All posts by Kyle Bubp

Brightness Adjustment for Yoga 13 – Ubuntu

You may have noticed that even though the brightness icon is appearing on your screen, it’s not actually adjusting the brightness. Here’s how to fix it.

From the command line, run the following:

sudo gedit /etc/default/grub

Add the following lines to the end of the file.

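#For adjusting brightness on Yoga 13
#(/etc/default/grub is sourced as shell, so append the kernel parameter to the existing command line)
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT acpi_backlight=vendor"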

Save and close the file.

From terminal, run:

sudo update-grub

Finally, blacklist the other device:

sudo gedit /etc/modprobe.d/blacklist.conf

Add the following lines to the end of the file. Save and close it.

#For adjusting brightness on Yoga 13
blacklist ideapad_laptop

Now, save your work and reboot.

Wireless Drivers for Yoga 13

I have a Lenovo Yoga 13 and love it, except for the fact that I couldn’t get wireless working on Ubuntu. That is, until now. Thankfully, a GitHub user by the name of lwfinger has a solution. If you have an internet connection, via a USB dongle, simply perform the following in the terminal:

sudo apt-get install git
git clone https://github.com/lwfinger/rtl8723au
cd rtl8723au
make
sudo make install
sudo modprobe 8723au

If you don’t happen to have an internet connection, just grab this package and copy it to your home folder, then run the following:

tar xzvf yoga13realtekwireless.tar.gz
cd yoga13realtekwireless
make
sudo make install
sudo modprobe 8723au

lwfinger also has the Bluetooth driver if you visit his GitHub site.

Use Java Whitelisting To Further Secure Your Organization

If you were to ask any sysadmin what their biggest vulnerability is at the desktop level, they are most likely to say “Java.” In fact, Java has such a bad reputation for being exploited that it’s the butt of many IT jokes. Typically, if you mention Java to a sysadmin, you will very quickly hear a disappointed sigh in response.

Unfortunately, it’s almost impossible to get rid of across the organization because so many business processes rely on Java-based applications. Thankfully, starting in Java 7u40, Oracle has allowed sysadmins to control Java with a whitelist. The whitelist acts almost like a firewall in that the default rule is deny-all. You can whitelist Java applets based on domain or signing key.

This new capability allows sysadmins to secure their organization with a few .vbs scripts, some GPO, and a .jar file.

Software Prerequisites: Java JDK, Java JRE

Disable Java Cache

Throughout my testing, it has become apparent that disabling Java cache yields the best results. I would recommend doing this prior to starting the implementation of the Java whitelist. Below are User Login .vbs scripts that will disable Java Cache for XP and Windows 7. I am by no means a .vbs expert, so you may be able to tweak this into one script to handle both operating systems.

Link to XP

Link to 7

Generate a Code-Signing Certificate & Java Keystore

You will need to sign your whitelist .jar file in order for it to be processed by Java. I was able to generate a code-signing cert from our local CA in our Windows Domain. Getting that cert into a Java Keystore is a little tedious, but not difficult. Here’s what I did:

  1. Use Certificates MMC Snap-In to export certificate with private key (Example: C:\Users\username\cert-and-key.pfx)
  2. Open cmd.exe, navigate to the JDK bin directory (C:\Program Files\Java\jdk1.7.0_45\bin)
  3. Import .pfx to Java keystore with the following command
    1. keytool -importkeystore -srckeystore C:\Users\username\cert-and-key.pfx -srcstoretype pkcs12 -destkeystore C:\Users\username\mykeystore.jks -deststoretype JKS
    2. Make note of the alias (something like le-codesigningcertificate-*) and copy it to a safe place.

Create the whitelist (DeploymentRuleSet.jar)

Now comes the fun part: creating the actual whitelist. The whitelist is basically a .xml file, packed into a .jar file (think tarball) and signed with your certificate. Oracle has a great example of said .xml file here: https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

I’ve found it easiest to create the ruleset.xml file in the JDK bin directory so as to avoid any issues with absolute paths in the following commands. Once you have your ruleset.xml created, it’s just a matter of creating the .jar file, signing it, and sticking it in the right place. The following commands assume you are in the JDK bin directory, and your ruleset.xml is also in that directory.

  1. Create the .jar file by issuing the following command:
    1. jar -cvf DeploymentRuleSet.jar ruleset.xml
  2. Sign the .jar file (you will need the alias from the previous section for this step):
    1. jarsigner -verbose -keystore C:\Users\username\mykeystore.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar <paste alias from previous section here>
  3. Copy whitelist to correct location:
    1. Windows: copy DeploymentRuleSet.jar C:\Windows\Sun\Java\Deployment\
    2. Mac: cp DeploymentRuleSet.jar /etc/.java/deployment/
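
A check worth running on ruleset.xml before it is packaged and signed, as an added example that is not from the original post or from Oracle: it lints the rule list for ordering mistakes and for a missing catch-all block rule. The sample rules, hostnames, pinned version and the plain-HTTP check are assumptions of this example; the element and attribute names follow the Deployment Rule Set format.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule set; hostnames and the pinned version are placeholders.
SAMPLE_RULESET = """\
<ruleset version="1.0+">
  <rule>
    <id location="https://payroll.example.com" />
    <action permission="run" version="1.6*" />
  </rule>
  <rule>
    <id location="http://*.example.com" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by IT policy.</message>
    </action>
  </rule>
</ruleset>
"""

def is_catch_all(rule_id):
    """An <id /> with no attributes or children matches every applet."""
    return rule_id is not None and not rule_id.attrib and len(rule_id) == 0

def lint_ruleset(xml_text):
    """Return a list of findings; rules are matched top-down, first match wins."""
    rules = ET.fromstring(xml_text).findall("rule")
    findings = []
    for n, rule in enumerate(rules, start=1):
        rule_id, action = rule.find("id"), rule.find("action")
        if rule_id is None or action is None:
            findings.append(f"rule {n}: missing <id> or <action>")
            continue
        runs = action.get("permission") == "run"
        if is_catch_all(rule_id) and n < len(rules):
            findings.append(f"rule {n}: catch-all shadows the rules after it")
        if runs and rule_id.get("location", "").startswith("http://"):
            findings.append(f"rule {n}: run rule trusts a plain-HTTP location")
    last = rules[-1] if rules else None
    last_action = last.find("action") if last is not None else None
    if (last_action is None or not is_catch_all(last.find("id"))
            or last_action.get("permission") != "block"):
        findings.append("no default deny: last rule is not a catch-all block")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ruleset(SAMPLE_RULESET)))
```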

Confirm whitelist is being applied

The whitelist should get applied as soon as the .jar file is copied to the correct location. To test this, open the Java Control Panel and navigate to the Security Tab. You can then click on the “View the active Deployment Rule Set” link to see what whitelist is taking effect.


Further Notes

This took me a couple of tries to get right, so don’t get discouraged if you don’t get it right the first time. One very valuable piece of the Java whitelist is that it allows the sysadmin to specify which version of Java to run on each site. Therefore, if your organization has an application that is limited to a specific Java version, you can now lock down that version of Java to that specific application, while allowing all other applications to run the latest version of Java.

sudo /usr/bin/vim: Not a Good Idea

I’ve seen this configuration in /etc/sudoers before, but I wanted to explain a little more about why it is not a good idea to do this. First of all, you are editing your sudoers file with visudo, right? (RIGHT?!) If not, you should be. The reason is that when you use visudo, it does a syntax check on the /etc/sudoers file before committing. If you have it bunked up, it will let you know, and will allow you to fix the problem before you commit (you always want to fix before you commit). If you simply edit the /etc/sudoers file, bunk up the syntax, and commit it anyway, there’s a good chance that NONE of your sudo config will work.

Now, let’s get on with putting /usr/bin/vim in the sudoers file. I can see why one would do this: perhaps you have web admins that don’t use a code repository and simply make backups on the dev box and edit the configs on the machine. Probably not the best idea, but it happens every day. You likely have a group in /etc/group called something like “webdevs” populated with the names of your web developer accounts:

webdevs:x:599:jsmith,plawrence,ljames,mpayne

Thus, your sudoers file might have a line in it that is similar to (this assumes you have a host alias for the development web servers set to DEVWEB):

%webdevs    DEVWEB = /usr/bin/vim /docroot/index.html

This seems like an innocent thing, right? I mean, how much damage can they do? You’ve locked them down to just being able to edit the index.html file in /docroot, right?

WRONG!

The funny thing about vim is that you can press the escape key, then type:

:shell

And it will drop you to a shell, and when run in sudo, it’s not just any shell, it’s a root shell. Now everyone in your webdevs group can get a root shell!

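So, how do we fix this? Well, we use the program “/usr/bin/sudoedit” in place of /usr/bin/vim. sudoedit runs the editor as the invoking user on a temporary copy of the file and only writes the result back with elevated privileges. Now, if the user tries the same :shell trick, it drops them to a non-elevated shell.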

tl;dr:

  • Use visudo when editing /etc/sudoers
  • If users are allowed to utilize /usr/bin/vim with sudo privs, you’ve just given them a root shell
  • Use /usr/bin/sudoedit in place of /usr/bin/vim when attempting to allow users to edit privileged files
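
One way to find entries like the %webdevs line above across a sudoers file, as an added example that is not part of the original post: a small auditor that flags rules granting an editor or pager directly. The program list and the sample lines are constructed for illustration, and only simple single-line user specifications are parsed (aliases, Defaults, continuations and escaped commas are out of scope).

```python
import re

# Programs with a shell escape or command-execution feature. Illustrative list
# assembled for this example; extend it for the tools installed on your hosts.
SHELL_CAPABLE = {"vi", "vim", "view", "ex", "emacs", "nano", "less", "more", "man"}

# Constructed sample: the entry from the post, its sudoedit form, and one more user.
SAMPLE_SUDOERS = """\
# web developers may edit the landing page
%webdevs    DEVWEB = /usr/bin/vim /docroot/index.html
%webdevs    DEVWEB = sudoedit /docroot/index.html
jsmith      ALL = (root) NOPASSWD: /usr/bin/less /var/log/messages, /usr/bin/tail /var/log/messages
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (line_no, who, command) for entries that run a shell-capable program."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            # Drop a leading (runas) spec and tags such as NOPASSWD:
            cmd = re.sub(r"^\s*(\([^)]*\)\s*)?(\w+:\s*)*", "", cmd).strip()
            if not cmd:
                continue
            # sudoedit is listed without a path in sudoers and is not flagged.
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                hits.append((line_no, m.group("who"), cmd))
    return hits

if __name__ == "__main__":
    for line_no, who, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {who} may run '{cmd}' as root; consider sudoedit")
```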

 

 

 

Double-Hopped Jamaican Hot Chocolate IPA

It’s been a while since I’ve brewed a batch of beer (or updated this blog for that matter), my kegs are empty, it’s cold outside, so what better way to spend a few hours than brewing a beer? My favorite kind of beer is an IPA. I’m a hop head and I’ve found that it’s best just to brew what you enjoy the most. I also enjoy a good spicy dish, and since a good friend of mine has recently been making his own hot sauces, I figured I would combine the two tastes in one awesome beer.

I was initially going to try to do a Habanero IPA, but my buddy convinced me to try a different style of pepper that is a little more fruity. He brought me a Red Savina and a Jamaican Hot Chocolate and asked me to smell both. After doing so, the choice was clear, I was going to use Jamaican Hot Chocolates for this recipe (however, I threw in a Red Savina because I didn’t want to see the one he cut open go to waste).

First step, steep the grains (1 lb. Caramel 20L) and make wort. Basically, just steep the grains while you are heating your water. I steep mine for ~20 minutes at 155°-160° F.

Steeping Grains

After the steeping has commenced, you will have some of your fermentable sugars in the form of wort. The rest of the fermentable sugars in my brew will come from adding liquid malt extract (LME).

Wort after grains had been steeped

Hops are a funny thing. Some are for bittering, some are for aroma, and both can be altered based on how long you boil them. I have Cascade Hops for bittering and Willamette for aroma.

Beautiful Things

I added the Cascade hops (I purchased an extra bag in addition to what came with the kit) at the beginning of the boil because I want the full 60 minutes to really bring out the hoppiness of them.

Cascade Hops
All 84g of them

 

After adding the hops

After adding the Cascade hops and 3.3 lbs of LME, I boiled for 40 minutes. At the 40 minute mark, I added an additional 3.3 lbs LME. It was starting to look lovely. At this point, I decided to pour myself a little bourbon.

Hops & LME
A little bourbon for sippin’

With 10 minutes left in the boil, I added three Jamaican Hot Chocolate Peppers and one Red Savina. They smelled absolutely awesome while boiling.

Peppers

With 5 minutes left, I added the Willamette hops. After terminating the boil, I cooled the wort and pitched my yeast. Today, I went to check the beer to see if the yeast was doing its thing yet, and sure enough, she was bubblin’.

Bubblin’

A month from now, I’ll get to see how it turns out. A friend made a good point about the peppers: “If it’s not good for drinking, it will make excellent beer cheese.”

Now we wait.

Let’s hope I don’t end up making 5 gallons of beer cheese.

 

Moving VMs in VMware Fusion

I ran into an issue with my VMware Fusion implementation where I needed to move my VMs off of my local hard drive and on to an external drive. I am currently running a single SSD in my laptop, and as you know, SSD storage ain’t cheap. The VMs are just test machines, so I am willing to take the performance hit. If you are running into the same issue, or just want to know how to safely move your VMs to a new disk, follow this (hopefully) simple guide:

1. Turn off your VM! This means to shut down your VM completely, even if it’s in a current state of suspension. You could probably just save state and be ok, but it’s better to be safe than sorry.

2. Find your VM bundle. This is relatively simple. With VMware Fusion as the active application, select Window > Virtual Machine Library. Then Ctrl-Click your VM and select Show in Finder (it’s most likely in /Users/<your name>/Virtual Machines).

3. Drag and drop, it’s that easy, kinda… Ya see, Mac’s default action is to copy. To move, like we want to do, hold the Command key while you drag and drop. Your dialog box should say “Moving ‘<your vm name>’ to ‘<new location>’.”

4. Completing the process. After the file move process is complete, you are gonna want to start your VM. To do this, with the Fusion app active, click File > Open… and select your VM in its new location. When VMware asks you if you moved or copied the file, tell it that you moved it. If you tell Fusion that you copied the VM, it will generate a new UUID and MAC address, which can cause configuration problems.

5. Clean up. I like to tidy up after myself in my projects, and I’m going to assume you are no different. Now that your newly moved VM is up and running (you started it to make sure it works, right?), you’re gonna want to remove the old one. With the Fusion app active, click Window > Virtual Machine Library and simply two-finger (right click) the old VM shell and delete it.

That’s it! Now you have reclaimed some of your HD space for more important things, like cat photos.

Fixing Stuck Pixels on an LCD TV

I recently noticed that a column of pixels on my TV was becoming more and more noticeable. I did some research and it appeared that a column of pixels was simply “stuck.” I stumbled upon UDPixel and figured I would give it a shot, as the alternative is to purchase a new TV. It works by flashing the primary RGB colors as well as white and black. I ran it for about 2 minutes and it seemingly fixed the problem.

 

Check it out: http://udpix.free.fr/index.php?p=dl

Charter Filters MAC Addresses

A couple of days ago I noticed that my internet was no longer working. I tried to ping 4.2.2.2 to no avail. My network setup consists of a Motorola Surfboard Cable Modem and a Netgear WNR3500L Wireless-N router. I connected my laptop directly to the cable modem and it worked perfectly. I thought that perhaps it was just a power-cycle issue, so I connected the router back to the cable modem and rebooted both. Still, no internet access from the wireless network.

I did a little more digging and found that the cable modem wasn’t assigning the wireless router an IP address, yet if I plugged my laptop directly in to the modem, DHCP worked flawlessly. It then dawned on me that perhaps Charter was doing some type of MAC address filtering to determine which devices to authorize DHCP to use.

MAC (media access control) addresses are the physical addresses of network cards, both wired and wireless. The first three octets of the MAC address specify the manufacturer of the network card. This allows Charter to differentiate between a wireless router and a laptop computer.

If you are having this issue, there is an easy fix. First, determine the MAC address of your wired connection. If you are on a Windows machine, open a command prompt and type “ipconfig /all”. You will get the following prompt:

The MAC address is the line that says “Physical Address.”

If you are on an Apple/Mac computer, open a terminal window and type “ifconfig”. The local wired connection is en0. The MAC address is the field that says “ether”:

Next, log on to your router and determine where you can set the MAC address; it will look something like this:

Input your physical MAC address and apply your settings. After that, you should be able to obtain an IP.

The only reason I suspect Charter does this is to force you to buy their “Wireless” bundle.