Kook Alert

Recently, two mails of a conspiracy theorist sneaked past my spam-filter. Pure flashback to the heyday of the good old Usenet kooks. Consider this quote:

The Jewish nazis also continued to send ‘messages’ and ‘feedback’ to me through the media and internet and through the EBL – Electronic Brain Link – whereby, among other things, they ‘invited’and sucked me in to directing my attention and using my amazing power on images in magazines, the internet, TV and other media

I mean, if that doesn’t trigger your kook-detector, nothing will.

More upgrading tidbits

As mentioned before, I disabled xen before the etch->lenny upgrade. Now I’ve re-enabled xen, and the following bits may be of wider interest:

My server at the Hetzner hosting center has one static IP address and a small network that is routed towards that IP address. So my plan was to use this small network (88.198.160.176/28) for the virtual switch inside the xen Dom0 and connect all the domUs to it. I solved this the following way:

In /etc/network/interfaces I tell Debian to create the bridge and use br0 as the interface of the dom0 into that bridge:

auto br0
iface br0 inet static
        pre-up brctl addbr br0
        address 88.198.160.177
        netmask 255.255.255.248
        bridge_fd 0
        bridge_hello 0
        bridge_stp off

That way, the xen scripts themselves have little to do. The settings in /etc/xen/xend-config.sxp are:

(vif-script 'vif-bridge bridge=br0')
(network-script network-route)

In the config-file for each individual domU, I just use something like

vif  = [ 'ip=88.198.160.178,mac=00:16:3e:77:e2:79,bridge=br0' ]

but I’m not sure whether that’s actually needed at this point.

Concerning the domUs: The hints in the Debian Wiki were helpful, especially about changes to the console handling.

Upgrading from etch to lenny

Just in case somebody was wondering why this blog was down over the weekend:

I finally bit the bullet and upgraded my server from Debian etch to Debian lenny. And while doing that ran into Bug #541371.

Otherwise the upgrade was pretty painless. But as timid (some might say sane) as I am, I disabled xen before the upgrade. Getting that up and running with a new kernel will be the next step. This is especially tricky as I do not have a remote console, just the Hetzner rescue system.

Oh, and as I’m no longer running a pre-historic wordpress, this blog might get a new design sooner than later.

Free SSL/TLS certificates

CAcert has tried for some time to provide free X.509 certificates based on automatic checks and a web of trust. They never managed to get the root certificate included in the default installations of the major browsers. As I read it, they’ve given up on Mozilla for now.

Aaron forwarded me a link to a blog post by StartCom where they announce that their CA will be included in IE soon. As they are already recognized by Mozilla and Safari, their certs are pretty much as good as any other commercial x.509 cert for servers.

In that respect, they are not unique, you can buy commercial grade certs from various sources, the most popular being Thawte, Equifax, Usertrust, Comodo, and Verisign.

What makes StartCom special is the fact that they give away free certificates similar to what CAcert is doing. Their enrollment at http://www.startssl.com/ is pretty much straight forward and getting certificates (both by uploading CSRs or by letting them generate a key) is painless.

Furthermore, they impressed me by:

  • Adding priv.at as a valid domain suffix within a few hour after I mailed them.
  • Checking the server for which you requested a cert and giving you hints if you made a configuration mistake.

Recommended.