From time to time it annoyed me that the double-click selection in XTerm/UXTerm on the Ubuntu desktop differed from what I was used to before: 1 click is a letter, 2 clicks is a word, 3 clicks is a line. The definition of 'word' seemed to differ a lot from mine; I want to be able to select parts separated by @ and : characters. Inspired by xterm Regex Matching for Cut Selection by Sean Reifschneider I tried with 'regex' but that did not work as I wanted, because extending a selection fails unexpectedly in that mode. Solution: updating the definition of a 'word' by modifying the XTerm*charClass. My current settings:

    XTerm*on4Clicks: line
    XTerm*on3Clicks: regex [^ \n]+
    XTerm*on2Clicks: word
    XTerm*charClass:

That's a tab in the regex: now I can use triple-click to select a url, e-mail address or something likewise all at once, and double-click selects a word in the way I like it. Duplicated for class UXTerm.
Lesson learned today: certain Dell rackmount servers signal loss of power in one power supply by running the cooling fans at maximum speed. The power supply in the most unreachable corner of the rack. And finding the source of the noise is hard when you have a rack full of them ("Somewhere in the area of adonis..").
And here I was looking for the airflow obstruction I created when changing some kvm cables.
With IPv6 I have enough address space to select a 'nicer looking' address on outgoing connections from home server greenblatt. The assigned endpoint, 2001:888:10:11::2 resolves to tunnel17.ipv6.xs4all.nl which is an ok name, but something of my own is better. So, I have set up /etc/network/interfaces to add another address of my own and use this as source in outgoing traffic:

    iface xs4allipv6 inet6 v4tunnel
        endpoint 126.96.36.199
        address 2001:888:10:11::2
        netmask 64
        up ip tunnel change xs4allipv6 ttl 64
        up ip -6 addr add 2001:888:1011::13/128 dev xs4allipv6
        up ip -6 route add unreachable 2001:888:1011::/48
        up ip -6 route add default via 2001:888:10:11::1 src 2001:888:1011::13
        down ip -6 route del unreachable 2001:888:1011::/48

I add the address I prefer, 2001:888:1011::13 with such a netmask that it doesn't clash with the fact that address is part of the range on the wired network at home and I add a default route using that as source. 2001:888:1011::13 resolves to outgate.idefix.net
This works... except when I visit addresses in the xs4all IPv6 IP space (my best guess: in the same /32). This must be an artifact of the IPv6 source address selection policy, but I can't find the way to manipulate this policy. It seems to be related to Linux 2.6.recent.
Update: I learned from Jeroen Schot that the address selection is an implementation of RFC 3484, explained in RFC 3484 on Linux by Ulrich Drepper. The destination address choice is configured in /etc/gai.conf; as far as I can see gai.conf is mostly destination selection, the source is a kernel matter.
Update 2009-11-18 : Solution found: working IPv6 source address selection the way I want it.
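Source address selection rule 8 of RFC 3484 (longest matching prefix), worked through for the two source addresses in this post as an added example that is not part of the original post. The destination 2001:888:0:1::1 is a constructed address inside 2001:888::/32, the other destination is the client address from the access log further down this page, and the code evaluates this one rule in isolation rather than the kernel's full algorithm.

```python
import ipaddress


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv6 addresses have in common
    (CommonPrefixLen in RFC 3484)."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    # bit_length() is the position of the first differing bit counted
    # from the low end; everything above it is shared.
    return 128 - diff.bit_length()


def rule8(candidates, destination):
    """Apply only rule 8: prefer the candidate source address that shares
    the longest prefix with the destination.

    Returns (winner, scores); winner is None when the rule ties and
    therefore expresses no preference.
    """
    scores = {src: common_prefix_len(src, destination) for src in candidates}
    best = max(scores.values())
    winners = [src for src, bits in scores.items() if bits == best]
    return (winners[0] if len(winners) == 1 else None), scores


# Addresses taken from the post.
TUNNEL = "2001:888:10:11::2"       # assigned tunnel endpoint address
PREFERRED = "2001:888:1011::13"    # the 'nicer looking' address

# Constructed destination inside the same /32 as both source addresses.
DEST_SAME_32 = "2001:888:0:1::1"
# Destination outside that /32 (client address from the log on this page).
DEST_OUTSIDE = "2001:da8:7007:100:20f:1fff:fe6d:c250"

if __name__ == "__main__":
    for dest in (DEST_SAME_32, DEST_OUTSIDE):
        winner, scores = rule8([TUNNEL, PREFERRED], dest)
        print(dest, "->", winner or "tie, rule 8 has no preference", scores)
```

For the destination inside the /32 the tunnel address shares 43 bits against 35 for 2001:888:1011::13; for the destination outside it both share 21 bits and this rule is a tie.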
Neat: a webbot via ipv6!
2001:da8:7007:100:20f:1fff:fe6d:c250 - - [29/Mar/2009:12:33:08 +0200] "GET /robots.txt HTTP/1.1" 200 212 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
Doesn't really identify itself as a bot but it requests pages at such a rate that it must be an automated script.
Just seen in the Slashdot RSS feed.. An advertisement which does not look that relevant to slashdot or to the story Graphic Artists Condemn UK Ban On Erotic Comics : Dating for seniors
I'm not going to make the joke about carbon dating.
I noticed a few malformed characters in the RSS feed of my homepage that weren't there in the original database entries and showed ok in the web version. Again, utf-8 problems showing, although all data (postgres - script - xml - browser) should be utf-8. Lots of testing and searching, finally I found The Perl UTF-8 and utf8 Encoding Mess by Jeremy Zawodny. He is right: it is a mess. And the post itself demonstrates it by being filled with � characters.
So to make sure everything in the RSS generating process understands that what comes out of PostgreSQL is valid utf-8 and should be imported in the XML::RSS module as the same valid utf-8, I need to recode it to utf-8. Uh.. ok. The bit of code:

    my $body = Encode::decode('UTF-8', $row);

And now I can use ÜTF-8 çħáräćtërs!
I had trouble reaching the other end of my Hurricane Electric IPv6 tunnel so I mailed the support address telling them about the issue I saw in routing. Within minutes I had a reply that an engineer was looking into the matter and that it would be up and running again within an hour.
Lots of paid Internet services will take longer to acknowledge and fix a problem. Kudos to Hurricane Electric for offering IPv6 connectivity for free with such a high level of support.
The tale of Trying to set up a windows domain controller behind a firewall continues: the server at the receiving side runs Windows server 2008 and has a whole new idea of dynamic port numbers for RPC services. Although it is documented as port numbers for 'outgoing connections' in The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008, we see them used and negotiated for incoming connections. An explanation is in this technet article: Dynamic Client Ports in Windows Server 2008 and Windows Vista (or: How I learned to stop worrying and love the IANA) although I would call the use of the term 'client ports' confusing because processes are listening on those ports. From that server:

    TCP    0.0.0.0:49152    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49153    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49154    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49155    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49157    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49158    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49163    0.0.0.0:0    LISTENING
    TCP    0.0.0.0:49164    0.0.0.0:0    LISTENING

So the Microsoft documentation is broken. No thanks for that.
Update: A somewhat better explanation at How to configure a firewall for domains and trusts where indeed the entire range 49152 - 65535 can be used for RPC and should be configured in the firewall.
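A check of the listeners shown in this post against a firewall allow list, as an added example that is not part of the original post. The allow list is a hypothetical rule set written for the older default dynamic range 1025-5000 plus a few well-known domain controller ports; the netstat lines are the ones quoted above.

```python
import re

# Default dynamic port ranges.
OLD_DYNAMIC = (1025, 5000)     # default before Windows Vista / Server 2008
NEW_DYNAMIC = (49152, 65535)   # range named in the post for Server 2008

# Hypothetical allow list written for the old defaults (assumption).
OLD_RULES = [(53, 53), (88, 88), (135, 135), (389, 389), (445, 445), OLD_DYNAMIC]

# netstat output as quoted in the post.
NETSTAT = """\
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49163 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49164 0.0.0.0:0 LISTENING
"""

# Local address may be IPv4 (0.0.0.0:49152) or bracketed IPv6 ([::]:49152);
# the port is whatever follows the last colon of the local address column.
LISTEN_RE = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b")


def listening_ports(netstat_text):
    """Return the sorted set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            ports.add(int(match.group(1)))
    return sorted(ports)


def blocked_listeners(ports, allowed_ranges):
    """Listening ports that no (low, high) allow range covers."""
    return [p for p in ports
            if not any(low <= p <= high for low, high in allowed_ranges)]


if __name__ == "__main__":
    ports = listening_ports(NETSTAT)
    print("blocked with old rules:", blocked_listeners(ports, OLD_RULES))
    print("blocked after adding 49152-65535:",
          blocked_listeners(ports, OLD_RULES + [NEW_DYNAMIC]))
```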
I like my home server usually boring and stable, but virus prevention should be at the bleeding edge, especially when it handles mail for multiple domains where other people can receive it. So I don't like messages in the clamav logfile:

    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.92.1 Recommended version: 0.95

Using the Ubuntu backports I was able to get a less old version of clamav running. I updated the home server greenblatt documentation with the exact details of just using the clamav backport and no other backports.
'Internet users must be better protected' - nu.nl/Internet with a proposal:

    The European Commission must quickly come up with legislation to better protect Internet users. New legislation must counter the infringement of privacy by companies and governments.

My proposal: go and talk to the people in the European Parliament who deal with data retention, a serious infringement of privacy by governments.
Lots of unreadable news about the Conficker/Downadup worm, including the first 'end of the Internet predicted' articles. For a quite readable explanation, go read Downad/Conficker, who’s the April Fool? by Rik Ferguson from Trend Micro and for a more scientific dissection go read An Analysis of Conficker by Phillip Porras, Hassen Saidi, and Vinod Yegneswaran at SRI International.
Source: Final countdown to Conficker 'activation' begins - The Register.
Apache the webserver can be configured to use multiple authentication servers to find the one that knows a given user. We needed this for our new subversion server and it took me some searching to find the right way to configure it. It is one of those 'easy when you know it' items. We want our new subversion server to allow all our normal (ldap) users access and a set of guest users. There will always be guest users for projects hosted with us. The relevant part of the Apache documentation Authentication, Authorization and Access Control - Apache HTTP server isn't very clear on using multiple authentication sources but Apache Module mod_authn_alias shows that it is possible and a nice way to make readable authentication configurations using multiple sources. The AuthnProviderAlias needs to be in the global configuration so I created /etc/apache2/conf.d/authconfig with:

    # the general authorization config
    <AuthnProviderAlias dbm svnlocal>
        AuthDBMUserFile /etc/apache2/subversion/guestusers
        AuthDBMType DB
    </AuthnProviderAlias>
    <AuthnProviderAlias ldap svnldap>
        AuthLDAPURL ldap://ldap.cs.uu.nl:389/dc=cs,dc=uu,dc=nl?uid
    </AuthnProviderAlias>

And now to use these for SVN access:

    # the subversion access config
    <Location /repos>
        DAV svn
        SVNParentPath /data/svn/repos
        # our access control policy
        AuthzSVNAccessFile /etc/apache2/subversion/svnaccessfile
        # try anonymous access first, resort to real
        # authentication if necessary
        Satisfy Any
        Require valid-user
        # how to authenticate a user
        AuthType Basic
        AuthName "Subversion repository"
        AuthBasicProvider svnlocal svnldap
    </Location>

The Satisfy Any is because we do have repositories with full public access. The choice of first checking local users and then checking ldap users is because the number of local users should be limited and the ldap server should not be overloaded with traffic.
The complete access rules are set up in the AuthzSVNAccessFile which is documented in the SVN book, httpd, the Apache HTTP Server - Server Configuration SVN
Pub is closed by Monty Python grenade - Evening Standard. You can't make this stuff up: a 'suspicious object' turned out to be the original Holy Hand Grenade of Antioch from the Monty Python movie Monty Python and the Holy Grail (1975).
Via Holy Hand Grenade of Antioch Bomb Scare - Schneier on Security.
From the Volkskrant site, a [link expired] video about the Land Rover Defender. Seeing that, I stand by my view that the Land Rover Discovery would be more my choice if I had a lot of money available for it and had to deal with the kind of road and terrain where that sort of car makes sense. For fun, a promotional video for the Land Rover Discovery to go with it:
The Virtual Bookcase is back online too, and mail is flowing again for all the domains. Lots of typing, checking and everything to move the stuff to the home server. But, finished (I think).
Update: and all the web statistics are working again and updated. Finished?
I took the old powersupply from v4.idefix.net outside and opened it there. In that order, because of the smell. Maybe capacitor problems have been involved in the untimely end of this power supply too. Anyway, that one is not going to work anymore!
The good news after all the work to get my homepage reachable again is of course:

    koos@greenblatt:~$ host idefix.net
    idefix.net has address 188.8.131.52
    idefix.net has IPv6 address 2001:888:1011::694
    idefix.net mail is handled by 10 postbox.idefix.net.

My homepage is now reachable over IPv6!
And it is back! Idefix 4 broke in a major way: the power supply let out the magic smoke in a big way: the hosting company called me to let me know the server was smelling funny and did not want to start up at all. Since the end of idefix 4 in a rack was near anyway the decision was made to move the server home. There I used another power supply to get access to my data again. The old powersupply was a 300 Watt powersupply which seems to be way underrated for a dual Xeon system. My best guess is that the instability the system had came from the powersupply anyway. So, time to move more domains home. Content from idefix.net is now here at home and virtualbookcase will be next when I find time. I had started migrating Camp Wireless so I finished that migration fast. Mail is diverted to a different place so I have a bit of time to configure all the mailing lists and other things.
Wardriving results 5 February - 13 March: 2692 new networks with GPS locations. Not much wardriving happening in this time due to holidays and busy times.
Jason Scott writes about the end of the Computer shopper magazine. One thing he notes are the big listings of BBS numbers in the small classified ads. An amazing amount of BBS history and related information is hidden in those ads.
    (714)688-3204 Riverside. Baud:
    3/12/24, online: 24hrs. (disk
    space = 160mb) SysOp: Richard
    Adkins. ATARI ONLY BBS. For
    Supporting Atari-St and Atari
    8 bit computers.

Ah, back when the world was divided into Atari, Amiga, Commodore 64 and other camps. Interesting is that the phone number (714)688-3204 shows up in searches with different bbs names: "The Widowmaker" (December 1991), "R.A.C.E. BBS" (undated), "Starlink Line 1" (September 1991), "Starlink" (August 1992).
Trying to set up a windows domain controller behind a firewall we run into a weird error message:

    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain zandbak.students.cs.uu.nl:

    The query was for the SRV record for _ldap._tcp.dc._msdcs.zandbak.students.cs.uu.nl

    The following domain controllers were identified by the query:
    BROADCAST.zandbak.students.cs.uu.nl

    Common causes of this error include:
    - Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
    - Domain controllers registered in DNS are not connected to the network or are not running.

Query successful and these are the common sources of this error. What?
Anyway, after some searching I dig out wireshark to look at what is happening. And the query SRV? _ldap._tcp.dc._msdcs.zandbak.students.cs.uu.nl. and answer is followed by traffic to port 389/udp. Right. Anyway, the hopefully correct firewall setup is documented by Microsoft: How to configure Windows Server 2003 SP1 firewall for a Domain Controller.
Again, one of the cases where the actual error and the reported error message differ.
I got interested in the Collectors' Net, a network of people interested in old telephone equipment, who at one time got the idea of hooking them together using asterisk and voip links. I don't have any old telephone equipment to make available to the C*net members, but I do have some Asterisk projects for them to enjoy. So, I signed up and programmed my asterisk to route calls to the 0149- area code (A reserved area code in the Netherlands) out via C*Net after some massaging (C*Net uses enum to link the asterisk servers directly).
Some long-planned garden work today: I pruned the apple tree. Having the tree almost lose branches under the weight of the apples last year and having part of the apples hanging way too high made me decide to seriously prune it before spring really starts. Quite some work. I hope the tree will do better this year. And we have a bigger load of firewood now. I hope this summer will have some evenings to deal with the previous load of firewood.
Oh and in Paris I did bring my laptop and the dvb-t stick. Tried a scan, and found 5 bouquets with in total 29 services (18 free-to-air). Some services with 'HD' in the name, which mplayer could not play. I also saw some multilingual services. Free-to-air services seen by w_scan: Canal 21(Multi-7), IDF1(Multi-7), NRJ Paris(Multi-7), CAP 24(Multi-7), M6(MULTI4), W9(MULTI4), NT1(MULTI4), PARIS PREMIERE(MULTI4), ARTE HD(Multi 4), CANAL+(CNH), TPS STAR(CNH), CANAL+ SPORT(CNH), TF1 HD(MR5), France 2 HD(MR5), M6HD(MR5), TF1(SMR6), NRJ12(SMR6), TMC(SMR6).
I updated my homepage so it automatically incorporates my tweets. I notice I use different styles on twitter and here, probably having a lot to do with the 140 character limit at Twitter, but in the end it can be mixed anyway.
I'm in Paris at the Alcatel-Lucent Enterprise Forum. Lots of presentations about the future of IP telephony, how to save money with IP telephony in the current financial climate and lots of future visions involving UC (Unified Communications). Even realistic ones where people want to look at the organization first before deciding whether UC is a good idea to spend money on.
Last year I was at the 2008 edition and an analyst told that TDM (digital intracompany telephony) had no future left. This year it isn't even mentioned anymore. IP telephony is the future and there is a move from proprietary protocols to SIP. One standard, pick the SIP PBX that does best what you want and pick the SIP phones that do what you want. For standard features (calling and being called) any standard SIP phone is good enough.
The conference center has wireless network for the forum guests with limited access: only port 80 and 443 seem to work. Good thing xs4all runs sshd on port 80 on the shell servers so I can still get somewhere and use my screens. My tip now for Internet access for road-warriors: bring a 2 meter UTP cable too. Wifi may be everywhere, but our hotel (Hotel California in Paris, makes me wonder how hard it will be to leave) offers free Internet access when you bring your own utp cable.
I'm typing this while sitting in the Thalys high-speed train between Antwerp and Brussels (so no 300 km/h yet). The first class has free wi-fi Internet access. I had to lower the mtu of the wireless interface to be able to use ssh and screen to access my normal home environment, so path mtu discovery is probably b0rken somewhere. I appear from a Belgian IP, no idea how they do the uplink from the train.
Update 2009-03-06: Found on the Thalys website: WiFi - Internet access for everyone! with an explanation how satellite Internet and UMTS/GPRS are used to tunnel the Internet to the train. The whole tunneling thing is probably what is causing the mtu problem.
I made my own lolcat: Tender was sleeping on the couch near the laptop charger. I first tried to setup a picture but she was annoyed at my attempts to put the cable near her but 5 minutes later she went to sleep again. Recharging: 95% complete.
Back from a week in ... Egypt. A gift from Mirjam's parents. We saw Cairo, the pyramids, El Fayoum and Alexandria. It's an amazing feeling to visit 5000 year old man-made constructions. At the same time Egypt now is a very chaotic country with noise everywhere. For the first time I found Dutch traffic calm compared to what I had seen. Especially in Alexandria you constantly hear car horns.
Lots of security theatre of course, but seeing 3 man military police (Koninklijke Marechaussee) on Schiphol airport with automatic weapons was more shocking than seeing truckloads of police and soldiers with automatic weapons in Egypt. I sort-of expect it in Egypt (although the travel brochures downplay it a bit). The Egyptian 'tourist police' is everywhere and most places where tourists come are guarded. Metal detectors everywhere beeping but most of the time the beeping is ignored by the guards.

I could have done with less adventure: first one of our bags went missing on the flight to Egypt. Nothing really important in the bag but irritating. Then on Sunday evening we went walking in Cairo and found a police cordon in the area we wanted to visit. We had dinner in a restaurant near the cordon but it had moved a few streets back when we left the restaurant so all the international press was gathered and tried to get a statement from the obviously European tourists leaving the area. But we had no idea at that time what happened. Some of the group asked the reporters what happened and got a bit of idea: a bomb attack. Friends back in the Netherlands alerted us to the fact that we were on TV Tuesday morning. I looked quite lost, which was exactly what I felt like at that time. And only when we arrived home and browsed the newspapers we noticed that an airplane had crashed near Schiphol during the week.