mdeslaur

Where's Chuck 2

2011-11-18T21:30:00.000-08:00

Where's Chuck?

2011-11-18T18:13:00.001-08:00

How to disable the guest account in Oneiric

2011-10-17T08:43:00.000-07:00

Ubuntu 11.10 now ships with the guest account available at the LightDM login screen.

This new feature isn't really a security issue, since by default using it requires physical access, and it is confined with an AppArmor profile. If an attacker has physical access to your laptop, all bets are off.

The guest account can be disabled by editing /etc/lightdm/lightdm.conf and adding "allow-guest=false" to the "SeatDefaults" section.

Introducing the Pasaffe password manager

2011-09-17T05:30:00.000-07:00

For the past few years, I had been storing my passwords in an application called GPass. What I liked about it when I started using it at that time was its simplicity, and the fact that each entry in the database has a notes field that can be used for any additional information that the predetermined fields don't handle.

Unfortunately, it doesn't seem to be actively developed anymore, and has been dropped from the Debian and Ubuntu archives. What's more, I've never looked closely at how secure the database format is, and there is no way to open the database it creates on other devices, such as my phone.

I started looking for a replacement about six months ago, and I didn't like most of the ones I tried. Some of them used a cross-platform GUI toolkit which made the app cumbersome to use. Others were too complex, didn't have a place to store notes, or were no longer actively maintained.

Since I've been wanting to learn GTK programming for a long time, this presented itself as a great opportunity. I started by looking at the popular password database formats, and the one that stood out was the one used by PasswordSafe. It is well documented, well designed, and has implementations available on numerous platforms. I implemented a Python library to read and write the database format, and then proceeded to use the excellent Quickly tool to create the initial GTK user interface. Since I want my app to run on the latest LTS release, Lucid, I decided to stick with PyGTK for now instead of PyGObject. I plan on converting it to PyGObject for the next LTS release. After having developed it for a while, I feel it's in a good enough state to be used.

Introducing: Pasaffe!

You can find the upstream project page here.
You can install it from a PPA here.

If anyone wants to contribute to it, there's a list of currently unimplemented features and other things that need to be done in the TODO file.

Check your cron jobs...

2011-05-31T14:38:00.001-07:00

Yesterday, a PAM security update was released. Unfortunately, it introduced a regression which caused the cron daemon to stop working with a "Module is unknown" error.

The updates were quickly pulled from the archive, and a regression fix has been released.

If you have servers or desktops configured with unattended updates, they may have gotten updated with the broken release. If so, cron jobs will have stopped and updates will no longer be automatically installed.

You may fix this problem by performing one of the following actions:

Rebooting your machine
Restarting your cron daemon ("sudo /etc/init.d/cron restart")
Updating to the latest PAM packages (with Update Manager, or apt-get)

This is a rather unfortunate situation, and steps have been implemented to make sure a similar issue doesn't happen with PAM updates in the future.

We apologize for the inconvenience.

Self-Encrypting Hard Disks

2011-04-13T12:14:00.000-07:00

I travel a lot with my laptop, and it can contain private information that shouldn't get disclosed if it's ever lost or stolen. For this reason, I've been using various types of disk encryption over the years, such as Ubuntu's encrypted home directory feature, to reasonably assure that my data remains private.

A few things have always bothered me with software encryption though. The first thing is the fact that software encryption is non-transparent. Although slight, there is a performance penalty in encrypting every read and write to your hard disk. Some people choose to only encrypt certain things to try and reduce that penalty. Do I only encrypt my home directory? What about my swap file or the /tmp directory? If I encrypt my swap file, do I give up hibernation, or do I make it ask me for a passphrase when I boot? What happens in case of disaster? Will I be able to boot a recovery cd and gain access to my data? Will I have saved the passphrase/encryption key somewhere safe in case an emergency arises?

Another issue is the fact that the decryption key necessary to access my encrypted volumes is located somewhere in RAM. There are a bunch of reasons why this is worrisome, from “Cold Boot” attacks, to hibernation, to simply having it leaked in some other way.

But the biggest gripe I have with software encryption is the “Evil Maid” scenario. Basically, every time I leave my laptop unattended, someone could boot off removable media, or physically plug my hard disk in another computer, and alter the software that is loaded before my encrypted volumes. The altered software could send them my encryption password as I type it, or could wait around for my volumes to be mounted before installing a back door. I need to stay physically present with my laptop at all times to make sure this scenario isn't possible, something I'm not always prepared to do. Although laptops are expensive, the loss or theft of an encrypted laptop is limited to the value of the hardware, not the incalculable value of its contents. Leaving my netbook in my hotel room is an easy choice to make if all I stand to lose is a couple of hundred dollars.

Since the hard disk that came with my Lenovo Thinkpad was a little small for my taste, I decided to replace it with a bigger one. In doing so, I specifically paid $20 more to get a model with FIPS 197 certified hardware encryption. These hard disks will encrypt everything that is stored on the physical platters with AES 128bit encryption, and a random key. When the disk is powered on, a standard ATA password is required to access it, and the password cannot be reset; if it is lost, the disk is no longer usable. A master password can be set that can be used to reinitialize the random key, so the disk is usable, but the data contained is lost.

Fortunately, most ThinkPad models come with the required BIOS support for disk encryption, so simply swapping the hard disk and setting a password in the BIOS screen was enough to get it working. Not all computer manufacturers have implemented the ATA security set, so you need to check carefully. Apparently MacBooks don't have it, for instance.

For under $100, I now have an encrypted 500GB hard disk in my laptop that asks for a passphrase when I boot. Is this solution perfect? No. But, it's better than what I had before, and is perfectly adequate for my piece of mind.

Netbook screen resolution

2010-11-07T11:08:00.000-08:00

I love my Dell Mini 9.

I'm back from UDS in Orlando, and have once again spent a whole week on my Mini 9. It's got a webcam so I can call home, and has bluetooth so I can use an external mouse without plugging in a dongle when the need arises. Although I've tried netbooks with 92% keyboards, I'm not ready to sacrifice portability by adding the extra 2 inches required to fit them. The keyboard on the Mini 9 has the perfect feel for such a small keyboard, and I've gotten quite used to it.

The only thing I can't quite get used to is the native screen resolution: 1024x600 is not a lot of screen real estate to work with.

The other day I was looking at the xrandr documentation, and I noticed it supports screen scaling. I now regularly use the following command:

xrandr --output LVDS1 --scale 1.25x1.25

This scales my 1024x600 netbook screen to 1280x750, which is really cool when trying to view large web pages, or any other application that uses a lot of screen space. The downside of this is a slight blurriness that is, in my opinion, an acceptable trade-off.

Unfortunately it doesn't look like there's a way to set scaling in the GNOME Monitor Preferences tool.

Stuck on dial-up (Updated)

2010-10-07T06:43:00.000-07:00

My mother has been a happy Ubuntu user ever since I installed Dapper to solve the countless problems she was having with Windows Me. Since her computer is starting to age, and she's a 5-hour drive away, I bought her a brand new computer for her birthday, which I've been installing with Lucid this week.

Problem is, she is still stuck on Dial-Up internet access no matter how hard she's tried to get broadband from the local phone and cable companies.

Unfortunately, NetworkManager still doesn't have 56K modem support, so a few steps are necessary to setup Ubuntu for dial-up.

Since her phone line is noisy, I purchased a reliable modem that doesn't need special drivers to work in Linux, along with an appropriate USB-to-serial adaptor.

Once I made sure the modem was visible by searching through dmesg for the right serial port, and testing it with minicom, I performed the following steps:

Installed the gnome-ppp package
Added her user to the "dip" group so gnome-ppp could spawn the pppd daemon
Configured gnome-ppp with the phone number, username and password provided by her ISP

Once that was done, connecting to the Internet worked great, except for a single problem: Firefox would always start up in "Work Offline" mode. It turns out Firefox uses NetworkManager to figure out if an Internet connection is available when it starts. To fix this:

Type "about:config" in the Firefox URL bar
Search for the "toolkit.networkmanager.disable" key
Switch it to "true"

I'm looking forward to seeing her go from Hardy to Lucid this weekend!

Updated 2010-10-22:

So, I ran into a couple of extra difficulties when I actually installed her new computer. It seems her ISP uses CHAP or PAP to authenticate which wasn't the case when I tried connecting with my ISP at home. Gnome-PPP uses WvDial to perform the actual dialing, and WvDial tries to add the necessary authentication information itself to the /etc/ppp/pap-secrets and /etc/ppp/chap-secrets files. Problem is, those files are owned by root and are 600 by default. The pppd man page states "this file should be owned by root and not readable or writable by any other user. Pppd will log a warning if this is not the case.", so this isn't an easy problem to solve. Since I didn't want her running gnome-ppp as root, I changed both files' ownership to root:dip and permissions to 660. This allowed gnome-ppp to authenticate to her ISP, even though pppd is logging a warning.

The second problem I encountered was that Evolution would always come up as offline. Like Firefox, it integrates with NetworkManager to check if the computer is online. Unfortunately, unlike Firefox, Evolution doesn't seem to have a way to disable NetworkManager integration. Since time was limited, and I knew she wouldn't be using the Ethernet port on her computer, I simply disabled NetworkManager entirely by editing the /etc/init/network-manager.conf file.

My stepfather owns a Dell Vostro laptop with Lucid on it, and uses it to connect to the high-speed wireless network at work. He asked me if I could get a modem for his laptop so he could use Dial-Up when at home. I'm not sure how I will be able to handle this for now, as disabling NetworkManager won't be an option in his case...

New GPG key!

2010-09-30T07:54:00.000-07:00

In accordance to the Ubuntu Security team's GPG key transition plans, I now have a new GPG key capable of generating SHA-2 signatures.

If you've signed my old key (40B8CCDA) in the past, I would appreciate it if you could take a look at my transition statement, and sign my new key (A744BE93).

Thanks!

Trying to switch to Empathy

2010-04-23T05:29:00.000-07:00

I try to dogfood as much as possible. I try to use the actual applications Ubuntu ships by default for everyday things like web browsing, email and IM. I believe this is the best way for applications to get tested properly, fixed, and improved. If developers don't use the default applications because they are buggy, or don't contain necessary features, how can we expect them to be appropriate for regular users?

I've been a Pidgin user for years. It's a great, but now there's a new kid in town: Empathy, which is now the default IM client installed in Ubuntu and other distros. This week, I am attempting to switch from Pidgin to Empathy. So far so good. It's working pretty great, except for one thing: I keep missing the notifications when people send me messages.

If I already have a chat window open with someone in Empathy, and the person sends me a new message, I get notified in three ways: I get a temporary notify-osd message, the Indicator Applet envelope turns green, and the window in my window list flashes for a few seconds and stays highlighted and bold.

Most of the time, I miss the notify-osd popup, as I'm typing something, and tend to always finish before looking up at the alert. Once I do, I rarely have time to read the whole thing before it disappears. My Indicator Applet envelope is green most of the day as I almost always have unread messages in my Inbox. But as soon as I finish the task I'm doing and go to switch windows with the window list, I notice the highlighted and bold window demanding attention.

The problem I have with Empathy is there is no way to tell it to open a new chat window automatically when a new message arrives and there isn't already a chat window open. When that happens, I don't have the highlighted window in the window list demanding attention, and often discover that I missed an IM an hour later when clicking on the green envelope to read my email.

What am I doing wrong?

Canadian tax software and Linux

2010-02-26T05:51:00.000-08:00

Well, it's tax time again!

This used to be the part of the year I would dread. Not because I feared how much income tax I would need to pay, but because I knew I would have to get Windows running in a VM or on a spare computer in order to use tax preparation software.

I would get heartburn from wondering if the new flavour-of-the-day copy-protection mechanism the software used would actually work in a VM, and if it would let me open up my files again after reinstalling it if something went wrong. Top that off with the fact that trusting your important data to Windows is like locking your safe with duct tape, and I'd be popping Rolaids like candy.

Are all the security updates installed?
Every time I open "Windows update", it manages to find some more.

Is my antivirus software properly installed and working?
What if I got malware while purchasing the antivirus software online, before I installed it? Which one do I choose?

Oh great, the new version of the tax software uses Internet Explorer to update itself.

Luckily, a couple of years ago I discovered UFile.ca, a web-based tax preparation application. They even officially support Linux! It's quite refreshing to see a Tux logo right next to the Windows and Mac logos. It's even easier to use than the software I was previously purchasing!

Of course, it's web-based, so it's up to you to decide if you're willing to accept handing over your tax information to a third party. In my case, the decision was easy: I get to decide who can see my tax information, which is a lot better than hoping no one could see it.

Goodbye heartburn!

Ubuntu movie sighting

2009-12-21T09:50:00.000-08:00

I was watching the Millenium movie last night, and spotted an Ubuntu desktop being used by the "Plague" character:

GNOME Keyring

2009-11-04T05:09:00.000-08:00

For the past week or so, people have been talking about a “security issue” in Seahorse. This sums up my opinion on the matter:

This isn't a security issue, and there is no good way to fix it.

There, I've said it. Now, here's some background:

Although people are talking about Seahorse, the actual application that manages passwords is called GNOME Keyring. GNOME Keyring is an application that manages a user's authentication information, such as user names and passwords. It stores the authentication information in one or more encrypted databases, called keyrings. A password, supplied by the user, is required to unlock a keyring, at which point all the information contained within is decrypted and is made available to applications via the libgnome-keyring library. It is similar to the Keychain in Mac OS X, and Protected Storage in Microsoft Windows.

Traditionally, a desktop application that needed to remember a user's password, such as an email or an instant messaging program, would store the password in a hidden config file in the user's home directory. Appropriate permissions would be set on the file to make sure other local users can't read it.

Sometimes, passwords stored in this manner would be obfuscated using a reversible scheme, as the password needs to be converted back to plain text in order to be used. This would provide a false sense of security. Users inspecting the file would think the passwords were encrypted, but a myriad of little recovery scripts and on-line converters were available to anyone who knows how to perform a Google search.

A password managing daemon, such as GNOME Keyring, increases the security of stored passwords for the following reasons:

Passwords are stored in a database that uses real encryption, not just an obfuscation scheme
A single code base needs to be audited to make sure no vulnerabilities exist in the encryption algorithms that are being used
The database is protected by a password that is known only to the user who unlocks it
Since the database is encrypted, no other user or bootable CD can recover the stored passwords if the unlock password is not known

So, if GNOME Keyring increases the security of user credentials, why can you see your passwords exposed in plain text when you open Seahorse? Because you've unlocked the keyring using your login password.

Although GNOME Keyring supports multiple keyrings, there is only one by default, called “login”. This keyring is automatically unlocked by a PAM module when logging into a GNOME desktop. When the desktop session is closed, the keyring is locked. When the keyring is in an “unlocked” state, the database files are decrypted using the decryption password and all the contents are in memory for gnome-keyring-daemon to access.

Now, the attack scenario that has been talked about this past week has been leaving your computer unattended, and an attacker using Seahorse to access your clear text passwords. This has been criticized as being a security issue, and a few “solutions” have been suggested to “fix” the issue. Here are some of the scenarios proposed:

Scenario 1: Ask for the user's password before displaying the clear text keyring contents.

This scenario doesn't work in practice. Once the keyring is unlocked, the contents are available under the user's security context. Since the GNOME Keyring daemon is under the user's security context, the intruder has every privilege necessary to simply bypass the authentication step and directly read the unencrypted keyring from memory. Even if Seahorse asked for a user password, nothing could prevent the intruder from simply downloading a “reveal passwords” application from the Internet or a USB key. There is no difference in time or skill required to open Seahorse and display passwords, or to type “gnome password revealer” in Google and execute the first application available for download. The GNOME Keyring project has a web page to explain this.

Even worse, the fact that a password would be required in Seahorse would make the user think that a password is required to see the clear text information. This would give the user a false sense of security. If Seahorse asks for a password, but a five line python script can bypass the password, bug reports would change from “Seahorse displays clear text passwords” to “Seahorse authentication can be easily bypassed”. This scenario doesn't solve the problem.

Scenario 2: Make keyring session expire automatically after a certain time.

If the keyring session expires automatically, such as every 15 minutes, it becomes useless. The purpose of the keyring is to store passwords that are needed by applications. With keyring session expiration, Evolution can't automatically check for new mail, Empathy can't auto-reconnect to instant messaging networks, the wireless connection can't re-authenticate to access points.

If you expire the keyring session every 15 minutes, you will probably need to type in your password every 15 minutes. Besides, if you leave your computer unattended, 15 minutes is long enough for an intruder to steal your passwords. This scenario doesn't solve the problem.

Scenario 3: Make the keyring daemon run as root or as a dedicated user.

The idea behind this is to have a central daemon that would authenticate users and applications before giving out passwords. Since the daemon doesn't run under the user's security context, no amount of hacking by an intruder in an unlocked desktop session would result in gaining access to the unlocked password database.

Although this scenario may seem appealing, it would probably be less secure than the current approach. If we have a central daemon that serves all users, a programming vulnerability could result in other users gaining access to your confidential information. Besides, if your desktop applications, under your security context, can gain access to the passwords they need, so can an intruder in your security context. The intruder's script can simply spoof the desktop applications themselves to get the passwords, or get them out of the application's memory. This scenario doesn't solve the problem.

Scenario 4: Stop using GNOME Keyring.

Well, GNOME Keyring was created to solve the problem of people writing down their passwords everywhere, including text files or their computer, and the problem of applications storing passwords in text files. Removing GNOME Keyring would decrease security to the state it was before. This scenario doesn't solve the problem.

Scenario 5: Locking the desktop session when stepping away from the keyboard.

Now we're getting somewhere!

Since the attack vector that's being discussed is an intruder gaining physical access to an unlocked desktop, the simplest way to prevent this from happening is to lock the desktop when you leave it unattended.

If someone gains access to your desktop, your passwords are not the only thing they can access. Who needs your email password, when they have access to your whole mail file?

Even if we assume GNOME Keyring could be made attacker proof, we would need to do the same for every desktop application. An intruder could, in a few seconds, install a Trojan horse downloaded off the Internet that runs in the background and emails him your passwords as soon as your desktop applications use them. The same application could intercept your sudo password, and become root to access the GNOME Keyring data. Absolutely no technical skill is required to do this.

Leaving your desktop unattended exposes all your confidential data to an attacker, not just your passwords.

Game Over.

Recommendations:

Always lock your screen when you leave your computer unattended. This is akin to locking your front door when leaving the house. Hit Ctrl-Alt-L, select “Lock Screen” from the user switch applet, or put the “Lock Screen” applet somewhere in your panel for easy access.
Set a low screen-saver idle timeout, for example, 5 minutes. If you forget to lock your session, it will do so automatically after a couple of minutes, reducing the time your confidential data is exposed.

And remember: This isn't a security issue, and there is no good way to fix it.

The ideal portable media player

2009-08-30T11:25:00.000-07:00

After the overwhelming response to my Goodbye Apple blog post, I have compiled a list of criteria I would like to see in a portable music player:

Linux compatibility

This is a deal-breaker for me, as I only use Ubuntu. The next mp3 player should be manageable from a Ubuntu desktop. In order of preference:

Manufacturer lists Linux support or compatibility on the box
Manufacturer lists Linux support or compatibility on their website
Device is known to work with Linux

Of course, I would also need to be able to update the device's firmware, but this isn't a must. I can probably find someone with a Windows box to do a one-time firmware update.

Video support

I spend a lot of time in airports and planes. This is where I use my player the most. I like watching videos and movies while on the move. I want at least a 2.5 inch screen, but it still needs to be light and small enough to fit in my shirt pocket. It's what I had on my 5G iPod Video, and it's the minimum I would tolerate.

Video conversion should be easy, and should not require Windows-only software. I should be able to encode video from DVDs I own, and from video podcasts I download from the Internet.

Bonus points if the manufacturer gives some example ffmpeg or mencoder command-lines in a wiki somewhere, or submits presets for their device to encoding software such as Handbrake.

Podcast support

I listen to a lot of podcasts. Since a lot of podcasts are available encoded in mp3 format, most people think they work on any mp3 player. Fact is, I want the player to be able to recognize podcasts and apply special logic to them the way iPods do. They need to:

Have a “completed” flag to be able to easily spot the ones I've listened to already
Automatically resume from where they were left off (without having to manually set a “bookmark”)
Be in a separate list from regular music files

The most important criteria for me is the automatic resume one, and is the one most media players are lacking. I don't enjoy losing my place in a podcast when I get interrupted, or want to listen to some music. Trying to locate where you were in an hour-long podcast with a fast-forward button is painful.

Standard USB port

I want a media player with a standard mini or micro USB port for syncing and charging. I hate having to spend extra on spare proprietary cables. I hate having to lug ten different proprietary cables in my laptop bag when I travel. And most of all: I hate forgetting the proprietary cable at home when I leave on a trip. Even though the iPod has a proprietary connector, at least you can purchase a spare cable pretty much anywhere.

Of course, most devices come with proprietary ports because a standard USB port can't offer all the extra features that a portable media device needs, such as TV Out, Audio Out, Line in, etc. How about this for an idea, folks: USB for syncing/charging, and proprietary port for all the rest.

User-friendly interface

My dad came over the other day with a cheap no-name 3rd generation iPod Nano knockoff he bought at an electronics store. He was raving about how inexpensive it was.

The user interface was the most horrible thing I have ever encountered. It was so complicated to simply get a song to play that I would have paid double the price difference to never see it again.

On-demand playlist support

Although this isn't something that's absolutely necessary, I really enjoy listening to music while creating a playlist on the device itself.

Adequate volume

The volume needs to be loud enough to listen to music and movies while on a plane. My Sony PSP isn't loud enough for me to listen to movies on a plane.

Open multimedia format support

It would be great if the device supported open multimedia formats and codecs, such as Ogg, FLAC and Theora.

Well, that's all I can think of for now. Based on recommendations in my blog comments, I have purchased a Cowon S9. Also, I have received a Creative Zen MX, and will be receiving a Sansa Fuse shortly. In the coming weeks, I'll be reviewing each of these (and maybe others) to try and find the ideal portable media player for Linux users.

My God! It's full of stars!

2009-08-18T14:30:00.000-07:00

Ever try hooking up a server or firewall with multiple network cards? You stand in back of it wondering which RJ45 port is eth0, which one is eth1...

Here's a little tip: you can make network card lights blink with the ethtool command:

ethtool -p eth0

You can make each card blink for 30 seconds in order with something like:

for net in eth0 eth1 eth2; do ethtool -p $net 30; done

Aide (Advanced Intrusion Detection Environment) improvements

2009-08-15T10:21:00.000-07:00

At the Karmic Ubuntu developer summit, we had a session on filesystem integrity checkers. The main purpose of the session was to see what the current state of them was, and if we needed to replace Aide in main with a newer alternative.

I don't traditionally like filesystem checkers. While they are very useful to detect files that get modified during an intrusion, an administrator needs to invest an incredible amount of time in analyzing the log files that they produce every day. This is compounded by the fact that servers don't remain static: they get security and stability software updates installed. The more that servers get updated, the more they divert from the original database that was generated by the integrity checker, and the more false positives get reported in the log.

Wouldn't it be great if the integrity checker was smart enough not to report on files that were changed by operating system updates?

I introduced this very feature in the Aide package in Karmic Koala. It is disabled by default. To activate it, simply modify the /etc/default/aide configuration file and set “FILTERUPDATES” to “yes”. I also recommend changing “COPYNEWDB” to “yes” in order to get changes reported only once.

This new configuration option will filter out files that were modified by operating system updates from the daily email sent to the administrator. It will not filter them out from the main log file.

Of course, overwriting the pristine database every day and filtering out the files changed by system updates may slightly reduce Aide's effectiveness, but I think it's a compromise worth having if the alternative is to not use Aide at all because of administrative overhead.

If you've never used Aide before on your Ubuntu server, and would like to give it a try on Karmic, here are the steps necessary to get started:

1- Install aide:

apt-get install aide

2- Create the initial database (this may take a while):

aideinit

3- Customize the MAILTO, COPYNEWDB and FILTERUPDATES parameters in /etc/default/aide

4- You should now get a daily email report on filesystem changes!

Goodbye Apple

2009-07-23T05:20:00.000-07:00

I've owned a lot of iPods. My wife has owned a lot of iPods.

Not anymore.

For the longest time, I could use gtkpod to seamlessly access my iPods from my Ubuntu desktop. It initially took some reverse-engineering effort to understand the iPod's data format to be able to access it from non-iTunes software, but it was possible. All of a sudden, Apple is trying everything they can to prohibit interopability.

First, they encrypted the firmware, blocking the use of third-party firmware like Rockbox and iPod Linux. This doesn't bother me much, as I always prefered the original Apple firmware anyway.

Then, in August 2007, they added a new hash to the database to block non-iTunes software. This was quicky reverse-engineered and support was added to gtkpod once again.

In November 2008, they changed the hash again. This time, Apple used code-obfuscation software on iTunes in an effort to complicate reverse-engineering a second time. When a wiki was put up to start documenting the new hash, Apple sent a takedown notice. Fortunately, some people found an ugly workaround to get gtkpod working again.

In 2009, Palm released the Palm Pre. It supported syncing with iTunes. Apple retaliated by updating iTunes specifically to block Palm Pre interopability. Unfortunately, this changed the iPod database structure, and the workaround for gtkpod no longer works.

While I can understand Apple not wanting the Palm Pre to be able to sync with iTunes, as iTunes integration is one of the main selling points for the iPod, I can't understand why they would actively block third party software from accessing the iPod.

Everyone is now selling DRM-free mp3 music, so it's not a question of protecting DRM. You'd think they would want to sell more iPods, not block a certain percentage of their market out.

My 5G iPod broke today. Dear Apple, the replacement I purchase won't be from you.

Launchpad search plugins for Firefox

2008-11-02T06:03:00.000-08:00

If you work a lot with Launchpad, there is a package in the Ubuntu repos that adds Launchpad integration into the Firefox search box. The package is called "firefox-launchpad-plugin":

Launchpad firefox integration
Mozilla Firefox Launchpad integration add quick search for:
- Ubuntu bugs on Launchpad
- Ubuntu specifications on Launchpad
- Ubuntu packages on Launchpad
- Ubuntu support tickets on Launchpad
- People and team on Launchpad

Adobe Reader fonts

2008-10-26T17:52:00.000-07:00

Here's another PDF tip while I'm at it: how to fix broken fonts in Adobe Reader in Ubuntu Hardy and Intrepid.

It seems Adobe Reader doesn't use font-config by default. If you open a pdf file that uses Arial or some other font that is installed in font-config, Reader will still replace it with a generic Adobe Sans font. To turn on font-config support, modify the /usr/bin/acroread launcher script and uncomment the following two lines:

ACRO_ENABLE_FONT_CONFIG=1
export ACRO_ENABLE_FONT_CONFIG

Discovering QPDF

2008-10-26T15:39:00.001-07:00

A friend of mine asked for help removing the restrictions on a PDF file he made a while ago. It seems he misplaced his original source file because of disk bloat and all that was left was a PDF file he created for the print shop. Of course, he couldn't remember the password he had used when he created the file.

A quick look through google came up with a simple solution: qpdf, available in universe:

QPDF is a program that can be used to linearize (web-optimize),
encrypt (password-protect), decrypt, and inspect PDF files from
the command-line.

Here's the command line that removed the PDF restrictions:

qpdf --decrypt infile.pdf outfile.pdf