Monday, September 20, 2010

The 10 best IT certifications: 2010

I stumbled upon a three-week-old article at TechRepublic, The 10 best IT certifications: 2010. What a load of crap. The "article" was written by some fool named Erik Eckel, who even states in the article that it's a load of bull:
There’s no double-blind statistically valid data analysis run through a Bayesian probability calculus formula here. I’ve worked in IT long enough, however, and with enough different SMBs, to know what skills we need when the firm I co-own hires engineers and sends technicians onsite to deploy new systems or troubleshoot issues.
In other words: I made all this up, based on my personal opinions.

And what qualifies me to question his greatness? After all, he:
...is president of two privately held technology consulting companies. He previously served as executive editor at TechRepublic.
Me? I'm a nobody.

Well... I may be a nobody, but at least I'm smart enough to do enough basic research before attaching my name to an article. News flash: there is no such certification as the RHCP. It's RHCE, you ass-clown.

Have you guessed yet that his article talked down the value of the RHCE? He also questioned the worth of VMware and ITIL. What is his logic?
Microsoft owns the market.
In other words, this guy is one of those people who walks in, sells you a bunch of Microsoft crap, then walks away midway through the project, leaving those of us who have actually stayed current with technology to come in and clean up his mess.

Well, TechRepublic just made my proxy server's blacklist.

Thursday, September 16, 2010

Perl Taint Mode Regex

I think I finally have a handle on Perl's taint mode as a result of a couple of scripts I've been working with. I stumbled upon taint mode after reading an article that said most web-based exploits are the result of programmers (or developers, as the kids like to say) failing to validate input. What taint mode does is cause the script to die if untrusted input reaches an unsafe operation (running a command, writing a file) without first being validated. To invoke taint mode, modify the shebang to read:
#!/usr/bin/perl -T
Now inputs must be laundered:
$validate = $form{"code"};                  # untrusted (tainted) input
if ($validate =~ /^(\w*)(3|5|7)(\d{3})$/) {
    $validate = $1.$2.$3;                   # rebuilt from the captures: now untainted
} else {
    die "can not validate";
}
The first line reads the input, but the input is untrusted (tainted). In the conditional, we compare the variable against a pre-defined, expected format. If the input matches the format, the variable is set back to an untainted value built from the captures. If the validation fails, the script dies a brutal and senseless death... which is better than being compromised or exploited.

The trick to this process is understanding how to format the regex and understanding how the value is laundered. First, the format pattern is not regex. Sure, all the docs say it is... but it's not. So, here's what you need to know:
the format sits between / /
the ^ and $ are anchors, as in regex
the ( ) enclose checks (capture groups)
the checks are numbered left to right
the first check is $1, the second is $2, etc.
if there is a | in a check, it's an "or"
the * is a wildcard count: zero or more of whatever precedes it
but {3} says exactly 3 characters
Let's look at the example above:
^(\w*)(3|5|7)(\d{3})$
Start at the beginning, grab any number of \w characters (zero or more) and assign them to $1. Look for a 3, a 5 or a 7 and assign it to $2 (second set of parens, thus second check). The last check ensures that the last three characters are digits. Remember that regex is "greedy": \w* first swallows the whole string and then gives characters back until the later checks can match, so effectively this expression is evaluated backwards.

Now that you have validated the input against the pattern, reassign the checks ($1.$2.$3) back to the variable. This nukes whatever badness the evildoer tried to impose on you. Do this for every variable you read in, and then destroy the input array, to ensure that no lazy developer slides a new form value into the script without validating it.

To test match patterns from Bash, try this one-liner:
# only $1 is set by this pattern; the unused $2..$5 print as empty strings
perl -e 'if ("test01" =~ /^(\w{4}\d{2})$/) {
  print "+ $1.$2.$3.$4.$5" } else {
  print "- $1.$2.$3.$4.$5" }'; echo
Simple, huh? Let's do an e-mail address:
# the \@ keeps Perl from interpolating @yyy as an array inside the double quotes
perl -e 'if ("xxx\@yyy.us" =~ /^(\w{1}[\w\-\.\_]+\w\@)(\w{1}[\w\-\.\_]+\.)(us|com|net)$/) {
  print "+ $1.$2.$3.$4.$5" } else {
  print "- $1.$2.$3.$4.$5" }'; echo
Ouch! (BTW: Bash made me escape the @ symbol.)

For a breakdown of all the pattern matches, check out Steve Litt's Perls of Wisdom.

Monday, September 06, 2010

Apache Modules for Basic Authentication

I think I've identified the minimum modules for Apache basic authentication:
auth_basic
authn_file
authz_user
authz_default
You'll also need authz_host, but that's probably already in place to support Allow/Deny.

Thursday, September 02, 2010

Elegant Log Compression

Here's an elegant little one-liner that I didn't expect to work. I had a partition pushing 99% space used, the largest culprit being daily log files. They weren't mine, so I couldn't delete them, but I could compress them. But what about next month?

How about this:
cd /some/path/logs
# note: in January "expr 01 - 1" is 0, and "*0-*" also matches October's "-10-"
for J in `ls *log?$(date +%Y)-*$(expr $(date +%m) - 1)-*`; do
  ls -lh "$J"; tar -czf "$J.tgz" "$J"; ls -lh "$J.tgz"; mv "$J" /dev/shm;
done
The beauty of this is the embedded command substitutions.

Within the backticks are a pair of command substitutions, one of which nests another.

This particular incarnation compresses last month's logs. It shows the original size and the compressed size, then moves the file to a holding directory. On a real machine, I'd probably change the middle line to:
tar -czf "$J.tgz" "$J"; rm -f "$J"
Pop this in a cronjob and run it at "1 2 3 * *" (02:01 on the 3rd of every month).
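As an added example (not the post's own one-liner), here is the same monthly compression written so that the "last month" arithmetic survives January and keeps its leading zero, which lets the glob match "-08-" exactly instead of leaning on "*8-". It assumes log names shaped like the post's (<name>log<sep><YYYY>-<MM>-<DD>); the function names last_month and compress_logs are mine, and the demo runs on constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example, not the original post's one-liner: last-month log compression
# with the month computed explicitly (January rolls back to December of the
# previous year, and the month keeps its leading zero for the glob).
# Assumes log names shaped like the post's: <name>log<sep><YYYY>-<MM>-<DD>

# last_month YEAR MONTH -> prints YYYY-MM for the month before YEAR-MONTH
last_month() {
  y=$1
  m=${2#0}                          # drop a leading zero: "08" would be read as octal
  if [ "$m" -eq 1 ]; then
    y=$((y - 1)); m=12
  else
    m=$((m - 1))
  fi
  printf '%04d-%02d\n' "$y" "$m"
}

# compress_logs DIR YYYY-MM -> tar+gzip every matching log in DIR, delete the
# original, and print how many files were compressed
compress_logs() {
  dir=$1; ym=$2; n=0
  for J in "$dir"/*log?"$ym"-*; do
    [ -e "$J" ] || continue             # an unmatched glob stays literal: nothing to do
    case $J in *.tgz) continue ;; esac  # skip archives left by an earlier run
    tar -czf "$J.tgz" -C "$dir" "$(basename "$J")" && rm -f "$J" && n=$((n + 1))
  done
  echo "$n"
}

# Demo on constructed files in a scratch directory: the three August logs get
# compressed, the September one is left alone.
demo() {
  d=$(mktemp -d)
  for day in 01 15 30; do echo "constructed log line" > "$d/access_log.2010-08-$day"; done
  echo "constructed log line" > "$d/access_log.2010-09-01"
  echo "compressed: $(compress_logs "$d" "$(last_month 2010 09)")"   # compressed: 3
  ls "$d"
  rm -rf "$d"
}
demo
```

In a cron job you would call it as compress_logs /some/path/logs "$(last_month $(date +%Y) $(date +%m))". Using the glob directly in the for loop, rather than wrapping it in ls inside backticks, also keeps file names with spaces intact.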