The ZX Spectrum Book – 1982 to 199x

The ZX Spectrum Book – 1982 to 199x

“‘The ZX Spectrum Book – 1982 to 199x” by Andrew Rollings covers over two hundred of the best games for the Sinclair ZX Spectrum.You can download it here.

Integrating Squid with Active Directory

Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant / deny access to the Internet by user / group validation, using single sign on.

The solution might not be the most elegant, but it’s a working one. You’ll need to install the Kerberos, Samba, Squid and NTP packages.

In this solution will be allowing all users in the InternetOn AD group to have access automatically. Any users outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompt for username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you’re managing the office computers at http://www.partycasino.com/ or building a school network.

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
YOURDOMAIN = {
kdc = yourpdc
admin_server = yourpdc
default_domain = YOURDOMAIN
kpasswd_server = yourpdc
}
[domain_realm]
.yourdomain = yourdomain
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

#####################################################

smb.conf

[global]
workgroup = YOURDOMAIN
server string = SQUIDPROXY (or any other name you want)
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = yourpdcIP
realm = YOURDOMAIN
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

#####################################################

squid.conf

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
emulate_httpd_log on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
acl interneton external ADS InternetOn

acl blocksites url_regex "/etc/squid/squid-block.acl"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # waisacl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny blocksites
http_access allow interneton
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

#####################################################

Start samba, winbind and squid by this order.

Synchronize your squid server with the AD

ntpdate yourprimarydomaincontroller

Initialise Kerberos

kinit administrator@YOURDOMAIN

Test Kerberos connection

klist

Join Squid Server to AD

net ads join -S yourpdc -U administrator

Validate Trust

wbinfo -t

Validate if the wbinfo_group.pl script is working

echo "youralloweduser InternetOn" | /usr/lib/squid/wbinfo_group.pl -d
(it returns OK or ERR if the user is in the InternetOn group or not)

You might have some problems with the winbindd_privileged directory. If that’s the case:

cd /var/cache/samba
chgrp squid winbindd_privileged
chmod 750 winbindd_privileged

The problem with this setup is that when you change the InternetOn members, Samba / Winbind aren’t aware of the change until the cache clears, so I made a small script you can run in cron or manually.

clearcache.sh

#!/bin/bash
/etc/init.d/smb stop
/etc/init.d/winbind stop
rm -f /var/cache/samba/*.tdb
/etc/init.d/smb start
/etc/init.d/winbind start
/etc/init.d/squid reload

Test this at your own risk. 🙂

LAN IPs on Mail.app Email Headers

Dear Apple,

please explain why is my computer (added to not be mistaken with the router’s IP) LAN IP address showing on the email headers of the mails I send with Mail.app.

Thanks!

Bellow, in red, my computer’s private LAN IP Address. In green my Router’s Public/WAN IP address which is “normal” to be included on most email headers.

Return-Path: <rsaramago@gmail.com>
Received: from ?XX.XX.XX.XX? (pa6-XX-XX-XXX-XXX.netvisao.pt [XX.XX.XXX.XXX])
 by mx.google.com with ESMTPS id 7sm502355eyb.8.2009.11.13.01.07.07
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Fri, 13 Nov 2009 01:07:08 -0800 (PST)
Subject: Teste
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary=Apple-Mail-1-623152288
From: Ricardo Saramago <rsaramago@gmail.com>
To: Testy McTest <test@test.pt>
X-Mailer: Apple Mail (2.1077)

Update: I’ve clarified some descriptions above after some user comments, I realized that It wasn’t clear what IPs I was referring to.

It seems that this is common on most email clients, except for Outlook. This “issue” triggered my attention when I was looking into the mail headers from a mail I sent from Mail.app in response to a mail from Outlook and they were indeed different in this aspect.

The client’s computer Local IP address and the Router’s / Firewall / Modem / whatever public IP address are added by the SMTP Server to the Envelop’s “Received” line, which it probably gets from the EHLO.

Still, this isn’t secure as it allows malicious attackers to map a victims network very easy.

The Art of Community – Now Free

Jono Bacon has released his book “The Art of Community” under a Attribution-Noncommercial-Share Alike Creative Commons license, which means you can download and read it legally.

If you like it, follow the author’s advice:

  • Firstly, buying a copy sends a tremendous message to O’Reilly that they should continue to publish books (a) about community and (b) under a Creative Commons license.
  • Secondly, it will encourage O’Reilly to invest in a second edition of the book down the line, which will in turn mean that communities around the world will have a refreshed and updated edition that is available to them.
  • Thirdly, aside from the voting-with-your-feet side of things, it is just a really nice book to own in print. It is really well made, looks stunning and feels great to curl up with in a coffee shop or on the couch.

Via Pedro Custódio

Asus EEE PC 1008 HA SeaShell

Asus EEE PC 1008HA

Until a few weeks ago, the netbook market / scene was a bit of a unknown thing to me. I lacked the information mainly because I was never attracted to small notebooks and netbooks felt into that “class”.

What made me change my mind? Well, my wife often mentioned she would like to have a smaller notebook than her 15.4″ Dell to take to school. That and a trip we made this vacation 🙂 I needed to take a computer and my 17″ Macbook Pro was out of the question since I would need it to check maps, info and e-mail on the go. So, a few days before this trip we went to take a look on the local Vobis / Worten and evaluated the offer.

The Asus EEE PC 1008HA was indeed the most balanced of them all, taking in perspective what we both needed: a light netbook. I was still split between the Asus and an Aspire One, but the Asus had Wifi N and a bigger hard drive, not to mention the screen quality that is amazing.

But enought chit chat, here’s my take and notes on the Asus 1008HA:

Pros

  • Very light, only weights 1.1 Kg
  • Stylish design, similar to a MacBook Air
  • 160Gb HD
  • WiFi Draft N and Bluetooth v2.1
  • Functional Keyboard
  • Multitouch Touchpad
  • 6 hours unplugged computing with Super Hybrid Engine (Asus’s energy managment app)

Cons

  • Plastic sheel feels cheap and fragile in some areas
  • Windows XP bundle
  • Non Removable Battery
  • No easy access to RAM and HD
  • 1.1 Mpixel Webcam has a crappy framerate

The Netbook behaved very well on the go, the battery time is amazing and it seems to last forever, and it’s a good thing because there’s no way to use a second battery. Due to the Seashell design, Asus limited all the expansion on the machine. The battery is not user removable neither is the RAM or HD. To replace these three components you need to disassemble the machine.

One of my frustrations was that there was no bundle with Linux, Asus seems to be kissing Microsoft’s ass again with Netbooks, so the first thing I did after getting home from the trip was to try to find a decent operating system for the Netbook. The candidates were:

  1. Windows 7
  2. Fedora 11
  3. Jolicloud
  4. Ubuntu Netbook Remix

Windows 7 installed very well, the only problem I had was with the ACPI and graphics card. Flashing the 1008HA with the latest bios solved the latest problem, and the other one was solved with a hacked ACPI driver I found on the web. There are still no Asus drivers for Windows 7 but the ones the system installs work rather well. The problem with 7 is that with a default configuration it ran slower than XP, consuming a hefty 450Mb of RAM without no other application loaded. Oh and it was slow as hell to boot. So, on to the next.

Fedora 11 looked beautiful for the first 5 minutes. It all seemed to work out of the box, even wireless and it booted rather fast from the CD I was using. One of the first problems I noticed was that the it wasn’t optimized for netbooks, Gnome dialog boxes were huge and often the OK / Cancel buttons were offscreen. When I tried to install it to the hard drive it failed afer creating the partitions and exited the installation program, leaving me with a damaged installation. I might try it another time but for now… next!

I was very eager to try Jolicloud but the alpha is still invitation only, and since no one on the Interwebs was kind enought to send me an invite, I only managed to try the OS without the cloud part… It seemed like a heavily modified Ubuntu Netbook Remix. It worked very well out of the box and the eye candy is very cool. Sadly for me the most interesting part of this system is the cloud… so, on to the next one.

Enter Ubuntu Netbook Remix, a netbook oriented Ubuntu, which seems to be the most common base of a boatload of netbook linux distros. I installed UNR 9.04 and guess what? Wireless and Ethernet didn’t work. It was Google time and I finally found this guy’s post on the 1008HA and exactly the same problem I had. Three commands and a reboot and Networking is back, my luck is that I also had an USB Ethernet adpter that UNR immediately recognized. After taking it for a quick spin, it seems I found a suitable OS for this netbook.

Of couse I’m not stoping here, as I’m writing this I’m installing UNR 9.10 Alpha to check if there are some significant improvements over 9.04. After that I’ll probably try another 2 or 3 distros, but I think it will be hard to surpass UNR 9.04. Unfortunately not everything works with UNR as well as it works with Windows XP, since there are no Asus drivers for Linux either. So don’t count with some keyboard combos and the Super Hybrid Engine on Linux, at least for now.

Ending this loooong post: The more I play with this netbook the more I wish that Apple would release a netbook or a smaller version of the Air (still I wouldn’t mind having an Air). I think that once you go Mac it’s hard to look back.

Notes

To get wireless working on UNR 9.04:

sudo apt-get update

Reboot

then:

sudo apt-get upgrade

Reboot

sudo apt-get install linux-backports-modules-jaunty

Reboot only needed after modules installation. (Thanks Tiago!)

Google Chrome OS – Was I right or what?

Last year, when Google released Chrome I wrote this.

Some might say it was futurology, but I say it was the most logical step of evolution. The fact is, I think I was really close on Google’s plans for Chrome.

Life Saver – Upload iPhone Carrier Settings

If you want to upload modified or standard operator carrier settings to your iPhone, just type this in your terminal:

defaults write com.apple.iTunes carrier-testing -bool TRUE

This way you can upload the settings via iTunes without having to install the previous beta versions that allowed this by default.

Facebook Vanity URL’s Hysteria

Facebook

Much has been said since Facebook allowed the new “vanity URL’s” (or user url’s like I rather call it, since vanity urls is purely an american expression adopted from the vanity plates they have in their cars).

Most of the posts about this are from users bitching about the way Facebook roll out this feature, allowing the users to choose any alias to be used in http://www.facebook.com/whateveryouchoose regardless of their username, unlike Twitter that has http://www.twitter.com/username. Others rant about the fact that Facebook should have provided something like http://user.facebook.com, forgeting that Facebook has milions of users and something like that would have a termendous weight in their DNSs…

But, as always, there’s something good to learn. One of the posts I read about this subject (no link, sorry, can’t find it) mentioned a cool way to give your Facebook, Twitter, Flickr, [insert your favorite social network here] URL’s to other people, that is, if you have your own domain.

In my case, my domain is odrakir.com, so I created some subdomains redirecting to the social networks I use the most:

This way, I can give an url that’s easy to memorize and always mentions my “brand name”, cool enough to use on a visit card 🙂

The Konami Code

A few months ago I wrote an article about the Konami code on 8-Bit Revolution which surprisingly is become an Internet trend / meme. If you don’t know what is the Konami Code, well, I’ll give you the light version.

The sequence of keys on the image above is the Konami Code, and is probably the most popular video game cheat code of all times. Most games from Konami have almost always a cheat or a small easter egg triggered by this code, but the most interesting is the number of publishers besides Konami that still today include this code in their games, as a “nod”, a small tribute to the Konami Code.

The Konami Code was created by Kazuhisa Hashimoto, the developer responsible for the port of Konami’s Gradius for the NES in 1986. After finding the game very difficult to play during the tests, he created a code that allowed the player to have all power-ups that would normally be acquired during the game. When the final version of Gradius was released on the market, the code was included by mistake.

The code would only become famous in Contra for the NES. The difficulty of Contra was too high but with this code the player could have 30 extra lives and playing the game became a possible mission.

Even today, all iterations Gradius react to the Konami Code, each in its own way. For example, Gradius III destroys the ship when you load the code.

Today, Konami Code is more than a simple “cheat code” is a cultural icon of a generation. A generation of retrogamers easily recognizes and identifies the code, many are proud to recite in the code by heart 😀

There are references to the Konami Code / Contra Code in music lyrics, t-shirts and even in some sites like Digg and Google Reader, and it’s becoming more and more used, to a point that Konami Code Sites was created to track all sites that use this code. So, don’t forget to enter the Konami Code when visiting a site, you’ll never know what might happen. I’ll even give you an extra tip: 8-Bit Revolution is Konami Code enabled since 2007 🙂