December 18, 2013

The best grep replacement: ag

It's syntax is pretty much the same as ack, but written in optimized C and is noticeably faster.

December 6, 2013

The Telnet Protocol

The Telnet protocol is often thought of as simply providing a facility for remote logins to computer via the Internet. This was its original purpose although it can be used for many other purposes. It is best understood in the context of a user with a simple terminal using the local telnet program (known as the client program) to run a login session on a remote computer where his communications needs are handled by a telnet server program. It should be emphasised that the telnet server can pass on the data it has received from the client to many other types of process including a remote login server. It is described in RFC854 and was first published in 1983.

The Network Virtual Terminal

Communication is established using the TCP/IP protocols and communication is based on a set of facilities known as a Network Virtual Terminal (NVT). At the user or client end the telnet client program is responsible for mapping incoming NVT codes to the actual codes needed to operate the user's display device and is also responsible for mapping user generated keyboard sequences into NVT sequences.
The NVT uses 7 bit codes for characters, the display device, referred to as a printer in the RFC, is only required to display the "standard" printing ASCII characters represented by 7 bit codes and to recognise and process certain control codes. The 7 bit characters are transmitted as 8 bit bytes with most significant bit set to zero. An end-of-line is transmitted as the character sequence CR (carriage return) followed by LF (line feed). If it is desired to transmit an actual carriage return this is transmitted as a carriage return followed by a NUL (all bits zero) character.
NVT ASCII is used by many other Internet protocols.
The following control codes are required to be understood by the Network Virtual Terminal.

Name code Decimal Value Function
NULL NUL 0 No operation
Line Feed LF 10 Moves the printer to the next print line, keeping the same horizontal position.
Carriage Return CR 13 Moves the printer to the left margin of the current line.
The following further control codes are optional but should have the indicated defined effect on the display.

Name code Decimal Value Function
BELL BEL 7 Produces an audible or visible signal (which does NOT move the print head.
Back Space BS 8 Moves the print head one character position towards the left margin. [On a printing devices this mechanism was commonly used to form composite characters by printing two basic characters on top of each other.]
Horizontal Tab HT 9 Moves the printer to the next horizontal tab stop. It remains unspecified how either party determines or establishes where such tab stops are located.
Vertical Tab VT 11 Moves the printer to the next vertical tab stop. It remains unspecified how either party determines or establishes where such tab stops are located.
Form Feed FF 12 Moves the printer to the top of the next page, keeping the same horizontal position. [On visual displays this commonly clears the screen and moves the cursor to the top left corner.]
The NVT keyboard is specified as being capable of generating all 128 ASCII codes by using keys, key combinations or key sequences.


The telnet protocol also specifies various commands that control the method and various details of the interaction between the client and server. These commands are incorporated within the data stream. The commands are distinguished by the use of various characters with the most significant bit set. Commands are always introduced by a character with the decimal code 255 known as an Interpret as command (IAC) character. The complete set of special characters is

Name Decimal Code Meaning
SE 240 End of subnegotiation parameters.
NOP 241 No operation
DM 242 Data mark. Indicates the position of a Synch event within the data stream. This should always be accompanied by a TCP urgent notification.
BRK 243 Break. Indicates that the "break" or "attention" key was hit.
IP 244 Suspend, interrupt or abort the process to which the NVT is connected.
AO 245 Abort output. Allows the current process to run to completion but do not send its output to the user.
AYT 246 Are you there. Send back to the NVT some visible evidence that the AYT was received.
EC 247 Erase character. The receiver should delete the last preceding undeleted character from the data stream.
EL 248 Erase line. Delete characters from the data stream back to but not including the previous CRLF.
GA 249 Go ahead. Used, under certain circumstances, to tell the other end that it can transmit.
SB 250 Subnegotiation of the indicated option follows.
WILL 251 Indicates the desire to begin performing, or confirmation that you are now performing, the indicated option.
WONT 252 Indicates the refusal to perform, or continue performing, the indicated option.
DO 253 Indicates the request that the other party perform, or confirmation that you are expecting the other party to perform, the indicated option.
DONT 254 Indicates the demand that the other party stop performing, or confirmation that you are no longer expecting the other party to perform, the indicated option.
IAC 255 Interpret as command
There are a variety of options that can be negotiated between a telnet client and server using commands at any stage during the connection.

Common Telnet options:

Decimal code Option Name RFC
0 Transmit Binary 856
1 Echo 857
3 Suppress Go Ahead 858
5 Status 859
6 Timing Mark 860
24 Terminal Type 1091
31 Window Size 1073
32 Terminal Speed 1079
33 Remote Flow Control 1372
34 Linemode 1184
36 Environment Variables 1408
All Telnet options:
Decimal Code Option Name RFC
0 Transmit Binary 856
1 Echo 857
2 Reconnection
3 Suppress Go Ahead 858
4 Approx Message Size Negotiation.
5 Status 859
6 Timing Mark 860
7 Remote Controlled Trans and Echo 563, 726
8 Output Line Width
9 Output Page Size
10 Negotiate About Output Carriage-Return Disposition 652
11 Negotiate About Output Horizontal Tabstops 653
12 NAOHTD, Negotiate About Output Horizontal Tab Disposition 654
13 Negotiate About Output Formfeed Disposition 655
14 Negotiate About Vertical Tabstops 656
15 Negotiate About Output Vertcial Tab Disposition 657
16 Negotiate About Output Linefeed Disposition 658
17 Extended ASCII. 698
18 Logout. 727
19 Byte Macro 735
20 Data Entry Terminal 732,1043
21 SUPDUP 734, 736
22 SUPDUP Output 749
23 Send Location 779
24 Terminal Type 1091
25 End of Record 885
26 TACACS User Identification 927
27 Output Marking 933
28 TTYLOC, Terminal Location Number. 946
29 Telnet 3270 Regime 1041
30 X.3 PAD. 1053
31 NAWS, Negotiate About Window Size. 1073
32 Terminal Speed 1079
33 Remote Flow Control 1372
34 Linemode 1184
35 X Display Location. 1096
36 Environment 1408
37 Authentication 1416, 2941, 2942, 2943,2951
38 Encryption Option 2946
39 New Environment 1572
40 TN3270E 2355
42 CHARSET 2066
43 RSP, Telnet Remote Serial Port
44 Com Port Control 2217
45 Telnet Suppress Local Echo
46 Telnet Start TLS
47 KERMIT 2840
255 Extended-Options-List RFC 861
Options are agreed by a process of negotiation which results in the client and server having a common view of various extra capabilities that affect the interchange and the operation of applications.
Either end of a telnet dialogue can enable or disable an option either locally or remotely. The initiator sends a 3 byte command of the form

 IAC,<type of operation>,<option>
The response is of the same form.
Operation is one of

Description Decimal Code Action
WILL 251 Sender wants to do something.
WONT 252 Sender doesn't want to do something.
DO 253 Sender wants the other end to do something.
DONT 254 Sender wants the other not to do something.
Associated with each of the these there are various possible responses

Sender Sent Receiver Responds Implication
WILL DO The sender would like to use a certain facility if the receiver can handle it. Option is now in effect
WILL DONT Receiver says it cannot support the option. Option is not in effect.
DO WILL The sender says it can handle traffic from the sender if the sender wishes to use a certain option. Option is now in effect.
DO WONT Receiver says it cannot support the option. Option is not in effect.
WONT DONT Option disabled. DONT is only valid response.
DONT WONT Option disabled. WONT is only valid response.
For example if the sender wants the other end to suppress go-ahead it would send the byte sequence


The final byte of the three byte sequence identifies the required action. For some of the negotiable options values need to be communicated once support of the option has been agreed. This is done using sub-option negotiation. Values are communicated via an exchange of value query commands and responses in the following form.

 IAC,SB,<option code number>,1,IAC,SE

IAC,SB,<option code>,0,<value>,IAC,SE
For example if the client wishes to identify the terminal type to the server the following exchange might take place

Client   255(IAC),251(WILL),24
Server   255(IAC),253(DO),24
Server   255(IAC),250(SB),24,1,255(IAC),240(SE)
Client   255(IAC),250(SB),24,0,'V','T','2','2','0',255(IAC),240(SE)
The first exchange establishes that terminal type (option number 24) will be handled, the server then enquires of the client what value it wishes to associate with the terminal type. The sequence SB,24,1 implies sub-option negotiation for option type 24, value required (1). The IAC,SE sequence indicates the end of this request. The repsonse IAC,SB,24,0,'V'... implies sub-option negotiation for option type 24, value supplied (0), the IAC,SE sequence indicates the end of the response (and the supplied value). The encoding of the value is specific to the option but a sequence of characters, as shown above, is common.                          


November 22, 2013

Adding Linux PAM

If you have an embedded Linux, but want to add Linux PAM to your system, here are some of the thing I have found out:

What you will need:
1. Linux-PAM package
2. Shadow package (Debian or Linux From Scratch has source)
3. cracklib package (sourceforge)

Linux-pam needs cracklib to test password complexity.

1. compile and install cracklib
CC=ppc-linux-gcc ./configure --host=ppc-linux
make install DESTDIR=/home/me/install

2. compile and install linux-pam
LIBS="-lcrack" CFLAGS=-I/home/me/install/usr/local/include LDFLAGS=-L/home/me/install/usr/local/lib/ CC=ppc-linux-gcc ./configure --host=ppc-linux --disable-nis --disable-selinux --disable-regenerate-docu --disable-nls --disable-rpath
make install DESTDIR=/home/me/install
(you may want to change the installed *.la files to point to the right directory. this is bug of libtools)

3. compile shadow
LIBS="-lpam -lpamc" CFLAGS=-I/home/tzhang/install/usr/include LDFLAGS=-L/home/tzhang/install/lib64/ CC=ppc-linux-gcc ./configure --host=ppc-linux  --with-libpam --without-selinux  --without-sha-crypt --without-nscd --disable-shadowgrp

you will need to transfer the following files to your target (as you go along, you may need more modules):

and then: 

create the following files under /etc/pam.d/

also login.defs:
-bash-3.00# cat /etc/login.defs
ENV_SUPATH  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
MAIL_DIR        /var/mail

and this one:
-bash-3.00# cat /etc/default/useradd

make sure you have at least an empty shadow file 
$ touch /etc/shadow

PAM is used when adding user, changing password, login, etc. You can also hook your application to PAM authentication.

November 21, 2013

TI Sitara DM816x UART BOOT

On silicon revision 1.0 and 1.1, the BOOTROM operates at baud rate 32452.
On silicon revision >=2.0, the baud rate is 64904 baud

November 20, 2013

busybox password hash algorithm

Busybox has a command "passwd" and take an argument "-a ALG", but it does not tell you which "ALG" should be. Well, here it is:

1. "des"
2. "md5"
3. "sha256"
4. "sha512"

How to add jquery to any webpage without using a browser plugin

Option 1
Copy the following code to your browser's javascript console (under developer tools) and run it:
var body = document.getElementsByTagName("body")[0];
var script = document.createElement('script');
script.type = "text/javascript";
script.src = "";

Option 2
Go to: and copy the entire code to run in your javascript console.

To check, run the following in your javascript console:


And you should get 1.

November 18, 2013

C code to detect link connected/disconnected using RTNETLINK

RTNETLINK documentation is not very good. Here is an example of how to detect interface disconnected/disconnected using it. If you want to detect interface up and down, just check the flag IFF_UP instead of IFF_RUNNING.

November 8, 2013

How to compile Net-SNMP 5.7.2 for Windows on Linux using MinGW

Here is how to compile Net-SNMP 5.7.2 for Windows on Linux using MinGW.

In my setup, the host is Fedora Linux 19 64-bit.

1. Install MinGW:
sudo  yum install mingw32-binutils mingw32-cpp mingw32-filesystem mingw32-gcc mingw32-gcc-c++ mingw32-runtime mingw32-w32api
2. Get snmp-5.7.2 source code and untar it
3. configure it:
CC=i686-w64-mingw32-gcc ./configure --host=mingw32  --with-ar=i686-w64-mingw32-ar \
--without-perl-modules --disable-embedded-perl   \
--disable-mib-loading  --with-openssl=internal  --enable-mini-agent --with-out-transports="Callback Unix TCP" \
--disable-manuals --disable-shared
Option 1
1. Comment out RANLIB in all Makefiles
find . -name Makefile | xargs sed -i 's/^RANLIB.*/RANLIB=echo'
 make -j 20 

3. Manually do ranlib
find . -name "*.a" | xargs i686-w64-mingw32-ranlib
 make -j 20 
8. More manual ranlib
find . -name "*.a" | xargs i686-w64-mingw32-ranlib
5. continue to make
make -j 20
This time it should make all the way to the end. That's it.

I tried to directly set RANLIB in Makefile to be i686-w64-mingw32-ranlib, but then it tries to ranlib the *.la files and fail. If you know a way to directly set RANLIB in Makefiles and compile successfully, please let me know by leaving a comment below.

Option 2 
1. Point ranlib to mingw ranlib in all Makefiles
mkdir -p $HOME/bin; cd $HOME/bin;
cat <<EOF >myranlib
echo Running 686-ranlib $*
i686-w64-mingw32-ranlib  $*
exit 0;
chmod +x myranlib
ln -sf ranlib myranlib
find . -name Makefile | xargs sed -i '1s/^/PATH := $(HOME)\/bin:$(PATH)\n/'

 make -j 20 

This time it should make all the way to the end. That's it.

November 7, 2013

Tshark decode and dump packets

Suppose you have the captured file, just use the following command to dump the first frame:

tshark -r ~/hcm_stigs/snmp.pcapng -Y frame.number==1 -Vx

-V: decode and print packet details
-x: print packet payload in Hex
-Y frame.number==1: only decode the first frame

November 5, 2013

SNMP V3 password to key algorithm implementation in GoLang

package main
import (

func  password_to_key( password string, engineID string, hash_alg string) {
        h := sha1.New()
        if hash_alg=="MD5" {
                h = md5.New()

        count := 0;
        repeat := 1048576/plen;
        remain := 1048576%plen;
        for count < repeat {
        if remain > 0 {
        ku := string(h.Sum(nil))
        fmt.Printf("ku=% x\n", ku)

        fmt.Printf("localKey=% x\n", localKey)


func main(){

November 1, 2013

Conference Call Systems

GoToMeeting and Webex are mainstream ones. I used GoToMeeting and like it.

 - FreeConference
 - FreeConferenceCallHD

More others:

So for those out there who may not know that alternatives exist, here are six options to use instead of GoToMeeting and WebEx:

1. AnyMeeting

AnyMeeting has been one of the quieter players in the web conferencing sector, but it’s solid service that has been pushing forward on the innovation front. Just two weeks ago, it announced that it had added WebRTC technology to its product so you don’t have to use Adobe Flash on some browsers. It has more than 400,000 users across its free and paid offerings.

2. FuzeBox

FuzeBox offers HD video and audio conferencing across quite a few platforms, including PC, Mac, iPhone, iPad, and Android phones and tablets. While you still have to download the apps, the software is cleaner and more intuitive than WebEx and GoToMeeting — so much so that FuzeBox counts big names like Amazon, eBay, Disney, NASA, Evernote, Verizon Wireless, and Spotify as customers.

3. Google Hangouts

Yes, Google Hangouts doesn’t exactly scream business. But so what? Hangouts offers the capability to chat with up to 10 people on a video call for free. You may also collaborate on Drive documents while you talk on a Hangout. This is an especially attractive offer for all the small businesses out there that don’t want to pay for more software and for enterprises that already use Google Apps.


LogMeIn’s service is one of the strongest up-and-comers in the web-conferencing field. In my own tests, it works much faster than WebEx and GoToMeeting, but in most cases you do have to download the app once to start a meeting. If you are a participant on a call, however, you can join a meeting without a download — all the call organizer has to do is send you a link.

5. MeetingBurner

We talked with MeetingBurner last year and haven’t heard too much from the company since, but I recently spoke with CEO John Rydell, and he assures me his startup is very much alive and kicking. MeetingBurner uses the power of the cloud to make sure participants can hop on a call or webinar quickly without downloading software. You can host conference calls for up to 10 people for free without showing you ads, and if you need to conduct calls with even more attendees, it undercuts WebEx and GoToMeeting’s prices.

6. Zoom

Zoom was founded in 2011 by folks from Cisco and WebEx who wanted to make a better video conferencing product. It offers HD video or voice conferences for up to 25 people, and it supports meetings on the web, Mac, Windows, iOS, and Android. It also includes a few extra nifty features that aren’t found on many competitors, including screen sharing from iPhone and iPad, a private cloud deployment option, and sharing a computer’s audio feed during screen sharing.


October 30, 2013

DOT NOT use Filezilla anymore. Use winSCP.

I have been using Filezilla for a while now, and just discovered the following things that made me removed Filezilla from my computer immediately:

  1. Filezilla stores all sites username and passwords in clear text in a fixed location: %APPDATA%\fielzilla\sitemanager.xml
  2. Even if you do not use site manager to save your passwords, Filezilla saves all "quick connections" to a file "recentservers.xml", again with all username and passwords in clear text.
  3. A bug has been filed for Filezilla to encrypt the passwords with a master password over 3 years ago, yet no action has been taken.
This is more than bad practice. This is almost deliberately to help hackers/worms steal passwords.

Switch to "WinSCP", which is also open source, and allow you to encrypt all stored passwords with a master password.

October 20, 2013

Merriam Webster Pronunciation Table

For some reason, Merriam Webster users a different pronunciation table than the standard one. So here is their special version:

October 1, 2013

Add context menu copy/paste to a Java JTextArea

suppose you have the variable "ta" as the textarea:

  ta.addMouseListener(new MouseAdapter() {
   public void mouseReleased(final MouseEvent e) {
    if (e.isPopupTrigger()) {
     final JPopupMenu menu = new JPopupMenu();
     JMenuItem item;
     item = new JMenuItem(new DefaultEditorKit.CopyAction());
     item.setEnabled(ta.getSelectionStart() != ta.getSelectionEnd());
     menu.add(item);, e.getX(), e.getY());

September 20, 2013

Nice script to generate a password of 12 character length (on Linux)

# Make a 72-bit password (12 characters, 6 bits per char)
dd if=/dev/urandom count=1 2>/dev/null | base64 | head -1 | cut -c4-15

C function to convert hex to binary

A simple C function to convert hex to binary

#include <ctype.h>

inline int cval(char c) {
        if (c>='a') return c-'a'+0x0a;
        if (c>='A') return c-'A'+0x0a;
        return c-'0';

/* return value: number of bytes in out, <=0 if error */
int hex2bin(char *str, unsigned char *out){
        int i;
        for(i = 0; str[i] && str[i+1]; i+=2){
                if (!isxdigit(str[i])&& !isxdigit(str[i+1]))
                                return -1;
                out[i/2] = (cval(str[i])<<4) + cval(str[i+1]);
        return i/2;


As of time of this post, there are three common password based authentication for TLS:

  1. TLS-PSK (Pre-Shared Key), RFC 4279
  2. TLS-SRP (Secure Remote Password), RFC 5054
  3. TLS-JPAKE, implemented in OpenSSL, not in RFC (yet)
TLS-PSK uses the pre-shared key to generate the TLS premaster key, which is then used to generate master key and session key. It is the simplest one, but the user has to safeguard the PSK.

TLS-SRP is more secure, in that it only stores a password verifier value, not the password itself. It would be a nice upgrade to replace TLS-PSK. Unfortunately, some rumors about potential patent problems (although the authors of SRP, Stanford University, has grant free-use of the patent) prevent it from being adopted in a large scale. For example, Fedora, and therefore Redhat, removes TLS-SRP from its OpenSSL libraries because of this. (Fedora script that removes SRP from openssl). Given that RHEL is the de-facto standard for enterprise Linux, this makes it hard to use TLS-SRP in commercial environment.

TLS-JPAKE is somewhat similar in what it tries to achieve. However, there does not seem to be a standard RFC for it yet, so inter-operability is a question. Also, according to OpenSSL, J-PAKE is still experimental and not activated as default.

For now, we will have to stick to the old plain TLS-PSK, which is a well-defined standard and has been implemented widely. 

September 17, 2013

vim tags file search path

add the following to your .vimrc file:

set tags=./tags;

Notice ";" after tags. That's important. That tells Vim to search tags in the current directory, and if not found, search parent directory, and continue up until found. Isn't that great?

TLS PSK server using openssl library

A simple TLS-PSK server program that based on the openssl library. This is based on the s_server app from openssl, removing all the unused parts and merge all code into one simple file.


Updated with working link:

September 13, 2013

Java Bouncy Castle TLS PSK example

This is an example how to use the Bouncy Castle library to write a TLS-PSK client. The server was tested with was an openssl server (openssl s_server). Keep in mind that I do not write Java program regularly, so you may find some style/usage not the best.


import javax.xml.bind.DatatypeConverter;

import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.crypto.tls.AlertLevel;
import org.bouncycastle.crypto.tls.CipherSuite;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.ServerOnlyTlsAuthentication;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsPSKIdentity;
import org.bouncycastle.crypto.tls.PSKTlsClient;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

 * A simple test designed to conduct a TLS-PSK handshake with an external TLS server.
public class PSKTlsClientTest

 static String convertStreamToString( is) {
  java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
  return s.hasNext() ? : "";

 static class Z_PSKIdentity implements TlsPSKIdentity {

  void Z_PSKIdentity(){};

  public void skipIdentityHint(){
         System.out.println("skipIdentityHint called\n");

  public void notifyIdentityHint(byte[] PSK_identity_hint){
         System.out.println("notifyIdentityHint called\n");

  public byte[] getPSKIdentity(){
   return "Client_identity".getBytes();

  public byte[] getPSK(){
   return DatatypeConverter.parseHexBinary("1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A");


    public static void main(String[] args)
        throws Exception

  Z_PSKIdentity pskIdentity = new Z_PSKIdentity();

        Security.addProvider(new BouncyCastleProvider());

        Socket socket = new Socket(InetAddress.getByName(""), 10443);

        SecureRandom secureRandom = new SecureRandom();
        TlsClientProtocol protocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(),

        MyPSKTlsClient client = new MyPSKTlsClient(pskIdentity);

        OutputStream output = protocol.getOutputStream();
        output.write("GET / HTTP/1.1\r\n\r\n".getBytes("UTF-8"));

        InputStream input = protocol.getInputStream();


    static class MyPSKTlsClient
        extends PSKTlsClient

  public MyPSKTlsClient(TlsPSKIdentity id){

        public void notifyAlertRaised(short alertLevel, short alertDescription, String message, Exception cause)
            PrintStream out = (alertLevel == AlertLevel.fatal) ? System.err : System.out;
            out.println("TLS client raised alert (AlertLevel." + alertLevel + ", AlertDescription." + alertDescription + ")");
            if (message != null) {
            if (cause != null) {

        public void notifyAlertReceived(short alertLevel, short alertDescription)
            PrintStream out = (alertLevel == AlertLevel.fatal) ? System.err : System.out;
            out.println("TLS client received alert (AlertLevel." + alertLevel + ", AlertDescription."
                + alertDescription + ")");

        public TlsAuthentication getAuthentication()
            throws IOException
            return new ServerOnlyTlsAuthentication()
                public void notifyServerCertificate(org.bouncycastle.crypto.tls.Certificate serverCertificate)
                    throws IOException
                    System.out.println("in getAuthentication");

The simple Makefile (I installed gnuwin32 so my system has "rm" )

        javac -cp "jce-jdk13-149.jar;."
        jar -cfm tls.jar  manifest.txt PSKTlsClient*.class

        run.bat -jar tls.jar
        rm -f PskTlsClient*.class PskTlsClient*.jar

The Server side. Keep in mind that openssl s_server by default uses id "Client_identity". The hint is just a hint. It does not change the fact that the serve requires the client to provide the id "Client_identity". Of course this can be changed if you make your own application. So below you can use anything for the psk_hint, or even omit the argument.

$ cat
openssl s_server \
        -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A \
        -psk_hint Client_identity\
        -cipher PSK-AES256-CBC-SHA \
        -debug -state -nocert -accept 10443 -tls1 -www
manifest.txt file

Main-Class: PSKTlsClientTest
Class-Path: . jce-jdk13-149.jar
run.bat file (The host is Windows 7)

java -cp "jce-jdk13-149.jar;." %*

September 10, 2013

network monitoring software review

August 23, 2013

Simple Golang port scanner

Simple and powerful golang port scanner

Who needs any other port scanner when you can take this one file and compile it to run on both Linux and Windows? And better yet, change the number to workers from 5 to 300 now you can scan an entire /24 network in 3 seconds.

Note that the program seem to have an issue with "\r" and "\n", which suggests that the program may have been developed on a Mac. No problem, simply replace swap "\r" and "\n" in the source  and you are ready to go.

August 4, 2013

August 2, 2013

Download Java JRE JDK using wget script

wget --no-cookies --no-check-certificate --header "Cookie:" ""

More Info get

August 1, 2013

Virtualbox high network latency with multiple CPU Cores

On Virtualbox 4.2, if you assign multiple cores to your VM, and you are running Linux Guest, you may experience high network latency (ssh typing is sporadic even on local GigE network).

This is a bug with Virtualbox.

The solution: Change your VM Ethernet type to PCnet. Then it works!

Here is the link to the bug report:

July 23, 2013

A good Windows SSH/Telnet Server

  • Free, Open source, 
  • works with putty in full color, and full window size
  • and command auto complete works well
  • what else could I ask for?

July 15, 2013

linux dummy interface and renaming

In linux, there is a kernel module called "dummy", which allows you to generate dummy network interfaces such as "dummy0", "dummy1", etc.

1. sudo modprobe dummy numdummies=2
2. now you can do "ifconfig dummy0" to give it an IP address.
3. you can also rename the dummy interface with the following command:
        ip link set dummy0 name eth3
you need to "down" the interface before running the command above.

With the combination of dummy interfaces and ability to rename dummy interfaces, you can do a lot of fun things with them.

July 11, 2013

initramfs with boot argument init=/bin/sh

If you use a Linux kernel with initramfs, the boot argument "init=/bin/sh" would not work. The correct one is "rdinit=/bin/sh". Aha. Gotcha.

July 9, 2013

Add new file type to ack-grep

If you use ack as your grep replacement, and would like to add a new file type, do this:

Create a file at ~/.ackrc with the following line (change Ruby to your file type, and .haml,etc to your actual file extension):


July 1, 2013

How to hide/remove OS field in Bugzilla

This method uses javascript to hide the unwanted fields

1. edit template/en/default/global/header.html.tmpl. Search for "global.js". After the line "[% END %]" add the following lines:

    [% starting_js_urls.push('//') %]

    [% FOREACH javascript_url = starting_js_urls %]
      [% PROCESS format_js_link %]
    [% END %]
    [% starting_js_urls.push('js/my.js') %]

    [% FOREACH javascript_url = starting_js_urls %]
      [% PROCESS format_js_link %]
    [% END %]

2. create the file js/my.js with the following contents:

This hides three fields: OS, OS comment, and Hardware.

To remove more clutters, use the following js:


        $("#attachment_table").hide().before("<button id='tz_bug_edit' style='width:50px'> <b>Edit</b> </button>");
                if ($("#attachment_table").is(":visible")){
                return false;


You can also change skins/standard/global.css to remove hyperlink underline, and change default font:

a {
        text-decoration: none;

/* this already exists, just edit it */
body, td, th, input {
    font-family: Verdana, sans-serif;
    font-size: 11pt;

June 27, 2013

GOLANG SSL Server and Client example

Below is my simple static "SSL Proxy" that listens on port 8000, and connects to another machine, and the proxy logs traffic both ways on screen.

To generate key.pem and cert.pem, you can use openssl, or use go team's simple program included in go package:

package main
import (

func checkError(err error) {
        if err != nil {
                fmt.Fprintf(os.Stderr, "Fatal error: %s", err.Error())

/* slower, by we can print/log everything */
func myrawcopy(dst,src net.Conn) (written int64, err error) {
    buf := make([]byte, 32*1024)
    for {
        nr, er := src.Read(buf)
        if nr > 0 {
            nw, ew := dst.Write(buf[0:nr])
            if nw > 0 {
                written += int64(nw)
            if ew != nil {
                err = ew
            if nr != nw {
                err = io.ErrShortWrite
        if er == io.EOF {
        if er != nil {
            err = er
    return written, err

func myiocopy(dst net.Conn, src net.Conn){
        myrawcopy(dst, src)

func handleclient(c net.Conn){
        config := tls.Config{InsecureSkipVerify: true}
        conn, err := tls.Dial("tcp", "", &config)

        go myiocopy(conn,c)

        //io.Copy(c, conn)
        myrawcopy(c, conn)

func main() {
        cert, err := tls.LoadX509KeyPair("cert.pem", "key.pem")
        if err != nil {
                log.Fatalf("server: loadkeys: %s", err)
        config := tls.Config{Certificates: []tls.Certificate{cert}}
        config.Rand = rand.Reader
        service := ""
        listener, err := tls.Listen("tcp", service, &config)
        if err != nil {
                log.Fatalf("server: listen: %s", err)
        log.Printf("server: listening on %s for https, connects to",service)
        for {
                conn, err := listener.Accept()
                if err != nil {
                        log.Printf("server: accept: %s", err)
                defer conn.Close()
                log.Printf("server: accepted from %s", conn.RemoteAddr())
                go handleclient(conn)

June 24, 2013

Free - Remote Desktop Control Software

To sum it up: 

For business, Use LogMeIn for unattended, for attended.
For personal: Use TeamViewer.

LogMeIn The first and highest rated product in the unattended category is LogMeIn. This is a web-based service that's extremely easy to set up and use and can be accessed from any PC with a browser. The free version won't allow file transfer or remote printing but is a great solution for accessing your remote data as well as file sharing. Registration is required before using the product. It is really meant to be an 'install and leave it' kind of tool and not for the 'quick connect to help a friend' scenario.
I still very much believe that the features and speed of LogMeIn are unmet by any other product and worth the extra hassle if you have access to the other machine(s) or means to connect remotely and install it. It is free for personal and commercial use.

TeamViewer Next is TeamViewer. It is very reliable, allows both attended and unattended control and has great features. There is a portable version of the viewer if you want to use an application or they also have a web-based control site that requires no installation to remotely control computers. The web-based version uses HTML and Flash, so it is usable even if the browser or firewall doesn't allow Java or ActiveX. TeamViewer is a commercial product and is only free  for personal use. Any commercial use is prohibited by the TeamViewer use policy.

Join.MeThe fastest solution in the attended category is Its small 1 MB download and simple security code make it very quick to establish a remote session.

MikogoThe last solution in this category is Mikogo. Mikogo is not the fastest nor is it the most reliable, but it offers the most features of any of the solutions in this article. It is a full-featured solution comparable to the commercial Citrix GotoMeeting product with features such as presenter switching, remote control, white board sharing, file sharing and session recording.

June 7, 2013

To open a page in a frame using javascript

"javascript:top.frames['framename'].location = 'filename.html';return true;"

A list of SSL/HTTPS sniffer/proxy/dump

  1. mitmproxy, written in Python, includes a ncurse-based UI, or the console-based mitmdump. Able to generate SSL certs on the fly.
  2. TCPCather: Looks really good.
  3. sslsniff: by the famous hacker moxie0:
  4. burp (the free version):
I personally used mitmproxy to my satisfaction. 

June 6, 2013

vim regex search tips

1. $ < > does not need to be escaped.
2. [ ] & needs to be escaped
3. [a-zA-Z] sometimes can be better accepted than \a (for alphabet)
4. For replacement, & means the matched term

May 9, 2013

hg serve multiple projects

To use "hg serve" to serve multiple project internally (with your LAN). Create a file named webconf (it can be any name) with the following content:

repos/ = .


allow_push = *
push_ssl = false
pygments_style = vs
style = gitweb

Then in system start up run this:

cd your_hg_directory && sudo -u your-name hg serve --web-conf ./webconf

I like the "gitweb" style because it gives you date on files. The default style is "paper". Other styles can be:


May 8, 2013

shrew vpn masquerade on Linux

Once your have your VPN client running on a Linux box, sometimes you would like to share that link with that machines on your LAN (either physical LAN or virtual LAN such as Virtual Machines).

Because shrew uses the kernel IPsec VPN, the iptables masquerade rule does not work on the virtual tap0 interface. There does not seem to exist an easy fix.

The work around I have is to install a linux virtual machine (virtualbox) on the host, which has two NICs, one is NAT, the other one is bridging. Then run iptables masquerade on the virtual Linux, taking traffic from the bridged NIC, and send it out to the NATed NIC. On the host, since virtualbox behaves just like any other application, it is able to access all the VPNed network resources. Bingo!

It works well here. Let me know your thoughts.

shrew vpn client on Linux for Cisco Concentrator

To talk to a Cisco VPN Concentrator, one can use "vpnc" or "shrew vpn client".

My vpnc only stays up for a few hours, while on Windows the Cisco VPN client can stay up for days. So I wanted to give shrew a try.

Shrew can import Cisco .pcf configuration file. After that, a connection entry is created. However, you probably will need to modify the profile for it to work. On the "qikea" window, right click on the profile, then "Modify", go to tab "Phase 2" and make your choices instead of auto. For example, try change PFS Group to "2". This worked for many people.

If you are interested, you can try to use the tool "ike-scan" to probe your vpn server and find out exactly the parameters for this tab.

That solved my problem.

The following screenshot is a Windows screenshot, but the Linux one is very similar.

VPN Setting

I got the this tip from the following post:

April 26, 2013

Text to ASCII Art

Under Linux, use the program "figlet" to turn regular text info a ASCII art text.


 figlet hello
 _          _ _
| |__   ___| | | ___
| '_ \ / _ \ | |/ _ \
| | | |  __/ | | (_) |
|_| |_|\___|_|_|\___/

figlet -W hello (wide version)
  _              _   _
 | |__     ___  | | | |   ___
 | '_ \   / _ \ | | | |  / _ \
 | | | | |  __/ | | | | | (_) |
 |_| |_|  \___| |_| |_|  \___/

You can choose different style too:

figlet -f banner -W hello

 #    #  ######  #       #        ####
 #    #  #       #       #       #    #
 ######  #####   #       #       #    #
 #    #  #       #       #       #    #
 #    #  #       #       #       #    #
 #    #  ######  ######  ######   ####

figlet -f bubble -W hello
   _     _     _     _     _
  / \   / \   / \   / \   / \
 ( h ) ( e ) ( l ) ( l ) ( o )
  \_/   \_/   \_/   \_/   \_/

Use "figlist" to list all the styles.

April 10, 2013

Fix: vim indent not working

If you loaded a new indent file or syntax file under ~/.vim/ and it is not taking effect, make sure you have the following line in your ~/.vimrc file:

filetype plugin indent on

This turns on filetype detection, filetype plugin, and filetype-indent. 

April 1, 2013

how to mount vdi

First install lvm2, ndb and qemu-common packages:


yum install lvm2 nbd qemu-common

Then run this to load the nbd module:


modprobe nbd max_part=16

And connect the device:


qemu-nbd -c /dev/nbd0 "/home/USER/VirtualBox VMs/CentOS6/CentOS6.vdi"

Load the dm-mod module:


modprobe dm-mod

Run this command to scan for volume groups:



This will output something like this:
  Reading all physical volumes.  This may take a while...
  Found volume group "vg_centos" using metadata type lvm2

In the next step we want to use what is in the quotes above. Run this command but replace vg_centos with whatever shows in the quotes.


vgchange -ay vg_centos

Then show which partitions there are:



This will output something like this:
  LV      VG        Attr   LSize  Origin Snap%  Move Log Copy%  Convert
  lv_root vg_centos -wi-a- 18.12g
  lv_swap vg_centos -wi-a-  1.97g

In this case we want the logical volume named lv_root so run this command:


mount /dev/vg_centos/lv_root /mnt/vdi -o ro,user

Now you should be able to find your disk in the /mnt/vdi folder. Note that you must have created the /mnt/vdi folder first but you can mount it wherever you like into an empty folder.

Some more useful tips.

You can unmount the disk:


umount /mnt/vdi

This command will disconnect the nbd:


qemu-nbd -d /dev/nbd0

After you disconnect the nbd you can unload the module:

March 29, 2013

tip: embed raw text in html

 it's become somewhat au courant to use the "type" attribute to mark <script> blocks that you don't want to be evaluated:
<script type='text/html-template'>
  <div> this is a template </div>
By giving a weird non-JavaScript type, you get a way to stuff raw text into the page for use by other JavaScript code (which is presumably in script block that can be evaluated).

This technique is great for using the block inside the <script> for html template, to be used by JQuery. Without the <script> block, IE will mess with the source code and remove thing it does not know.


March 20, 2013

California LLC taxs and fees

For California LLC not treated as corporation:

  1. Annual tax of $800 is paid in the tax year by 04/15 with form 3522 . 
  2. LLC fee estimate for current year is paid by 6/15 current year
  3. LLC fee final is filed by next year 4/15 with From 568, the payment form is 3536


March 15, 2013

php one line udp client

socket_sendto(socket_create(AF_INET, SOCK_DGRAM, SOL_UDP), $raw_post_data, strlen($raw_post_data), 0, '', 57000);

The above will send the post data  (suppose it is in $raw_post_data) to a local udp server listening on port 57000.

March 6, 2013

Excel 2003 useful shortcuts

Ctrl-1:          Open Cell Format Dialog
shift +space: select row
ctrl + -:        delete row.
ctrl + +:        Insert a row (above the currently selected row)     

March 1, 2013

clean up diff file

The following program take a diff file and removes chunks that are simply different by a white spaces or carriages returns, such as

int func(a,b){


int func(a,b)

Save this to file "diffclean.awk" and run it as "./diffclean.awk my.diff".

#!/usr/bin/gawk -f
function process_block(str,strp,strm){
        regex="[ \t\f\r\n]+";
        gsub(regex," ",strp);
        gsub(regex," ",strm);
        if (strp!=strm){
                print str;

        if (!block_started) {
                if (/^@@/) {

        if (/^diff/) {
        if (/^@@/) {

        str=str "\n" $0;
        if (/^-/) strm=strm substr($0,2);
        if (/^+/) strp=strp substr($0,2);

        if (block_started){