Whatever you do will be insignificant, but it is very important that you do it.
- Mahatma Gandhi

Thursday, January 24, 2013

A Lesson Too Late

It always happens to somebody else.  It's important, but we're always so busy.  I'm not a big target.  Whatever the excuse, there is always a reason that we can justify being lax on our security.  Well, these excuses had gotten the better of me for much too long, and it finally happened.  I got hacked.  The first indication was several "Delivery Status Notification" emails, and then several emails from concerned friends.  Luckily, I had my iPhone with me at the time, and when it started buzzing heavily, it got my attention and I went and looked into it.  When I got into Gmail, I immediately went to the "Last Account Activity" and found an IP address from Tennessee had been logged into my account about 7 minutes ago, right about when the rejected emails started.  I immediately tried to change my password, but was unable to do so, as the password had been changed.  Fortunately, I had set up my phone as a recovery device for Gmail.  First lesson and thing that I would like to share with everyone: Make sure to set up the recovery methods for your email account.  Had I not had this, I may have been completely out of luck, or at the very least would've been severely inconvenienced in getting this resolved.

One benefit of being hacked, if you have to find one, is that it's a good way to clean out your address book of addresses that are no longer functional.  So I spent the evening going through each of the notification messages and removing the old addresses from my address book.  I also sent a mass email (using BCC, so that I didn't unwittingly share the email addresses of all my contacts with each of them) notifying them that I had been hacked and to not click on anything which had been sent recently.  Another benefit, if we're trying to be positive, is that I was able to reconnect with several people with whom I had not corresponded for a long time due to their responses.  I figured that this was about as far as it would go, but to be safe I went and changed the passwords to most of my web services that I use and went to bed.

After a day of work, I came home anticipating an evening of relaxing with the kids.  I sat down and checked my mail on my iPhone.  I tried to send my dad a quick note, and began getting messages telling me that I could not send mail.  I immediately went to my wife's desktop and tried to log in through the browser.  No luck.  It had happened again.  I immediately did the same thing I had done yesterday and got the passwords all reset.  Two times in two days, though; something had to be done.  One of my friends, whose opinion I respect very much, had mentioned in his email letting me know I'd been hacked that he had previously set up 2 factor authentication for his Google account.  I had heard of this, but had always thought that this would be more of an inconvenience than any benefit that it would provide.  After 2 days of trying to put things back together, lesson two: Set up the two-factor authentication!  The basic concept, and this is going to severely simplify, is that to log in you need something that you know (your password), and something that you have (your phone).  This is similar to the VPN setup that many of you may have for work, with the RSA tokens.  I will admit, there is some pain with this method, as apparently there are many devices and applications which do not currently support the two factor authentication properly, but it's worth it for the peace of mind.  For each of the other applications, you can go in and generate a very difficult password for that application, and then enter it in once, and you again have access.

The last step that I learned is that you need to go through all your settings after an intrusion to make sure that no back doors have been left open.  Things to check are email forwarding, filters, other authorized websites and applications.  While you're in there, set your mail to always go through https.  It's a simple switch, and from my perspective, has almost no downside, but many benefits.  Google actually has a checklist that is pretty nice which goes through most of the steps that I have outlined here.
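The forwarding and filter check described above can be automated. The following is an added example, not part of the original post: it assumes the settings have been exported as dictionaries shaped like the Gmail API's autoForwarding and filter resources, and the addresses, filter ids and the OWN_DOMAINS list are constructed for illustration. It does not cover the authorized websites and applications, which still need a manual review.

```python
# Added example: flag mail settings that can outlive a password reset.
# Dict shapes follow the Gmail API settings resources (autoForwarding, filters).
# All addresses, ids and labels below are constructed sample data.

OWN_DOMAINS = {"example.com"}  # assumption: domains the account owner controls


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def audit_settings(auto_forwarding, filters, own_domains=OWN_DOMAINS):
    """Return (severity, message) findings for forwarding and filter rules."""
    findings = []
    fwd = auto_forwarding.get("emailAddress")
    if auto_forwarding.get("enabled") and fwd:
        sev = "info" if domain(fwd) in own_domains else "high"
        findings.append((sev, f"auto-forwarding enabled to {fwd}"))
    for flt in filters:
        fid = flt.get("id", "?")
        action = flt.get("action", {})
        target = action.get("forward")
        if target and domain(target) not in own_domains:
            findings.append(("high", f"filter {fid} forwards to {target}"))
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        # Mail the owner never sees: sent to Trash, or archived and marked read.
        if "TRASH" in added or {"INBOX", "UNREAD"} <= removed:
            findings.append(("medium", f"filter {fid} hides matching mail"))
    return findings


SAMPLE_FORWARDING = {"enabled": True, "emailAddress": "collector@unknown.invalid"}
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_7"]}},
    {"id": "f2", "criteria": {"query": "password OR \"security alert\""},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"from": "bank@example.net"},
     "action": {"forward": "collector@unknown.invalid", "addLabelIds": ["TRASH"]}},
]

if __name__ == "__main__":
    for severity, message in audit_settings(SAMPLE_FORWARDING, SAMPLE_FILTERS):
        print(f"[{severity}] {message}")
```

A filter that both forwards and trashes a message, like f3 in the sample, produces two findings, because either action alone is worth reviewing.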

I would just like to urge each of you to take a few minutes now and set up some of these very basic security protections to prevent more serious issues later on.  It's a horrible feeling when you know somebody has access to all your friends and everything you've ever written or received in email.  Protect it!

Tuesday, October 25, 2011

Beginning Fly Tying

A while back, I stopped by the local fly shop and bought myself some materials so that I could experiment with tying my own flies.  It's something that I've been wanting to do for a long time, but haven't gotten around to it.  My father-in-law had a spare vise and some tools that he is letting me use, so I figured it was time to get down to business.  For my first flies, I decided to do a "Wooly Bugger", since I had heard that they were very simple to tie.  I bought some Black Marabou, and some black feathers.  They weren't the nicest feathers for tying this particular fly, but they were much cheaper, and I figured it wouldn't hurt to learn on some cheaper materials.  I also got some hooks and several different colors of chenille.  One thing that I found interesting is how many variations you could tie of the same fly with very small changes in the materials.  With the few materials I got, I was able to tie several of the variations that they had at the fly shop, and also create a few of my own.  Even though my flies didn't look nearly as neat as some of the ones in the store, I think they looked acceptable, especially for a first time.  It was very satisfying to spend some time creating something.  It was nice to be able to have something to show for a little bit of work.  I'm very excited to take some of these flies out to a reservoir or stream, and at least show the trout what I've been up to, and hopefully they're interested in a bite. 

JS Fiddle

I found a pretty neat site a while ago, and I thought I would write to share it.  It's called JS Fiddle.  http://jsfiddle.net/  Part of my job for the last several years has involved a lot of web programming, and web programming has gradually grown to include more and more JavaScript.  If you have ever programmed in JavaScript, you know it can be a frustrating and time-consuming proposition.  I'm always looking for things that can make me more productive and less frustrated when I have to write JavaScript.
JS Fiddle doesn't necessarily make it easier to code in JavaScript, but it does make it very convenient to test small examples and figure out what you really want to do before you do it on a larger scale.  It has a portion of the screen dedicated to HTML, CSS, JavaScript, and one to output.  You can make all the changes that you want to the source sections, and then render it in the output section.  It's wonderful!  On top of that, it allows you to pick certain JavaScript libraries like jQuery and some others.  You can even choose certain versions of your JavaScript libraries.  This is wonderful for testing and learning.  I strongly encourage you to take a look and give it a try.

Monday, July 26, 2010

LDAP Authentication in Apache2 on Ubuntu

Today I needed to help a co-worker set up a development server that mirrored the setup of our production server as closely as possible.  Our production server is Red Hat based, and the laptops that we use for development are running Ubuntu, for the most part.  On Red Hat, I custom compiled the Apache installation so that we could get things exactly how we wanted them.  On Ubuntu, I wanted to just use the default Apache installation, but needed to get the LDAP authentication working for the .htaccess files.  After much looking through Synaptic, and browsing the internet, I stumbled upon something that pointed me in the direction of using a2enmod.  After issuing the following command:
sudo a2enmod authnz_ldap
and restarting the server, my authentication began to work perfectly.  I was very happy to find this, and I think it's a great method of enabling optional modules for certain tools.

Wednesday, February 03, 2010

Podcasts

Over the past year or so, several people have asked me what I listen to.  When I tell them "podcasts", some of them are a bit confused, so I thought that I would take a few minutes and enumerate some of the specifics of what I actually have on my iPod.  If you need the generic idea of what a podcast is, think of an audio blog, or go to Wikipedia (I'm sure there's a great article).
The first big category of podcasts that I listen to is sports.  I have several, most of them coming from ESPN.

PTI and Around the Horn are just audio versions of the television shows.  If I had to choose one, I would go with PTI.  It seems more entertaining, and they tend to cover more topics.  Football Today and Fantasy Football are fun when my fantasy football team is playing.  The Fantasy Football podcast kind of has the feel of a bunch of buddies sitting around and talking about football.

The next category is tech related podcasts.

Buzz Out Loud and TWIT are similar.  TWIT is much longer, and in my opinion has the better staff.  I am probably partial to TWIT because the members are mostly people who I used to watch on TechTV.  I, Cringely is just a reading of the article of the same name.  Nice and short.  net@night is a kind of look around the web.  It's fun if you're interested in finding a fun new site or service.  FLOSS Weekly is one of my favorites.  They have many prominent open source contributors and advocates to explain their positions, or how their projects are impacting people's lives.


Then I listen to some "general information" podcasts:
Stuff You Should Know takes a single topic and expands on it.  It gives you a lot of interesting details on the topic, along with enjoyable banter.  Stuff You Missed In History Class is another of my favorites.  They take a historical person or event and go over it.  I've enjoyed it because apparently my education was a bit lighter on history than I once thought that it was.  Brain Stuff is one of my least favorite, but it still makes my list.  It seems a bit light, but it's also very short.  Basically, it's a bunch of 3-4 minute explanations of topics.  Unfortunately, it's covered many things that I knew absolutely nothing about, so it has been kind of helpful.  Grammar Girl is a wonderful podcast about the proper usage of the English language.  Although it sounds pretty dry, it's actually a fun, upbeat podcast that has lots of good information.  Mighty Mommy has parenting tips, which I can always use.  I don't agree with everything she says, but it's always nice to have something to think about.  Dealista is a podcast about couponing and saving money, and the get it done guy targets productivity.

Then I listen to a few political / historical podcasts.

This has become probably my very favorite category.  It contains a few podcasts that I eagerly wait to download.  Unfortunately, it also has some of the most infrequently released ones.  Common Sense and Hardcore History are both done by a guy named Dan Carlin.  I enjoy him because he seems to do a fair job of covering both sides of issues, or at least being fairly non-partisan for most things.  Common Sense is his views on politics, and Hardcore History is a collection of incredibly well done treatises on historical topics.  Stuff you missed in history class was covered above, but is included here since it also applies to the category.  My History Can Beat Up Your Politics has recently become another of my favorites.  He goes into historical topics, and tries to compare them in many cases to situations that we are going through in the present day.  Again, he seems fairly non-partisan and is very enjoyable to listen to.

I also listen to a few fishing podcasts, since I get more time to listen than to fish.

Fly Fishing Weekly is a show that feels like a couple of buddies getting together to talk fly fishing.  They have a nice format and it flows well.  Fish Schtick is put together by the owners of Recycled Fish and Moldy Chum, if I remember correctly.  It focuses a little bit more on conservation and how it affects the fisheries.  It has very good production quality.  The Orvis Fly Fishing Podcast is a very thorough explanation of a fly fishing topic.  It's the type of show that would be great to have on your iPod when you were out camping and getting ready to go fishing, and wanted to brush up on some techniques.  Ask About Fly Fishing is an interview type show where they interview famous fishermen.  It's always good, and the interviews are wonderful, but the sound quality leaves a lot to be desired.  Adventures in Fly Fishing and Fly Tying are done by the same people.  The Fly Tying show is a video presentation on how to tie a specific fly.  It's very well done, but also very targeted, and so does not have a very wide appeal.
I have a little "fun".

The Dilbert videos are short little 30 second clips that are funny, but seem to be repeating quite regularly.  Wait Wait is a game show where they bring on famous people to play a "news quiz" type game.  Also, they have several panelists which consist of some very good comedians and guests.

And some food.

I listened to Munchcast for a long time, and then it went off the air.  Shortly after it went off the air, it received some podcasting awards.  Soon after that, it reappeared.  Funny how an award will do that to people.  This is another show on the TWIT network.  It's very well done.  They take a food topic and approach it from all angles.  It's very light and humorous.  They cover lots of things that you don't think about, so you learn a lot from it.

I'm always looking for the next big thing to add to my podcast listening on my iPod, so if somebody thinks that they have something I should add to my list, please let me know.

Wednesday, January 27, 2010

Compiling New GCC on Old RHEL 4

We're trying to run some new software that requires a fairly new version (4.4.2) of the gcc compiler, but we're on RHEL4. Solution? Compiling it myself. Usually, this isn't too much of a problem. Today I ran into a few snags. I thought I would post this quick and dirty solution to the problem in hopes of making it a little easier for somebody else if they ran into the same issue.
First, the new version of gcc requires mpfr and gmp. I had those installed from some previous work, so I pointed to them with the --with-gmp= and --with-mpfr= configure options. Configure seemed to work OK, but then it would bomb during the make with an error:
checking for suffix of object files... configure: error: in `/$HOME/gcc-4.4.2/i686-pc-linux-gnu/libgcc':
I was dumbfounded. After some looking, and several articles that appeared to be talking about something totally different, I decided to experiment with LD_LIBRARY_PATH, my old friend / nemesis. It seems that if I set LD_LIBRARY_PATH to the lib directories where I installed gmp and mpfr, the make works fine. For some reason, it wasn't enough to pass them as arguments to configure. Happily, this solved my problems. Go (con)figure!

Wednesday, January 13, 2010

Installing Firefox 3.5 in Red Hat Enterprise Linux 4

I've been struggling with this problem for quite a while now. Every time I decide it's time to do it, there's just enough pain and other things to make me decide to turn back. Today, it was time to plow through it and get things working. One of the things that made me decide is that I found rpm files for firefox 3.0, and I figured it couldn't be too much different.

To install the firefox 3.0 rpm, I needed the following rpms to be installed:

rpm -Uvh evolution28-glib2-2.12.3-6.el4.i386.rpm
rpm -Uvh evolution28-atk-1.12.2-4.el4.i386.rpm
rpm -Uvh evolution28-cairo-1.2.4-6.el4.i386.rpm
rpm -e seamonkey-nss
rpm -e seamonkey-nspr
rpm -Uvh nspr-4.7.3-1.el4.i386.rpm
rpm -Uvh nss-3.12.2.0-4.el4.centos.i386.rpm
rpm -Uvh evolution28-pango-1.14.9-7.el4.i386.rpm
rpm -Uvh evolution28-gtk2-2.10.4-25.el4.i386.rpm
rpm -Uvh firefox-3.0.7-3.el4.centos.i386.rpm

The first thing I found was that I needed to explicitly set my LD_LIBRARY_PATH.

setenv LD_LIBRARY_PATH /usr/evolution28/lib:$LD_LIBRARY_PATH

Then, it was still giving me errors about some libdbus libraries, but it was just the wrong version. I tried an old trick, making soft links with the new names to the old libraries. For a moment, I thought I had won. However, after running once, if you shut down firefox, it will not start on subsequent invocations.
To get past this, I decided to install my own dbus library. I wanted to install it somewhere inconsequential, so that it would not interfere with any other tools.
I downloaded dbus-1.2.16.tar.gz, then extracted it.

./configure --prefix=/path/to/dbus/
make
make install
setenv LD_LIBRARY_PATH /path/to/dbus/lib:$LD_LIBRARY_PATH


This seems to have tamed the beast which is firefox 3.5 on Red Hat Enterprise 4 (RHEL4).
I will try to keep this post updated if I find other requirements.

Tuesday, December 01, 2009

Listing the files of an installed rpm package

Today I was working with some packages at work that needed some updated python bindings in order to work.  It was getting some old libraries that were apparently first in the path, so I needed to get rid of the old stuff.
rpm --query --filesbypkg subversion
This listed all the files that the subversion rpm had installed.  This ended up being very useful.
Hopefully this helps somebody else when tracking down a file.