Sunday, September 29, 2013

Sync Files Across Your Macs With Unison

A while ago I wrote about Bittorrent Sync, basically your own bittorrent network for syncing your files on your home network. I wrote about it because they included a PowerPC binary with their Linux downloads, but unfortunately their OS X client required Intel, so if you wanted to use this on your PowerPC Macs, they all had to be running Linux.

This left me still out to sea. I use a mix of Tiger and Debian machines, so Bittorrent Sync ultimately wasn't for me (it's also closed source and unavailable for security auditing). So having tired of SFTPing my files around and expending brain power to keep all the versions straight, I went looking for another option, one like Bittorrent Sync where I could sync on my home network and without involving the cloud.

At first I looked at rsync, venerable I guess you'd call it, not old :), but that offers mirroring, not two-way syncing. Finally I stumbled upon Unison, an rsync-like utility that's exactly what I need, two-way syncing, and it's multi-platform--Windows, Linux, OS X, everything.

You can get Unison in command line form or as a GUI. The command line can be installed with MacPorts or Tigerbrew on OS X and is in the Debian repositories. Debian also has the GUI, unison-gtk. Does that leave OS X out of the GUI party? No sirree. Universal binaries for Tiger and Leopard have been made available here, and the thing to note is you need the same version on all computers. Meaning if you install 2.32 on Tiger from the previous link, you also must have 2.32 on every other system you're syncing with. Fortunately Debian makes multiple versions available for just this situation, so now I have 2.32-12 on my Tiger laptop and 2.32-52-gtk on my Jessie system (the 12 and 52 don't matter).

Using Unison is as simple or as complex as you want it. You can start by using the GUI app and then graduate to the command line for more complex operations which you can automate with cron jobs. But for now I'll give you a quick rundown of getting started with the GUI.

First, it's recommended you copy the folders you want to sync over to your target computer so you start out with identical folders. Then you start up the Unison GUI and create a profile. Here's an example for syncing my Tiger home folder with my Debian home folder on an iBook:

Unison profile on OS X

About the "Remote" part, note this is all done over SSH, so make sure you have Remote Login enabled in your OS X Sharing Preferences or have openssh-server running on Linux. Also note that SSH gives you rock-solid security (unless your password is "password"). For "Host", it could be xxx.xxx.x.xxx or your computer's hostname.

Now save it, but say you don't want to sync everything in your home folder. What if you only want Documents, Music, and Pictures synced? You could create a separate profile for each folder or mess around with symlinks, but a much better way is to edit your .prf file to define those paths. In OS X you'll find it in ~/Library/Application Support/Unison, and in Linux it's in ~/.unison. Here's a simple example of my "powerbook to icebook.prf":

# Unison preferences file
root = /Users/dan
root = ssh://dan@icebook.local//home/dan

# folders to sync
path = Documents
path = Music
path = Pictures

# filenames to ignore
ignore = Name .DS_Store
ignore = Name .localized

# save log file somewhere, anywhere but the home
# folder
logfile = /Users/dan/Library/Logs/unison.log


The first three lines were created when we saved the profile in the GUI, but the rest were added. In the second section, I define the paths of the specific folders I want synced (you don't have to write out the full path as the root is already defined in the first section), the third section tells Unison to ignore those hidden .DS_Store and .localized files in OS X, and the last section tells it where to save the log file (the default is your home folder).

The only trouble I had was with spaces in the folder names. Say I wanted to enter "path = Pictures/vacation photos"; it won't work. Adding \ or enclosing with quotes didn't work either, so the only solution I can think of is to eliminate the spaces in the original folder's name.

The procedure for all this is pretty much identical in the Debian GUI.

So now you want to get your sync on. So you start up Unison, double click your profile and perform the first syncing. Remember, you're starting out with identical folders, so the first sync is just Unison recording what's what. The only thing you have to note is the direction of the arrows. "-->" means local to remote and "<--" means remote to local. Mark all changes by clicking the left-to-right arrow, then click the "Go" button and it should finish shortly. From then on Unison should only transfer the files that have been changed, and only the parts of those files that need updating. That way you're not uploading huge files when you just need to update small parts of them.

This is also really useful for syncing to a USB thumb drive. You wanna minimize the writes, right? When setting up a profile for that, you just use the "Local" option instead of "Remote" and enter the drive's path. There are a couple of cautions for us PowerPC users, though, in syncing to a USB drive formatted as FAT32 (or any OS X to Windows syncing). Unison will give you errors about permissions and resource forks, so you want to add the following lines to your thumb drive profile:

perms = 0
rsrc = false


These will tell Unison to leave out permissions and resource forks. If you need to preserve resource forks, you can compress the file in a .sit container. And one more thing, when syncing make sure your drive is actually mounted, because if it isn't Unison will think the sync folder is empty and will attempt to delete your files. :o
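As an added example (my own code, not from the post and not part of Unison), here is a small Python guard for that last caveat: it refuses to run a thumb-drive profile unless the drive's path is really a mount point and carries a marker file you created on it once. The profile name, the mount-point argument and the marker filename .unison-root are assumptions.

```python
"""Guarded runner for a Unison profile that syncs to a removable drive.

Added example, not from the post and not part of Unison. It guards against the
failure mode described above: if the drive is not mounted, Unison sees an empty
folder and propagates the deletions. Assumes the profile's local root is the
mount point and that you once created a marker file (hypothetical name below)
on the drive itself."""
import os
import subprocess
import sys

MARKER = ".unison-root"  # hypothetical marker file you create on the drive once


def check_drive(mount_point: str) -> list:
    """Return the reasons a sync would be unsafe; an empty list means go ahead."""
    problems = []
    if not os.path.isdir(mount_point):
        problems.append("%s is not a directory" % mount_point)
        return problems
    # An unmounted drive leaves a plain (usually empty) directory behind.
    if not os.path.ismount(mount_point):
        problems.append("%s is not a mount point (drive not mounted?)" % mount_point)
    # The marker proves this is the drive you meant, not an empty stand-in.
    if not os.path.isfile(os.path.join(mount_point, MARKER)):
        problems.append("marker %s missing under %s (wrong or empty drive?)"
                        % (MARKER, mount_point))
    return problems


def run_profile(profile: str, mount_point: str) -> int:
    """Run 'unison <profile>' only when the drive checks pass; 2 means refused."""
    problems = check_drive(mount_point)
    if problems:
        for p in problems:
            print("refusing to sync:", p, file=sys.stderr)
        return 2
    # Running a saved profile by name; no -batch, so you still confirm the arrows.
    return subprocess.call(["unison", profile])


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: safe_unison.py PROFILE MOUNT_POINT")
    sys.exit(run_profile(sys.argv[1], sys.argv[2]))
```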

Anyway, here are a few more links for further reading, including all about syncing more than two computers--star topology--and all that. Have fun!

Unison Manual
UNIX/Linux: HowTo Use unison File Synchronizer
File Synchronization with Unison
Unison - ArchWiki

(UPDATE: Note to self, when changing the names of folders, make sure to also change the corresponding folder names in my .prf file. Otherwise much confusion arises.)

Wednesday, September 11, 2013

A Debian Jessie Update

Since Wheezy turned stable, I've been running Jessie on a spare iBook with varying degrees of success/heartbreak, so I figured I'd throw in a progress report for those of you who are curious about upgrading (DON'T!!!!!!!!!!). I keeed.

It's actually been smooth running except for a few very slightly minor bugs. Like sound, for instance. Completely broken. I don't know if this affects every sound card, but mine isn't detected with the new kernel. Also, suspend to RAM has a very slight, minor bug. Also completely broken. I left two bug reports, No sound on PowerPC with Jessie upgrade and Suspend fails on iBook G3 Dual USB PowerPC, in case anyone wants to add to the crickets left by Debian's kernel maintainers.

Both of these problems can be dealt with, fortunately, by an easy workaround. If you upgraded from Wheezy to Jessie, you can boot into the previous kernel (3.2.0-4) by hitting tab at the second yaboot prompt and typing in "old". Afterward, sound and suspend should be back to normal. You can also install the 3.2.0-4 kernel from a clean Jessie install by adding:

deb http://security.debian.org/debian-security wheezy/updates main

(that's a space between debian-security and wheezy/updates, not a carriage return) to your /etc/apt/sources.list. After installing, follow the instructions on the sixth post on this Ubuntu thread about editing yaboot.conf to tell it to boot a specific kernel.

I suppose those problems will eventually be fixed, but with the latest update I saw even worse news. Xserver-xorg-video-radeon was updated to a KMS-only version, meaning if you have a Radeon GPU and don't have KMS activated, it throws you back to the fbdev driver, so video playback will suck and you'll only see 8-bit colors. You can fix the 8-bit colors problem by passing the yaboot parameter "video=radeonfb:1024x768-32@60" at startup (replace 1024x768 with your native resolution). This is familiar to anybody who followed zen's guide to installing Lubuntu. However, this won't help you speed up video playback which, as mentioned, sucks with fbdev.

You can always activate KMS with the yaboot parameter "video=radeonfb:off", but there are downsides (along with the upside of enabling 3D). First, KMS breaks suspend on PowerPC and I found no indication work is being done to correct this. Also, your keyboard brightness keys may not work. But worst of all, when I tried enabling KMS on two of my machines, I got a black screen (iBook) and persistent system freezes after boot (Sawtooth). So KMS is totally unusable for me. So how do I get back my fast 2D desktop with decent video playback that I had with the old radeon driver?

(UPDATE: You can greatly improve window-dragging performance by running Compton ["compton -b" to run it as a daemon])

Fortunately you can downgrade select packages. I'm sure there's a more elegant way by using dpkg, but here's my quick and dirty way of downgrading to the previous radeon driver. First, edit your /etc/apt/sources.list and change all the listings from jessie to wheezy. Then do a sudo aptitude update to update the repositories, then switch to a console and kill X with sudo /etc/init.d/yourloginmanager stop, and then (on one line):

sudo aptitude remove xserver-xorg-video-radeon

Aptitude told me it needed to remove two dependencies, xserver-xorg-video-all and xserver-xorg-video-ati as well, so I said fine and proceeded. Next, I reinstalled the drivers using the old wheezy repositories with (one line):

sudo aptitude install xserver-xorg-video-radeon xserver-xorg-video-all xserver-xorg-video-ati

There's one more step and that's to put a hold on the radeon driver, that is, to tell your package manager to keep it at that version and never upgrade it. I found the instructions for that at Not So Frequently Asked Questions, but it's basically:

sudo -s

to make yourself root. And then (on one line):

echo xserver-xorg-video-radeon hold | dpkg --set-selections

and to confirm the new setting:

dpkg --get-selections xserver-xorg-video-radeon

Finally you'll want to revert back to the Testing repositories by restoring your edits to /etc/apt/sources.list and running sudo aptitude update again.

Afterward when I did a full-upgrade to upgrade all my packages, the video-all and video-ati packages were upgraded, which I didn't care about, but the radeon package remained at its old version. Now when you startx or reboot, your desktop should be back to its old snappy self.

I should note here that you should be cautious about putting holds on packages. It's possible to end up with a cascading number of packages held back from upgrades as the dependencies on that original held package build up. In this case with the radeon package it hasn't been a problem, but it's something to keep an eye on. I just made sure to save a note about how to hold and unhold packages from the above link.

(UPDATE on the paragraph above: No.)

One more snafu you should be aware of, the new gtk-3-0 update will break some themes causing gtk3 applications to quit immediately upon open. I'm not sure this is a bug that will ever be fixed since the problem is supposedly with the themes themselves. So if yours breaks, you can either wait for the theme maintainer to release an update or find a new theme (and given I hate all themes, except one which I find satisfactory but which is now broken, this is an unfortunate burden). --UPDATE: or you could take the gtk-3.0 folder out of your theme folder from ~/.themes and use gtk3 apps without a theme.

I didn't bother downgrading gtk-3-0 because it had too many dependencies. It would've gotten too weird.

(UPDATE on the paragraph above: Looks like this bug is fixed.)

So that's where Jessie is. I admit to being discouraged and depressed about it, especially on the graphics side. A few years ago I had this vision of Linux on PowerPC always getting better and better, but with support for older graphics cards being dropped left and right, and now this KMS-only business, it looks like we'll be patching together systems with sticks and chewing gum for the foreseeable future.

Maybe the Debian team can be convinced to realize they found perfection with Wheezy and to maintain it with security updates and backports for like the next ten years, or at least until our PATA hard drives burn out ;)

Sunday, September 1, 2013

Protect Your Surfing Over Public Wifi

Welcome to Part Three in a series of posts on privacy and security. Before, we talked about Tor and email encryption to keep the NSA away, but today's post will deal with the threats hackers pose, and probably your biggest vulnerability point, surfing over public wifi. Anytime you take your shiny old Mac to a Starbucks and have people gawk at its heretofore undiscovered form factor, you're connecting to a public network susceptible to hackers sniffing for and grabbing all your clear text data. They can see your surf habits, grab passwords, email, or worse. But you still want to surf, right? The solution to all this is encapsulated in the phrase encrypt all the things.

Let's start with the step so obvious I forgot to put it in the first version of this post ;) Turn on your laptop's firewall in OS X's Preferences --> Sharing --> Firewall, and also check that Stealth Mode is enabled by clicking the "Advanced..." button. Linux users can enable their firewall with ufw (Uncomplicated Firewall) or its GUI frontend, Gufw.

Back to encrypting all the things. The simplest and most basic thing you can do is install the Firefox add-on HTTPS Everywhere. This will enforce HTTPS encryption for all traffic on sites that support it and prevent those sites from reverting back to HTTP after you log in.

Got email to send? Encrypt it, or you don't send it. It's really that simple.

If you're chatting, use OTR (off the record) encryption. Pidgin and Adium support it. There's also a Firefox add-on called Cryptocat that in theory looks awesome but suffered a slight scandal recently when it was revealed it had a huge security hole caused by a rookie mistake by the developers. So you may want to avoid that.

As long as we're talking about Mozilla browsers, TenFourFox and Iceweasel users might want to take steps to protect their passwords because, locally anyway, they're, um, completely unprotected. In a fit of jealousy and envy at your beautiful PowerPC Mac, some miscreant could steal it and have access to all your passwords with a simple trip to the Preferences. So go into Preferences --> Security and set a master password. We don't want to make it that easy for 'em.

All that's well and good, but what if you want all your web traffic encrypted, not just HTTPS supported sites? Here's where things get cool. If you have an old Mac lying around not doing anything, you could turn it into a headless SSH server. Then you can set up a SOCKS proxy and tunnel all your web traffic at Starbucks through an encrypted connection to your home server and then on to its ultimate destination. Hackers locked out.

Setting up a server is as simple as it gets. On Debian Linux, if it's not already installed, just install openssh-server and it should automatically run as a daemon. On OS X, go to System Preferences --> Sharing and click the checkbox next to Remote Login. And that's it! Your computer's now a server. You may also need to forward a port on your router. Port 22, TCP only, is standard for SSH.

(UPDATE: I've also learned routers running on Tomato or DD-WRT firmware have their own SSH servers built in, so you don't even need another computer. Set up your router with instructions for Tomato or DD-WRT.)

Now that that's all set, let's open a tunnel from your obnoxiously chic coffee shop. In a terminal, enter:

ssh -CND 9999 user@hostname.com

where user is the username on the server machine and hostname.com is your server's ip address or a hostname you got from DynDNS or an alternative like No-IP or FreeDNS. You'll be prompted for the username's passphrase and you're in. It should be noted that for even better security, you can look into generating SSH public and private keys for passphrase-less login, but that's a bit beyond the scope here. Now leave the terminal window open and move on to configuring your browser.

Under Manual configuration, you'll want to set it to SOCKS host: 127.0.0.1, port 9999, SOCKS v5. Also, No Proxy For: localhost, 127.0.0.1. In TenFourFox, it looks like this (Preferences --> Advanced --> Network --> Settings):

TenFourFox proxy preferences

(Note, to switch back click the "No proxy" or "Use system proxy settings" button.)

To also prevent DNS leaks, go into about:config and change network.proxy.socks_remote_dns to "true." That way your DNS requests are encrypted through your SSH tunnel as well. To plug DNS leaks in other applications, Privoxy is your best option.
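To make the DNS-leak point concrete, here is an added example (my own code, not from the post, TenFourFox or OpenSSH) that encodes and decodes the SOCKS5 CONNECT request the browser hands to the ssh -D listener: a hostname travels as address type 0x03 and is resolved at the SSH server end, while a name the browser already resolved through the coffee shop's DNS arrives as a bare IP (type 0x01), which is the leak. The target name and address used in the test are constructed.

```python
"""SOCKS5 CONNECT encoding/decoding (RFC 1928): what the browser hands to the
ssh -D listener on 127.0.0.1:9999. Added example, not from the post."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
               0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
               0x04: "host unreachable", 0x05: "connection refused",
               0x06: "TTL expired", 0x07: "command not supported",
               0x08: "address type not supported"}


def client_greeting() -> bytes:
    """Method negotiation: offer only 'no authentication' (ssh -D needs none)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(target: str, port: int) -> bytes:
    """Build a CONNECT request. A hostname goes out as ATYP 0x03, so the SSH
    server resolves it (the socks_remote_dns=true case); an IP literal goes
    out as ATYP 0x01/0x04, which is all the proxy sees once the browser has
    already resolved the name through the local network's DNS."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes):
    """Decode a CONNECT request into (target, port, name_resolved_by_proxy)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return host, struct.unpack("!H", rest)[0], atyp == ATYP_DOMAIN


def parse_reply(data: bytes) -> str:
    """Turn the proxy's reply code into text so failures are diagnosable."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_CODES.get(data[1], "unknown reply %#x" % data[1])
```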

In TenFourFox/Iceweasel, anyway, you're good to go. Or as hackers might see it, gvES R∆∂®456E Rkop∫∆®∂ßghZX∂ ≈߃®∆∆kj lytudGFø πµ˜ç√ß∂ß®dfew∫µˆ∆†¥ ƒƒçFGESR˚∆ƒ©ß®ƒç∫∆ NMFGçƒ∆¬∆˚FXgfgdzdx ∫√∂ƒ≈∂ƒGFFDRGHY©√ƒ∂ƒ©g

Encryption humor. Then when you want to terminate the session, hit ctrl-c in the terminal and you're out. To keep from having to switch your browser preferences every time, you can create a separate user profile or look into an add-on like FoxyProxy.

That takes care of encrypted web browsing, but what about encrypting all your traffic, HTTP, NNTP, Bittorrent, everything? For that you need to connect to a VPN (Virtual Private Network). There are some free ones, but for anything good you have to pay. On the client side, Tunnelblick still supports Tiger and PowerPC, so go over and download that if you want to give VPNs a try. On Linux, openvpn is both a client and server package from the command line. And there's gadmin-openvpn-client for a GUI.

And for the truly adventurous, you can eschew VPN paid services and set up your own VPN server on that headless Mac we were talking about. I tried to do this with OpenVPN, but so far I've struck out. If your kung fu is better than mine, you can install openvpn with Tigerbrew or MacPorts (the port is called openvpn2) on OS X or with your package manager on Linux. I'll leave some links on the subject that may be helpful or may just pull you in deeper.

Some Mac-centric instructions:
http://remonpel.nl/2012/02/set-up-an-openvpn-server-on-your-mac/

Get easy-rsa here:
https://github.com/OpenVPN/easy-rsa (the instructions in the above first link show easy-rsa is installed with openvpn, but in newer versions you have to install easy-rsa separately)

How to solve a certain error message:
https://ubuntuforums.org/showthread.php?t=2001055

Alternately, you can set up a VPN server on your DD-WRT router:
http://sriramk.com/ddwrt-pptp-vpn

OpenVPN's HowTo:
http://openvpn.net/index.php/open-source/documentation/howto.html

Apparently there's some extra setup to get OpenVPN to really really tunnel all traffic through the server:
http://blog.johnford.org/openvpn-tunnel-to-home-server/

Finally, on the theme of security, Cameron Kaiser passed on word of a jaw dropping security hole involving sudo in OS X. Fortunately the fix is simple, and you can read in his comments section on how to use vi or nano to do it. Seriously, you'll want to fix this.