You can get the packages by running the following commands in a terminal:

$ sudo add-apt-repository \
    'http://blog.blackdown.de/static/debian/rhythmbox/ main'
$ wget https://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install rhythmbox rhythmbox-plugins lastfm

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also note that my plug-in requires the lastfm client to work correctly.

If you are using Ubuntu Unity and you are missing the last.fm client’s systray icon, then take a look at Whitelisting the Last.fm Tray Icon in Ubuntu Unity.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

Many UNIX and Linux systems actually have cron jobs that check for world-writable files. On Apple’s OS X there is no such safeguard and many vendors do not seem to care about file permissions much at all. Several well-known applications are either installed with world-writable files or create them when used:

World-writable files in system directories

The following applications install world-writable files in shared directories (/Applications, /Library, …):

• Adobe CS 4, CS 5: Some uninstallers + several files and directories in /Library/Application Support + various stuff in other locations
• Adobe Media Player: directory + some files in Contents/Resources
• Adobe Flash Player: directories (including AddIns und AddIns/airappinstaller)
• Amazon MP3 Downloader: some directories
• EPSON (Scan, TWAIN data source, Easy Photo Print, …): pretty much everything, including executables
• Eye-One Match 3: complete app, including executable
• eMusic Download Manager: complete app, including executable and JavaScript (the application is based on Mozilla)
• Telltale games: complete apps including executable and libraries
• Apple OS X: some plist and cache files, including at least one LaunchDaemon plist file
• Google+Growl Utility (not a Google product): whole app including executable
• HP Scan Pro (plus supporting files): everything including executables
• DivX Converter: resource files
• Apple Remote Desktop: some plist files
• Apple GarageBand: several plist and data files
• Apple ColorSync: some profiles
• Microsoft Office 2011: directory in /Library Application Support
• Elgato EyeTV: several plist files
• ABBYY FineReader Sprint 8.0: several data files
• ArcSoft (Connect Suite, MediaImpression 2): all files, including executables
• Extensis Suitcase Fusion 2: all files, including executables

World-writable files in user directories

The following applications install world-writable files in user directories (/Users/$USER):

• GoogleGrowl.plugin: whole plugin including executable
• 3rd-party extensions for Apple Safari: some extensions (e.g. AdBlock) install world-writable files
• Apple iPhoto: the whole library seems to be world-writable
• Adium add-ons: several add-ons install world-writable files
• eMusic Download Manager:some preferences files are world-writable
• Adobe (CS 4, CS5, Flash, …): several preferences files
• Apple MobileDevice: crash logs are world-writable

The lists have been compiled by inspecting my own systems and those of several friends by running

sudo sh -c \
  "find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print0 | \
   xargs -0 ls -dl 2>&1 | \
   tee world-writable-files.txt"

and analyzing the output.

Note that running Disk Utility‘s “Repair Disk Permissions” does not have any influence on the issues described here.

Most OS X installations are probably single-user systems in reality but the situation is still somewhat ugly.

You can get the packages by running the following commands in a terminal:

$ sudo add-apt-repository \
    'http://blog.blackdown.de/static/debian/rhythmbox/ main'
$ wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -
$ sudo aptitude update
$ sudo aptitude install rhythmbox rhythmbox-plugins lastfm

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also note that my plug-in requires the lastfm client to work correctly.

If you are using Ubuntu Unity and you are missing the last.fm client’s systray icon, then take a look at Whitelisting the Last.fm Tray Icon in Ubuntu Unity.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

Run the following command in a terminal:

$ gsettings set com.canonical.Unity.Panel systray-whitelist \
    "$(gsettings get com.canonical.Unity.Panel systray-whitelist | \
       sed -e "s:\[:\['Last.fm' ,:")"

After logging out and back in, the last.fm client will show up in the systray again.

Facebook’s FAQs (1, 2) have not been updated accordingly yet.

Firefox’s built-in search capabilities still use the unencrypted search, though. To remedy this I built an OpenSearch plug-in which makes Firefox use the HTTPS-based search:

Install Google Secure Search Plug-In

(Read more about Google’s SSL Search here)

||facebook.com$third-party
||facebook.net$domain=~facebook.com,third-party
||fbcdn.com$domain=~facebook.com,third-party
||fbcdn.net$domain=~facebook.com,third-party

Instead of adding the rules manually, you can subscribe to this Adblock Plus filter subscription: Facebook Connect Opt-Out.

That happened a few days later when I tried to use Apple’s Back to My Mac — it just didn’t work. After some network tracing I found out that the Apple machine sent DNS SOA requests but never got a reply back. It turned out that all SOA request got blocked somewhere. Sending requests to my own name server (host -t soa blackdown.de ns.blackdown.de) and tracing DNS there showed that no packet ever arrived.

I put the Speedport back into router-mode at this point and, who would have guessed it, SOA requests worked fine again.

After fruitless discussions with Deutsche Telekom support (it was impossible to find anyone who even remotely understood what I was talking about) and sending a bug report to AVM (the 701V actually is a FRITZ!Box) which never got an answer, I finally solved the problem by putting a Freetz firmware on the Speedport. This firmware had an option to disable the PPPoE-Filter. After disabling the filter the device worked flawlessly in modem-mode.

Now, a few days ago, I switched to VDSL and got a new router: a Speedport W920V.
First thing I did was to put it into modem-mode. And there it was again, the DNS SOA problem!

Knowing what the problem was, I found a simpler fix this time:

1. Download the configuration from the device
2. Manually change dnsfilter_for_active_directory = yes; to dnsfilter_for_active_directory = no; in the pppoefw section
3. Manually change ipnetbiosfilter = yes; to ipnetbiosfilter = no; in the pppoefw section
4. Insert a NoChecks=yes line after the Country=… line in the header to make the device accept the modified file although its checksum is wrong now
5. Upload the modified configuration to the device

(If you have a local NTP server, you also might want to add it to the server_list in the ntpclient section while editing the configuration of the Speedport.)

You can get the package by adding

deb http://blog.blackdown.de/static/debian/rhythmbox/ karmic main
deb-src http://blog.blackdown.de/static/debian/rhythmbox/ karmic main

to /etc/apt/sources.list.
After adding those lines, do:

$ sudo aptitude update
$ sudo aptitude install rhythmbox

The repositories are signed with my GPG key which can be imported into your apt keyring with

$ wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also please note that my plug-in requires the lastfm client to work correctly.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

• Apple killed the third mouse button! I am conditioned to open tabs in browsers with the a middle click, so this is quite some problem for me. (I still hoped for an Open-in-a-New-Tab gesture for Apple’s touch pads but I guess it is unlikely now.)
• You have to press down the entire mouse to generate a click. Not really new but on this mouse I instinctively try to use Tap-to-Click like on a touch pad. It just does not work that way. Bummer.
• Right click still requires you to lift your left finger like with the Mighty Mouse. This requires some time to get used to and also means that it is impossible to press both “buttons” at the same time.
• Scrolling with one finger works fine but touch pad conditioning kicks in again here: I tend to try scrolling with two fingers.
• There are no gestures for Exposé and Spaces. Would have been nice.

And it is flat. Almost too flat for my hands.
My conclusion is that Apple can always come up with interesting mouse concepts but still fails at actually building usable mice.

More on Flickr and Polanoid.

You can get the package by adding

deb http://blog.blackdown.de/static/debian/rhythmbox/ jaunty main
deb-src http://blog.blackdown.de/static/debian/rhythmbox/ jaunty main

to /etc/apt/sources.list.
After adding those lines, do:

$ sudo aptitude update
$ sudo aptitude install rhythmbox

The repositories are signed with my GPG key which can be imported into your apt keyring with

$ wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also please note that my plug-in requires the lastfm client to work correctly.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

The plug-in, called Contact Album, stores all the icons that your contacts use over time and comes with a viewer for the icons.

click for larger view

After installation of the plug-in, the album will slowly fill with icons as your contacts change them. You can open the album viewer with the Contact Album entry in Adium’s Window menu and with the View Album entry in the context menu for contacts.
Currently the plug-in comes with English, Dutch, Finnish, French, German, Portuguese, and Swedish localizations. Further translations are welcome.

Install the plug-in: Contact Album
Please note that the plug-in requires Adium 1.3 or newer and Mac OS X 10.5 Leopard.

Get the source code. It’s available under the GNU General Public License, version 2.

Ubuntu Hardy user can get the package by adding

deb http://blog.blackdown.de/static/debian/rhythmbox/ hardy main
deb-src http://blog.blackdown.de/static/debian/rhythmbox/ hardy main

to /etc/apt/sources.list. Ubuntu Intrepid users should use

deb http://blog.blackdown.de/static/debian/rhythmbox/ intrepid main
deb-src http://blog.blackdown.de/static/debian/rhythmbox/ intrepid main

instead.
After adding those lines, you can install the package with:

$ aptitude update
$ aptitude install rhythmbox

The repositories are signed with my GPG key which can be imported into your apt keyring with

$ wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -

Please remember to disable the old Last.fm plug-in before enabling mine (New Style Last.fm Scrobbler). Also please note that my plug-in requires the lastfm client to work correctly.

Read more about the plugin and get the source code at Last.fm for Rhythmbox – New Style.

• 040-decorator.patch
  This patch implements metacity-like raising and lowering of windows by pressing the left or middle mouse button on a window’s decoration. Useful if you don’t use raise-on-click or auto-raise.
  References: Ubuntu bug, OpenCompositing bug
• 041-shadow_offset.patch
  This patches makes the shadow x/y offset settings work, they had no effect up to now. The patch also pushes the upper limit for the shadow radius to 48.0 because that is what the decorator can handle.
  References: Ubuntu bug, OpenCompositing bug
• 042-smart_placement.patch
  This patch fixes the client size calculation for smart window placement. Without this fix smart placement insists on keeping about 17 pixels of free space on the right viewport edge.
  References: Ubuntu bug, OpenCompositing bug

All patches are for Ubuntu’s current compiz packages for Hardy Heron.

As for my original plan, I will post the Compiz article on the weekend!

I still don’t understand why it is so problematic to get a US keyboard from Apple as a German customer. Anyway, I am happy now!

I want one with a US keyboard!

Unfortunately Apple seems to be unable to provide US keyboards to European customers : (

The German webstore offers an International-English keyboard but that is different from US style keyboards: narrow Return key, additional key between left Shift and Z.

Several phone calls and emails didn’t help: No US keyboards for German users!

I never had this problem with other notebook manufacturers like Dell, Toshiba, and IBM. It can’t be that hard to put a different keyboard on that thingie when assembling it.

June 14th, 2007: Also read the follow-up to this post: Apple Praise : )

You can get it by adding

deb http://blog.blackdown.de/static/debian/rhythmbox/ feisty main
deb-src http://blog.blackdown.de/static/debian/rhythmbox/ feisty main

to /etc/apt/sources.list. If you are using Ubuntu Gutsy, just replace feisty with gutsy in these two lines.
Then upgrade/install rhythmbox:

$ aptitude update
$ aptitude install rhythmbox

The repository is signed with my GPG key. The key can be imported into your apt keyring with

$ wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -

If you are going to use the Last.fm integration of Rhythmbox, make sure you only enable one of the two plug-ins! If you want to use the new-style plug-in, you need the lastfm client. The latest beta package for Ubuntu is available on the Last.fm beta forum.

• Start the last.fm client in the system tray
• Try to start last.fm (beta client) before lastfm (stable client)
• Reduce bogus RESUME/PAUSE commands
• Miscellaneous small bug fixes

Read more about the plugin and get the source code or an Ubuntu package at Last.fm for Rhythmbox – New Style.

If the Rhythmbox developers are interested, I’ll start to merge this new plug-in with the old one that is bundled with Rhythmbox.

I have written a new last.fm plug-in for Rhythmbox today. Instead of scrobbling directly like the old one, it submits tracks via the lastfm client application. The client displays additional information about the currently playing song and you can love and tag the song with it.

The source code is available as a patch against Rhythmbox 2.90.1 (git snapshot 20120108): scrobbler-v3t.patch
You can apply this patch with:

patch -NEp1 < ~/scrobbler-v3t.patch

Ubuntu Oneiric Ocelot users can get precompiled packages from my APT repositories by running these commands in a terminal:

$ sudo add-apt-repository \
    '/static/debian/rhythmbox/ main'
$ wget /static/gpg.asc -O - | \
    sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install rhythmbox rhythmbox-plugins lastfm

To enable the new plug-in go to Edit » Plugins. Disable the “Last.fm” plug-in and enable the “New Style Last.fm Scrobbler”.
If you enable this scrobbler plug-in, you have to disable the old Last.fm plug-in! Otherwise you will have two plug-ins which will both submit to last.fm at the same time. Only use one at a time!

Note that this first version of the plug-in does not start the lastfm client automatically! It will scrobble only if you start the client manually. I will fix this in the next version.

Feedback, postive as well as negative, is very welcome. If you want to report a bug, please include the output of “rhythmbox -D rb-scrobbler-plugin” and the tags of the song you wanted to scrobble.
If you want to report a crash, providing a gdb backtrace would be nice.

You might also want to take a look at this thread on the last.fm development forum.

May 20th, 2007: v2 of the plug-in is available now. lastfm gets launched automatically now.
May 22nd, 2007: v3 is available. The patch and the Ubuntu package have been updated: Changes since v2
May 25th, 2007: v3a: Updated patch and deb for the new Ubuntu Gutsy version of Rhythmbox.
May 29th, 2007: v3b: Updated patch and deb for the new Rhythmbox release.
May 31st, 2007: Updated patch Ubuntu package.
June 1st, 2007: Added APT repositories for Ubuntu Feisty and Gutsy.
June 28th, 2007: v3c: Updated patch and debs for the new Rhythmbox release.
August 16th, 2007: v3d: Updated patch and debs for Rhythmbox 0.11.2.
November 14th, 2007: v3e: Updated patch and debs for Rhythmbox 0.11.3. Add Hardy repository.
November 30th, 2007:Updated gusty and hardy builds. Include fixed Croatian po file from Franko Burolo.
February 7th, 2008: v3f: Updated patch and debs for Rhythmbox 0.11.4. (Thanks to Iain Buchanan for notifying me of the missing patch!)
May 31st, 2008: v3g: Updated patch to apply cleanly to Rhythmbox 0.11.5. (The debs for hardy have been at 0.11.5 for quite a while).
October 15st, 2008: v3h: Updated patch to apply cleanly to Rhythmbox 0.11.6. Ubuntu packages are available for i386, amd64, and lpia now.
October 20st, 2008: v3i: Updated patch to apply cleanly to the real Rhythmbox 0.11.6 release. v3h was for a later version from SVN.
April 24th, 2009: v3j: Update patch to apply cleanly to Rhythmbox 0.12.0. Provide debs for Ubuntu Jaunty.
November 4th, 2009: v3k: Update patch to apply cleanly to Rhythmbox 0.12.5 and provide debs for Ubuntu Karmic.
November 29th, 2009: v3l: Update patch to apply cleanly to Rhythmbox 0.12.6 and provide debs for Ubuntu Lucid too.
April 25th, 2010: v3m: Update patch to apply cleanly to Rhythmbox 0.12.8. Provide debs for Ubuntu Lucid.
Jun 3rd, 2010: v3n: Update patch to apply cleanly to Rhythmbox 0.12.8git20100602. Provide debs for Ubuntu Maverick Meerkat 10.10.
Jun 13th, 2010: v3o: Update patch to apply cleanly to Rhythmbox 0.12.8git20100611. Updated debs for Ubuntu Maverick Meerkat 10.10.
October 10th, 2010: v3p: Update patch to apply cleanly to Rhythmbox 0.13.1. Provide updated debs for Ubuntu Maverick Meerkat 10.10.
April 4th, 2011: v3p: Update patch to apply cleanly to Rhythmbox 0.13.3. Provide debs for Ubuntu Natty Narwhal 11.04.
October 16th, 2011: v3r: Updated patch for new plug-in infrastructure in Rhythmbox 2.90.1. Provide debs for Ubuntu Oneiric Ocelot 11.10.
December 23rd, 2011: v3s: Updated patch. Provide debs for Ubuntu Precise Pangolin 12.04.
January 14th, 2012: v3t: Update patch and debs for Ubuntu Precise.

It may be a good idea for the WordPress developers to sign their releases with a well known and trusted PGP key. This would allow people to verify that downloaded files are really what they should be!
This is a well-established practice used by other projects, for example by the Linux kernel.

Read the complete SSL setup guide here: Securing WordPress 2 Admin Access With SSL

Regarding WordPress security, please note that there still is a possible exploit for 2.0.6: New WordPress exploit also affects version 2.0.6
Make sure you use safe a PHP version and set register_globals = off.

• Prepare the chroot directory. It’s recommended to use an extra partition/filesystem for it. I will use /srv/mysql (which is an LVM2 partition with an ext3 filesystem on my system) for the rest of the text.
• Stop MySQL:

  /etc/init.d/mysql stop

• Copy the databases to new location:

  mkdir -p /srv/mysql/var/lib
  cp -a /var/lib/mysql /srv/mysql/var/lib

• Copy this script to /etc/default/mysql-chroot
• Edit /etc/init.d/mysql:
  • Source the mysql-chroot script somewhere at the top:

    …
    test -x /usr/sbin/mysqld || exit 0
    
    . /etc/default/mysql-chroot
    
    SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
    …

  • Fix the disk space check:

    …
    # check for diskspace shortage
    datadir=`mysqld_get_param datadir`
    if LC_ALL=C BLOCKSIZE= df --portability $CHROOT_DIR$datadir/. | tail -n 1 | awk '{ exit ($4>4096) }'; then
      log_failure_msg "$0: ERROR: The partition with $datadir is too full!"
    …

  • Run setup_chroot right in the start section:

    …
    if mysqld_status check_alive nowarn; then
      echo "...already running."
    else
      setup_chroot
      /usr/bin/mysqld_safe > /dev/null 2>&1 &
    …

  • Somehow /var/run/mysqld/mysqld.pid disappears after each start. We have to create it each time, otherwise the stop command won’t work properly:

    …
    if mysqld_status check_alive warn; then
      log_end_msg 0
      ln -sf $CHROOT_DIR/var/run/mysqld/mysqld.pid \
                     /var/run/mysqld
      # Now start mysqlcheck or whatever the admin wants.
      output=$(/etc/mysql/debian-start)
    …

• In /etc/mysql/debian.cnf, change the two socket lines to:

  socket = /srv/mysql/var/run/mysqld/mysqld.sock

• In /etc/mysql/my.cnf:
  • Change the socket line in the [client] section to:

    socket = /srv/mysql/var/run/mysqld/mysqld.sock

    Don’t change the socket lines in the other sections!

  • Add

    chroot = /srv/mysql

    to the [mysqld] section.

• Prepend /srv/mysql to the log files listed in /etc/logrotate.d/mysql-server
• Make /usr/bin/mysql_upgrade_shell use the chrooted socket. Note: Currently these changes must be made each time mysql gets upgraded because upgrades override this file!

  …
  --password=*) password=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
  --socket=*) socket=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
  --ldata=*|--data=*|--datadir=*) DATADIR=`echo "$arg" | sed -e 's/^[^=]*=//'` ;;
  …
  fi
  $bindir/mysql_fix_privilege_tables --silent --user=$user --password=$password --socket=$socket $args
  exit 0
  …
  check_args="--check-upgrade --all-databases --auto-repair --user=$user --password=$password --socket=$socket"
  …
  $bindir/mysql_fix_privilege_tables --silent --user=$user --password=$password --socket=$socket $args
  …

• Start MySQL:

  /etc/init.d/mysql start

• Check /var/log/syslog for errors ;-)

As a result of this move, there are now packages of Sun’s Java for Debian and Ubuntu.
The packaging code is largely based on the code we are using for Blackdown Java for some years. The code is available under the MIT license from the jdk-distros project on java.net. (More info on Tom Marble’s blog.)

I’m glad Sun finally opens Java up a bit after years of restrictive licensing.

After some searching I found out that you apparently need lvm2 2.02.01 or later and devmapper 1.02.02 or later to successfully remove snapshot volumes now. Unfortunately neither of these versions is available for sarge from Debian or backports.org yet, so I had to make my own backports.
As it turned out (see below), it is also necessary to use 2.6.16.12 or to apply the patch from this email to older 2.6.16 versions in order to reliably remove snapshots.

If you are brave enough, you can get the backported packages by adding

deb http://blog.blackdown.de/static/debian/lvm/ sarge main
deb-src http://blog.blackdown.de/static/debian/lvm/ sarge main

to /etc/apt/sources.list.

The repository contains debs for devmapper, dlm, lvm2, and lvm-common. The Release files is signed with my GPG key. If you have a recent apt version, you can authenticate the packages after importing the key with apt-key:

wget http://blog.blackdown.de/static/gpg.asc -O - | \
    sudo apt-key add -

April 15th, 2006: In about 40 backup cycles I’ve seen three lockups with 2.6.16.2 now. Until snapshots get fixed in 2.6.16, I’d recommend to stay with 2.6.15. I’m using 2.6.15.3 again now.

April 24th, 2006: Added note about “dm snapshot: fix kcopyd destructor” patch from Alasdair G Kergon. With this patch snapshots work fine for me again.

May 2nd, 2006: Alasdair G Kergon’s patch has been included in 2.6.16.12.

The built-in sound card is completely unsupported at this time. As I did not feel like writing a driver for it, I plugged in an old USB sound device (Creative Sound Blaster Audigy 2 NX). At first this did not work, I just got oopses. But with a small fix (included in the kernel since 2.6.15.5) it started to work.

Next I tried to set up ALSA‘s dmix plug-in with S16 which resulted in horrible crackling: The byte swapping code was broken.

Also, ALSA’s softvol plug-in (not strictly necessary but nice to have with GNOME’s volume control applet) didn’t work, it did not support any format available with snd-usb-audio on big-endian machines.

Here are the fixes for these two problems (against alsa-lib-1.0.11rc3):

• alsa-dmix-fix.patch
• alsa-softvol.patch

If somebody is interested, here is the USB-Audio.conf I use with my Audigy 2 NX.

By the way: Is it normal that the dmix plug-in consumes 100% CPU?

April 9th, 2006: The patches have been integrated into alsa-libs 1.0.11rc4, the 100% CPU issue is fixed in that version too.
There’s also a ALSA driver for the chip in the PowerMac Quad now, see this mail from Johannes Berg.

The situation has not changed much since WordPress 1.5: WordPress 2.0 still does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP and I still do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:

The Goal

All communication involving passwords or authentication cookies should be done over HTTPS connections. wp-login.php and the wp-admin directory should only be accessible over HTTPS.
Normal reading access, as well as comments, tracebacks, and pingbacks still should go over ordinary HTTP.

The Plan

• Add an HTTPS virtual host that forwards requests to the HTTP virtual host
• Modify WordPress to send secure authentication cookies, so cookies never get sent over insecure connections accidentally
• Require a valid certificate on HTTPS clients. That means to log in to WordPress you need both a valid certificate and a valid password. If someone manages to get your password, he still can not login because he does not have a valid certificate.

The Implementation

Note: This documentation assumes a Debian sarge installation with Apache 2. Some things, in particular Apache module related ones, will be different on other systems.
The server used throughout the instructions is example.org/192.0.34.166. The server’s DocumentRoot is /blog and WordPress resides in /blog/wp. The value of WordPress’ home option is ‘http://example.org&/#8217; and the value of its site_url option is ‘http://example.org/wp’.

• Prepare the SSL certificates:
  • Generate your own certificate authority (CA) if you don’t have one already (I’m using the makefile from OpenSSL Certificate Authority Setup for managing mine) and import it into your browser.
  • Generate a certificate for the SSL server and certify it with your private CA.
  • Generate a certificate for your browser and certify it with your private CA. Most browsers expect a PKCS#12 file, so generate one with

    $ openssl pkcs12 -export -clcerts \
        -in blogclient.cert \
        -inkey blogclient.key \
        -out blogclient.p12

    Then import blogclient.p12 into your browser.

• Make WordPress SSL-ready:
  Apply this patch to the WordPress code. It makes the following changes:
  • Use secure authentication cookies in wp_setcookie()
  • Make check_admin_referer() work with HTTPS URLs
  • Use HTTPS URLs for notification mails
  • Use HTTPS URLS for redirects to wp-login.php
  • Only allow XML-RPC logins from the local host (ie. the HTTPS proxy)
  • Add the Mark-as-Spam feature from trunk

  The patch is against svn version 3825 of WordPress (ie. WordPress 2.0.3), when you apply it to a newer version, you will likely get some harmless ‘Hunk succeeded’ message. If you are getting ‘Hunk FAILED’ message, just send me note and I’ll update the patch.

• Enable the necessary Apache modules:
  • Install mod_proxy_html. It will be used to replace absolute ‘http://example.org&/#8217; HTTP URLs in the WordPress output with ‘https://example.org&/#8217; HTTPS URLs:

    $ aptitude install libapache2-mod-proxy-html

    The module gets enabled automatically after installation.

  • Enable mod_proxy and mod_ssl

    $ a2enmod proxy
    $ a2enmod ssl

    Debian provides sane default configurations for both modules. You might want to take a look at the configuration files (ssl.conf and proxy.conf) nevertheless.
    I have changed SSLCipherSuite to

    TLSv1:SSLv3:!SSLv2:!aNULL:!eNULL:!NULL:!EXP:!DES:!MEDIUM:!LOW:@STRENGTH

    in ssl.conf in order to just allow TLS v1 and SSL v3 ciphers which provide strong encryption and authentication (see ciphers(1)).

  • If you are compressing WordPress output (that is if you enabled the ‘WordPress should compress articles (gzip) if browsers ask for them’ option) then also enable mod_headers:

    $ a2enmod headers

• Configure Apache to listen on the HTTPS port

  $ cat > /etc/apache2/conf.d/ssl.conf << EOF
  <IfModule mod_ssl.c>
  	Listen 443
  </IfModule>
  EOF

• Modify the blog virtual host to limit access to wp-login.php and wp-admin to the local host. Also completely deny access to files which should never be accessed directly. Here is an example: 10-wp2-example.org
• Now setup the HTTPS virtual server: 20-wp2-example.org-ssl
  If you are compressing WordPress output you have to enable the RequestHeader line.
• Enable the site and restart Apache

  $ a2ensite 20-blog-ssl
  $ /etc/init.d/apache2 restart

• Remove the old WP cookies from your browser
• Test the new setup!

February 1st, 2006: wp2-ssl.patch updated for WordPress 2.0.1

March 11st, 2006: WordPress 2.0.2 has been released, fixing some security issues. The HTTPS patch still applies fine to that version.

March 19th, 2006: Updated wp2-ssl.patch. Changes: Fix bug in list-manipulation.php, use HTTPS for ‘Login’ and ‘Register’ links, backport ‘Mark-as-Spam’ feature from trunk

May 1st, 2006: WordPress 2.0.3 has been released. Here is the updated wp2-ssl.patch.

July 29th, 2006: WordPress 2.0.4 has been released, fixing some security issues. Here is an updated version of the wp2-ssl.patch.

January 12st, 2007: wp2-ssl.patch updated for 2.0.6 and 2.0.7-RC1

January 15st, 2007: WordPress 2.0.7 has been released. The patch still applies fine to that version.

• Build a udev rule to give the mouse device a static name: I’m using

  ACTION=="add", \
    KERNEL=="event*", \
    SUBSYSTEM=="input", \
    SYSFS{manufacturer}=="Logitech", \
    SYSFS{product}=="USB Receiver", \
    NAME="input/mx1000"

  in /etc/udev/rules.d/010_local.rules.
  After restarting udev and replugging the mouse, you should see a device named /dev/input/mx1000.

• /etc/X11/xorg.conf:

  Section "InputDevice"
   Identifier "MX1000"
   Driver     "evdev"
   Option     "CorePointer"
   Option     "Device"    "/dev/input/mx1000"
  EndSection

• ~/.xbindkeysrc:
  (You have to install xbindkeys and xvkbd for this; I’m starting xbindkeys in ~/.gnomerc)

  # Backward and Forward buttons
  "xvkbd -text "\[Alt_L]\[Left]""
    m:0x10 + b:8
  "xvkbd -text "\[Alt_L]\[Right]""
    m:0x10 + b:9
  
  # "Cruise Control" disabled:
  #"xvkbd -text "\[Page_Up]""
  #  m:0x10 + b:11
  #"xvkbd -text "\[Page_Down]""
  #  m:0x10 + b:12
  
  # "Cruise Control" enabled:
  # Work-around extra events
  "~/bin/click 4"
   m:0x10 + b:11
  "~/bin/click 5"
   m:0x10 + b:12
  
  # Application-Switch button
  # A-Tab doesn't work
  # Use it as another Forward for now
  "xvkbd -text "\[Alt_L]\[Right]""
    m:0x10 + b:10

  Using the Application-Switch button for switching windows in GNOME doesn’t work because it would require holding down the Alt key while pressing Tab several times, xvkbd can’t do that. I’m using the button as another Forward now, it’s easier to reach than the real Forward button.
  Defining actions for the Cruise Control buttons only makes sense when Cruise Control is disabled (you can disable it with lmctl or the Logitech Mouse Applet). If it is disabled, the buttons generate 11 and 12. When it is enabled, they generate a single button 11 or 12 event and then a series of button 4 or 5 events just like scrolling the wheel does.
  I have no idea why the mouse generates 11 or 12 before starting normal scrolling in Cruise Control mode. I’m mapping 11 and 12 to a little utility (click by Jeremy Nickurak) which replaces these bogus events with normal scroll events.

• At this point the Backward and Forward buttons should work in GNOME, KDE, and Mozilla-based browsers. Horizontal scrolling should work in GNOME and KDE.
  Mozilla-based browser like Firefox need two additional changes to get horizontal scrolling working with the tilt wheel: Open about:config and set

  mousewheel.horizscroll.withnokey.action = 0
  mousewheel.horizscroll.withnokey.sysnumlines = true

January 18th, 2006: The evdev driver in XOrg 6.9 is broken on big-endian machines like powerpc. Here’s a fix.

The issue isn’t Blackdown-specific. Sun released an advisory too.

Thanks to Matthias Klose, Debian packages for 1.4.2-03 are available too. Just add something like

deb ftp://ftp.tux.org/java/debian/ sarge non-free

to your /etc/apt/sources.list.

The Release files are signed with the Blackdown Java-Linux Package Signing Key. If you have recent apt version you can use this key to authenticate our Debian packages. Just import the key with apt-key:

$ wget http://www.blackdown.org/java-linux/java2-status/gpg.asc
$ apt-key add gpg.asc

The lack of security support was one of the main problems with “testing”. You had to pull security fixes from “unstable” or even build your own packages to keep it secure.

I hope they have the manpower to keep up with security issues. Debian’s main security team, which only provides updates for the “stable” distribution, had some problems over the last months.

Stefan Esser reports that there are two WordPress 1.5.2 versions. The first one, which didn’t fix the problem it was supposed to fix, was available for download for several hours before it silently was replaced by the fixed second version.

It’s hard to understand why the version number wasn’t bumped for the second release and why the WordPress developers didn’t inform users about the mistake.

The comments from the WordPress crowd are a bit weak in my opinion. If there’s FUD about WordPress’ security it’s the sole fault of the WordPress developers!

I, myself, am perfectly able to figure out what was broken and how it was fixed. That’s not the point. I was commenting on the handling of security announcements by the WordPress developers.

I expect to get information about security issues from a central, easy-findable place from any project or product that has public exposure and more than a handful of users. (Yes, I expect that from open source projects too. Look around the net to see how good others handle it.)
Expecting your users to gather information about a problem from forums, blogs, foreign sites, or the source code is simply unprofessional.

The often used argument that more specific information only helps hackers is just plain naïve: WordPress is open source, its code and even nicely formatted svn changesets are freely available on the web. Hackers are not stupid, they’ll find the issues.

Note, I’m not saying you should post sample exploits publicly. Just give enough information that administrators can determine whether their systems are vulnerable and how severe the problem is. Again, go around the net and look how other projects handle security announcements.

I hate that kind of silly security by obscurity. Vague vulnerability descriptions are almost useless for administrators, just saying “we’ve fixed some security problems” is even worse!

August 15th, 2005: See this article for a reply to some comments I’ve received.

August 18th, 2005: The WordPress developers seem to have problems with release management too: There are two different 1.5.2 versions, read more in WordPress Security Annoyances.

The official sarge installer still uses a 2.4 kernel by default but includes a 2.6 kernel that can be used by booting with "install26" or "expert26". But even that kernel, 2.6.8, is too old for the Inspiron 9300. It still doesn’t recognize the hard disk.

Ubuntu’s installer, which uses a 2.6.11 kernel, works fine on the machine. Although Ubuntu is a nice distribution, I like pure Debian better. Unfortunately I wasn’t able to find any 2.6.11 based Debian installer on the net, even a question on debian-boot yielded nothing.

Anyhow, I finally had the time to build one myself:
debian-2.6.11-i386-businesscard.iso (GPG signature)

The image is basically a sarge businesscard ISO with a 2.6.11 kernel from Debian testing instead of the original 2.6.8 kernel.

Unlike with Ubuntu, installation on the Inspiron 9300 still doesn’t work out of the box but with a few tricks I was able to install Debian sarge:

• Boot with expert26
• When the installer starts up, switch to the second console (Alt-F2) and enter these commands:

  ~ # modprobe ide_generic
  ~ # modprobe ata_piix

  Without this the installer won’t find the CD-ROM.

• If network configuration via DHCP fails, just retry — worked for me
• When asked what version of Debian you would like to install, choose stable. Installing testing or unstable directly doesn’t work.
• It doesn’t matter which kernel you choose to install, we have to replace it with a 2.6.11 kernel later anyway
• Just before the first reboot, that means right after the installer ejects the CD-ROM, switch back to console two. Now download and install the latest available Debian kernel. I’ve used 2.6.11-1-686:

  ~ # mount -t proc proc /target/proc
  ~ # chroot /target
  sh-2.05b# cd /root
  sh-2.05b# wget http://blog.blackdown.de/static/debian/kernel-image-2.6.11-1-686_2.6.11-7_i386.deb
  sh-2.05b# dpkg -i kernel-image-2.6.11-1-686_2.6.11-7_i386.deb
  …
  sh-2.05b# exit
  ~ # umount /target/proc

• Reboot (using the kernel just installed) and complete the installation
• Upgrade to testing or unstable
• Build a custom kernel (2.6.12 or newer). It’s probably a good idea to include some additional libata patches. To get the DVD drive working you have to apply this patch.

deb ftp://ftp.tux.org/java/debian/ sarge non-free

to your /etc/apt/sources.list.

Upgrading is recommended as 1.4.2-02 contains an important security fix.

Users of other Java implementations based on Sun’s code should check for updates too.

I didn’t want to use the Symantec tools that came bundled with the system due to previous experiences, so I had to look for another antivirus & firewall solution. After reading a few reviews I decided to try G-Data AntiVirusKit InternetSecurity 2005 first. Installation went smooth but after the next reboot the taskbar didn’t repaint anymore and Explorer was unresponsive. The system was in pretty unusable state.

After booting into Safe Mode, I’ve changed the Data Execution Prevention (DEP) settings to only cover core Windows programs. Another reboot and G-Data started working! Well that’s quite disappointing, x86 processor with No-Execute (NX) and Execute Disable (XD) bits are available for more than two years now and XP SP2 isn’t exactly new either — still G-Data hasn’t managed to fix its code!

Lesson learned: If you have a processor that supports NX or XD (same thing, just different marketing names from AMD and Intel) and you plan to actually take advantage of that feature, you better should check twice which software you’re going to use — especially when using closed-source software. (Linux users should be on the safe side, I haven’t see an application having problems with NX for a long time.)

I’ve removed G-Data AntiVirusKit InternetSecurity 2005 and installed F-Secure Internet Security 2005 which seems to work fine with DEP enabled globally.

Read more on the shorewall-devel list.

It is sad to hear that, Tom did a great job. Shorewall is one the best firewall tools available for Linux. I sincerely hope somebody will pick up the project and continue development. If I had the time I would do it myself.

As one can guess from the look of this site, I’m using WordPress as my blog engine. At this time WordPress does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP. This is a bit unfortunate. I do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:

The Goal

All communication involving passwords or authentication cookies should be done over HTTPS connections. wp-login.php and the wp-admin directory should only be accessible over HTTPS.
Normal reading access, as well as comments, tracebacks, and pingbacks still should go over ordinary HTTP.

The Plan

• Add an HTTPS virtual host that forwards requests to the HTTP virtual host
• Modify WordPress to send secure authentication cookies, so cookies never get sent over insecure connections accidentally
• Require a valid certificate on HTTPS clients. That means to log in to WordPress you need both a valid certificate and a valid password. If someone manages to get your password, he still can not login because he does not have a valid certificate.

The Implementation

Note: This documentation assumes a Debian sarge installation with Apache 2. Some things, in particular Apache module related ones, will be different on other systems.
The server used throughout the instructions is example.org/192.0.34.166. The server’s DocumentRoot is /blog and WordPress resides in /blog/wp. The value of WordPress’ home option is ‘http://example.org&/#8217; and the value of its site_url option is ‘http://example.org/wp’.

• Prepare the SSL certificates:
  • Generate your own certificate authority (CA) if you don’t have one already (I’m using the makefile from OpenSSL Certificate Authority Setup for managing mine) and import it into your browser.
  • Generate a certificate for the SSL server and certify it with your private CA.
  • Generate a certificate for your browser and certify it with your private CA. Most browsers expect a PKCS#12 file, so generate one with

    $ openssl pkcs12 -export -clcerts \
        -in blogclient.cert \
        -inkey blogclient.key \
        -out blogclient.p12

    Then import blogclient.p12 into your browser.

• Make WordPress SSL-ready:
  Apply this patch to the WordPress code. It makes the following changes:
  • Use secure authentication cookies in wp_setcookie()
  • Make check_admin_referer() working with HTTPS URLs
  • Disable login over XML-RPC
• Enable the necessary Apache modules:
  • Install mod_proxy_html. It will be used to replace absolute ‘http://example.org&/#8217; HTTP URLs in the WordPress output with ‘https://example.org&/#8217; HTTPS URLs:

    $ aptitude install libapache2-mod-proxy-html

    The module gets enabled automatically after installation.

  • Enable mod_proxy and mod_ssl

    $ a2enmod proxy
    $ a2enmod ssl

    Debian provides sane default configurations for both modules. You might want to take a look at the configuration files (ssl.conf and proxy.conf) nevertheless.

  • If you are compressing WordPress output (that is if you enabled the ‘WordPress should compress articles (gzip) if browsers ask for them’ option) then also enable mod_headers:

    $ a2enmod headers

• Configure Apache to listen on the HTTPS port

  $ cat > /etc/apache2/conf.d/ssl.conf << EOF
  <IfModule mod_ssl.c>
  	Listen 443
  </IfModule>
  EOF

• Modify the blog virtual host to limit access to wp-login.php and wp-admin to the local host. Also completely deny access to files which should never be accessed directly. Here is an example: 10-example.org
• Now setup the HTTPS virtual server: 20-example.org-ssl
  If you are compressing WordPress output you have to enable the RequestHeader line.
• Enable the site and restart Apache

  $ a2ensite 20-blog-ssl
  $ /etc/init.d/apache2 restart

• Remove the old WP cookies from your browser
• Test the new setup!

A closer look at ipt_recent.c revealed that the time tests did not work like intended if one of the last hits was more than LONG_MAX jiffies ago or if the list of last hits contained empty slots and jiffies is greater than LONG_MAX.

To fix this, I replaced jiffies with seconds since ’00:00:00 1970-01-01 UTC’. I have sent the patch to linux-kernel and netfilter-devel. The patch also includes some 64-bit fixes.

May 12th, 2005: The patch has been added to Linux 2.6.12-rc4-mm1

September 8th, 2005: Please note that only the 64-bit parts of my patch have made it into 2.6.12. I’m working on an updated fix for the time comparison problems which will hopefully get accepted for 2.6.14 or later.

September 12th, 2005: These issues have CAN numbers now: CAN-2005-2872 and CAN-2005-2873 (which supersede CAN-2005-2802)

July 10th, 2006: The jiffies issue is fixed in the vanilla kernel now. Also note that 2.6.18 will contain a rewrite of ipt_recent.c.

Yes, we are working on porting HotSpot and J2SE 5 to both ppc and ppc64!
There is no sponsor for this port, so nobody is working on it full-time currently. That means work is progressing slowly (but steadily), not much is working at this point.

I have not found a bug in these patches yet but I am pretty sure that it is no GCC bug.

Now if 2.6.12-rc kernels were just a tiny bit more stable on my G5…

As my old work-around (providing a uname command that returns ‘ppc’) didn’t work anymore, this forced me to look at the root cause of the problem.

I’ve finally found two issues with the PER_LINUX32 personality:

• uname(2) didn’t respect PER_LINUX32
• Child processes didn’t inherit PER_LINUX32

This patch for 2.6.12-rc1-mm4 fixes both issues:

$ uname -m
ppc64
$ linux32 uname -m
ppc
$ linux32 sh -c "uname -m"
ppc

Without the patch all three commands return ‘ppc64’.