So, if you haven’t heard, there’s a flaw in the WPA2 protocol. Read about it if you don’t know.
Since have a specific model of Ubiquiti UniFi WiFi AP, I figured they’d have an update quickly, which they did. However, I didn’t anticipate trouble in updating to latest firmware (18.104.22.16837). It took a LONG time to finally get it updated. Essentially, the update via the controller would fail to update, even though it would say it was going to update to the right version. The AP would blink happily, then reboot on the same version of the firmware, over and over. I tried other means, including trying local and ssh/scp update methods. Same result. In then end, this and this and this helped me diagnose a very odd situation:
- Controller or other udpates failed because it was using https:// URLs to download the update
- SSL verification built in fails because the time on the AP was not updated (was December, 1969)
- Time on the AP was not synced (via NTP) because my local NTP server (on my router) was not functional.
- my local NTP server was not functional because I had my DNS server pointing to non-standard (non-logging, private) DNS servers.
- Those private DNS servers were failing to resolve some things, AFAICT, including pool.ntp.org
After updating my DNS servers (now using google again – not my first choice since they log my queries), which fixed NTP server, which allowed me to upgrade the firmware on my PFSense router (which wasn’t getting updates because of the DNS issues) which made NTP happier yet, which allowed the WiFi AP to get the correct time, which allowed the upgrade to happen properly.
In the past I’ve used “raw”
pf on FreeBSD as a firewall for a variety of situations both large and small, but this week I started playing with an inexpensive, fanless, multi-NIC box as a potential firewall and router running pfSense. Interestingly, the first thing I realized is that I could not find in pfSense any completely user-friendly (read: single checkbox) option to turn all but the WAN-designated NIC into a single bridged “LAN”. Seems like a pretty basic thing someone would want to do as a home router, or simply avoid the switching overhead of packets amongst different subnets. A quick search for other solutions didn’t turn up one that I thought was really complete, hence this guide.
For a number of reasons, I’ve been playing with OneTimeSecret, a nice little service that allows you to share a secret with someone else and know that it can only be viewed once. Additional features such as Time To Live (TTL) and Encrypted secrets, plus direct email to the intended recipient are nice bonuses.
However, I was wanting to incorporate the sharing of secrets into a shell script, and while the RESTful API is helpful, and I could have used
curl, I decided that I could easily provide a simpler interface with functions for scripts and a command line interface. Check it out on GitHub.
So, you’ve got a nice large 30″ display (e.g. Apple 30″ Cinema Display or Dell 3007WFP) that can render 2560×1600 @ 60 Hz, but it has a Dual-Link DVI connector. And, you have a nice new MacBook Pro 2016 with only USB-C connectors. You might think it would be easy to connect, but this might turn out as a total PITA, because any straightforward solutions (involving simple adapters with physical compatibility) won’t cut it – it’s more complicated…
So, you’ve ignored those SMART errors for a while now, haven’t you. Now you realize that there might actually be something going wrong with your hard drive. You try to naively copy data off, but it fails. But, no worries, there is an option to
dd that can help you get most of the data off:
dd if=/dev/sdc of=/home/me/sdc.dd conv=noerror,sync
or, if using
dd if=/dev/vg0/failing-lvm of=/dev/vg0/new-lvm conv=noerror,sync
conv options specify that
dd should ignore read errors, and to synchronize the read position with the write position when those errors occur. The file
sdd.dd or new
lvm volume could now be mounted:
mount -o loop -t ntfs /home/me/sdd.dd /mnt/old
Hopefully you can recover (most of) the files now.
Got VMs? Have local servers at home? Connecting to a VPN? Want to do ALL at the same time and still be able to use typical DNS name resolution to reach the local domain hosts and your VMs? Doing this from a Mac?
To solve the problem of having different, local-only DNS/resolver lookups on Mac, e.g. for a set of local VMs for experimentation, you could encode the hosts into the
/etc/hosts file, but you could also run a local instance of
dnsmasq. But then how do you tell your Mac to get addresses from that local server or any other (local network) server.
Today, I tried to setup
ssh public keys on our Dell PowerConnect Switches, figuring that good key authentication should be more secure and easier than simple password auth, right? Clearly someone is in the camp of “fallor ergo sum” on this one, and I suppose it might be me.
If you’ve ever added a
ProxyCommand directive to your
ssh config file, sometimes you might be on a portable computer only need that directive sometimes. Other times you might be behind that nasty corporate firewall or on the network with the proxy server? Since the
ProxyCommand configuration item can be just about anything you like, as long as it reads from standard-input and writes to standard-output, we can use that fact and write a wrapper around to only invoke a proxy connection when needed. I’ve written such a script and use it regularly to tunnel through HTTP Proxy servers or to jump through intermediate hosts.
Can’t use SSH on the standard port 22? Need to tunnel through a proxy server? Work behind a draconian firewall and can’t SSH directly? No problem. This document will hopefully show you how to tunnel through an http-proxy server without any server-side modifications.