[57north-announce] Summer Newsletter

Tom Jones jones at sdf.org
Mon Jun 15 23:05:08 BST 2015

₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀ 57North Hacklab Newsletter ₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀| ||  |\                           |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀| ||--|+\   57North Hacklab        |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀| ||  |  \                         |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀|     |   >----------------------o |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀|     |  /                         |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀|     |-/    Newsletter            |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀
₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀|     |/                           |₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀₀

Hello Hackers,

Welcome to the Summer 2015 Issue of the 57North Newsletter. 

In this issue we have a report from our man in Prague straight from the ground
at Joomla Con. A retrospective from one of the spaces directors and technical
articles concerning distributed name serving and the wonders of building Debian

This newsletter could not happen without submissions from members of 57North.
If you love or hate the newsletter you can help shape its direction by
submitting articles.
–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----


April:      15
May:        15
June:       11

Current Account Balance: £1,474.92
–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

Since the last newsletter:

Mar 14th:   Radio Field Day

Apr 16th:   AGM[1]

May 31st:   May Fest

–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

Pan European Open Sorcery

Last weekend I went to J & Beyond, a 3 day European conference about the Open
Source CMS Joomla.  This is kind of my thing, I've been working with Joomla
(professionally and as a member of the community) for maybe 10 years.  

I've been to 5 UK Joomla conferences, volunteered at 3 and spoken at 2, they're
just nice, a friendly community getting together and hanging out. Although J &
Beyond has been going for several years, I've never made it. Usually it is in
Holland or Germany, alternate years, but this year it was in Prague. So I went

Joomla, as an organisation, is great really, very well structured and
democratic, with no individual or corporate overlord (as is the case with
Drupal or WordPress respectively). However, in the last few months, things have
been more complicated than usual. There were reasons to document and legislate
for a code of conduct due to some toxic behaviour in the organisation. Also
there was a vote on restructuring, which although fine, caused some divisions.
It was really a good time for folk to get together and get some face-to-face
time. If you can't solve problems over Czech beer, then it is probably not

There were about 230 attendees from maybe 30 different countries. There were lots
of specific Joomla talks, but also lots of more general talks, particularly the

The Keynotes were...  

Christian Heilmann[2]
    Chris is now at Microsoft and was previously at Mozilla. This was a good
    talk on general trends in web and mobile. He was quite excited about M$'s
    new Edge browser, and fairly down on mobile Apps. Chatting with him later,
    he seemed nice, a funny punk, and more approachable than you might expect.
Michael Babker[3]
    Michael is a key Joomla developer from the US. He's a good guy, and a
    skilled developer on several levels. His talk, "Integrating Joomla with
    the PHP community" was good, quite Joomla centric. US Army vet, but you'd
    never guess really.
Rafael Dohms
    Rafael is a leading PHP developer and PHP thought leader from Holland. His
    talk "Journey into your lizard brain" was really nice, about the mind, and
    the programmer mind, in the context of his wife having a bad head injury in
    a car crash.
Tony Perez[4]
    Tony's talk was a 101 on web security in 2015.
Kayla Daniels[5]
    This was a frankly inspiring talk about diversity in the developer
    community. Many, including myself, gave her a standing ovation. There were
    several parts of the talk that had me welling up.
Jessica Dunbar[6]
    It's a tough shift, first one on Sunday Morning, but Jessica addressed the
    future direction of the Joomla! project.
Nic Dionysopoulos[7]
    Nic is a well known Joomla developer, and has contributed hugely to the
    project over the years. His talk was nice and technical, with lots of code
    tips and tricks. I made sure I got a seat at the front so I could read all
    the code in his slides.

Keynote speakers by nationality, USA 4, Denmark, Greece and Holland, 1 each.
The next version of Joomla will probably have an API. This will be great for
Apps, IoT, OpenGov and many other applications. There was lots of free beer in
the evenings, thanks to sponsors, Czech beer is awesome :) Joomla is talking
about using composer PHP package management stuff.

My talk on Apps went OK, the punters seemed happy. It was a modified version
of the one done at TechMeetup, thanks for all the feedback, that was really

The conference video team were really good, all sessions were recorded
in a really usable format, and they had the content uploaded to YouTube in a
few hours. Really well organised and effective. Conference video at scale is
hard to do, so this is pretty impressive. I went to good talks on Informatics,
UI/UX, NoSQL as well as lots of more Joomla centric ones.

Friday evening there was an x-factor type thing, which was ok due to the free
beers. One guy, Soren Beck Jensen, did a Joomla version of Leonard Cohen's
Hallelujah, which everyone sang along to, quite a bonkers moment, Halejoomla
indeed! Saturday evening there was a geeky pub-type quiz in the evening, which our
team won, despite more FREE BEER. Team was called "root" and had, I think, 3
Brits, 1 Spaniard, 4 Germans and 2 Poles in it. Not much sleeping happened.

–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

The Decentralised DNS Server

This is a project I have been working on for the past few weeks, I started
using cjdns a good while ago and the one thing it misses is a decent
Decentralised DNS system. So instead of waiting for someone else to come up
with one I thought I would give it a shot, so far progress is good, I am close
to getting a very rough system (messy as shit code) working and ready for Alpha

The Todo list is just as long as the code itself, but I hope to get help once
a working version is out there, so if you're interested or just want to point out
bad coding and tell me how I could do it better it would be very much

DDNS Basics:

First off when DDNS[8] starts up it does a quick check to see if there are any
servers it can see on cjdns and it then requests to sync databases for the
latest lists of domains then starts up the main server.  The server takes a
request from a client, checks if it exists and then checks cjdns to see what
other nodes it's connected to then probes those servers to see if they are
running ddns if so any requests are propagated to those servers and those
servers will do the same and pass the data on to any servers they find, this
allows dns updates to spread fast. The server updates a simple file which lists
in plain text the domains, the reason for plain text is so you can use a script
or another program to pick up the data and process it quickly for use in the
hosts file or something else of your own making. However this will change to
sqlite or json later on.

–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

Let's blame the curious

As a first year at secondary school, I was already pretty keen on messing about
with the command line. The major difference from before was the introduction of
a networked environment. Since Linux came to me later in life (my second job
after uni) this was exclusively DOS 7 at this point.

Many hours were spent in the IT room fungineering some qbasic
collision-detection code into crap and noisy games. A side distraction to this
was exploration of the small Novell network environment that our school IT room
and adjoining library shared. In those days, Novell logins were executed from
the command prompt via LOGIN.EXE which ran a large script to map the relevant
resources. Fun could be had by investigating the executables the script called,
although all you could really do was map more drives and folders to items that
the Novell eDirectory knew you already had access to.

Next door, the Library machines displayed a 24/7 curses-based gui that allowed
you to search the book database. Only the search feature worked o/c; all
visible administration buttons were not navigable. These machines were just
regular PCs with logins that ran scripts to set various local vars and launch
the library gui, all under a login name and password 'booklook'. Exiting (or
even crashing) the gui killed the login straight away, so it appeared to be
locked down well. Crucially, user 'booklook' could be used over the entire
network, so you could also login and browse the library from the IT room.

Playing late one evening, I noticed that I could use ATTACH.EXE from my own
login to co-login and access user booklook's resources and executable rights.
The attach command is used to gain a licensed connection to another NetWare
server without having to use login.exe and without having to logout of the
server a user is currently attached to. User booklook appeared to be on a
different, older Novell server, so this attached without a problem and gave me
mappable access to the library gui's executable whilst bypassing user booklook's
login script. Admin gui items were still unselectable for some reason but I was
able to view a history of in-program commands, which opened the admin gui
popups just fine. From here I confirmed I was able to see who had what book on
loan and reissue books as I saw fit. It was here that I made my error.

To test if I had found a stupid security gap, I asked a fellow explorer buddy
if I could assign a book to him and return it, which he agreed to allow not
believing it would work at all. It did and we had a chuckle at how the sysadmin
had ballsed up. 

Now, I never showed explorer-buddy the process I undertook but either he
figured it out and went too far or something else just happened. Either way, 2
days later the librarian suddenly found that her admin credentials stopped
working. My ex-buddy cowardly referred the 'Head of boys' to my exploration
efforts which led the sysadmin to the copies of the login script on my user
drive. This seemed to clearly implicate me as the cause (?!). I explained that
yes I had found a flaw and had showed the ex-buddy/fresh-enemy, but no I did
not reset any password. True, I had not disclosed what I had found asap, but I
just somehow knew it would be seen as system abuse rather than positive
exploration. We both received a token punishment called a 'dinner duty' whereby
purps shamefully collect trays in the very public canteen. I also earned the
scorn of the head librarian for a few months after.

I am occasionally reminded of this story when I read about major infosec
breaches. This is not because someone nasty broke/stole something, but because
before that, someone curious probably hid something to avoid the blame/shame
from those overseeing.

–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

The Raspberry Pi 2 launch a few months back was cause for great excitement. A
refresh to the ubiquitous platform was long overdue, and the fact the
announcement came out the blue added to the hype. I was comfortably on the hype
train by 0930 - for some reason, I just had to have one.

After an agonising wait (next day delivery to Westhill is never next day) it
arrived and I was much happier. 

A quick boot into raspbian confirmed what was expected - it's noticeably faster
and hums along admirably, running everything up to and including XBMC - that
menu lag is finally gone!

The story is boring, though, if it's just plug in and play - news at 10, new
version of a platform beats the old version. The thing that makes the raspi2
really interesting is that its architecture is ARMv7 - the minimum requirement
for Debian's armhf (hardware floating point) port.

So, how does one port Debian to a new platform? This is what I set out to learn
- what I'll present below is a quick overview with keywords for you to look at
and search for, not a how-to guide. 

There are a few moving parts that have to be captured here - first off is the
Debian user space, the Linux kernel and the storage medium. There's also the
raspberry pi's unorthodox method of booting to wrap your head around. 

Storage is quick and simple: Raspi boots from an SD card and it holds a minimum
of two partitions - boot and system. Boot's where your kernel lives, System is
where your `/` partition lives. My boot is 64MB, to give me some breathing room
and / is the rest. I've got no swap because that would be daft and wear out the
SD card faster than the raspi already does.

Debian userland can be easily built in two main ways: Multistrap[9] or
debootstrap[10]. Initially, multistrap looked like the way forward, and
honestly still does - it can be reproducibly, easily configured via a config
file and it's easy to add extra repos and packages so all you need to do is
call multistrap from the command line and have a heavily customised user space
straight away. Unfortunately for me, this produced errors I couldn't wrap my
head around. The solution was debootstrap - it's not quite as elegant as
multistrap in my eyes, but worked a whole lot better. 

Once debootstrap has been run for your target architecture and release of
debian (stable/testing/etc) the next step is configuration!

I configured this through the use of a chroot and qemu - configuration
consisted of populating /etc/fstab, /etc/hostname, /etc/network/interfaces,
/etc/modules with the raspi specific sound module.

That's the userspace config more or less complete, give or take a few wee
things here and there - root account and password and the like.

The kernel is a pretty simple step at this stage, but with a caveat. I spent
some time agonising over the kernel - I cloned the rpi kernel git repo and
fannied about with building it for a while. That was a terrible idea, don't do
this unless you know more about kernels than me (not hard).

It proved much easier to use hexxeh's rpi-update tool to download a prebuilt
image. Naturally, there may be trust issues on your part, but I've used
hexxeh's kernels for a while, and I'm willing to trust them based on their
prior work.

Pulling in the hexxeh kernel is as simple as mounting the previously used
chroot and using curl to pull down the script from GitHub (I know it's
potentially unsafe, but it's in wide use. We're all in this together). Marking
it executable and running rpi-update will pull down the latest built kernel
image to your boot partition. It also copies the required firmware to boot the
system so you're not left looking at a blank screen.

I made a massive mistake in my initial version of fstab - I forgot to define
`/` as the mmcblk0p1 partition. Nothing could write and I couldn't log in. This
was pretty sad for me! I had to install curl, git and binutils for rpi-update
to work, also. I kept forgetting that I'd built a completely virgin,
unconfigured system from scratch. 

Outside of that I didn't fall down too many holes, really. The usual
frustrations of Linux.

Of course, I go through this process manually and bang my head off a wall for
weeks on end and it turns out someone's scripted it. It was a nice thing to
discover - it validated much of what I'd learned and added to the overall
lessons, so I took more away from it than I thought I would.

I gave the script a wee edit and brought it up to date and the link can be
found at the bottom with reference [11]

This project took me a good amount of time to wrap my head around - OS building
is a totally new world to me, and it's been a worthwhile investment of my time
and energy. I now know a little bit more about how all of these weird things
interact, and that's the reason I got the pi in the first place.
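
The curl-then-execute step described above can be gated on a pinned digest, so
the script only becomes executable if it is byte-for-byte the version that was
reviewed. This is an added example, not part of the newsletter or of
rpi-update; the function names are hypothetical, and URL and PINNED_SHA256 are
placeholders to be filled in from a copy you have read yourself.

```sh
#!/bin/sh
# Added example: install a downloaded helper script only when its SHA-256
# matches a digest recorded at review time.
# Assumes sha256sum, awk, tr, install and curl are available (Debian userland).

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# install_pinned SRC EXPECTED_SHA256 DEST
# Returns 0 when installed, 1 on digest mismatch, 2 on bad input or I/O error.
install_pinned() {
    src=$1 expected=$2 dest=$3
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    # The pin must be a full 64-hex-digit digest; an empty or truncated pin
    # must never be treated as "nothing to check".
    case $expected in
        ""|*[!0-9a-fA-F]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin is not 64 hex digits" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$src") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    # Only now does the file land at DEST with the executable bit set.
    install -m 0755 "$src" "$dest" || return 2
}

# fetch_and_install URL EXPECTED_SHA256 DEST
# Downloads to a temp file first, so nothing unverified ever sits at DEST.
fetch_and_install() {
    tmp=$(mktemp) || return 2
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' -o "$tmp" "$1"; then
        install_pinned "$tmp" "$2" "$3"
        rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage inside the chroot: sh this-file URL PINNED_SHA256 /usr/local/bin/helper
if [ "$#" -eq 3 ]; then
    fetch_and_install "$@"
fi
```

A mismatch means the upstream script changed since it was reviewed; re-read it
and update the pin rather than bypassing the check.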

–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

Upcoming Events:

17    Jun: TechMeetup
20,21 Jun: Code the City 4[12]
17-19 Jul: Yak party[13]
13-16 Aug: CCCamp Somewhere north of Berlin[14]

–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----

EDITOR:                 tj
WRITERS:                Andy, yakamo, Hibby
INSPIRATIONAL MUSIC:    Chipzel, MisfitChris
–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----


[1]:  http://lists.57north.co/pipermail/57north-announce/2015-April/000131.html
[2]:  https://twitter.com/codepo8
[3]:  https://twitter.com/mbabker
[4]:  https://twitter.com/perezbox
[5]:  https://twitter.com/kayladnls
[6]:  https://twitter.com/JessicaDunbar
[7]:  https://twitter.com/joovlaki
[8]:  https://github.com/yakamok/ddns/
[9]:  https://wiki.debian.org/Multistrap
[10]: https://wiki.debian.org/Debootstrap
[11]: https://gist.github.com/Hibby/a25cacf348874c3d074b
[12]: http://codethecity.org/aberdeen/2015/04/02/ctc4/
[13]: http://lists.57north.co/pipermail/57north-announce/2015-June/000141.html
[14]: https://events.ccc.de/camp/2015/wiki/Main_Page
–---- –---- –---- –---- –----  ----- –---- –---- –---- –---- –----
