On certification

While googling for something completely different, I stumbled upon this letter from a 1999 issue of USENIX’s ‘;login:’ magazine by Sergey Babkin, in which he shares his view on certification, which I mostly agree with. An excerpt follows; click the link for his full comment:

I believe that certification benefits neither the professionals nor their clients. Does it benefit anyone? Of course it does. It benefits two social groups: the bureaucracy that conducts the certification and the people who can’t stay in the business without being protected by a shield of certificate. We can easily find numerous examples in current life.

Take, for example, the Microsoft certification programs. No doubt, Microsoft makes very nice money from selling the materials for a high price and charging thousands of dollars for the certification itself. But that means that the professionals lose this money, and their clients lose this money too because they have to compensate these expenses. Does the presence of certification mean that its owner really knows something about the subject? I doubt it very much. I do not have much respect for the people I know who have this certification. I would not recommend them for any job requiring any intelligence. They are most enthusiastic about getting these certificates.

I also have experience from another side. It happened that I got a Novell NetWare Administration certificate. Does that make me a good NetWare administrator? I doubt it. Attending the courses gave some interesting knowledge. And I’m probably not a really bad NetWare administrator, at least I have seen a number of worse ones. But that’s not because of this certificate but because UNIX administration and NetWare administration have things in common and most of the time I’m able to figure out or quickly find in the manuals the details I don’t know, based on the basic knowledge I have. And yes, I would recommend the same caution when hiring the bearers of Novell certificates as for Microsoft certificates, or any other certificates, such as CISCO or HP or Oracle.

Based on all this experience, my opinion is: “Certification Considered Harmful.”

Update: On a side note… I did pass my LPI-201 exam… one more to go for LPIC-2 certification.

Shell weirdness

Habbie pointed me to this one, but I thought it would be wise to write it down for future reference. The shell source command (.) in bash (and other shells) behaves like exec rather than like open (which you might mistakenly assume): it searches your $PATH for the argument, and only if it can’t find the argument in $PATH does it look in $PWD.

Demo:

PATH=/home/username/bin:/usr/bin:/bin:/usr/local/bin:…

$ echo 'echo bin/meuk' > ~/bin/meuk
$ echo 'echo home/meuk' > ~/meuk
$ cd ~

$ . meuk
bin/meuk
$ source meuk
bin/meuk

Update: Tested with bash / dash / ash / pdksh
All give the above result

From the manual:

source filename [arguments]
    Read and execute commands from filename in the current shell environment and return the exit status of the last command executed from filename. If filename does not contain a slash, file names in PATH are used to find the directory containing filename. The file searched for in PATH need not be executable. When bash is not in posix mode, the current directory is searched if no file is found in PATH. If the sourcepath option to the shopt builtin command is turned off, the PATH is not searched. If any arguments are supplied, they become the positional parameters when filename is executed. Otherwise the positional parameters are unchanged. The return status is the status of the last command exited within the script (0 if no commands are executed), and false if filename is not found or cannot be read.

Enabling the posix option in bash doesn’t change its behaviour; disabling sourcepath does:

$ shopt -u sourcepath
$ . meuk
home/meuk
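As an added example (not code from the original post), the script below builds two same-named files in a temporary directory and reports which one `.` reads for a bare name, for an explicit `./` path, and (under bash) with sourcepath turned off. The defensive takeaway is to source with an explicit path whenever the file is meant to come from a known location, so a same-named file in a writable $PATH directory cannot shadow it.

```shell
#!/bin/sh
# Added example (not from the original post): shows that `. name` resolves a
# bare filename through $PATH before the current directory, while "./name"
# (or, in bash, `shopt -u sourcepath`) reads the file in the current directory.
# Everything is set up in a temporary directory (constructed input).

# Print which copy of "meuk" gets sourced. $1 is the name handed to `.`;
# $2 may be "nosourcepath" to turn bash's sourcepath option off first.
source_which() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/work"
    # Two same-named files: one in a PATH directory, one in the working directory.
    printf 'WHERE=bin\n'  > "$tmp/bin/meuk"
    printf 'WHERE=work\n' > "$tmp/work/meuk"
    (
        PATH="$tmp/bin:$PATH"
        cd "$tmp/work" || exit 1
        WHERE=none
        if [ "${2:-}" = nosourcepath ] && [ -n "${BASH_VERSION:-}" ]; then
            shopt -u sourcepath   # bash only: do not search PATH for `.`
        fi
        . "$1"
        printf '%s\n' "$WHERE"
    )
    rm -rf "$tmp"
}

source_which meuk      # bare name: the copy in $PATH wins -> bin
source_which ./meuk    # explicit path: no PATH lookup      -> work
```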

SpamKarma2

Due to the Akismet advisory that was released today I had to disable it. I installed SpamKarma2 as a replacement spam filter (until Akismet is fixed).

So far I’m really impressed by SpamKarma2. Installation is a breeze (unzip, done) and it already caught a fair number of spams without blocking any legitimate comments. It also includes captchas when it isn’t certain about a comment, and checks whether people actually visited the comment page and how long they spent there before submitting.

You can even see how much spam was eaten at the bottom of the blog, at the time of writing this post it’s at 13 🙂

Update: Akismet fixed and re-enabled, now working alongside SpamKarma2.

Power management in Linux

Intel released Linux PowerTop, a tool to monitor power usage. It still won’t display anything on my Core 2 Duo mobile board (in a server), but I think that’s because I’m still missing some required kernel options (still running 2.6.18). They also have a long list of tips and patches to limit power usage. A recommended read for everyone running Linux on a laptop.

Copilot promotion

Just spotted the following on Joel On Software. They are making CoPilot available for free on Mother’s Day (and Father’s Day). I’ve always liked CoPilot, so if you’re not familiar with it, this Sunday you can try it for free. So go help your mothers or computer-illiterate friends without even having to leave the house ;).

Also still looking to set something like this up myself… shouldn’t be too hard, as it’s basically vnc over https with a connecting proxy in the middle. The pre-configured client is a nice touch for noobs though 🙂

Write down: "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0"

Yup… there have been attempts at censoring / abolishing the above number from the intarwebs… It appears to be the HD DVD processing key for all currently released HD DVDs. Thank goodness the DMCA doesn’t hold any ground outside of the US of A… If I receive any take-down notices, this could be fun :), as trade secrets are not secrets anymore, and have no legal protection.

Some interesting links:

Update: Freedom To Tinker.com has a nice take on the subject, and also some explanation for non-techies:

While it’s obvious why the creator of a movie or a song might deserve some special claim over the use of their creation, it’s hard to see why anyone should be able to pick a number at random and unilaterally declare ownership of it. There is nothing creative about this number — indeed, it was chosen by a method designed to ensure that the resulting number was in no way special. It’s just a number they picked out of a hat. And now they own it?
© Freedom To Tinker

Experimenting with Pandora since the non-US shutdown

As an avid Pandora.com listener I was quite miffed by the news that Pandora would be shutting out non-US users of their service. I was also a bit pissed earlier when I found out that my Squeezebox only included 90 days of free Pandora and I couldn’t get a non-free account because I was living on the wrong side of the big pond (so much for that major selling point).

But being the computer geek that I am, I wasn’t going to let simple IP geolocation stop me from listening to my favorite tunes… First I played around a bit with Pandora to see what filtering happened, and when I would be blocked. Then I tried some publicly available proxy servers, and some of them would allow access. Most of these proxy servers however are too unreliable, and way too slow for audio streaming.

The next attempt meant re-enabling Tor, something I’ve used before but never really had a serious need for. It’s an onion-routing system meant to anonymize/obscure your traffic. This would still block my access to Pandora most of the time, as it seems most exit nodes are Germany- and France-based.

I decided to work through the Tor node list my server had collected, filtering on nodes in the US by looking at IP addresses, hostnames and whois info. I came up with a list of US nodes and fed this list to my Tor server.

This allowed me again to load up pandora.com and get music going… but very slowly, too slow for listening. While googling some more for options and alternatives I disabled Tor again (ProxySwitch plugin for Firefox), and clicked a new station in Pandora. Sure enough it started playing, without hiccups and delays… It seems the audio data isn’t filtered by the geo-IP filter, only the Flash applet and metadata requests.

Hmm… seems I was wrong, as I can’t reproduce it… it seems I’ve just been getting some better Tor exit nodes… the quest continues…

Fonero

This weekend I received my new FON access point. The idea of FON is that they ship you a cheap or free 802.11b/g WiFi access point, and if you promise to leave it running and allow other users to access the network, you can in turn access the network from any other FON access point.
The FON access point, called ‘La Fonera’, is about the size of a packet of cigarettes, weighs less than 100 grams and eats little power. It’s stylishly white and convenient in use: just plug in power and ethernet (only one port) and it’s good to go. A cool feature ‘La Fonera’ provides is that it uses two ESSIDs, one called Myplace (for private use) and one called FON_ for public use.
It also features WEP, WPA and WPA2 and keeps statistics on who logged on, when they did, and how much they transferred. It allows owners to throttle the bandwidth used/shared with other users (“Foneros”).

‘La Fonera’s’ network range is very nice; it seems to outperform the other access points I’ve used over the years. So next time people come and visit I should have decent wireless connectivity.
By the way… you can find FON accesspoints using a google-maps interface at maps.fon.com

Sudo with LDAP

Most people who use *nix systems are probably familiar with sudo. At a customer I’ve been working for there used to be a vast machine park with sudo installations, all slightly different in configuration. Maintaining these configurations was not an easy task. Enter LDAP. Using LDAP to store the sudo configuration, we now have a single point for configuring sudo, with instant updates on all machines.
I’ll explain what needs to be done to ldap-i-fy your sudo configuration below.

Put the following schema in your LDAP config:


dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )


Restart your LDAP server(s) to include the schema.

Build sudo with the configure options ‘--with-ldap=<path>’ and ‘--with-ldap-conf-file=/etc/sudo.ldap’.

Put new sudo binaries on your system(s)

Create /etc/sudo.ldap with the following contents, replacing the IPs and DCs with your own:


host 10.20.30.40 10.20.30.50
sudoers_base ou=SUDOers,dc=example,dc=com

Create an ldif file with your sudo config (see below for an example)



dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudooption: ignore_dot
sudooption: !mail_no_user
sudooption: !root_sudo
sudooption: log_host
sudooption: logfile=/var/log/sudolog
sudooption: !syslog
sudooption: timestamp_timeout=10
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
cn: Rule1
sudooption: !authenticate
objectClass: top
objectClass: sudoRole
sudohost: ALL
sudocommand: /some/command
sudocommand: /some/other/command
sudouser: ALL
description: Allowed without password for ALL users


The first block of code contains the container for the rest of the sudo configuration, just leave this as-is. The second block contains the default options for sudo. Configure these to your liking, they are the same as for the non-ldap config, and are documented in the manual-page.

The third code-block lists a sample sudo rule. Repeat these as often as needed. The fields ‘sudohost’, ‘sudocommand’ and ‘sudouser’ are required, ‘sudooption’ is optional, and can override the defaults specified above.

sudoCommand should be repeated for every executable you want to enable via sudo (wildcards are possible, but not recommended). sudoUser can take regular usernames, or UNIX group names when prefixed with a percent sign (%).

Please note that although commands can be negated (!/some/binary), such negations can be worked around, so think before relying on them. Users and hosts can NOT be negated in LDAP configs… this is a current limitation.
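As an added example (not part of the original post or of sudo itself), the following Python script lints an LDIF export against the constraints described in this section before it is loaded into the directory: required attributes present on every rule, no wildcards in sudoCommand, and no negated users or hosts. The sample LDIF inside it is constructed from the Rule1 entry above plus a deliberately bad rule.

```python
# Added example (not from the original post): lint sudoRole entries in an LDIF
# against the constraints this post describes, before loading them into LDAP.
# Attribute names are matched case-insensitively, as LDAP does; folded lines are not handled.
from collections import defaultdict

REQUIRED = ("sudohost", "sudocommand", "sudouser")


def parse_ldif(text):
    """Return entries as dicts mapping lowercase attribute -> list of values."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur[attr.strip().lower()].append(value.strip())
    return entries


def lint_sudo_roles(text):
    """Return (dn, finding) pairs for each sudoRole entry that breaks a rule."""
    findings = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sudorole" not in classes or e.get("cn") == ["defaults"]:
            continue                           # cn=defaults carries only sudoOption
        dn = e.get("dn", ["?"])[0]
        findings += [(dn, f"missing required attribute {a}") for a in REQUIRED if a not in e]
        findings += [(dn, f"wildcard in sudoCommand: {c}")
                     for c in e.get("sudocommand", []) if any(ch in c for ch in "*?[")]
        findings += [(dn, f"negation not supported in {a}: {v}")   # LDAP backend limit
                     for a in ("sudouser", "sudohost") for v in e.get(a, [])
                     if v.startswith("!")]
    return findings


# Constructed sample: the post's Rule1 beside one deliberately bad rule.
SAMPLE_LDIF = """\
dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudohost: ALL
sudocommand: /some/command
sudouser: ALL

dn: cn=BadRule,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudohost: !webserver
sudocommand: /usr/bin/*
"""
```

Running `lint_sudo_roles(SAMPLE_LDIF)` reports nothing for Rule1 and three findings for BadRule: the missing sudoUser, the wildcard command, and the negated host.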