Run #9 around Centennial Park. Two rounds again, this time during noon with some nice sun and a whopping 30°C :-)

Centennial Midday Run 2x

Run #8 around Centennial Park. Two rounds again, and with some rain :-(

Centennial Morning Run 2x

Run #7 around Centennial Park. Only one round, but the fastest one so far.

Centennial Morning Run

Run #6 around Centennial Park. Two rounds this time, with a slower pace though.

Centennial Morning Run 2x

Run #5 around Centennial Park. Didn't have the patience to wait for the GPS to lock onto the signal, thus the late start.

Centennial Morning Run

Run #4 around Centennial Park, this time a bit later and thus with more sun:

Centennial Morning Run

Another run around Centennial Park, this time counterclockwise:

Centennial Morning Run

Next run around the beautiful Centennial Park:

Centennial Morning Run

The nice thing of being in Sydney during December is that you can go running during christmas time and it is 22°C :-)

Centennial Morning Run

Regex Crossword (via)

The UNIX System: Making Computers More Productive, 1982, Bell Laboratories

SixSpotting, a funny little game where you collect points by logging in from as many IPv6 enabled providers as possible.

Lately the requests trying to exploit the Shellshock vulnerability are getting annoying. Of course my hosts are patched — even before the first such request arrived — and they are using Dash as /bin/sh anyway.
But this does not stop attackers from sending those requests. Some even seem to have programmed a loop which sends request after request even though their exploit is not working.

Since most of the requests are for valid URLs, the webserver just replies with a 200 status code and serves the content. As this gives no indication to the attacker whether his exploit worked or not, he has no reason to remove the host from his target-list and thus continues to send requests.

To break this pattern and signal that the host is not vulnerable to Shellshock, I came up with the nginx config snippet below. It recognizes Shellshock patterns in a request and replies with a '403 Forbidden' status code, thus indicating to an attacker that his request was blocked.

if ( $http_referer ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $http_user_agent ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $http_cookie ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $http_host ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $args ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $content_type ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $remote_user ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $request ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}
if ( $request_body ~ ^\s*\(\s*\)\s*\{ ) { 
        return 403 "Blocked by Shellshock protection (https://blog.x-way.org/Show-Shellshock-the-door).";
}

Before sending a CSR off to your CA, it is worth checking that all parameters are correct.
Especially you should make sure that the requested signature algorithm is SHA256 and not the deprecated SHA1.

This can be done with the following OpenSSL command:

openssl req -noout -text -in <your_CSR_file>

Spot-on representation of every IKEA store's layout:

SEASONS of NORWAY - A Time-Lapse Adventure from Rustad Media on Vimeo. (via)

The Cisco SMB SLM2008 Smart Switch does normally not support SNMP and there is also no setting in the configuration interface which would enable SNMP.

But nevertheless the firmware does actually contain a SNMP daemon. Thus it is not surprising that a smart guy on to the Cisco support forum found out how to manipulate the proprietary config file such that it enables the SNMP daemon:

1. Configure your switch with everything you need
2. Download enable_snmp.pl
3. Run # perl enable_snmp.pl <IP of your switch>
4. Enjoy the SNMP export from the SLM2008 :-)

As this is a non-official hack, there are some limitations:

• The embedded SNMP daemon only supports read accces and no SNMP Traps.
• Changing a setting on the 'System' configuration tab disables the SNMP daemon again (thus the script will need to be run again).

The Cyborgs is a two man 'elektrock' boogie band.
Thank you Sat Rocks for showing me their music :-)

Today I did some cleanup of my legacy infrastructure. The repositories formerly located at cvs.x-way.org and svn.x-way.org have been converted to Git and are now available at git.x-way.org.

Also is git.x-way.org now no longer served by the old gitweb.cgi but by the fantastic GitBucket (a lightweight, self-contained GitHub clone written in Scala).

Since last week Netflix is also available in Switzerland. The future has arrived one could say.
Not only gives this easy access to TV shows and movies but also is this access provided via IPv6.

As you can see on the graph below, this brings IPv6 out of slumber and into primetime :-)
Swiss providers are probably seeing quite an increase in IPv6 traffic this month.

Octave Minds (via)

The about page now features some fancy blog statistics, check it out :-)

The statistics are created with the help of Cal-Heatmap which allows to easily create calendar heatmaps similar to the activity heatmap of GitHub.

Update: couldn't stop playing around and thus added another chart, this time with the help of C3.js (a D3.js based reusable chart library).

SPA901 and SPA3102 phones can be rebooted by calling the following URL (which triggers an automatic config resync after the reboot):

http://<PHONEIP>/admin/reboot

The current configuration of an SPA901 phone can be downloaded like this:

http://<PHONEIP>/admin/spacfg.xml

For SPA3102 devices the URL is different:

http://<PHONEIP>/admin/config.xml

Yesterday I switched our DSL Link to green.ch. Now we not only have a higher bandwidth (thanks to VDSL) but also native IPv6 connectivity!
Especially nice is that it all works out of the box. After plugging in the pre-configured FritzBox, it automatically gets an IPv6 prefix via Prefix Delegation and announces it to the clients in the LAN.

08:05 [ aj @ actuarius : ~ ] % mtr -rc5 www.open.ch
Start: Fri Jul 25 08:06:42 2014
HOST: actuarius.fritz.box         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- fritz.box                  0.0%     5    0.8   0.8   0.7   0.8   0.0
  2.|-- 2a01:2a8::121              0.0%     5    8.6   8.7   8.5   9.2   0.0
  3.|-- 2a01:2a8:0:5a::1           0.0%     5    8.4   8.2   8.0   8.4   0.0
  4.|-- 2a01:2a8:1:7::4            0.0%     5    8.1   8.6   8.1   9.6   0.0
  5.|-- 2a00:db0:9:a06::5          0.0%     5    8.8   8.6   8.3   8.8   0.0
  6.|-- www.open.ch                0.0%     5    8.9   8.7   8.6   8.9   0.0

12 years ago I started this weblog with a link to www.2advanced.com.
It's now 555 posts later and I think what is most unexpected (besides that this weblog is still existing 12 years later), is that this first link from my first post is still valid (and still pointing to some Flash-only website...).

So far this weblog has survived 2 different domains, 3 different servers, multiple versions of a self-made blogging-engine, about 6 different layout designs, a database-crash, recovery via archive.org and a migration to Jekyll.

No guarantee that it will last another 12 years, but for the meantime: Cheers, and enjoy the ride!

Wandtelefon Modell 50 from January 1970 now talks SIP (and it only took two converters, a bit of cable-fiddling and some luck :-)

There is currently a bug in Mac OS X 10.9 which causes that ssh-add is no longer able to read SSH key files in PKCS#8 format.

Fortunately ssh-add still reads PKCS#8 keys when provided through STDIN and openssl is able to decrypt PKCS#8 keys.

Thus the following workaround so that PKCS#8 SSH keys can be loaded again:

openssl pkcs8 -in ~/.ssh/id_rsa | ssh-add -

Great presentation by Paul Saab about the IPv6 introduction at Facebook: The Road To IPv6

(via)

1. Properly shutdown the guest:

   guest# poweroff

2. Create an LVM volume of the same size on the new machine:

   newmachine# lvcreate -L 120G -n myguest myvolgroup

3. Copy the disk from the old machine over to the new one:

   oldmachine# dd if=/dev/vg_foo/lv_bar | ssh newmachine dd of=/dev/volgroup/myguest

4. Wait for the transfer to complete (on a 100Mbit/s connection it took about 3.5 hours to transfer the 120GB).
5. Copy /etc/libvirt/qemu/myguest.xml from the old machine over to the new machine and adapt the LVM path for the disk.
6. Reload the libvirt configuration:

   newmachine# /etc/init.d/libvirt-bin reload

7. Start up the guest on the new machine:

   newmachine# virsh start myguest

1. Boot from a helper system and get a root shell (I used the rescue mode of the Debian installer)
2. Check the filesystem of the partition to resize:

   e2fsck -f /dev/vg_foo/lv_bar

3. Resize the filesystem (make it a bit smaller than the target size, to have a safety margin when resizing the logical volume):

   resize2fs /dev/vg_foo/lv_bar 180G

4. Reduce size of the logical volume:

   lvreduce -L 190G /dev/vg_foo/lv_bar

5. Grow the filesystem to the new size of the logical volume:

   resize2fs /dev/vg_foo/lv_bar

6. For good measure run another filesystem check:

   e2fsck -f /dev/vg_foo/lv_bar

When renewing certificates it is a good idea to verify that the newly installed SSL certificate matches the newly installed private key (eg. to make sure no mixup between the new and old files occurred).
This can be done by comparing the modulus of the two files:

openssl x509 -in <certificatefile> -noout -modulus|sha1sum
openssl rsa -in <privatekeyfile> -noout -modulus|sha1sum

Loading the configuration from http://config.server/configfile.xml (provisioning has to be enabled on the phone):

http://<PHONEIP>/admin/resync?http://config.server/configfile.xml

Upgrading the firmware with the image from http://upgrade.server/firmware.bin:

http://<PHONEIP>/upgrade?http://upgrade.server/firmware.bin

Create the PKA DNS record:

# localpart=andreas domain=jaggi.info url=http://andreas-jaggi.ch/1C6AC951.asc
# LANG=C gpg --fingerprint ${localpart}@${domain}|awk -v local=$localpart -v domain=$domain -v url=$url \
'/fingerprint/{printf("%s._pka.%s. TXT \"v=pka1;fpr=%s;uri=%s\"\n",local,domain,$4$5$6$7$8$9$10$11$12$13,url)}'
andreas._pka.jaggi.info. TXT "v=pka1;fpr=1073501542F38352FC85788207A32EAB1C6AC951;uri=http://andreas-jaggi.ch/1C6AC951.asc"

Test DNS resolution:

# dig +short -t txt andreas._pka.jaggi.info.
"v=pka1\;fpr=1388580990F38352FC85788207A32EAB1C6AC951\;uri=http://andreas-jaggi.ch/1C6AC951.asc"

Test with GPG:

# gpg --auto-key-locate pka -ea -r ${localpart}@${domain}

Detailed explanation of the different DNS publication mechanisms for PGP Keys:
Publishing PGP Keys in DNS

(via)