Tuesday, January 20, 2009

Linux Security

I would like to share this post on Linux Security. I would place it in my shared items but I thought that if I left it there it would go largely unnoticed.

The author has written a fantastic entry about the User effect on security within a Linux environment. He makes points about users running arbitrary code as root, installing unsigned packages and a lot more. It is well worth a read!


I would like to note that I am merely trying to introduce a great piece of writing by another blogger.

Saturday, January 17, 2009

Bash Progress Bar

Ever wanted to show a progress bar on your bash scripts? I am talking specifically about the progress of file transfer or raw read scripts. It might be easier to explain with an example:

I have a script that reads raw data from a CD or DVD ROM disk and pipes that data to md5sum or sha1sum to find if the data on the disk matches the published md5sum or sha1sum checksums published by the vendor. I download ISOs and verify them before I send them to my customers.

I wanted to have the script show a progress bar so I started searching...

Here is how I have implemented clpbar

Installation instructions ( Fedora 10 x86_64 )
  1. Download and install clpbar ( bar-1.10.9.tar.gz ) -- See references at the end of this script.
  2. tar xvfz bar-1.10.9.tar.gz
  3. cd bar-1.10.9
  4. ./configure
  5. make
  6. su -c "make install"

Usage example


# Start with verifying CDs

# pass the type of checksum into the script. (md5sum|sha1sum)

#Find details of the device
blocksize=`isoinfo -d -i $device | grep "^Logical block size is:" | cut -d " " -f 5`
if test "$blocksize" = ""; then
echo catdevice FATAL ERROR: Blank blocksize >&2
exit 1

blockcount=`isoinfo -d -i $device | grep "^Volume size is:" | cut -d " " -f 4`
if test "$blockcount" = ""; then
echo catdevice FATAL ERROR: Blank blockcount >&2
exit 1

command="dd if=$device bs=$blocksize count=$blockcount conv=notrunc,noerror status=noxfer"

# find the mount point of the disk. In fedora we need to know this to get the exact
# size of the disk in bytes. Note: /dev/sr0 is the optical disk drive on my system.

mountpoint=`mount | grep /dev/sr0 | sed "s/\/dev\/sr0 on //g" | sed "s/\stype.*//g"`

# find the expected size of the media. In order for bar to display a progress
# bar we need to know the expected size in bytes.

expected_size=`du -bs "$mountpoint" | sed "s/\s.*//g"`

# execute the command to read the disk and
# pipe through bar with the size option set and
# pipe through md5sum or sha1sum

result=`$command | /usr/local/bin/bar -s $expected_size | $checksumtype`

# get the checksum only. ( get rid of the '- ' on the output. This is required
# for the python tool that actually executes this script and compares against
# my database of checksums. -- I use python to call this script and compare the results
# against those in database. Another option would have been to bash script the mysql portion too.

checksumresult=`echo $result | cut -d " " -f1`

echo $checksumresult


Tuesday, January 6, 2009

The New Paymex

I had a crack at installing Paymex on my osCommerce website this evening. I will try to summarise the experience:

Paymex provide an osCommerce module for download from their website. It is mind numbingly simple to install. A simple upload of files is all that is required. There is absolutely no php editing required. This is always a plus for me. osCommerce code is painful enough and in a production environment any update that does not require php code editing is very useful.

5 out of 5 for installation.

There is only one item of identification required by the Paymex module config. A business id. This looks remarkably like a windows uid. I just copy pasted it from the Paymex website while logged in there.
There is the option to have the paymex module enabled or disabled, Test mode or Production mode, set the acknowledged order status and the sort order.

So not much to configure really and very simple to understand.

4 out of 5 for configuration. Not enough detail. Concerns around security especially with regard to certificates on IPN.

Functionallity ( osCommerce Module Specific )
I would have liked to see something there about enabling or disabling IPN ( instant payment notification ) and the URL for the IPN. This made me wonder about what Paymex do about IPN. Those of you with osCommerce websites you will know that IPN is critical. The site has to be notified on successful completion of a sale. Without it the products stock count doesn't get updated and the order is left in a pending / preparing state.

Paymex offer do provide autmatic IPN for either RETURN URL, HTTP POST or HTTP GET. The provided osCommerce module has the IPN option set to RETURN URL. This means that if the web browser is closed or the customer navigates away from the site, then the site will NOT BE NOTIFIED of the successful completion of a sale. The merchant will, however, still receive an email from Paymex with information on the sale so all is not lost.

2 out of 5 for Functionality. Once the osCommerce module included HTTP POST based IPN and details on how ssl is implemented throughout the IPN process, I will gladly upgrade this to a 4 or a 5 out of 5.

Sadly, Paymex has a very poor reputation right now. I am not really convinced that it is all deserved. From what I understand, one of their merchants was involved in some kind of fraud and the resulting card scheme charge-back brought the business into massive debt. Unfortunatley the damage has been done. The problem for merchants was that their funds in the Paymex account was compromised.

To fix the situation the new Paymex ( not sure if its new owners or what ? ) have done a deal with a big New Zealand bank to set up a trust account that will hold the merchants' funds. Are they saying that this bank will secure all funds in that account?

Lets hope that the merchants' money will actually be deposited there. I wonder if merchants can request from the bank, a statement showing the funds in the trust account.

I will be watching Paymex closely and deciding if they should process my transactions.

I do like the simplicity of their solution. I also like that they are in New Zealand.