Planet Sysadmin               

          blogs for sysadmins, chosen by sysadmins...

October 09, 2015


The Best Mac OS X Screen Savers: 2015 Edition

After installing, setting up and trying out over 50 Mac screen savers (!!!), we’ve narrowed our “best of” list down to our favorite 7. Each has been tested to make sure it works in the latest version of OS X (El Capitan, 10.11). They are all free, and each is quite different from the others.


1. UberNES

Play classic Nintendo games from within your screen saver! This one is so awesome we wrote an entire guide on how to install and set up UberNES.


You can “jump” right into games and play them from where they left off in the screen saver. Or start from the beginning.


Download: UberNES

2. iOS Lockscreen Screen Saver

This one is a replica of your iPhone’s “Lock Screen”. It displays the time and a (slow) moving background image, in addition to the ‘Slide to Unlock’ bar that we’re all so familiar with. As it happens, we have a whole bunch of the iOS 9 Wallpapers and Lock Screen images for you to download and use to make this screen saver even more realistic.


You can customize the screen saver in quite a few ways, from changing the wallpaper to formatting the time and text.


Download: iOS Lockscreen Screen Saver

3. Skyrocket

Skyrocket is remarkably hypnotic. It’s a never-ending “fireworks show” set over a football field. Imagine yourself on a flying carpet, zooming through a fireworks-filled night sky.


Download: Skyrocket

4. Apple Watch

The name pretty much sums it up. Your monitor(s) will turn into giant “Apple Watch” clocks, which actually look pretty cool, especially when displayed on a large screen in a shared area.

Download: Apple Watch

5. Flux

If you like Apple’s built-in screen saver “Flurry”, Flux is for you. Flurry was my go-to screen saver for years, until I discovered Flux. It’s more colorful and has a whole slew of options you can tinker with.


Download: Flux

6. Euphoria

Euphoria is one of those “fractal/geometric” screen savers. With a whole bunch of presets and the ability to customize everything, it’s my favorite of that type.


Download: Euphoria

7. Webview

This one has amazing possibilities if you’re willing to do some research and a bit of trial-and-error testing. In a nutshell, Webview lets you use web pages, including “live updating” sites, as your screen saver. Visit Webview’s home page for a list of sites and URLs that work really well with it. It’s easy to customize and add your own web sites. My favorite way of using Webview is with this URL:

and get a constantly updated list of what’s trending on Google.


Download: Webview

by Ross McKillop at October 09, 2015 03:18 PM

Aaron Johnson

Links: 10-8-2015

by ajohnson at October 09, 2015 06:30 AM

October 08, 2015

Trouble with tribbles

Deconstructing .pyc files

I've recently been trying to work out why python was recompiling a bunch of .pyc files. I haven't solved that, but I learnt a little along the way, enough to be worth writing down.

Python will recompile a .py file onto a .pyc file if it thinks something's changed. But how does it decide something has changed? It encodes some of the pertinent details in the header of the .pyc file.

Consider a file. There's a and a foo.pyc. I open up the .pyc file in emacs and view it in hex. (ESC-x hexl-mode for those unfamiliar.)

The file starts off like this:

 03f3 0d0a c368 7955 6300 0000 ....

The first 4 bytes 03f30d0a are the magic number, and encode the version of python. There's a list of magic numbers in the source, here.

To check this, take the 03f3 and reverse it to f303 (the file is little-endian), which is 62211 decimal. That corresponds to 2.7a0; this is python 2.7, so that matches. (The 0d0a is also part of the magic number: it's a CR LF pair, put there so that a .pyc mangled by a text-mode transfer fails the check.) This check only establishes whether the .pyc file is compatible with the version of python you're using. If it's not, python will ignore the .pyc file and may regenerate it.

The next 4 bytes are c3687955. Reverse the byte order again to get the endianness right, and it's 557968c3. In decimal, that's 1434020035.

That's a timestamp, standard unix time. What does that correspond to?

perl -e '$f=localtime(1434020035); print $f'
Thu Jun 11 11:53:55 2015

And I can look at the file (on Solaris and illumos, there's a -e flag to ls to give us the time in the right format rather than the default "simplified" version).

/bin/ls -eo
-rw-r--r-- 1 root  7917 Jun 11 11:53:55 2015

As you can see, that matches the timestamp on the source file exactly. If the timestamp doesn't match, then again python will ignore the .pyc and recompile it.

This has consequences for packaging: the .pyc is only useful if the mtime of the source file survives installation. SVR4 packaging automatically preserves timestamps; with IPS you need to use pkgsend -T to do so, as it's not done by default.
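As an added example (not from the original post), here is a small Python script that does the same decoding programmatically and then applies the two checks described above: magic must match the interpreter, and the stored mtime must match the source file. It assumes the Python 2 header layout the post dissects (magic word, CR LF, 32-bit mtime); the sample bytes are the twelve from the hex dump, and the script and function names are my own.

```python
import struct
import sys
import time

# Constructed sample: the first twelve bytes of foo.pyc exactly as dumped in
# the post (magic 03f3 0d0a, mtime c368 7955, then 0x63 'c', the start of the
# marshalled code object).
SAMPLE_PYC_HEAD = bytes.fromhex("03f30d0a" "c3687955" "63000000")

# 62211 is the magic word CPython labels "2.7a0"; it was kept for all of 2.7.
PY27_MAGIC = b"\x03\xf3\r\n"


def parse_py2_pyc_header(data):
    """Decode the 8-byte Python 2 .pyc header: a 16-bit little-endian magic
    word, the two bytes CR LF (present so a file mangled by a text-mode
    transfer fails the check), and the 32-bit little-endian mtime of the .py
    it was compiled from. Python 3.7+ uses a different 16-byte header
    (PEP 552), so this is only for the layout the post describes."""
    if len(data) < 8:
        raise ValueError("header truncated: need 8 bytes, got %d" % len(data))
    magic_word, crlf, mtime = struct.unpack("<H2sI", data[:8])
    if crlf != b"\r\n":
        raise ValueError("bad magic trailer %r: CR/LF mangled?" % (crlf,))
    return {"magic": data[:4], "magic_word": magic_word, "mtime": mtime}


def mtime_utc(mtime):
    """(year, month, day, hour, minute, second) in UTC for a header mtime."""
    return tuple(time.gmtime(mtime))[:6]


def why_pyc_ignored(header, source_mtime, interpreter_magic=PY27_MAGIC):
    """Mirror the two checks the Python 2 import code makes before trusting a
    .pyc: the magic must equal the running interpreter's, and the stored mtime
    must equal the source file's mtime truncated to 32 bits (which is how the
    compiler wrote it). Returns None when the .pyc would be used, otherwise
    the reason it would be ignored and recompiled."""
    if header["magic"] != interpreter_magic:
        return "magic mismatch: pyc has %s, interpreter wants %s" % (
            header["magic"].hex(), interpreter_magic.hex())
    if (int(source_mtime) & 0xFFFFFFFF) != header["mtime"]:
        return "mtime mismatch: pyc records %d, source has %d" % (
            header["mtime"], int(source_mtime))
    return None


def describe(header):
    """One-line human summary of a parsed header."""
    when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(header["mtime"]))
    return "magic %s (word %d), source mtime %d = %s UTC" % (
        header["magic"].hex(), header["magic_word"], header["mtime"], when)


if __name__ == "__main__":
    # Usage: python pychead.py foo.pyc   (compares against foo.py next to it)
    if len(sys.argv) < 2:
        print(describe(parse_py2_pyc_header(SAMPLE_PYC_HEAD)))
    else:
        import os
        with open(sys.argv[1], "rb") as f:
            hdr = parse_py2_pyc_header(f.read(8))
        print(describe(hdr))
        src_mtime = os.stat(sys.argv[1][:-1]).st_mtime  # foo.pyc -> foo.py
        print(why_pyc_ignored(hdr, src_mtime) or "pyc would be accepted by python 2.7")
```

Run against a freshly unpacked package, the mtime check is the one to watch: if the packaging step did not preserve timestamps, every .pyc reports "mtime mismatch" and python will rebuild it on first import, which is exactly the recompilation storm the post set out to diagnose.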

by Peter Tribble at October 08, 2015 06:27 PM

Server Density

5 API Security Risks and How to Mitigate them

October is Security Month here at Server Density. To mark the occasion we’ve partnered with our friends at Detectify to create a short series of security dispatches for you.

Last week we covered some essential Website Security checks. In this second installment, we turn our focus on API security risks.

Best of Both Worlds

Openness and security are two opposing priorities. Intelligent API design is a balancing act between the two. How do you open up your application and integrate with the outside world without presenting an attack surface that jeopardizes your security?

A good API creates possibilities, but it also creates boundaries. What follows are 5 design pitfalls you need to be aware of when securing your API.

1. Lack of TLS/SSL

Encryption at the transport layer is the first step towards a secure API. Without it, anyone on the network path can read your traffic, and an active attacker sitting between client and server (a Man In The Middle) can tamper with it as well, API keys and session tokens included.

Acquiring a TLS certificate is inexpensive and straightforward. We wrote about transport layer security (HTTPS) in last week’s dispatch, and we’ve also touched on it here.

2. Encryption does not imply Trust

For encrypted communication to mean anything, the client must validate the certificate the server presents. That validation is not always straightforward, and if it isn't planned properly it leaves certificate validation loopholes.

If exploited, such a loophole lets an attacker present a fake certificate and use a traffic interception tool to obtain usernames, passwords, API keys and, most crucially, user data.

Here is how it works. An attacker produces a bogus certificate (anyone can generate a self-signed certificate, and one for a look-alike name is not much harder to get) and relies on the client accepting it. A client that skips chain validation, does not check that the certificate's name matches the host it meant to reach, or trusts a name that merely resembles the expected one will complete the handshake. Once this “weak validation” has taken place, the attacker terminates the TLS session and has read / write access to user data on what is otherwise an encrypted connection. Instapaper, for example, recently discovered a certificate validation vulnerability in their app.

Make sure your clients validate certificates properly: the chain must lead to a trusted certification authority and the certificate must match the specific host being accessed. You can also look at key pinning as an additional measure (we do this for our iOS app). Pinning associates a host with a particular certificate or key, so any change in those, when the client attempts to connect, causes the connection to be refused. Plan for rotation before you pin: ship a backup pin and a way to update the pin set, or a routine certificate renewal will lock your own clients out.
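The following is an added Python example, not code from Server Density or Detectify, contrasting a client that validates properly with the lax one this section warns about, and adding a certificate-fingerprint pin check on top of CA validation. The pin list and the stand-in certificate bytes are constructed; `connect_pinned` needs a live server and is shown for completeness only.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate; a real one would come
# from getpeercert(binary_form=True) after the handshake.
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"


def strict_client_context(cafile=None):
    """What the post asks of clients: verify the chain against trusted CAs
    (the platform store, or cafile for a private CA), check that the
    certificate actually names the host being contacted, and refuse TLS
    below 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_client_context():
    """The 'weak validation' anti-pattern: traffic is still encrypted, but any
    certificate, forged or self-signed, is accepted, so whoever sits in the
    path can terminate TLS and read API keys and user data in plaintext.
    Shown only so the difference from strict_client_context() is visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """True when a context checks both the chain and the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fingerprint(der_cert):
    """SHA-256 of the DER certificate, the form most pin lists use."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert, pins):
    """Constant-time comparison against every allowed pin. Keep at least one
    backup pin in the list so the server certificate can be rotated without
    locking every deployed client out."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def connect_pinned(host, port, pins, timeout=5.0):
    """CA validation first (done by the context during the handshake), then
    the pin check on the leaf certificate. Returns (tls_version, fingerprint)
    or raises ssl.SSLError on a pin mismatch."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not matches_pin(der, pins):
                raise ssl.SSLError("certificate %s for %s is not in the pin set"
                                   % (fingerprint(der), host))
            return tls.version(), fingerprint(der)
```

Pinning the whole certificate, as above, is the simplest form and ties the client to one exact certificate; pinning the public key (SPKI) instead survives a renewal that keeps the same key pair. Either way the pin set needs a backup entry and an update path before it ships.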

3. SOAP and XML

SOAP is a messaging protocol that relies on XML as its underlying data format.

The main problem with SOAP is the size of the stack it drags in. It is built on a complex data layer, XML, and on a pile of related specifications (WS-Security, XML Signature, XML Encryption, DTDs and entities). Taken together, that is a lot of parser and crypto code exposed to attacker-controlled input, with numerous known attack vectors: XML encryption and signature issues, external entity attacks (XXE), and denial of service through entity expansion (Billion Laughs), among others.

Part of the problem is that SOAP tends to stay in production for a long time because numerous systems rely on it, and little to no effort is spent investigating the security implications of such arrangements.

The good news is that server-side vulnerabilities are just as easily spotted in a SOAP endpoint as in any other part of a web app: the payloads are well known, and a scanner or a tester can send them.

So make sure you don’t overlook SOAP when auditing your security. A professional 3rd party can search for vulnerable endpoints throughout your stack and advise on how to patch them. Whatever the endpoint, the XML parser behind it should be configured to refuse DTDs and external entities.

If you’re starting out now, you may also want to consider JSON/REST as an alternative. Over the last few years, this style of API has prevailed over the more complicated SOAP/XML for most scenarios, except perhaps legacy systems and corporate environments. It takes the XML parser problems off the table, though not the authentication and business logic ones below. We chose JSON for our server monitoring app.
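Added example, not part of the original post: a minimal way to accept XML from an untrusted client without exposing the DTD machinery, with constructed XXE and Billion Laughs payloads to show what gets refused. It uses only the standard library expat binding; the payloads, limits and function names are mine. In a real service you would normally reach for defusedxml, which applies the same idea to every XML parser in the standard library.

```python
import xml.parsers.expat as expat


class DangerousXML(ValueError):
    """The document uses XML features an API payload never needs."""


# Constructed payloads for the two attack classes the post names, plus a
# benign request for comparison.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY file SYSTEM "file:///etc/passwd"> ]>
<order><note>&file;</note></order>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

BENIGN = b"""<?xml version="1.0"?>
<order><item sku="A-1">2</item><note>deliver after 5</note></order>"""


def parse_untrusted_xml(data, max_bytes=1 << 20):
    """Parse an XML request body into a flat, post-order list of
    (tag, attributes, text) tuples. Any DOCTYPE aborts the parse, because the
    DTD is the only place external entities and entity bombs can be declared;
    the external-entity handler is a second line of defence, and the size cap
    bounds what the parser will ever be asked to chew on."""
    if len(data) > max_bytes:
        raise DangerousXML("body of %d bytes exceeds %d-byte limit" % (len(data), max_bytes))

    elements, stack = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DangerousXML("DOCTYPE %r declared; DTDs are not accepted" % name)

    def external_entity(context, base, sysid, pubid):
        raise DangerousXML("external entity reference to %r" % sysid)

    def start(tag, attrs):
        stack.append([tag, attrs, []])

    def chars(text):
        if stack:
            stack[-1][2].append(text)

    def end(tag):
        name, attrs, parts = stack.pop()
        elements.append((name, attrs, "".join(parts).strip()))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return elements


def rejection_reason(data):
    """None if the body parses cleanly, otherwise why it was refused."""
    try:
        parse_untrusted_xml(data)
    except DangerousXML as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return "malformed XML: %s" % exc
    return None
```

Refusing the DOCTYPE outright is the cheap, complete fix: an API schema is agreed out of band, so there is no legitimate reason for a client to ship one, and every entity-based attack, XXE and expansion bombs alike, needs one.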

4. Business Logic Flaws

An API exposes a defined set of operations, and data is only supposed to be reached through them, in a very specific manner. That’s the raison d’être of an API: to create structure and boundaries.

Attackers, however, try alternative routes and call sequences to obtain data outside those boundaries. They do this by exploiting business logic flaws in the design of the API: an operation that trusts a client-supplied identifier, a state transition the designers never expected, a check enforced in the client but not on the server. A few noteworthy organizations that have fallen victim to business logic flaw attacks are Facebook, Nokia, and Vimeo.

The best way to prevent such unintended loopholes is to audit your APIs manually; automated scanners don’t know what your application is supposed to allow. A good general practice is to expose the minimum amount of data possible (principle of least privilege) and to authorize every call on the server side, for the specific object requested, rather than assuming the client will only ask for what it should.

When mission-critical information is at stake you may need the help of 3rd party experts who can spot any loopholes. An affordable option is to crowdsource the pentesting of your APIs through companies such as BugCrowd, HackerOne, Synack or Cobalt.

5. Insecure Endpoints

API endpoints are often overlooked from a security standpoint. They live on for a long time after deployment, which makes developers and sysadmins reluctant to tinker with them for fear of breaking the legacy systems that rely on them (think enterprises, banks, etc). Endpoint hardening measures (request hashing, key signing, shared secrets, to name a few) are therefore much easier to incorporate at the early stages of API development than to retrofit later.
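One concrete form of the “shared secrets” and “key signing” hardening the section mentions, as an added example (not Server Density’s own API scheme): HMAC request signing with a timestamp window, so that a captured request cannot be modified or replayed indefinitely. The secret, paths and body are constructed for the demo; the header names are my choice.

```python
import hashlib
import hmac
import time

# Constructed shared secret for the demo; real ones come from a secret store,
# are issued per client, and get rotated.
DEMO_SECRET = b"constructed-shared-secret-do-not-reuse"


def canonical_request(method, path, timestamp, body):
    """What gets signed: method, path, timestamp and a hash of the body, each
    on its own line so one field cannot be shifted into another."""
    return "\n".join([method.upper(), path, str(timestamp),
                      hashlib.sha256(body).hexdigest()]).encode()


def sign_request(secret, method, path, body, now=None):
    """Client side: returns the two headers to send with the request."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(secret, canonical_request(method, path, ts, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(secret, method, path, body, headers, now=None, max_skew=300):
    """Server side: returns (accepted, reason). Rejects missing or malformed
    headers, timestamps outside the replay window, and any signature that
    fails a constant-time comparison. The signature is recomputed from the
    request the server actually received, never parsed from the client."""
    try:
        ts = int(headers["X-Timestamp"])
        sig = headers["X-Signature"]
    except (KeyError, ValueError, TypeError):
        return False, "missing or malformed auth headers"
    current = int(time.time() if now is None else now)
    if abs(current - ts) > max_skew:
        return False, "timestamp outside %d second window" % max_skew
    expected = hmac.new(secret, canonical_request(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"
```

Signing proves who sent the request and that it was not altered; it does not hide anything, so it sits on top of TLS rather than replacing it. Within the skew window a request can still be replayed verbatim; if that matters for an endpoint (anything non-idempotent), add a per-request nonce to the canonical string and have the server remember nonces for the length of the window.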

What’s Next

Our next security dispatch will look at some of the top server security checks you need to be aware of. To make sure you don’t miss a beat, . You should also:

  1. Register for our upcoming security webinar to watch Server Density CEO, David Mytton, discuss SaaS security with a team of experts from Detectify. There will be plenty of war stories, tried and tested practices, and ample time for questions.
  2. Scan your website for vulnerabilities. All you need to do is sign-up for a free 42-day trial with Detectify. Once the scan is complete, you will receive a security report together with findings and recommended solutions to work with.

The post 5 API Security Risks and How to Mitigate them appeared first on Server Density Blog.

by David Mytton at October 08, 2015 01:12 PM

Yellow Bricks

Dell FX2 platform certified for VSAN with storage blades!


A couple of weeks ago the Dell FX2 disk controller was added to the Virtual SAN Compatibility Guide, and shortly after the Ready Node configurations were added. For those who haven’t looked at the Dell FX2 platform, it is (in my opinion) hyper-converged on steroids. Not only can it provide you with 4 compute nodes in 2U, it also packs a 10GbE switch and can hold two storage blades, each with 16 disks in it. What? Yes indeed, that is a lot of horse power in a single system.

I am working with a customer right now who is designing a new cluster configuration leveraging the Dell FX2 platform. In this case they are planning on 16 hosts in total. In their case after assessing their current workloads they are going with the FC430 E5-2670 v3 series with 12 cores (dual processor). Each host will have 256GB of memory and uses SD to boot from.

From a storage perspective they are looking to use the FD332 storage blades. Two per FX2 chassis, fully maxed out with 32 drives in total, which is 8 drives per host. All-flash by the way, leveraging 1.6TB devices for the capacity tier and 400GB devices for the write cache. Yes, that is 38.4TB raw capacity per FX2 chassis, times 4… ~153TB. It is not a coincidence that the configuration is very similar to the “AF-6 Series – Dell FX2 Platform”: they prefer to use a certified and tested solution instead of picking their own components, which makes sense if you ask me.

One of the key reasons for them to go with all-flash is the beta which is coming up. They want to get their hands dirty with functionality like deduplication, checksumming and RAID-5/6 (aka erasure coding) as soon as possible. All 4 chassis will run in one site first for testing purposes, and after the initial tests they are considering deploying them across two sites in a stretched configuration. They asked me what the big benefit of RAID-5 or RAID-6 over the network (aka erasure coding) was, and it definitely is the lower raw capacity requirement. If you look at the current FTT=1 implementation it means that a 20GB disk requires an additional 20GB for availability reasons, which means 40GB in total. With a RAID-5 (3+1) implementation instead of RAID-1, this 20GB disk would only require 26.6GB of disk space, a saving of more than 13GB immediately. And that is before any type of space efficiency (dedupe) is enabled. Anyway, back to the FX2.

So far only all-flash configurations have made it to the VSAN Ready Node list, and of course the components are also listed individually: the disk controller “FD332-PERC” (single and dual ROC), and I’ve seen the 1.8″ flash devices on the list as well. I’m waiting to see what one of these boxes would cost in an all-flash configuration, and hoping to also see a hybrid configuration soon. I’m a fan of the Dell FX2 systems, that is for sure.

"Dell FX2 platform certified for VSAN with storage blades!" originally appeared on Yellow Bricks. Follow me on twitter - @DuncanYB.

by Duncan Epping at October 08, 2015 12:53 PM

Everything Sysadmin

Usenix LISA: Early Bird Pricing ends Oct 15!

This year LISA is in Washington D.C., from Nov 8-13. If you are on the east coast, this is a good opportunity to attend the premier system administration conference.

Register now.

This year's schedule is packed with amazing talks. I'd like to point out...

  • "Go for Sysadmins" from Chris "Mac" McEniry, Sony Network Entertainment
  • "Neighborly Nagios" from David Josephsen, Librato
  • "systemd, the Next-Generation Linux System Manager" from Alison Chaiken, Mentor Graphics
  • "Software Defined Networking: Principles and Practice" from Nick Feamster, Princeton University
  • "How to Not Get Paged: Managing On-call to Reduce Outages" from Thomas A. Limoncelli, Stack Overflow

Register now.

October 08, 2015 05:28 AM

Daniel E. Markle

2015 Honda Rebel Rally

From Motorcycle Adventures
The annual Lake Hope Rebel Rally was held September 11-13, 2015. To ensure I would be there early, I planned to head out September 10. Unfortunately, storms in my area made that idea unpalatable; although I often ride in rain, I don't find hours riding in thunderstorms to be inside my acceptable risk profile.

Fortunately it cleared up on Friday the 11th, so I headed out at my usual time. It was a gorgeous ride out with clear skies and nice weather; until I got within a few hours of Lake Hope. As I approached it became clear storms and rain were prevalent over the park; a particular issue for someone planning on setting up a tent, compounded by the fact that it would be both raining and dark when I arrived. I contemplated the idea of camping to the east where it wasn't raining, but the forecast made it clear that wouldn't help as it would be raining Saturday. So for the first time on one of these trips, I stayed in a hotel in Parkersburg, WV.

It was still raining in the morning, but with daylight to ride in, I proceeded to Lake Hope. When I arrived I didn't find any Rebels; it turns out I missed the pack leaving by 50 minutes. After enjoying a fine meal at the lodge and generally puttering around the park for a few hours, the rain finally relented, so I headed to my campsite to set up. Afterwards, I went for a ride to Ash Cave, a few trips on the Zaleski roller coaster, and a few of the other wonderful motorcycle roads around the park.

By then evening had arrived and the party had returned to the cabin area and got a campfire going, so I joined in. Although the party was small (the rain had scared off most of the riders, it seems), there was plenty of fun conversation and Guba's famous chili to enjoy.

Sunday we enjoyed Lake Hope Lodge's breakfast buffet, which includes their delicious brisket. Afterwards, I hung around the park and explored the campground and some trails around it. Guba stopped by with a large pile of firewood, and B.O.B. the bear. After dark, DNC stopped in and we enjoyed a fine campfire on a glorious clear night full of stars; a fun change from years past, where I'm usually the only one still there.

B.O.B. the bear (shown in the picture) has been riding around the country on Rebels for 10 years. Apparently I was the only one at the Rally who hadn't ridden with him yet, so he accompanied me on the ride home. Now to plan some trips with B.O.B. before I hand him off to the next Rebel rider . . .

by (Daniel E. Markle) at October 08, 2015 01:21 AM

October 07, 2015

Ubuntu Geek


Nintendo Fans: The Greatest Screensaver Ever

If you’re even a slight fan of Nintendo games, this is hands down the coolest screensaver, ever. You can play games from within the screensaver itself. It’s free, it works in both Windows and OS X, and it will drastically lower your productivity :)

Nintendo screen saver

This guide will take you each and every step of the way through installing and setting up this amazing screensaver. It works in Windows Vista, 7, 8 and 10. It works in OS X “El Capitan” (10.11) – though I’m not totally clear on how far back it works. Unless you’re using a shockingly old Mac, it should work just fine. Special note for Mac Users: you can also check out our Best Of: Mac Screen Savers 2015 Edition for some other pretty cool screen savers, though none top this one :)

The steps and screenshots in this guide are specific to Windows 10 but are nearly identical for previous versions. Mac users should be able to follow along, and we’ll include as many ‘tips’ for you along the way. Let’s get started!

  1. Head over to the UberNES download page and download the .zip file specific to your Operating System. Once the download has completed, unzip the file.
  2. Copy or move the Nintendo Saver.scr file to your (C:) > Windows > System32 directory. If you’re using an older version of Windows that doesn’t have a System32 folder, copy it to your (C:) > Windows > System directory instead. Note that a .scr file is an ordinary Windows executable that runs with your privileges, so only use the one from the UberNES download page.

    Mac Users: Unzip the file and double-click Nintendo Saver.saver to install the screensaver.

  3. Open up your Control Panel and select Appearance and Customization.

    Mac Users: Open your System Preferences and then select Desktop & Screen Saver.

  4. From the Personalization section, select Change screen saver.
  5. Click/tap the Screen saver menu and choose Nintendo Saver 2015.
  6. Once Nintendo Saver 2015 has been selected, click/tap the Settings… button.

    Mac Users: Select Nintendo Saver and then the Screen Saver Options… button.

  7. From the General tab, click the button in the Movie folder: column.
  8. Now select a folder to store all of the files the screensaver needs in order to function. If you already have a folder where you keep your Nintendo game .rom files, use that one. If you don’t know what a .rom file is, don’t worry, we’ll get to that later. For now, just select or create a folder for the files.
  9. Click the Download… button in the Movie folder: column.
  10. The Online Movie Gallery window will open. Click the Download all movies button. Note: don’t be deterred or worried about disk space, the files are very small.
  11. When prompted, select the folder you created back in step #8, and click OK.
  12. All of the Nintendo ‘movie’ files will begin to download.
  13. Once completed, click the Close button.
  14. Now it’s time to download some .ROM files, the actual games themselves, as they are not included in the screen saver. Head over to FreeROMs and hunt down your favorite Nintendo games. You’ll probably have to endure a lot of ‘clicking around’, but the games are there. Each game (.rom file) will be zipped, so unzip the .rom file and move/copy it to the directory with all of your other Nintendo screen saver files.
  15. Once you’ve downloaded, unzipped and copied enough games, click the Create… button in the Game List: column. Note: you can always add more .rom/game files later. All you have to do is repeat this and the next 3 steps.
  16. Yet again you’ll be prompted to select a folder. Use the same one.
  17. When you’re prompted to name and save the “Game List” file, give it a name (it doesn’t matter what) and then click the Save button.
  18. Click OK after your Game List has been successfully created.
  19. Almost at the fun part! Click OK to close the Nintendo Saver 2015 Settings. Note: after you’ve tested everything to confirm it’s working, you’ll want to return to these Settings and customize them to your liking.
  20. The moment of truth: click Preview.
  21. A “wall of games” will be displayed. Now the fun begins. Each video represents a game you have installed. As those videos play, you can use your keyboard to interact with them. Use the Up, Down, Left and Right arrow keys to move the red cursor from game to game.

    To “jump into” any of the games, hit the F3 key on your keyboard (Mac Users: use the 3 key).

  22. As soon as you jump in, you actually begin where the movie left off. If you want to go back to the beginning of the game, hit the F1 key (Mac Users: hit the 1 key). To control the game, your keyboard is mapped to the Nintendo controller buttons. The Up, Down, Left and Right arrows correspond to the controller’s D-pad. The A and S keys represent the B and A buttons on the controller. The Enter key represents the Start button, and the Right Shift key (the shift key on the right side of your keyboard) represents the Select button. NOTE: if you move your mouse/cursor or press any other key, the screen saver turns off and you’re back at your desktop.
  23. Before you go back and look at the other Settings you can change, you may want to change the default time before your screen saver kicks in.
  24. Have fun! Thanks to this screen saver, I put off writing this overview for 2 days, so be warned :)

by Ross McKillop at October 07, 2015 09:46 AM

October 06, 2015

Everything Sysadmin

Beyond Blame: Learning From Failure and Success

You're gonna want this book. Pre-order it now.

(Pre-orders are paper right now; it should be available on Kindle soon. Official release date is Oct 25)

This is the best book I've ever read about Postmortems and creating a Blameless operations culture.


October 06, 2015 09:28 PM

Trouble with tribbles

Software directions in Tribblix

Tribblix has been developing in a number of different directions. I've been working on trimming the live image, and strengthening the foundations.

Beyond this, there is a continual stream of updated packages. Generally, if I package it, I'll try and keep it up to date. (If it's downrev, it's usually for a reason.)

In the meantime I've found time for experiments in booting Tribblix in very little memory, and creating a pure illumos bootable system.

But I thought it worthwhile to highlight some of the individual packages that have gone into Tribblix recently.

The big one was adding LibreOffice, of course. Needless to say, this was a modest amount of work. (Not necessarily all that hard, but it's a big build, and the edit-compile-debug cycle is fairly long, so it took a while.) I need to go back and update LibreOffice to a more current version, but the version I now have meets all of my needs so I can invest time and energy elsewhere.

On the desktop, I added MATE, and incorporated SLiM as a login manager. Tribblix has a lot of desktop environments and window managers available, although Xfce is still the primary and best supported option. I finally added the base GTK engines and icon themes, which got rid of a lot of errors.

In terms of tools, there's now Dia, Scribus, and Inkscape.

Tribblix has always had a retro streak. I've added gopher, gophervr, and the old Mosaic browser. There are other old X11 tools that some of you may remember - xcoral, xsnow, xsol, xshisen. If only I could get xfishtank working again.

I've been keeping up with Node.js releases, of course. But the new kid on the block is Go, and that's included in Tribblix. Current versions work very well, and now we've got past the cgo problems, there's a whole raft of modern software written in Go that's now available to us. The next one up is probably Rust.

by Peter Tribble at October 06, 2015 09:27 PM

Fun with SPARC emulators

While illumos supports both SPARC and x86 platforms, it would be a fair assessment that the SPARC support is a poor relation.

There are illumos distributions that run on SPARC - OpenSXCE has for a while, Tribblix and DilOS also have SPARC images available and both are actively maintained. The mainstream distributions are x86-only.

A large part of the lack of SPARC support is quite simple - the number of users with SPARC hardware is small; the number of developers with SPARC hardware is even smaller. And you can see that the SPARC support is largely in the hands of the hobbyist part of the community. (Which is to be expected - the commercial members of the community are obviously not going to spend money on supporting hardware they neither have nor use.)

Absent physical hardware, are there any alternatives?

Perhaps the most obvious candidate is qemu. However, the sparc64 implementation is fairly immature. In other words, it doesn't work. Tribblix will start to boot, and does get a little way into the kernel before qemu crashes. I think it's generally agreed that qemu isn't there yet.

The next thing I tried is legion, which is the T1/T2 simulator from the opensparc project. Having built this, attempting to boot an iso image immediately fails with:

FATAL: virtual_disk not supported on this platform

which makes it rather useless. (I haven't investigated to see if support can be enabled, but the build system explicitly disables it.) Legion hasn't been updated in a while, and I can't see that changing.

Then I came across the M5 simulator. This supports a number of systems, not just SPARC. It's an active project, and claims to be able to emulate a full SPARC system. I can build it easily enough; running it needs the OpenSPARC binary download from the legion project (note: you need the T1 download, version 1.5, not the newer T2 version). The instructions here appear to be valid.

With M5, I can try booting Tribblix for SPARC. And it actually gets a lot further than I expected! Just not far enough:

cpu Probing I/O buses

Sun Fire T2000, No Keyboard
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.20.0, 256 MB memory available, Serial #1122867.
[mo23723 obp4.20.0 #0]
Ethernet address 0:80:3:de:ad:3, Host ID: 80112233.

ok boot
Boot device: vdisk  File and args:
Loading: /platform/sun4v/boot_archive
ramdisk-root ufs-file-system
Loading: /platform/sun4v/kernel/sparcv9/unix
panic[cpu0]/thread=180e000: lgrp_traverse: No memory blocks found

Still, that's illumos bailing, there aren't any errors from M5.

Overall, I think that M5 shows some promise as a SPARC emulator for illumos.

by Peter Tribble at October 06, 2015 09:27 PM


El Capitan Leads to More DNS Woes

For whatever reason, Apple really likes messing with how I use DNS.

I've written many, many, many times about having to modify OS X's DNS functionality to append search domains when a hostname includes a dot. Every single time I upgrade, this change is broken.

Previously, the workaround had been to add <string>-AlwaysAppendSearchDomains</string> to the list of program arguments in Today I learned that isn't so simple in OS X 10.11 (El Capitan):

Ullr:~ slap$ ls -lO /System/Library/LaunchDaemons/
-rw-r--r--  1 root  wheel  restricted,compressed 1028 Aug 22 23:40 /System/Library/LaunchDaemons/

Apparently, El Capitan includes a feature called System Integrity Protection (SIP) that prevents crucial system directories from being modified, even as root. In the output above, that's indicated by the "restricted" flag. As of this writing, my research indicates the only way to edit that file is to reboot, disable SIP, make the change, reboot, and re-enable SIP. You can find the procedure outlined on Stack Overflow, but I'll re-print it here for ease of use.

  1. Reboot.
  2. Press Cmd+R to enter Recovery mode.
  3. Open Utilities->Terminal.
  4. Run the command csrutil disable.
  5. Reboot. You are back in OS X with SIP disabled.
  6. Make your changes.
  7. Reboot.
  8. Press Cmd+R to enter Recovery mode.
  9. Open Utilities->Terminal.
  10. Run the command csrutil enable.
  11. Reboot.

See? No big deal. /sarcasm

The NEW workaround for El Capitan, which leaves SIP enabled and the protected plist untouched, is to make the change in the daemon's defaults file instead (see link above):

 Ullr:~ slap$ sudo launchctl unload /System/Library/LaunchDaemons/
Ullr:~ slap$ sudo defaults write /Library/Preferences/ AlwaysAppendSearchDomains -bool YES
Ullr:~ slap$ sudo launchctl load /System/Library/LaunchDaemons/

This has done the trick. Hopefully it will survive a reboot and the next upgrade!

by Scott Hebert at October 06, 2015 08:03 PM

Google Webmasters

An update on how we tackle hacked spam

Recently we have started rolling out a series of algorithmic changes that aim to tackle hacked spam in our search results. A large number of legitimate sites are hacked by spammers and used for abusive behavior, such as malware download, promotion of traffic to low quality sites, porn, and marketing of counterfeit goods or illegal pharmaceutical drugs.

Website owners that don’t implement standard best practices for security can leave their websites vulnerable to being easily hacked. This can include government sites, universities, small business, company websites, restaurants, hobby organizations, conferences, etc. Spammers and cyber-criminals purposely seek out those sites and inject pages with malicious content in an attempt to gain rank and traffic in search engines.

We are aggressively targeting hacked spam in order to protect users and webmasters.

The algorithmic changes will eventually impact roughly 5% of queries, depending on the language. As we roll out the new algorithms, users might notice that for certain queries only the most relevant results are shown, reducing the number of results returned.

This is due to the large amount of hacked spam being removed, and should improve in the near future. We are continuing to tune our systems to weed out the bad content while retaining the organic, legitimate results. If you have any questions about these changes, or want to give us feedback on these algorithms, feel free to drop by our Webmaster Help Forums.

by Google Webmaster Central at October 06, 2015 12:32 AM

October 05, 2015


For the PLA, Cyber War is the Battle of Triangle Hill

In June 2011 I wrote a blog post with the ever polite title China's View Is More Important Than Yours. I was frustrated with the Western-centric, inward-focused view of many commentators, which put themselves at the center of debates over digital conflict, neglecting the possibility that other parties could perceive the situation differently. I remain concerned that while Western thinkers debate war using Western, especially Clausewitzian, models, Eastern adversaries, including hybrid Eastern-Western cultures, perceive war in their own terms.

I wrote in June 2011:

The Chinese military sees Western culture, particularly American culture, as an assault on China, saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries...

Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the US is conducting psychological warfare operations against socialism and consider culture as a "frontier" that has extended beyond American shores into the Chinese mainland.

The Chinese therefore consider control of information to be paramount, since they do not trust their population to "correctly" interpret American messaging (hence the "Great Firewall of China"). In this sense, China may consider the US as the aggressor in an ongoing cyberwar.

Today, thanks to a Tweet by Jennifer McArdle, I noticed a May 2015 story featuring a translation of a People's Daily article. The English translation is posted as Cybersovereignty Symbolizes National Sovereignty.

I recommend reading the whole article, but the following captures the spirit of the message:

Western hostile forces and a small number of “ideological traitors” in our country use the network, and relying on computers, mobile phones and other such information terminals, maliciously attack our Party, blacken the leaders who founded the New China, vilify our heroes, and arouse mistaken thinking trends of historical nihilism, with the ultimate goal of using “universal values” to mislead us, using “constitutional democracy” to throw us into turmoil, use “colour revolutions” to overthrow us, use negative public opinion and rumours to oppose us, and use “de-partification and depoliticization of the military” to upset us.

This article demonstrates that, four years after my first post, there are still elements, at least in the PLA, who believe that China is fighting a cyber war, and that the US started it.

I thought the last line from the PLA Daily article was especially revealing:

Only if we act as we did at the time of the Battle of Triangle Hill, are riveted to the most forward position of the battlefield and the fight in this ideological struggle, are online “seed machines and propaganda teams”, and arouse hundreds and thousands in the “Red Army”, will we be able to be good shock troops and fresh troops in the construction of the “Online Great Wall”, and will we be able to endure and vanquish in this protracted, smokeless war.

The Battle of Triangle Hill was an engagement during the Korean War, with Chinese forces fighting American, South Korean, Ethiopian, and Colombian forces. Both sides suffered heavy losses over a protracted engagement, although the Chinese appear to have lost more and viewed their attrition strategy as worthwhile. It's ominous that this PLA editorial writer decided to cite a battle between US and Chinese forces to communicate his point about online conflict, but it should make it easier for American readers to grasp the seriousness of the issue in Chinese minds.

by Richard Bejtlich at October 05, 2015 10:16 AM

October 04, 2015

Ubuntu Geek

Ferry Boender

Interesting links: October 4th 2015

Here's a bunch of links I found interesting in the last few weeks:

by admin at October 04, 2015 09:27 AM

Batch create new users on Linux

A while ago I had to create many new users on a Linux machine. Since I'm lazy, I opted to automate this process. The newusers command combined with pwgen (to generate new passwords) was the solution.

First I installed pwgen, a utility to automatically generate passwords:

$ sudo apt-get install pwgen

Next I created a file containing the new user names to create:

$ cat newusers.txt

A simple shell one-liner generates a new file from this in the right format for the newusers tool:

$ for USER in $(cat newusers.txt); do
  echo "$USER:$(pwgen 12 -n1)::::/home/$USER:/bin/bash" >> newusers.created.txt;
  done

Finally, we create the new users:

$ sudo newusers newusers.created.txt

The newusers.created.txt file was handed over to the person in charge of notifying the users about their new account.
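The same pwgen + newusers(8) workflow as a small script, an added example that is not code from the post. It assumes the newusers.txt and newusers.created.txt file names used above; the helper names gen_password, make_newusers_line and build_newusers_file are chosen here.

```shell
#!/bin/sh
# Added example, not code from the post: the pwgen + newusers(8) workflow
# as a script. Assumptions: input is newusers.txt (one user name per line)
# and output is newusers.created.txt, as in the post; the function names
# gen_password, make_newusers_line and build_newusers_file are chosen here.

# Print one random 12-character password. Uses pwgen as the post does when
# it is installed, otherwise falls back to /dev/urandom so the script runs.
gen_password() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen 12 -n1
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12
        echo
    fi
}

# Emit one newusers(8) record: name:passwd:uid:gid:gecos:home:shell.
# Empty uid and gid let newusers allocate them (empty gid = a new group
# named after the user). The name must match a conservative login-name
# pattern so a stray input line cannot smuggle extra colon-separated fields
# into the record.
make_newusers_line() {
    case $1 in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    printf '%s:%s::::/home/%s:/bin/bash\n' "$1" "$2" "$1"
}

# Read names from $1, write records to $2. The output holds clear-text
# passwords, so it is created with mode 0600 (umask 077); names that already
# exist are skipped because newusers(8) would otherwise reset their passwords.
build_newusers_file() {
    umask 077
    : > "$2"
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        if getent passwd "$name" >/dev/null 2>&1; then
            echo "skip: $name already exists" >&2
            continue
        fi
        make_newusers_line "$name" "$(gen_password)" >> "$2" \
            || echo "skip: invalid user name '$name'" >&2
    done < "$1"
}

# Usage, as in the post (the last step needs root):
#   build_newusers_file newusers.txt newusers.created.txt
#   sudo newusers newusers.created.txt
```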

by admin at October 04, 2015 09:02 AM

Auto-mount external USB disk on a server

Although modern Linux desktops generally mount external USB disks automatically when they are plugged in, servers usually don't do this. When I replaced my desktop-model home server with a Raspberry Pi 2 (running Raspbian), I wanted it to automatically mount USB drives and, more importantly, make the same USB drive available at the same path at all times.

Enter usbmount

The USBmount Debian package automatically mounts USB mass storage devices (typically USB pens) when they are plugged in, and unmounts them when they are removed. The mountpoints (/media/usb[0-7] by default), filesystem types to consider, and mount options are configurable. When multiple devices are plugged in, the first available mountpoint is automatically selected. If the device provides a model name, a symlink /var/run/usbmount/MODELNAME pointing to the mountpoint is automatically created.

Just what I needed.

root@rasp# sudo apt-get install usbmount
# Plug in USB drive
root@rasp# ls -la /var/run/usbmount/
total 0
lrwxrwxrwx 1 root root 11 Oct  4 10:30 Seagate_Expansion_1 -> /media/usb0
lrwxrwxrwx 1 root root 11 Oct  4 10:30 ST4000DM_000-1F2168_1 -> /media/usb1

Great. Now I wanted the "Seagate_Expansion_1" disk to always become available at /storage. I could have created a symlink from /storage to /var/run/usbmount/Seagate_Expansion_1, but I ran into a problem with SSHfs when trying to mount a server-side symlink on my client machine:

user@client$ sshfs -o transform_symlinks -o follow_symlinks Shares/timmy-storage/ Not a directory

So a symlink was out of the question. The --bind option of mount, however, worked just fine:

# On the server
root@rasp# rm /storage
root@rasp# mkdir /storage
root@rasp# mount --bind /var/run/usbmount/Seagate_Expansion_1 /storage

# On the client
user@client$ sshfs Shares/timmy-storage/
user@client$ ls -l Shares/timmy-storage
total 72
drwxr-xr-x 1 1002 1003 4096 Sep 17 13:58 apps
drwxr-xr-x 1 root root 4096 Aug 24 09:15 backup

So I modified /etc/usbmount/mount.d/00_create_model_symlink and added the following code:

if [ "$name" = "Seagate_Expansion_1" ]; then
    mount --bind "/var/run/usbmount/$name" /storage
fi

This is not a very clean solution, but it serves its purpose just fine. A nicer implementation would create a new file "01_mount_bind" which reads a config file to determine which model names to mount --bind where. That implementation is left as a reader exercise ;-)

With this setup the /storage path will automatically become available at boot-time or when the correct USB drive is plugged in. I can use SSHfs to mount the remote /storage on my Linux machine. Samba takes care of the Windows users.
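The "01_mount_bind" hook the post leaves as an exercise, as an added example that is neither the post's nor the usbmount package's own code. It assumes a config file /etc/usbmount/bind.conf (name chosen here) of "MODELNAME TARGET" lines, and that usbmount runs the mount.d hooks in order with UM_MOUNTPOINT set, so 00_create_model_symlink has already created the model link by the time this one runs.

```shell
#!/bin/sh
# Added example, not code from the post or the usbmount package: a version of
# the "01_mount_bind" hook the post leaves as an exercise. Assumed to live in
# /etc/usbmount/mount.d/, where usbmount runs it after 00_create_model_symlink
# with UM_MOUNTPOINT set to the new mountpoint. The config file name
# (/etc/usbmount/bind.conf, "MODELNAME TARGET" per line) is chosen here.

CONF=${USBMOUNT_BIND_CONF:-/etc/usbmount/bind.conf}
LINKDIR=${USBMOUNT_LINKDIR:-/var/run/usbmount}

# model_link_for LINKDIR MOUNTPOINT: print the model symlink name (for example
# Seagate_Expansion_1) that 00_create_model_symlink pointed at MOUNTPOINT.
# Resolving the link rather than re-deriving the name keeps this independent
# of how usbmount builds it. Returns 1 when no link matches.
model_link_for() {
    for _link in "$1"/*; do
        [ -L "$_link" ] || continue
        if [ "$(readlink "$_link")" = "$2" ]; then
            basename "$_link"
            return 0
        fi
    done
    return 1
}

# bind_target MODELNAME CONF: print the configured target for MODELNAME, or
# return 1. Blank lines and '#' comments are skipped, and only absolute
# targets are accepted so a malformed line cannot bind onto a relative path.
bind_target() {
    [ -r "$2" ] || return 1
    while read -r _model _target _rest; do
        case $_model in ''|'#'*) continue ;; esac
        [ "$_model" = "$1" ] || continue
        case $_target in
            /*) printf '%s\n' "$_target"; return 0 ;;
            *)  return 1 ;;
        esac
    done < "$2"
    return 1
}

# Hook body: runs only under usbmount (UM_MOUNTPOINT set). A target that is
# already a mount point is skipped so a re-plugged disk does not stack mounts.
if [ -n "$UM_MOUNTPOINT" ]; then
    _name=$(model_link_for "$LINKDIR" "$UM_MOUNTPOINT") || exit 0
    _target=$(bind_target "$_name" "$CONF") || exit 0
    mkdir -p "$_target"
    mountpoint -q "$_target" || mount --bind "$UM_MOUNTPOINT" "$_target"
fi
```

With a line such as `Seagate_Expansion_1 /storage` in bind.conf this replaces the hard-coded test in 00_create_model_symlink; the hook must be executable for run-parts to pick it up.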

by admin at October 04, 2015 08:50 AM

October 03, 2015


Personal Info Stolen? Seven Response Steps

Yesterday on Bloomberg West, host Emily Chang reported on a breach that affected her personally identifiable information (PII). She asked what she should do now that she is a victim of data theft. This is my answer.

First, I recommend changing passwords for any accounts associated with the breached entities.

Second, if you used the same passwords from the breached entities at unrelated sites, change passwords at those other sites.

Third, if any of those entities offer two-factor authentication, enable it. This likely involves getting a code via text message or using an app that generates codes.

Fourth, read Brian Krebs' post How I Learned to Stop Worrying and Embrace the Security Freeze. It's a personal decision to go all the way and enable a security freeze. I recommend that everyone who has been a PII or credit data theft victim, at the minimum, enable a "fraud alert." Why? It's free, and you can sign up online with one credit bureau and the others will enable it as well. The downside is that it expires 90 days later, unless you re-enable it. So, set a reminder in your calendar app to renew before the 90 days expire.

Fifth, create a schedule to periodically check your credit reports. Theft victims usually get credit monitoring for free, but everyone should take advantage of, the FTC-authorized place to order credit reports, once per year, for free. For example, get one bureau's report in January, a second in May, the third in September, and repeat with the first the next January.

Sixth, visit your credit, investing, and bank Web sites, and enable every kind of monitoring and alerting you can handle. I like to know about every purchase, withdrawal, deposit, etc. via email. Also keep a close eye on your statements for odd purchases.

Last, secure your email. Email is the key to your online existence. Use a provider that takes security seriously and provides two-factor authentication.

Good luck!

by Richard Bejtlich at October 03, 2015 11:27 AM

Administered by Joe. Content copyright by their respective authors.