An effect of having senders be responsible for their mail storage

Some people opine that having the email sender be responsible for its storage would reduce spam. That may be so, but I see doing so empowers DoS attackers with another means to carry their deeds.

In the proposed infrastructure change, a sender would put the message on his/her server and send a brief notification to the addressees. The addressees' clients then pulls the email from the location specified in the notification. In that world, a DoS attacker can work with a spammer to send bogus notification messages to a large number of clients. The messages direct the clients to pull an email from the victim's server. When the clients do so, they slashdot the victim's server.

I do not see a sure way to prevent clients from retrieving the email. A client that automatically heeds all notification messages is certainly not preventable. But a client that fully defers to human moderation may also participate in the slashdotting as well. After all, users are as much part of the problems as the spammers in current spam problem.

Blacklisting the victim's server is also a non-solution because that could be what the attacker wants or interferes with legitimate email retrievals. Blacklisting a mail URI is slightly better but still not a good solution because URIs are cheap.

If this infrastructure becomes common place, DoS attackers no longer have to construct a botnet because the whole Internet just becomes a super gargantuan botnet.

Bad valve stem seal -- how to tell

http://www.fordforums.com/f655/5-0-uses-oil-rings-valve-stem-seals-how-tell-103279/#post1080284

Well, there are a couple of ways to tell. If you start the engine up
and it puffs out smoke, it's the valve seals because you are burning
the oil that has leaked past the seals when the engine was off. If you
slow down by downshifting and when you accelerate again, and it smokes,
it's valve seals. Why? Because when you deaccelerate by downshifting,
your throttle plates are closed and you have a lot of manifold vacuum.
That vaccum sucks in the oil past the valve seals. Then when you
accelerate, the increased air/fuel charge sucks it into the combustion
chamber and it is burned.
Unless the maintenance was completely ignored, I'd guess that it is
valve seals. They will deteriorate with age while a piston ring will
not.

You pushed me over and I; Keep falling, keep, keep falling the cliff.

A sobering graph from my favourite site: http://calculatedrisk.blogspot.com/2008/11/comparing-stock-market-crashes.html

I am not sure that we are even half-way through this crisis. Keep falling, keep, keep falling the cliff..

One thought though: why 'Subprime Mortgage Crisis'? While subprimers made the initial appearance, it seemed people using their house as ATM had the larger role.

Adjusting my gas furnace

Disclaimer: tinkering with gas is dangerous. Below are steps I took to adjust my gas furnace for my own documentation purpose. I decided to share it to public for educational purpose. If you blow up as a result of reading this article, you are on your own.

This is my gas furnace. Manufactured in March 1990. It is 18 years old now. Its efficiency rating is output_btu_per_hour / input_btu_per_hour = 56K BTU/70.5K BTU = 79%. Modern gas furnaces reportedly have 90% or better efficiency. But mine still works and winter in northern virginia is quite mild. I see no reason to replace it yet.

It's been cycling in short interval and I wanted to see if I could do something about that.

The first thing I checked was the flame colour. It should be blue. Orange flame indicates insufficient oxygen or some contaminations. If there is not enough oxygen, the flame will produce soot.

To adjust oxygen level, adjust the air stuter (picture below):

 

The furnace was a forced air model. The flame heats a heat exchanger which quite similar to a radiator. A blower blows cold air through the exchanger. This heats the air before it comes out of the exhaust register. Adjusting this gas furnace involves balancing the heat put out by the furnace with the cooling the blower provides.

In my case, although the spec says that my furnace could generate at 56K BTU/hour, the blower was not powerful enough to cool the exchanger. My house had 3 intake registers, one on each floor. The ductings was not large enough to reduce the air flow resistance to my blower's capability. If I openned up the blower panel, the blower managed to push enough air to cool the furnace at full power. But obviously I could not run it like that for daily usage.

Adjusting the power of my furnace was done by adjusting the gas flow. Here's my final setting at 3/4 of full flow:

To get at the setting I let the furnace operate as usual while watching the fan limit control switch. I set mine to 100F,140F,200F. I've seen some set at 90F,140F,190F, or 90F,110F,190F. The spec says that the max air outlet temperature is 170F. So, my goal was to get the heat exchanger temp steady at around 170F.

I let the furnace run as normal. I reduced the gas flow if the temperature goes up to the OFF setting (200F) or increased the flow if it held steady at less than 170F. I was gentle when adjusting the flow; a small nudge may be all that's needed.

After about 1/2 hour of tweaking, I managed to have it hold steady at around 170F. It kept at that temperature until the thermostat tells the furnace to shut down. Cycling problem solved. Cost to do that: 2 hours research, 1/2 hour of staring at the control switch.

I finally found the culprit

One month ago, my wife's car had a dead cylinder. It was cylinder #3. It passed all the usual tests: spark plug sparking, compression test showed 170psi across all cylinders, fuel injector ticking, presence of fuel injector signal. But it just didn't want to start.

Peering down the cylinder hole, I noticed a pool of oil on top of the piston. A leaking valve stem seal could put too much oil into they cylinder and foiled the proper mixture for combustion. So I replaced them and cylinder #3 was still dead.

I then wanted to double check the compression test figures. It showed 170psi for all cylinders. That was a good figure, but it measured only the peak compression and did not show there was enough compression at the right time. So I bought Harbor Freight Tool's leak down cylinder tester for $30.
   

But they showed minimal leakage.

I was desperate by this time. I decided to take a look at the fuel injector. Two years ago I replaced fuel injector for cylinder #3 because it went bad. So I was very doubtful that the fuel injector could go bad again within just 2 years. But I was desperate. 

Just for the record, it's possible to remove the fuel injector harness (fuel rail) without removing the intake plenum. You need to remove the bracket that secures the accelerator cable though. The bracket is secured by 1 bolt on the cylinder head and 2 studs on the intake plenum. Remove the bolt and twist open the studs with vice grips. Doing so will damage the studs. I replaced the studs with bolts. Good riddance since I hate dealing with studs in general. 

That's when I found the culprit. Compare cylinder 1 and 3's fuel injectors:

No wonder cylinder #3 was dead. The bad o-ring must had been leaking fuel into the cylinder.

It seemed that the replacement pintle cap I used was too wide. When securing the fuel injector into the harness, the smaller opening on the harness pushed the cap against the o-ring.

Fortunately I had spare pintle caps. It was a good thing I didn't cheapen out two years ago by ordering more than I needed. I trimmed the rim of one and installed it.

That's all it took to bring the cylinder operational again.

Installing and removing recessed valve keepers

Nissan Sentra GA16DE, as is the case with many other Japanese engines, have recessed valve. As such, a common valve spring compressor design like the one below won't work.

One tool that can work (or rather be made to work) with recessed valves is Leslie 36200.

To install the valve keepers, use it without the black attachment. Just position it on top of the valve keepers and push down. It has a strong magnet at the end so as you push down the valve spring retainer,  the magnet will capture the keepers. 

A valve spring retainer and valve keepers.

But as it was, its diameter was too big for the valve cylinder. So it needed to be filed. I didn't have a grinder so  it took me 3 hours while watching Pink Panther to file it down. Oh good times.

The yellow zip tie represented my target diameter. It was set to a slightly smaller diameter than the valve cylinder's.

 

I pushed the zip tie as far down as possible and marked places that were still thick.

1.5" was deep enough for GA16DE.

I don't have a picture of using it to remove the valve keepers, but here's one of me using the installation attachment. Just assemble the valve spring, retainer and keeper, and push down with the tool. Note that I was posing for the picture because I didn't take some while I was doing the actual installation. In a real installation picture, you should see an air compressor hose going into the cylinder or a string of nylon rope to float the valves up.

 

If you do not have enough power to push down the tool with your hand (awkward position, short stature, etc.), you can try pushing down the tool with your body weight as pictured above. Use a piece of wood to spread the pressure and push down. This works for the intake valves too which are positioned further inside the engine and may not allow you to push down effectively.

Water pump old vs new

From 1994 Sentra GA16DE 1.6L:

new vs old water pump. The old one had been on the car for 5 years and was leaking.

darcs recorded modifications to ghost files

I was trying to branch out a one year old project, but got a strange error:

$ darcs get +DBMigration DBMigration.copy
Unapplicable patch:
Mon Jul 23 14:53:41 EDT 2007 Yohanes Santoso
* added sisc-1.16.6 external package
darcs: ./src/com/example/DBMigration/Frob1.class: openBinaryFile: does not exist (No such file or directory)



I checked the changelog and found that the second patch on the tree recorded modifications to files that were never added to the repository:


$ darcs changes -s | tail
Mon Jul 23 14:53:41 EDT 2007 Yohanes Santoso
* added sisc-1.16.6 external package

A ./external_package/
A ./external_package/sisc-1.16.6.zip
M ./src/com/example/DBMigration/Frob1.class
M ./src/com/example/DBMigration/Migrate.class
M ./src/com/example/DBMigration/TemplateRepository.class

Mon Jul 23 10:19:02 EDT 2007 Yohanes Santoso
* initial import

A ./src/
A ./src/com/
A ./src/com/example/
A ./src/com/example/DBMigration/
A ./src/com/example/DBMigration/Frob1.java
A ./src/com/example/DBMigration/Migrate.java
A ./src/com/example/DBMigration/TemplateRepository.java


The imported files were the java source files, but somehow that patch recorded modifications to the class files which were never imported.

I tried many ways to fix this so I can get my branch, but found modifying the patches repository directly was the only one that worked.

Patch files are stored in _darcs/patches directory. They are gzip-ed text files. Each represent a changeset (darcs record). I located all the files that contain references to these .class files, and edited them out. It worked!

Brokers meltdown

Today started with yet another rally. S&P 500 is currently at 105% of yesterday's closing, which itself was also a 105% of the closing on the day before yesterday.

Crazy. Now I'm trying to dump stocks I've been buying on the cheap, but my brokers (tradeking and etrade) websites are absolutely crawling. The tradeking one even crashed briefly.

Come on, come back up quickly, I need to sell my stocks to this frenzied people.

Which of the following is the largest?

Gish Gallop

Hah! I've been looking for this exact phrase for sometime:

Gish Gallop

it is a debate technique that drowns the opponent in bullshits, lies and half-truths. The opponent is left having to explain and correct the claims lest he is assumed to accept them.

A much easier way to access Samba share on Linux guest on Windows host

There is a much simpler solution to my earlier's one.

Steps:

1. Create a VirtualBox's HIF and attach it to the VM.
2. Set its IP address to, say, 192.168.2.1.
   
3. Start the guest OS.
4. From within the guest OS, give a static address to the HIF, say, 192.168.2.2.
5. From host OS, make sure you can ping 192.168.2.2
6. From the guest OS, make sure you can ping 192.168.2.1

This establishes a private network between the host and the guest. The guest is perceived as another node in the network hosting a Samba share.

VirtualBox: Accessing Samba share on Linux guest on Windows host

Environment: VirtualBox 1.6.4 (latest as of 2008-08-14) running on Windows XP SP3. Guest is a Debian GNU/Linux.

The goal is to have the host Windows able to mount a Samba share provided by the guest as long as the Samba instance is running. To accomplish that, we are going to create a loopback adapter interface on the host, use VirtualBox's HIF on the guest, and bridge the two interfaces together.

Steps:

1. Add a Microsoft Loopback Adapter device (through ControlPanel->Add Hardware).
2. Create a VirtualBox's HIF and attach it to the VM.
3. Go to Control Panel->Network Connections.
4. Highlight the loopback device and the HIF, and right-click 'Create Bridge'.
5. Go to the newly created bridge's property and set its IP address to, say, 192.168.2.1. The guest OS will be able to contact the host OS with this address.
6. Start the guest OS.
7. From within the guest OS, give a static address to the HIF, say, 192.168.2.2.
8. From host OS, make sure you can ping 192.168.2.2
9. From the guest OS, make sure you can ping 192.168.2.1

At this point, from the host Windows, you should be able to do this:

net use e: \\192.168.2.2\the_share_name "password_for_share" /user:username_for_share /persistent:no

Update 2008-08-14: You don't have to create a bridge. There's a simpler method.

Apheresis left me weak

Yesterday a blood donation bus came by the office for the quarterly donation drive. I'd donated whole blood twice before; but this time, the bus had an apheresis machine for doing Double Red Blood Cell process.

Human has an average of 12 units of blood (a unit is 450ml). It is composed primarily of plasma (55%) and red blood cells (45%). A whole blood donation removes one unit of this mixture. A Double Red Blood Cell procedure removes one unit of only RBC, which is about the same amount of RBC removed in 1/4.5= 2.2 whole blood donation.

I had one needle stuck into a vein on the inside of elbow. Blood was first drawn into the machine. It then separated out the whole blood to plasma and RBC. The plasma and some saline were returned to the vein through the same needle. This cycle was repeated four times. The procedure took 40 minutes vs. 30 minutes for whole blood.

When the plasma was being returned, I could feel that it was cold. My fingertips and lips were prickling because of the cold. I was at that point where I would almost start shivering.

I felt weak throughout the day, weaker than after doing whole blood donation. When I got home, I slept almost immediately. I felt good about donating, though.

Hard red clay soil

Over the weekend, I opened up a patch of the lawn for a vegetable garden. Removing the sod was easily accomplished using a square spade inserted just under the root. I then just jam the spade repeatedly along the sod-soil boundary. It peeled off readily.

After about half an hour of doing this, I realised that that meant my soil was hard as concrete. I immediately reached for the garden fork but tried hard I did, I couldn't make a dent deeper than 3 cm. A digging bar didn't fare much better either at 10 cm.

It was dried clay under the grass. How the grass could survive or how the clay got so dry under the grass was beyond my understanding. Helpful discussions in gardenweb.com pointed out that moist clay soil was easier to work on.

I was not going to waste water hosing down the dry soil. I mulched it instead and am waiting for a rain. Once it gets easier to work with, I'll insert garden fork as deep as I can and lever the soil up. This will allow some air and mulch to drop inside through the crack. The trapped mulch will entice worms to go deeper and till the soil for me.

Killing a mulberry tree

Killing a mulberry tree is hard. You can cut it down to a stump, but by next month there will be several new sprouts. It has a deep taproot so digging it out is difficult. It is made even more difficult by its propensity for growing near fences.

I have two of them (black mulberry) in my yard on a fence corner. One is quite tall, 5m, the other was about 2.5m. I cut down the shorter one to a stump a year ago because it was so near to the fence post. Earlier this year, I was surprised to see new growths from the stump. That was before I knew the tree was a mulberry tree.

I don't want to use salt to kill the tree because I feel that the salt will affect the area. After all, the salt has to go somewhere. Even if all of the salt is absorbed by the root, when the root decomposes, the salt will leach out.

So I put a thick (3mil) black plastic bag over the stump and weighted the edges. The bag will cause the sun to bake the stump and also deprive it access to sunlight. I'll open it up in October to see if it does the trick.

The taller one will stay for now because it bears fruit and provides shade. I need to ruminate on its fate.



PS.

I had been trying to identify all the trees on the property ever since I bought it. The basswood out front was quite easy to identify and so was the holly tree (it was so distinctive). I used various online tree identification sites to no avail. It was not until wife remarked on the berry-like fruit that I finally know where to start searching: berry trees.

BTW, I found a post in gardenweb site explaining why they grow alongside fence while searching for a way to kill it.

3rd run

2.72 miles at 35 minutes. 314 calories.

4 days later, ran longer

This is the second time I went running. This time I managed to do 2.5 miles in 30 minutes.
It was such a marked improvement. Last time, I stopped after 23 minutes because of exhaustion. This time, I actually sprinted in the last minute and could still go on for a long time if I wanted. But I didn't want to force myself yet, so I stopped at 30 minutes, just as I planned.

This is such a nice surprise. I regularly ran 9 years ago for 6 months but could never break the 2 miles or 20 minutes ceiling no matter how hard I tried. Back then I was still smoking 1 pack a day too.

Now, 9 years older at 32, I am doing better than ever!

Aching body -- starting to exercise

This coming Winter, I want to be fit enough to ski through Whitetail Mountain's Exhibition in the middle of February from top to bottom without stopping. The moguls will be big and the trenches deep. I've never been able to do it without stopping at least once.

So, I started running last Thursday. 1.75 miles in 23 minutes. I followed up with various weight exercises: wirst curl, bicep curl, tricep curl, shoulder dumbell shrug, back extension, bench press.

My body was sore the whole Saturday, but the pain has abated today. I'll do another one tomorrow.

Vote Verification by Internet

http://ask.slashdot.org/comments.pl?sid=575131&cid=23673725

"
Vote Verification by Internet (Score:4, Interesting)
by srobert (4099) on Thursday June 05, @04:33PM (#23673725)

This is admittedly a little off-topic as it doesn't answer the original poster's questions, but I'd like to see a national system where, when I vote I'm issued a random number. When I get home I can look up my number on the net and it will show how I voted. That way I at least know how my own vote was counted.
"

All it shows is that the system can remember your vote. It does not show that your vote counts.

Katherine Heigl and Ashley Judd look similar?

I found that in many scenes in 27 Dresses, Katherine Heigl looks similar to Ashley Judd, at a glance. May be it's just me.

Neighbour complained about cat

My neighbour complained about my cat, 'item, digging in her garden. She
wanted me to keep it indoor. Since I can't train it to stay off her
garden, I have no choice but constraint it within mine. I need a
cat-proof fence.

These pages are the ones that interest me most:

http://www.hsus.org/pets/pet_care/cat_care/fence_me_in.html
http://www.purrfectfence.com/default.asp
http://www.catfence.com/index.htm
http://www.feralcat.com/fence.html

Unfortunately, the lowest rate for commercial fencing, at $2/foot, is
still higher than what I am willing to spend.

The do-it-yourself route (last link) seems cheap. I'll go to local
hardware store and calculate the total cost for the materials. If it
is cheaper than $2/foot, then I'll go that route. And if I were to
succeed, I'll post photos.

Samba error message

Samba error message leaves a lot to be desired.

I spent 2 hours tracking down the cause of:

$ smbclient //berbagi.3/berbagi
Password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Turned out it was caused by a parent directory to the real path being not world-readable.

XP hanging when opening files

XP seems to hang when opening files. It does not actually hang; it is just doing file browsing very slowly because of certain settings. Below are the settings you can change to make file browsing faster.


From http://forums.pcpitstop.com/lofiversion/index.php/t121312.html

Go to Start - Run
type gpedit.msc
hit enter

ENABLE User Configuration select Administrative Templates - Start Menu and Taskbar-"Do not use the search-based method when resolving shell shortcuts"
ENABLE User Configuration select Administrative Templates - Start Menu and Taskbar-"Do not use the tracking-based method when resolving shell shortcuts."
ENABLE User Configuration - Administrative Templates - Windows Components - Windows Explorer-"Do not track Shell shortcuts while roaming"



From http://www.ss64.com/nt/slow_browsing.html

Removing all shortcuts from 'My Network Places' will return the system response to normal.
Prevent XP from placing shortcuts under 'My Network Places' by changing registry HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsNetHood to 1.


More information http://support.microsoft.com/?kbid=841978

An actual restoration from Drive Snapshot backup

I had to restore a disk encrypted with PGP Whole Disk Encryption from a DriveSnapshot backup. I posted about the general idea, but the following are the steps of a real one:

# /dev/sda is the drive I needed to restore
# /dev/sdb1 contained the backup files and fullcd.iso

mount /dev/shm
mount -o ro /dev/sdb1 /media/sdb1
qemu -hda /dev/sdb -hdb /dev/sda -cdrom /media/sdb1/fdfullcd.iso -boot d
snapshot show hd2
snapshot show file.sna
snapshot restore hd2 mbrall file.sna
snapshot restore hd2 auto file.sna

xfdisk -> install boot manager (overriding pgp bootloader) -> create new menu entry pointing to the partition.

reboot.

Accessing USB printer under OpenVZ VE

To access USB printer from within OpenVZ Virtual Environment (VE), you need to allow the device to be visible and accessible by doing the following from the Host Environment (HE):

vzctl set 999 --devices usb/lp0:rw

cat /proc/vz/devperms
#Version: 2.7
# 0 b 016 *:*
# 0 c 006 *:*
# 999 c 006 180:0

If there is any trouble with printer access from within VE, verify that there is none from HE .

In my case, CUPS within VE correctly detected my printer at ``usb://Samsung/ML-1740``. Yet it couldn't push any job to the printer. I spent hours trying to get it work to no avail. What I should have done was to verify if CUPS in HE could do it successfully. It couldn't. But CUPS-in-VE in another machine could push the job successfully. The problem, then, probably was with the hardware.

So, I settled with specifying the printer location (DeviceURI) at ``file:/dev/usb/lp0``. It works, except that it can't read printer status because it requires two-way communication which ``file`` protocol does not support.

Shorewall and OpenVZ

A pretty basic Shorewall configuration can consume about 190 iptent (iptable entries) and the default limit is 128. So, if you are getting 'iptables: Cannot allocate memory' error message, check your /proc/user_beancounters because you might have hit the numiptent (number of iptable entries) limit.

OpenVZ VE's private and root directories must be on the same device

Files in a VE are stored under /var/lib/vz/private/${veid}. There is also /var/lib/vz/root/${veid} which is empty if the VZ is not alive and populated with what the VE sees when it is alive.

If you are moving the VE storage to another device, make sure to move both the private and root directories.

mount /mnt/newlocation
ln -s /mnt/newlocation/private/999 /var/lib/vz/private/999
ln -s /mnt/newlocation/root/999 /var/lib/vz/root/999

Otherwise you'll be getting this erronous error message:

> vzctl start 999
Starting VPS ...
vzquota : (error) Quota on syscall for 999: Device or resource busy
vzquota on failed [3]

qmail in resource-constrained environment

An important thing to note when using virtualised environment
such as OpenVZ is that resources are artificially constrained. This can cause various funny and head-scratching behaviours.

My OpenVZ VE (plan VZ 128) from quantact.com, runs apache2 and qmail (as spooler).
I had to adjust tcpserver connection limit to 3 (tcpserver -c 3), and qmail-send's concurrencyremote to 1 (echo 1 > /var/qmail/control/concurrencyremote).

Each incoming SMTP request triggers an RBL lookup and may trigger a spamassassin check. The default tcpserver's incoming connection limit is 40 and there just isn't enough resources to support 40 spamassassin instances (1 spamd with 40 spamc processes). Instances will fail with various puzzling error messages. The only clear indication that they are failing because of resource constraint is by comparing the content of /proc/user_beancounters before and after failures.

Furthermore, if the remote host, where the real mail server is, is down for a period such that enough mails are queued up, when the remote host is up again, qmail-send will start 20 qmail-remote processes (the default) to send the mails all at the same time. Each process will send email to the real mail server through a stunnel connection. But there just aren't enough resources to support 20 qmail-remote processes along with 20 stunnel connections. Again, the only way to know this for certain is by comparing the content of /proc/user_beancounters before and after failures. Otherwise, all you are getting are error messages like below which could have been caused by various things like network or firewall problem:

2008-03-11T06:53:02.78164 2008.03.11 02:53:02 LOG3[11407:3058117552]: SSL_accept: Peer suddenly disconnected

Once the concurrency level is brought down, force qmail to resend the queue:

qmail-qstat; qmail-tcpok; pkill -ALRM qmail-send; qmail-qstat

OpenSSH: Hashed Known Hosts

Read more at https://itso.iu.edu/Hashing_the_OpenSSH_known__hosts_File.

To hash every user's known_hosts files and delete the known_hosts.old:

for username in `cut -f 1 -d : /etc/passwd`; do echo $username; sudo -u $username ssh-keygen -H; rm `sh -c "echo ~$username/.ssh/known_hosts.old"`; done

Restoring Drive SnapShot from Linux

I use Drive Snapshot to archive our Windows machines. It is a Windows backup/disk imaging tool that does not require you to interrupt your other work in other applications. It is a good tool and has repaid its cost (US$ 57.56 in 2007 May) many times over.

Compared to other similar tools at the time, it was really the quickest and simplest one. However, its main downside was that it required DOS or Windows for restoring from scratch. DOS is troublesome to setup. There may be special drivers needed to be able to access the harddrive to be restored and also the backup files themselves. Restoring from Windows is slightly better, but only if you have another Windows machine and go through the hassle of hooking up the target drive to that machine.

Here is a method that I find easy enough for in-situ restoration. You need Live-CD Linux, QEMU and FreeDOS ISO image. I use Knoppix 5.11 since it includes QEMU.

1. Boot Knoppix to GUI mode for QEMU UI.
2. Make sure FreeDOS ISO image is accessible on a different partition/disk than the Snapshot image files (.SNA).
3. The SNA and snapshot.exe filesmust be in a FAT32 volume
4. qemu -cdrom freedos.iso -hda /dev/${fat32-partition-containing-sna-files} -hdb /dev/${target-harddrive} -boot d
5. Follow the DOS restoration instruction. For example: snapshot.exe restore HD2 MBR image.sna which restores the MBR record from the image.sna (the CWD is assumed to be C:\ which corresponds to the fat32-partition-containing-sna-files device) to HD2 (the QEMU's hdb device which is the target-harddrive).

Hope this helps.


20080904 UPDATE: A step-by-step instruction
http://gnomicnotes.blogspot.com/2008/04/actual-restoration-from-drive-snapshot.html

ntpd in openvz ve

ntpd needs to change the system time. In OpenVZ, VEs share the host's system time. The VE running ntpd needs to be given the CAP_SYS_TIME capability:
vzctl set 101 --capability sys_time:on --save

Brake pedal needs to be adjusted after master cylinder replacement

After replacing the master cylinder in my sis-in-law car, I found that the braking performance didn't improve much. The pedal still went to the floor and the wheel could not be locked up.

I consulted with my brother who was an actual certified mechanic. He suggested that that the brake pedal free play needed to be adjusted because of depth differences of the piston cap in master cylinders. At first I was skeptical. True, the replacement part was a remanufactured one; but was it really that different than the old one?
I measured and found that the freeplay distance was out of spec: 12.7 mm instead of 5 mm. But what could a 7.7 mm difference do to the braking performance?

After adjusting the freeplay distance, I found that I couldn't floor the pedal anymore. Although the wheels still won't lock up, the brake is now good enough for everyday usage. I attribute the inability of the brake to lock up the wheel to older (weaker) brake hose and moderate glazing on the front rotors and pads.

Replacing brake master cylinder

My sis-in-law's car, a 1993 Nissan Sentra, had not been maintained by its previous owner. Since its purchase two years ago, I have been doing incremental maintenance on it. The last one I did was a brake fluid change.

Apparently, the brake fluid had not been changed in a long time. After changing it, the brake pedal became soft, mushy and the pedal could go to the floor. The car became dangerous to drive. Even with pedal on the floor, the wheel would not lock up. Repeated bleeding didn't help.

Then I stumbled on an explanation somewhere in the Internet (I forgot to note the URL). The old brake fluid could have been saturated with water. It caused the rubber seal within master cylinder to swell. Because brake fluid (DOT3&4) is hygroscopic, when the fluid was changed it pruned the seal, leaving it wrinkly like your fingers when you have been swimming for too long.
This causes the master cylinder to have an internal leak: instead of forcing the fluid along the brake lines to the slave cylinders, the seal allows the fluid to leak past them to the unpressurised region.

Symptoms of a master cylinder with an internal leak:

• You can push the pedal to the floor with light continuous pressure even without the help of brake booster.
• The pedal slowly sinks to the floor under its own weight (by itself).

Since diagnosing brake failure cannot be done with 100% certainty, if you have one of the above symptoms and you cannot attribute it to anything else (leaky slave cylinders, leaky brake lines, weak brake hoses, various other kinds of external leak), you need to replace the brake master cylinder.

Special Tools & Parts:

• Replacement brake master cylinder. I got a rebuilt/remanufactured one for $60.
• Flare-Nut wrench (see picture to see the difference).
• Strong strings (optional. to help seat the reservoir in the new unit).
• Aluminium foil / plastic food wrap / plastic bag / any barrier suitable for containing brake fluid.
• Bench vise. Bench bleeding is much easier with one. Much much much easier.
  

Procedures:

• Lift car on all wheels with wheels off.
  
• You need some space around the brake master cylinder.

• So, start by clearing up the area surrounding it.

• Clean the area around master cylinder with brake part cleaner and wiping (physically). You want to get the area as clean as possible to prevent contaminant in your brake system. Use tooth brush (not the same one you used this morning) to clean tight spaces.
  

Do you know that brake part cleaner (Tetrachloroethylene) is a carcinogen? Do not let it drip to the floor. Do not let it free in the environment. I find an oil drain pan suitable to contain brake part cleaner liquid run-off. It's wide and short and can fit under various areas of the car. Don't use the same one as the one you use for engine oil. The chemical in the cleaner will render the oil unsuitable for recycling back as engine oil. It will force the recyclers to use it as fuel.

• With the master cylinder is still fastened to the brake booster, loosen the brake line nuts using flare-nut wrench. The reason you need to use flare-nut wrench is because they are made of soft material and tighten pretty tight (13-20N.m or 10-15 ft/lb). Don't open them, don't let fluid drip. Just loosen them and tighten loosely back with finger.

• Remove the master cylinder from the booster.

• Now that you can manoeuvre the master cylinder slightly, put aluminium foil or fluid barrier under and to the sides of it because next you'll be removing the brake lines. Put some towels (that's the white thing on top of the aluminium foil in the picture below) too so the caught fluid is not sloshing around on the barrier. When the brake lines are separated, they won't drip fluid, but the master cylinder will. So, put it in a plastic bag as you carry it over the car.
  

• Empty the master cylinder and reservoir of brake fluid.
  
• Mount the master cylinder on the bench vise.
  
• Remove the reservoir by moving it left and right while pulling it up. It's going be hard but it won't break as long as you are using your hand. The bench vise allows you to use both hands for pulling.
  
• Pry off the filter screen in the reservoir
• Clean the filter and the inside of the reservoir with brake part cleaner. Don't forget to do it above the drain pan to increase your karma. Afterwards, rinse with fresh brake fluid. Pour in some fluid into the reservoir, put on the cap and cover the ports with your fingers. Shake shake shake and let the fluid out. Repeat as necessary. Don't install the the filter yet, but clean it as well.

Here is a picture of the old and new master cylinders with the reservoir and metering valves removed.

• Install the reservoir, metering valves and the bench bleed plugs (the green plug screwed to the metering valves and ports in the picture below). If the plug does not fit well, do not use it because it won't help in eliminating air during bench bleeding. You need to be prepared for getting messy during the bench bleeding, or do a long painful re-bleed session on all wheels (good thing you already have the car up, right?)
  

Putting back the reservoir was hard for me as I was not powerful enough to press it in. So, I used a long piece of string to help convert torque to pressure. Make sure that the string form a wide band so the pressure will not damage the nylon reservoir.

• Install clear tubings from the plugs back to the reservoir. My green plugs takes 3/16" ID (internal diameter) tubings.
  
• Fill reservoir with fluid.
• Use a long screwdriver or a socket extension to push the piston repeatedly until you see no more air bubble. If there is a port without a plug (because it does not fit well), cover the port with your finger to prevent air being sucked in before releasing the pressure on the piston.
• Installation is the reverse of removal. Do not forget to put the master cylinder in a plastic bag during transport as it will be dripping fluid. Take your time in screwing in the brake line nuts. Do not cross-thread the master cylinder (the nut is soft, but the master cylinder is softer). Do not get panicky because the fluid is dripping. That's why you put the barrier underneath, right?
  

If you did a good bench bleeding, you don't have to do anything else beside putting the car down. Otherwise, go bleed the brake. Yes, new master cylinder means you can push the pedal to the floor without damaging the seal.

Make sure to test drive it and check for external leak.

Keep checking for five days for any fluid level drop in the reservoir and for external leak. Some leaks are very small. I found a very small leak on the third day on one of the the brake line nuts that was not there previously.

Test, test, test

It turns out that the best way to prepare for a test is by doing practice tests.
At some level, I have known this subconsciously. Want to have a successful Math exam? Do practice questions until you're bored to death. Having a 5-chapter History exam tomorrow? Do practice questions until dawn.

I think this also applies to things in general: expertise comes from repeated doings. In other words, expertise comes from experience.

Disabling LKM in Debian GNU/Linux

This instruction is applicable to Etch (4.x).
You may want to do this on your public servers to help keep off LKM trojan.

apt-get install lcap
lcap -c CAP_SYS_MODULE

There are more tips at Taking Advantage of Linux Capabilities.

What is in a machine name?

As I started to play with OpenVZ, it dawned on me that the cost of
machines are cheap. It is very cheap to have a specific (virtual)
machine for a specific purpose.

Already, I had several specific functionalities I wanted to have
implemented: intranet-wide (read: home) file server, intranet-wide
access to scanner, public-facing web server, public-facing mail
server, fresh OS base to test installation procedures on, etc.

Now they can each be implemented in its own machine. There will be
enough machines for me to justify entertaining some
system-administration practices, like impersonal machine naming.

I had always been naming my machines by the name of people I liked,
had crushes with, or dated. I cannot continue with that schema without
jeopardizing my marriage and lying to myself as I cannot start liking
someone just because I need to name a new machine.

A machine naming convention that I've always liked is one that encodes
the purpose and asset ID into the name. For example: WWW001 is a web
server machine, MAIL001 is a mail server machine, and WS001 is a
workstation machine. Some even go further by including physical
location information: DC06MAIL001 could be a mail server in data
center #6 in Washington DC.

My need for my simple system is simple. I choose the simple prefix "M"
which stands for machine. The names will be M01, M02, M03, and so on.
Reaching M99 is a strong indication that the system is no longer
simple and is a justification to use a more sophisticated naming
convention.

The machine name forms the basis for the canonical DNS name. Machines
with a single IP have similarly named DNS entries under the 'machine'
subdomain, e.g.: m01.machine.example.com.

Multi-Homed machines (having multiple IPs) also have similarly-named
DNS entries pointing to each of its interface. The entry names should
be descriptive enough to identify the interface, e.g.:
m01-internet.machine.example.com and m01-lan.machine.example.com if
m01 is an Internet-facing firewall machine.

Each interface may be assigned additional alias DNS name (CNAME
records). For example, if m01.machine.example.com is originally a
machine in LAN and is being upgraded to serve as an Internet-facing
firewall machine, then m01.machine.example.com then cease becoming
the canonical name. It may be dropped or added as an alias.

Publicly-Accessible servers also benefit from having an alias DNS
name, e.g.: www.example.com may be an alias for
m54.machine.example.com.

Publish Post

LKM in my server. Rootkitted.

 From: root@example.com (Cron Daemon)
 Subject: Cron test -x /usr/sbin/anacron || ( cd / && run-parts
 --report /etc/cron.daily )
 To: root@example.com
 Date: Sun, 27 Jan 2008 09:25:10 -0500

 You have 1 process hidden for readdir command
 You have 1 process hidden for ps command
 chkproc: Warning: Possible LKM Trojan installed

When I received that email from one of my public servers, two
questions popped up: did I just get rootkited again?

I had been rootkitted about three years ago. At that time the only
network-accessible services on the computer was a stock apache 1.3
serving static pages and an unpatched qmail. I didn't have tripwire
setup and ended up reinstalling the system from scratch because I
didn't know which files had been compromised.

This time, I had tripwire (AIDE, actually) setup and was able to
identify the infected files. Yet I still ended up reinstalling the
system from scratch partly because things were too easy for me and
mostly because I just found the excuse I needed.

Firstly, the compromiser didn't take out the regular chkrootkit
report. Secondly, subsequent chkrootkit report didn't report any
warning. Did the chkrootkit itself was compromised? Later verification
with an uncompromised AIDE data file showed that it was not, but
still, you wouldn't know that then. Thirdly, the same question for the
AIDE binary itself. Fourthly, it was really painful trying to do an
off-line verification on a remote system. Fifthly, was it apache 1.3
again?

One thing I discovered was that Linux allows you to disable loadable
kernel module (LKM) which supposedly makes it impervious to LKM
Trojan, like the one I had. No use crying over spilt milk.

The server was a Xen virtual machine hosted by quantact.com. It was
setup two years ago. This break-in gave me an excuse to reorganize my
hosting choices. Around last year, they started offering a cheaper
hosting option on OpenVZ. So I tried it and found that I liked it. I
liked it so much I installed one at home.

OpenVZ does not allow virtual machines to load kernel modules. I hope
that is enough to circumvent the same attack vector.

New site

My web server got rootkitted (see next post) and I got my excuse to
reorganise.

I had been thinking of using a public blog site, like blogger.com, for
my infrequent writings but had hesitated because of the perceived lack
of a decent editor to compose the entries with. I did not know about
the publish-via-email capability only until recently.

This capability allows me to keep using my favourite editor to create
a new email, do the compositions and send it to blogger.com for
publishing.

The ability to compose entries using the web interface is not
something to discount either. In my travelling, I have found hotels
with an over-eager filtering mechanism that restricted access to my
own web site because of its 'pornographic nature'. Yes, it is
pornographic only if you are turned on by boring technical writings.