So much for unified security?

I’m on my way back from a trip to Kansas City and as I approached security, I saw that the guy checking IDs was private security and not TSA like I’d seen at every airport I’ve been to in a while. As I walked past the ID checker, I saw that every security person was from a private company. Well, it looks like in the government’s efforts to standardize security at airports, they left gaping holes. The Aviation and Transportation Security Act of 2001 (ATSA) left the option open for airports, like Kansas City, to use First Line Security. This seems like such a waste as the government spent a lot of money to get away from private, inconsistent security at airports.

While I can’t say that I feel more or less secure going through Kansas City, I think that the inconsistency sends a very wrong message to the flying public.

Misguided financial values?

On the news the other night, we saw a story about how the stimulus package is providing jobs for some teenagers. The teenagers get paid $10 to work in different office capacities. In order to qualify, the teenagers must come from families that live below the poverty line. I’m not going to argue the merits of this program. They interviewed a few of the kids in the program and one kid said that he’d use some of the money to help out his mother, but then said that he was going to spend some money on himself to get a new cell phone. First off, is a cell phone necessary for everyone? I don’t know and don’t have to deal with that, yet. (My 2-year-old son plays with our cell phones, but he doesn’t have his own plan and doesn’t actually make calls.) Second, the kid pulls out his brand new iPhone. Let’s do a little math. With Apple’s new pricing, the lowest priced iPhone is $99. AT&T puts every iPhone on a minimum $30/month data plan in addition to at least the lowest priced voice plan, which is $39.99. Let’s also assume that the kid doesn’t do any text messaging. For a 2-year contract, that is $70/month * 24 = $1680 + $99 for the initial cost of the phone. I’ve excluded taxes for this example. So at $10/hour, this kid has to work 180 hours, or effectively one month full time, to pay for this gadget.

It would seem to me that somewhere kids need to be taught fiscal responsibility and to save money for college, a rainy day, or something else. If the parents can’t help, maybe it should be a mandatory class in high school. During the summer when I was in college, I worked full time and pretty much saved every penny I earned in order to pay for my half of college (my parents made a deal with me that they’d pay for half of my college and I had to figure out how to pay for the other half). I worked with my father to come up with a budget, put in a few things I wanted to buy including a road bike, and figured out how to pay for everything by working and taking out loans.

I know that I’m quite lucky that my father made me fiscally responsible at a young age (I started saving for retirement when I was 12). Actually, maybe I’m a bit too responsible as I’m always concerned about money when sometimes I don’t need to; however, I believe that I’ll be able to meet all my financial goals.

Leopard Server Password Reminder

Leopard Server’s LDAP implementation allows an administrator to set requirements about user passwords, such as length of password, what characters it must include, how often it must be changed, etc. One major oversight on Apple’s part is a facility to inform users that their passwords will expire. Maybe if users log in via AFP or use Network Home Directories they’d see a message, but we’re using LDAP for authentication from a bunch of other servers. As I didn’t want to have to remember to remind people to change their passwords, I came up with a script to handle it for me. I’ve seen other scripts out there, but they made some assumptions that didn’t work for us. Our mail server is on a different machine and usernames don’t match email addresses, so my solution had to be robust. The only requirement for my script is that the email address has to be filled in for the LDAP entry. Also, you must have some facility for users to change their own passwords. We’re using a WebObjects program we found to let users do this.

You’ll need to change the LDAP server name and the number of days to send out the reminder; we require password changes every 90 days, so I send the reminder seven days before. This is run via a crontab at midnight (or so) each evening.

I’m not an awk master, but this seems to be working fine:

#!/bin/sh
# Accumulated "epoch-seconds username" pairs, one per password change
datelogfile=/backups/datechange.log
tmpfile=/tmp/passwordchange.tmp

# Pull every "changed" entry out of the Password Server logs, convert the
# timestamp to epoch seconds and append "epoch user" to the date log.
grep -h "changed" /Library/Logs/PasswordService/ApplePasswordServer.Server.log* | awk '{ test=$1 " " $2 " " $3 " " $4; cmd="date -j -f \"%b %d %Y %H:%M:%S\" \047"test"\047 +%s"; cmd | getline day; close(cmd); {printf day " " $13"\n"}; }' | sed s/}/' '/g >> "$datelogfile"
# Keep only the most recent change for each user (uniq on the username field)
sort -r "$datelogfile" | sort -r -k 2 -k 1 - | uniq -f 1 | sort -r - > "$tmpfile"
cat "$tmpfile" > "$datelogfile"

# Walk each line in $datelogfile
# See if the date > 83 days ago. If it is, send out a password change reminder
cat "$datelogfile" | awk '{ cmd="date -v-83d +%s"; cmd | getline expire; close(cmd); { if ($1 < expire) print}}' > "$tmpfile"
# Look up each due user's mail attribute in LDAP and pipe the reminder to sendmail
cat "$tmpfile" | awk '{test=$2; cmd = "ldapsearch -x -H ldap://ldap.gruby.com -b cn=users,dc=ldap,dc=gruby,dc=com uid=\047"test"\047 mail";  while ((cmd | getline) > 0) {if ($1=="mail:") {newcmd = "echo \"From: it@gruby.com\nTo: "$2"\nCc: it@gruby.com\nSubject: Password Change Reminder\n\nYour password will expire in less than 7 days. Please visit:  to change it.\n\n\nIf you have any questions, please contact it@gruby.com.\n\n\n--\nit@gruby.com\n\" | sendmail -bm -t"; newcmd | getline; close(newcmd); break;}} close(cmd) }'

rm -f "$tmpfile"
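The same pipeline in Python, as an added example that is not the post’s script: it keeps the latest change per user, applies the post’s 90-day/7-day rule (reminders at 83 days), and picks the mail attribute out of ldapsearch output. The log lines are constructed and their field layout is an assumption; the actual mail sending is left out so the example runs offline.

```python
from datetime import datetime, timedelta

MAX_AGE_DAYS = 90                             # policy: passwords expire after 90 days
REMIND_BEFORE = 7                             # send the reminder a week ahead
REMIND_AFTER = MAX_AGE_DAYS - REMIND_BEFORE   # 83 days, as in the script

# Constructed sample log lines (not real server output); the user is the last field.
SAMPLE_LOG = [
    "Jun 01 2009 09:15:02 passwordserver: password changed for user {alice}",
    "Jun 01 2009 09:20:44 passwordserver: password changed for user {bob}",
    "Jun 05 2009 17:02:10 passwordserver: password changed for user {carol}",
    "Jun 10 2009 08:00:00 passwordserver: password changed for user {dave}",
    "Jul 20 2009 12:30:00 passwordserver: password changed for user {bob}",
    "Jul 21 2009 12:31:00 passwordserver: login failed for user {erin}",
]

def latest_change_per_user(log_lines):
    """Return {user: datetime of most recent 'changed' entry} (the sort|uniq step)."""
    latest = {}
    for line in log_lines:
        if "changed" not in line:
            continue
        fields = line.split()
        when = datetime.strptime(" ".join(fields[:4]), "%b %d %Y %H:%M:%S")
        user = fields[-1].strip("{}")
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest

def users_due_for_reminder(latest, now):
    """Users whose last change is older than REMIND_AFTER days."""
    cutoff = now - timedelta(days=REMIND_AFTER)
    return sorted(user for user, when in latest.items() if when < cutoff)

def due_users(log_lines, now_str):
    """Wrapper taking 'now' in the log's own timestamp format."""
    now = datetime.strptime(now_str, "%b %d %Y %H:%M:%S")
    return users_due_for_reminder(latest_change_per_user(log_lines), now)

def mail_from_ldif(ldif_text):
    """Pick the 'mail:' attribute out of ldapsearch output, like the awk loop;
    None means the entry has no address and no reminder can be sent."""
    for line in ldif_text.splitlines():
        if line.startswith("mail:"):
            return line.split(":", 1)[1].strip()
    return None

if __name__ == "__main__":
    print(due_users(SAMPLE_LOG, "Aug 30 2009 00:00:00"))   # ['alice', 'carol']
```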

Apple, please add some polish to the LDAP server; adding a little user interface on OpenLDAP is nice, but it isn’t finished. Building in the password change ability and the reminder system would be a good start. In addition, it should be secured out of the box by making the “require authenticated binding” setting actually work (I’ve ranted about this in the past; as it stands, this makes it impossible for us to expose our LDAP server to the outside world and use it for integrating outsourced services like Salesforce that will do LDAP authentication to our server).

Linux on a cell phone

Like other geeks, I downloaded the Pre webOS SDK and installed it. While I don’t have time (I’m not sure where all my time goes) to actually write code (I’d have to learn JavaScript, which shouldn’t be too hard, but lack of time is the problem), I did want to at least kick the tires.

I didn’t quite know what to do with the SDK, but reading the “homebrew” forums over on precentral.net led me to a program in the SDK called novaterm. I hooked up my Pre, ran novaterm, and then got a big smile on my face. Here I was executing commands on the Pre as root. I was able to use top and uptime, as well as navigate the directories. For most users, this doesn’t mean much, but I’m a huge Linux/UNIX fan and have been for years. There are just some things that you can only do on a command line or things that are faster to do with a command line. (Luckily Mac OS X gives me the best of both worlds: the beautiful GUI and a command line interface.)

Only in Santa Cruz

This past weekend, I was in Santa Cruz with my family for my in-laws’ 40th anniversary. While we were sitting in traffic, I saw the passenger of a car get out (traffic was stopped), go to the trunk, open it, open a cooler and pull out what must have been a beer, and then get back in the car. That was the first time I’d ever seen anything like that, but it didn’t stop there. A few minutes later, the passenger of the car in front of the cooler car got out, went to the trunk of the cooler car, got something out of the cooler and walked back to his car.

My wife said “only in Santa Cruz”. I’ve only been to Santa Cruz once before, so I don’t know if other people do this. It seemed quite strange and, depending on whether the beverage in question was of the alcoholic variety and was opened, it could have been illegal.