Older blog entries for Stevey (starting at number 132)


I updated my Debian personal page, to make it look prettier.

Those pages host my SSP compiler packages and not very much else.

I've also been working on the new improved logcheck program, which is now almost redone in Perl.

Right now my biggest pain is the argument parsing. I wish to use Getopt::Long - but it's painful as the command line flags I wish to use are descriptive and do not match the old ones.

Essentially I have the choice, I can reuse the old command line args, or I can be non-backwards-compatible and just change them.

In the interests of clarity and "niceness" I wish to do the latter; in the interest of least surprise and non-breakage I must do the former.

I can't bring myself to decide; I don't imagine this script is used by many people in anything other than the default manner ..


It's been satisfying working on the new LiveJournal valentine system; this is my first usage of CGI::Session, CGI::Application and friends, and I like them. A lot.

Already I'm very close to having it completed, although there does need to be more testing.

Matt Hope:

I believe that if you wish your password reset on Advogato you should mail raph politely and wait.

There are several password reminding patches around for the site; including a quick hack I wrote, but nothing in the main site; it's just a case of storing your cookie safely and hoping you don't forget!


I adopted the libnids1 package as it is only used by dsniff, the package I maintain. libnids1 was recently updated to cover a security problem (DSA-410), so I had to adopt this package or dsniff would become unavailable to me.

Still looking for a decent system of organising audits and getting more involvement. As time goes on I'm getting less convinced that people will help, which is unfortunate.


Waiting for some more DSAs and hoping to move the Debian Auditing Project to a new location.

By some fluke I managed to register Shellcode.org, which is where I've started building up a collection of shellcode examples for different platforms - more would be appreciated.

This is also the location where I discussed my GCC patches and kernel modules - which I must look at porting to 2.6.x.

As well as that I must make a few more package updates - it seems that I can now. There have been things holding me up, ranging from the savannah.gnu.org compromise to the alioth problems.

I'm still desperate to start working properly on the rewrite, although it's looking increasingly likely that I will have to do this alone.

I will upload my design documents to the Alioth repository and start committing stuff to CVS - I think that's working again now.


Now that these entries are being syndicated it might be worth the time to give a real introduction.

Normally this kind of thing is discussed in my LiveJournal, where I ramble about things - plan pub trips with local users, etc.

So I'll try to avoid stuff that has been recently covered in there.

(I'll also leave out anything that's rude; which is a large part of my life ;)

I'm 27, living in Edinburgh, the location of the Scottish Parliament, the wonderful Edinburgh Castle and other fine attractions.

I've been living in Edinburgh for 9 years now and still think that it's a beautiful city, lots of old buildings, interesting scenery, and large chunks of greenery appear randomly inside the city.

The only city in the world that I've visited and liked more than Edinburgh was Barcelona. I was lucky enough to work on an EU funded project which was in conjunction with The University of Catalonia, the University of Edinburgh and a commercial partner.

Day to day life for me involves waking up around 7AM, playing with my lovely cat, and snatching a quick cup of coffee before moving into work at around 8:30/8:45.

The walk to work is brief and takes me over a nice park/field/piece of grass and down a couple of cobbled streets.

Once at work I remain there until around 5:30pm barring a trip outside for lunch.

Upon returning home the rest of the night is usually spent in a combination of watching films, stroking Six, calling friends, going to the pub, and talking to wonderful people online.

Weekends are very different. The weekend is the time I like to spend in bed until mid morning: 11AM, 1PM or later.

The weekend is also where I like to walk around the city shopping, flirting, having a nice time.

That's probably a nice summary - and I didn't even mention sadism. Oops, did now... ;)


Russell Coker brought up an interesting point about the SSP patched compiler I put together - protected binaries read from /dev/urandom.

It hadn't occurred to me that this might be a sensitive issue, but apparently under SELinux access to /dev/u?random is prohibited by default.

I might see if I can make this tweakable and optionally allow rand() to be used instead - but that will weaken the randomness of the chosen numbers and may be a bad thing to do. I shall have to consider it.
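As an added illustration of the trade-off above (my own C, not code from the ProPolice patch or from the compiler packages described here): a guard initialiser that reads from the random device and, when that is denied, falls back to a fixed "terminator canary" rather than to rand(). The function names and the exact canary constant are my own assumptions.

```c
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>

/* Fallback "terminator canary": the word contains NUL, CR, LF and 0xff,
 * the bytes at which strcpy(), gets()/fgets() and getc()-style loops
 * respectively stop, so an overflow made with those functions cannot
 * rewrite the guard and keep going. The exact constant is my choice. */
#define TERMINATOR_CANARY 0xff0a0d00u

enum guard_source { GUARD_TERMINATOR = 0, GUARD_RANDOM = 1 };

/* Initialise a stack guard value from the device at `dev` (normally
 * /dev/urandom). If the device cannot be opened or read, for example
 * because a mandatory access control policy such as SELinux denies the
 * process access to it, fall back to the terminator canary. Returns
 * which source was used so the caller can log the weaker case. */
enum guard_source guard_setup_from(const char *dev, uint32_t *guard)
{
    uint32_t value = 0;
    int fd = open(dev, O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, &value, sizeof value);
        close(fd);
        if (n == (ssize_t)sizeof value && value != 0) {
            *guard = value;
            return GUARD_RANDOM;
        }
    }
    *guard = TERMINATOR_CANARY;
    return GUARD_TERMINATOR;
}

/* True if the guard is a value that can be guessed without reading the
 * process's memory: zero, or the fixed fallback constant. Useful as a
 * self-check at startup when deciding whether to warn the operator. */
int guard_is_predictable(uint32_t guard)
{
    return guard == 0 || guard == TERMINATOR_CANARY;
}
```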

Security work continues; I've got some more alerts pending, one waiting for clarification by the upstream author of the software to make sure I'm not misunderstanding what I've discovered.

I accidentally reported one bug to the wrong address - meaning that many many Debian developers saw it instead of the security team. I've removed the wrong address from Mutt's address book to ensure this doesn't happen again - but I do feel very guilty and embarrassed about it.

Valentines Day

Last year I put together a quick hack - double-blind Valentines day matching aimed at LiveJournal users.

Now it's time for this year's version.

It seems strange to me to be working on this in my own time, for nothing other than the slight chance that people will appreciate it. I'm wondering at my motivation and I cannot quite pin it down, but I'm having fun.

(For reference, last year's implementation was the result of my very definite interest in one lady, and also a fun way to spend a weekend. Yes, the lady worked out well ;)

"Large" CGI Applications

I've been working on this application for around four days now - maybe longer.

After flirting with PHP I've settled on using Perl. I like perl, perl is good.

So far I'm using a mixture of CGI::Application, HTML::Template, CGI::Session and DBI.

I haven't used all of these modules before, and using them together is proving to be interesting.

I have no idea why I've not used CGI::Application before - it does have a few flaws - but it's a wonderful framework for building "page-centric" applications. I'm having fun.

Ditto for CGI::Session, rather than rolling my own login functionality I just create a session object - and let it keep track of people being logged in, etc. Wonderful.

My code isn't wonderful and is still evolving but for the moment the site is here - and the code is here. (The code relies upon some templates).


I got some mail after my previous entry about spam getting past my Spamassassin setup - so a big thank you to all that responded.

Now I'm running pyzor and razor in addition to the SpamAssassin and the procmail magic.

Things seem to be getting better :)


I'm still steadily rebuilding the core packages with my SSP enabled compiler, although I don't have the time to upload them yet - on a slow connection.

I've found a few more security holes in different packages, but as the cleanup from the compromise is still occurring and the security team must be busy I've not reported them yet - nothing too serious anyway.

It's probably worth reiterating that although strcpy and friends are often touted as being security nightmares they don't compare to the fun you can have with a sloppy popen... ;)
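An added example (my own C, not code from any package mentioned here) of the defensive side of that remark: popen passes its whole string to /bin/sh -c, so untrusted data spliced into it is parsed as shell syntax, whereas handing an argument vector to execvp keeps every element as plain data. The function name is my own.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with an explicit argument vector and capture its stdout in
 * buf. No shell is involved, so ';', '|', '`', '$' and friends inside an
 * untrusted argument stay plain data, unlike popen(), which hands the
 * whole joined string to /bin/sh -c. Returns the child's exit status
 * (127 if the program could not be executed), or -1 on failure. */
int run_capture(char *const argv[], char *buf, size_t len)
{
    int pipefd[2], status;
    char discard[256];
    size_t used = 0;
    if (pipe(pipefd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: stdout -> pipe */
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(pipefd[1]);                     /* parent: read until EOF */
    for (;;) {
        size_t room = len - 1 - used;     /* keep draining once buf is full */
        ssize_t n = room ? read(pipefd[0], buf + used, room)
                         : read(pipefd[0], discard, sizeof discard);
        if (n <= 0)
            break;
        if (room)
            used += (size_t)n;
    }
    buf[used] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Output longer than the buffer is truncated but still drained, so the child never blocks on a full pipe.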

27 Dec 2003 (updated 27 Dec 2003 at 01:58 UTC)
However, I'm a busy man, and I can't be bothered to punch you at the moment. 

Here is my fist.

Kindly run towards it as fast as you can.

(Yes my hands still hurt).


I'm getting inundated with spam again. *sigh*.

I think the biggest recorded day this week had just over 160 messages.

I have artificially accelerated this by having a "spam@steve.org.uk" address which has been widely distributed and receives tons of spam.

Originally the plan was to use this source of messages (which are automatically procmail'd away) as a means of filtering out "real" spam - via a fuzzy text comparison.

However this doesn't work out so well. The spam which has been baited to my killfile address just doesn't resemble the spam I get in my daily inbox.

Now there are services such as SpamGourmet which will let you generate single use addresses which are interesting to me, as I do a similar thing manually.

There are even pre-filtered services such as Spamcop, where you get given a brand new address which you can give away to people, and mail to it is filtered in advance.

Surely there must be something in the middle? Something that I can use for my existing addresses?

si20 seems to work as a proxy server between your existing accounts and presents a simple wrapper around a SpamAssassin installation and whitelisting.

Sounds ideal?

Sadly not. I don't trust outside people to receive my mail, nor do I like the limitations of their storage allocations. (Sure, I accept that if they get thousands of users they need to support themselves; I've paid for some things like LiveJournal, but this is different.) Email is too important for me to risk losing it due to things outwith my control.

For reference: I have my own dedicated server running Exim for about five virtual domains. I have a local installation of spamassassin with no bayesian stuff enabled, and I only ever read mail locally via mutt and ~/Mail under different accounts. I could setup pop3 access or imap, but I've never needed it so far and I like the idea of having minimal services installed. The box itself runs Debian stable.

I'll stop here before the ranting starts, and the wailing, and especially the gnashing!


Debian work is picking up again, I've released the patched version of GCC for Debian stable and Unstable - so SSP (propolice) protection is available for Debian packages.

So far I've rebuilt many packages and haven't seen any problems - but I've deliberately not tried rebuilding the Linux kernel. That'll be my next job.

Also Savannah.gnu.org is slowly recovering so I can start re-working on my GNUMP3d project.

Nothing else much exciting happening - I'm still waiting for all the DVDs I was recently bought in exchange for doing some small custom jobs for people to arrive.

At the moment I'm particularly looking forward to the arrival of 'The Inspector Morse' boxset. 33 discs!

John Thaw RIP.

That reminds me - anybody who wants a small piece of perl/php/c/c++ coded in exchange for books/films/music CDs feel free to get in touch ...

17 Dec 2003 (updated 17 Dec 2003 at 11:42 UTC)

Oops, see what I've done? I mention I hate info and find a few new friends!

A lot of good points have already been made so I'll not try to keep my rant going, instead I'll simply say that it's unfortunate that info hasn't been replaced with HTML, and that pinfo is a nice lynx-like info browser that works well.

(I was going to talk about having to add new entries to a system's index to point to newly installed info, and searchability, but in the interests of flame-avoidance and sanity I'll just forget all about it!)

Saying Thanks

I have a wishlist which I mentioned in the recent "Saying thanks" article.

After reading that I totalled up some of the donations I've received.

I've now been paid a lot of times for the same work which is quite scary when you add it all up.

I think that means that this piece of code is worth 290 UK pounds.

Maybe it's time I updated it to run with VirtualHosts?


My new work is complete - I have a SSP/ProPolice patched compiler backported for Debian Stable.

Read all the gory details at Shellcode.org


I've been hacking on a patched compiler suite (gcc/g++/gcj/etc) for Debian - trying to get SSP (ProPolice) buffer overflow protection working for the stable distribution.

For unstable this is trivial: just download the dependencies needed to build gcc and then change a couple of lines in the build scripts to enable the patch.

For stable I've been fighting with dependencies, internal compiler errors, and all kinds of things to make the compiler build and install. (As a side note this is yet another example of why I detest info.)

Right now I've managed to backport binutils, modutils and all the other necessary programs, the only issue that's holding me back is that the built version of libstdc++ seems to depend upon a more recent version of libc6-dev. Despite my telling it not to. This means that I can't install my version of g++-3.3 without things breaking.

It's a fun game to play and makes me appreciate the work done at Apt-get.org, and backports.org an awful lot more.

10 Nov 2003 (updated 10 Nov 2003 at 16:20 UTC)

Thanks for the link, and for the long memory.

In the end I wrote a simple "filter" program to grab a single image from a webcam and output it as a JPEG.

From there it can be manipulated/uploaded by standard command line tools. On the whole I'm happy with the solution as it's very flexible and simple to modify.

As for making movies from a collection of images that's fairly simple; I've done it in the past with the "ucbmpeg" package on Debian unstable.


More security audits in progress, I got a new DSA published, and I helped prepare a couple of updated packages for the stable distribution.

Fun stuff, I'm just wondering who's going to get DSA-400! I know I have some pending ones that have been reported, so there's a chance it'll be me ..

Source Audits

I'm still trying to think of a good way to organise the Audit Project - making it more simple to keep track of programs I've looked at, queued up for a good look, etc.

There should be something I can use, maybe one of the collaborative online systems that the XP people use combined with a simple database of package names?

