the answer for me is no.

many thanks to our security team for ignoring critical SSP bugs. the answer for me is no.
many thanks to our QA lead for replacing his head with a tomato. the answer for me is still no.

and many thanks to our council for supporting names like vapier and halcy0n (and wolf*lotsofnumbers*, i never knew he was into that kind of business) with their aggressive, destructive and pervasive notions of how people should conform to their fascist little black and white one in the stink two in the pink world. i still think the answer is no.

at least you got all the rotten tomatoes in one boat now and it's slowly sinking.
I'll be happy to leave you here with what you have. There have been no innovations hosted by Gentoo Linux on the security sector of host-based systems hardening for 5 years now. You fight people leaving faster than you can hire noobs to fill redundant positions because you fuckups still keep all your puppets in the right positions to decide what the public opinion is and what the people using Gentoo should "think" about your little /usr/portage experiment there.

well fuck you then, bitches.

whatever.

as always i'll have my last curtain with a song i loved when i was young- and maybe still do.
and now i have to admit- the answer to the above question for Gentoo Linux is definitely yes.

CAKE - The Distance

Reluctantly crouched at the starting line,
Engines pumping and thumping in time.
The green light flashes, the flags go up.
Churning and burning, they yearn for the cup.
They deftly maneuver and muscle for rank,
Fuel burning fast on an empty tank.
Reckless and wild, they pour through the turns.
Their prowess is potent and secretly stearn.
As they speed through the finish, the flags go down.
The fans get up and they get out of town.
The arena is empty except for one man,
Still driving and striving as fast as he can.
The sun has gone down and the moon has come up,
And long ago somebody left with the cup.
But he's driving and striving and hugging the turns.
And thinking of someone for whom he still burns.

He's going the distance.
He's going for speed.
She's all alone
In her time of need.
Because he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse,
He's going the distance.

No trophy, no flowers, no flashbulbs, no wine,
He's haunted by something he cannot define.
Bowel-shaking earthquakes of doubt and remorse,
Assail him, impale him with monster-truck force.
In his mind, he's still driving, still making the grade.
She's hoping in time that her memories will fade.
Cause he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
The sun has gone down and the moon has come up,
And long ago somebody left with the cup.
But he's striving and driving and hugging the turns.
And thinking of someone for whom he still burns.

Cause he's going the distance.
He's going for speed.
She's all alone
In her time of need.
Because he's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
He's racing and pacing and plotting the course,
He's fighting and biting and riding on his horse.
He's going the distance.
He's going for speed.
He's going the distance.

may the source be with you and your guards never fail at entropy.

Alex

PS: the next time you write bullshit about me in profiles/default/linux/package.use.mask, make sure you remove my name so i don't feel offended by your blatant ignorance of the problem itself.

okay here we go

>>> Regenerating /etc/ld.so.cache...
>>> sys-libs/gxslibc-2.6.1-r2 merged.

>>> No packages selected for removal by clean
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.
* Regenerating GNU info directory index...
* Processed 87 info files.

TMPFS chroot001 miranda ~ # export STATIC="-fstack-protector-all"; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o vuln-stack vuln-stack.c && file vuln-stack && readelf -s vuln-stack | egrep "__guard|__stack_smash"; ./vuln-stack 1234567891234567; einfo "return code: ${?}"; echo; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o ssp_entropy ssp_entropy.c && file ssp_entropy && ./ssp_entropy
vuln-stack: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, dynamically linked (uses shared libs), not stripped
2: 08049698 4 OBJECT GLOBAL DEFAULT 23 __guard@GLIBC_2.3.2 (3)
4: 00000000 30 FUNC GLOBAL DEFAULT UND __stack_smash_handler@GLIBC_2.3.2 (3)
78: 08049698 4 OBJECT GLOBAL DEFAULT 23 __guard@@GLIBC_2.3.2
80: 00000000 30 FUNC GLOBAL DEFAULT UND __stack_smash_handler@@GL
* return code: 46

ssp_entropy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, dynamically linked (uses shared libs), not stripped
__guard: [[0x288a2b8c]]

TMPFS chroot001 miranda ~ # export STATIC="-static"; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o vuln-stack vuln-stack.c && file vuln-stack && readelf -s vuln-stack | egrep "__guard|__stack_smash"; ./vuln-stack 1234567891234567; einfo "return code: ${?}"; echo; gcc-3.4.6 "${STATIC}" -fstack-protector-all -o ssp_entropy ssp_entropy.c && file ssp_entropy && ./ssp_entropy
vuln-stack: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, statically linked, not stripped
1346: 0804f810 18 FUNC GLOBAL DEFAULT 3 __stack_smash_handler
1554: 080bc370 4 OBJECT GLOBAL DEFAULT 16 __guard
* return code: 46

ssp_entropy: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.18, statically linked, not stripped
__guard: [[0xe686ece4]]

i invented return code 46 as SSP failure because i could not find a list of valid exit codes (unless segfault which is 127) at google.

-Alex

well it looks like i can go to bed with a smile on my face...


gcc -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c
./ssp_entropy
__guard: [[0x353275b9]]




gcc -static -g -ggdb -fstack-protector-all -o ssp_entropy ssp_entropy.c && ./ssp_entropy
__guard: [[0x3687e720]]




TMPFS chroot001 miranda ~ # cat ssp_entropy.c
#include stdio.h

extern unsigned long int __guard;

int main(void) {
printf("__guard: [[0x%x]]\n", __guard);
while(1) { ; }
return(0);
}


for learning about the whole story: http://bugs.gentoo.org/show_bug.cgi?id=182231

have fun and good night!



pappy@h1339985 ~ $ ssh root@miranda -p 22001
Last login: Mon Apr 28 12:46:52 2008 from dev.extreme-security.net
TMPFS chroot001 miranda ~ # emerge --info
Portage 2.1.4.4 (default-linux/x86/2007.0, gcc-4.1.1, hardened-glibc-2.6.1-r1, 2.6.24-hardened i686)
=================================================================
System uname: 2.6.24-hardened i686 Dual Core AMD Opteron(tm) Processor 280
Timestamp of tree: Mon, 28 Apr 2008 01:45:01 +0000
app-shells/bash: 3.2_p17-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r5
sys-apps/baselayout: 1.12.9
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.61-r1
sys-devel/automake: 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i486-pc-linux-gnu"
CFLAGS="-O2 -mtune=i686 -pipe"
CHOST="i486-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -mtune=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl berkdb cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl ssl tcpd unicode x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY




Today one of my biggest dreams got shattered by technical deficiencies.

Phreak helped me to experiment with the virtuals in my new experimental toy profile on miranda chroots. I learned alot about catalyst and finally found out about my mistake that you need to roll up the portage tree (where you have added the created test profiles) into a portage-XXX.tar.bz2 and give this XXX name to the catalyst specs file before building the stages.

Otherwise it cannot find the profile in portage snapshot and print out an erroneous message about your profile being broken, simply because it cannot find it in the portage snapshot that was unpacked.

So, while experimenting with stage building and seeing to it that it works to create a masking of sys-libs/glibc and a virtual/libc mapping to my own testing version of sys-libs/hardened-glibc, for covering my future wanted changes for SSPx and AT_ENTROPY without touching the holy sys-libs/glibc grail of our toolchain team, it suddenly turns into a full fledged uphill battle that is impossible to win.

I am talking about reworking all affected packages in the tree to not depend on sys-devel/gcc any more but on virtual/cc or something like that- because we currently don't have a virtual for gcc. Good job, team.

Short spoken: our toolchain is currently maintained by a single person, happily monolithically aimed at glibc (and a bit of uclibc) and gcc.

Which in turn gives all the power of control over the base system, the standard lib and the compiler into the hands of one or two people without users or other devs being able to plug in or attach another modular approach to it.

Which basically means you don't have another choice but to use the glibc and gcc provided by our distribution. A distribution that was about choice, at least the last time i read it on our homepage.

I still remember the support and the backup of our gcc and glibc hackers when in 2002 and 2003 the hardened toolchain was still a young project compared to the other projects of Gentoo and how we were all working together on a shared vision... all gone.

Today it's about software quality and keeping your hands on your packages which in turn control the behaviour of a complete GNU/Linux distribution.

Thank you very much.

Alex

http://www.amazon.com/Ambient-Findability-What-Changes-Become/dp/0596007655

good book, if you leave aside the obnoxiously evident google-fanboyism

today it's the birthday of Edmund Stoiber and Bushido- lmao

-Alex

old but true...

Thu Jul 26 15:39:49 CEST 2007

In der griechichen Mythologie, oder war es die lateinische, oder ist das beides das gleiche, trug Atlas die Welt auf dem R

when you suddenly wake up at half past four in the night you know you have been doing a good job getting your life sorted out and all of that.

lots of things are happening in my life at the moment.
i found a new job which is great because i am confident that this will bring me through the final year of my bachelors degree without financial problems plus i am forced to spend time with a good friend and the atmosphere there (four developers and one coffee machine) feels like working in a corporate living room.

The only drawback: it's a C# and Visual Studio 2005 job with .NET 3.0.

This stuff feels more professional and pays the rent, a step forward from that silly undermanaged Java project i worked at school for two years- it paid the rent but didn't feel professional

So what about the open source compiler hacks i am contributing, which from a neutral point of view nobody needs to continue maintaining or wants to benefit from anyway- take a look at the gorgeous project management of our all beloved toolchain maintainers and hardened toolchain maintainers and add 1 to 1. What has happened during the last year and what is happening in the next year? In my eyes in the last year nothing useful has happened to the 3.4.x to 4.x transmission shift but we all saw the fruitless try to offload the integration of maintenance, integration and implementation work of the hardened toolchain suite to an overworked baseline toolchain team at Gentoo and that this didn't really benefit the hardened team. Together with a leadership vacuum we're in a master/slave role now waiting for our fellow developers to give way to our glibc/gcc modding stuff finally being visible by the users of our distribution- or have them forced to use a locked up overlay that has no real status or integration with the baseline either. Get your act together. My plans for SSPx are still valid and justified. And PaX userland development is not sleeping, and when it comes knocking at the door, we should have an answer how to make room for it in our hardened project. And you better have a good answer and not "let's see how toolchain devs think about all of this".

Alex

Woran erkennt man eine funktionierende Fernbeziehung- jetzt mal von der gegenseitigen Sehnsucht und den ab und zu aufkommenden emotionalen Schmerzen abgesehen?

An der immens hohen Telefonrechnung zum Beispiel.
An der j

http://dev.gentoo.org/~pappy/ssp/AT_ENTROPY/linux-2.6.21.5_AT_ENTROPY.patch

just waiting for upstream glibc and linux-kernel to assign the numbers, then we can go bughunting why the repetitive call to get_random_int() yields the same values for both calls...

but perhaps this is a feature and not a bug and we need a pax-like function...

Alex

everybody who has a glibc-2.5-r3 please test the following program:


#include LESS_THAN_SIGN stdio.h GREATER_THAN_SIGN

extern unsigned long int __guard;

int main(void) {
printf("__guard: [[0x%x]]\n", __guard);
while(1) { ; }
return(0);
}


compiled with gcc -static and single stepped with gdb, it should show that the guard is randomly inizialized.

but compiled without -static, it shows for my tests that the __guard is always 0x0... bad bad cow.

but there is good news too: the AT_ENTROPY patch

this is a stub for 2.6.21 kernel source

falcon linux # grep -A2 -B2 -ri "deadbeef" fs/binfmt_elf.c
NEW_AUX_ENT(AT_CLKTCK, CLOCKS_PER_SEC);

NEW_AUX_ENT(AT_ENTROPY, 0xdeadbeef);

NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff);



the glibc patch is "done" (leave out the 0x0 problem)



diff -Nru glibc-2.5.ORIG/csu/libc-start.c glibc-2.5/csu/libc-start.c
--- glibc-2.5.ORIG/csu/libc-start.c 2007-06-16 15:23:50.000000000 +0200
+++ glibc-2.5/csu/libc-start.c 2007-06-16 16:01:19.000000000 +0200
@@ -165,8 +165,16 @@
#endif

# ifndef SHARED
- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ /* Set up the stack checker's canary, optional kernel entropy */
+ uintptr_t stack_chk_guard;
+
+ if (GLRO(dl_entropy) != 0) {
+ stack_chk_guard = GLRO(dl_entropy);
+ }
+ else {
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+
#ifdef ENABLE_OLD_SSP_COMPAT
__guard_local = stack_chk_guard;
#endif
diff -Nru glibc-2.5.ORIG/elf/dl-support.c glibc-2.5/elf/dl-support.c
--- glibc-2.5.ORIG/elf/dl-support.c 2005-05-11 19:27:22.000000000 +0200
+++ glibc-2.5/elf/dl-support.c 2007-06-16 16:13:33.000000000 +0200
@@ -155,6 +155,8 @@
#ifdef HAVE_AUX_VECTOR
int _dl_clktck;

+uintptr_t _dl_entropy;
+
void
internal_function
_dl_aux_init (ElfW(auxv_t) *av)
@@ -172,6 +174,9 @@
case AT_CLKTCK:
GLRO(dl_clktck) = av->a_un.a_val;
break;
+ case AT_ENTROPY:
+ GLRO(dl_entropy) = av->a_un.a_val;
+ break;
case AT_PHDR:
GL(dl_phdr) = (void *) av->a_un.a_val;
break;
diff -Nru glibc-2.5.ORIG/elf/dl-sysdep.c glibc-2.5/elf/dl-sysdep.c
--- glibc-2.5.ORIG/elf/dl-sysdep.c 2005-12-14 09:36:14.000000000 +0100
+++ glibc-2.5/elf/dl-sysdep.c 2007-06-16 16:12:38.000000000 +0200
@@ -160,6 +160,9 @@
case AT_CLKTCK:
GLRO(dl_clktck) = av->a_un.a_val;
break;
+ case AT_ENTROPY:
+ GLRO(dl_entropy) = av->a_un.a_val;
+ break;
case AT_FPUCW:
GLRO(dl_fpu_control) = av->a_un.a_val;
break;
diff -Nru glibc-2.5.ORIG/elf/elf.h glibc-2.5/elf/elf.h
--- glibc-2.5.ORIG/elf/elf.h 2007-06-16 15:23:49.000000000 +0200
+++ glibc-2.5/elf/elf.h 2007-06-16 16:01:48.000000000 +0200
@@ -977,6 +977,8 @@

#define AT_SECURE 23 /* Boolean, was exec setuid-like? */

+#define AT_ENTROPY 24 /* kernel entropy */
+
/* Pointer to the global system page used for system calls and other
nice things. */
#define AT_SYSINFO 32
diff -Nru glibc-2.5.ORIG/elf/rtld.c glibc-2.5/elf/rtld.c
--- glibc-2.5.ORIG/elf/rtld.c 2007-06-16 15:23:49.000000000 +0200
+++ glibc-2.5/elf/rtld.c 2007-06-16 16:01:28.000000000 +0200
@@ -1838,8 +1838,16 @@
tcbp = init_tls ();
#endif

- /* Set up the stack checker's canary. */
- uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+ /* Set up the stack checker's canary, optional kernel entropy */
+ uintptr_t stack_chk_guard;
+
+ if (GLRO(dl_entropy) != 0) {
+ stack_chk_guard = GLRO(dl_entropy);
+ }
+ else {
+ stack_chk_guard = _dl_setup_stack_chk_guard ();
+ }
+
#ifdef ENABLE_OLD_SSP_COMPAT
__guard_local = stack_chk_guard;
#endif
diff -Nru glibc-2.5.ORIG/sysdeps/generic/ldsodefs.h glibc-2.5/sysdeps/generic/ldsodefs.h
--- glibc-2.5.ORIG/sysdeps/generic/ldsodefs.h 2006-08-24 22:27:05.000000000 +0200
+++ glibc-2.5/sysdeps/generic/ldsodefs.h 2007-06-16 16:04:02.000000000 +0200
@@ -558,6 +558,9 @@
/* CLK_TCK as reported by the kernel. */
EXTERN int _dl_clktck;

+ /* ENTROPY provided by kernel */
+ EXTERN uintptr_t _dl_entropy;
+
/* If nonzero print warnings messages. */
EXTERN int _dl_verbose;



cya,

Alex

big ups to the man

here we go


y %MODES;

${MODES}{"op001"}{function} = \&startChroot;
${MODES}{"op001"}{data} = \$start;

${MODES}{"op002"}{function} = \&stopChroot;
${MODES}{"op002"}{data} = \$stop;

${MODES}{"op003"}{function} = \&resetChroot;
${MODES}{"op003"}{data} = \$reset;

${MODES}{"op004"}{function} = \&deleteChroot;
${MODES}{"op004"}{data} = \$delete;

## side effect: commandline arguments are reordered
## alphabetically before they are processed

for(sort(keys(%MODES))) {
my $mode = $_;

if (defined(${ ${MODES}{$mode}{data} }) && ${ ${MODES}{$mode}{data} } ne "") {
my @CHROOTS = split(",", ${ ${MODES}{$mode}{data} });

for (@CHROOTS) {
my $name = $_;
if ($name =~ /all/) {
foreach my $user (keys(%CHROOT)) {
foreach my $chrootname (keys( %{ ${CHROOT}{$user} } )) {
&{ ${MODES}{$mode}{function} }($user, $chrootname) or die "operation failed for $user:$chrootname";
}
}
} else {
foreach my $chrootname (keys( %{ ${CHROOT}{$name} } )) {
&{ ${MODES}{$mode}{function} }($name, $chrootname) or die "operation failed for $name:$chrootname";
} } } } }


this is the new building block for devel-chroots 2.1.0

xml based config file

improved chroot management utility (devel-chroots --start --stop --reset --delete)

I will code it up the rest of this week, as always have fun and enjoy,

Alex

Sometimes it feels like time is burning under my fingernails.

Phreak is kind of a cool chap. And his brother is the police or the secret service *g*.

I have met so many new people in my life, and i have lost contact to so many others. Maybe this is the reason i begin to think life is about changes and adopting to new situations is very important for me nowadays. I forgot how it feels not to love this woman i am spending my life with. I cannot even say what would be if i would not have met her. The only thing i can say is: i cannot find words for how much i miss her which would nearly qualify for expressing my emotions when i'm all alone and she's not here.

School is going on like it has always been: i know i should learn more but somehow i'm a lazy bastard and still think i can get along with it. And if not: then not. Life is more.

Work is fading out, finishing my time in August.

Normally people are supposed to sleep at 3am in the morning.

This week i started catching up with my Gentoo timeframe and looking at the realization plans for some of my favourite slacking projects again.

* new hardened-sources 2.4 version

* looking at hardened gcc and glibc status

* AT_ENTROPY for glibc SSP
** still have to write emails to kernel devs regarding the AT_ vector additions (dunno how to write it...)
** need to find out where to put the code for the initialization of SSP (external global variable at_entropy_ssp?)

* SSXP mockup for hardened toolchain
** need to put the code in TLS (who manages the memory numbers in TLS space?)
** amd64 demo code works
** need RTL fixes for x86 return address location calculation (and other 32 bit arches?)
** regression suite for benchmarking and SSXP code auditing
** rewrite documentation into a professional and beginners edition (latex source)
** write gentoo-ssxp.xml introduction for the hardened project

* devel-chroots improvements
** /var/lib/init.d/ initalization to make using /etc/init.d/ possible
** sshd (port offset) and sysklogd starting with chroot
** mounting of /proc and /dev/pts inside chroot
** screen sessions will only be started inside the chroots via connecting with ssh
** external screen session running from the host OS is a security risk

Altogether my plans for devel-chroots are to produce a complete development solution without putting the host operating system in danger (i.e. wrecking a glibc or a hardened gcc).

The solution covers virtually every aspect of Gentoo development, the only thing out of reach is low level kernel testing...

And by the way. Does anybody have a good idea how to get rid of flies shitting on my TFT screens? Those little bitches seem to love the plastic coating of my screens. Or is it just the lights...

Nevermind, trying to catch some sleep!

Have fun and enjoy,

Alex


#!/usr/bin/perl -w
## this program implements the bf2 rcon password login
### and provides a simple commandline based interface
use strict;
use IO::Socket;
use Digest::MD5;

my $host = shift or die "no hostname";
my $port = shift or die "no rcon port";
my $pass = shift or die "no bf2 rcon password";

my $cmd = join(' ', @ARGV) || 'list';

my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp');

$sock or die "no socket :$!";

while($sock) {
my $line = scalar SMALLER_SIGN $sock GREATER_SIGN;

if (!(defined($line) && $line)) {
close($sock); exit(0);
} else {

## find the Digest seed to login
if ($line =~ /\#\#\# Digest seed: (.*)/) {
my $digest = $1;
my $md5value = Digest::MD5->new();
## this is the digested password
$md5value->add($digest); $md5value->add($pass);
## login with the digested password
print $sock "login " . unpack("H*", $md5value ->digest()) . "\n";
## send the command and logout
print $sock $cmd . "\n"; print $sock "logout" . "\n"
} else {
if ( ($line =~ /^\#\#\#/) || ($line =~ /^$/) ||
($line =~ /Authentication successful, rcon ready/) ||
($line =~ /Logout successful/) ) {
next;
} else { print $line; }
}
}
}

close $sock;


This code is connecting to the rcon port of a bf2 server and expects a command.
It then returns the output of this command.

Bear in mind that punkbuster console commands like "pb_sv_plist" are only returned to the server console and will not be returned to the rcon output.

Generally, it's called this way:


#!/bin/bash

grep -v "^##" "$(dirname ${0})/bf2rcon.cfg" | \
while read host port pass
do
echo "updating $host:$port"
"$(dirname ${0})/bf2rcommand" $host $port $pass \
exec game.sayAll \"SYS load: $(cat /proc/loadavg)\"
done


while bf2rcon.cfg is a simple list of hosts, ports and passwords for executing rcon commands.

This sample tool is just printing the current load average of the server to the console of the game servers.

Of course you could print teamspeak users online or other nifty jokes.

-Alex

This song has been dubbed from the original version of a big hit.
It can be performed to the similar named song from Britney 'Sinnead' SpearS.

Disclaimer: it's a joke and you aren't supposed to take it serious.

I'm not a dev, not yet a bug-wrangler

I used to think
I had the answers to everything
Mm but now I know
That life doesnt always go my way. yeah
Feels like Im caught in the middle
Thats when I realize

Im not a dev
Not yet a bug-wrangler
All I need is time
A moment that is mine
While Im in between
Im not a dev

There is no need to protect me
Its time that i
Learned to face up to this on my own
Ive seen so much more than you know now
So dont tell me to shut my eyes

Im not a dev
Not yet a bug-wrangler
All I need is time
A moment that is mine
While Im in between
Im not a dev

But if you look at me closely
You will see it in my eyes
This man will always find his way

Im not a dev
Im not a dev dont tell me what to believe
Not yet a bug-wrangler
Im just tryin to find the man in me, yeah
All I need is time
Whoa, all I need is time...
A moment that is mine
... thats mine
While Im in between
Im not a dev
Not quite a bug-wrangler
Not now
All I need is time
A moment that is mine
While Im in between

Im not a dev

Ooooh, not yet a bug-wrangler

hey you!

happy birthday, phreak!

-Alex

... they are all around me.

This is the sentence (one of the more politically correct ones) that comes to my mind when i see the current press campaigns on the usual websites going on. Some people are actually trying to do "professional" online journalism and look at and compare Gentoo as if it were

a) an overfinanced silly Debian ripoff with no future but playing nice to the hustle and bustle that's called shareholder value

b) an underfinanced monolithic cult of moonshiners with no future either

c) the next big thing and we owe it to the public that we are the coolest and fantastic hippie shit on earth

None of this is true.

As long as i have been a Gentoo developer, i have learned one important thing about the real people bringing this distribution forward: they are doing it no matter what you do to them. You can put technical problems in their way, you can make their hardware break, you can curse at them, you can insult them, you can talk bad about them in blogs, emails, in google search results and phony news portals. You can cram their inboxes with 500+ spam mails each day cuz their bloody address shows up in changelogs. But i have yet to see one of those Gentoo developers give up. I won't talk about names here but those people know who they are and why they are.

During time, various Gentoo developers retire or suspend their activities for a multitude of reasons, the most common reason i have seen being a change in real life (new woman, new wife, new dog, new kids, finishing university with a degree, new job with less time for open source fun stuff, ...). Draw your own conclusions but there is also some people who carry their disappointments and unsuccessful careers like a stigma and who later will tell you how bad and lowly we the normal mortal developers deal with offensive behaviour in here. It takes two, one to piss you off and one to be actually pissed off. No offense intented. I'm not promoting offensive behaviour. I'm just saying that it takes two people to go that route.
I am not talking about politics or control or entities like devrel or userrel or council here. I'm talking about my impressions and experiences as a normal Gentoo dev who is sometimes pissing people off and sometimes getting pissed off by other people.

If you are asking some of the developers i am forced to daily work with, they just keep their mouth shut on several occasions where they actually _could_ and would say stfu to the words spreaded by some of our less, well, comfortable fellows, including myself. However, they prefer to let the other one have the last word, knowing that they (and the other one) give a fuck either way.

For two reasons. I elaborate at one's own risk.

First reason being time.

Some people just don't care because they got better things to do than worry about your or my rants. Yeah, it's true. Even this blog post could never have been written without daylight saving time making my biorhythm go nuts all over the place.

Second reason being pride.

For some people it's unbearable to let someone have the last word over their own because it's the fucking false pride that's getting in the way.

If some people would let things be. And they would realize the internet is 80% noobs with low profile bullshit mass media information generators and 20% porn. The whole internet consists of and lives by the ways of deception, misinformation, simply incorrect technical documentation and descriptions and other atrocities. This is just how it is. We are not living in a perfect little soap bubble at Gentoo. However, and this is a lesson i have learned, you are not making it better by dropping a thermonuclear bomb of bullheaded vigilantism on it. You are just spreading it out and make yourself long-term inveterate foes.

You cannot fuck for virginity. And you cannot make war for peace. The same holds true for winning an argument against people who are as retarded as you when it comes to defending your bollocks. You are not winning the argument. You were just having the last word. There ya pride goez!

It's fun though, i have to admit. Not the foes. The bullshit and the buzzing i mean.

However, sooner or later, you wake up one day and you will realize it was not worth it. Not a single bit of it. You could have swallowed your pride. You could have just let things be, for an hour or a day. Or a week or a month. Or a couple of months. Or a couple of years. We are getting older and some of us become wise and eventually wind down to a moderate and temperate character. Call it school of life or learning by doing or whatever you want to call it. I have been taught by many people i'm the most immature and uneducated piece of white shit they have come across in their life. Nonetheless those are the people who also like me somehow. Cuz i may be retarded and rampant, but i'm trying to be in a naive nonhazardous way without harming people all the way. Like wet explosives or a dog without teeth or something like that.

However, back to what this post is about...

If you like ranting and spreading incoherently reflected half-truths: just hit it, it's a free internet and everybody is supposed to fill the heap with bullshit bullshit bullshit as good as you can! If you think Gentoo sucks and you can do it better: do it better.

Gentoo Linux is still the most versatile, barebone, extensible, secure, configurable, top-notch source meta distribution that is

a) available
b) successful
c) useful
and
d) sexy

Call me a fanboy now or whatever you want but time will show and i will learn that your articles are neither helping nor harming. The good and the bad thing about the current problems is that the community of Gentoo developers cannot be described as a single unit nor can it be handled as such one. You can tell some common things about all Ubuntu developers and all Debian developers: like all Ubuntu developers love to be pricks and copycats while all Debian developers love to pretend it's cool to adhere to their "just in time" releases of three year old software as "stable".

I think that's like mummy is dancing to Vanilla Ice (Vanilla Ice getting jiggy with it!) and doing audition at American Idol: just in time.

Comments for this post are not welcome and i'll not discuss it.
If you don't get the message: swallow your pride and resist hacking a wily reply into your mail client, forum entry, blog post or whatever your anarchy friendly information society attack vector is. I will not jump on it.

If you don't like what you have read: don't read it again and try to get over it. Maybe tomorrow you will not be angry or upset any more.

If you are a Ubuntu developer reading this: sorry for offending you on the internet, we all know you are just gorgeous looking role models with too much free time.

If you are a Debian developer reading this: sorry for offending you on the internet, we love you and we love to work with you and share your "experience".

There is a bad thing about Gentoo: the lack of sustainability.
There is a good thing about Gentoo: the lack of sustainability.

Think about that and make up your own mind about the two sentences.

-Alex

PS: You had it coming.

Blogs are widely known as positive multiplicators (or catalysators) of new technologies and sensors for next generation "in crowd" must-haves.

But blogs also put the focus on negative aspects of some new developments and buzzing internet hotspots. This has also been the case with some student portal in germany, which recently became notoriously 'famous' for it's weak and ineffective security setup.

In this case we are not talking about physical site security or host based intrusion deterrence and prevention. This student portal was just giving away too much of it's internal informations to outsiders without proper credentials.

Now everybody could argue: if you sign up, you will get the information anyway.
But the argumentation of the owners, and even the users, seems to go even further: the information is not classified, hence it's not an important cornerstone of their business portfolio to protect it.

People continue to use this website. Which is justification enough to stop thinking about the outcome. Some of the students using the website even ridicule the 'improvised' amateur penetration testing by their collegues as immature, geekish prank. Now, to them it's some kind of hard earned scar they are, chuckling proud, showing off to their mates: hey, we got hacked, what a funny experience!

A lesson can be learned from all of those things happening: on the internet, nobody knows you are a dog plus your personal identity information and the contents of your communication will always be free. Free as in freely accessible.

It is either freely accessible for those who pay for it- the portal and all of it's consumer profiling ready data got sold to a big publishing company soon after it hit through the roof with it's ever increasing number of user accounts.

Or it is freely accessible for those who manage to either circumvent basic obfuscation techniques by unskilled webmasters (linear serials or otherwise reproduceable tokens for session state management and data access), or just hack the system from outside- or inside for what it's worth.

Your data is not secure. Do not store it on the internet.

Now, what really makes me wonder is that people accept it.
They are getting informed about it, always the thing you hear is: oh, really?
But then no things change and they take it into account.

Perhaps just because you don't have to pay for a website that acts as a transactional hub for personal communications and as a global meeting point, you don't have or can't have to worry about security- because if you would do, your world would suddenly turn black.

Gentoo Hardened cannot protect content that is not secured by a seriously developed information security policy and technology that implements it.
What our project is about is giving basic toolchain tools and MAC systems for protecting the underlying machines, giving a basic level of trust into the integrity of the operating system, a hostile environment to possible intruders and a valid starting point for putting an information security policy dealing with the data on top of this.

And i think that's the next big deal: if you are a content provisioner or community platform provider interested in your users enjoying the privacy they are supposed to have, it will cost you a damn lot of money. And you cannot even go bragging about it while playing golf with your homies from the automotive. Cuz they don't give a fuck about user profiles getting read by cross site scripts and used for relaying viagra commercials and stock exchange zeroday trading information to them.

Hardened technology is protecting a lot of machines nowadays.
It prevents intrusions and makes it hard to benefit from a successful exploit because the machine treats intruders hostile and is supposed to make a lot of noise when touched by strange things coming from the internet.

But it cannot solve your information technology problems and cannot protect your high level security requirements for information integrity and confidentiality.

Protecting the private content and personal identity data of users should be important for people. However, it is apparently not.

There is no bad thing about this.

The bad thing to me is: the users accept it.
Which means for me: it's your, the users, own fault then.
If you can't demand and choose your websites based on their history of bad security incidents, then you should also be prepared to live with the outcome.

You don't even have the choice? Well *shrug* not my problem either. Nobody expects you to be the golden digital transparent boy. But you are it. It's your problem.

Now you draw parallels to things like camera surveillance in London.
The massive increase in digitally monitoring content and internet activity in germany. Everywhere around the world things are getting hectic all the sudden.

People do not stand up against it. The people who support it can freely propagate the advantages of those solutions: nobody is taking a pee in the streets of Walthamstow any more.

Nobody speaks up against it because you are sooner or later subject to the suspicion of being a terrorist sympathiser or worse, a liberal.

Now put aside all the proverbs about security and freedom.
And put aside all you learned by now about those things.

What remains for me is: people accept it.
As long as there is no difference in using an unprotected insecure system without a basic level of privacy. And even using a secure system that actually tries to protect the personal data of their users can still be hacked.

But too many people draw the wrong conclusion from that:

It's like saying: fastening your seatbelt does not prevent you from getting squashed by a truck coming through your windshield.

However, the argumentation rather should be: fastening your seatbelt surely does not prevent you from getting turned into ketchup on the tarmac by a beer truck with an (ironically) drunk driver- but in case of a normal, and statistically likely to happen, frontal crash accident with something less intrusive it prevents you and your kids from becoming a dead meat cannonball that is trying to break the speed barrier of low altitude ballistic subsonic flight.

We can't protect you from your life. And you have to die one day. That's the facts. But you got to do it with style- the life, not the death.

Using secure websites and becoming aware of the importance of your privacy on the internet is sexy. Not using them and using their insecure counterparts because you see no alternatives is not.

By the way, it's exactly the same with operating systems, but we won't talk about that now, okay?

Have fun and enjoy,

-Alex

You can't always get what you want.
But if you try very hard, or harder, or hardened, you will perhaps get what you need.

Now, serious, i don't want to die.
I want to have 10 kids. Or 20. Or while at it, 30 should be a reasonably sized figure

In the past days i have been thinking too much about death and my life.
Turning thirty and not knowing what comes next is awful if you are like me and think too much about those things- i don't remember much about my childhood either...

To be more precise, nothing has ever been that good for me like the things happening now. I have found this woman who makes me feel so good and i still know that i can never explain to her how much i would miss her if i would not be there any more or if she would not be there any more. This is what makes me scared- and what probably forms the foundation for whole religions where it is forbidden to give your heart away just to find out how much it hurts when you love your life (and living this life of yours) so much that you cannot control your emotions any more.

I have been in love a couple of times and i never felt anything like that for somebody before.

It's like your life is absolutely perfect and complete and you want to immediately come to a full stop and say: that's it, don't go back or forward now, don't get old, don't die, don't continue with your life, just stay here forever and enjoy, enjoy, enjoy. If there would be something like an eternal entity where my conscience is stored after i have stopped living, i would like it to remain in this state. Of course this is nonsense

So, here i am- full of gratitude, thankful and blessed.
I don't know where to go from here. Because everything i do, it can only get worse. I will turn old, grey and slowly fade away in about 50 or 60 years, 70 if i'm lucky.

Status updates from school and real life:
- my tax declaration has to be redone
- still no result from my final math school test
- i think i can drive to FOSDEM (90% sure)
- on monday i am writing my last test this february (business process design/engineering)
- i don't know what to say about my job, it's still a "so so"
- my bf2 career is fine, i found a new clan =KSS= those guys are awesome and i'm having the time of my life (see above)

Finally, i would like to wish all of you a good year of 2007, this will be your year and you will only live your life once, so take the BEST out of it and make it worth it!

Cheers and thumbs thumbs up and don't get lost!

Alex

So my first born son is turning seven today.
And not to forget it's Valentines day!

So give a hug or two to your better half and be happy that you're alive.
Still no sign from the math test outcome, which means i still don't know about the result...

Anyway, time for a nap

Alex