Pages exported to http://planet.debian.org.
Audit your debian uploads
My bank is sending me an e-mail every time I log into the home banking system, so that I can spot malicious logins.
My credit card is sending me a SMS message every time it gets charged, so that I can spot malicious charges.
Can I get a notification of every Debian upload done with my key, so that I can spot if my key has been stolen?
Let's work on that. As a start, thanks to Ganneff, here is how to do a one-off audit:
# go to merkel to access projectb, which is the postgresql database
# with all dak information
$ ssh merkel
merkel$ psql projectb
# look up the database id of my fingerprint (matching on the last 8 hex digits
# is a convenience: check that the full fingerprint in the result is really
# yours, since short key ids are not unique)
projectb=> select id, fingerprint from fingerprint where fingerprint like '%797EBFAB';
id | fingerprint
-----+------------------------------------------
394 | 66B4DFB68CB24EBBD8650BC4F4B4B0CC797EBFAB
(1 row)
# get a list of all uploads done with my key, sorted by date
projectb=> select * from source where sig_fpr=394 order by install_date desc;
First you get to do it (done); then you document it (done); then you automate it. It's quite trivial at this point, so enjoy the new Debian upload monitor.
It's got search as you type to find your full fingerprint, then you get an HTML page with the log of your uploads in the last 2 months, and the page has an RSS feed that you can use to track your own uploads.
Also, generating all this static content is acceptably fast:
merkel$ time ./deb-key-audit
real 0m7.145s
user 0m4.244s
sys 0m0.384s
If you want to see the code, you can git clone
http://merkel.debian.org/~enrico/keylog.git
Currently it wrongly encodes UTF-8 characters: I suppose the strings come out of the database as ASCII instead of UTF-8. A patch would be welcome to fix that.
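The "automate it" step, as an added example in POSIX shell (this is not the keylog.git code from the post). It takes the rows the audit query above produces when exported unaligned, one "source|version|install_date" per line, keeps a state file of uploads already reported, prints only the new ones and can turn them into a feed. The column names `source` and `version` are an assumption about the dak schema (the post only shows `sig_fpr` and `install_date`); the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not the keylog.git code from the post: the "automate it" step
# as a cron-able POSIX shell script. Input rows are what the audit query yields
# when exported unaligned, one "source|version|install_date" per line, e.g.
#   psql -A -t -F '|' projectb -c "select source, version, install_date
#      from source where sig_fpr = 394 order by install_date desc"
# ("source" and "version" are assumed column names; the post only shows
# sig_fpr and install_date).

# report_new_uploads STATEFILE   (rows on stdin)
# Prints the rows not yet recorded in STATEFILE, then records them, so every
# upload is reported exactly once. Mail the output to yourself from cron and an
# upload you did not make shows up as soon as the job runs.
report_new_uploads() {
    state=$1
    [ -f "$state" ] || : > "$state"
    sort -u > "$state.incoming"                      # rows from stdin, sorted for comm
    comm -13 "$state" "$state.incoming"              # lines only in the incoming set
    sort -u -o "$state" "$state" "$state.incoming"   # remember everything seen so far
    rm -f "$state.incoming"
}

# rss_feed KEYID   (rows on stdin) -> minimal RSS 2.0 document, one item per upload
rss_feed() {
    printf '<?xml version="1.0"?>\n<rss version="2.0"><channel>\n'
    printf '<title>Uploads signed with key %s</title>\n' "$1"
    while IFS='|' read -r src ver date; do
        printf '<item><title>%s %s</title><description>installed %s</description></item>\n' \
            "$src" "$ver" "$date"
    done
    printf '</channel></rss>\n'
}

# Constructed sample run: two uploads on the first pass, one new upload on the second.
DEMO=$(mktemp -d)
printf 'dpkg|1.14.18|2008-04-30 10:00:00\nlibpqxx|2.6.9-5|2008-04-29 09:30:00\n' > "$DEMO/pass1"
printf 'dpkg|1.14.18|2008-04-30 10:00:00\nlibpqxx|2.6.9-5|2008-04-29 09:30:00\nnewpkg|0.1-1|2008-05-01 17:00:00\n' > "$DEMO/pass2"
report_new_uploads "$DEMO/seen" < "$DEMO/pass1" > /dev/null      # first run: both rows are new
report_new_uploads "$DEMO/seen" < "$DEMO/pass2" | rss_feed 797EBFAB  # second run: only newpkg
```

The state file is the whole point: a stolen key is spotted by an upload you do not recognise, so the job must report each upload once and never lose track of what it already showed you.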
I will now contact QA to see what we can do with it; if it ends up fitting in some bigger picture then it may be that the RSS links will change, but I'll post about it in that case.
Posted Thu 01 May 2008 17:15:50 CEST
Meet the Italian income agency
The Italian income agency decided to publish online all the income levels for each and every single citizen and company in the country.
I did not manage to see the actual data, because the entire income agency website was swamped with requests and timing out all the time. You should have heard the comments of my accountant, who every day needs to access other parts of the website for work.
That service is supposed to have been taken offline now, after the Italian privacy watchdog issued a polite What The Fuck! Why Didn't You Tell Us Anything About This? sort of note. The minister defended himself by saying "I can't see what is the problem, it's the same in all the world: if you want proof just watch any American TV series". What a wise man. I should watch some of The Greatest American Hero again.
Since I could not see the actual data, I could not verify if what people were saying was actually true, that is, that income information was published together with the full home address, providing a nice shopping list for house robbers, kidnappers and the other kind of professionals that would politely wait next to your door for you to come home late in the night.
But fear not, the website was protected from bots: it used a captcha.
Not only that: in order to comply with standard accessibility rules, the website used a perfectly accessible captcha:
You can't get more accessible than that: the captcha is displayed in plain text, so any accessibility technology will be able to read it. Plus, anyone can easily copy and paste it into the text box. And if someone needs to do it often, it's even trivial to write a script that does it for you!
But it's unfair to say that it was just plain text: it was cleverly encrypted:
<div class="educaptcha"><label for="educaptcha">I<!-- id9113507 -->nser<span>ire </span><span>nel c</span><span>ampo</span> di <!-- id5058508 -->v<span>erific</span><span>a suc</span><!-- id2643358 -->ces<span>sivo i</span><!-- id2500023 -->l valore <span>695</span><span>8571</span>4<!-- id3588853 -->:</label>
<input id="educaptcha" type="text" name="ucaptcha" value="" maxlength="10" size="20" /></div>
For your convenience, here is the version cracked with a malicious :%s/<[^>]\+>//g in vim. If you do not speak Italian, you can still look for this phrase in the screenshot above:
Inserire nel campo di verifica successivo il valore 69585714:
The meaning is of course:
Insert the value 69585714 in the following verification field:
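The "script that does it for you" the post alludes to, as an added example (not from the post) in POSIX shell, fed the markup quoted above as constructed input:

```shell
#!/bin/sh
# Added example (not from the post): the trivial script a plain-text captcha
# invites. Constructed input: the markup quoted above.
CAPTCHA_HTML='<div class="educaptcha"><label for="educaptcha">I<!-- id9113507 -->nser<span>ire </span><span>nel c</span><span>ampo</span> di <!-- id5058508 -->v<span>erific</span><span>a suc</span><!-- id2643358 -->ces<span>sivo i</span><!-- id2500023 -->l valore <span>695</span><span>8571</span>4<!-- id3588853 -->:</label>
<input id="educaptcha" type="text" name="ucaptcha" value="" maxlength="10" size="20" /></div>'

# strip_tags: the post's vim :%s/<[^>]\+>//g as a sed filter. The <!-- idNNN -->
# decoys contain no ">" of their own, so the same pattern swallows them too.
strip_tags() { sed 's/<[^>]*>//g'; }

# captcha_answer: the digits after "il valore" in whatever text survives strip_tags
captcha_answer() { strip_tags | sed -n 's/.*il valore \([0-9]*\).*/\1/p'; }

# captcha_field: the name= of the <input> the answer has to be posted in
captcha_field() { sed -n 's/.*<input[^>]*name="\([^"]*\)".*/\1/p'; }

# Put together, the form field a bot would submit:  ucaptcha=69585714
printf '%s=%s\n' "$(printf '%s\n' "$CAPTCHA_HTML" | captcha_field)" \
                 "$(printf '%s\n' "$CAPTCHA_HTML" | captcha_answer)"
```

The comments and the split spans only defeat someone copying the raw HTML by eye; anything that parses or renders the markup, including every screen reader, gets the digits back, so the "protection" costs bots nothing. A captcha that is readable by assistive technology is readable by a script for the same reason.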
It's been a fun day for Italians online.
Posted Wed 30 Apr 2008 23:11:55 CEST
How to not start a service by default
Use case: in my laptop, I sometimes need MySQL, PostgreSQL or Apache in order to test some software that I'm developing, but I do not want them on all the time.
The solution is: rm /etc/rc*.d/S*mysql* (thanks to Wouter). update-rc.d will not touch your symlinks as long as there is at least one still around for a package. Also, this leaves the stop symlinks around, so that when I start one of these services for development, it will still be properly stopped on shutdown.
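The same removal as a small script, added here as an example (not from the post), with the two checks that matter: only the S* start links are removed, and the K* stop links are counted afterwards to confirm that update-rc.d still sees links for the package. The rc*.d tree it runs on is a constructed fixture in a temporary directory; on a real system the ROOT argument is empty.

```shell
#!/bin/sh
# Added example (not from the post): remove only the S* start links for a
# service, keeping the K* stop links so update-rc.d leaves the package alone
# and the service is still stopped on shutdown. The fixture tree below is
# constructed; pass no ROOT (or "") to operate on the real /etc.

# disable_autostart SERVICE [ROOT]   -> prints how many start links were removed
disable_autostart() {
    svc=$1; root=${2:-}; removed=0
    for link in "$root"/etc/rc[0-9S].d/S[0-9][0-9]"$svc"; do
        [ -L "$link" ] || continue          # unmatched glob, or not a symlink: skip
        rm "$link"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# count_links S|K SERVICE [ROOT]     -> number of start (S) or stop (K) links left
count_links() {
    n=0
    for link in "${3:-}"/etc/rc[0-9S].d/"$1"[0-9][0-9]"$2"; do
        if [ -L "$link" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed fixture: Debian-style links for "mysql" under a temporary directory.
FIXTURE=$(mktemp -d)
mkdir -p "$FIXTURE/etc/init.d"
printf '#!/bin/sh\n' > "$FIXTURE/etc/init.d/mysql"
for rl in 0 1 6; do mkdir -p "$FIXTURE/etc/rc$rl.d"; ln -s ../init.d/mysql "$FIXTURE/etc/rc$rl.d/K19mysql"; done
for rl in 2 3 4 5; do mkdir -p "$FIXTURE/etc/rc$rl.d"; ln -s ../init.d/mysql "$FIXTURE/etc/rc$rl.d/S19mysql"; done

disable_autostart mysql "$FIXTURE"    # 4: one start link per runlevel 2-5 removed
count_links K mysql "$FIXTURE"        # 3: stop links in runlevels 0, 1 and 6 untouched
```

If count_links K reports zero for a package, the next package upgrade will run update-rc.d with no links present and recreate the start links, which is exactly the situation the post's trick avoids.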
Laptop stolen
Last Thursday I flew from Italy to Manchester as usual, and while walking home from Levenshulme railway station my laptop was snatched off me by a gang of thieves.
I've managed to give the police all the details of the laptop including the serial number. I could also precisely describe to them the dynamics of the incident pointing at places over satellite maps in google maps. And give them the time of the theft with 10 seconds accuracy. And show them pictures of all stolen goods with a few simple internet searches. They were impressed.
All sensitive data in the laptop are protected with one or two layers of strong encryption, and I have fresh backups, so the only work that I've lost was the work I did on the train and airplane on my way to the UK.
If anyone around Manchester or Stockport happens to see, in a Cash Generator or second hand shop, a suspicious looking white ASUS laptop with a Taiwanese keyboard (US-style keyboard with extra Traditional Chinese and Bopomofo glyphs on it), please quietly walk out of the shop, alert the police and send me an e-mail.
The day after the theft I managed to talk with a pub owner in the area, and there I learnt that pubs are networked and alert each other when suspicious people are roaming around. Lesson learned: if I see suspicious people around the street when I'm walking home with my laptop, it's a good idea to go inside a pub and ask how's the situation. That night, for example, they've been alerting their customers of the danger. I wish the railway station had done the same.
Posted Sat 19 Apr 2008 18:25:51 CEST
OpenStreetMap party at Kaohsiung, Taiwan
Apparently, yesterday we had the first OpenStreetMap event in Taiwan!
We met in a café/restaurant equipped with power plug, wireless network and overhead projector and we had a bit of an introduction, chat and lunch.
Then we split in groups and exploited the fact that the newly built underground (KMRT) system is still free of charge, to spread around and map around the stations.
Finally, we reconvened at someone's house to see how to put the data together, draw roads, tag and upload.
Highlights of the day:
- How to turn a serial GPS into a data logger with 6 hours battery life. Then attach it to your bike using magnets from broken hard drives. Totally rocks!
- Previous OpenStreetMap data was collected by only one person, who took the fancy new High Speed Rail from the opposite side of the country and joined the party. This also made discussion about standardising tags for Taiwan rather easy.
- A group of people appeared wielding a number of "totally insane in every regard" Garmin GPSMAP units: it turns out they are with a civil action group that goes around mapping historical trails, abandoned railroads, aboriginal routes and mountain crosses and so on. Apparently, they did not know about OpenStreetMap: hopefully they'll join in.
Technical bits:
- The eeePC was very popular, and very handy for going around storing tracks, as you can just chuck it in one bag. JOSM runs fine, although it could really use an interface redesign to fit in the small screen. In fact, it could really use an interface redesign to fit in the standard 1024x768 screen of my laptop.
- We could not use the tracks made with the Garmins because we did not know we had to do "Setup -> Map -> Lock On Road = Off" and it was on by default. Now we know it for next time.
- Something like a SirfStarIII really helps in a city made mainly of very tall buildings with lots of steel and glass. My Sony-based cheap GPS receiver that worked ok in the Bolognese countryside was next to useless here, continuously losing the fix and producing a crazy zigzagging track of doom, only useful to figure out big long straight roads.
- Geocorrelation of digital camera pictures rocks! Who needs to store waypoints when you can just take pictures with the digital camera and have them show up as waypoints in JOSM? The trick of taking a picture of the GPS time and using that to compute the time offset is great. Also, we found it easier to just fire up gpscorrelate to do the geocorrelation rather than figuring out how the tools in JOSM work.
Issues to address:
- There is a strong need for a zh_TW translation plugin for JOSM; I'll try to find out how to do it and pass on the information to who can do it.
- Road names could be written either in English or in Chinese characters. Currently English has been used for the name tag because osmarender cannot render Chinese characters. There is some planning to create an OSM mirror in Taiwan which renders twice, and allows choosing the rendering language for the map. I will try to get a planet.osm extract for Taiwan that people can use to experiment with this; thanks to people in #osm for giving me names of people to contact. I will try later after Europe wakes up from this even-earlier-than-usual Sunday morning.
Glitches in the Matrix
Korean car with Taiwanese license plate (edited to anonymise it) over EU license plate with (Portuguese??) numbers on the right, and Korea as country code.
Italian pasta sold by a British supermarket, in Taiwan.
Also, "Messicani" is not a kind of Italian pasta. Google for it, and you'll only find it mentioned in British websites.
Posted Tue 25 Mar 2008 04:29:07 CET
How to freak out a Frenchperson
The way to freak out an Italian, instead, is to show them a bottle of "Lambrini" in the UK.
Posted Mon 24 Mar 2008 15:40:49 CET
Italian National Anthem
Christian mentions that he likes the Italian National Anthem, although not the words.
No Italian in their right mind likes the words; luckily we are generally not forced to learn them, so we can allow ourselves to not give a damn about it. Which is our general strategy to deal with all the insanity we get every day.
What's the point of a nationalist anthem anyway, when the people who care most about the country are wishing for the Germans to invade us?
Anyway, here's my attempt at national anthem lyrics that suck less, for the benefit of those, like Christian, who like the music but not the words.
Posted Sun 23 Mar 2008 14:32:19 CET
Fratelli d'Italia
Italy has awoken,
Who the fuck is this Scipio
They've stuck on our heads.
There is no Victory
Offering her hair,
We are slaves of Rome
And of the Vatican.
Fingers crossed against fate,
We risk death,
Let's hope not.

For centuries we have been
Trampled, derided,
Because we are mafiosi,
Thieves and accomplices.
We risk once again
Getting Berluscone;
Of emigration
The hour has already struck.
Fingers crossed against fate,
We risk death,
Let's hope not.

Let us unite, let us love one another:
Union and love
Give back to the people
Their good humour;
Let us swear to have sex
On our native soil:
Let's screw, by God,
Who says no?
Fingers crossed against fate,
We risk death,
Let's hope not.

From the Alps to Sicily
We grant you amnesty,
Every man has Bettino's
Heart and hand,
The children of Italy
Play table football,
Bastard, whoever blends,
Gancin is not allowed.
Fingers crossed against fate,
We risk death,
Let's hope not.

Our politicians
Are all sold out:
From Austria you can smell
The stench of the garbage.
Working in Italy,
The black man, the Pole,
Off the books, by Jove,
I'll pay him.
Fingers crossed against fate,
We risk death,
Let's hope not.
make distcheck and LaTeX
When building LaTeX documentation in a VPATH build, if your .tex file includes other files in the same directory, LaTeX will complain that it cannot find them. The reason is that in a VPATH build, latex is invoked like this:
latex ../../doc/manual.tex
What we need here is an equivalent to cc's -Idir for latex.
latex --help doesn't mention any such option, nor any useful environment variables.
Googling a bit seems to suggest --include-directory=dir, but that gives me:
unrecognized option '--include-directory=../../doc'
The manpage doesn't list command line options. It however says:
The complete documentation for this version of TeX can be found in the info file or manual Web2C: A TeX implementation.
Without saying where that manual is, whether it's installed and where, what package installs it, or whether I should instead look it up on the web.
info latex gives the manpage itself, of course.
Googling the title of that manual finds it, and it's a long one. Reading through, it points at the kpathsea manual, which then mentions you can set TEXINPUTS_latex, which however does not add to the default search path but replaces it, so your document will find the includes maybe, but not the LaTeX styles and other stuff.
But then later on it mentions that in the env variable you can use "default expansion", and it's another page of manual to read which tells you to put an extra colon at the end of the env var.
After half an hour of googling and trying things and cursing loud, here is the solution, which I hope will save others from this ugly search.
# The trailing colon is kpathsea "default expansion": $(srcdir) is searched
# first, then the compiled-in default path, so the LaTeX styles are still found
%.aux: %.tex
	TEXINPUTS="$(srcdir):" latex $<
# Oh, yes, and bibtex requires BIBINPUTS instead
%.bbl: %.aux
	BIBINPUTS="$(srcdir):" bibtex `basename $< .aux`
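Why the extra colon matters, as an added example (not from the post): a POSIX shell model of kpathsea's "default expansion" rule. The default search path used below is constructed; the behaviour modelled is the one the kpathsea manual describes, where an empty path element (leading, trailing or doubled colon) stands for the compiled-in default.

```shell
#!/bin/sh
# Added example (not from the post): a shell model of kpathsea's "default
# expansion", to show why TEXINPUTS="$(srcdir):" finds both your includes and
# the LaTeX styles while TEXINPUTS="$(srcdir)" finds only your includes.
# kpathsea_expand_default VALUE DEFAULT_PATH
#   an empty element in VALUE (leading ":", trailing ":" or "::") is replaced
#   by DEFAULT_PATH; with no empty element, VALUE replaces the default entirely.
kpathsea_expand_default() {
    val=$1; def=$2
    case "$val" in
        "")    printf '%s\n' "$def" ;;                          # unset: default only
        *::*)  printf '%s\n' "${val%%::*}:$def:${val#*::}" ;;   # doubled colon: default in the middle
        :*)    printf '%s\n' "$def$val" ;;                      # leading colon: default first
        *:)    printf '%s\n' "$val$def" ;;                      # trailing colon: default last
        *)     printf '%s\n' "$val" ;;                          # no empty element: override
    esac
}

# Constructed default path: a typical texmf tree, "//" meaning recursive search.
TEXMF_DEFAULT='.:/usr/share/texmf//'
kpathsea_expand_default '../../doc:' "$TEXMF_DEFAULT"   # ../../doc:.:/usr/share/texmf//
kpathsea_expand_default '../../doc'  "$TEXMF_DEFAULT"   # ../../doc  (styles no longer found)
```

On a real TeX installation `kpsewhich -show-path=tex` prints the actual default path and `TEXINPUTS='../../doc:' kpsewhich article.cls` confirms the styles are still found with the trailing colon.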
Posted Tue 18 Mar 2008 13:51:58 CET
Fields used by an LDAP Unix user database
Some notes about LDAP for Unix user management:
Meaning of fields for objectClass posixAccount:
- uid contains the username
- uidNumber contains the numeric UID
- gidNumber should have the numeric GID
- cn should contain the user's full name (optional)
- homeDirectory and loginShell contain what you think they contain
- gecos contains the gecos from passwd (optional)
- userPassword contains {crypt} followed by the encrypted password from /etc/shadow (md5 password hashes are ok as well; {SASL} is an interesting alternative). Unlike /etc/shadow, this attribute is only as private as your LDAP ACLs make it, so make sure anonymous and ordinary binds cannot read it.
- sn is the surname (optional)
- givenName is the given name (optional)
Meaning of fields for objectClass posixGroup:
- gidNumber is the group id
- cn is the group name
- memberUid attributes contain posixAccount.uid values
For objectClass inetOrgPerson: what you put there can be used as if it were a vCard by mail programs and contact lists.
Now, the name of people could potentially be split in cn, givenName, sn, gecos and displayName (possibly more): how would normal user tools deal with the redundancy? To show a gecos field, pam_ldap will search for a gecos field first, then automatically fall back on building a gecos field out of the other suitable info it finds. To show a name, sane programs try displayName first and if it's not present they guess using the rest.
Then there is the issue of how to choose the dn to identify users, groups and so on. Users usually go in uid=$USERNAME,ou=People,$SUFFIX, while groups would usually go in cn=$GROUPNAME,ou=Groups,$SUFFIX.
Should you need to create the People and Groups organizational units, this could be the proper bit of LDIF:
dn: ou=$NAME,$SUFFIX
ou: $NAME
objectClass: organizationalUnit
To add fields that are not already part of a schema, one needs to create their own schema. To do that, one needs to first obtain (free of charge) a Private Enterprise Number that is used in various places in the schema definition. Making up your own one means risking conflicts if you eventually grow larger. But it is rarely needed, because for most things there are already schemas available.
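Putting the attribute notes above together, as an added example (not from the post): a POSIX shell script that turns /etc/passwd, /etc/shadow and /etc/group style lines into the posixAccount + inetOrgPerson and posixGroup entries described, using the uid=...,ou=People and cn=...,ou=Groups layout from the post. $SUFFIX, the sample user, the sample group and the password hash are constructed.

```shell
#!/bin/sh
# Added example (not from the post): build the posixAccount/inetOrgPerson and
# posixGroup entries described above from /etc/passwd, /etc/shadow and
# /etc/group style lines. $SUFFIX and the sample entries are constructed; the
# uid=...,ou=People and cn=...,ou=Groups layout is the one the post describes.
SUFFIX='dc=example,dc=org'

# posix_user_ldif PASSWD_LINE SHADOW_HASH  -> LDIF for one user on stdout
posix_user_ldif() {
    hash=$2
    IFS=: read -r login pw uidnum gidnum gecos home shell <<EOF
$1
EOF
    fullname=${gecos%%,*}          # gecos may carry ",room,phone,..." after the name
    sn=${fullname##* }             # inetOrgPerson requires sn: use the last word of the name
    printf 'dn: uid=%s,ou=People,%s\n' "$login" "$SUFFIX"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$login" "$fullname" "$sn"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$gidnum"
    printf 'homeDirectory: %s\nloginShell: %s\ngecos: %s\n' "$home" "$shell" "$gecos"
    printf 'userPassword: {crypt}%s\n\n' "$hash"   # the shadow hash, never a cleartext
}

# posix_group_ldif GROUP_LINE  -> LDIF for one group, one memberUid per member
posix_group_ldif() {
    IFS=: read -r name pw gidnum members <<EOF
$1
EOF
    printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
        "$name" "$SUFFIX" "$name" "$gidnum"
    oldifs=$IFS; IFS=,; set -- $members; IFS=$oldifs   # split the comma list
    for m; do printf 'memberUid: %s\n' "$m"; done
    printf '\n'
}

# Constructed sample: one user with a placeholder crypt hash, one group.
posix_user_ldif 'alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash' '$6$constructed$notarealhash'
posix_group_ldif 'staff:x:50:alice,bob'
```

The output goes straight into ldapadd (for example `ldapadd -x -D "cn=admin,$SUFFIX" -W -f users.ldif`). Before loading real hashes, check the slapd ACL for the attribute: something like `access to attrs=userPassword by self write by anonymous auth by * none` keeps the hashes as private as /etc/shadow, since the default of letting everyone read every attribute would publish them.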
Many thanks to Wouter and noshadow for allowing me to crudely extract all this content from their brains.
Posted Sun 09 Mar 2008 17:05:55 CET