Dossy's Blog » Open Source

Getting ActiveState’s “teacup” working on MacOS X

Dossy Shiobara — Wed, 21 Oct 2009 19:31:16 +0000

ActiveState has created a Tcl Extension Archive tool called teacup which simplifies the installation of binary extensions to Tcl. It’s included with ActiveTcl, but if you’re using Tcl from MacPorts and want to use teacup, it’s fairly easy:

1. Download teacup for MacOS X

The teacup binary can be downloaded from this location:

http://teapot.activestate.com/entity/name/teacup/index

Here is a direct link to the latest teacup binary. The file is named file.exe — simply rename that to teacup and put it in /usr/local/bin or another convenient place in your $PATH.

2. Create the installation repository

You will need an installation repository where teacup can store its data locally. The default location is /Library/Tcl/teapot and you can create it like this:

$ sudo teacup create
Repository @ /Library/Tcl/teapot
    Created

3. Patch MacPorts tclsh to handle teapot repositories

$ sudo teacup setup /opt/local/bin/tclsh
Looking at tcl shell /opt/local/bin/tclsh ...
  Already able to handle Tcl Modules.
  Already has the platform packages.
  Patching: Adding code to handle teapot repositories ...
Done

4. Link teacup to MacPorts tclsh

$ sudo teacup link make /Library/Tcl/teapot /opt/local/bin/tclsh
Ok

That’s it! You’re done. You should now be able to list available packages within TEA using teacup list and install them using sudo teacup install "packagename".

I’ve tested this on MacOS X 10.6.1 Snow Leopard with Tcl 8.5.7 from MacPorts.

Tags: HOWTO, Tcl, ActiveState, TEA, teacup

D. J. Bernstein is legendary

Dossy Shiobara — Mon, 19 Oct 2009 14:53:40 +0000

I’ve been using djbdns and qmail for many years, specifically because after reviewing its code and comparing it to other possible alternatives, I objectively decided that these two pieces of software are superior in all aspects.

Lots of people have cast aspersions on D. J. Bernstein and his software, usually with emotional and irrational claims. Of course, most of these people can’t even read code well enough to understand what it does or how it does it. However, when you encounter the opinions of actual programmers, we all tend to share a similar but different opinion.

Today, Aaron Swartz put this into words better than I could: D. J. Bernstein is the greatest programmer in the history of the world. The money quote:

[...] djb’s programs do not work like most programs, for the simple reason that the way most programs work is wrong.

Amen.

Tags: D. J. Bernstein (djb), djbdns, qmail, Aaron Swartz

Disabling service updates on SA2 TiVo’s

Dossy Shiobara — Thu, 25 Jun 2009 05:42:28 +0000

I needed to re-enable service updates on my SA2 TiVo tonight and I’d forgotten how to toggle it after having disabled them when I first hacked my TiVo, and had a tough time finding the information so I figure I’ll post it to my blog so I’ll be able to find it again.

The key command is bootpage – use “bootpage -p /dev/hda” to see the current settings. Then, use “bootpage -P "..." /dev/hda” to change them. Specifically, change “upgradesoftware=false” to “upgradesoftware=true” or vice versa.

Tags: TiVo, hacks, reference

Getting Adaptec afacli working on Ubuntu

Dossy Shiobara — Sat, 06 Jun 2009 19:26:25 +0000

In order to get afacli working on Ubuntu Hardy, I did these things:

1. Get afa-apps-snmp.2807420-A04.tar.gz from Dell.

2. Get libstdc++2.10-glibc2.2 from Debian afacli depends on libstdc++-libc6.2-2.so.3.

Since I’m running Ubuntu x86_64, I put libstdc++-libc6.2-2.so.3 in /usr/lib32. Installing the rpm package under Ubuntu provides rpm2cpio which I used to extract afaapps-4.1-0.i386.rpm like this:

$ rpm2cpio afaapps-4.1-0.i386.rpm | (cd / && cpio -iudvm)

That’s it. You now have /usr/sbin/afacli.

Tags: Linux, Ubuntu, Adaptec, afacli

Guess it’s time to wait for OAuth 1.1

Dossy Shiobara — Thu, 23 Apr 2009 15:06:43 +0000

Last week, I decided to take a stab at implementing a basic OAuth consumer in order to integrate Twitter Karma with Twitter using OAuth. I’d read through the OAuth 1.0 specification before, but never closely enough to realize that there was a serious attack vector in it. So, I mentioned this on the twitter-development-talk mailing list, hoping to get some answers on April 16th:

Also, the redirect to the callback URL has no signature. What stops an attacker from brute-force attacking an OAuth consumer, iterating through posisble tokens? Simply the large search space of valid OAuth tokens? Even if it’s only “possible in theory” … some teenager with nothing better to do is going to eventually turn that theory into practice.

My concern was met with confusion so I brought the concern to the OAuth mailing list (also) on April 17th:

Currently, the OAuth callback URL is susceptible to replay attack and token shooting. Signing it would eliminate this in a very low-effort way.

…

[...] it’s very desirable to be able to tell if the callback was legitimate or either a replay attack or a brute-force token shooting attack.

Even client-side browser cookies may not win here if a simple session fixation attack is coupled with the token shooting attack.

I wasn’t sure if I was being understood, either, but then a few days later on April 20th, Twitter yanked their OAuth support offline.

Eventually, an OAuth security advisory 2009-1 was published on April 23rd that clearly states “A modified specification to address this issue is forthcoming” as I pointed out was necessary, and Eran Hammer-Lahav writes a thorough explanation of the problem in his blog. The money quote:

If we put it all together, even if an application:

Makes sure to use the account of the user coming back from the callback and not that of the one who started

Checks that the user who starts the process is the same as the one who finishes it

Uses an immutable callback set at registration

It is still exposed to a timing attack trying to slide in between the victim authorizing access and his browser making the redirection call. There is simply no way to know that the person who authorizes is the same person coming back. None whatsoever.

This is exactly why the callback URL that the OAuth provider uses to redirect the user back to the OAuth consumer needs to be signed.

So, why am I making a big deal out of all of this? Well, I’m irked. Coincidentally, their “discovery” of this issue conveniently coincided with my raising of the issue publically on the mailing lists, yet nowhere is my name mentioned in any of this. In my opinion, that’s really poor form in an “open community” where often the only compensation for effort is recognition. It’s this kind of back-handed treatment that encourages people to demonstrate these security concerns through actual working exploits, which benefits no one but guarantees the creator their recognition.

In the end, I’m glad that this issue is going to be addressed and hopefully in a timely fashion because all of us developing applications in the public software ecosystem will benefit, but I still feel slighted. I’ll get over it, while I wait for the OAuth 1.1 specification.

Tags: OAuth, Twitter, security

AOLserver in Google’s Summer of Code 2009

Dossy Shiobara — Fri, 27 Mar 2009 16:39:32 +0000

Are you a student that meets Google’s eligibility criteria, who is interested in contributing to an Open Source project this summer? Google’s Summer of Code 2009 is on, and once again, the Tcl community has been accepted as a mentoring organization, which includes AOLserver.

Students can apply until the deadline of 19:00 UTC on April 3rd. If you have any questions about GSoC or AOLserver’s involvement in it, please ask me! I’ll try to help answer whatever questions you might have.

Good luck to all the students and mentoring organizations this summer!

Tags: Google Summer of Code 2009, Tcl, AOLserver, open source

A simple “google for” Tcl script

Dossy Shiobara — Mon, 24 Nov 2008 22:46:04 +0000

I make extensive use of Google throughout the day and I’ve always got “g” set up as the keyword for a Quick Search in Firefox. However, I also spend a lot of time at shell prompts, and sometimes I don’t want to bounce to a browser just to Google for something.

So, tonight, I wrote a small Tcl script that lets me “google for” at the prompt. Just save the previous link and rename it to “google” and move it somewhere in your PATH like /usr/local/bin, then make it executable with chmod 755.

The script requires Tcl with tDOM installed, as well as Tidy–both of these things are installed out-of-the-box on MacOS X 10.5 Leopard.

Once you get the script installed, you can do something like this:

If you notice, for Google search queries that have a special result like the one above, the script displays it separately before the results. The script also emits the search query URL so you can just Control-click on it in Terminal and then select “Open URL” and have it pop up in your browser, which also works for any of the search result URLs.

I don’t know if anyone else would find this script useful, but it’s already saved me a ton of time–especially when I’m on a slow 64 kb/s GPRS connection like I am this evening. Either way, I’m releasing this script into the public domain.

Tags: Google, Tcl, open source

SAA’s in-flight entertainment runs on Linux, apparently

Dossy Shiobara — Mon, 24 Nov 2008 13:42:24 +0000

Apparently, South African Airways runs some kind of Linux for their in-flight entertainment system.

Of course, on the leg of the trip from New York to Senegal, the flight staff kept rebooting the system trying to get it to work, with very little luck. Most of the time we just stared at the Linux boot process hanging, trying to talk to the NFS server. Fortunately, they got it working for the Senegal to South Africa leg of the trip.

Tags: South African Airways, Linux, fail

TiVo Hacking: Getting a Linksys WUSB54G working

Dossy Shiobara — Mon, 27 Oct 2008 16:12:16 +0000

So, I have a TiVo Series 2 stand-alone DVR with a Product Lifetime subscription. For years, I’ve had it connected to the home network using a Linksys WUSB11 wireless network adapter, but it finally died. I went and grabbed a Linksys WUSB54G as a replacement, but found out that the TiVo doesn’t support it. No problem, I know the TiVo runs Linux and there’s plenty of documentation on how to “hack” the TiVo so I can load my own kernel modules on it, etc.

It turns out that the Linksys WUSB54G v4 uses the Ralink 2570 chipset. Fortunately, there’s been effort on native Linux drivers for the Ralink family of wireless chipsets. The hurdle, of course, is that the TiVo’s MIPS R5432 is big-endian, so it presents a bit of a challenge porting the driver to the TiVo.

Working off the latest code for the legacy rt2570 driver from CVS, I’ve gotten it to compile using TiVo’s Linux 2.4.20 kernel. Loading the module, however, results in this:

rt2570: init
usb.c: registered new driver rt2570
rt2570: idVendor = 0x13b1, idProduct = 0xd
rt2570: idVendor = 0x13b1, idProduct = 0xd
rt2570: using permanent MAC addr
rt2570: Active MAC addr: 00:12:17:89:f5:02.
rt2570: driver version 1.0.0
Unaligned Access to 0x80230b2b in kernel mode at 0xc0217be4
Unaligned Access to 0x80230b2d in kernel mode at 0xc0217c04
Unaligned Access to 0x80357076 in kernel mode at 0xc021b3dc
Unaligned Access to 0x80357076 in kernel mode at 0xc021b408
Unaligned Access to 0x80357076 in kernel mode at 0xc021dc2c
Unaligned Access to 0x80357076 in kernel mode at 0xc021dc08
Unaligned Access to 0x80357076 in kernel mode at 0xc021cd8c
Unaligned Access to 0x80230f47 in kernel mode at 0xc0217be4
Unaligned Access to 0x80230f49 in kernel mode at 0xc0217c04
Unaligned Access to 0x80231155 in kernel mode at 0xc0217be4
Unaligned Access to 0x80231157 in kernel mode at 0xc0217c04

So, now I get to go fishing through /proc/ksyms and try to fix up all these unaligned access errors. Hopefully, I’ll be able to get through all of this and get the driver working.

Anyone out there have experience porting Linux device drivers like this? Got any tips or techniques that might help me? I’d really love any help I can get …

Update: I’m posting my debugging progress in a rt2×00 forum thread. Given enough eyeballs, all bugs are shallow, right?

Update: I’ve gotten it working! I’ve addressed the majority of the unaligned access traps and I can now use my WUSB54G as a wireless NIC on my TiVo! Here’s a patch against rt2570-cvs-2008102616 of the driver and the corresponding kernel module binary:

rt2570-tivo-mips.patch
rt2570.o.gz (1.42 MB)
MD5: 64605e019929db714d583d160a6b513c

If you have a SA2 TiVo and want to use a Linksys WUSB54G as your wireless NIC, this driver is what you want. It works for me, anyway!

Tags: Linux, TiVo, open source, hacking, Linksys WUSB54G, Ralink 2570

I cancelled my SourceForge subscription today

Dossy Shiobara — Sat, 20 Sep 2008 03:15:02 +0000

So, the AOLserver.com site, which has been hosted at SourceForge for years, is effectively “down” right now as requests to it are returning a “Error establishing a database connection” error. I’ve been a paying subscriber for SourceForge since 2004 because they claim to provide “priority support”–whatever that means.

Well, I went and opened “priority” support tickets to try and get the AOLserver.com site back online. To put it gently, the response I received was less than useful. I mean, three hours before I get a response–a canned response–which doesn’t even resolve my problem?

I recognize there’s not much I can do at this point, but what I can do is “vote with my wallet” … I’ve cancelled my SourceForge subscription today:

The clock is now ticking: they have just under a year to show that they can seriously run a valuable service correctly, or I won’t be renewing my subscription next year.

Update: Jacob Moorman, Director of Operations at SourceForge.net, emailed me to point out that the IP addresses for SourceForge’s VHOST had changed. Sadly, the DNS for aolserver.{com,net,org} had been set up as A records instead of as CNAME records. So, I’ve sent a request to have the DNS updated.

Tags: SourceForge, subscription, cancelled