bill’s blog


Browsing Posts published in February, 2009

Sunday 02/20/2009

Well, after having my trip extended due to the many issues facing the users in China, we were obliged to spend another week getting them up to speed. Unfortunately that meant spending another weekend in China. And while normally that would be a good thing… work was taking its toll. We were tired and hadn’t really planned anything. Saturday was spent playing war games with our colleagues, which is a story in and of itself. Sunday we were going to spend seeing another city in Guangdong Province. Guangzhou (also known as Canton) has a population of about 9.7 million people.

situationskartchen_von_kanton_makao_hongkong

1888 German map of Hong Kong, Macau, and Guangzhou

The city’s official name is Panyu, and it is the provincial capital. In 226 AD, however, the city became the seat of the Guang Prefecture, and it was during this time that people started calling it Guangzhou.

Our first stop was to Shamian Island (沙面島) or literally Sand Face Island. The ‘island’ sits on the bank of the Pearl River that runs through the heart of Guangzhou. Separating it from the mainland is a canal.

gz_couples

Upon walking into the park one can’t help but notice the brides and grooms that line the more picturesque locations. At first it was the odd couple here and there. Then I turned the corner and the street was lined with couples waiting to capture the start of their lives together on film.

gz_karate
gz_dancers

The park is filled with activity for such a gloomy day. The rain had started to fall, but that did not put a damper on the martial arts masters teaching a young group of students or the couples dancing under the overpass.

gz_lanterns

In the trees, lanterns still hang, left over from the Chinese New Year.

After leaving Shamian Island, we headed over to the mall. It’s a wide open space that is filled with street vendors.

gz_sugarcane
Vendor preparing sugar cane for a hungry little boy.

gz_streetad
This gentleman was a walking ad for a local chicken restaurant.

gz_feeding
A woman was feeding the koi from a baby’s bottle.

gz_crowd
The crowd was massive… there were people everywhere. Guangzhou is the fourth largest city in China.

gz_lifestory
This poor man is crippled and writes his tragic life story in perfectly formed Chinese characters.

Saturday – 02/21/2009

What an amazing day! We were invited to spend the day with the China Creative Group. They took care of us during our entire stay in mainland China but today was magical. I wasn’t sure what to expect. We were told that in the morning we would go through training. I figured it would be a lot like paintball in the United States but it was so much more.

wg_teamwork
wg_myfriends

It was a group building experience and I truly felt like they wanted us to join their ‘team.’ The morning started off with activities designed to foster team work.

wg_climb wg_prejump wg_jump

The morning culminated in a challenge to climb a 40 foot pole, stand on top of it and jump to a swing ten feet away. I had my concerns about my ankle and being able to make the transition from a kneeling position to standing. But my colleagues cheered me on and helped by adjusting the tension of the safety ropes. What an awesome feeling! I didn’t think I could do it, yet through teamwork I was able to make the jump!

wg_gaints

I’ve met my match!

wg_friends2
wg_friends

After lunch it was time to get to the shooting! Fortunately, the field wasn’t ready for us and we got to spend some time exploring a tree museum. Some of the trees dated back to before Buddha! But the really cool part was that all the displays were in Chinese and my colleagues came to my rescue and translated the information so that I could understand.

wg_stamford
wg_creative

Now I thought we were into our war games here… BUT they were truly into it! Crawling on the ground… Running into the brush… very realistic! It will be a day I will always remember… Thank you Flower, Lily, Jelly, Amanda, Happy, Cold, Matthew, Joe, Nelson… Everyone!

Monday 02/16/2009

So tonight is my last free night in Hong Kong. I had to spend an extra day to clear up some last-minute issues. It’s funny how fast a week can pass. Guess it escaped my colleagues as well! Tonight it’s sushi at Unkai. They have a really fresh selection and the company’s not bad either. The chefs are always friendly and they’re interested in where you come from!


Today, I’m in Hong Kong… 8018 miles from home. It’s cloudy today… I’m sure it’s hot and humid outside but I have some down time. So I’m taking it easy. We’ve been working 60-hour weeks and it’s time to do nothing. The hardest part is being away from my family. During the week it’s easy to get lost in your work but the weekends are hard! Yesterday was a long day. We ran around Hong Kong and saw many wonderful things… the Chi Lin Nunnery, Wong Tai Sin Temple, and the museum in Tsuen Wan. We had dinner in Lan Kwai Fong and then walked the night market on Temple Street. Today, I’m sitting in the sky lounge at the Sheraton in Kowloon… working on my papers for school and this blog. I’m watching the boats pass on the harbor. The sound of a marching band can be heard in the distance. The sun peeks through the clouds every once in a while but the skies never go blue. I miss the cold and the clear blue skies of New England. Talk about popping up on the radar… George, I have nothing to hide!

The museum is in a farmhouse built by Chan Yam-shing. The Chan clan moved from Guangdong to Hong Kong to engage in rice farming in 1786. The term Sam Tung Uk means “three-beam-dwelling” which describes the original floor plan. The building was modified through the course of the years. The museum houses an exhibit on rice farming in Hong Kong or more specifically, the Tsuen Wan region.

stum_enter
stum_roofs
stum_wall
stm_hall

Rice has been farmed in the Hong Kong region for more than 1000 years. It has been noted that rice was the principal crop as far back as 1688. Prior to World War 2, paddy fields covered 80% of the cultivated land in the New Territories.

stum_stamp

A stamp used for the packaging of rice.

stum_will

Will making friends wearing the traditional hat worn by farmers in the Tsuen Wan region.

stum_alder

Alder having some fun!

stum_gang

A group of students we befriended while touring the farmhouse… Good kids!

stum_bill

Me looking for some sun!

Another East Asian philosophy is Taoism, which dates back over 2000 years. The word Tao (道) translates to “the path” or “the way”. The Three Treasures of Taoism are ci (慈), compassion; jian (儉), moderation; and bugan wei tianxia xian (不敢為天下先), humility. Part of Taoism is reverence for ancestor spirits and immortals. Wong Tai Sin Temple (黃大仙祠) is one of the most famous shrines in Hong Kong. It is dedicated to Wong Tai Sin, the Great Immortal Wong.

sts_temple
DSC_0127
sts_hall

The temple is famous for answering prayers, a reputation summed up in the saying “What you request is what you get” (有求必應). Kau Cim is the practice of shaking a bamboo cup that contains fortune sticks. The cup is shaken until a stick falls out. On the stick is a number, which is recorded against what you are praying for. You then take your numbers to any of the many soothsayers, who will interpret the fortune written on the paper.

sts_goodluckhall
sts_soothsayers

sts_goodluckbells

So what did I wish for? Peace in the family… happiness for my children and prosperity in the coming year. So how did the soothsayer interpret my fortune? 2009 will be a peaceful year for my family, my children will be happy, and 2009 will not be a good year prosperity-wise unless I change its direction.

The air surrounding the temple is filled with joss. The shrine has been there since 1921, and the architecture is that of traditional Chinese temples: grand red pillars and golden roofs. The Good Wish Garden is where worshippers place three sticks of burning incense and offer prayers that rise with the smoke.

sts_incense
sts_bill_joss

It is much more chaotic here than at the Chi Lin Monastery.

One of the things I really wanted to do this trip was to see Hong Kong as the people who live here do. I’ve been to the Po Lin Monastery on Lantau Island many times. It too is peaceful, but I needed to see something new. Today we visited a Tang Dynasty (618-907 AD) style timber monastery, a Buddhist monastery located at the base of Diamond Hill. “Tang Dynasty” is a bit misleading, as the Nunnery was founded in the 1930s and the monastery as it stands today was only dedicated on the 8th day of the 12th lunar month of the Year of the Ox (1998)! At first I was disappointed when I found out the monastery was recently built, but that feeling was soon replaced with a feeling of tranquility. The garden was very special.

lc_lilies
lc_fountain

The four ponds as you enter ‘First Yard’ are filled with various colored water lilies. The sound of the babbling water and bonsai trees that fill the garden all lend to the inner peace of the quiet surroundings.

The monastery is divided into two sections, which represent the Buddhist idea of harmony between Heaven and Earth. Wisdom is represented in the architecture of the buildings surrounding the gardens. It is said that by using wood in the construction of the monastery you extend the life of the tree, which in turn fills the building with life.

lc_garden_bill

The Hall of Celestial Kings

As one enters the hall, it is Maitreya Bodhisattva (the future Buddha) that welcomes all to the Nunnery. In each of the four corners of the ‘Second Yard’ are statues of the celestial kings. They represent the four cardinal directions: Vaishravana (North), Virudhaka (South), Dhritarashtra (East) and Virupaksha (West).


north_guardian south_guardian
east_guardian west_guardian

Each of the celestial kings is a protector of Buddha’s teachings. Skanda is the chief guardian of the monastery. The entrance to the Hall of Celestial Kings is flanked by two large white marble Sutra Pillars and a collection of beautifully formed stones.

lc_celestial_enter
lc_celestial_bill

The Outer Gardens – Nan Lian Gardens

Directly across the street from the monastery is the Nan Lian Gardens. In keeping with the monastery, the gardens were designed with the feel of the Tang Dynasty. The design of the Jiangshouju garden can be traced back 2400 years, to the Tang Dynasty. The garden is filled with many stones and trees.

Daoists aspire to the peace and simplicity of Nature; and Buddhists seek enlightenment through insight into the way of Nature.

lc_outer_garden
lc_outer_garden2

Securing SSH

SSH, or Secure Shell, is one of the most useful tools for administering computers remotely. In reality it is a suite of programs created to replace a number of insecure equivalents. Telnet was replaced by SSH, which gives command-line access to remote hosts. SCP replaces RCP and copies files or directories to and from a remote host. SFTP replaces FTP and lets you place files on a remote host for later retrieval by a third party. Why replace the old standards? Everything those older protocols transmit, including your user ID and password, goes over the wire in clear text. The newer tools encrypt all traffic with strong ciphers (Triple DES, Blowfish and AES, to name a few), and SSH does so before the data is put on the wire. The result is transparent encryption: users can work normally, unaware that their communications are safely encrypted on the network (Barrett, 2001). SSH also authenticates the server to you by its host key, which is what the known_hosts file shown further down records, so a host that suddenly presents a different key is something to investigate rather than click through. SSH has a number of other benefits as well; you can get more information at the OpenSSH website.

Out of the box Apple does a good job of securing the OS, but there are a number of ways to harden SSH further. Mac OS X Server allows root to log in over SSH by default. That is not a bad thing per se IF the password is strong, but the reality is that passwords are never as strong as they should be: they are often based on ordinary dictionary words, and account names are easy to guess (Administrator, for example). A brute-force dictionary attack against a permitted root login therefore needs nothing but time, and if it succeeds the attacker lands directly in a root shell… a bad thing to say the least.

Disabling root

Apple leaves root login enabled because it is needed to set up replica servers in Open Directory (which is built on OpenLDAP). Once the replicas are bound to the directory, root access should be turned off. Unfortunately this is not something that can be done easily from Server Admin. There are two ways to accomplish it:

1. Edit /etc/sshd_config with a text editor and add the following line to the end of the file:
PermitRootLogin no
This is by far the most direct method. Two things to check: sshd uses the first uncommented value it finds for a keyword, so make sure there is no earlier, uncommented PermitRootLogin line that would override yours (the stock file only has a commented-out “#PermitRootLogin yes”, which is fine); and the change only applies to sshd processes started after the edit. On Mac OS X, where launchd starts a fresh sshd for each incoming connection, the next login picks it up; a long-running sshd elsewhere needs a restart or a SIGHUP. Test from a second session before you close the one you made the edit in.

2. The other is to restrict who may use the SSH service via SACLs (Service Access Control Lists), listing only the accounts that need it; root is then shut out simply by not being on the list.

ss_figure1
Figure 1

The downside to option 2 is that it is an allow-list: you have to enumerate everyone who should have SSH access, and everyone on that list gets it whether or not you really wanted them on the server. As you can see from the image above, we have disabled root by allowing only the user Bill Heese SSH access to the server. This may not always be the desired outcome. The nice thing about disabling root this way is the ease with which it can be configured: Apple provides a very nice GUI application for it, Server Admin. One thing to note is that if you administer a large number of desktops as well as servers, this has to be done on the workstations too, and since they have no Server Admin, any workstation with SSH enabled needs the sshd_config edit instead.
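For option 1, here is an added example (not code from the original post) that shows why “add a line at the end” can silently fail, and how to make the edit safely: sshd honours the first uncommented PermitRootLogin it finds, so a stray earlier line wins over one appended later. The functions assume a config without Match blocks (a PermitRootLogin inside a Match block applies only to that block) and the demo runs them against a constructed file, never the real /etc/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: check which PermitRootLogin
# value sshd will actually use, and set it to "no" safely. sshd takes the
# FIRST uncommented value of a keyword, so appending "PermitRootLogin no"
# to the end of the file does nothing if an earlier uncommented line exists.
# Assumes no Match blocks. Run as root against /etc/sshd_config after taking
# a backup; disable_root_login replaces the file with mv.

# effective_permit_root FILE: print the value sshd would use
effective_permit_root() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    # no uncommented line at all: the compiled-in default, which was "yes"
    # for the OpenSSH of that era (newer releases default to prohibit-password)
    [ -n "$val" ] && echo "$val" || echo "yes"
}

# disable_root_login FILE: comment out every existing uncommented
# PermitRootLogin line, then append ours so it is the only live one
disable_root_login() {
    f="$1"
    tmp="$f.tmp.$$"
    awk 'tolower($1) == "permitrootlogin" { print "#" $0; next } { print }' "$f" > "$tmp" &&
    printf 'PermitRootLogin no\n' >> "$tmp" &&
    mv "$tmp" "$f"
}

# demo_pitfall: run both against a constructed config (not a real system
# file) and print "<before> <after naive append> <after disable_root_login>"
demo_pitfall() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sshd_config excerpt for the demo
#PermitRootLogin yes
Protocol 2
PermitRootLogin yes
EOF
    before=$(effective_permit_root "$f")
    printf 'PermitRootLogin no\n' >> "$f"        # the naive "add it at the end"
    appended=$(effective_permit_root "$f")      # still "yes": the earlier line wins
    disable_root_login "$f"
    after=$(effective_permit_root "$f")
    rm -f "$f"
    echo "$before $appended $after"              # yes yes no
}

demo_pitfall
```

Run effective_permit_root /etc/sshd_config before and after your edit; if it still prints yes, something earlier in the file is overriding you. The same trick works for any other sshd_config keyword you care about, such as PasswordAuthentication.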

SSH Keys

Let’s say that you have to log into 20 or 30 machines per day. By the end of that day that adds up to a lot of keystrokes. Even the most focused individual gets interrupted many times during the course of a day; trying to remember exactly why you are accessing a host can be a challenge at times, and now add the server’s password to that.

There are those who feel that using SSH keys is an unsafe practice (and it CAN be) if you don’t protect your host correctly. I have this implemented behind a gateway firewall and behind IPFW rules. That being the case, a hacker would have to compromise the network and then the host itself. Is this a guarantee that a hacker can’t get to you? No, but it does make it somewhat more difficult to get at the machines.

So the first thing that I need to do is generate the keys that I am going to use.

ssh-keygen -t dsa

You can use other algorithms based on your comfort level; see the ssh-keygen man page for the key types your version supports. Note that DSA keys are fixed at 1024 bits and newer OpenSSH releases (7.0 and later) refuse them by default, so on a current system use -t rsa -b 4096 or -t ed25519 instead. You should see something very much like this:

control:~ bheese$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/bheese/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/bheese/.ssh/id_dsa.
Your public key has been saved in /Users/bheese/.ssh/id_dsa.pub.
The key fingerprint is:
52:d4:ee:d5:c9:b9:2e:0a:0a:ac:6a:8d:c9:ee:9c:cc bheese@control.randomdog.net

I did not put a passphrase in as I want to be able to access the server using only my SSH keys! ls produces the following output in the .ssh directory.

control:~/.ssh bheese$ ls -al
total 48
drwx------ 7 bheese bheese 238 Mar 2 18:58 .
drwxr-xr-x 30 bheese bheese 1020 Feb 29 22:51 ..
-rw------- 1 bheese bheese 672 Mar 2 18:58 id_dsa
-rw-r--r-- 1 bheese bheese 626 Mar 2 18:58 id_dsa.pub
-rw-r--r-- 1 bheese bheese 5828 Dec 27 19:14 known_hosts


 

To log in to remote systems with your key pair, append the contents of id_dsa.pub to the authorized_keys file in the .ssh directory of the target account’s home directory on the remote machine (authorized_keys2 is a leftover from the protocol 1/2 split that OpenSSH still reads for backward compatibility, but authorized_keys is the standard name). The private key, id_dsa, never leaves your workstation; without a passphrase, anyone who obtains it can log in as you without a password, so keep its mode at 0600 as shown above. sshd will also silently ignore authorized_keys if the file, the .ssh directory or the home directory is writable by anyone but the owner. Once this is done, log into the machine with the account you set up authorized_keys for. You will not be prompted for a password.

One reason for doing this is to allow for scripting across the network. You can now write a script that reads a list of machines from a file (or from standard input) and runs the same command on each of them.
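The install step above, as an added example that is not part of the original post: a small shell helper that drops a public key into authorized_keys the way ssh-copy-id would (ssh-copy-id did not ship with Mac OS X at the time), while enforcing the permissions sshd’s StrictModes insists on and refusing to add the same key twice. The key in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into
# authorized_keys with the checks that make key login fail silently when
# they are missed. Run ON THE SERVER as the target user, for example:
#   install_pubkey "$HOME/.ssh/authorized_keys" "$(cat id_dsa.pub)"
# StrictModes also requires that $HOME itself is not group/world writable;
# that is outside this helper's scope.

# install_pubkey AUTHORIZED_KEYS_FILE PUBKEY_LINE
#   creates the .ssh directory mode 700, keeps the file mode 600, appends the
#   key only if its type+blob is not already present, prints the key count
install_pubkey() {
    keyfile="$1"
    pubkey="$2"
    dir=$(dirname "$keyfile")

    # a public key line is "<type> <base64-blob> [comment]"; refuse anything
    # else, which also catches a private key pasted by mistake
    case "$pubkey" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not a public key line: $pubkey" >&2; return 1 ;;
    esac

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile" || return 1

    # compare type+blob only, so a changed comment does not add a duplicate
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
    # count live key lines (non-empty, not comments)
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$keyfile"
}

# demo_install: a constructed placeholder key installed three times (once
# with a different comment) must appear once; prints "<key count> <file mode>"
demo_install() {
    d=$(mktemp -d) || return 1
    key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedplaceholder bheese@control"
    install_pubkey "$d/authorized_keys" "$key" > /dev/null
    install_pubkey "$d/authorized_keys" "$key laptop" > /dev/null   # same blob, new comment
    n=$(install_pubkey "$d/authorized_keys" "$key")
    mode=$(stat -c %a "$d/authorized_keys" 2>/dev/null || stat -f %Lp "$d/authorized_keys")
    rm -rf "$d"
    echo "$n $mode"                                                 # 1 600
}

demo_install
```

Because the helper only compares the key type and blob, you can re-run it from a deployment script on every host without growing authorized_keys each time, and the same script can revoke a key by deleting that blob’s line.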

Resources:

Barrett, D. & Silverman, R., (2001, Feb), SSH – The Secure Shell: The Definitive Guide, Sebastopol, CA: O’Reilly Press

Many times I want to change the permissions for an entire directory AND all its sub-folders to 755.

I could issue

chmod -R 755 ./*

BUT this gives every file execute permission as well… NOT something I want (and, because the shell glob skips dot-files, it also misses hidden files and directories).
A more finessed way of doing this is:

find ./ -type d -exec chmod 755 {} \;
find ./ -type f -exec chmod 644 {} \;
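As an added example (not the original post’s commands), here is the same two-pass find approach batched with {} +, alongside a one-pass alternative using chmod’s capital X bit, run on a constructed directory tree so you can see where they differ: X leaves already-executable files executable, which is sometimes what you want and sometimes not.

```shell
#!/bin/sh
# Added example, not from the original post: directories 755 and files 644
# two ways, and a demo on a constructed tree showing where they differ.

# fix_perms_find DIR: the post's approach, batched with "{} +" so chmod runs
# once per batch of paths rather than once per path
fix_perms_find() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# fix_perms_X DIR: one pass; X grants execute only to directories and to
# files that already have an execute bit, so scripts stay executable
fix_perms_X() {
    chmod -R u=rwX,go=rX "$1"
}

# count_perm DIR MODE: number of entries under DIR with exactly MODE
count_perm() {
    find "$1" -perm "$2" -print | wc -l | tr -d ' '
}

# build_tree ROOT: a/ (777), a/b/ (777), a/doc.txt (666), a/b/run.sh (755)
build_tree() {
    mkdir -p "$1/a/b"
    : > "$1/a/doc.txt"
    : > "$1/a/b/run.sh"
    chmod 777 "$1/a" "$1/a/b"
    chmod 666 "$1/a/doc.txt"
    chmod 755 "$1/a/b/run.sh"
}

# demo_perms: apply each method to a fresh copy of the tree and print
# "<n755> <n644>" for each, separated by "|"
demo_perms() {
    t=$(mktemp -d) || return 1
    build_tree "$t"
    fix_perms_X "$t/a"
    x="$(count_perm "$t/a" 755) $(count_perm "$t/a" 644)"   # a, b, run.sh / doc.txt
    build_tree "$t"
    fix_perms_find "$t/a"
    f="$(count_perm "$t/a" 755) $(count_perm "$t/a" 644)"   # a, b / doc.txt, run.sh
    rm -rf "$t"
    echo "$x|$f"                                            # 3 1|2 2
}

demo_perms
```

Use the find version when you want to strip the execute bit from everything that is not a directory (a web document root, for instance); use the X version when the tree contains scripts that must keep running.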

Have fun!

Want to capture a screen shot on your iPhone?

Hold down the sleep/power button and press the home button twice! Have fun