/System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security

To see what certs are in the store, you can use this command

keytool -list -keystore ./cacerts

the password by default is ‘changeit’

Unfortunately, the list is not much use because they’re all listed as ‘keychainrootca-##’ where ## is a number from 1 – 109 (at the time of this post)

Hope this helps someone.

What the fuck are you guys up to? Get your shit together and start outthinking the “slash mobs”. If you don’t have any plans right now to tackle the situation, may I make a recommendation?

1. Catch up to three people involved in a slash mobs
2. Clone their phones and or get a court order to monitor their phones. (you could even use private agencies for this. think outside the box)
3. Create and practice a generic sting operation and then practice it some more
4. Monitor messages on each of these phones from previously caught criminals
5. Await instruction/messages of next organized slash mob
6. When the next message arrives, put your sting operation into effect with innocent looking ipad/iphone users
7. Profit! AKA beat the living shit out of those fucking kids and teach them a god damn lesson!

I hereby volunteer to help you put this plan together and even stand by innocently with a iphone/ipad (that you will need to provide).

Sincerely,

Anoop

Here’s what i’m taking with me.

• My bike. Motobecane Vent Noir 2010 from Bikes Direct
• Helmet, shoes, gloves, multitool, spare inner tubes, patch kit, tire levers
• Camelbak M.U.L.E (3 L/100 oz)
• Sunscreen, toothbrush, toothpaste, deodorant (important), aleve
• Bike computer, head/tail lights
• Clif bars (6)
• Energy gel packs (6)
• Bike U Lock
• Ipod/iphone + spare phone + charger + mobile charger
• camera (because iphone sucks)
• jeans, t-shirt, underwear
• Wallet, keys,
• blackberry playbook (really really optional)

All my routes can be found at http://mapmyfitness.com/profile/anoopbhat

BONUS! If you want to track my progress live, go to http://mapmyfitness.com/profile/anoopbhat/live

Wish me luck

After trying to write something in applescript and quickly giving up, I found an article that would allow me to write a custom action in Ruby.

Create a custom ruby script and put it into ~/Library/Application Support/Quicksilver/Actions (you may have to create the Actions directory)

This is what my script looks like. It’s ‘addTodo.rb’ I used this as an opportunity to try and pick up some ruby too so please forgive any newbie faux pas. This script creates a CSV and appends to it so I can open it in Excel or something similar.


#!/usr/bin/ruby
# writes to a file with a date

todo = ARGV[0]
now = Time.now
filename = "/Users/anoop/Documents/todos/todo.csv"

if !File.exists?(filename) then
filehandle = File.open(filename, "w")
filehandle.puts "Week Number, Time of Update, Update"
else
filehandle = File.open(filename, "a")
end

# format the date so that we have the week #, the current date and then the buffer
todobuff = now.strftime(“\”Week %U\”, \”%a %m/%d/%Y %H:%M:%S\”,”) + “\”" + todo + “\”"
filehandle.puts todobuff
filehandle.close

Save this file and restart Quicksilver (I had to restart it twice)

Activate Quicksilver, and type in

.your item for the todo list

In the action window, simply type search for ‘addTodo’ and you should see your newly added action. Execute and then confirm that the script was executed successfully.

Enjoy!

I only recently realized that Flash Builder’s Content Assist also uses the same ‘ctrl’ + ‘space’ key combination to make things easier when writing applications.

In order to utilize it, I modified my Quicksilver shortcut but just couldn’t get the hang of it. The muscle memory is harder to let go of I suppose.

Finally, with a bit of free time, I found out where the short cuts are configured and changed them. If you’re like me, then you know how painful Eclipse preference navigation can be.

To change the shortcuts, do the following

Preferences -> General -> Keys

Search for “Content Assist” and you’ll be able to easily modify that shortcut.

I changed mine to “option” + “space”

• You will feel the urge to flip off cabbies and will feel entitled to do so. Do it.

• You feel like you’re riding against the wind. Both fucking ways.

• You will pass up many mountain bike riders, runners, walkers, and children. Damn right. Fuck them for being slow. Enjoy it. It’s the little things that count.

• Experienced riders will smoke your ass. Women, children, old guys with shit loaded on their bikes, everybody. They have “endurance”. Faith is your only friend. And perseverance.

• You WILL fall off your bike if you bought clipless pedals and have never used them. Fuck what everyone says and keep at it. It’s all about practice. I’m still learning.

• Your neck will hurt like hell. Take a look at the seat position and maybe even the stem on your bike. Adjust that if needed

If you want to see my workouts and routes, they’re all on mapmyfitness.com. [Link]

The benefit of using something like AD for authentication is that users are less likely to share passwords with each other for one off generic accounts created on boxes as well as easier account management.

Start by installing samba3x packages for your respective architecture


yum install samba3x-winbind.x86_64


This will install winbind and any other dependencies.

Next, verify your /etc/hosts and /etc/resolv.conf and make sure it’s correct. Hosts should not have something like


127.0.0.1 FQDN_OF_HOST localhost.localdomain localhost


it should be


127.0.0.1 localhost.localdomain localhost
REAL.IP.OF.HOST FQDN_OF HOST HOSTNAME


Next, check the date and time and make sure that’s correct and extremely close to the time on the server.

Next, run this command to add the host to the domain, configure samba, etc.


/usr/sbin/authconfig-tui \
--enablewinbind \
--enablewinbindauth \
--enablemkhomedir \
--enablepamaccess \
--enablelocauthorize \
--smbsecurity=ads \
--smbrealm=DOMAIN.EXTENSION \
--smbworkgroup=DOMAIN \
--smbservers=DOMAINCONTROLLER1.DOMAIN.EXT,DOMAINCONTROLLER2.DOMAIN.EXT
--winbindtemplatehomedir="/home/%U" \
--winbindtemplateshell="/bin/bash" \
--enablewinbindusedefaultdomain \
--kickstart \
--winbindjoin=ADMINISTRATORACCOUNTNAME


Provide your password for the account above and watch the error messages that appear. This command will also restart winbind for you.

Ensure that it’s still running with


service winbind status


or look for errors in the log files. Possibly /var/log/messages or /var/log/samba/wb-DOMAIN.log

If that’s working, you should be able to login now over ssh


ssh username@host


Access Controls

You can control which groups/users can login from /etc/security/access.conf. The ” –enablepamaccess” instructed PAM to look at access.conf whenever anyone tries to login. Watch for spaces in the group/usernames. It doesn’t work as well


+ : GROUP_NAME or USER_NAME : IPs or ttys or ALL
- : ALL : ALL


+ says that a user can login.
- says that a user cannot. The second line says deny everyone.

Sudo privileges

You can use the same group above to setup sudo privileges as well using ‘visudo’ as root

NOTE: these instructions may differ a bit if you’re trying to login with an account in a subdomain.
NOTE: You may or may not want to setup DNS for this host in AD prior to joining the domain. I recommend doing it prior to. Creating a computer account for it is not necessary prior to joining.

In any enterprise level application environment, you’ll find that your tiers are segregated by a firewall.

In some cases, you may see this type of architecture

FIREWALL -> WEB -> FIREWALL -> APP -> FIREWALL -> DB

or even

FIREWALL -> WEB -> FIREWALL -> APP/DB

In both designs, which are somewhat similar, you may potentially run into keepalive issues.

Keepalives are essentially messages sent between two devices on a specified interval to verify the state of the connection between them. If a message is not acknowledged by the receiving device, then the transmitting device assumes the connection is down and then will find another way to route data until that connection is re-established (if it does which usually, it doesn’t)

Keepalives are essential in environments where you’re using connection pools. Web servers may sometimes use a connection pool to talk to an application server like tomcat or weblogic. Application servers frequently use database connection pools to ensure that the performance is optimal.

Most connection pools will have a keep alive setting so you should leverage that when you can. Some connection pools do not. Mod_weblogic for example doesn’t have it’s own keep alive value. It can be enabled or disabled but by default, it will use the system keepalive interval which on RHEL/CentOS systems is set to 7200 seconds (two hours).

To check your current system keepalive settings

# sysctl -a | grep net.ipv4.tcp_keepalive
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200


net.ipv4.tcp_keepalive_intvl is the frequency by which keepalive messages are sent.
net.ipv4.tcp_keepalive_probes tells your system how many unacknowledged keepalive messages should be ignored before considering the connection to be dead.
net.ipv4.tcp_keepalive_time tells your system how long to wait before sending the first keepalive message after the last packet. This is the biggie!

I don’t understand why 7200 seconds was chosen as a number. In my environment here, the firewall can drop idle connections after one hour and sometimes even less depending on how big the connection table can get (I’m looking at you checkpoint).

So I normally trim these down so that the keepalive time is less and the number of probes is more. The interval is also reduced by a bit but that’s not really important. You would normally make these changes on the server that is initiating the connection. A webserver, or an application server. Sometimes a DB server but not always.

in /etc/sysctl.conf, add these lines (or modify them if they’re already there)


net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 20
net.ipv4.tcp_keepalive_time = 300


To put these settings into effect, run


sysctl -p /etc/sysctl.conf


and now retest with sysctl -a

Once set, you will need to restart your webserver or app server so it sees the new settings. This allows you to start with a fresh set of connections that you can actually monitor using netstat.

You should be able to corroborate on both ends of the connection, the ports, state and number of connections which tells you that things are A-OK!

Hope this helps.


syntax on  
set hlsearch
set incsearch
set ruler
set showmatch


syntax on is pretty obvious. If you’re writing code, it’s pretty smart about highlighting the code so it’s easier to read. It can be odd at first but I find it really useful and after a while, it becomes second nature.

set hlsearch highlights your search terms so they’re easy to see. I like this option a lot. not everyone does.

set incsearch searches as you type. It’s new to me so I’m still getting used to it but I think I can already see some uses for it.

set ruler shows you where your cursor is at all times. I like this option a lot if only to tell me what line number I’m on. set number will also do this but I also find it irritating because it also interferes with my copy/paste habits.

set showmatch is really useful if you’re a coder. If you’ve got somewhat complicated conditional statements or loops, this feature will show you where brackets match so you can find missing brackets and close the proper blocks.

Hope these help. I’ll update these as I find more.

Once you get spacewalk up and running, you’ll be amazed by some of the things it does. It can push config files, packages, inventory systems, group them and allow you to work exclusively with those groups in a very easy way. That’s only scratching the surface of what spacewalk is capable of.

I like it because I can setup custom channels where I can push custom software to each of my servers. From time to time though, I notice that the repos don’t really rebuild automatically. If you look at the “details” section of your channel, you’ll notice something like this

The times don’t match. It probably means that the taskomatic daemon is not running or is running but isn’t really pulling tasks from the database.

To verify, login to sqlplus and run this query

sqlplus spacewalk/spacewalk@xe

ORG_ID TASK_NAME
---------- ----------------------------------------------------------------
TASK_DATA PRIORITY EARLIEST
---------- ---------- ---------
1 update_errata_cache_by_channel
122 0 13-NOV-10


Notice how some tasks are older? This table should almost always be empty or only have data for a small period of time as the name suggests.

Restarting taskomatic is as simple as


[root@spacewalk init.d]# ./taskomatic stop
Stopping RHN Taskomatic...
Stopped RHN Taskomatic.
[root@spacewalk init.d]# ./taskomatic start
Starting RHN Taskomatic...


Wait about 10 minutes, because that’s the polling time for taskomatic, and then check the database again. There should be no rows


SQL> select * from rhnTaskQueue;

no rows selected
SQL>


Also check the spacewal UI and look for something like this

or

Spacewalk is still very much in its infancy but it shows great promise and there is a great community of people who are willing to help and are dedicated to making it a rich and feature full product. Spacewalk 1.1 was released recently and we haven’t had a chance to upgrade yet but I continue to see great things coming from spacewalk and that makes me happy.