## Record Stream Using VLC

I just needed to record a video stream. Usually, I use mplayer for these kinds of jobs, but this time it failed. However, on the internet I found a way to do it using VLC, which apparently has quite a command line interface.

This comment revealed that the VLC media player comes with some command line magic. Of course, not much is documented in the man page, but the user guide on their website seems to be useful.

Long story short, I ended up with the following command to save the stream http://STREAM.mp4 to /tmp/file.mkv :

Cool.

For the record, here are some alternatives:

## New GPG Key

It was time to finally replace my old GPG key. I created the key in 2008 and from today’s perspective a 1024 bit DSA key is really weak. Thus, today I decided to move to a new key and created a 4096 bit RSA key.

My old key was

And the new key is:

For those of you who already trust my old key I created a transition note which is signed by both my old and my new key.

To import my new key to your key chain you can use the following command:

The new key is already signed by the old key. Those of you trusting my old key may verify the signature using:

To sign the new key execute the following command:

And it would be nice if you uploaded the signed key to one of the key servers:

You are of course free to give me a call in order to verify the fingerprint ;-)

## Gajim idling error

Just stumbled upon a small bug in Debian’s version of Gajim (0.15.4-2 – currently in testing and sid).

The following error occurs when Gajim starts to idle:

This results in a dis- and a subsequent reconnection. As the traceback already suggests the error can be found in /usr/share/gajim/src/common/connection_handlers.py on line 2009. This is the corresponding function:

Obviously, there is no variable obj: the passed argument is called iq_obj … To fix that mistake just substitute the function definition with (replace iq_obj with obj in line 2006):

Btw. I’m not sure why, but this error just affected one of my four machines which are running Gajim.

## Challenge is over.

About 6 or 10 months ago we were searching for a student to work with us in the SEMS project. In order to reduce the number of applications I started a challenge. To solve this challenge you had to show some understanding of basic techniques and programming languages, so we didn’t waste our time with people not able to write a single line of source code.

And what should I say? It was successful! We’re now a great team with three students :D

However, currently this challenge seems to spread over the internet. And lots of people try to solve it (and many submit a wrong answer^^). But even worse, some of you guys try to exploit it by submitting something like

In general I don’t care. It was just some lines of PHP that send me an email in case of a correct answer. There is no database and the worst that can happen is a full inbox, but now I decided to close this challenge and instead forward users to this article.

Thus, if you arrive here feel free to apply for a job! I guess all of my readers, even if they didn’t solve this challenge, are perfect fellows…

If you nevertheless want to give it a try you can download the challenge.

## Extended MyTinyTodo

MyTinyTodo is a self-hosted todo list that wins you over with its simplicity. It lets you maintain several different lists and assign tags, priorities and due dates to tasks. I used it myself for a long time and decided to fork the project in order to implement some stuff I missed in the original version.

I do not intend to talk about MyTinyTodo a great deal. Very tiny, does nothing that isn’t necessary. No Dropbox/Facebook/Instagram etc integration. I really like this kind of software :D

But I was missing an essential feature: Creating tasks via mail. Lucky us, MyTinyTodo is distributed under the terms of the GPLv3 license. Thus, I hg cloned it and extended the tool with the desired functionality. And since the IDE was already opened I added a tiny authentication (now: username + password; previously: .htaccess) and secured the API by introducing a signature. Nothing special or complex, but it had to be done.

Long story short: I’m now able to submit tasks via e-mail. That means, a mail containing the following:

will result in something similar to Figure 1. All possible attributes that are recognized in the mail body are listed at the wiki on GitHub.

Find out more on GitHub.

## Integrating Tomcat with Apache

You can configure the Apache web server to forward requests to Tomcat. Thus, you can speak to both servers on ports 80 or 443 and get rid of the :8080 for your Tomcat applications. I’m somehow doing that very often, so here is a small how-to for copy&paste purposes.

## Install jk

As you might know, while Tomcat is Java stuff Apache is written in C. So in general it’s not that easy to get them talking to each other. The key to achieve an integration is called mod_jk (see The Apache Tomcat Connector). So first of all you need to install it:

If it is installed you can configure an AJP worker in /etc/libapache2-mod-jk/workers.properties  :

As soon as this is done the bridge is ready to close the gap between Apache and Tomcat.

## Configure Tomcat

We need to configure an AJP connector on port 8009 . So open /etc/tomcat7/server.xml and add another connector next to the other ones:

If you’re lucky there is already such a connector defined in the comments. So just remove the comment…

## Configure Apache to speak through jk

Here I’ll show you how to setup a virtual host. For example, copy the following to /etc/apache2/sites-available/012-yourapp.conf :

Ok, let me shortly explain what I did there.

1. Everything that arrives at this vhost gets forwarded to our previously defined AJP worker (line 9)
2. I assume your Tomcat webapp is running on server:8080/YourApp, therefore I configured a substitution of the URL to insert /YourApp (line 7). Of course you need to have mod_rewrite installed and enabled. (You may skip this line if you’re fine with having /YourApp in all your URLs)
3. The rest should be clear. The vhost is available at http://yourapp.yourserver.tld, as well as at http://ya.yourserver.tld (lines 3&4). You can also use SSL, just configure line 1 to listen at *:443 and add the SSL stuff to the body of your vhost. (SSL example)

Afterwards, enable the vhost to populate it:

## Give it a try

If this is done just restart everything:

Now Apache forwards all requests to http://yourapp.yourserver.tld to your Tomcat webapp at http://yourserver.tld:8080/YourApp.
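An added check for the AJP connector configured above (example code, not from the original post): AJP accepts requests from whatever connects to it unless a secret is set, so with Apache and Tomcat on the same host, as in this how-to, the connector should listen on loopback only. The script audits a server.xml for that; the sample XML is constructed, and audit_ajp and is_loopback are names chosen here.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not the file from the post: an AJP connector on
# port 8009 as in the how-to, with no bind address and no secret.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def is_loopback(address):
    """True for a loopback IP literal or the name 'localhost'."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # any other host name is treated as non-loopback


def audit_ajp(server_xml):
    """Return (port, finding) tuples for every AJP connector in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # HTTP connectors are out of scope here
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append((port, "no address attribute, bind address falls back to the Tomcat version's default"))
        elif not is_loopback(address):
            findings.append((port, f"listens on non-loopback address {address}"))
        # 'requiredSecret' is the older attribute name, 'secret' the newer one
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append((port, "no shared secret (secret/requiredSecret) configured"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ajp(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {finding}")
```

If a secret is set on the connector, the same value has to be given to the mod_jk worker through its secret property in workers.properties.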

## Find all Text Files, recursively

Because I was thinking of something like that for a long time.

In bash/zsh (add it to your .rc ):

Using this function it’s possible to open all text files of a project at once:

## Change Title of moderncv Document

Once again I had to prepare a CV for an application. I’m using the moderncv package to create the CV in $\LaTeX$ and I was always bothered by the title of the document. Today I spent some time to fix that.

Using moderncv you can produce really fancy CVs with very little effort. But unfortunately, by default it produces an ugly title (see the screenshot taken from Okular). As you can see, there is some character that cannot be displayed by certain tools.

I guess most of my “CV-reviewers” don’t care about this little issue, if they recognize it at all, but it bothers me whenever I have to create a resumé. I already tried to override it using the hyperref package, but wherever I put the statement it seems to have no effect.

However, since moderncv is open source (yeah! lovit) I took a look at the code to see how they produce the title. It was quite easy to find the concerning statement (in my case /usr/share/texlive/texmf-dist/tex/latex/moderncv/moderncv.cls:96 , texlive-latex-extra@2012.20120611-2):

As expected the pdftitle contains a double-hyphen that is converted by latex to a dash. Apparently a problem for some programs. To fix this issue you could sudo:modify this file, but that’s of course messy. Better add something like the following to the end of the header of your document:

This will override the broken output of the package.

## Check if certain Port is Open

Just needed to get to know whether something listens at a certain TCP port on a particular host.

Here is my workaround using Perl:

Works at least for me. Any concerns or better solutions?

Earlier this week I had a very small conversation with Pedro Mendes on twitter (well in terms of twitter it might be a long discussion). It was initiated by him calling for suggestions for a password safe. I suggested better using a system for your passwords, which he thought was a bad idea. So let’s have a look at both solutions.

You all know about these rules for choosing a password. It should contain a mix of lower and upper case letters, numerals, special characters, and punctuation. Moreover, it should be at least eight characters long and has to be more or less random. Since our brain is limited in remembering such things we tend to use easy-to-remember passwords (e.g. replacing letters using leet). But of course hackers are aware of that and it is quite easy to also encode such rules in their cracking algorithms. Equally bad is using one strong password for all accounts. So, how to solve this problem?

The second idea is using a system to generate passwords for each account. You have to choose a very strong password $p$, and a function $f$ that creates a unique password $u$ for every account using $p$ and the (domain) name $n$ of the related service: $u = f (p, n)$. You just need to remember this very good $p$ and $f$. Depending on your paranoia and your mind capabilities there are many options to choose $f$. An easy $f_1$ might just put the 3rd and last letters of $n$ at the 8th and 2nd positions in $p$ (see example below). More paranoid mathematicians might choose an $f_2$ that ASCII-adds the 3rd letter of $n$ to the 8th position of $p$, puts the $\lfloor\sqrt{n} * 10\rceil/10$ at the 2nd position in $p$, and appends the base64 representation of the multiplicative digital root of the int values of the ASCII letters of $n$ to $p$. Here you can see the examples:

| $p$ | $n$ | $f_1 (p, n)$ | $f_2 (p, n)$ |
|---|---|---|---|
| u:M~a{em0 | twitter | ur:M~a{eim0 | u2.6:M~a{eW0Mi4yNDU2MjFlKzE0Cg== |
| u:M~a{em0 | google | ue:M~a{eom0 | u2.4:M~a{e]0MS40MjU4MjNlKzEyCg== |

So, you see if the password for twitter gets known the hacker isn’t able to log into your google account. To be honest, I guess that nobody will choose $f_2$, but I think even $f_1$ is quite good and leaves some space for simple improvements.

However, as expected this solution also has some dramatic disadvantages. If one of your passwords gets compromised you need to change your system, at least choosing a different $p$ and maybe also an alternative for $f$. As soon as a hacker is able to get two of these passwords he will immediately recognize the low entropy and it is not difficult to create a pattern for your passwords making it easy to guess all other passwords.
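The $f_1$ scheme and the weakness described above, as an added example (not code from the original post): it reproduces the two $f_1$ table entries and shows that lining up two known passwords leaves exactly $p$ standing. The function names are chosen here, and the alignment assumes the two service names differ in both inserted letters.

```python
def f1(p, n):
    """The post's f_1: insert the 3rd letter of n at the 8th position of p,
    then the last letter of n at the 2nd position (positions are 1-based)."""
    q = p[:7] + n[2] + p[7:]
    return q[:1] + n[-1] + q[1:]


def shared_skeleton(u1, u2):
    """Align two equal-length derived passwords; '?' marks positions that differ."""
    if len(u1) != len(u2):
        raise ValueError("this simple alignment needs equal-length passwords")
    return "".join(a if a == b else "?" for a, b in zip(u1, u2))


def constant_part(u1, u2):
    """Characters that are identical in both passwords, in order.
    With f_1 this is the master password p itself."""
    if len(u1) != len(u2):
        raise ValueError("this simple alignment needs equal-length passwords")
    return "".join(a for a, b in zip(u1, u2) if a == b)


if __name__ == "__main__":
    p = "u:M~a{em0"                      # the example p from the table
    u_twitter = f1(p, "twitter")
    u_google = f1(p, "google")
    print(u_twitter, u_google)
    # Only 2 of 11 characters vary, and they are letters of the service name.
    print(shared_skeleton(u_twitter, u_google))
    print(constant_part(u_twitter, u_google) == p)
```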

## Conclusion

This is not to convince somebody to use one or the other solution, it’s more or less a comparison of the pros and cons. In my opinion the current password mechanism is sort of stupid, but we need to find the least bad solution until we have some alternatives. So what about creating a small two-factor auth system? You could combine the two above-mentioned solutions and use a password safe in combination with a password system. So keep a short lock in mind which is necessary to unlock the passwords in the safe. Maybe something like 29A which you have to add to every password (on some position of your choice, e.g. just append it). Thus, if a hacker breaks into one service only a single password is compromised and you just need to update this entry in your safe, and if your whole safe is cracked all passwords are useless crap. Of course you have to create a new safe and update all your passwords, but the guy who knows your old “passwords” doesn’t know how to use them. However, we are discussing on a very high level. The mentioned scenarios are more or less just attacks against a particular person. I am a sysadmin, so I would already be very glad if users won’t use passwords like mama123 and stop sending passwords in clear-text mails!

## Supp: The Conversation

just for the logs (in twitter chronology: new -> old):

Pedro Mendes @gepasi at 1:13 PM - 30 May 13
@binfalse I agree, but using 30 character completely random ones seems to be the best.

martin scharm @binfalse at 5:40 PM - 29 May 13
@gepasi either using a password safe (which also has drawbacks) or a system with a strong p and a complex f.

martin scharm @binfalse at 5:39 PM - 29 May 13
@gepasi however, i support the attitude seeing every pw as compromised. so the most important rule is using unique pws for every service.

martin scharm @binfalse at 5:39 PM - 29 May 13
@gepasi even after reading this article i’d say that ur:M~a{eim0 is quite strong and i’d expect to find it within the 10% uncracked.

Pedro Mendes @gepasi at 1:18 PM - 29 May 13
@binfalse but thanks for the tip on KeePassX

Pedro Mendes @gepasi at 1:18 PM - 29 May 13
@binfalse a system is not recommended. Anything a human can remember is broken within 24h. Read http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

martin scharm @binfalse at 1:03 PM - 29 May 13

martin scharm @binfalse at 1:03 PM - 29 May 13
@gepasi quite easy to remember (when you know p), very hard to guess and brute-forcing the related hash really takes some time.

martin scharm @binfalse at 1:03 PM - 29 May 13