News archive February 2010 - Koos van den Hout

antiek aan de rol

Een NS DE3 treinstel passeert heel langzaam de overweg in de Huizingalaan in het spoor vanaf Utrecht Maliebaan naar de kruising bij Blauwkapel. Bij navraag blijkt het de DE3 nummer 114 van het spoorwegmuseum te zijn.

I just noticed something: the archive of webcam.idefix.net in the Uithof in Utrecht now covers a longer period (now 3 years and approximately 3 months) than the archive of webcam.idefix.net at the Beneluxlaan in Utrecht (which stopped just a bit over 2 years). How time flies.

Lots of phishing attempts for webmail accounts flying by, at the moment it seems popular to use webform hosters to ask for account credentials. I seem to miss a part of these. Probably my spamfilters being too good or something. But at work there are some people who know I am interested in new and recurring strains of Internet abuse so I still get interesting stuff forwarded to investigate. The latest catch advertised a dot.tk domain which inlined a webform from a tripod hosted site which was a copy of an emailmeform.com form and used emailmeform.com to process it and redirected to a generic thankyou form by a new zealand printer supplies company. It takes a bit of tracing and trying to solve such a puzzle and notify all parties about their role in the abuse.

By now a lot of people in the world are aware of the case of a US, Pennsylvania school was accused of using webcams in school-issued laptops to spy on students at home without their consent (via Slashdot). A lot of theories and weird stories are going around but I found a good technical explanation: The Spy at Harrington High - Stryde Hax who as a bystander and with his technical background has done a thorough analysis of the techniques used and the stance of the people involved in this matter. Good reading material for those who are actually interested in what was really happening.
The original story seems to be turning into this 'Only in America' story: School spying scandal gets even more bizarre - Slashdot:

The student in question that was disciplined for an "improper act" was apparently accused of either drug use or drug selling. Turns out he was eating Mike & Ike candy, not popping pills.

If you want to detect LANRev Agent on a system, Network Fingerprint for LANRev Agent - Stryde Hax has the answer.

SIP scanning is active again. Sandro Gauci came with a link to And the scanning just keeps on coming I checked the logs on 2 asterisk servers for recent break-in attempts and presto... from different IPs, but the pattern I saw before in trying to find insecure SIP servers:

[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"3776548202"<sip:3776548202@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"100"<sip:100@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"101"<sip:101@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:20] NOTICE[6890] chan_sip.c: Registration from '"102"<sip:102@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found


[Feb 21 10:09:28] NOTICE[6890] chan_sip.c: Registration from '"952"<sip:952@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:28] NOTICE[6890] chan_sip.c: Registration from '"953"<sip:953@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found
[Feb 21 10:09:28] NOTICE[6890] chan_sip.c: Registration from '"954"<sip:954@xxx.yyy.zzz.xxx>' failed for '96.57.107.3' - No matching peer found

No damage and no costs. The other server shows attempts to use the sip guest environment again:

[Feb 13 05:27:08] NOTICE[5710] chan_sip.c: Call from '' to extension '90442075821233' rejected because extension not found.
[Feb 13 05:27:27] NOTICE[5710] chan_sip.c: Call from '' to extension '9442078493108' rejected because extension not found.
[Feb 13 05:27:38] NOTICE[5710] chan_sip.c: Call from '' to extension '0442076311117' rejected because extension not found.
[Feb 13 05:27:40] NOTICE[5710] chan_sip.c: Call from '' to extension '0011447850019298' rejected because extension not found.
[Feb 13 05:27:42] NOTICE[5710] chan_sip.c: Call from '' to extension '00011441628481177' rejected because extension not found.
[Feb 13 05:27:44] NOTICE[5710] chan_sip.c: Call from '' to extension '0001441383417547' rejected because extension not found.
[Feb 13 05:27:56] NOTICE[5710] chan_sip.c: Call from '' to extension '0000447956581268' rejected because extension not found.
[Feb 13 05:27:57] NOTICE[5710] chan_sip.c: Call from '' to extension '00011441628481177' rejected because extension not found.
[Feb 13 05:28:08] NOTICE[5710] chan_sip.c: Call from '' to extension '900442075964032' rejected because extension not found.
[Feb 13 05:28:08] NOTICE[5710] chan_sip.c: Call from '' to extension '9011441252625280' rejected because extension not found.
[Feb 13 05:28:09] NOTICE[5710] chan_sip.c: Call from '' to extension '1442074370973' rejected because extension not found.
[Feb 13 05:28:10] NOTICE[5710] chan_sip.c: Call from '' to extension '9442078493108' rejected because extension not found.
[Feb 13 05:28:10] NOTICE[5710] chan_sip.c: Call from '' to extension '00000447889904142' rejected because extension not found.
[Feb 13 05:28:10] NOTICE[5710] chan_sip.c: Call from '' to extension '0001441383417547' rejected because extension not found.

This time with somewhat random looking phone numbers in the UK which aren't well-known to google.

De backup tapes van BBS Koos z'n Doos waren nog leesbaar, dus ik ben nu wat aan het spelen met wat van die tapes af kwam, en dat komt on-line op http://bbs.idefix.net/.

Todays xkcd is very amusing! As a system administrator I can imagine the need for making sure important infrastructure like the blog of a cat.

Friday, time for the Friday Afternoon URL page which you can also follow on twitter as @fridayaftURL to get fresh Friday Afternoon URLs in your twitter feed!

No license to rdesktop for me: I recently got a really weird error from rdesktop:

koos@leek:~$ rdesktop -M -g 1200x900 -d something terminalserver
Autoselected keyboard map en-us
disconnect: No valid license available.

Some searching found me: License to rdesktop. Indeed, setting a different hostname from my own hostname helps:

koos@leek:~$ rdesktop -M -g 1200x900 -d something -n leeks terminalserver
Autoselected keyboard map en-us
/users/koos/.rdesktop/licence.leeks.new: Permission denied
WARNING: Remote desktop does not support colour depth 24; falling back to 16

The license file error has to do with another workaround. But maybe the running out of licenses for 'leek' is because I never give licenses back. Why is all this software very busy with making sure money is made for its maker and not busy with helping the user.

The EFF has written an article Music Journalism is the New Piracy. The music industry seems to have the intention of thoroughly destroying itself, and that destruction will be celebrated by music fans worldwide. Found via Is There Any Way To Be A Music Blogger Without Risking Takedown? at Techdirt.
Or as Boingboing put it: Music industry to musicbloggers: there's no point in obeying the law.

Some actors are annoyed by being typecast in the same roles constantly, but some cities can be typecasted too: I watched WarGames (1983) yesterday and noted in a number of shots of Seattle it was raining. Now I'm watching Firewall (2006) and I think I haven't seen an outdoor scene yet without rain.
I visited Seattle myself and it's not that bad.

Na een lezing van Arnoud Engelfriet op de recente surfnet cert (computer emergency response teams) / ibo (informatie beveiligers in het onderwijs) conferentie ben ik eens door Internetrecht aan het bladeren en hij merkt iets op waar ik me ook vreselijk aan erger: Houd eens op met dat “Bron: Youtube” of “Bron: Flickr.com”!. Het heeft dus ten eerste het aspect dat beide sites het platform zijn en dat de originele auteur prima te vinden is (mijn ergernis) maar ook dat de licentie het niet altijd zomaar toestaat (afhankelijk van de eventuele nieuwswaarde van filmpje / foto).
En prompt zie ik een voorbeeld hoe het wel moet: hln.be geeft bij de eerste foto's van het treinongeluk in België keurig aan: twitpic.com user xxxx. Alleen heb ik het toen niet bewaard en zijn de foto's nu blijkbaar wel vervangen door persfoto's.

Even with my head clouded by a serious cold I had to create my lolcaption when I saw this picture and caption at ROFLRazzi Goes Romantic…ish. My take on it: Dingdong! .. Nobody home!

Sometimes even I use that other 'operating system' which in this particular case had no acrobat pdf reader. So I went to find it.. and it is a 45 meg (!!!) download which installs its own download-manager in Firefox. This download manager advertises for more downloads from Adobe and related companies. All this while Firefox has a perfect download manager of its own and it is all the equivalent of wget $url. To put it mildly: whisky tango foxtrot.

The first friday with the friday afternoon url page using Twitter @fridayaftURL to deal out the weekly dose of Friday afternoon fun.
Technically it all worked. But with myself and only a german url shortening service following it there isn't much of an audience yet! Time to do something about that.

I did some serious web services programming (in perl) and updated the scripts powering the Friday Afternoon URL page to post new urls via Twitter on Friday. You can follow @fridayaftURL to get a weekly dose of Friday afternoon stuff from all over the web. The urls are now stored in a (postgresql) database and on Friday a script runs which searches for new urls and posts them to Twitter using the Twitter api. When urls need to be shortened it uses the ln -s_ web service to shorten them.

I found the probable cause of the not so great power saving: when I installed the first new disk I also updated the bios. And the message I get when trying to load the powernow-k8 cpu driver is:

powernow-k8: Found 1 AMD Athlon(tm) Dual Core Processor 4850e processors (2 cpu cores) (version 2.20.00)
powernow-k8: MP systems not supported by PSB BIOS structure
powernow-k8: MP systems not supported by PSB BIOS structure

So the cpu keeps running at maximum speed without throttling. Searching for the error message finds Ubuntu Bug #33116: powernow-k8 refuses to load and Ubuntu Bug #398109: powernow-k8: Your BIOS does not provide ACPI _PSS objects in a way that Linux understands suggests that I need to check the bios settings to enable "Cool'n'Quiet", enable ACPI APIC and disable MCP61 ACPI HPET Table. That's planned for the next hardware changes.

Ok, I'm usually not the flash and embedding type, but after a bit of trying this one is nice:

My first association when I heard that jingle...

I noticed that the new Western Digital WD15EADS disk spun down way too fast. After some serious testing I found: when I set the "Advanced Power Management" level (using hdparm -B) to 127 or less the "standby (spindown) timeout" (set using hdparm -S) is ignored and the drive spins down after about 5 8 seconds of inactivity. Way too soon when playing a movie, with mplayer the movie stalls about every 10 seconds because a new bit of movie has to be read from disk which causes another start/stop. The smartctl start/stop counter goes up at the same rate. Feels like a firmware bug to me or a difference of opinion between hdparm and the disk. But the hdparm report suggests that these settings should work on the disk:

ATA device, with non-removable media
        Model Number:       WDC WD15EADS-00S2B0                     
        Firmware Revision:  04.05G04

        Standby timer values: spec'd by Standard, with device specific minimum
        Advanced power management level: 126

           *    Power Management feature set

I asked Western Digital customer help about this but the first (standard?) answer is from Support for WD products in LINUX or UNIX which comes down to "we don't support anything else than jumper settings for these operating systems".

A lot of further searching with google suggests to me that the 'IntelliPark' feature is causing the drive to park its heads after 8 seconds of inactivity which is not a useful default when streaming video from it with a reasonable cache. And the 'Load Cycle Count' will go up fast, which may result in the drive reaching the 'suggested maximum' within a year. I don't need to test the warranty that fast.

As a workaround I set the Advanced Power Management level back to 128 and installed spindown which is a utility which watches the disk activity from userspace and issues a spindown command when no activity (from /proc/diskstats, so for linux at the device level) was measured over the configured period of time. Now it spins down when the filesystems have been idle for 10 minutes which is a lot more usable.
Update: Official answer from Western Digital customer help is that it's not possible to change this 8 second timeout. So I'll stick to the spindown solution.

Update 2: Robert Waldner also noted this problem and described how to change the idle timeout / "IntelliPark" time on Western Digital Caviar Green disks.

The resulting power save from adding a new sata disk, moving the data and removing the old pata disks is not spectacular (yet): the 5 pata disks (all with activated automatic spindown) had the UPS at a 40% load, the current 2 sata and 2 pata disks (also with automatic spindown) have the UPS at a 42% load. It'll be interesting to see what happens when the 2 pata disks can be removed. The main original idea was to save a bit of power and make the system less complicated, let's see if that first part works out in the end.
Update: Found the cause of the not so great power saving: probably the recent bios update.

Filesystems have been moved to the new huge sata disk in home server greenblatt and I found time this evening to remove three old ones. There may be a race condition in the startup scripts where lvm2 is not completely up and running when the filesystems are mounted from the fstab but I saw that happen only once.

My very own security incident involving China (in a way):

[Jan 28 09:55:45] NOTICE[7593] chan_sip.c: Call from '' to extension '00442078420960' rejected because extension not found.

An attempt (within the public sip context) to call a number in England. The Chinese embassy in London. All attempts failed since the asterisk which logged that has no idea how to call the big phone network. Information from a lecture on SIP security suggests that this kind of attempts is a sort of ddos attack on a phone number.

I looked at the project sundial power calculations again and did some more calculations: even when I take the parts with the lowest energy usage and get the average usage down to 5.4 Watt, the investment in solar panels to get even through December and January in the Netherlands would mean it would take somewhat over a 100 years to 'earn back' the investment in the solar panels. So maybe it is a better idea to power the weatherstation from the grid and make sure the earth connection is really good to avoid damage to the power grid at home should lightning strike it. Still using wifi for data transfer would be a wise idea.
Update: About the same goes for wind power: because we live in the city and can't put up a 10 meter high pole for a wind generator the generator would become quite expensive.

Maybe IPv6 traffic will get another boost now: for participants in the Google over IPv6 program the records for youtube now have been added:

$ host www.youtube.com
www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com has address 74.125.77.100
youtube-ui.l.google.com has address 74.125.77.101
youtube-ui.l.google.com has address 74.125.77.102
youtube-ui.l.google.com has IPv6 address 2a00:1450:8001::8b
youtube-ui.l.google.com has IPv6 address 2a00:1450:8001::8a
youtube-ui.l.google.com has IPv6 address 2a00:1450:8001::65
youtube-ui.l.google.com has IPv6 address 2a00:1450:8001::71
youtube-ui.l.google.com has IPv6 address 2a00:1450:8001::64
youtube-ui.l.google.com has IPv6 address 2a00:1450:8001::66

Video is streamed from cache servers like:

$ host v1.lscache1.c.youtube.com
v1.lscache1.c.youtube.com is an alias for v1.lscache1.l.google.com.
v1.lscache1.l.google.com has address 82.94.228.144
v1.lscache1.l.google.com has IPv6 address 2a00:1450:4001::10

All reachable via IPv6. I'm almost tempted to try to try to play a youtube video via a v6-only connection and see what breaks.

In following some links about 1-wire projects I found a German Supplier of 1-wire components which can be interesting: Fuchs Elektronik sells 1-wire components at a reasonable price such as the DS18B20 1-wire high resolution thermometer. Too bad they don't sell other interesting sensors like the barometer which could help in combining an order.

Wardriving results 14 December 2009 - 1 February 2010: 4450 new networks with GPS locations according to WiGLE. In the WiGLE stats I went to 13th place and passed the 180000 networks mark.

WiGLE also did a very nice upgrade: the new WiGLE wardriving maps are based on google maps.

We volunteered ntp.cs.uu.nl for extra capacity for the Turkish ntp pool, and the results are quite visible in the ntp.cs.uu.nl statistics. Suddenly peaks are near 5000 packets per second. But ntpd (and the freebsd kernel) deal with it without problems.

And I'm back from a snowboarding holiday in Fiss in Austria. A great wintersport area, connecting Fiss, Ladis and Serfaus. We had great weather, first sun and later snow, resulting in fresh powder for the last few days. Snowboarding in fresh powder is really great. I got some much needed rest too.