straight forward if you can read

• timeout = the number of seconds before it automatically chooses for you
• banner = the bitmap of the upper part of the screen (top left pixel = background color)
• selection_big = the grey ‘ring’ that indicated the selection
• hideui = Hide elements of rEFIt so we can get a clean interface
• legacyfirst = Legacy OS first (Linux)

Use at your own risk!!

If I had the time, it would be fun to build/enhance rEFIt to have an all-black fill instead of the grey/silver.

I’ve had a good experience with Ubuntu 9.04 on a 17" Macbook Pro, and I’ll Blog about it – and see what I can do to help update the documentation – look for an upcoming post.

The Keynote for iPhone 3.0 just got over and I thought I should share a tiny greasemonkey script that I put together to reload http://live.gizmodo.com/ much sooner than the 90 seconds that one would wait.

It is too bad that macrumorslive.com is out of buisiness since they got hacked this past January.  Their application wasn’t too hard to mashup either.  It was simply changing a timout var in one version and then changing an obfuscated function later.

So the Greasemonkey script is really a breeze, it simply loads jQuery, hides the banner/space-waster and sets a timer to reload the page after 15 seconds (15000 milliseconds…) 

// ==UserScript==
// @name           live.gizmodo.com
// @namespace      live.gizmodo.com
// @description    live.gizmodo.com
// @include        http://live.gizmodo.com/
// ==/UserScript==

// Add jQuery
var GM_JQ = document.createElement('script');
GM_JQ.src = 'http://jquery.com/src/jquery-latest.js';
GM_JQ.type = 'text/javascript';
document.getElementsByTagName('head')[0].appendChild(GM_JQ);

// Check if jQuery's loaded
function GM_wait() {
    if(typeof unsafeWindow.jQuery == 'undefined') { window.setTimeout(GM_wait,100); }
else { $ = unsafeWindow.jQuery; letsJQuery(); }
}
GM_wait();

// All your GM code must be inside this function
function letsJQuery() {
	$('#header_container').hide()
    setTimeout(function(){ window.location.reload(true);}, 15000);
}

Sierra Bravo is putting on an overnight website challenge tomorrow featuring 12 teams and 12 non-profits.  The challenge is a great way to give back and strut our stuff.

I’m on a team called the Groovy Goolies and we plan to use Grails to deliver a powerful web-app.  Our team has an excellent lineup with a broad range of experience and talent.  I’m sure we’ll do great – we’ll definitely get to beat my friends on the Inetium Team.   The rich set of Grails plugins, excellent testing support and the power of Groovy will go a long way.

Checkout another post from another team-member or follow us on twitter.

Why is everything so slow?  Why does it take forever for the laptop to go to sleep? 

Holy thrashing platters Batman — Firefox is taking up 1.25GB of Memory.  I guess it is partially my fault.  Having 126 Tabs open isn’t the nicest thing that you can do, but thats what I did during some intense research.  After I brought it down to about 30 tabs, it still held 1GB.  That is a little too much if you ask me. 

I’ve been a fan of Firefox for a while.  Its attractive because of its extensibility, flexibility, W3C dom, and rendering standards.  I’ve been a fan of good add ons like greasemonkey, Firebug, Better Gmail, View Source Chart, Fullerscreen.  I enjoy using these tools regularly.

I use IE7, and Safari 3, and rarely opera.  Usually its just to make sure my css and javascript are cross-browser compatible.  Each one has it’s strength’s and weaknesses.  Obviously with Firefox, Memory usage is not its strength  

http://dotnetperls.com/Content/Browser-Memory.aspx

I’m hoping that Firefox 3 will help with the Memory usage.  I hope they can adhere to a different model; Weak references please?

I’m also excited to see what the IE8 team is cooking up.

Update:  I’m not so excited to see what IE8 is cooking up for Microsoft’s business plan.  Firefox 3 is Doing great on Mac, Windows and Linux for me.  Yea I wrote this a while ago, but thought it was still worth putting out there.  I don’t use Opera or IE7 much anymore now that I am primarily on Linux (home) & OSX (work)

I’m trying to restart MySQL from the command line in Mac OSX.  The GUI tool in the Preference Pane wouldn’t work for me, so its time to go back to the Command Line roots.  I knew that there was a way to restart MySQL from the commandline, but I was looking in all of the wrong places, (no /etc/init.d/ or others).  I fired off a few quick Web Searches with Google and found many hints.

Most of the articles I found online were not very helpful.  They all contained information that didn’t work for me and OSX 10.5.3 with MySQL 5.0.51a MySQL Community Server (GPL). Maybe Mysql changed their installer recently, maybe its a Mac Update thing, but the I ended up finding the solution in a comment of this article.  A comment by someone named Russell proved to be very helpful.

Basically it came down to knowing where to find these commands:

Start – sudo /usr/local/mysql/support-files/mysql.server start
Stop – sudo /usr/local/mysql/support-files/mysql.server stop

Thanks Russell – You rock!!

Big news today about a large security whole that affects the backbone of the Internet; DNS.  The Domain Name System or DNS is basically what translates readable names like colinharrington.net to its corresponding IP address.  It is cornerstone to just about everything that we do on the internet.  This news is larger than the Debian, OpenSSL fiasco that I blogged about earlier.

I first came across this when I read this article which was posted to Digg.com.

When I first logged into Ubuntu, I was notified that there were very important security updates by the bright red warning icon in the gnome panel.  I was quite happy not to have annoying balloon pop-ups or tricky log-out buttons that hijack the computer to automatically install important updates.  The Ubuntu security updates notified me that I needed to update bind9-host, dnsutils, libbind9, among others. 

We have known that DNS poisoning was an issue, but recent findings combining multiple attack vectors revealed a gaping security hole.  It was interesting to note that this ‘bug’ was a design descision and had to be patched across the board.  I guess design bugs can be quite hairy since its baked into everyone’s implementation.  All major vendors have to patch this hole due to the design nature of this bug.

According to the initial article, The details of the attack will be revealed in 30 days "at the Black Hat security conference in Las Vegas".  It is very interesting to note the current DNS issues that have made headlines recently.  Apparently ICANN itself had lost its own domain name according to this story care of MSNBC.  According to that article icann.com and iana.com were both hijacked.  This sounds more like proof of concept work to me. 

I am not an expert in this area but from the bit that I do know, the possibilities are scary; Naming authorities being compromised, man in the middle attacks, etc.  What if someone were to gain control of major certificate authorities like VeriSign? It is a little scary to think about what someone could accomplish unknown to the user.  Online Banking, Corporate Communications, Secure Service Bus communications, what if these could be spoofed into being sent to the wrong place, or *through* the wrong place?

This could very well make it into our history books.  I guess we will know more in 30 days.

Here is some extra reading on the subject:

• http://www.us-cert.gov/cas/techalerts/TA08-190B.html
• http://latimesblogs.latimes.com/technology/2008/07/major-computer.html
• http://www.doxpara.com/
• http://www.kb.cert.org/vuls/id/800113
• http://digg.com/security/Massive_Internet_security_flaw_uncovered
  
• http://www.hackaday.com/2008/07/08/major-dns-issue-causes-multivendor-patch-day/

The initial article ended with these words: "This is about the integrity of the Web, this is about the integrity of e-mail," Kaminsky said. "It’s more, but I can’t talk about how much more."  which sounds very similar to Rusty Ryan’s line in Ocean’s Twelve "Look, it’s not in my nature to be mysterious. But I can’t talk about it and I can’t talk about why."

Yea I know… PHP.  Please don’t shoot me.  Its not as groovy as say … Groovy or Ruby, but it can get the Job done.  I just found out how to configure PHP per virtual host. I guess I knew that it was possible, I just did not know how to do it.  Tomorrow I’m planning on forgetting how to do it and have to look it up again, which is exactly why I’ll blog about it .

So Basically you can set specific PHP.ini settings in the virtual host definition.  There are other ways of configuring PHP, but this one seems to be aligned to virtual hosts and is the right tool for the job I had to do.

PHP alania tipped me off to PHP.net’s article on the subject.  It would look similar to:

 <virtualhost>
    DocumentRoot "C:\non\aya\business\public_html"
    ServerName www.somesite.com
    ServerAlias somesite.com
    <directory>
        Allow from all
        php_admin_flag short_open_tag off
    </directory>
</virtualhost>

Don’t forget that you could also configure PHP on the fly (while its running/executing) by utilizing the ini_set() function.

Happy PHP-ing!

This last week (the 13th of May 2008) they announced a jaw-dropping security hole in the Debian OpenSSL package.  This Bug was introduced on May 2nd 2006 (relased in September?) and fixed on May 13th 2008.

What was the Bug?  Basically the randomness of the key generation processes was severly inhibited, thus making it feasible to guess (by brute force) the private keys.  Someone commented out a block of code that was nessesary to guarentee the randomness of the key that was to be generated.

#ifndef PURIFY   /*    * Don't add uninitialised data.     MD_Update(&m,buf,j); /* purify complains */    */  #endif 

Ok what does that mean?  It means that someone could listen in on your communications that you thought were secure.  Sniff passwords, ssh into machines you don’t own, etc.

I was happy to get an urgent update from the Ubuntu update manager in such a short amount of time.  I like that I was able to patch my systems so quickly.  I am floored that this bug was allowed to happen for the last 2 years

Many people have explained the fiasco/bug in more depth; here are some of my favorites 

• Good Technical explaination — http://metasploit.com/users/hdm/tools/debian-openssl/
• Thread explaining the Comic – http://forums.xkcd.com/viewtopic.php?f=7&p=670397
• The actual annoucement — http://www.debian.org/security/2008/dsa-1571

I explained in a previous post on distributed computing, that one of my parallel programming courses in college required us to find the seed and depth of a sequence of random numbers (very similar to the generation of rainbow tables or brute force password/key checking).  I’m sure that a few slight modifications to that code and I would have a workable, scalable and efficient brute force attack.  Am I going to do this?  no.  Can you have the code?  Yes…and by yes I mean no.  Realistically anyone skillful enough to capture and stage an attack would have the skills to formulate this on their own.

H D Moore over at metasploit – calculated that it would take his 31 Xeon cores approximately 2 hours to brute force 2048bit RSA Keys, and ~ 100 hours (3100 CPU hours) to brute force a 8192 bit RSA key path, and 100,000 hours (3,100,000 CPU Hours) to brute force a 16384 RSA Key assuming the max-breadth to find the pair. 

With a tool like Amazon’s Ec2, this would allow you to scale this application as far as your pocket book would allow   Well there is an actual limits, but it could be expanded by Amazon to handle your requests. 

I’m thinking something along the lines of 10,000 Extra large instances.  So that would be 80,000 cores, which would handle the 3,100,000 CPU hours in just 38.75 hours (yea, I know Ec2 core != Xeon … its just for illustration).  3,100,000 hours of computing could be completed in just over 3 days!!!!  with Amazon’s current pricing model, it would end up costing you $8000 per hour to run those 10,000 Large instances.  So the total bill (not including storage or testing time) would be around $310,000 to complete the processing.  I guess I have better things to do with $310k.  $310 is the most that you would pay, statistically you’d end up paying ~ $160k if you had to average it out. and that for 16384 bit RSA key pair.  the most common would be 1024 or 2048 bit RSA keys.

For a large organization such as the government, this would be cake money.  I’d be willing to bet that they already have much more computing horsepower than Amazon has at the disposal of EC2.   I love open source projects, but with so much going on at many levels, open projects can leave themselves open to bugs like this.  I guess thats why many projects go for the benevolent dictator approach.  Someone has to understand, and coordinate the project as a whole.  It will be interesting to see the fallout of this issue. 

This definitely got me to further my thoughts on Open Source Software.

What do you think?

When I was studying at Bethel College (now Bethel University) located in Arden Hills, Minnesota, I took a class called on Parallel Programming taught by Dr. Brian Turnquist.  I have to say that this class was my favorite.  I would stay up late just to solve the problems and projects that were presented to us.  I loved it!!!

We had a 40 CPU Beowulf cluster that we were able to work with.  It was a pretty standard AMD Dual Processor Configuration on a 10/100mbps ethernet network (which was usually the bottleneck).  Several students had the opportunity to help design and setup the cluster.  The cluster had its own housing inside one of the Computer Science labs. 

We ended up writing C++ programs that utilized MPI to communicate.  We ran calculations, rendered fractals, and simulated breaking passwords in a distributed form; Well maybe not passwords, but finding the seed and depth of how to replicate a series of "random" number’s generated by the stock random number generator could be easily substituted with other code .  I won’t get into how important the RNG (Random Number Generator) is to our modern systems (1,2) but it was a fun exercise none-the-less.  I ended up using the cluster briefly to render some intensive POV-Ray Fractals (See the contest results). 

I’ve always loved the concept of distributed computing.  I was really excited when I learned of Amazon’s Elastic Compute Cloud (EC2).  The concept of Pay as you go applied to Distributed computing is an interesting one!  And having a top-tier datacenter and Simple Storage Services (S3) makes it an attractive solution.  The concept of building scalable web applications is one that has caught my eye. 

I have some good ideas on how to utilize this service but haven’t made time to finish the concepts.  The Amazon Web Services crew have really started to round out ther services with the announcement of Persistent Storage for EC2 and SimpleDB.  Persistent Storage is, in my humble opinion, one of the last things that they needed to solve to service a fully viable, scalable, pay as you go/grow computing platform.  

I really enjoy using Firefox.  I have recently re-imaged my laptop after a hard drive upgrade.  I use Firefox quite Heavily.  I will frequently have one hundred of tabs open especially when I go through my reading materials for a week. 

I noticed on both Windows and Linux (Ubuntu) that my firefox sessions would hang after I crossed a certain threashold.  I have other browsers that I popped open to check to see if it was application or network specific.  Epiphany IE and Safari all worked flawlessly so it had to be specific to Firefox.

my first reaction was to pop open about:config (more) and start poking around the network settings, network.http.max-connections and the like seemed to have no effect.  Alas google remided me of the network.http.pipelining (more)  it basically allows for multiple requests to be executed at once.  This is especially important when using both Gmail and Google Reader and Digg which all utilize ajax calls in the background.