//jerrywalsh.org

coding, hacking, startups, computer security, technology and more

Your Phone Company Is Watching You

Malte Spitz, a member of Germany’s Green Party, sued his mobile phone provider to reveal what records it kept about him. The records included location data derived from rough triangulation against the nearest cell-phone towers. Spitz then passed this information to Zeit Online, who combined it with his personal blog and Twitter entries to produce an incredible animated map that reveals a surprisingly detailed account of his movements over a six-month period.

To reiterate, this was all done without GPS and without Spitz asking for his movements to be tracked — it was generated automatically, simply by his mobile phone communicating with cell towers. It very much goes to show the importance of regulations that limit retention periods for this kind of data, given how detailed a reconstruction of an individual’s life can be made from it.

TextBuddy Is No More! It Was Fun While It Lasted Y'all

TextBuddy was created to make it easy for people to actually use the webtext allowances their providers gave them. In the last few weeks some providers (namely O2 and Vodafone) have begun changing their webtext pages to make it more difficult (though not impossible) for applications such as TextBuddy to operate. Unfortunately it’s just not worth trying to integrate with providers who don’t want you integrating with them.

If this move leaves you high and dry then perhaps something like Cabbage Texter will work instead?

Thanks for using TextBuddy!

HOWTO Secure Your Linux Box With IPTABLES

Okay, so this post will be brief but to the point. Today I needed to lock down a machine I administer so that the only inbound connections allowed were SSH connections from trusted hosts. I'm using Debian, so this should also work for other Debian-based distros such as Ubuntu, Linux Mint etc.

Assuming you're running a current version of Debian or a derivative, iptables will already be present on your system. The first thing to note is that iptables does not keep its ruleset across a reboot, so before anything else I made sure the ruleset is restored when the machine is rebooted. As root I edited /etc/rc.local and, before the exit line, added /etc/iptables-init. Because this was a fresh install my rc.local ended up looking like this:

/etc/rc.local from Debian 6
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Setup iptables
/etc/iptables-init
exit 0

Next, I created the script that rc.local now executes:

/etc/iptables-init
#!/bin/sh
# ----------------------------------------------------------------------
# simple but secure iptables initialization script
# DateCreated: Thu 12 Jan 2012 00:37:04 GMT
# Author: Jerry Walsh
# ----------------------------------------------------------------------

# Put your trusted hosts/ranges here:
TRUSTED_HOSTS="1.2.3.4 8.8.8.8/24 \
  4.3.2.1 1.2.2.2 3.3.3.4 "

# flush rules
iptables -F

# Log dropped connections
#iptables -N LOGDROP

# allow localhost connections to the loopback interface 
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# allow connections which are already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all outbound connections
iptables -A OUTPUT -j ACCEPT

# allow tcp to port 22 (ssh daemon) from trusted hosts
for GOODIE in $TRUSTED_HOSTS; do
  iptables -A INPUT -p tcp -m state --state NEW -s $GOODIE --dport 22 -j ACCEPT
done
# or you could just allow ssh access from all hosts
# NOTE: if you're going to allow ssh access from all hosts then
# it's always a good idea to put sshd on a non-standard port
# - this keeps the majority of script kid trawlers out
#iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#other optional extras:
# allow inbound http access
#iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
# allow inbound https access
#iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

# drop all other inbound traffic (including ICMP, UDP etc.)
iptables -A INPUT -j DROP
# you could also just block tcp connections..
#iptables -A INPUT -p tcp -j DROP

Finally, I marked the script executable and ran it to load the new rules into iptables:

finally, we mark the script executable and run it!
chmod 0700 /etc/iptables-init
/etc/iptables-init   # in an interactive bash session, !$ expands to this same path

And that's it! Remember - it's always good to test your configuration from a remote host, or better still from both a 'bad' (non-whitelisted) remote host and a 'good' (whitelisted) one.

REMEMBER: The above script is just an example! You should modify it to meet YOUR needs (as it stands it met mine), but it still serves as a useful starting point. Note also that with this setup inbound ICMP is dropped, so the machine will not answer pings - this may not be desirable, but in my case it was!
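As an added example, not part of the original post, here is a small POSIX shell audit that checks an `iptables-save` dump against the policy the script above implements (loopback accepted, INPUT default-deny, new SSH connections only from explicitly listed sources). The dump it inspects is constructed sample data in iptables-save format; on a real host you would feed it the output of `iptables-save`.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the policy of the script
# above. The dump is constructed sample data, not taken from a real host.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 8.8.8.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
COMMIT'
# Same dump with the post's commented-out "ssh from all hosts" rule enabled.
WORLD_SSH_RULES=$(printf '%s\n' "$SAMPLE_RULES" |
  sed 's#^-A INPUT -s 8.8.8.0/24 \(.*\)$#-A INPUT \1#')

# Print the INPUT chain rules of a dump, in evaluation order.
input_rules() { printf '%s\n' "$1" | grep -e '^-A INPUT '; }

# 0 when INPUT is default-deny: a final unconditional DROP rule or a DROP policy.
input_default_deny() {
  [ "$(input_rules "$1" | tail -n 1)" = "-A INPUT -j DROP" ] && return 0
  printf '%s\n' "$1" | grep -q -e '^:INPUT DROP'
}

# Print the -s sources allowed to open new connections to tcp/22.
ssh_sources() {
  input_rules "$1" | grep -e '--dport 22 ' | grep -e '-j ACCEPT' |
    sed -n 's/.* -s \([^ ]*\).*/\1/p'
}

# 0 when some rule accepts tcp/22 with no -s restriction at all.
ssh_open_to_world() {
  input_rules "$1" | grep -e '--dport 22 ' | grep -e '-j ACCEPT' | grep -qv -e ' -s '
}

# Overall check: loopback accepted, default deny, SSH limited to listed hosts.
audit() {
  input_rules "$1" | grep -q -e '^-A INPUT -i lo -j ACCEPT$' ||
    { echo "FAIL: loopback traffic not accepted"; return 1; }
  input_default_deny "$1" || { echo "FAIL: INPUT chain is not default-deny"; return 1; }
  if ssh_open_to_world "$1"; then echo "FAIL: tcp/22 open to any source"; return 1; fi
  echo "OK: ssh only from $(ssh_sources "$1" | xargs)"
}

audit "$SAMPLE_RULES"              # OK: ssh only from 1.2.3.4/32 8.8.8.0/24
audit "$WORLD_SSH_RULES" || true   # FAIL: tcp/22 open to any source
```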

John Cleese on Creativity

There's no doubt that John Cleese is a genius when it comes to comedy, but his genius-ness (is that even a word?) doesn't stop there. What follows is one of my favourite videos of him. The highlight is this enlightening little piece of wisdom:

To know how good you are at something requires the same skills as it does to be good at those things. Which means if you're absolutely hopeless at something, you lack exactly the skills that you need to know that you're absolutely hopeless at it. And this is a profound discovery - that most people who have absolutely no idea what they're doing, have absolutely no idea that they have no idea what they're doing.

It explains a great deal of life.

...

It also explains why so many people in charge of so many organisations have no idea what they're doing, they have a terrible blind spot.

Watch the video here:

Finally, I Got My Site in Order!

I know, I know.. it's been long overdue and I've been putting it off for far too long. A recent trip to Zell am See, in Austria, gave me enough downtime to focus on revamping the site, which is now complete. I think everything should be working OK, but if you encounter problems then please let me know. I hope the new look will get me blogging more often and with higher quality!

I plan to post again soon, this time with something more substantial. Until then I'll leave you with my "tune of the trip", "Black Ash Veil" by Apparat:

Google Chrome Takes the Lead

Well, it's been quite some time since my last post. I've been busy and it seems Google has been busy too.

I recently upgraded to the latest version of Chromium (aka Google Chrome) and noticed that the folks at Google have decided to drop the http:// prefix from the "omnibox":

CNet reported this back when the feature first appeared in the developer betas, but I must say I'm surprised at the results I found in the following article:

Really?  You'd prefer to see the http:// stay?

In my opinion, dropping it is one of the best damn things they have ever done because in this day and age, it's no longer necessary. It just doesn't matter anymore because the web is all about http:// now. It's implicit and the UI should mirror this - people don't need to know about it. I recall what my good friend anto once said...

This is just one of the things that makes Chrome stand out from all the others. Jeff Atwood recently wrote that

Chrome was a completely respectable browser in V1 and V2. The entire project has moved forward so fast that it now is, at least in my humble opinion, the best browser on the planet. Google went from nothing, no web browser at all, to best-of-breed in under two years.

HOWTO: Compile PDFlib for PHP on Linux

Here's a small script you can use to compile PDFlib support for PHP on Linux. It should work on any Debian-based Linux distribution.

#!/bin/sh
# Download the PDFLib Lite Linux source from here first:
# http://www.pdflib.com/download/pdflib-family/pdflib-lite-7/
# put the download in the same location as this script
# NOTE: you will be prompted by the pecl installation at the end
# of the process for a path - you'll need to enter /usr/local/ here
#
# Author: jbw
# DateCreated: Mon, 22 Mar 2010

# We need root privileges ..
if [ "$USER" != "root" ]; then
  chmod +x "$0"
  gksudo "$0"
  exit
fi

dpkg -l | grep -q build-essential || \
  apt-get install build-essential

tar zxvf PDFlib-Lite-7*.tar.gz && \
  cd PDFlib-Lite-7*/ && \
  ./configure && \
  make && \
  make install

dpkg -l | grep -q php-pear || \
  apt-get install php-pear

dpkg -l | grep -q php5-dev || \
  apt-get install php5-dev

pecl install pdflib

If you don't plan on using dl() to load this module dynamically, you may need to modify your PHP configuration so that it autoloads the pdf.so extension.

Delaying/Ignoring Touchpad Taps While You're Typing on Linux

Okay, so it may mean my typing posture is out of line, but even so, it can be incredibly annoying when your thumb happens to hit the touchpad on your laptop while you're typing.

I'm using a Lenovo Thinkpad T400, which has a Synaptics-based touchpad. This fix only works if you're using a Synaptics-based touchpad! If you're not, it probably won't work for you.

First off, we need to edit xorg.conf at /etc/X11/xorg.conf. I appended the following to my file since I had no mouse-based InputDevice section:

Section "InputDevice"
Identifier  "Touchpad"
Driver "synaptics"
Option "Device" "/dev/psaux"
Option "Protocol" "auto-dev"
Option "SHMConfig" "on"
EndSection

If you already have an InputDevice section, you'll need to ensure it features the same Option and Driver lines as above.

Once you've made these changes you'll need to restart the X server. You can do this using

/etc/init.d/gdm restart

or alternatively kill the X server with Ctrl+Alt+Backspace and let gdm bring it back up. BEFORE we restart the X server, though, let's set up a tapping delay. I created an xinitrc file at ~/.xinitrc and put the following in it:

pgrep syndaemon > /dev/null && killall syndaemon
syndaemon -i 0.5 -d

You can experiment with different delays once you've restarted your X server by executing the two lines above from your .xinitrc (or simply re-execute ~/.xinitrc). Half a second turned out to be the perfect delay for me, but it's entirely down to your own preferences.

Have fun!