Ubuntu One filesync service exports a ton of DBus methods that are then used for the Control Panel, nautilus plugin, rhythmbox music store plugin and others. All the communication between the clients and the service on Ubuntu is based on DBus.

So, let’s make a client that asks syncdaemon for a list of all published files and prints it out. Before we start, we need to find out what methods and signals are actually exported.

Launch D-Feet and find com.ubuntuone.SyncDaemon bus name:

As you can see, there is a get_public_files() method which does not return anything. We need to refer either to the documentation for the method in the introspection XML data by invoking Introspect() method on org.freedesktop.DBus.Introspectable interface, on the developer website and if nothing else helps, grep the sources and look at the code.

In Ubuntu One case, Introspect() works:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

<node name="/publicfiles">
  ...
  <interface name="com.ubuntuone.SyncDaemon.PublicFiles">
    <signal name="PublicFilesListError">
      <docstring><![CDATA[Report an error in geting the public files list.]]></docstring>
      <arg name="error" type="s" />
    </signal>
    <signal name="PublicFilesList">
      <docstring><![CDATA[Notify the list of public files.]]></docstring>
      <arg name="files" type="aa{ss}" />
    </signal><method name="get_public_files">
    <docstring><![CDATA[Request the list of public files to the server.

        The result will be send in a PublicFilesList signal.
        ]]></docstring>
    </method>
  ...
  </interface>
</node>

So, when we call get_public_files(), the “output” is sent back in PublicFilesList signal. So far so good.

We start writing publicfiles.vala with using statements (as you may know, Vala syntax is based on C#), which provide us with DBus functionality and collection objects (such as HashTable). Also, we declare our DBus service.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

using GLib;
using Gee;

/* Interface name */
DBus [(name = "com.ubuntuone.SyncDaemon.PublicFiles")]
interface PublicFiles : Object {
    /* vala converts symbol_name to SymbolName for DBus symbols. This
     * preserves the name */
    [DBus (name = "get_public_files")]
    public abstract void get_public_files() throws IOError;

    /* This is converted to PublicFilesList*/
    public signal void public_files_list (HashTable<string, string>[]
            files);
}

Since we are writing a client which needs to react to DBus signals, we need to use glib mainloop and provide the handler for the signals we are expecting.

But first, how do I know what GObject types are mapped to what DBus types?

Look at the Introspect() output above, and notice that PublicFilesList signature is aa{ss}. This translates to an “array of dict of string,string”. Look at the DBusServerExample to find out how types map. In our case, aa{ss} is HashTable<string, string>[]. GObject does not support deserialization of DBus dict to HashMap, you need to use HashTable for that.

1
2
3
4
5
6
7
8
9
10
11
12

MainLoop loop;

/* Handler for PublicFilesList signal */
void on_public_files_list( HashTable<string, string>[] files) {
    foreach (var file in files) {
        stdout.printf("%s -> %s\n", file["path"], file["public_url"]);
    }
    stdout.printf("%d files published\n", files.length);

    /* We have nothing else to do so quit */
    loop.quit();
}

All that is left is to get the DBus proxy, and connect the signals. This has proven to be a bit time-consuming. The code was written fast but my application was not receiving any signals. I verified the code several times and started debugging the generated C code (vala -C ...). Should I have read this warning in the DBusServerExample code, I’d complete it a lot faster:

1
2

/* Important: keep demo variable out of try/catch scope not lose signals! */
Demo demo = null;

Yes, I was declaring my proxies within try/catch block and by the end of the try block they were all gone and signals were never processed. Here’s the correct code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

int main(string[] args) {

    /* This is extremely important:
     *  If you put this in try/catch block, then the signals will _NOT_ be
     *  delivered as the object will go out of scope.
     */
    PublicFiles public_files = null;

    try {
        public_files = Bus.get_proxy_sync(BusType.SESSION,
                                            "com.ubuntuone.SyncDaemon",
                                            "/publicfiles");

        /* Connecting the signal*/
        public_files.public_files_list.connect(on_public_files_list);

        /* requesting public files, the "response" will be delivered via DBus
         * as a signal since it can take a lot of time.  */
        public_files.get_public_files();

    } catch (IOError e) {
        return 1;
    }

    loop = new MainLoop();
    loop.run();

    return 0;
}

That’s it, time to compile the resulting file and run it, making sure that Ubuntu One syncdaemon is connected.

1
2
3
4
5

$ valac publicfiles.vala --pkg gee-1.0 --pkg gio-2.0
$ ./publicfiles
...
/home/rtg/Ubuntu One/passwords.txt -> http://ubuntuone.com/7LwB9iLAXvVKQbCbsbmxRT
402 files published

The most widespread attack vector for *nix machines is SSH brute-forcing. I once became a victim of such attack and now all my machines are using SSH public key authentication only. I was curious what passwords the attackers were using so I came up with a simple idea of password collection.

If you wanted to have it the quick way, using PAM storepw, then this is not going to work that good, you will need to create a local account for every account used to brute-force you. This can end up being a lot of work.

Alternatively you can patch OpenSSH to store the passwords in the log files. Since I did not want to set up a new machine for the sole purpose of password logging I decided to go an easier route.

Twisted is a python-based framework for programming network applications. And it turns out that they have implemented a SSH protocol too.

So my starting point was the blog post by George Notaras about RapidSSH. I only needed the passwords to be stored so I removed chunks of code that dealt with keys and added the code that writes logins and passwords to a gdbm database.

Here’s the code:

As you can see, the database is created in /home/rtg/ which is my home directory, you will want to change the path.

The script itself runs on port 5022 and I redirected the access to 22 port on the router to go to port 5022 and redirected the real SSH port on WAN. This way my LAN machines are still able to access the regular SSH port.

The database is created but it is in a binary form, we need to make it readable:

This outputs the whole database in a plaintext format, the usage is simply

1

$ dump-passwords.py /path/to/passwords.db > passwords.txt

And this is what gets into passwords.txt:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

# Updated: 2012-02-19T01:00:01.626648
# SSH creds for attack attempts on my server.
# If your password is listed here, CHANGE IT RIGHT NOW
#
# 16508 entries
#
!@#$%:!@#$%
!@#$%^&*:!@#$%^&*
!@#$%^&:!@#$%^&
!@#$%^:!@#$%^
*:*
.com:.com
.http:.http
0987654321:0987654321
0:0
100:100

This file is updated every day with the new entries of user:password that were attempted on my fake SSH server. Feel free to use this list for any purpose (e.g. compiling a cracklib dictionary).

As the old joke goes, “you cannot lose an android phone because it is always near the power socket”. For me this is exactly what I am experiencing with my Acer Liquid E. Whenever I am using it for browsing the Internet via WiFi or 3G, I can discharge it completely in 2 hours.

So right before we went on a bus trip to Norway I decided to find out what are my options to get extended battery life for my phone.

Of course, there are high capacity battery for all normal phones. Unfortunately, not an option for mine.

My wife is also using an Android-based HTC Desire Z, so charging different devices is definitely a plus.

Also, we have cameras that take AA batteries and the ultimate choice would be able to charge external batteries too.

Well, Varta USB Charger from their “professional” line is that ultimate device.

It can:

• Charge USB devices using the power from AA/AAA batteries installed or the power outlet (effectively making this unit a wall outlet USB charger).
• Charge 1-4 AA/AAA batteries from USB devices using a USB-to-5V cable (included)
• Charge those batteries from the wall outlet adapter.

So, your capacity basically depends on what batteries you chose. The unit I purchased came with 4xAA batteries of 2700mAh. I purchased another set as a backup.

It turned out that one set of these batteries can charge a phone and a half completely. Also, we were able to charge 2 phones simultaneously using an USB hub - pure awesomeness!

It is worth noting that when the unit functions as a USB charger from wall outlet, it does not charge the batteries. When functioning as AA/AAA charger it tracks every single battery charge separately.

The only minor issue I found so far is that when the batteries are almost depleted the current converter starts producing a long squeaky sound until it shuts down.

После поднятия кеширующей прокси все изображения будут загружаться только на Ubuntu One. Спасибо, Яндекс, было интересно.

Следующая строка нужна для верификации:

61907928.151477480.1329402715.380ef704279a887b61bf013c237d7ad8

At the moment there is no commenting functionality attached, you can send me a notice via identi.ca, twitter, google+ or email instead for now.

All the links to previously published blog posts will continue working, including the main RSS feed, additionally this blog is now accessible over IPv6.

Currently the blog is using a standard Octopress theme.

Здравствуйте.

В последнее время в моей жизни участились случаи использования бумажных носителей информации. Записи на уроках испанского языка, идеи в метро. Все это было бы удобнее сразу хранить в удобном цифровом виде, однако запись на бумажный носитель имеет следующие преимущества:

1. Легкость: ввиду того, что таким носителям не требуются элементы питания и клавиатура, блокнот получается достаточно тонким.
2. Instant-on: Вы не тратите время на загрузку файлов, достаточно открыть блокнот. В некоторых случаях, обложка блокнота может также быть использована для записи данных, что многократно увеличивает скорость доступа к ним.
3. Надежность: Падение блокнота на бетонный пол не вызовет значительного повреждения данных. Конечно, как и электронные аналоги, блокнот (а точнее бумага из которой он сделан) боится воды, однако в других случаях надежность хранения записей выше.

К сожалению, у бумажных блокнотов есть свои недостатки:

1. Скорость записи: Скорость записи ограничена скоростью письма владельца.
2. Отсутствие поддержки rich-media: Вставить видео или аудио-ролик практически невозможно, для вставки изображения потребуется физическая модификация исходного материала (вырезание и вклейка).
3. Невозможность работы без стороннего источника освещения. Этим грешат сейчас и электронные книжки, так что мы уже привыкли.
4. Отсутствие поиска. Наверное, это самый большой недостаток. За годы работы с электронными носителями информации мы привыкли, что можем найти любую запись по ключевым словам. Здесь же поиск отсутствует. Придется учиться организовывать записи.

Так как я в некотором роде связан с компанией Canonical, которая выпускает операционную систему Ubuntu, я решил посмотреть, какие есть предложения в сфере аналоговых носителей информации.

Ubuntu A5 Notebook

Доступен для заказа в Canonical Store. Стоимость - $9.74 без доставки.

Данный блокнот выполнен в стиле Ubuntu. Обложка содержит логотип.

Спираль блокнота выполнена из прозрачного пластика.

Блокнот содержит 5 секций, каждая из которых разлинована в различном стиле:

• Обрамление страницы
• Клетка
• Горизонтальные линии
• Редкие точки
• Нечто похожее на диалог (страница содержит два “окна”)

Замечу, что разлинованы страницы с обеих сторон.

Между секциями присутствуют вставки с пиктограммами Ubuntu.

Эти вставки сделаны из картона.

Бумага достаточно яркая, поэтому проблем с контрастом текста, написанного карандашом не будет.

Обложка блокнота с каждой стороны состоит из листа картона, сложенного вдвое и гнется достаточно просто, однако все равно способна защитить внутренности от повреждений.

Блокнот удобно держать в руке, пластиковая спираль мягкая, однако при перелистывании страниц между секциями картонные вставки могут незначительно мешать.

Этот блокнот у меня первый день и я планирую использовать его для записей на уроках испанского языка. Посмотрим, сколько он сможет прожить без ухудшения качеств.

До встречи!

My Acer Aspire 5520’s video board failed after 3 years of slow scrolling and 2D rendering of nVidia driver. This time I decided to avoid Acer and nVidia machines altogether and went to a complete different land of Lenovo.

Initially I wanted to get a 13.x” display, however the only models available locally were Dell Vostro V131 and Dell Vostro 3350, which were small enough, had a matte screen but various sources suggested that the hinges may have not been  strong enough in V131 and I was not able to find any reliable info about switching to intel-only graphics on 3350 in Dell user manual.

Then I switched to Lenovo machines (after watching this impressive Stress Test video) and found that E420 is being sold here (in Ukraine) and most of the resellers don’t have the 13” version. I think 14” was a good decision.

The model I have is Lenovo Edge E420 1141PZ5 which is powered by quad-core Intel® Core™ i5-2450M CPU @ 2.50GHz with 4GB of DDR3 RAM and 500GB HDD.

First of all, it is Ubuntu Certified, not exactly the same model (integrated video only), but it is pretty close. I don’t have any MMC devices and the fact that proprierary Sony Multi-media storage cards are not readable is not an issue at all.

lspci

BIOS had "Switchable graphics" enabled (which is AMD Radeon HD 6600M).

00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200/2nd Generation Core Processor Family PCI Express Root Port (rev 09)
00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 (rev 04)
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 6 Series/C200 Series Chipset Family High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 1 (rev b4)
00:1c.1 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 2 (rev b4)
00:1c.2 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 3 (rev b4)
00:1c.3 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 4 (rev b4)
00:1c.7 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 8 (rev b4)
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation HM65 Express Chipset Family LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 6 Series/C200 Series Chipset Family 6 port SATA AHCI Controller (rev 04)
00:1f.3 SMBus: Intel Corporation 6 Series/C200 Series Chipset Family SMBus Controller (rev 04)
01:00.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI Whistler [AMD Radeon HD 6600M Series]
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 06)
04:00.0 System peripheral: Ricoh Co Ltd Device e823 (rev 07)
09:00.0 Network controller: Intel Corporation Centrino Wireless-N 1000

lsusb

With bluetooth controller on

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 5986:03b3 Acer, Inc # (webcam) 
Bus 002 Device 003: ID 147e:1002 Upek # (fingerprint reader)
Bus 002 Device 004: ID 0a5c:217f Broadcom Corp. Bluetooth Controller

At the moment I am using the laptop with Unity3D on Precise Pangolin (soon to be 12.04). The battery installed is 47520 mWh (4400 mAh x 11.1V) and it allows the machine to stay online with wifi working for 3 hours (integrated Intel HD only) which does not look impressive after my 8 hours Acer Aspire One 9cell battery, yet the battery can be replaced.

One commenter reported that the bluetooth stack is not compatible with some bluetooth mice, such as A4tech BT-630. I have exactly the same model and it works properly, so no problems with this.

I am using built-in Intel HD 3000 video only, there are no tasks that require me to fire up a dedicated radeon hardware for now. I switched to integrated video in BIOS setup and I had to blacklist radeon kernel module to prevent it from initializing. I am not sure whether that turned off its power consumption though (it did not — set "Integrated Graphics" in BIOS Setup). The built-in video board is quite powerful to drive 1920x1080 screen via HDMI connection with unity3d running on both screens (discrete nVidia 8400G with proprietary drivers could not do that without even more text drawing performance degrading).

Matte screen does not sport great viewing angles but it can be used outside, the backlight is pretty bright so things are quite visible in direct sunlight.

Upek fingerprint reader was not tested, but it looks like it can be used with Fingerprint readers integration project, not out-of-box.

The web cam is a standard UVC camera, no problems with it.

I found touchpad a little bit too sensitive for me, clicking on things I was not going to, so I disabled clicks. Maybe I got used to a broken low resolution random sensitivity Alps device on my Aspire 5530, don’t know.

I was surprised that there is only one jack to connect your headset. They have merged the mic and headphone jack and it is definitely compatible with HTC wired headset pinout I borrowed from my wife’s HTC Desire Z. The regular headphones work properly in this jack.

Ubuntu 12.04 does not provide the option to hibernate the laptop and when I forced it to, it did not finish hibernation, I guess I will need to look into it a bit more.

The laptop looks simple and stylish, there are no metal parts in the exterior except the hinges, however it is all matte and does not look cheap at all.

So far I had 1 lockup for unknown reason, but since I am running a bleeding edge OS this is expected. Should any issues arise I will update this blog post with my findings.

If you have any questions regarding this particular model feel free to comment the post.

I have some internal web sites running on my home server. Earlier I configured WebAuth with WebKDC to create SSO-like experience. This was working well, but I wanted to use some 3rd party solution to be able to use auth on remote services even if local WebAuth host is not accessible.

The requirements were:

• Specify the list of users which are allowed to login
• Don’t require server-side scripting

Since Ubuntu SSO is already used for Launchpad, Ubuntu One and various other services I decided that it is good enough for my small network.

Ubuntu hosts are using python-apache-openid python module and it has a very nice feature of being able to restrict access to some launchpad teams. It is not yet critical for me so I decided to look around in the archive and found libapache2-mod-auth-openid

This is a packaged version of mod_auth_openid from http://findingscience.com/mod_auth_openid/ - that web site contains the documentation for the module as well as examples.

The version in Oneiric is 0.5 which did not contain the feature I was after, the ability to restrict the access to some set of OpenID users without resorting to external script. So I went forward and updated the package to 0.6 and for the first time I was so pleased with the resulting package that I decided to send the updates to Debian maintainer. The updated package was successfully built in my ppa:rye/ppa and can be installed on Oneiric with

sudo apt-add-repository ppa:rye/ppa
sudo apt-get update
sudo apt-get install libapache2-mod-auth-openid

apt-add-repository is available from python-software-properties package.

$ apt-cache policy libapache2-mod-auth-openid
libapache2-mod-auth-openid:
  Installed: 0.6-0ubuntu1
  Candidate: 0.6-0ubuntu1

Configuration

I started with the following in my /etc/apache2/sites-available/default and marked the changed parts in bold

<VirtualHost *:80>
   ServerAdmin webmaster@localhost

   DocumentRoot /var/www
   <Directory />
     Options FollowSymLinks
     AllowOverride None
   </Directory>
   <Directory /var/www/>
     Options Indexes FollowSymLinks MultiViews
     AllowOverride None
     Order allow,deny
     allow from all
   </Directory>

  <Location />
    AuthType OpenID
    Require valid-user
    AuthOpenIDTrusted ^https://login.ubuntu.com/\+openid
    AuthOpenIDLoginPage /openid/
    AuthOpenIDCookiePath /
  </Location>

  <Location /openid>
    Order allow,deny
    Allow from all
    Satisfy any
  </Location>

  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log combined

  Alias /doc/ "/usr/share/doc/"
  <Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
  </Directory>

</VirtualHost>

I am using a custom login page since I don’t need to enter my identifier every time. I am using a single provider so I am submitting an OpenID request automatically to Ubuntu SSO.

The /var/www/openid/index.html page is simple:

The query string parsing is actually needed to display the error that has been passed to the page in case the request is canceled on the provider or something else has happened.

Now the module needs to be enabled (this was not working in 0.5 out of the box) and apache needs to be restarted:

sudo a2enmod authopenid
sudo service apache2 restart

Now you have OpenID enabled for your virtual host root directory. The thing is it is enabled for everybody with Ubuntu SSO account so we need to restrict the access.

To find your OpenID identifier, log into your system using OpenID and browse the logs:

192.168.1.114 - https://login.ubuntu.com/+id/hPQWPsH ↩
  [12/Nov/2011:12:24:54 +0200] ↩
  "GET / HTTP/1.1" 304 210 "-" "Mozilla/5.0 ↩
  (Ubuntu; X11; Linux x86_64; rv:8.0) 

Accounts that exist in launchpad can find out their +id/… value from the https://launchpad.net/~yournick, the openid.delegate will have this info. Launchpad login service and Ubuntu SSO service are currently using the same database, but we are targeting SSO.

<link rel="openid.delegate" href="https://login.launchpad.net/+id/hPQWPsH" />

The OpenID value needs to go to the apache config

  <Location />
    AuthType OpenID
    Require user https://login.ubuntu.com/+id/hPQWPsH
    AuthOpenIDTrusted ^https://login.ubuntu.com/\+openid
    AuthOpenIDLoginPage /openid/
    AuthOpenIDCookiePath /
  </Location>

Restart apache, and only the user specified in the Require user directive will be able to access the resource

Limitations

This module can be used only for ID authentication. While it is technically possible to request the OpenID provider to reply with user email or any other attributes, the module does not provide any protection from changing the values as they are traveling as a GET request back to the original form target page.

I have a fileserver at home. It contains a backup of some photos, various Linux CD/DVD image, runs my virtual machines, serves as a Kerberos domain controller, printer server… well, pretty much everything I do has something to do with my home server.

Half a year ago I decided to move all my home directory to the server over NFS. I quickly configured NFSv4 with kerberos by following an extremely well-written community help article, created all the bind mounts and…

Well, I could transfer only half of my photos (6Gb) until the connection hung. I repeated this experiment for several more times and the worst part that any application that visited the mount point was unable to recover. I tried with various intr modes, various buffer sizes, TCP and UDP transports.

I swapped network cards, dropped Kerberos, switched to IPv4-only mode, switched to 100Mbps network instead of gigabit but it was still hanging.

I could transfer all my files over the same link using rsync over SSH, Apache WebDAV, and pretty much everything except NFS.

Today I gave up and set up Samba server on the same machine. And I could transfer everything I needed at the speed I expected without any issues.

I wanted to file the bug on Launchpad, but the kernel server runs at the kernel level, so it’s not very comfortable for me to debug on a headless machine. And filing a bug w/o followup does not make sense. According to tcpdump, the server simply stopped answering at some point and according to my Google searches I am the only one experiencing this type of issue.

I am still keeping my NFS server running, but it feels a bit weird to use CIFS one a network of Linux-only machines.

tl;dr version: Do not use ChatON on the public WiFi networks. The communication between client and server is not encrypted.

Update: Yesterday I found myself unable to sniff the packets properly but today plaintext messages are back, looks like there is something wrong with 46.137.191.242.

shortly after posting this (within an hour or so) my attempts to capture the plaintext messages started to fail, something has changed, continuing my investigation. Images are still going via HTTP though.

Two days ago Samsung launched their new IM service ChatON. ChatON Android application was released and its UI is definitely awesome. Having obtained my copy from Android Market I decided to check what protocol it is using for communication.

I launched tcpdump on my (rooted) Acer Liquid and started listening for the messages.

Among the lines of https (encrypted) messages flowing back and forth I found the following:

21:05:01.146225 IP 46.203.98.114.42914 > 46.137.191.242.5223: P 118:345(227) ack 1 win 5600 
 0x0000:  4500 0117 30e8 4000 4006 8940 2ecb 6272  E...0�@.@..@.�br
 0x0010:  2e89 bff2 a7a2 1467 ab45 ae43 4473 fdf8  ..����.g�E�CDs�
 0x0020:  8018 15e0 fab9 0000 0101 080a 00db c787  ...���.......��.
 0x0030:  0ba8 7d12 6264 3530 6263 3337 2d65 6532  .�}.ba50bc37-ee2
 0x0040:  382d 3432 6366 2d61 6531 352d 3133 3731  8-42cf-ae15-1371
 0x0050:  3334 3466 3363 3464 0104 00bb 08cd f7ef  344f3c4d...�.��
 0x0060:  87d8 e820 1000 1800 2248 3462 3064 6365  .��....."H4b0dce
 0x0070:  6638 2d64 3733 322d 3464 3038 2d62 3062  f8-d732-4d08-b0b
 0x0080:  612d 6536 3862 3263 3931 3066 6662 6264  a-e68b2c910ffbbd
 0x0090:  3530 6263 3337 2d65 6532 382d 3432 6366  50bc37-ee28-42cf
 0x00a0:  2d61 6531 352d 3133 3731 3334 3466 3363  -ae15-1371344f3c
 0x00b0:  3464 2a0c 3338 3039 3133 3532 3930 3539  4d*.380913529059
 0x00c0:  320c 3338 3039 3337 3532 3539 3836 3a24  2.380937525986:$
 0x00d0:  6264 3530 6263 3337 2d65 6532 382d 3432  bd50bc37-ee28-42
 0x00e0:  6366 2d61 6531 352d 3133 3731 3334 3466  cf-ae15-1371344f
 0x00f0:  3363 3464 420f 3335 3335 3039 3033 3132  3c4dB.3535090312
 0x0100:  3536 3238 354a 1068 692c 2068 6f77 2061  56285J.hi,.how.a
 0x0110:  7265 2079 6f75 3f                        re.you?

21:05:07.236157 IP 46.137.191.242.5223 > 46.203.98.114.42914: P 228:422(194) ack 345 win 62 
 0x0000:  4500 00f6 af74 4000 3206 18d5 2e89 bff2  E..��t@.2..�..�
 0x0010:  2ecb 6272 1467 a7a2 4473 fedb ab45 af26  .�br.g��Ds�۫E�&
 0x0020:  8018 003e b6d2 0000 0101 080a 0ba8 8550  ...>��.......�.P
 0x0030:  00db c787 6264 3530 6263 3337 2d65 6532  .��.ba50bc37-ee2
 0x0040:  382d 3432 6366 2d61 6531 352d 3133 3731  8-42cf-ae15-1371
 0x0050:  3334 3466 3363 3464 0106 009a 0a48 3462  344f3c4d.....H4b
 0x0060:  3064 6365 6638 2d64 3733 322d 3464 3038  0dcef8-d732-4d08
 0x0070:  2d62 3062 612d 6536 3862 3263 3931 3066  -b0ba-e68b2c910f
 0x0080:  6662 6264 3530 6263 3337 2d65 6532 382d  fbbd50bc37-ee28-
 0x0090:  3432 6366 2d61 6531 352d 3133 3731 3334  42cf-ae15-137134
 0x00a0:  3466 3363 3464 1000 1a4a 0a0c 3338 3039  4f3c4d...J..3809
 0x00b0:  3337 3532 3539 3836 120c 3338 3039 3133  37525986..380913
 0x00c0:  3532 3930 3539 1884 d185 fb9e c816 221b  529059..�.�.�.".
 0x00d0:  6920 7761 6e74 2061 205b 686d 5d20 616e  i.want.a.[hm].an
 0x00e0:  6420 6120 5b35 286c 6c29 5d28 c3e5 bb98  d.a.[5(ll)](���.
 0x00f0:  b126 3000 2800                           �&0.(.

Do you see something?

Here’s what you see:

Basically, connection to the server is not encrypted

The client is using Google Protobuf protocol to send messages back and forth between client and server and the communication is not encrypted in any way. After more careful examination I found that the session initiation IS encrypted, so that it may not be possible to find whom exactly with you are talking to but all the messages will be visible to everybody around you if you are using an unencrypted open network such as you can find at the local cafe shops, restaurants, shopping centres etc.

You may not be in that amount of danger if you are using your cell phone carrier for the internet connection, that communication is encrypted between your phone and the cell towers, however you might not always realize that you have switched to open WiFi network and keep using ChatON.

I don’t have a Bada-powered device nearby to verify whether that uses the same servers so I will assume that the same unencrypted protocol is used on all Bada devices and Samsung featurephones that have ChatON installed unless I have the proof that it is doing otherwise.

Interesting geeky detail - the servers are running on port 5223 which is usually associated with XMPP over SSL but it is actually a proprietary protocol (well, based on Google’s protobuf). The chat servers are running on Amazon AWS hosts.

File uploads are also running over plain HTTP/1.1 without encryption:

POST /file?uid=bd50bc37-...-1371344f3c4d¶m=7daffaa462b802b...92e37870 HTTP/1.1
content-type: image/jpeg
content-length: 48401
User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2.2; Liquid Build/FRG83G)
Host: eu.file.samsungchaton.com
Connection: Keep-Alive

...

GET /4b/0d/ce/f8/d7/32/4d/08/b0/ba/e6/8b/2c/91/0f/fb/4b0dcef8-d732-4d08-b0ba-e68b2c910ffb/
       1318879486269_239.jpg?AWSAccessKeyId=AKIAIXENATYOW4T2DJSQ&
       Expires=1319052296&Signature=6UFD%2FYS9Vlls9X7WJov8GcH7EGs%3D HTTP/1.1
User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2.2; Liquid Build/FRG83G)
Host: eu.chaton-file.s3.amazonaws.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: PNglgPsPAkR7SvhFPHk2bkl901Q6MGedePoaCRf/RGArSM36lZgtkMWLN10nmzZK
x-amz-request-id: E25D27220B372F64
Date: Mon, 17 Oct 2011 19:24:58 GMT
Last-Modified: Mon, 17 Oct 2011 19:24:51 GMT
ETag: "3ec7437168455698b4367ed303bfcfad"
Accept-Ranges: bytes
Content-Type: image/jpeg
Content-Length: 738
Server: AmazonS3

...

Yeah.

Ah, when user is not properly registered (ChatON on Android Emulator) the message returned is…

13:56:58.562553 IP 46.203.53.202.59299 > 46.137.191.242.5223: P 216:450(234) ack 185 win 3456 
 0x0000:  4500 011e df2c 4000 4006 079d 2ecb 35ca  E...�,@.@....�5
 0x0010:  2e89 bff2 e7a3 1467 38a3 84e8 4513 9da9  ..����.g8�.�E..�
 0x0020:  8018 0d80 2c9f 0000 0101 080a 001a 66c4  ....,.........f
 0x0030:  0c05 21a6 6264 3530 6263 3337 2d65 6532  ..!�bd50bc37-ee2
 0x0040:  382d 3432 6366 2d61 6531 352d 3133 3731  8-42cf-ae15-1371
 0x0050:  3334 3466 3363 3464 0104 00c2 088a e2a2  344f3c4d...�..
 0x0060:  fea5 8004 1000 1800 2248 6264 3530 6263  ��......"Hbd50bc
 0x0070:  3337 2d65 6532 382d 3432 6366 2d61 6531  37-ee28-42cf-ae1
 0x0080:  352d 3133 3731 3334 3466 3363 3464 6366  5-1371344f3c4dcf
 0x0090:  6662 3933 3939 2d63 3935 332d 3462 6465  fb9399-c953-4bde
 0x00a0:  2d39 3266 352d 6639 6435 3136 3862 3562  -92f5-f9d5168b5b
 0x00b0:  3764 2a0c 3338 3039 3133 3532 3930 3539  7d*.380913529059
 0x00c0:  320c 3338 3036 3336 3137 3038 3335 3a24  2.380636170835:$
 0x00d0:  6264 3530 6263 3337 2d65 6532 382d 3432  bd50bc37-ee28-42
 0x00e0:  6366 2d61 6531 352d 3133 3731 3334 3466  cf-ae15-1371344f
 0x00f0:  3363 3464 420f 3335 3335 3039 3033 3132  3c4dB.3535090312
 0x0100:  3536 3238 354a 174e 6f77 2069 7420 6973  56285J.Now.it.is
 0x0110:  2077 6f72 6b69 6e67 2061 6761 696e       .working.again
13:56:59.643944 IP 46.137.191.242.5223 > 46.203.53.202.59299: P 185:369(184) ack 450 win 62 
 0x0000:  4500 00ec 8237 4000 3206 72c4 2e89 bff2  E..�.7@.2.r�..�
 0x0010:  2ecb 35ca 1467 e7a3 4513 9da9 38a3 85d2  .�5�.g��E..�8�.
 0x0020:  8018 003e a34b 0000 0101 080a 0c05 2a79  ...>�K........*y
 0x0030:  001a 66c4 6264 3530 6263 3337 2d65 6532  ..f�bd50bc37-ee2
 0x0040:  382d 3432 6366 2d61 6531 352d 3133 3731  8-42cf-ae15-1371
 0x0050:  3334 3466 3363 3464 0105 0090 088a e2a2  344f3c4d......
 0x0060:  fea5 8004 1248 6264 3530 6263 3337 2d65  ��...Hbd50bc37-e
 0x0070:  6532 382d 3432 6366 2d61 6531 352d 3133  e28-42cf-ae15-13
 0x0080:  3731 3334 3466 3363 3464 6366 6662 3933  71344f3c4dcffb93
 0x0090:  3939 2d63 3935 332d 3462 6465 2d39 3266  99-c953-4bde-92f
 0x00a0:  352d 6639 6435 3136 3862 3562 3764 1a13  5-f9d5168b5b7d..
 0x00b0:  0a0e 3436 2e31 3337 2e31 3137 2e32 3334  ..46.137.117.234
 0x00c0:  10e7 2820 96cc b5b5 b126 2a20 08f2 2e12  .�(..̵��&*..�..
 0x00d0:  1b4d 6573 7361 6765 2052 6563 6569 7665  .Message.Receive
 0x00e0:  7220 6973 2049 6e76 616c 6964            r.is.Invalid

Notice: To run real Ubuntu One syncdaemon in headless mode, see Ubuntu One Headless wiki page.

rtg@lucidity:~$ ./ubuntuone-rest-files-client.py --oauth a:b:c:d
Welcome to Ubuntu One!
User id: 52053, name: Roman
Usage: 26.1 GiB/65.0 GiB
> ls
/~/Pictures                                        - -
/~/.gpass                                          - -
/~/Music                                           - -
/~/Pictures - Liquid                               - -
/~/Backup                                          - -
/~/Public                                          - -
/~/Documents                                       - -
/~/.ubuntuone/Purchased from Ubuntu One            - -
/~/Videos                                          - -
> cd ~/Documents
/~/Documents> ls
Articles/                                             2011-04-05T20:07:40Z
Certificates/                                         2011-04-18T07:32:28Z
CV/                                                   2010-12-01T11:14:08Z
DVD Labels.odg                                  13332 2011-03-06T20:38:50Z
eBooks/                                               2011-08-05T15:08:03Z
_image_vab-document.png                        145336 2011-04-30T10:15:33Z
...
/~/Documents> get _image_vab-document.png
Downloading 145336 bytes to _image_vab-document.png...  Done
/~/Documents> cd ../Ubuntu\ One
/~/Ubuntu One> put desktopcouch_0.6.4.orig.tar.gz
Uploading desktopcouch_0.6.4.orig.tar.gz to https://files.one.ubuntu.com/content/~/Ubuntu%20One/desktopcouch_0.6.4.orig.tar.gz
Content size: 105609
/~/Ubuntu One>

Where to get and how to use

$ ./ubuntuone-sso-login.py
Creating new entry for buzz
SSO login: Your Ubuntu One SSO e-mail
password: Your password
Using SSO URL: https://login.ubuntu.com/api/1.0/authentications?ws.op=authenticate&token_name=%22Ubuntu+One+%40+buzz%22
OAuth info:
a:b:c:d
Ping result: ok 1/7

Warning! This OAuth string should be treated as secret, since it is composed of your OAuth consumer key:consumer secret:token:token secret. This string enables anybody who knows it to access your files, and CouchDB databases, think of it as a login/password pair that you can remove when needed. If you suspect that somebody else has that string, go to Ubuntu One web site and remove the corresponding entry. Then you can run ubuntuone-sso-login.py again and get a new set of credentials for the script.

./ubuntuone-rest-files-client.py --oauth a:b:c:d
Welcome to Ubuntu One!
User id: 52053, name: Roman
Usage: 26.1 GiB/65.0 GiB
> 

• get remote [local] - download the remote file as local, in case local name is omitted it will use the original name
• put local [remote] - upload the local file, same rules for omitting the remote name
• mget remote1 [remote2 remote3 ... remoteN] - download the files to the current working directory
• cd folder - change remote directory. Please remember to quote the path if it contains spaces or escape them - "/~/Ubuntu One" or /~/Ubuntu\ One
• quit or Ctrl+D - terminate the script
• ls - list folder contents, in case some file is published the URL will be printed
• publish remote - publish an already uploaded file. Will print public URL
• unpublish remote - take down the published file

Update: Еще раз перешил модем, уже поправив дату для программы и убрав невозможность разблокирования. В принципе, это активатор голоса для life:) украина, 255-06, требуется только добавить свой IMEI. Скачать можно с Ubuntu One или Яндекс.Народа.

Загорелся я идеей подключить свой life:) модем еще и для голоса. Первый вариант, dc-unlocker пока был отложен в сторонку т.к. я еще не готов был платить за вещь, которая, возможно, мне не будет нужна.

После того, как я произвел процедуры, описанные в активации голоса на модемах HUAWEI E1550, E1750, Е156, E160 и подобных, мой модем больше не захотел подключаться к сети life:) и настаивал на переезде в Россию к МТС. AT^CARDLOCK возвращали “+CME ERROR: 16”. Похоже, что в патче к nvram SIM LOCK сделался неснимаемым для моего модема.

В Resource Hacker, который будет в том-же архиве по инструкции нужно сменить IMEI. Но для того, чтобы все заработало мне пришлось менять и SIMLOCK_RANGE_0 на значения life - 25506. На всякий случай оставил 25506|25506|2 - для чего еще раз идентификатор и что значит “2” - я не знаю.Возможно это и есть флаг, который указывает на то, можно ли снимать привязку. После изменения любого значения в ресурсе, программа будет ругаться на несоответствие CRC. Над чем именно вычисляется CRC я не докопался, поэтому пошел в лоб - отлавливать значение CRC, которое программа хочет увидеть.

После скачивания в IDA ставим breakpoint на text.00403853 (в районе CRCSlow), запускаем программу через отладчик, когда сработает breakpoint в регистре ESI будет значение контрольной суммы, которое нужно прописать в [CRC] VALUE. Переводим значение из шестнадцатеричного в десятичный, еще раз идем в Resource Hacker, меняем значение суммы, Compile Script, Save и запускаем PatchDataCard снова.

Фух. Я думал, что придется возиться долго.

Кстати, там еще есть и ресурс с датой, до которой программа может работать, думаю, можно тоже подправить. И, возможно, полностью снести SIM LOCK. Не знаю, результатом доволен. Модем снова зарегистрировался в сети life:)

AT+CREG?
+CREG: 0,1

OK
AT^CVOICE?
^CVOICE:0,8000,16,20

OK

Версия прошивки - 11.030.01.07.388

You can install Color Help application from Android Market.

I’ve always had problems identifying the colors. I kept avoiding color-related talks because I felt uncomfortable not being able to name the color, even though I saw that it was different. In 2007 I was finally diagnosed with a partial color blindness and my inability to identify the colors started making sense

The strange part of this is that given two cards of dark green and brown I had problems identifying which is which but when those cards were shown together I could name the colors. Then I found out that sometimes gray color is seen as purple and different light colors were really hard to identify.

But the world is full of colors and sometimes it is really required to tell the other person the color of an object, and it’s better to be a correct one.

Fast-forward to today, now I have a mobile phone which can be programmed, the API is available and there are lots of examples. So I decided to write my own version of real-world color picker that will help me with my color problem

I wanted it to be a real-time application and it should have been as simple as possible. I also wanted it to be Open Source so that other people with the same issues as I could add/fix/propose something. And I wanted to test Android Market account.

You can get the Color Help application from Android Market for free and browse the source code in Launchpad

Planned features include better NV12 to RGB conversion that is using less CPU, fixes for occasional color detection hanging after returning to Color Help from another application and probably transformation of the stream to color-correct the image to finally be able to pass these crazy color blindness tests :)

I am now aware of the Color ID and Color Find applications, but being able to create something that scratches my own itch in a way I need it and make the source open is a nice exercise too!

You may be interested in this if you:

1. are using Tomboy or Gnote^* to store your notes;
2. want to publish your note easily

Well, it is not that far away from now. I’ve spent this weekend building a simple yet useful django application called tomblog.

First of all the idea to publish the notes from Ubuntu One is not new but at the moment this is not possible via the official web interface. Since CouchDB HTTP access is open for everyone with correct credentials, this is pretty easy to do as a 3rd party service.

Screenshot

Installation notes

The project is quite new and it is currently a single-user installation. You can grab the code from lp:tomblog. It is easy to add Disqus-powered comments too, there is a JS code snippet in the template for that.

Please note that the code will allow displaying any note you have stored in your Ubuntu One database if the note UUID is known. The code will create links to the notes only if the target note is published, though.

In order to run tomblog on your server you will need to fill in your OAUTH_* credentials in settings-example.py and rename it to settings.py (I just took ones from my keyring), configure the templates dir, create the corresponding CouchDB views from data/views.js, install the following:

• python-oauth
• python-django
• python-lxml

Under the hood

When you sync your Tomboy notes with Ubuntu One server, the notes are stored in CouchDB on the server side.

This web application is basically a http client which fetches your notes tagged with some specific tag (in my case - Tomboy notebook called "Publish"), performs XML to HTML conversion and displays the published note.

It uses my OAuth token to retrieve the documents and my token can only be used with my CouchDB databases.

Live Example

The current trunk is running on notes.rtg.in.ua and looks to be pretty working. Drop me a comment if you find this idea useful too.

^* GNote is not currently syncing using Snowy protocol. There is a script to sync GNote notes to local CouchDB called gussie, you can grab it from lp:~rye/+junk/gussie.

Что огорчает предпринимателя на едином налоге в Украине? То, что каждый квартал нужно сдавать отчет в Налоговую, а сейчас потребовалось ежемесячно сдавать пустую декларацию.

Раньше это означало, что несколько дней в году нужно провести в налоговой инспекции, стоя в очередях. По какой-то причине в один прекрасный момент это перестало быть интересным нашей налоговой администрации, и было решено разрешить предпринимателям сдавать отчеты в электронной форме.

Для этого требуется получить ключ и сертификат в одном из авторизованных центров сертификации, принести этот сертификат в налоговую, заключить с инспекцией договор о том, что отныне документы, подписанные Вашим ключом, будут приравниваться к оригиналам, скачать ПО для создания (возможны различные варианты) и шифрования (зависит от центра сертификации) отчетов и начать им пользоваться.

Единственным неудобством для меня является необходимость использования Windows, т.к. HTML Application “ОПЗ” отказывается запускаться под Wine. Однако приложение для шифрования отчетов спокойно запускается в Wine и все красиво показывает, если ему передать LC_ALL=uk_UA.UTF-8.

Как все происходит

Сдача отчетов проходит следующим образом:

1. Создаю документ в OPZ в виртуальной Windows.
2. Копирую результат на основную машину в папку, которая синхронизируется с Ubuntu One.
3. Программа для шифрования подписывает мой отчет и шифрует его публичным ключом налоговой администрации.
4. Результирующий файл я отправляю по E-Mail на шлюз электронной отчетности.
5. В течении нескольких минут мне приходят несколько зашифрованных сообщений, в которых говорится о статусе обработки отчета.

Почему-то первой реакцией моих коллег на то, что я сдаю отчетность в электронном виде, было непонимание, зачем мне для четырех раз в год этим было заниматься, да еще и платить 48₴ в год. В качестве примера удобства данного механизма я начал приводить свой отчет, отправленный 2010-01-04 в 00:18. Через несколько минут отчет был принят, и у меня был регистрационный номер. В час ночи.

Об ошибках

Пока единственной проблемой, с которой я столкнулся,​ было следующее сообщение от шлюза отчетности:

Блок даних. Невірний підпис - сертифікат відсутній в базі сертифікатів

Как оказалось, сертификаты ИВК имеют свойство менять свой тип на “печатка” вместо “підпис”. После звонка в налоговую и (как ни странно) приятного и результативного общения с сотрудницей отдела, занимающегося электронной отчетностью, я смог отправить декларацию без каких-либо проблем, попивая чай у себя дома.

So, I finally got an Android-based Acer Liquid S100 (Liquid E, with 512Mb RAM). I’ve spent some time to get accustomed to the Acer changes to the UI and apps and finally found that I can not use Funambol Sync properly on that device. Acer simply replaced the Contacts application with their own version which does not ask for the application to edit the contact. Basically Funambol Contacts are read-only on that device. So I started looking around to find how android is being built.

Liquid E does not have any flash LED (the only thing I am missing that was in my Nokia 5530). The flashlight is rather important to have so every time I reflashed the device to stock state I had to go to Android Market and pick the simplest app possible. At some moment I realized that I cannot find that application anymore.

How hard is it to build a blank screen/full brightness app?

AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
      package="com.errormessaging.screenlight"
      android:versionCode="1"
      android:versionName="1.0">
    <application android:icon="@drawable/icon"
                 android:label="@string/app_name"
                 android:theme="@android:style/Theme.NoTitleBar.Fullscreen">
        <activity android:name=".ScreenLight"
                  android:label="@string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

src/com/errormessaging/screenlight/ScreenLight.java:

package com.errormessaging.screenlight;

import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

public class ScreenLight extends Activity {
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        WindowManager.LayoutParams lp = getWindow().getAttributes();
        lp.screenBrightness = 1f;
        lp.flags |= WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON;
        getWindow().setAttributes(lp);
        
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
    }
}

That’s it.

Source

Full source code for this awesome application is available in Launchpad Bazaar:
bzr branch lp:~rye/+junk/screenlight-android
You can download the compiled Screen Light.apk (signed with debug key) from Ubuntu One

I’ve been thinking about this since the day Ubuntu One team announced public file sharing. If Ubuntu One is able to provide public access to virtually any type of content then writing the automatic publishing tool and attaching it to in-browser gallery should be pretty trivial.

So the code started to be written…

After a couple of hours the following emerged: Ubuntu One Gallery proudly powered by Galleria.

The files are served from Ubuntu One except of jQuery which is downloaded from Google Content Delivery Network (CDN). Here’s how the gallery above got created on my machine:

$ python ubuntuone-gallerize.py --title "Estonia Pics" \
  -o ~/Public/estonia.html \
  /home/rtg/Pictures/Estonia\ Gallery/*.{jpg,JPG}

/home/rtg/Projects/ubuntuone-gallerize/data
Root is /home/rtg/Ubuntu One
on_public_files_list
publish_galleria
publish_files
publish_images
publish_files
build_gallery

The code for the script that tries to publish the files, creates HTML file and makes your own private copy of galleria is available from lp:~rye/+junk/ubuntuone-galleria. Please use the code only if you feel adventurous and note that it is nowhere near alpha quality. It works for me and I’d like people to have access to that code as early as possible. By the way, it will not publish the resulting file for now (rev 2).