korki’s corner

In the past month I shopped from 4 different online stores various electronics. After a while I decided to post my experiences about them in a greek froogle like “forum” / price search engine named skroutz (totally misspelled, pronounced in Greek “scrooge” with the exact same meaning).

The skroutz system

First of all the classification and the evaluation done by skroutz is peculiar.  The are in the eshop business and probably they are protecting their customers, in the sense, that they have to verify whether  one is a legit customer of a shop or not (the actual verification is. I am not sure how well this work (I am pretty sure that things might turn bad) but so far in my experience no censorship has happened in order for a shop (their customer) to be protected.

How to evaluate the presales “engineering”?

This is a tough one. There are some obvious metrics (ie no damaged goods, no used goods, solid handling, and timeframe keeping). I have all those years huge amounts of experience on all fields (torn books from amazon due to incorrect handling, etc) but all in all I don’t have to say much about my critique on these shops. Some where delayed more than they should, but all arrived in excellent condition.

The Rant

For the only shop (I won’t name it of course) that I had bad experiences is the one that went off the time frame, they indicated in their site. I didn’t mind waiting a few days more (I waited ~15 business days) or less, the items I ordered were not high priority. What irritated me the most was the fact that every now and then those people were calling me in my cellular phone, to state the fuckin’ obvious: “Your shipment is going to be delayed, we are really really really sorry… blablabla“. Why didn’t they sent me an(some) email(s) instead? Why did they wasted precious communication resources instead of sending me an email? Why did they waste my time (they were calling business hours) in meaningless conversations? 

Some times I wonder what kind of business policy is that. I really do adore the shops that are quiet and call only in ultra emergencies (ie a Greek online book store once called me to tell me that the book I ordered is going to be reprinted with some updated info and whether I would like to order that instead the one I had ordered. - I REALLY APPRECIATED THAT CALL! I Love protoporia.gr)

Final thoughts

It is not good customer relationships to call me every second day. Good customer relationships are to have the goods in time and in order. please keep that in mind. The best virus -they say- is the one that gets the job done, while you have never heard of. IMHO this quote applies almost everywhere.

First of all it is doable. In order to understand why this doesn’t work you need to have moderate knowledge of basic binutils[and this] usage.

1) your app doesn’t play because the morons at Arobas aka the guitar-pro developers, didn’t QA their product for AMD64 (this includes also EMT64 - and in general can be referred as x86_64 problem). HOW frakin hard is it to build against a 64bit system? Do you expect people to pay 60Euros and spend 1/2 - 1 - 2 or 6 hours* just to (re)install a non 64bit linux OS in order to use your product? How arrogant are you?

2) Ok after the flamethrower back to our business. In order to use guitar pro it is probably a good idea to create a separate use in order to run it (If these people can’t cross build then who knows how many security issues exist in their product).

Read more

It’s been a while since I’ve started using pfsense (almost 2 and a half years) and prior to this last month it operated flawlessly. This month though, it started having some hiccups, which led to random reboots (R). These days I have some spare time, and I feel uber productive (wrote 2 patches for pdfcrack and other minor work) I thought that this would be a nice opportunity to contribute some code to pfsense since I wanted to give something back to the tool.

I had ruled out any problems in hardware; I tested memory for 12 hours (memtest86 - during this period I had no internet :S) and another 6hours to check my disk using badblocks. I also wrote a something like a “watch” script that was calling mbm and threw most of its output to syslog (via logger). Then I had configured syslog to deliver logs to a remote host in order to overview it. Unfortunately nothing critical came out of the syslog, so I guessed that had something to do with the other components (kernel/packages)

I started looking the code and at the same time I logged in at their irc channel at irc (freenode / #pfsense) I had some minor issues with the tools especially some scripts that in my opinion caused the problem (1 change-set). Also some other minor issues were fixed like the relative reference of index.php at fbegin.inc etc. In total I had 4 change sets and a brand new recompiled FreeBSD kernel, which stabilized my system and made router not  randomly rebooting. At the same time I wrote to the irc about various stuff, when I understood that some pfsense packages couldn’t be uninstalled via the web-gui. That would be normal, since I was already getting my hands dirty, I got some guidelines from the pfsense irc channel (many thanks to operator jim-p-work) and then I tried to solve it my way (btw one may use the pfsense dev shell and there he can write a strange mixture of php and shell commands and execute them using an exec statement . Ugly I guess but probably useful.)

When I tried to use the shell things got messier. I was keeping an eye at :

1. authgui.inc
2. guiconfig.inc
3. pkg-utils.inc
4. pkg_mgr_install.php

and trying to find a solution to my problem. the idea was simple run similar things like the webgui but at the same time having an overview of the process. As I kept looking at the pfsense code of the above files a simple thing was coming to mind CSRF/XSS. People at the channel told me that it was the second time one reported such problems, and obviously enough everyone that has even worked for a month as a web-developer knows and can easily identify such a problematic code. To tell a long story short this happens by running server side scripts using variables passing via GET requests. The simplest scenario that comes to mind is that a misbehaving user can lure the admin to firstly open a pfsense webgui tab and then ask him to connect to one of his pages. Then by knowing simply the ip address of the router that the admin is connecting (on the private side ie 192.168.1.1)  is sufficient to mount the attack. In my review I looked only at pkg_mgr_install.php which a remote user could easily enough by having the above knowledge to uninstall snort and other mission critical packages. Currently there are at least 620 GET variable references in the pfsense and I am not quite sure on the security impact. I haven’t reviewed the whole codebase, and to be frank I am not willing to.

Why? The code is simply a mess. I am not sure if this is the effect of working with paranoid perfectionists in the past or if the code is simply ugly and unreadable. I wondered many times how someone can maintain such a codebase. I shared my concerns with GeekGod (aka sullrich @ pfsense) but the conversation was private and I intend to keep it that way unless he doesn’t mind sharing. After the small code review (less than 4hrs spent) in my opinion pfsense currently is “an accident waiting to happen” especially if you have some kind of open infrastructure.

Currently I am searching for something new to kick out pfsense, and for the first time, in my life besides the feature sets, I also review the code, to see if the project can be entrusted. So far I think ClearOS is better, with a much cleaner code base, but I will get back on that sooner than later with a small review on the webgui routing distros I’ve tried (I hope :P)

After all this is what open-source is all about, right?

Αυτή η εβδομάδα (μάλλον το τέλος της προηγουμενης μέχρι την δευτερα) βγήκα και πήγα σε πολλά public events, και στα οποια θα ήθελα να αναφερθώ σε επόμενα posts.

• Escape Lanparty
• Artware festival
• Η ΚΙΝΗΣΗ ΠΟΛΙΤΩΝ ΠΑΤΡΑΣ ΕΝΑΝΤΙΑ ΣΤΙΣ ΚΕΡΑΙΕΣ ΚΙΝΗΤΗΣ ΤΗΛΕΦΩΝΙΑΣ

Στα επόμενα post θα αναφερθώ μερικώς η διεξοδικά στα παραπάνω events

Η ιστορία επαναλαμβάνεται, σε άλλο πεδίο. Δεν θέλω να εκφράζω συναισθήματα και λέξεις για τους καραγκίοζηδες που επιλέγουν κρατικοδίαιτους τραγουδιστέ/αστέρες και όλο το συναφές στερέωμα PUBLIC RELATIONSHIPS και δεν συμαζεύεται από τα γαμμημένα τα χρήματα που με αναγκάζουν να πληρώνω κάθε μήνα στην κωλοΕΡΤ μέσω της κωλοΔΕΗ.

Για αυτό που λυπάμαι είναι οτι με τα ίδια χρήματα 1000-1500 άνθρωποι θα είχαν μια υποτροφία για να συνεχίσουν τις σπουδές για 2-3 χρόνια τους και να προάγουν τον πολιτισμό όχι της μορφής του κιτς πανηγυριού της φιέστας των κουφιων lifestyle symbols αλλά στο πεδίο της έρευνας και της ανάπτυξης πολλών και διαφορετικών επιστημονικών πεδίων

ΠΡΕΠΕΙ ΝΑ ΑΝΤΙΤΑΧΘΟΥΜΕ ΣΤΗΝ ΜΑΛΑΚΙΑ ΚΑΙ ΤΗΝ ΣΑΠΙΛΑ ΤΩΝ LIFESTYLE SYMBOLS.

ΑΜΦΙΣΒΗΤΗΣΗ, ΑΠΕΙΘΕΙΑ, ΑΝΥΠΑΚΟΗ - ΚΛΕΙΣΤΕ ΟΛΟΙ ΤΗΝ TV

Το LifeStyle ειναι μαγικό γιατί μετατρέπει τα μηδενικά σε νούμερα…

ΥΓ το τραγούδι για το EURO έχει αρκετές ομοιότητες με την ελληνική συμμετοχή στην σκατό EUROVISION, μπορείτε να τις βρείτε;

Το Πανεπιστήμιο Πατρών [1] έχοντας σκοπό να υποστηρίξει τους φοιτητές του που δεν διαθέτουν μέσο μετακίνησης εισήγαγε τον θεσμό των πανεπιστημιακών λεωφορείων[2].

Όπως κάθε χρόνο έτσι και φέτος τα πανεπιστημιακά λεωφορεία δρομολογήθηκαν μετά το πέρας του χειμερινού εξαμήνου (επί 4 και πλέον μήνες οι φοιτητές ήταν υποχρεωμένοι να ανέχονται το ΑΣΤΙΚΟ ΚΤΕΛ ΠΑΤΡΩΝ με το πανάκριβο εισιτήριο και την άθλια αξυπηρέτηση - για να μην πω οτι μέχρι και αυτό το σημαντικό για κάποιους από εμάς ζήτημα αποτέλεσε χώρο μικροπολιτικής αντιπαράθεσης). Και όπως κάθε τι γίνεται σε αυτό τον τόπο από τους πολιτικούς δυνάστες μας έτσι και αυτή η υπηρεσία που υποτίθεται θα αποτελούσε το αντίπαλο δέος στο ΑΣΤΙΚΟ ΚΤΕΛ ΠΑΤΡΩΝ αυτή την στιγμή αποτελεί τον καλύτερο διαφημιστή του.

Με χρόνο αναμονής στην στάση από 40λεπτά μέχρι 2 ώρες , με αραιά και ανοργάνωτα δρομολόγια, και χωρίς να προγραμματίζει αυτά με γνώμονα τους φοιτητές και τα μαθήματα που αυτοί παρακολουθούν επάξια κατακτά την τιμητική διάκριση ΜΟΥΤΖΑ 2009.

Η απορία μου είναι απλή: δεν υπάρχει κανείς που να μπορεί να υπολογίσει πόσοι περίπου άνθρωποι θα είναι στην στάση κάθε δεδομένη ώρα; Τόσοι μπακαλίστικοι πολλαπλασιασμοί υπάρχουν για να κάνετε μια προσέγγιση. Θέλετε πιο ακριβή αποτελέσματα; Κρατάτε στατιστικά στα λεωφορεία.  Ζητήστε ΟΥΣΙΑΣΤΙΚΟ feedback από τους οδηγούς (πχ που γεμίζει το λεωφορείο και τι ώρα). Αν δεν μπορείτε να το κάνετε ευχαρίστως να σας βοηθήσω (κόβω και τιμολόγια παροχής υπηρεσιών)

Μέχρι τότε:

These days I am violating my shiny new pc in many ways (huge matlab datasets processing, with multiple concurrent vms running at 100%) so I would like to check out (without rebooting and entering the bios) some shit about my machine. Since I am totally F/OSS as far as the OS is concerned I don’t have the luxury of windows apps like cpuid, or whatever. So in order to check out about the o/c I had to find another way. And there is another way, two to be exact.

• The first is the lshw [1] progie (you know the drill gentoo fans ) emerge -vuDtN sys-apps/lshw

It is a good idea to build the frontend also (via the gtk USE flag). lshw is great. it provides you with tons of information, the cli’s ouput may passed as input (piped?) for anykind of shit you have in mind in anykind of enviroment, and is open source code. lshw (also known as Hardware Lister) is a small tool to provide detailed information on the hardware configuration of the machine. It can report exact memory configuration, firmware version, mainboard configuration, CPU version and speed, cache configuration, bus speed, etc. on DMI-capable x86 and amd64 (tested on both works flawlessly). For instance,

phenom2 ~ # lshw -class cpu
*-cpu
description: CPU
product: AMD Phenom(tm) II X4 940 Processor
vendor: Advanced Micro Devices [AMD]
physical id: 4
bus info: cpu@0
version: AMD Phenom(tm) II X4 940 Processor
serial: To Be Filled By O.E.M.
slot: CPU 1
size: 3400MHz
capacity: 3400MHz
width: 64 bits
clock: 200MHz
capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp x86-64 3dnowext 3dnow constant_tsc rep_good nopl pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt

• The second one is  a tool [2- 64bits]  [3 - 32bits] [4 - link to the amd’s search page] build by amd and for amd compatible cpus (haven’t tested it in intel archs though it would be funny) but unfortunatelly amd (what a surprise!) doesn’t provide exactly what one may want.

What I mean by that? If you download one of these distributions you  will find out that these are rpms [for those stuck with ebuilds and gentoo you can read more about rpm there 5] for two specific distros; Suse and Redhat! No gentoo, no slack no nothing… Not even a static build… Who the hell is the software release engineerer in amd? Of course there is a bypass to the rpm shit .

• One may extract the files out of the stupid rpms easily though;
  1. rpm2cpio CPUInfo-2_2_0_42-SUSE10364bit-Public.bin.rpm | cpio -idmv
  2. if you don’t have cpio (for gentoo users that’s impossible since its in the system) install it and proceed as advised
• and of course the extracted files are dynamically linked (YOU M#*$#@)DUMB*#$#*$)@# PLEASE PROVIDE US STATICALLY LINKED BINARIES OR GIVE OUT THE DAMNED SOURCE,s o it may or may not work in your platform depending on the libraries you have installed… sigh… (For me every single one worked)
  • CPUInfo is the "fantastic” executable the amd provides
phenom2 dumb-developers # ldd CPUInfo
linux-vdso.so.1 => (0×00007fffd35fe000)
…[many libraries including kdemultimedia!!!]…
libuuid.so.1 => /lib/libuuid.so.1 (0×00007f0dc65a9000)

Instead of a conclusion;  Linux users do yourself a favour and use truly opensource software. Not some binary shitty thing that a 13yr old kiddo written… And if you haven’t got the clue, USE lshw.

PS. If you dl’ed the amd’s rpm’s then you should see something similar to :

phenom2 amd # ls -l
σύνολο 6470
-rw-r--r-- 1 root root 611293 2008-11-18 10:52 CPUInfo-2_2_0_42-RedHatEnterpriseServer4U464bit-Public.bin.rpm
-rw-r--r-- 1 root root 1075290 2008-11-18 10:52 CPUInfo-2_2_0_42-RedHatEnterpriseServer564bit-Public.bin.rpm
-rw-r--r-- 1 root root 656880 2008-11-18 10:52 CPUInfo-2_2_0_42-SUSE102OSS64bit-Public.bin.rpm
-rw-r--r-- 1 root root 671294 2008-11-18 10:52 CPUInfo-2_2_0_42-SUSE10364bit-Public.bin.rpm


In my last blog post I commented dev-c++[1] to be way problematic! It is time to justify my saying.

So this article sums up to : why dev-c++ sucks! Remember that the dev c++ in question is the 5 beta version!

• Ancient platform
  • last updated: something in the last decade
  • gcc 3.4.3 (WHAT??? - I am currently 4.3.3-p1 on my gen2) while the dev c++ stable -version 4 [2]- has gcc 2.95
  • gdb 5.1.2 (lol - currently I am using 6.8)
  • using cygwin (no winapi for native windows runtimes)
• Totally immature
  • yeah right! after 5 years in beta stage this thing still crashes! yuppie!
  • cryptic project development
  • lack of standarized build tools (autotools, make, etc)
  • the way the gui controls the gdb seems problematic

The real question when you are about to choose your devenv is why having the wannabe devenv while you can have the real deal! Even the most unattended linux (i.e. slackware [3] :-P)  distro, have a decent gcc [4] accompanied with uptodate binutils [4] and coreutils [5],thus providing at least stable development enviroment.

If instead you insist on developing apps on windows make yourself a favour and choose a well adapted tool. i.e. Eclipse [5], netbeans [6] or Codeblocks [7]

(or teaching undergrads how to code in C)

Last semester I was asked to support a class of undergrads for an introductory course in programming languages (namely plain old ansi C). During the semester various problems made the students underestimate C and its capabilities (maybe even hating the lang), making the course not just boring but also incomprehensible;

One fact worth mentioning is the “educational approach” taken by one of the tutors [1]; He created a small intresting game app (battleship), that arouse the students curiosity and intrest to create the application (in fact some were intrested in using ncurses for the term handling), and during the app build up he introduced some important aspects of the C programming (i.e. datatypes, var scope, functions , pointers , arrays, dynamic mem allocs, etc…). At many levels students of this class had many chances to stimulate their creativity using C, and some did so.

During this quest of getting familiar with a sturdy programming language like C many people had “enough” issues (issues that somehow are not usually addressed and are carried along the programming lifecycle for ages, even after graduation ). Some of the important ones are:

• You shouldn’t create dynamic arrays. Period
  • Whille the following code is valid on some compilers (namely gcc) the programming concept is inconsistent with the primitive language ideas


...
int a;
scanf("%d",&a);
int arr[a];
...


• The implicit declaration of function xyz is not just a trivial warning that can cause no harm. This warning identifies a flaw in the programming habbits. When you use a function YOU must include the corresponding header where the prototype of this function lives!
  • For instance if you are using the <code>system</code> function, you ought to include the <code>stdlib.h</code> header. Of course usually there are no different implementation of the system function in the same arch but what about with the <code>malloc</code> directive? [hint: <removed the hint> ]. You may run into real trouble if you let the compiler decide the malloc behaviour.
• Casting! What can one say about casting… (incorrect) Casting is usally a reason for runtime errors (i.e. segfaults), so students should be extra carefull when casting
• Free the damned memory (I guess this is minor since when a programmer builds a memory intensive program he will take into account the needed memory but hey one should keep in mind that this may be a problem at one point)
• using the wrong tools building their apps
  • Well let me tell you… Using the stupid DevShed is the single worst IDE for C/C++ i’ve ever seen. If you are about to learn programming, you should use a tool that may be reusable at some point later (like all software components should do); So why not using some wonderful opensource multiplatform dev IDE like a) eclipse [2] b) netbeans [3] c)or even sun studio [4]. Why bother with something so immature like devshed?
  • CC. A developer should be able to use some command tools at some point. things like {c,g,’ ‘}make, ld, ar, gcc ,icc mayor may not need some finetuning at some point. so why not messing around with them a bit.
  • DEBUGGING: Mandatory! -g, -Wextra, -Wall maybe type checking for even stricter code (-pedantic and/or -ansi and/or -c99 and/or …)
    • Some use of gdb (do just a backtrace mate)
    • strace (if the students get a glimpse of system calls during the classes )
    • some other cool debugger that I haven’t heard of (please comment about it if it’s F/OSS)

This is the short version of the issues (certaintly I forgot lots of other minor cases) but in my opinion these are major issues a class should emphasize on (if you have any other on mind please elaborate)!

The police authority in Greece, has grown stronger and less controllable by the state. Yesterday (Saturday 6/12/2008) a cop belonging in some special police force called special guard, killed a teenager (16 years old) with his weapon.

As described by many capitalist media rooms [1 - greek] the teenager throw a bottle ,while being in a larger group of protestants, against the cop’s car, then the cop came out of the car and in cold blood he shoot the youngling, after firing two rounds in the air.

The indymedia network in greece [1-greek][-2-greek] reported that after the bottle throw incident, the cop talked with the teenager, and when the dispute seemed resolved, he got psyched up, and declared that he is the law and he will say when the dispute was over. Afterwards he pulled his gun and started firing against the protestants which in turns lead to the murder of the child.

The secretary of internal affairs, and the vice secretary of internal affairs  resigned, but their resignation wasn’t accepted by the prime minister.

On the other hand many anarchists and leftists marched against the police/state oppression in numerous Greek cities, and protested against the police violence and the unlimited authorities the police forces have been given. During these protests the police tried once again to suppress these acts of free speech with chemicals, and flashbang grenades. Some people reported that firing with elastic bullets took place in some situations,though not confirmed at the time.

It is time for the people, to understand, that police brutality is something existing, and even the smallest trigger may lead to death. All of us shouldn’t put up with such situations and should fight back. All collectives (left or anarchic) have declared that protests will take place today at 1230, so GET INFORMED, GET INVOVLED.

…The clans are marching against the law,

bagpipers play the tunes of war,

death or glory I will find,

rebellion is on my mind…

(Grave Digger - Rebellion)