The not so secret diary of Aragorn Alexander son of Arathorn Andreas:
Day 4064 of my quest work at
$PlaceAcrossThePark: after uncounted
years of hard graft the managers, marketeers and other minions of
Mordor Mammon have finally succeeded in strategizing
Hobbiton the IT school into oblivion.
It's now called the "Department of Business Information Systems" and a few
hardy hobbits non-technically oriented academics will
likely remain for a while but for the rest of us it's off to the Grey Havens.
So, as of Christmas I'll have to look for a sysadmin/netadmin/security/dev
job again (the uni education sector seems deadish, and anyway I've had enough
of that). I just hope I don't have to move house, Bree
Brisbane is a bit far for daily commuting, and the idea of moving to
super-busy places like Isengard Sydney is a bit of a turn-off.
  
    [ published on Fri 28.09.2012 12:01 | filed in still-not-king ]
  
 
  
  A few days ago SBS showed a weird but really cool Hungarian movie named
Kontroll. It's about
ticket inspectors in the Budapest subway, of all things. Very nice,
very weird, very much recommended. It hasn't surpassed Hukkle on my
list of Hungarian favourites, and it isn't quite as weird as Taxidermia
but weird enough.
One of the more memorable scenes: some paramedics scrape the bits of
a (non-)suicide from underneath a subway carriage while discussing
the finer points of cooking a gulyas :-)
  
    [ published on Thu 27.09.2012 20:11 | filed in interests ]
  
 
  
  My Voice-over-IP to analog gate is fully visible on the net, because I like
it if people with working SIP phones can directly call me without
going through any commercial provider at all.
That's all fine and well, except when folks start hammering my systems
with sipvicious/friendly-scanner: the damn thing doesn't wait and
listen for responses but rather blasts out gazillions of (doomed) REGISTER
or OPTIONS messages.
Here's my fix for this annoyance: if an inbound SIP message looks like
REGISTER or OPTIONS, drop it. I don't run any VOIP server, so nobody
is supposed to register with me, ever.
That's actually pretty straightforward to achieve with iptables:
    iptables -A INPUT -p udp --dport 5060 ! -f -m u32 \
        --u32 "0>>22&0x3C@8=0x52454749,0x4f505449" -j DROP
The u32 match module is low-level but really efficient and precise, and this cryptic
instance will simply look for REGI or OPTI at the beginning of the UDP
packet payload. The iptables string match isn't as flexible, and could
quite easily wrongly match the words in the body of the
request (and SIP responses are pretty verbose and full of echoes...).
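To make the u32 expression less cryptic, here is a small Python emulation of it, run against a few hand-built packets. This is an added example, not code from the original post; the function names and the sample packets (using documentation addresses from 192.0.2.0/24) are constructed for illustration.

```python
import struct

MATCH_WORDS = (0x52454749, 0x4F505449)  # "REGI", "OPTI" as big-endian 32-bit words

def build_packet(payload, ihl_words=5):
    """Constructed IPv4/UDP packet (checksums left at zero), header = ihl_words*4 bytes."""
    ip_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ip_len + 8 + len(payload),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip += b"\x01" * (ip_len - 20)          # pad with IP NOP options when ihl_words > 5
    udp = struct.pack("!HHHH", 40000, 5060, 8 + len(payload), 0)
    return ip + udp + payload

def u32_at(pkt, off):
    """Read 4 bytes big-endian at off; None if out of range (u32 then fails to match)."""
    return struct.unpack_from("!I", pkt, off)[0] if off + 4 <= len(pkt) else None

def u32_rule_matches(pkt):
    """Emulate: 0>>22&0x3C@8=0x52454749,0x4f505449"""
    first = u32_at(pkt, 0)                 # "0": first word of the IP header
    if first is None:
        return False
    ihl_bytes = (first >> 22) & 0x3C       # ">>22&0x3C": IHL field scaled to bytes
    # "@8": jump past the IP header, skip the 8-byte UDP header, read the next word
    return u32_at(pkt, ihl_bytes + 8) in MATCH_WORDS

def naive_string_match(pkt):
    """Substring search anywhere in the packet, for comparison with the u32 rule."""
    return b"REGISTER" in pkt or b"OPTIONS" in pkt

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "options": build_packet(b"OPTIONS sip:100@192.0.2.2 SIP/2.0\r\n\r\n"),
    "register_ipopts": build_packet(b"REGISTER sip:192.0.2.2 SIP/2.0\r\n\r\n", ihl_words=6),
    "invite": build_packet(b"INVITE sip:me@192.0.2.2 SIP/2.0\r\n\r\n"),
    "response": build_packet(b"SIP/2.0 200 OK\r\nCSeq: 1 OPTIONS\r\n"
                             b"Allow: INVITE, OPTIONS, REGISTER\r\n\r\n"),
}

def classify():
    """Map sample name -> (u32 rule drops it, substring search would drop it)."""
    return {n: (u32_rule_matches(p), naive_string_match(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (u32_hit, str_hit) in classify().items():
        print(f"{name:16} u32={u32_hit!s:5} string={str_hit}")
```

The response sample is the case the paragraph above warns about: it is not a REGISTER or OPTIONS request, yet it contains both words, so only the position-anchored u32 test leaves it alone.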
  
    [ published on Wed 26.09.2012 22:55 | filed in interests/anti ]
  
 
  
  ...but not necessarily/exactly you.
Nothing more to see - I'm just being silly, move along, move along.
  
    [ published on Sat 22.09.2012 00:00 | filed in still-not-king ]
  
 
  
  Ever since I stopped using a Sun SparcStation as a desktop (around 94 or so)
I wanted a decent Type 4 or 5 on my PC - alas, the Type 4/5 are serial
keyboards and hence not directly supported by normal PCs.
Getting the Type 5 to work under Linux wouldn't have been too hard (it's serial
after all), but that isn't good enough: I wanted a decent solution
that also works for BIOS interaction and in Windows (and even the Linux-only solution
would have required soldering up a TTL inverter).
So why not build a converter?
  
    [ published on Thu 11.03.2010 17:45 | filed in mystuff ]
  
 
  
  The Linux in-kernel secret store (aka "key retention service") is a cool
thing and not just useful to the AFS and Kerberos implementers. Actually,
it works perfectly well as a general-purpose passphrase store, but
the userland tools are somewhat idiosyncratic. Here are some extra
bits and tricks that I use to make this more convenient.
  
    [ published on Sun 24.08.2008 17:17 | filed in interests/crypto ]
  
 
  
  Kuvert was recently featured on the debaday blog, and somebody asked me to put the manual pages on the
web.
So here they are, ugly as sin (because I couldn't convince groff or any other
converter to render -mdoc manual pages in HTML without breaking them completely):
manpage for kuvert
manpage for kuvert_mta_wrapper
 Update (Tue 04.09.2012 20:40):
The manpages have been updated for kuvert version 2.0.7:
Manpage for kuvert
Manpage for kuvert_submit
  
    [ published on Tue 16.11.2004 19:00 | filed in mystuff/kuvert ]