29th October 2005: Daylight Savings Time

It's time to put the clocks back again (in the UK, anyway). That's a bit of hassle for all of us, and those of us who dual-boot machines often have a bit of grief twice a year getting the clocks coordinated again.

There is another aspect to this, though. Suppose you know that something dodgy happened at 01:30 GMT (that is, the first 01:30 of the morning, before the clocks went back). Maybe a critical file was deleted, to which only steve and bob had write access. You know that bob had been logged in all weekend, so the sshd logs will not give you any evidence for or against Bob. The next morning, you see the following events in your system logs:

Oct 30 00:59:56 myhost sshd[8857]: (pam_unix) session closed for user steve
Oct 30 00:59:59 myhost sshd[8888]: Accepted keyboard-interactive/pam for steve \
from ::ffff: port 33085 ssh2 Oct 30 00:59:59 myhost sshd[8891]: (pam_unix) session opened for user steve by (uid=0) Oct 30 01:00:01 myhost sshd[8891]: (pam_unix) session closed for user steve
What you don't know from these logs, is: Was steve logged in for 2 seconds, or one hour and 2 seconds? Could Steve have deleted the file? Or is Bob the only suspect?

Okay, I failed to replicate this exactly on my system - I missed it by a second. What I did get was this:

Oct 30 01:59:59 turing sshd[9101]: (pam_unix) session opened for user steve by (uid=0)
Oct 30 01:00:01 turing sshd[9101]: (pam_unix) session closed for user steve
This can be clearly seen as being a 2-second login. That's the other side of the coin, of course.

There are a few ways around this - a mark facility would let you know what had happened, if run frequently enough:

Oct 30 00:59:59 myhost sshd[8891]: (pam_unix) session opened for user steve by (uid=0)
Oct 30 01:00:00 myhost marker[8432]: -- MARK --
Oct 30 01:10:00 myhost marker[8432]: -- MARK --
Oct 30 01:20:00 myhost marker[8432]: -- MARK --
Oct 30 01:30:00 myhost marker[8432]: -- MARK --
Oct 30 01:40:00 myhost marker[8432]: -- MARK --
Oct 30 01:50:00 myhost marker[8432]: -- MARK --
Oct 30 01:00:00 myhost marker[8432]: -- MARK --
Oct 30 01:00:01 myhost sshd[8891]: (pam_unix) session closed for user steve
This tells us that Steve was indeed logged in for an hour, not just 2 seconds. In that case, you should look more deeply into what both users were doing for that hour. However, the logfile quickly fills up with meaningless clutter this way.

This facility can be useful if you come in to work one morning and find that the system crashed in the middle of the night. Syslog will start logging again once it reboots, but if the machine is not configured to automatically reboot, or if it failed to reboot, the mark facility would at least pin down the crash to a 10-minute window. This would be useful if a customer complained that the service was unavailable at a certain time - you have evidence that the system was still up then, so that complaint is not related to the system crash. However, simply touching a file periodically would also provide such evidence. Another way around this is for the dst code to mark the event:

Oct 30 00:59:59 myhost sshd[8891]: (pam_unix) session opened for user steve by (uid=0)
Oct 30 02:00:00 myhost dst[8432]: Setting time back from 02:00:00 to 01:00:00 \
due to Daylight Savings Time policy Oct 30 01:00:01 myhost sshd[8891]: (pam_unix) session closed for user steve
NTP could do something similar, of course, assuming you are running NTP. If you care about the content of your system logs, you should really be running NTP against a reliable source in any case.

I think that the main candidate here would be NTP - it seems the most obvious place to put this. However, there seems to be an increasing trend (for largely good reasons) to split system logs across different files. This increases clarity and helps administrators to find relevant needles in an information haystack. This means that we can log all sorts of detail (in case it is later required) without cluttering up a single /var/{adm|log}/messages file.

The downside to splitting these events across multiple files is that each file needs to be updated when the clock is adjusted. I believe that this can be justified, as the system clock is something that every logfile relies upon for its accuracy and integrity, so that information is indeed pertinent to every single logfile, whatever type of event it is logging.

Another approach (I believe that Microsoft Internet Information Services takes this tack) is to log everything using UTC (that is the politically correct term for GMT). That sounds like a sensible approach initially (especially if you are in the UK - manually allowing for a one-hour difference during summertime is not a great inconvenience) but if you are in Australia, that must be a real pain at any time of year. Also, if you are reviewing some old system logs, and national policy on DST has changed, it can be difficult to be sure that the interpretation is accurate. Similarly, if you are checking the logs from a system in a foreign country of which you do not know the DST practices, there is room for confusion.

Yet another solution would be to append the timezone to every log:

Oct 30 00:59:59 BST myhost sshd[8891]: (pam_unix) session opened for user steve by (uid=0)
Oct 30 01:00:01 GMT myhost sshd[8891]: (pam_unix) session closed for user steve
This has a good number of benefits, in that system administrators around the globe can share event logs (they may be tracing the route of a worm around disparate systems owned by different organisations). On the downside, it does require that everyone knows the relationship between BST, GMT, and their own timezone. Email has a solution to this problem by appending the timezone's properties to the date:
Received: (qmail 15143 invoked from network); 29 Oct 2005 07:29:59 -0700
This would be translated into syslog format as:
Oct 30 00:59:59 -0100 myhost sshd[8891]: (pam_unix) session opened for user steve by (uid=0)
Oct 30 01:00:01 -0000 myhost sshd[8891]: (pam_unix) session closed for user steve
... or is it the other way around? I have never been quite sure. Tonight is a good chance for me to check this out easily.

Personally, I think that I would prefer that NTP would update every possible system log. There is a downside, of course - every syslog file would need the ntp.info event added to its loggable events. If you are interested in security, this strikes me as a price worth paying.

22nd October 2005: Replaced the dodgy Polo aerial!

Not sure of the proper date for this article, I think it was the 22nd October. I have finally got around to replacing the embarrassing yellow aerial, replacing it with a standard silver retractable one (7.99 from Halfords). I can finally associate myself with the car without feeling totally humiliated by the aerial. Whilst it isn't worth putting alloy wheels on the car, or anything like that, I do want to make it look a little bit more respectable than just a 12-year-old banger. I'm not the kind of person to go for spoilers, bumper kits and neon lights - especially on an old Polo, but I do fancy putting maybe a little bit of tasteful chrome on it (once I've fixed the parcel shelf and radiator grille, anyway). Maybe I'll even touch up the paint job, though I don't think that I'm likely to get around to dealing with the driver's door (it's a darker red than the rest of the car).

8th October 2005: Will SCO be around to collect if it wins?

An interesting article over at IT Manager's Journal about SCO. The facts-in-brief are:
  • The IBM / Linux court case is due in Feb 2007 (17 months away)
  • SCO have $13m in the bank
  • SCO are burning $2m per month
As the article says, in its charmingly American manner, "You do the math". I think my favourite quote of the article is:
Licensing sales for the quarter were $32,000 [ ... ] Meanwhile, the expenses associated with those licensing sales came in at $3.085 million
Now that's an interesting way of making desperately-needed money.
The above might not be my favourite quote, though - that prize could be reserved for the final sentence / sentance:
In summary, it should be obvious that from an investment viewpoint, SCO is unlikely to make the cut on anyone's list, unless they are looking at it in the same way you might view a lottery ticket.

3rd October 2005: A Radio!

When I bought the Polo, it had no stereo installed. It had a bunch of cables under the dash (and some mains cabling going under the upholstery to the rear of the car... the rear speakers had been removed, along with (why?!) the existing cabling, so some previous owner had obviously replaced the existing wiring with the mains cable. They had also ripped out two holes from the parcel shelf to hold two large-ish speakers.
When I say bunch of cables, that's exactly what I mean - the VW adapter was long gone, there was an adapter with cables to the front speakers, and connector feeding power down to the cigarette lighter, which had apparently also previously fed power to a stereo. Totally non-standard stuff... someone with half a clue about electrics has owned this car before - I'm almost surprised not to find cabling for blue neon underneath the car.
I bargained a few quid out of the guy because of the lack of working stereo; he responded by throwing in an old Panasonic stereo he "happened to have in the house". I don't have much opportunity to trawl around shops, what with having a job, and all, so I've been on the internet looking for anything which looks vaguely like the connector on the Panasonic, with absolutely no success. I took the radio to one shop on Saturday, and they just said "We're not a Panasonic dealer; try the Yellow Pages". So I had a look on Google Local, and found a local place, phoned them to check that they did have Panasonic connectors, and drove down there. He had a look at it, declared it "too old" - apparently, he'd shifted 2 boxes of stuff the previous day, which may (or may not) have included such a connector, so I just bought a new stereo (I needed a cage, anyway) for £35. (Plus another £13 for an antenna adapter). It's a Blaupunkt from a Honda, but it doesn't look out-of-place on the dash, unless you're terribly aware of brand names.
On the first attempt (getting late (i.e., dark) on Saturday, now), I blew the fuse so that was that for Saturday. The Haynes manual claims that the circuit is controlled by fuse #11, so I looked at that, and it was fine. Late that night, I looked at fuse #12, and it had blown. So the Haynes manual is wrong. That's a bit worrying - I've been using Haynes as my bible, so it's a bit disturbing to find errors in it. Over the 5 years this car was built (in Spain, believe it or not, for a VW), many tweaks have been made, but this strikes me as a strange change to make. I had another go on Sunday afternoon (Grandma generously looked after the kids, whilst Jackie had a well-earned break, and I played with the car), with the help of a voltmeter, I switched on the interior light (same circuit, so I could easily see at which point the fuse blew), checked the output from the pins with the ignition key both removed and inserted, then plugged it back in again, and it Just Worked™. As a bonus, it came straight on to Radio 4.
So I now have a working stereo in the car.

That seems to make a big difference, somehow... Now I've had the car for 3 weeks, and no stereo, I've got used to that, but it's so nice to have Radio 4 back again. Of course, on a Sunday afternoon, there's nothing on the radio, so I had to put an Elvis Costello tape into the deck.

Tape deck?!!! I hear you ask. Yes, that's right. For £40 I could have got a new CD player, but I paid £35 for a 2nd-hand tape/radio unit. I got a CD/Tape adapter from eBay (1p + £4.99 shipping!) and there's an MP3 Player in the post. I don't relish the idea of keeping CDs in such an old, easily-broken-into car, so a removable MP3 Player seems like a better choice. True - any car is easily broken into, but this car has no cover on the glovebox, and nowhere to hide CDs, so it's advertising the CDs and the CD player. Plus an MP3 Player is so much more 21st Century!

This particular MP3 Player also has bluetooth, so it acts as a headset for your phone, too - no idea how I'll incorporate that (if I bother at all - I plan to use this car for 2 mile journeys, so should be no need to use the phone at all). Why did I buy this £64 device for a £35 stereo on a £475 car? Well, my wife joined a health centre, with a £60 voucher because a friend of hers also joined the club. They offered this MP3 Player for £64 (free P&P) so it cost me £4 - not bad for a 256Mb device, by any reckoning, with or without Bluetooth.

If I can plug in a microphone, I'll have the kind of funky setup which Audi A6 owners pay hundreds of pounds for, all in my humble Audi 50 (the original name for the Polo).

I know I've promised photos, so here are my excuses:

  • I can only take photos in daytime
  • I'm at work in the daytime - once I get home, I'm with the kids until nightfall
  • Weekends I'm also with the kids - any daytime I do get at weekends, I'm tweaking the car (still got to fix the rear-window demister, and something else I can't just think of at the moment)
  • I've still not ditched the yellow aerial, and I don't relish any pictures of the car with that horrible yellow aerial!

Random blog - October 2005
Share on Twitter Share on Facebook Share on LinkedIn Share on Identi.ca Share on StumbleUpon
My Shell Scripting Book:
    Shell Scripting, Expert Recipes for Linux, Bash and more
is available online and from all good booksellers: