Skip to main content

Las ventas online y ‘los de legal’

No es raro que, en cualquier tipo de sitio de venta online, haya departamentos enormes de asuntos legales, para asegurarse de que hasta el último punto y coma de los contratos, términos y descripciones de los productos se ajustan a la legalidad vigente o a las características reales del mismo. Pero a veces a alguien se le olvida revisar el texto que les ha mandado el departamento comercial y pasan cosas como esta: “No se si deja legal poner esto”

/images/microondas.thumbnail.png

Si, es una captura real, de un microondas Samsung en Amazon. Aquí tenéis el enlace al producto (sin referers, no gano dinero) y aquí debajo la captura completa, por si lo arreglan. 😉

/images/microcompleto.thumbnail.png

Hidden user with default password in P2000 MSA G3 storage

I was doing an emergency night intervention on a client storage, a HP P2000 G3 MSA just to find a surprise: Nobody knew the password for the administrator user, which happens to be called ‘manage’ on that storage unit, and the default password was changed.

Being late in the night, so no options for trying to find the technician who installed this machine, I tried to find a way for restoring or resetting it. Imagine my surprise when I found this: HP P2000 users, change the admin account password.

The admin user for a P2000 G3 is called ‘manage’, but, apparently, as a heritage from an older model (the G2), they left the old admin user in, which is called ‘admin’. And it also was left with its default password, ‘!admin’.

So I log in with this ‘admin’ user (it works!), and try to list users and find it:

# show user
Username             Roles                            User Type    User Locale            WBI   CLI   FTP   SMI-S SNMP  Authentication Type Privacy Type
  Password                         Privacy Password                 Trap Host Address
---------------------------------------------------------------------------------------------------------------------------------------------------------
ftp                  manage,monitor                   Standard     English                            x
  ********                         ********
manage               manage,monitor                   Standard     English                x     x     x     x
  ********                         ********
monitor              monitor                          Standard     English                x     x
  ********                         ********
---------------------------------------------------------------------------------------------------------------------------------------------------------
Success: Command completed successfully. (2012-11-27 09:31:56)

But it’s not in! So how did I log in, then? Then again, for my surprise, the user is hidden, so if you specifically look for it, then it will show the info:

# show user admin
Username             Roles                            User Type    User Locale            WBI   CLI   FTP   SMI-S SNMP  Authentication Type Privacy Type
  Password                         Privacy Password                 Trap Host Address
---------------------------------------------------------------------------------------------------------------------------------------------------------
admin                admin,manage,monitor             Advanced     English                x     x     x
  ********                         ********
---------------------------------------------------------------------------------------------------------------------------------------------------------
Success: Command completed successfully. (2012-11-27 09:32:15)

I don’t know if newer units will have this problem (this one was bought like a year and a half ago), but if you happen to have one similar model to this, please, check your admin user.

Protecting Airtime web admin with SSL

Airtime is a wonderful open source tool by Sourcefabric that allows you to create run both streaming and fm radios, allowing you to program, automate, record and stream your content very flexibly, and everything via web. It’s really a must for every community or free radio. They even offer a hosted service called Airtime Pro.

But some of us miss a feature, that, by some technical issues, isn’t available yet: SSL access to its web admin. Some internal config related to RabbitMQ and other things apparently prevents Airtime functioning properly if we just change Apache config to serve https through port 443, as we would do with any normal web server.

Edit: Seems that’s not true for recent versions, and it should work adding a ssl vhost to apache and not removing the port 80 regular one, as not to break RabbitMQ communication. Anyway, this is still a nice and fast way of doing it without ever modifying default Airtime config, which is a plus. :D. And for me, it’s even faster than doing it with Apache, both in terms of how long does it take to configure it, and on performance.

To avoid this we’ll use pound. pound is a load balancer and https frontend. It will sit in front, receiving ssl requests, and re-sending them locally to our web server.

So, for this, I’ll assume:

  • You have debian or ubuntu (although, if you know some linux, you can probably extrapolate it to your distro).
  • You have admin capability on your server, so you can install packages and edit config files.
  • Everything is on its default settings.
  • Also, we’ll use a self-signed cert, not a commercial one. A self-signed cert can be as safe as a commercial one, but browsers show some warning messages if they don’t know the entity signing them.

So, we need pound and openssl (which is needed for generating the certs) installed on your system. You’ll probably have already installed openssl, but we’ll make sure:

sudo apt-get install pound openssl

pound will warn you it won’t start until you configure it, but we’ll go with that later. Now, we need to generate a ssl certificate for pound to work, so we go to its config directory and run openssl:

cd /etc/pound
sudo openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Now it’ll ask some basic questions for identifying your certificate, as your country code and an email contact. Once the cert is generated, we should change its owner and protect it from prying eyes:

sudo chown www-data:www-data /etc/pound/server.pem
sudo chmod 0600 /etc/pound/server.pem

Now, let’s edit pound config file:

sudo vi /etc/pound/pound.cfg

If you’re intimidated or unfamiliar to vi, you may use nano:

sudo nano /etc/pound/pound.cfg

In the end of the config file you’ll find a block like this:

ListenHTTP
        Address 127.0.0.1
        Port    8080

        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
        xHTTP           0

        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
        End
End

This defines where pound should listen and where to get its content. We have to substitute this with our config. Knowing that I run my server with the ip address 192.168.15.5 (substitute this with yours), It’ll change to:

ListenHTTPS
        Address 192.168.15.5
        Port    443
        Cert "/etc/pound/server.pem"
        xHTTP           0
        AddHeader "X-Forwarded-Proto: https"
        HeadRemove "X-Forwarded-Proto"
        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
        End
End

Then edit the defaults config for pound:

sudo vi /etc/default/pound

and set:

startup=1

Let’s start pound and see!

sudo service pound start

Now try to connect to your Airtime putting https in the front!

If you get an unknown directive error when starting pound, make sure you have tabs and not spaces in front of each config line you copy pasted.

Now your Airtime is up and running, you may config your apache or firewall to answer only to localhost petitions, or if you are NATed, close your port 80 forwarding and activate only port 443.

Next step may be getting a “known” SSL certificate instead of a self-signed one, but that’s another story, not for today.

I’ve done this with help of two links:

Terminal problems with OS X Lion

So since I use Lion I have some problems when logging in a lot of Linux servers around.

I, for example, run the ‘screen’ command and get this:

Cannot find terminfo entry for ‘xterm-256color’.

The denomination of the terminal in Lion has changed from xterm-color (in Snow Leopard) to xterm-256color, and a lot of Linux distros still don’t recognize it.

Solution? Run this:

export TERM=xterm-color

And then, try again 😀

Bug hunting!

While finding bugs it’s not funny, best is finding them as soon as possible, to avoid further and bigger problems. Even better, knowing the solutions.

I have to say I’m very proud of myself I’ve find a nice bug in Cherokee today. Is stupid, just a slip in the code, but could get big if goes unnoticed. It’s going to be just 24 hours live, and it’s almost my first here (except for one I found in PowerPC versions that was already fixed in trunk but was late to get into Debian :P).

Ok, I’ll stop putting on medals 😀

Cherokee enters production!

So finally, after tinkering here and there with Cherokee, I’ll put some web servers in production with it.

This is going to be a big adventure since I’m testing production at the same time with Cherokee and AWS, the latter totally new for me. I’ll see if this meets all my requirements in hosting 😀

Learning Cocoa and XCode

So this week I’m learning to develop with XCode for OS X.

Will my sysadmin mind be capable of adquiring that knowledge?

I already have some small project in mind…

Installing and configuring SNMP on OS X Leopard and Snow Leopard Server (I)

Seems that most tutorials and how-tos you can find around there for running the SNMP daemon on your OS X Server are too weak or too cumbersome to be practical. Most of the times you just want to put your service to run, so you can get some stats or can experiment with it further. I’ll try to expose it clear and easy here and answer all questions that may arise on the way.

The default SNMP config file installed on OS X Server comes a little bit “small” on 10.6/ Snow Leopard and won’t give you much info, and meanwhile on 10.5/Leopard gives extensive info, we would like to customize the access and some fields, so lets first create a config file.

You won’t need any superuser permissions by now, as we are only creating the file that we’ll copy later into the right place. Go to your server and run this from your home:

snmpconf -g basic_setup

This will run a small script that will help you to configure the basics of your service. If the script finds any previous or default config file you may be asked to use one of them as a base. You are safe to say ‘none’ and begin from zero.

Then the ‘basics’. You’ll be asked to configure the identification info that SNMP returns about that system. Answer ‘y’ and enter the location of your system (e.g. ‘datacenter 1’, ‘campus building’, ‘my company’, whatever…), and later you’ll be asked for the contact info, that is, an email, a name, or whatever you would like. Third question on this section is about setting value for the ‘sysServices.0 OID’. We’ll be safe answering ‘n’ here and jumping to the next section.

Then access control. You have to know that there is two different versions of the standard to manage your security, that is, SNMPv2 and SNMPv3. SNMPv2 just uses user names called ‘communities’ as all security, no passwords, no encryption. SNMPv3 fixes this and uses usernames as well as passwords and encryption to manage access. Problem is not all software is compatible with SNMPv3 auth to ask for data, so maybe you can by now say no to SNMPv3 and stick to v2 (you’ll be asked two times, one for read/write access and another onw for read only access). Also no read-write for SNMPv2 (You’ll only need reading by now), and ‘yes’ to read-only. Then set a name for the community. For the usual read-only access is common to put ‘public’ as the community name. Choose if you want the SNMP daemon answering only to one IP address or just press return to answer on all addresses (that’s enough for testing). Press return again so we don’t get any restrictions. Then don’t add any more community lines. Also, no traps and no monitors.

Now we have our precious config file in the same folder we are now. Let’s copy it to the proper place:

sudo cp snmpd.conf /usr/share/snmp

Enter you password if requested. Then we have a basic config file put in place, so we only have to enable the service: go to your Server Admin tool, to the Settings section, to the General tab, check the Network Management Server (SNMP) option and press ‘Save’. That should start the daemon.

Test the daemon running this in a console on the same machine:

snmpwalk -c public localhost

This will ask for all the values available on the ‘public’ community on your own host. If working it will return lots of data that will begin with something like this:

leopard:~ andor$ snmpwalk -c public localhost
SNMPv2-MIB::sysDescr.0 = STRING: Darwin leopard.maniacmansion 9.0.0 Darwin Kernel Version 9.0.0: Tue Oct  9 21:35:55 PDT 2007; root:xnu-1228~1/RELEASE_I386 i386
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.255
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2884) 0:00:28.84
SNMPv2-MIB::sysContact.0 = STRING: Andor
SNMPv2-MIB::sysName.0 = STRING: leopard.maniacmansion
SNMPv2-MIB::sysLocation.0 = STRING: “ManiacMansion Datacenter”
SNMPv2-MIB::sysServices.0 = INTEGER: 76
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

You’ll be getting the kernel and OS version info, IP addresses, the bandwidth used, the space available on disk… so… Done! You can now add this host to any monitoring software that uses SNMP 😀

If this get’s enough attention I’ll write a second part on how to costumize all the available info depending on the community or client connected.

Buzzwords

Estoy arreglando mi suscripción a una lista de correo de Yahoo, y a la hora de decidir qué tipo de correos quiero recibir, en la que cualquier gestor de listas decente me habría preguntado entre “HTML” y “texto plano”, Yahoo me pregunta lo siguiente:

/images/buzzword.thumbnail.png

¿”Fully Featured”? ¿Qué ‘features’ son esas? Porque de la manera ‘tradicional’ ya se recibían correos HTML completos…

¡Nuevo y mejorado! ¿Cuál será la diferencia? ¿Vendrán hasta con javascript? ¿Qué tendré que hacer para no llenar mi buzón del móvil de basura?

¿Está la gente loca con el iPad?

Leo en la lista de correo de OsiriX, un (gran) proyecto Open Source para Mac OS X de gestión y visualización de imagen radiológica digital:

Do you have an idea when the iPad version of osirix will be released? I work for an orthopod that is very anxiously awaiting it’s release. We are purchasing 30 iPads to put osirix on.

Comprar un tablet, que cuesta entre 500 y 800 euros, capado, sin la seguridad de que vaya a poder correr tu software por mucho presupuesto que dediques a él, y además, esperando un software que aun no sabes ni qué funcionalidad va a traer…

Pero éste no es el único ejemplo, todos los días en la empresa vemos uno nuevo, como el de meter el iPad en el quirófano... Un aparato sin las certificaciones médicas, no-estéril, al borde del ridículo porque lo están sujetando otros dos asistentes (no se puede usar con una sola mano) usado para… ¡ver imágenes!. ¡Parece que no existieran los monitores de quirófano!

Pero la cosa llega al borde del ridículo en el caso del Kaweah Delta Health Care District, en California, donde han comprado 100 iPads... ¡Para ver una aplicación remota en Citrix! Creo que es el terminal Citrix más incómodo y más caro que he visto nunca…

En uno de los foros de MacTalk, alguien “que trabaja en el campo médico y habiendo trabajado en grandes hospitales” está elucubrando con las grandes posibilidades que le daría el iPad par trabajar en el hospital:

So instead of having one physical patient folder why not have a ‘virtual’ digital patient folder which is in the cloud/hospital central network. Anyone with the appropriate clearance can access it from any of the computer terminals. The iPad would be the perfect portable device for staff to carry around to access any of your patients digital file from anywhere in the hospital.

Aquí empiezo a dudar de que este hombre haya trabajado en algún hospital. Esto existe, hace muchos años ya, y está en uso hoy en día. El historial clínico digital, los informes estructurados, los sistemas de gestión digital. Existe, funciona, y no hace falta cargar con un iPad por todo el hospital (ya es pesado cargar todo el día con una carpeta y no perderla, imaginad con un equipo de más de 700 gramos).

Señores, los tablet ya existían antes del iPad, y hay decenas de equipos certificados para hospitales. Los EHR (historial clínico electrónico) también. Los monitores y ordenadores de quirófano también. Y las aplicaciones táctiles, y la radiografía digital, y los servidores, y los PACS…

La gente se está equivocando al usar el iPad como un fin, cuando es una de tantas herramientas. Se están creando aplicaciones para poder usar el iPad como herramienta, cuando lo que hay que hacer es usar el iPad como herramienta para poder usar aplicaciones.

Hay que trabajar en los estándares y poner las aplicaciones al alcance del mayor número de herramientas posibles, y en cada caso aplicar la solución más práctica, o si no un día nos cerrarán el grifo o nos encontraremos con un problema ante el cual la única solución será quedarse sentado o poner los dólares para adaptarse al sistema.