What is disturbing is a report from a third party company who is vulnerable to one of the denial of service issues that said that it wasn't a security issue as there were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept, you don't have to send more than a kb of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well - they just spawn off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network that uses OpenSSL is so resilient.
Going to be in London next weekend?
Over the years there have been many times when we've thought about stopping production, usually when a competitor announced some other Apache magazine that we thought would do a better job than we do. But most of them gave up. They probably realised that there wasn't any money to be made from an Apache httpd journal.
UK Web became C2Net which became Red Hat, and Apache Week is still going strong. We'll have to think of something exciting to do for our tenth birthday.
So to spread some good Karma my OTP OPIE S/KEY client thingy is free, with source. Although I have to admit that it's probably about 40 lines of code linking to existing libraries, and it probably took me longer to write the web page and draw the icon than write the app.
Now I can get back to doing the work on the system that I needed to use the OTP calculator to log into in the first place ;)
Spare time over the last few weeks has been a bit limited what with the OpenSSH and Sendmail issues, and I guess I need to finish off my talk for ApacheCon.
I toyed with several ways of dealing with the home automation system. Misterhouse looked very impressive and was written in Perl so easy to extend, but it also liked to take control directly itself of any hardware. I wanted each bit of home automation hardware to have its own intelligence, its own bot, allowing the hardware to exist on separate machines and architectures. So I started out writing bits of custom Perl for each of the bits of hardware (with some C for things like serial interfacing which was hard for me to get to work perfectly with Perl). I then heard about the XAP project which looked quite interesting but seemed to have a number of weaknesses - it mostly relied on UDP broadcast packets for the components to talk together (I wanted components on different network segments, some on wireless, some on links I share with video traffic - UDP broadcast packets just are not reliable enough), the other problem was that the components already written were under a license that prohibited commercial use at all. Not that I intend to sell this, but if I'm going to work on software I want that software under a BSD-style license or failing that GPL. So my requirements were to have a lightweight messaging system ideally using XML that could run over a security layer (for the wireless network) that I could extend and easily write a custom client for. The answer of course was Jabber. With the Net::Jabber module I can easily write bots and clients in Perl for speed, and with the Perl Tk interface writing user interfaces takes no time at all and they work across platform: Linux or even Windows.
The nice thing about Jabber is that clients for Jabber exist for just about every platform. It's simple to take the source code for a Jabber client and add some buttons and things to make it control any aspect of the home automation system. And if no source exists you can simply chat to the lighting bot and tell it "lights living 18". The plan is to be able to control this all from a wireless PDA too.
The big test: would Perl and Tk and a Net::Jabber client run okay on an AMD 100MHz processor running in 800x600 256 colour mode? The startup time is about a minute, but then once it's done it happily refreshes the screen with no real visible delays and sends and receives (and parses) messages without a hitch. Here are some pics from the initial interface written over Christmas vacation 2002.
Figure 1: Lighting interface (a Jabber x10 bot)
Figure 2: TiVo interface (a Jabber TiVo bot communicating with a custom tivoweb module that returns XML status information)
Figure 3: Heating interface (a Jabber to one-wire bot that talks to the one-wire temperature sensors, logs data using rrdtool, and talks to the one-wire heating switch)
Figure 4: Misc stuff interface (the DSL bot talking to the cable modem and the UPS bot talking to the UPS device. Alerts also come in here)
Figure 5: Caller ID interface (a Meteor caller id bot with pop-up pics for most of the people we know)
Figure 6: Interface to front door camera (rear only goes into the MV1000 so far)
Each hardware component has its own bot that can be queried for status and can also be made to broadcast status information either when something changes or every minute. The client simply parses every message it receives and displays it in the right place. Software will be here soon.
Inspiration hit when looking at the back of the Fujitsu and finding a large number of circular sticky covers - covering really nice screw points. So a couple of drywall fixings into the wall and custom brackets later and here is the result. The custom brackets were made from spare PC expansion card slot covers, nice and thin but quite strong.
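As an added illustration of the chat protocol described above (a client says "lights living 18", the bot answers and also reports status on demand or every minute), here is a Python sketch of the bot's message-handling step. It is not the author's Perl/Net::Jabber code; the Jabber transport is left out, and the sender allowlist, the room-to-X10-address table and the 0-100 level range are all assumed.

```python
"""Lighting-bot command handling for a Jabber-driven X10 setup (added example)."""
import re

# Assumed: only these bare JIDs (no resource) may drive the lights.
# Anyone on the untrusted wireless segment can reach the bot, so it
# must decide per sender, not per network.
ALLOWED_SENDERS = {"tracy@home.example", "mark@home.example"}

# Assumed room -> X10 house/unit code mapping (constructed values).
ROOMS = {"living": "A1", "kitchen": "A2", "hall": "A3"}

# Assumed dimmer level range; 0 means off.
LEVEL_MIN, LEVEL_MAX = 0, 100

# Command grammar: "lights <room> <level>"; anything else is rejected.
CMD_RE = re.compile(r"^lights\s+([a-z]+)\s+(\d{1,3})$")

# Last known level per room; this is what status queries/broadcasts report.
state = {room: 0 for room in ROOMS}


def bare_jid(jid):
    """Strip the resource so 'u@host/webpad3' is checked as 'u@host'."""
    return jid.split("/", 1)[0].lower()


def status_line():
    """Status text in the form the bot would broadcast every minute."""
    return "lights " + " ".join(f"{r}={state[r]}" for r in sorted(state))


def handle_message(sender, body):
    """Return (x10_command_or_None, reply_or_None) for one chat message."""
    if bare_jid(sender) not in ALLOWED_SENDERS:
        return None, None          # stay silent; don't advertise the bot
    body = body.strip().lower()
    if body == "status":
        return None, status_line()
    m = CMD_RE.match(body)
    if not m:
        return None, "usage: lights <room> <level> | status"
    room, level = m.group(1), int(m.group(2))
    if room not in ROOMS:
        return None, f"unknown room {room!r}"
    if not LEVEL_MIN <= level <= LEVEL_MAX:
        return None, f"level must be {LEVEL_MIN}-{LEVEL_MAX}"
    state[room] = level             # remember it for the next status report
    return f"{ROOMS[room]} DIM {level}", f"ok: {room} -> {level}"
```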
Three CAT5 cables to most rooms in the house. Fortunately the builder ran some extra cables through the house for me before it was too late and the final fix happened. I found some cunning 3-outlet sockets from BKA which look good and blend into a domestic environment.
Wireless network (802.11g) that reaches through most of the house, but on an untrusted part of the internal network. This generally gets used by web tablets as the coverage isn't great.
Satellite-grade coax to most rooms. This allows the cable modem and cable tv box to all be in separate rooms and away from their entry point. Some of the internal cameras use these connections.
UPS for all the important bits, highly necessary since the house voltage is regularly over 250 volts and a little temperamental sometimes.
Various networking stuff: transparent firewall, second firewall+NAT, one of those D-Link multi-protocol print servers serving a laser and inkjet
Home automation server. In early 2005 my old 400MHz PC finally gave up. It was running Red Hat Enterprise Linux 2.1 (it was running Red Hat Linux even before I started working for Red Hat). Machine was replaced with a dual-AMD machine. This machine runs the Jabber server and the various HA bots.
Cable internet and TV from Telewest. The Telewest termination point is in the garage, see photo (Feb 2002). The cable goes to the central patch panel where it's split to the cable modem and runs back to the living room where the decoder lives at the moment.
A German LW11G X10 dimmer switch controlling 10 25W recessed lights in the main room, the switch *just* fits in the drywall backbox. I spent many hours working out where to put the computer control unit, a CM12U, so that it managed to send signals to reach all the rooms in the house - nearly everywhere I put it there was a blackspot where things wouldn't work. Anyway having the CAT5 meant it doesn't matter where the CM12U is as the CAT5 provides a serial link back to node0. An AD10 and LW10 finish off the X10 stuff, controlling two sets of Christmas lights right now. X10 stuff from Laser.
Control of the central heating system (it had a 240v switched input which we control with a relay from a 1-wire switch).
A set of one-wire temperature sensors from Maxim together with a 1-wire USB interface to allow logging of temperature from around the house. We recently added a 1-wire hub so we could use a star network of more than a couple of sensors. Anyway the raw data goes into rrdtool and the output graphs get uploaded via DAV here.
TiVo with a Turbonet ethernet board from 9th Tee - allowing remote control from any machine in the house
Control of a plasma screen
Five Fujitsu Point 1600 webpads mounted on the wall to control everything.
Meteor Caller ID unit that logs incoming and outgoing calls. This is hooked to a Linux box with a bit of C software to decode the strange format.
Caller ID displayed on the TiVo by using the jabber system
Alarm system. The communicator outputs are also wired to a Linux box which triggers various events based on the state of the alarm
SMS alerts. The main Linux box is hooked to a dedicated mobile phone used to send alerts from the UPS, alarm etc. (and allow remote control of various things). Since phone cables here are above ground they're too easy to cut!
Plans (as time and money permit)
Control the external lighting and curtains (I installed pull-cord curtains already to make this easier)
Work out a system for distributed TV. At the moment the TiVo's RF output feeds up to a distribution amplifier in the loft, need to work out how to watch DVDs (RGB out only) and work on an IR distribution system (currently a single 'One For All' remote extender)
Maybe move the TiVo and cable box to the node0 and send the signal up to the lounge over CAT5
House modifications are coming along well, with updates to the Home Automation security software (a few surprises for any intruder), and some large black marble balls on a rockery out the front. Tracy has been spending a few days pressure-washing the driveway which is fun apart from the occasional lump of sand that gets blasted at random parts of your body. Sand in your nose is quite annoying.