Jan 29 2011

In the dim and distant past when keyboards were enclosed in metal cases and you certainly didn’t tuck one under the arm and walk around with it (actually I don’t now either), the placement of many keys was continually up for debate. But apart from the main QWERTY section, one of the key placements you could rely on was the Control key next to the “A” key. These days it’s been turned into one of those silly CapsLock keys.

Back when I previously did some keymapping, I neglected to mention how I mapped CapsLock into a Control key. As appropriate punishment, changing window managers has somehow meant that my previous mapping had been lost. So I had to figure out how to do it again.

First thing to do is to switch to a text console – I’ll be mapping this at a very low level.

Next thing to do is to find out the scancode of the key I want to map :-

# showkey -s

Once started, I have to press the key I am interested in within 10 seconds or the program will exit. I press CapsLock and I get two numbers displayed – 3a and ba (they’re in hexadecimal for the base-16 challenged). The first is the key press, and the second is the key release. We can discard the second as Linux is clever enough to figure out one from the other.

The next thing we want to do is to obtain the keycode of the key that we want to map to – in this case the left control key. It probably doesn’t matter here, but it is worth noting that the left and right control keys have different scancodes and keycodes, so you could map them to different things. Anyway, to obtain the keycode of the key we want, run :-

# showkey -k

And press the key to map to.

Lastly we want to construct the command to actually do the mapping :-

setkeycodes 3a 29

This of course has to be added to a script that is run when the system boots – you want this mapped as early as possible. Note that setkeycodes takes the scancode in hexadecimal and the keycode in decimal, exactly as showkey reported them.

Jan 28 2011

This is a general waffle in relation to the Jasmine Revolution (although the Wikipedia article concentrates on the Tunisian revolution, this phrase is beginning to be used more generally) – no news here.

We often hear that no government can survive without the consent of the people, but what does that mean? In this case it means that a significant proportion of the people are sufficiently angry with their government to risk violence, arrest, and even death to demonstrate their need for a change. The governments involved can try a variety of tactics to deal with the protestors, but their first reaction – violent repression – will only make the protestors more demanding. Ignoring the rights and wrongs of punishing protestors, violence can work if the protestors are a small enough minority, but at a certain point it becomes self-defeating.

If a government offers change, it needs to do so before it resorts to violence – the government wants to offer as little change as possible, and violence means the protestors become more demanding of change. Indeed the government needs to offer just a little more change than it wants to. Offering too little change, as President Mubarak appears to have done, does little to stem the anger of the people.

What makes people annoyed enough with the government to take to the streets? There are a whole variety of reasons, not limited to :-

  • The absence or perceived absence of a say in the composition of the government. Or in other words the lack of a genuinely democratic government. That is not to say that merely having some form of democracy means that a government is immune to this effect as even in a democratic society, there can be those who believe they have no say in their government. For example the UK democratic system can be subject to this effect as people in “safe” constituencies will often believe that they have no say in their government if they do not vote for the party that always wins.
  • A belief that their government does not act in the best interest of the people. This includes but is not limited to the perceived level of corruption within the government or society.
  • Injustice where the people are subject to arbitrary arrest and punishment for “crimes” that most would regard as completely normal activities.
  • A lack of personal freedom (closely associated with the above) including but not limited to freedom of expression, freedom of assembly and the freedom to go about one’s daily business without undue interference from the government.
  • How old a government is. People can put up with a bad government for a year, or even five, but sooner or later it becomes unpalatable. In fact that even applies to a good government – if it stays in power too long, not only will it be subject to strains that make it a bad government, but even if it avoids those it will be condemned simply because people want change from time to time.
  • The economy. If the economy is poor enough that people are suffering, or income inequalities reach the point where the difference between rich and poor becomes excessive, that is in itself a source of grievance.

Dictatorships are more subject to this kind of problem than democracies, but democracies are not immune.

It is perhaps unfortunate that mass protests usually descend into violence. However it is perhaps inevitable, particularly when the forces of control are also violent. There are those who claim that the violence by protestors is somehow caused by “dark forces”. Nothing could be further from the truth – the violence is merely an expression of the level of anger felt. President Mubarak’s “dark forces” cannot instigate this level of protest and, once the protests are underway, have no way of controlling them.

It is likely that these accusations are themselves enough to cause the protests to continue.

Jan 23 2011

Of course they are – everything is a security risk. The question should be whether ereaders pose enough of a risk to your organisation to justify taking some form of action to reduce or eliminate that risk. The risks that ereaders pose can be broken down into three areas :-

  1. Most ereaders are effectively USB memory sticks with a display on. As such the risk is much the same as with any USB stick – a malicious employee could copy data and remove it from your organisation. The countermeasures are the same too – implement a policy that prohibits memory sticks, enforced by blocking them when they are plugged in.
  2. Ereaders have an additional danger in that accidental leakage of confidential information is far more likely. People are unlikely to carry out a paper document marked “COSMIC TOP SECRET”, but if they put such documents onto an ereader, they are far more likely to walk out the door with it through simple neglect – that ereader with the “COSMIC TOP SECRET” document on it also holds that harmless book “The Girl With The Dragon Tattoo” that I am reading in my spare time.
  3. Many ereaders (such as Amazon’s Kindle) have a way of sending documents to the device over email – you email a special address on the supplier’s mail servers, and the document trickles down to the ereader. Pretty convenient for the user, but not only does it make the leakage of information easier, you also have to worry about how secure the supplier’s mail servers are.

If you need a certain level of security, that all makes it seem like ereaders should be banned at your organisation. That would be a shame because they can be useful – everyone knows how much paper can be wasted printing discussion documents and reports so they can be referred to in a meeting. An ereader means you can carry that pile of paper around far easier.

Rather than simply banning ereaders, provide them for the workers to use, and ban them from going offsite. Security is more palatable if it is served with a smile.

Jan 23 2011

During a recent upgrade of the software I have installed on my work laptop, Macports managed to get a trifle confused during the process. Firstly Enlightenment suddenly started crashing at the drop of a hat, and secondly dbus suddenly started refusing connections and claiming that X11 support was not built-in.

The first problem I solved by compiling Enlightenment (E16) from scratch and overwriting the Enlightenment installed from Macports – probably not the right thing to do. It turns out that the Macports version of Enlightenment is very outdated and could do with a refresh.

The second problem was a little trickier, and may have been solved in a slightly more Macports-compatible manner. In fact this problem was two problems in one. First of all, any attempt to start a GNOME-based application (or presumably anything wanting to talk to dbus) would give an error indicating that X11 support was missing.

I fixed this by recompiling dbus manually :-

# port mirror dbus
#   Fetches a copy of the source archive used to build the port
# cd /opt/local/var/macports/distfiles/dbus
#   Change to the directory where the source archive is located
# gunzip -c dbus-1.2.24.tar.gz | tar xvf -
#   Unpack the source code (tar x extracts; tar t would only list the contents)
# cd dbus-1.2.24
#   Enter the directory that we've just unpacked.
# ./configure --prefix=/opt/local
#   Configure the package to install under the Macports prefix.

If you look at the last few lines of the output from this configuration process, you will see a message of the form “Building X11 code: yes” which is what we want to see – that X11 support is being built. At this point we can build and install :-

# make
# make install

The next problem was that attempting to use the automatically launched version of dbus resulted in a “permission denied” error when trying to communicate over the socket. The work-around for this turned out to be :-

  1. Turn off the launchd control of dbus by renaming the files /Library/LaunchAgents/org.freedesktop/dbus-session.plist and /Library/LaunchDaemons/org.freedesktop/dbus-session.plist, putting a “.” in front of their names. This stops launchd from starting anything.
  2. Change the .xinitrc to start dbus using the syntax eval $(dbus-launch --auto-syntax) (note that I explicitly ensure that this script is launched with zsh).

Jan 19 2011

This is probably of less interest than most of my blog postings about Cisco routers, as it concerns something less commonly configured in the way I have done it – specifically a WAN link with a single IPv4 address and NATting to that address. However writing up my notes here is convenient for me, so you’ll have to put up with it. It is also very definitely worth bearing in mind the disclaimer here.

Basic NAT

First of all the “outside” interface needs to be configured as such from the NAT point of view :-

router#configure terminal
router(config)#interface fastethernet 4
router(config-if)#ip nat outside

This marks the interface in a way that lets the router know how addresses need to be NATted. Of course it is also necessary to configure the “inside” interfaces too :-

router#configure terminal
router(config)#interface vlan 101
router(config-if)#ip nat inside

And repeat for each VLAN of course.

In most instructions you will see that it is normal to create a pool of addresses for use by NAT. That is perfectly valid when there are a number of addresses to NAT to, and works even when there is a single address. But there is an easier way … NAT to the address of the interface.

router#configure terminal
router(config)#ip nat inside source list 7 interface FastEthernet4 overload

The next task is to specify the access list (number 7, referenced above) that matches the addresses that need to be NATted. Note that standard IOS access lists take a wildcard mask rather than a prefix length :-

router#configure terminal
router(config)#access-list 7 permit 10.0.0.0 0.255.255.255

Port Forwarding or Static NAT (for Servers)
If you run your own servers you will need to arrange for incoming connections to certain tcp or udp ports to be ‘forwarded’ to a specified address. This is known in the domestic router scene as “port forwarding”, which is as good a term as any – given that the concept of NAT is fundamentally broken.

This is done quite simply by the following :-

router#configure terminal
router(config)#ip nat inside source static tcp 10.0.0.14 80 interface FastEthernet4 80

This of course says that there should be a static rule to map tcp/80 (http for the web) on the server with the address 10.0.0.14 to tcp/80 on the ‘outside’.

A Basic Firewall

Is the next task to bring up the WAN connection to check it works? Not at all; whilst it may be somewhat unhelpful to connect things up only after having made multiple changes, it is important to have some kind of firewall running first. If you happen to have the IOS firewall feature, there is little point in bothering with the ordinary ACL feature – it sucks in comparison.

But strangely it seems we do need a basic ACL in place to :-

  1. Allow server traffic into the network.
  2. Deny all other traffic.
  3. And to allow the inspect engine to extend the ACL to allow session specific rules.

router#configure terminal
router(config)#ip access-list extended AllowIn
router(config-ext-nacl)#permit tcp any any eq www
router(config-ext-nacl)#deny ip any any log DenyIn

The use of a named ACL here is to allow for greater self-documentation – it is easier to see what an ACL should be used for when it is named. This becomes more important the more ACLs are in use.

We then need to create a set of inspect rules to allow traffic out. This is a very open set of rules, and will dynamically create temporary rules to allow the inbound replies to the allowed outbound traffic. The ordering is very important as we need the most specific inspections first – so the generic “inspect tcp” and “inspect udp” should appear at the end.

router(config)#ip inspect name allow-out bittorrent
router(config)#ip inspect name allow-out ftp
router(config)#ip inspect name allow-out ftps
router(config)#ip inspect name allow-out gnutella
router(config)#ip inspect name allow-out h323
router(config)#ip inspect name allow-out http audit-trail on
router(config)#ip inspect name allow-out https audit-trail on
router(config)#ip inspect name allow-out icmp router-traffic
router(config)#ip inspect name allow-out tcp
router(config)#ip inspect name allow-out udp

The ‘router-traffic’ on the icmp rule is to allow the router to send ICMP traffic to the outside interface and for it to be inspected. For some strange reason, Cisco configured the default to not allow it – leading to any number of network administrators having a nasty panic attack. Perhaps Cisco have a nasty sense of humour?

Next, because it’s fun to see what people may be doing, we need to log whatever the inspection engine drops :-

router(config)#ip inspect log drop-pkt

Finally we apply the new rules to the WAN interface :-

router#configure terminal
router(config)#interface fastethernet 4
router(config-if)#ip access-group AllowIn in
router(config-if)#ip inspect allow-out out
router(config-if)#end

This just touches on the capabilities of firewalling with a Cisco and is well worth checking in greater depth. For instance, it is clearly possible to inspect incoming traffic as well as outgoing traffic, but if you do the obvious you end up with a non-working firewall.

Bringing Up The WAN

Fortunately I am in the situation where my ADSL line is bridged to Ethernet using an ADSL ‘modem’ so that I merely have to configure the external WAN interface on my router with an external address, a netmask, etc. This is so trivial it seems strange to include it here, but …

router#configure terminal
router(config)#interface FastEthernet4
router(config-if)#ip address 192.168.1.1 255.255.248.0
router(config-if)#ip nat outside
router(config-if)#ip virtual-reassembly
router(config-if)#duplex auto
router(config-if)#speed auto
router(config-if)#end

Perhaps the only oddity there is the use of ‘ip virtual-reassembly’, which is essentially used to protect the router (and in effect the rest of the network) from fragmented packet attacks. And if you prefer to leave CDP enabled elsewhere, you may also want to stop it on the external interface with “no cdp enable” as well.
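As an added example (not from the original post), here is a small Python check that parses a running-config fragment and reports whether the ‘ip nat outside’ interface carries the protections this post applies: the inbound ACL, the outbound inspect rule set, ‘ip virtual-reassembly’ and ‘no cdp enable’. The config text is constructed from the commands above, not a dump from a real router.

```python
# Added example (not from the post): audit the "ip nat outside" interface of an
# IOS config for the protections set up above. SAMPLE_CONFIG is a constructed
# running-config fragment built from this post's commands, not a real dump.
SAMPLE_CONFIG = """\
ip nat inside source list 7 interface FastEthernet4 overload
access-list 7 permit 10.0.0.0 0.255.255.255
ip access-list extended AllowIn
 permit tcp any any eq www
 deny ip any any log DenyIn
ip inspect name allow-out http audit-trail on
ip inspect log drop-pkt
interface FastEthernet4
 ip address 192.168.1.1 255.255.248.0
 ip nat outside
 ip virtual-reassembly
 ip access-group AllowIn in
 ip inspect allow-out out
interface Vlan101
 ip nat inside
"""

def parse_interfaces(config):
    """Map each interface name to the set of its sub-commands (IOS indents them by one space)."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif line.startswith(" ") and current is not None:
            ifaces[current].add(line.strip())
        else:
            current = None  # an unindented line ends the interface block
    return ifaces

def audit_wan(config):
    """Return a finding for each protection missing on a NAT-outside interface."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "ip nat outside" not in cmds:
            continue
        if not any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound ACL applied")
        if not any(c.startswith("ip inspect ") and c.endswith(" out") for c in cmds):
            findings.append(f"{name}: no outbound inspect rule set applied")
        if "ip virtual-reassembly" not in cmds:
            findings.append(f"{name}: ip virtual-reassembly missing")
        if "no cdp enable" not in cmds:
            findings.append(f"{name}: CDP still enabled on the external interface")
    return findings
```

Run against the sample it reports only the CDP item, since the post leaves that as an optional extra; feed it the output of ‘show running-config’ to check a real box.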