Welcome to my unobtrusive blog!
By default I blog in English, but there is also German content.

Canonical failed to distribute Ubuntu 8.10 for AMD64

October 30th, 2008 Posted in english | No Comments »

Today I just wanted to give Ubuntu 8.10 for AMD64 a try, but when I downloaded the ISO image, burned it to CD and tried installing it, I got an I/O error during setup. So I re-downloaded the ISO image, but got the same wrong md5 sum; I then downloaded the ISO again from a different mirror and once more got the same wrong md5 sum :/.

Several other users also complained about it in the IRC channel.

Perhaps they distributed a corrupt ISO image to all mirrors? Or is it just because the servers are under high load? But how would that explain that I always got the same wrong md5?

The wrong md5 sum is: f9cdb7e9ad85263dde17f8fc81a6305b

The correct md5 sum is: 82dc538278c54912f5b4f5da2bb9f17d577081d2

See you,

Andreas.

GPS/GNAT Programming Studio for Ada on Ubuntu Hardy amd64

October 23rd, 2008 Posted in english | 2 Comments »

Today I downloaded GPS, the GNAT Programming Studio 2.1.0 for Ada, from https://libre.adacore.com/gps/ and when I started it I got the following error message:

andreas@mierda-laptop:~$ gps

Execution terminated by unhandled exception
Exception name: STORAGE_ERROR
Message: stack overflow (or erroneous memory access)
Call stack traceback locations:
0x89d8508

I then found out that Hardy itself provides a GPS package called “gnat-gps”, but that doesn’t work either, as it throws an error like this:

raised SYSTEM.ASSERTIONS.ASSERT_FAILURE : glib-graphs.ads:352

I then downloaded the source code of GNAT Programming Studio so I could compile it manually. The file I downloaded was the following: https://libre.adacore.com/gps/gps-2.1.0-academic-src.tgz

You first have to install libgtkada-2.8 and libgtkada2-dev, but what’s worse is that you can’t even install libgtkada-2.8, which you’ll need for GNAT Programming Studio. You’ll get the following error:

The following packages have unmet dependencies:
libgtkada-2.8: Depends: libgnat-4.2 (>= 4.2.4-1ubuntu3) but 4.2.3-2ubuntu2 is to be installed
E: Broken packages

Solution:

  • add “deb http://archive.ubuntu.com/ubuntu/ hardy-proposed restricted main multiverse universe” to /etc/apt/sources.list
  • create a /etc/apt/preferences with the following content:
    • Package: *
      Pin: release a=hardy-updates
      Pin-Priority: 900

      Package: *
      Pin: release a=hardy-proposed
      Pin-Priority: 400

  • sudo apt-get update
  • sudo aptitude install libgtkada-2.8 -t hardy-proposed
  • sudo aptitude install libgtkada2-dev -t hardy-proposed
  • mkdir /home/andreas/packages/gps
  • cd /home/andreas/packages/gps
  • wget https://libre.adacore.com/gps/gps-2.1.0-academic-src.tgz
  • gzip -d gps-2.1.0-academic-src.tgz && tar -xf gps-2.1.0-academic-src.tar && rm gps-2.1.0-academic-src.tar
  • cd gps-2.1.0-academic/
  • delete everything between lines 3940 and 4086 (it checks which platform you are running but fails at that) in the “configure” script
  • set the following variables around line 3942:
    • opsys='gnu-linux'
      machine='intel386'
  • before they are used here:
    • machfile="'\"machine/${machine}.h\"'"
      opsysfile="\\\"system/${opsys}.h\\\""
  • ./configure --prefix=/usr
  • make

And after a short while you’ll get something like this:

/usr/include/gtk-2.0/gdk/gdkcolor.h:30:19: error: cairo.h: No such file or directory

And no, I don’t know how to go on from here :P … sorry … if you know a solution to this, I’m glad to hear/read it.

Kind regards,

Andreas.

// Update November 2nd 2008

On Ubuntu Intrepid (8.10) you can install GNAT Programming Studio with “sudo apt-get install gnat-gps” and it even works :). That doesn’t mean it’s worth installing … I tried it at work on a Windows workstation and I’m not that impressed … really, not worth it imho.

Servage developed a new webhosting Linux distribution

October 23rd, 2008 Posted in english | 1 Comment »

ServageOS is the name of the new Linux distribution for the shared hosting provider Servage, tailored especially for web hosting. The reason for developing such a distribution is probably that Servage has had a long and hard fight against spam, exploits and bad users defacing other users’ websites. Now they seem to care, and I really appreciate their step forward in developing their own secure Linux distribution, but I’m curious whether they can afford the development and testing involved in such a complex task.

They even admit that in the past users on the same cluster could affect other users’ websites negatively, and I appreciate that as well, because they seem to own up to their failures.

The distribution itself of course offers more security and better separation of users’ processes, so they can find potential bottlenecks more efficiently; and of course separating users’ processes means no dumb script kiddie can deface your website just by cd’ing to your webroot and viewing your script files (for more info on that: http://blog.as.tl/2008/10/15/servage-security-issues/). This appears to be the only specific information on what they’ve added as an extra feature to that distribution.

However, if they now really care about security, it’s a good step forward.

Servage security issues

October 15th, 2008 Posted in english | 7 Comments »

Servage is a big internet service provider that offers web hosting for the masses, and for quite some time I used it because I thought the price was OK for what they offer and for what I need. What I noticed throughout the whole time I was a Servage customer was the lack of speed. The web and MySQL servers are always busy, in general under high load or unavailable, but that’s not the point here.

My point here is that Servage has several security issues they are neither willing to listen to nor to fix.

Servage probably faced security problems with their login form in the past, so they implemented a captcha mechanism, which is basically a scrambled graphic with letters the user has to identify and enter into a textbox beside username and password to successfully log in to the Servage control panel.

That is how the theory describes the process, but in practice this shit doesn’t work. In fact, if you enter the captcha correctly your login _will_ fail. If you enter _no_ captcha at all, your login will _succeed_ :).

Another issue arises when you decide to register an international domain name (IDN) with special characters in its name. The good thing is that you can successfully add such a domain name to the Servage control panel, but you can’t use mail or any other service with it, and if you decide to delete this domain name from your portfolio, you can’t :). If you click on “Remove Domain” a window pops up and asks for confirmation, but it won’t delete it from the control panel.

Another big issue imho is the behaviour when you are adding a new virtual host or adding an existing domain name, because Servage by default turns on register_globals for every newly added vhost, which can be a big problem for you as the “webmaster” if you aren’t aware of this and are using PHP.

What’s worse is that the enemy exploiting this issue or wrong setting isn’t someone grepping the web for exploitable websites but a user on the same server who is a customer of Servage itself.

You simply have to produce a script error which gets indexed by Google. So what’s the catch, you might think … the catch is that you can identify parts of the directory structure Servage uses on their servers, and you simply have to search for it via Google. So if you e.g. search for “/mounted-storage/home105a”, which is a directory name you can easily find via a simple PHP script that uses the “system” command (system("ls /") etc. … HINT: you have to turn PHP safe mode off to make this work, Servage allows it), you will find several results listing websites with faulty PHP scripts that output some sort of error, which in most cases also includes the full path to the script that errored.

Now that Servage customer or script kiddie simply has to change to the directory he extracted from the error message before (with an open source PHP shell, e.g.) and read that PHP file … yes … he is allowed to read that file … the default rights allow any user to read your files _if_ they know where they are located. You can’t cd to “/mounted-storage/home105a” e.g., but you can cd to “/mounted-storage/home105a/sub006/sc4711-LCNB”, where the last part seems to be a unique identifier nobody should be able to find out, but as I’ve shown you, it’s simple to.

The script kiddie can now easily inspect your file and look for exploits, which is easy as you have register_globals turned on by default. Even worse, if you set the wrong permissions the script kiddie can create new files or at least edit the existing one.
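As an added illustration (not code from this post or from Servage) of why a vhost default of register_globals=On matters: the classic uninitialised-flag check beside its hardened form, plus the error-display setting that keeps full paths out of the error pages search engines index. The credentials and the `$is_admin` flag are constructed for the example.

```php
<?php
// Added example, not the post's or Servage's code. Two versions of the same
// admin check; credentials and the $is_admin flag are constructed.

// ---- vulnerable.php: trusts a variable that is never initialised -----------
// With register_globals=On, PHP copies every request parameter into a global
// variable before the script runs. A request carrying is_admin=1 therefore
// defines $is_admin = "1" up front and the password check is bypassed.
if (isset($_POST['user'], $_POST['pass'])
    && $_POST['user'] === 'admin' && $_POST['pass'] === 'correct-horse') {
    $is_admin = true;
}
if ($is_admin) {            // undefined (falsy) on a clean request, "1" when injected
    echo "admin panel\n";
}

// ---- hardened.php: every flag initialised, input read only from $_POST ------
ini_set('display_errors', '0');  // no full paths in output that Google could index
ini_set('log_errors', '1');      // keep the detail in the error log instead

$is_admin = false;               // explicit default; an injected global cannot win
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if ($user === 'admin' && $pass === 'correct-horse') {
    $is_admin = true;
}
if ($is_admin) {
    echo "admin panel\n";
} else {
    echo "denied\n";
}
```

register_globals itself is a per-directory setting and cannot be switched off from inside the script; on Apache with mod_php, `php_flag register_globals off` in the site's .htaccess overrides the vhost default the post describes.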

When I searched Google I found a lot of websites already hacked or defaced, and guess where they were hosted … Servage …

In my time as a customer of Servage they moved my complete account twice to a completely different cluster, and now I know why: because of compromised systems.

I asked Servage to set register_globals to off by default, but the guys you talk to at support are slaves with no rights. They apparently aren’t the decision makers, so no luck at all.

In fact I asked for many things, like an update to DBD::mysql, which is still at version 3.x something, or to fix the captcha problem, or to fix the security issues etc.

I have now cancelled my account at Servage because it’s one big security hole. I don’t need that.

Insecure Wordpress Plugins

October 15th, 2008 Posted in english | No Comments »

I’m not a daily blogger, simply because this is just a technical blog mixed with some off-topic things, but today I have to warn you against installing as many plugins as you can find on wordpress.org, because many are insecure by default, and by insecure I mean that they could be a back door for crackers who could deface your blog.

So be careful and always ask yourself if you really need a certain plugin.

Dell Vostro 1000 complete disassembly to fix overheating

September 28th, 2008 Posted in english | 18 Comments »

I own a Dell Vostro with an AMD Turion64 X2 TL60, 2GB DDR2, WD Scorpio etc. … and after 5 months I got the impression that the fan spins up far too often, so I checked the temperature of both CPU cores and found out that, even in 800MHz mode, they got hot very fast.
From 27°C to 58°C in less than 5 minutes. Under Vista the fan never stopped spinning at all.

When I turned the notebook over I saw a lot of dust at the back where the fan draws its air to cool the CPU, so I decided to disassemble the whole thing even though it’s still under warranty … I simply didn’t want to wait for Dell to do whatever they think would fix this problem.

I took pictures while I disassembled the Vostro 1000, and it was quite easy, though I had some problems with the case overall. You have to take special care of the keyboard’s flat ribbon cable, the display connector, the WLAN antennas and the touchpad connector. If you damage one of them you really have a problem :). However, they are easy to disconnect.
Before I opened it up I removed the battery and pressed power once.
If you plan to do it as well, please be aware that it can damage your entire notebook. I guarantee nothing.


new project called “gsmtp” released

September 21st, 2008 Posted in english | No Comments »

Mornin’,
today I accidentally deleted a mail script I wrote back in the day that could send mails out via SMTP; I used it for reporting and stuff like that, but now that I have deleted it I needed a replacement, so I wrote one. It is a Perl SMTP mailer that sends mails via Gmail’s SMTP server using TLS. It supports multiple attachments, doesn’t need any configuration and also supports Google Apps set up for mail.

You’ll find the project page here: http://code.google.com/p/gsmtp/

I’m sure it’s of some use for someone.

Kind regards,

Andreas.

urlom.at, bookmarks.as.tl, Extjs and JSON

September 16th, 2008 Posted in english | No Comments »

Howdy,

today I migrated my old bookmarking script at urlom.at to bookmarks.as.tl so I can drop the name “urlom.at”, because it’s mainly me using this project/script and I’m not going to pay for names I don’t really need. It’s the same as with world-discount-domains, except that I still use “urlom.at” extensively … that’s the reason I “created” bookmarks.as.tl. My future plan is to unite all projects under the name *.as.tl so I only have to pay the costs for as.tl :P.

However! I created a “new” web design for bookmarks.as.tl and I also added a new logo I made with Inkscape. Under the hood I fixed some bugs that I never fixed before, and for a better user experience I “extified” the list of links, which basically means that I’ve added a grid from the Extjs project.

To show your links somewhere else I implemented a JSON export which outputs the latest 20 additions. To be honest, I just implemented it to show off some of my links on the front page of my personal website, but that doesn’t matter. It works for any registered user.

You may have a look at my bookmarks at: http://bookmarks.as.tl/user/avarus

And the JSON export looks like this: http://bookmarks.as.tl/export.php?id=4

If you like it, you can register there for free, of course: http://bookmarks.as.tl

Kind regards,

Andreas

Pound is a real reverse proxy and loadbalancer

September 16th, 2008 Posted in english | No Comments »

Some time ago I wrote about setting up lighttpd as a reverse proxy and ran into several problems, like its mod_proxy module caching every request in RAM and thus eating the server’s RAM whenever a big file is requested, so I was looking for another solution, and I found one.

The software is called Pound; it is developed by a Swiss company called APSIS, and its only purpose is to act as a pure reverse proxy and load balancer for HTTP and HTTPS. Its configuration is very straightforward and done in a minute if you know what you want. The man page is well written and easy to understand.

I love it ;).

Kind regards,

Andreas.