[PCLinuxOS] Manually upgrading Bind / Named to version 9.9.2-P2 [Security patches].

Hi folks.

Latest Bind / Named version was released several days ago to patch this vulnerability.

I will try to show how to download, extract, configure and install the latest version.

Open terminal window and follow this set of instructions:

su

root's password

export PREFIX=`echo /usr/`

export PATH=$PREFIX/bin:$PATH

export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PREFIX/share/pkgconfig

cd /opt/

mkdir Bind

cd Bind

wget -c ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz

tar xvzf ./bind-9.9.2-P2.tar.gz

cd bind-9.9.2-P2

./configure --prefix=$PREFIX --sysconfdir=/etc/

You can expect missing dependencies here. I had no problems whatsoever as I have a good few “devel” packages installed – try figuring out what You’re missing if You do run into a snag, then install it from Synaptic (without closing this window) and re-run the above configure step till there are no errors.

make

make install

ls --full /var/lib/named/var/

one of the listed items should look like this:

drwxr-xr-x 7 root root 4096 2013-03-22 09:08:02.163308440 +0100 named/

ls --full /var/lib/named/var/named

chown named:named /var/lib/named/var/named/

drwxr-xr-x 7 named named 4096 2013-03-22 09:08:08.221303100 +0100 named/

Now in this terminal window type in

named -v

the reply should look like this:

BIND 9.9.2-P2

service named restart

and the reply should look something like this:

Stopping named: [ Failed ]
Starting named: [ OK ]

This should be it… You have compiled and are running latest patched version of Bind…

Regards.

Andy

Advertisements

How to verify signature using .sig file.

Hi folks.

Downloading something from the internet CAN be risky… It can be very risky. I am sure You have heard about bad guys hacking into the server of some project and replacing their original download content with something dodgy. Dodgy as in containing backdoor or something just as nasty…

There is a way to minimize the risk of getting exploited by the evil dudes… Many of the projects online that are aware of this security risk are signing their downloads. I am sure You have seen it. You are going to a ftp or http server and You find the file that You are looking for and another file next to it with the exactly same name but with the .sig extension. This .sig file is the signature. You need to verify it in order to make sure that the content that You have downloaded is what the project members wanted You to download and not some fake / infected crap.

How do we go about it?

It’s really simple.

Today I have downloaded Arch Linux iso that I will be testing so I will use it as a example.

First I went to the Arch Linux Downloads site and chose the mirror closest to me. Then I have copied the download links for the iso and sig files and wrote a short “script”.

wget -c http://ftp.heanet.ie/mirrors/ftp.archlinux.org/iso/2012.10.06/archlinux-2012.10.06-dual.iso && wget -c http://ftp.heanet.ie/mirrors/ftp.archlinux.org/iso/2012.10.06/archlinux-2012.10.06-dual.iso.sig

Next I wanted to verify the iso file using the .sig file so I ran:

gpg --verify ./archlinux-2012.10.06-dual.iso.sig

but I got an error:

gpg: Signature made Sat 06 Oct 2012 03:28:53 PM IST using RSA key ID 9741E8AC
gpg: Can’t check signature: public key not found

So I started searching for the info and after a lot of research I finally combined something that works…

First You need to download the public key that corresponds with the RSA key ID:

gpg --no-default-keyring --keyring vendors.gpg --keyserver pgp.mit.edu --recv-key RSA_key_ID

You need to replace the RSA_key_ID with the actual RSA key ID. You got it when the verification failed remember?

So in my case the command will look like this:

gpg --no-default-keyring --keyring vendors.gpg --keyserver pgp.mit.edu --recv-key 9741E8AC

And the output of the command looked like this:

gpg: requesting key 9741E8AC from hkp server pgp.mit.edu
gpg: /home/andrzejl/.gnupg/trustdb.gpg: trustdb created
gpg: key 9741E8AC: public key “Pierre Schmitz ” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Now that You have this Pierre’s public key in Your vendors.gpg file we can try verifying the iso file again.

This time command looks slightly different:

gpg --verify --verbose --keyring vendors.gpg ./archlinux-2012.10.06-dual.iso.sig

gpg: assuming signed data in `./archlinux-2012.10.06-dual.iso’
gpg: Signature made Sat 06 Oct 2012 03:28:53 PM IST using RSA key ID 9741E8AC
gpg: using PGP trust model
gpg: Good signature from “Pierre Schmitz “
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
gpg: binary signature, digest algorithm SHA1

In this case the verification gave me a mixed signals… Good signature… Not certified with a trusted signature… I wasn’t sure – so just in case I popped into the #archlinux IRC channel and asked…

23:34 AndrzejL: md5sum
23:36 [andrzejl@wishmacer Arch]$ md5sum ./*
23:36 aefd90da1ee49c745101179f50afa783 ./archlinux-2012.10.06-dual.iso
23:36 b4fcd64607a532afe1880f609bbfd141 ./archlinux-2012.10.06-dual.iso.sig
23:38 AndrzejL: i just need the content of the .sig file to match
23:38 AndrzejL: seems to be matched to the md5sum.txt
23:40 ceezer: so i should be ok using those isos?
23:40 AndrzejL: yes.
23:40 AndrzejL: you should be

and the helpful crowd sorted me out.

I think that the HOWTO explains well enough how to verify the downloaded files (iso, gz, zip etc.) if sig file is provided and hope You will find it useful.

Regards.

Andy

Ok… SO…. How much electricity / money devours my computer?

Hi folks…

I was looking for an answer to this question for a while now and thanks to some websites and thanks to my colleagues on the #pclinuxos-pl channel I finally figured it out. It’s not difficult.

When You are paying for the electricity You are paying for the amount of kilowatt hours (also called “units”) that You have used in the billing period. This is all great BUT how do I know how many of those kilowatt hours is my machine using?

This is not very difficult to calculate (approximately).

First we have to know how much electric power does Your machine needs. Sometimes You know exactly (or You can read on the label on the back of Your computer) that Your machine has X Watts adapter. This is what You need. I was not so lucky with my laptop. Label on the adapter states:

Output: 16V, 4.5A

I had to calculate the power (watts) myself. To do so I had to use this formula:

P(t) = V(t) * I(t)

where:

P(t) is the instantaneous power, measured in watts.

V(t) is the potential difference (or voltage drop) across the component, measured in volts

I(t) is the electric current, measured in amperes

Ok so the output values of 16 volts and 4.5 amperes multiplied by each other will give me the power (watts) of my laptop’s ac/dc adapter:

P = 16V * 4.5A = 72W

My laptop’s power pack uses 72 watts. This is a very simplified / approximate value. Why? Because it’s a maximum power that the power pack can provide when laptop is using 100% of it. This means screen is on and on full brightness, WiFi, Bluetooth and all other devices are on…

What can I do with those watts then? I can convert to kilowatts. How? Divide it by 1000. This means that You take the power of the device in watts and You divide it by 1000:

72W / 1000 = 0.072kW

Now… Knowing the amount power in kilowatts and multiplying it by the amount of hours You will get the result in kilowatt hours. Let’s say that my laptop runs 24/7. All the time. 365 days per year… Ok… First I am gonna find out how many kilowatt hours it uses in one day. To do that I am gonna multiply the amount of kilowatts and the number of hours.

0.072kW * 24 = 1.728kWh

So my laptop is using 1.728 kilowatt hours during a one day. My bills are sent to me approximately every 60 days. This means that if I multiply the daily usage times 60 I will get the rough estimate of how many kilowatt hours this machine will eat in one billing period.

1.728kWh * 60 = 103.68kWh

So my machine will consume roughly 103.68kWh in 60 days right? Right. Now if I will multiply that with the current price of the kWh unit I will know approximately how much money will I have to pay for the electricity devoured by this little devil.

103.68kWh * €0.15 = €15.55

This means that if this machine was running full speed, with fully bright screen, with WiFi, Bluetooth etc. enabled, 24/7 then it would cost me approximately €16 / 2 months to power it up. This is a very pessimistic estimate. If You use power saving features of the laptop ie. if You disable screen when it’s not used, if You are scaling CPU frequency down and if You disable devices like WiFi or Bluetooth when they are not needed – You can bring that estimate down to 1/3.

You can use info from this post to calculate the price of electricity used by any other electric device over any chosen period of time. It will work provided that the device is not faulty and that it does not leaks power.

Regards.

Andy

Upgrade eggdrop 1.8 and force it to use UTF-8 encoding. [VIDEO]

Hi folks.

I am running my bot MISIASTY on my #pclinuxos-pl IRC channel. I am using it as a greeter, infobot, antiabuse etc. etc etc. I am using eggdrop in the 1.8 version for a couple of reasons SSL encryption being one of them. I want to keep it updated – simply because updates bring bug fixes and security patches.

Every time I was upgrading my bot I had two choices – do it manually or automatically and loose UTF-8 encoding. What is it and why do I need this UTF-8 thingy? Well here is what wikipedia has to say about what UTF-8 is. And I need it so the special characters from Polish alphabed (ie. żółćęśąźń) are properly displayed. Without UTF-8 support bot is using some weird characters (ie. 〈ש€§) in their place and the whole text becomes unreadable.

Why would I loose UTF-8 encoding when upgrading automatically? To force UTF-8 encoding support in eggdrop You need to edit the source code before compiling. My script was very simple and it wasn’t doing a very good job. Today I said enough. I re-wrote a script. I asked Enlik to help me with two commands – and He did. Thanks Dude.

Now my script is upgrading the eggdrop to the latest version and I get to keep UTF-8 support.

The script is located here. And here is a transcript of the script at work. Here is a short video of the script at work.

Regards.

Andy

NO. Thunderbird project is NOT dead / inactive / abandoned…

Hi.

I have heard something today that made my heart stop for a moment… “Thunderbird is no longer developed…”

That’s not true… I went to the #thunderbird channel on the irc.mozilla.org server and asked… As a reply I got a very interesting link.

Thunderbird’s future from the inside.

So I asked just to clarify:

14:37 pfeeeeew… so basically Thunderbird wont be adding new things unless they are really needed and will just be “developped” in the meaning of security patches and bug fixes rather then adding new shiny stuff?

14:37 AndrzejL: something like that

So… No guys – Thunderbird is not going to die anytime soon. It’s gonna be developed in a slightly different way.

Thanks for reading.

Andy

Edit 01: Another good link: About the future of Thunderbird.
Edit 02: And another one: No, that’s not “it” for Thunderbird…

Update Your LastPass to version 2.0!

Hi folks!

LastPass has just released LastPass 2.0… With new and exciting features! As they stated on their blog:

We’re super excited to announce the release of LastPass 2.0! We’re expanding the core functionality of our password manager while adding significant improvements, both on the front-end and behind-the-scenes.

LastPass 2.0 features:

– Attachment support for documents and images,
– Free credit monitoring alerts for users in the United States,

Want to read the entire blog post? Click here.

I really _do_ recommend LastPass addon for storing, managing and generating Your passwords:

For those that want to find out more about LastPass:

Our Latest Video Introduces LastPass Basics
Just getting started with LastPass? Want to recommend our product to family, friends, or colleagues? Our new introductory video gives you an overview of our essential features, including:

Logging in to your account,
Saving and autofilling a site,
Managing your sites in your Vault,
Generating a new password with LastPass,
Creating a form fill profile for online shopping,
Syncing to new computers, and
Upgrading to Premium for mobile access.

Getting Started with LastPass. [YouTube VIDEO]

I use it in my Firefox Nightly browser. Has yet to disappoint me… So far it’s been a pure pleasure.

I recommended it to many people and one of my Friends recently told me that I was right… Once You get used to LastPass it’s just irreplaceable… He hated it at first. I remember it pretty well as I was getting the “hate updates” via IM :D.

Some people in the past reacted in a weird way when I told them about LastPass… Their comments were usually orbiting around something like “Why on earth would I give my passwords to a third party…?”. The answer is – You are not giving them to anyone. The passwords ARE being stored on a LastPass servers – yes BUT they are not being sent / stored in a plain text. This would be stupid / reckless / dangerous and trust me paranoid person like myself would never ever do stupid thing like that and neither would I recommend doing so to any of You. The passwords are encrypted using state of the art crypto with the key that only You have access to and they are being sent to the LastPass server as a blob of meaningless data that no one can decrypt but You. For more technical info I invite You to watch, read or listen to Steve and Leo in episode 256 of the Security Now! podcast where Steve explains in details security features behind the LastPass project. I am sure You will be satisfied with the amount of info and technical details provided.

LastPass… _Very_ security aware, very safe, very user friendly, very very very handy.

I hope You will at least try it.

Regards.

Andy

Manually upgrading Bind / Named to version 9.9.1-P1 [Security patches].

Hi folks.

Latest Bind / Named version was released several days ago to patch this vulnerability.

The thread was started on PCLinuxOS Forum in the appropriate section to request it being upgraded but from what I can see members / devs are not really in the rush to get this version into the repository as almost no one votes for it or reports it as being looked at… Who would give a hairy rat’s behind about some stupid security patch huh? Right… Well I do.

So I have decided to just compile this thing myself. I have left the repository Bind installed and I have done this:

su

root's password

export PREFIX=`echo /usr/`

export PATH=$PREFIX/bin:$PATH

export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PREFIX/share/pkgconfig

cd /opt/

mkdir Bind

cd Bind

wget -c ftp://ftp.isc.org/isc/bind9/9.9.1-P1/bind-9.9.1-P1.tar.gz

tar xvzf ./bind-9.9.1-P1.tar.gz

cd bind-9.9.1-P1

./configure --prefix=$PREFIX --sysconfdir=/etc/

You can expect missing dependencies here. I had no problems whatsoever as I have a good few “devel” packages installed – try figuring out what You’re missing if You do run into a snag, then install it from Synaptic (without closing this window) and re-run the above configure step till there are no errors.

make

make install

ls --full /var/lib/named/var/

one of the listed items should look like this:

drwxr-xr-x 7 root root 4096 2012-06-15 23:51:43.468278052 +0100 named/

ls --full /var/lib/named/var/named

chown named:named /var/lib/named/var/named/

drwxr-xr-x 7 named named 4096 2012-06-15 23:51:43.468278052 +0100 named/

Now in this terminal window type in

tail -f /var/log/syslog

and leave it be.

Open another terminal window and run those commands:

su

root's password

named -v

the reply should look like this:

BIND 9.9.1-P1

service named restart

and the reply should look something like this:

Stopping named:                        [ OK ]
Starting named:                          [ OK ]

and in the same time in the first terminal window You should see output similar to this:

Jun 16 00:19:13 icsserver named[791]: starting BIND 9.9.1-P1 -u named -t /var/lib/named
Jun 16 00:19:13 icsserver named[791]: built with ‘–prefix=/usr/’ ‘–sysconfdir=/etc/’
Jun 16 00:19:13 icsserver named[791]: —————————————————-
Jun 16 00:19:13 icsserver named[791]: BIND 9 is maintained by Internet Systems Consortium,
Jun 16 00:19:13 icsserver named[791]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 16 00:19:13 icsserver named[791]: corporation. Support and training for BIND 9 are
Jun 16 00:19:13 icsserver named[791]: available at https://www.isc.org/support
Jun 16 00:19:13 icsserver named[791]: —————————————————-
Jun 16 00:19:13 icsserver named[791]: using 1 UDP listener per interface
Jun 16 00:19:13 icsserver named[791]: using up to 4096 sockets
Jun 16 00:19:13 icsserver named[791]: loading configuration from ‘/etc/named.conf’
Jun 16 00:19:13 icsserver named[791]: reading built-in trusted keys from file ‘/etc/named.iscdlv.key’
Jun 16 00:19:13 icsserver named[791]: statistics channel listening on 127.0.0.1#5380
Jun 16 00:19:13 icsserver named[791]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 00:19:13 icsserver named[791]: using default UDP/IPv6 port range: [1024, 65535]
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface eth1, 192.168.0.1#53
Jun 16 00:19:13 icsserver named[791]: listening on IPv4 interface ppp0, 31.200.150.65#53
Jun 16 00:19:13 icsserver named[791]: generating session key for dynamic DNS
Jun 16 00:19:13 icsserver named[791]: sizing zone task pool based on 19 zones
Jun 16 00:19:13 icsserver named[791]: using built-in DLV key for view _default
Jun 16 00:19:13 icsserver named[791]: set up managed keys zone for view _default, file ‘/var/named/dynamic/managed-keys.bind’
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 10.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 16.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 17.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 18.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 19.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 20.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 21.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 22.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 23.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 24.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 25.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 26.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 27.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 28.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 29.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 30.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 31.172.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 168.192.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: D.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: A.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: B.E.F.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 16 00:19:13 icsserver named[791]: command channel listening on 127.0.0.1#953

This should be it… You have compiled and are running latest patched version of Bind…

Regards.

Andy