yaleman.org

A B2 Super Battle Droid

This is the second B2 Super Battle Droid we’ve been given, the first one was on Day 21 of the 2012 Star Wars Advent Calendar 🙂

A young man off to the post office

So, the last couple of years I’ve been posting the Advent Calendar set of the day from the LEGO Star Wars and LEGO City box sets. The most mind-numbing part of this was creating the page and tagging it each day, so this year I decided to pre-populate the system with the posts ahead of time.

I leveraged some information on the net and a terrible PHP script, listed below. Whatever you do, I wouldn’t recommend using this on a production system without FIRMLY understanding what’s going on 🙂

In the process of locking down our servers we’ve been setting up host-based firewalls on one of our internal FTP servers.

The default thing was to deny access to everything but ICMP and SSH, good start.

Our first command was to only allow a given host access to port 21, FTP:

sudo iptables -I INPUT 1 -s 10.1.2.3 -p tcp -m tcp --dport 21 -j ACCEPT

This allows the client to connect:

Here’s an annoying one when building a custom splunk search command using the python SDK:

"Error in 'script': Getinfo probe failed for external search command 'testscript'"

This mean you have:

1. "supports_getinfo = true" set in commands.conf for that particular command
2. failed to set a docstring for one of the splunk elements within the command.
   1. Check your instances of Option and set doc=""
   2. Set a docstring for the class itself, but you already did that anyhow, didn’t you? 🙂

Another issue that may occur is this one:

So, when you have services available to the world through your external address/hostname, it’s nice to be able to access them via that as well. “Hairpinning” or Hairpin NAT is the term for the NAT redirection required to make this work.

Update 14/3/16: It’s been raised to me that it’s best to use split-DNS for this particular example, but it’s designed to be a simple one for documentation purposes. There’s much better ways of solving the problem, but:

1. you don’t always control DNS,
2. the service might be entirely IP-based - like IPsec,
3. the service might have different internal ports to what’s externally facing (and can’t be reconfigured)

Amongst a whole host of other reasons. Just trust me 😉

Paul Blackburn - Julio Cortázar from Cronopios and Famas “The Instruction Manual”

(A Spanish Text)

Preamble to the Instructions on How to Wind a Watch

Think of this: When they present you with a watch they are gifting you with a tiny flowering hell, a wreath of roses, a dungeon of air. They aren’t simply wishing the watch on you, and many more, and we hope it will last you, it’s a good brand, Swiss, seventeen rubies; they aren’t just giving you this minute stonecutter which will bind you by the wrist and walk along with you. They are giving you—they don’t know it, it’s terrible that they don’t know it—they are gifting you with a new, fragile, and precarious piece of yourself, something that’s yours but not a part of your body, that you have to strap to your body like your belt, like a tiny, furious bit of something hanging onto your wrist. They gift you with the job of having to wind it every day, an obligation to wind it, so that it goes on being a watch; they gift you with the obsession of looking into jewelry-shop windows to check the exact time, check the radio announcer, check the telephone service. They give you the gift of fear, some­one will steal it from you, it’ll fall on the street and get broken. They give you the gift of your trademark and the assurance that it’s a trademark better than the others, they gift you with the impulse to compare your watch with other watches. They aren’t giving you a watch, you are the gift, they’re giving you yourself for the watch’s birthday.

I had a friend trying to download the IOS 7.1.2 image for his iPhone 4 (which he’d just about bricked installing IOS8 on) and was having a weird issue.

It looks like if the server sends the content-type “application/octet-stream” it’ll try to download it with the extension .zip instead of the original extension. This is because of MIME sniffing, which only reads the first 200 bytes of the file to try and guess - rather than just trusting the server and not being a tool about it.

Getting an error like this one?

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

1. Open the registry editor as a local-administrator level account.
2. Look for the folder {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2} which is under HKEY_CLASSES_ROOT\Wow6432Node<wbr>AppID
3. There should be an entry matching the following:
   • Name: RunAs
   • Type: String
   • Value: Interactive User
4. Rename this entry to _RunAs so it doesn’t apply any more. This will likely require you to add permissions to the folder giving you full control.

Voila, it should be working - remember to revert your permissions changes, they’re inconsequential.