Here is how you do it:

• First, with you device (iPhone or iPod) go to bit.ly/eduroam_ualg (my UAlg’s student homepage). You have got to do this with your 3G connection, or other WiFi network.
• Download the eduroam_UAlg.mobileconfig file to your device
• A dialog will appear, asking to install a new profile. Click Install and after that,  Install Now (it will say that this procedure will change setting on your device)
• Once the new profile is installed and verified, a new dialog asking for your username, will appear. Input your UAlg’s credentials (normally it is your e-mail, in the form of aXXXXX@ualg.pt), and then click Next
• The next dialog will say in green Verified, you just have to click Done
• Once you are inside the campus, go to your WiFi Networks in system preferences, and click on the eduroam access point, that now shows up.
• Your e-mail should now show up, and you should insert your password.
• When joining for the first time, you have to accept the certificate, by clicking the Accept button.
• After this, you can start surfing! No need to configure proxy settings!

I hope this helps everyone to stay connected without problems. If you are having difficulty with some of the steps, leave a comment, and I will be happy to help you sorting this out. Also, if it keeps asking for the password, tell me. I think I solved this problem, but you never know….

Here are the steps necessary, this time, with some screenshots:

1. Login to your shell
2. mv blog blog_old
3. mkdir blog_new && cd blog_new && svn co http://svn.automattic.com/wordpress/tags/2.7 .
4. cd ~/blog_old/
5. cp -p wp-config.php .htaccess ../blog_new && cp -rpf wp-content/* ../blognew/wp-content
6. cd ~/blog_new/ && svn sw http://svn.automattic.com/wordpress/tags/2.7/ .
7. mv blog_new blog
   
8. go to http://<you_url>/wp-admin/upgrade.php and perform the update process

And thats it! Put it in the hoven for 10 minutes and leave to rest! After that go enjoy your new and upgraded blog! Oh, by the way, each time a new version comes out, just go inside your blog dir and do a:

• svn sw http://svn.automattic.com/wordpress/tags/2.7/ .

Pretty sweet! =)

UPDATE: in fact you can forget step 2, and just move your old directory in the end, when about to go live. Perform the all the steps in the recipe, than at the end, just change blog to blog_old (or some other name you might have) and change blog_new to blog. This way you now point to you new SVN install, and you old stuff is safeguarded. Enjoy!

Since I’m not a big windows user, except for a desktop that his only purpose is to download Linux distros using bit torrent protocol, I was not fully aware of this limitation.

So I did some quick research and realized that this limitation was not a Windows problem, but a hardware problem! You see, 32-bit systems have a limit of memory that they can use. Normally this is 4GB minus the total ammount of memory in the Video Card, the BIOS and everything inside you machine that has memory. So most of the users that now buy 4Gib ram to use with their brand new Vista machine, get stucked at 3 ou 3,5 Gib.

Even thouhg Linux also suffers from the same limitations, it is able to handle higher memory installed, since it uses correctly the PAE… What is PAE you might ask? PAE, or Physical Address Extension is a feature that allows the use of more than 4Gib of physical memory, given apropriate operating system support for this feature.

There are some things you might do to enable PAE in 32-bit Vista, but I haven’t tryed yet this.. maybe in the future…

Here are some places you can go, to read a little bit more and try for yourself:

• Enabling PAE in Vista
• Wiki on PAE
• Microsoft on PAE in Vista

In the future, this limitation will be overcome, since the use of 64-bit systems sets the memory limit much higher. If you want 4Gib, with no hassle just switch to a superior operating system like GNU/Linux or Mac OS X =)

1. Download Putty to you desktop
2. Change the name of the file, from putty.exe to ssh.exe
3. Move this file to your Windows directory (should be on you drive C:\)
4. Press Windows Key + R (shortcut for run command)
5. Type ssh user@remote.example.com (use your own user and server)

If you got everything right, you now will be asked for your user password.. You can do it even smarter, and use public key authentication, which I love so much, and no more typing would be necessary.

Very cool right? No more fiddling for Putty.exe, no more clicks, no more hassle.. Just “RUN+ssh+options” and this will get you there! Like I said, SSH on Windows… The smart way!

Enjoy!

• Changed default listen port (default is 22)
• Only allow SSH protocol 2 (there are 2 versions of SSH, version 2 is far more secure)
• Disabled root login
• Allowed only some users to login
• Disabled password login
• Set up a private/public key method for authentication
• Set a a firewall rule for those script kiddies who like to knock on my server doors

These were the steps, and believe me, it’s not that big a deal to go through them. Let’s now describe each one!

Default Listen Port
By default, the Open SSH server comes with listen TCP port set to 22. Not trying to make security by obscurity, if you change this default behavior, at least those script kiddies, who scan your port 22, and hammer you with the defaults logins, will be dropped, and your bandwidth will be spared. So head to /etc/ssh (the default directory, most distros) and edit your sshd_confing. On the line: “Port 22“, change this to something else, higher than 1024, because usually port scanners don’t go higher than this by default; for example, use port 2222. When connecting to you server, don’t forget to specify the port number (in the command line this goes by ssh -p 2222 hostname).

SSH protocol 2
In the present, there are 2 versions of SSH protocol. It’s better to go with the latest, since it’s far more secure. So, in the same file you made your port changes, the line which contains the word “Protocol“, put a lonely “2” (probably there is already one there, or 2,1) in front. Save your changes.

Disable root login
Normally for administration purposes, we use the super user (root), but it’s not safe to remote login with this user. If something gets compromised, the attacker will have full power to change anything in your system. So, force logins with other user than the root, and then when you are logged in, su to become root. Believe me, it’s safer this way. So in the same file, when it says “PermitRootLogin“, put a “no” in front. Thats it!

Allow only some users to login
Ok, you now have disabled root login, but any user account on your system will be authorized to remote login. This brings a lot of issues, because more users, means more distributed logins, more chances to security issues (imagine one of your users being kidnapped by a alien, you never know). So authorize one user (you), and if needed, other users, but only if needed. I hope you never left sshd_config, because now we have to search for the line “AllowUsers”. If this line doesn’t exist, add it, in the “#Authentication” part of the file, and specify the users you want to allow login. Example: “AllowUsers user1 user2“. Easy right? Let’s continue.

Password logins
By default, you authenticate in your remote host, by using a combination of user/password. Passwords, by it’s nature are unsafe, so why use them? Next we will set up a digital key authentication, so disable passwords for now. In the same configuration file, change “PasswordAuthentication yes” to “PasswordAuthentication no”. And we are done regarding passwords.

Private/Public key authentication (using DSA)
In the past I explained this (link to previous post). You can use a combination of private/public key to authenticate yourself in a remote host, so use this. Go through that post, and set everything up. Its just a matter of following the steps: (1)ssh-keygen -t dsa; (2)cat ~/.ssh/id_dsa.pub (3)put the output of step (2) in remote ~/.ssh/authorized_keys (chmodded to 600). After making this, edit the lines inside sshd_config, “RSAAuthentication yes”, “PubkeyAuthentication yes” and “AuthorizedKeysFile %h/.ssh/authorized_keys”. And your done here.

Firewall Rule
Would it be great if your firewall detected if someone was knocking on your firewall door? Well, you can use a fully blown intrusion detection system, like Snort (link to snort), but by using simple rules in iptables, we can accomplish some security on the number of times someone tries to login. If you don’t know what iptables are, ignore this step, else, add this rules to your firewall (run this in the CLI or add it to your firewall scripts):

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –set –name SSH

iptables -A INPUT -i ${WAN} -p tcp –dport 2222 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP

The ${WAN} part of the rule, is the network interface you use to connect to your ssh server. I normally export LAN and WAN in a bash script, so I always know what is going where. In the future we will discuss firewall/iptables in detail, for those who do not know about the subject.This simple 2 rules will limit to 8, the number of ssh logins your host will permit in a minute. Thats a huge improvement (only 8 against unlimited attempts).And thats it! This were the steps I made to improve security on my remote host. Combined with a good firewall script, you will get a very tight system, believe me! There are other stuff you can make, like using TCP wrappers, but in my case, I login from a changing IP addres, and this method is not very useful if your IP address changes a lot.Oh, one last thing you can do! If all this methods fail, and someone is able to login using ssh to your server, edit again the /etc/ssh/sshd_config, and in the line “Banner” add in front put “/etc/sshbanner.txt“. Now edit (create) the file /etc/sshbanner.txt and put this inside (copy/paste):

————————————————————————————————————–
WARNING! THIS IS A PRIVATE SSH SERVICE, NOT TO BE USED BY A STRANGER. IF YOU HAVE GAINED ILLICIT ACCESS ON THIS SYSTEM, A CURSE WILL BE SET UPON YOU, AND YOU WILL HAVE A SERIOUS RASH ON YOUR PRIVATE PARTS, AND SUFFER IN AGONIE! YOU HAVE BEEN WARNED!
—————————————————————————————————————

Now, each time a user logs in, he will see this message. If it’s a unwanted user, he will be so scared, that he will log off immediately! =)

Please post back comments, on more things we can use to improve security on our servers!

PS: Don’t forget, when all changes are made, to restart your ssh server (ex: /etc/init.d/ssh restart).

Once inside Disk Utility, just press the “New Image” button.

After this, put the settings that you see in the picture. Here I choose the image’s name secure, the syze 100mb (choose more if you want) and the important thing, in “Encryption“, choose AES-128. If you want to know more about this encryption, read some stuff.

Now, it’s important to choose a strong password, this can be tested by pressing the little key in the next window. This will show you a green bar, that grows, when password gets stronger. If you prefer, let the utility pick a strong password for you. One final thing to take in account: do not remember password in the Keychain, for improved security! So just uncheck that… Click OK, and you are all done!


Now eject the image, and move the secure.dmg inside your pen drive, or anywhere you want! Anytime you want to put new files, just mount the image (double click secure.dmg).

Very easy right? Enjoy simple encryption!

I came up with a name for this project, and the cool thing, is that I can use my domain as an acronym. So DBUGS stands for Digital Backup Using Gmail Storage.

So, what do I have in mind? Well, I came across some weeks ago, with Richard Jone s’s project, the GmailFS. This project, and using his words, provides a mountable Linux filesystem which uses your Gmail account as its storage medium. I read the entire site, and several other sites on the web, only to find out, that although this already can be achieved, some problems still need to be fixed, but since my project for now, exists only on paper, I hope that in the future, a more robust GmailFS, can be used.

What I propose here, is, to combine some cool open source technologies, to obtain a big, expandable online backup, but things like cost and reliability also come to my mind. Now it’s possible to create your own Gmail account for free, and all the tools I suggest using are open-source, so the cost factor, it’s only regarding your Internet connection, which by all means, must be broadband!

So, since it’s possible to mount GMail accounts locally, I started imagining the possibility, to use 2 accounts in a RAID1 setup (mirror), where Gmail_account1 would be the mirror of Gmail_account2. This way, data would be backed up twice, in two different locations. If one dies, the other remains alive, while we add a new one to the array. When I say 2 accounts (arrays), I mean n arrays, since, for RAID1 you can use 2+n arrays, this way, data is mirrored against several locations.

The next step in my theory would be size. Google already offers almost 3GB of storage, and rumors are that they will increase this for 9GB+, but what about if you want more? My thoughts went straight to a LVM setup, for the extra layer of complexity! Now we would have 2+n arrays, each made by LVM volumes, which
would be created using several (1 + N) accounts. Confused? I am! This way, each of the RAID1 array would be stripped across different accounts, and in the future, if we wanted to expand the size of our online backup disk, it was just a matter of creating new accounts, and adding those to each of the LVMs, so our RAID1 array would get bigger.

I also thought of security, and the best to do this, is using disk encryption. Another layer is added to the already tricky setup, but this is not important in the beginning, since for testing, I would not use sensitive data.

To perform the backups, I really think it’s a good idea to use some sort of rsync+cp+mv solution that performs incremental backups, without taking too much space. You can find many options for this online, but one my favorites is RSnapshot. A good source of information for this type of backup is Mike Rubel’s site on the subject.

And that’s it! Several problems must be addressed, and that’s why I started this post. I don’t know if it is either a very stupid idea, or if it can be accomplished and become a cool project. I’m working on some solutions, and I really hope I can post something on the subject anytime soon. Why should I even try this? Because I really think this is a cool idea, and perhaps I will not achieve what I intend, but in the process of failing, lies a path of learning… get it? =)

Please feel free to drop comments on this subject, with suggestions, critics or your help for the project. I’m more than happy to welcome you aboard. Let’s get this one off the paper, and make it work!

Here I will cover both the Mac and Linux, because, well, in fact they are almost the same, command line speaking I guess.

So, let’s skip the romantic part of the post, and let’s cut to the chase! =)

First go to your favorite command line client, and create or own set of digital keys. It’s very simple, don’t worry, just type ssh-keygen -t dsa (this generates a digital key, using DSA as security algorithm). It will prompt you the destination for the key, which normally resides inside folder .ssh at your home folder, and if you want to use a passphrase each time you use the keys (let’s keep it simple for now and say no). Now if you take a look inside .ssh folder, you will now see 2 files or more, but the important ones are id_dsa and id_dsa.pub. This is the pair of keys, one which is public, and the other you keep it for yourself.

Now if you look inside your id_dsa.pub, you will see a bunch of characters, which don’t mean anything to you. But copy everything to clipboard, for use in your remote server. My looks like this:

(this is all in a single line)

There is no problem on showing my public key, because, well, it’s public. You can learn more why here.

Now, login to your server, go to directory .ssh on you home folder, and edit or create the file authorized_keys; paste your public key inside, all in one line! That’s it, your done. If you use Dreamhost I found out that both .ssh folder and authorized_keys file must have 700 permissions set.

Now logout, and login again, and the remote server will match your public key, with your local private key, and if everything goes smoothly, you are in! No passwords, no hassle, no nothing!

It’s also possible to make your sftp client to use your keys, just define this in the login options, and check the “Use public keys authentication” or something similar, and choose your private key, not your public one. Next time you login, again, no passwords will be asked. Cool eyn?

I did not cover ssh inside Windows systems, but you can do the same using Putty and all the tools available. Go here to learn more about ssh authentication inside Windows, using Putty, but also for a more precise explanation on ssh authentication.

In the future it also should be important for you to set a passphrase with your keys, for extra security. But for now this is enough, so enjoy!
Oh, by the way, in case you did not understand the romantic vs chase part of this post, take a look here…

Update: By the way, this post refers to Dreamhost, but you can use this with any server you wish, just make the same steps discribed.

If you come from Linux, you probably are familiar with the Wine project, which is an Open Source implementation of the Windows API on top of X, OpenGL, and Unix. This allows you to run a great number of Windows only applications, without emulating Windows itself. And you might ask: what about Mac OS X? Doesn’t it descend from Unix? That’s right, Mac OS X kernel is called Darwin, and comes in direct line from Unix.
Wine is also implemented in Mac, and there are 2 choices. The first is a commercial one from the guys at CodeWeavers, and is called CrossOver. But if you are like me, you will use a free (both as beer and freedom), version of Wine for Mac, which is called Darwine (very clever, Darwin + Wine, AH!).

Its very easy, just grab a copy of Darwine, put it on your Applications folder and make sure you also have installed X11 that came with your Mac OS X Install DVD 1. Now grab uTorrent.exe, run WineHelper (from the Darwine folder you have just installed), and open uTorrent.exe. If everything goes smoothly, you should be seeing uTorrent client running in your desktop. There are a few problems with fonts, a some times it looks like uTorrent is “freezed”, but in fact you only have to click show/hide from uTorrent‘s tray icon, and it will come back alive and kicking!

I keep hoping that uTorrent gets ported do Mac OS X, so I can run it native, but for now this is good enough for me!

Enjoy this one, and post your feedback.

I am a big fan of GNU Linux, and other UX alike, and I recognize in the last couple of years, Linux as come a long long way, with every modern distro being able to recognize your hardware (at least most of them); I was positively surprised to install the latest Ubuntu on my girlfriend’s laptop, and just like in my Mac, I was able to connect right away to my WIFI connection with WPA TKIP security, with no hassle.

Now, in my humble opinion, I believe the industry is following Apple and their ideas. Things just work, stuff does not get in the way. You tend to feel, that everything, from instant messaging, to emailing, media organizing or just file browsing, have more productivity. Hell, even the hardware doen not get in the way! I might be wrong, but it’s a strong feeling.
I also believe Apple should follow the Open Source movement, because they have very good ideas, very good hardware, and they would win a lot more if they just shared with the rest of the world… I truly believe this, but I also know this is daydreaming (I am singing in my head, Lupe Fiasco’s “Daydreamin‘)

Getting back to the clean up! I did my backups to a external USB drive, rebooted with the Mac OS X inside the drive, and booted using the C key.
This took me inside a install “OS”, very similar to the real thing. Here, I had access to disk utility’s, log viewer. I did the full install, without answering to 100 questions! This felt very good, once again, does not get in the way. It’s simple, easy, and you don’t have to be a astronaut to get away without problems!

When everything was installed, it took me 5 minutes to put my login info, to configure my WIFI connection, and I was up and running!
When I bought this Macbook, I messed everything around, just to get to know the operating system. With time everything felt sluggish, and not snappy anymore, so now I have the full system back, and from now on, I will keep it this way, at least I’ll try! =)

Stay in touch!