<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Muppethouse &#187; Open Source</title>
	<atom:link href="http://www.muppethouse.com/category/open-source/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.muppethouse.com</link>
	<description>innovation through duplication</description>
	<lastBuildDate>Fri, 30 Jul 2010 01:03:06 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Rockbox &#8211; I hated it, now I like it</title>
		<link>http://www.muppethouse.com/rockbox-i-hated-it-now-i-like-it/</link>
		<comments>http://www.muppethouse.com/rockbox-i-hated-it-now-i-like-it/#comments</comments>
		<pubDate>Mon, 15 Dec 2008 23:21:34 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Dorkness]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Open Source]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/rockbox-i-hated-it-now-i-like-it/</guid>
		<description><![CDATA[


On iTunes I can be listening to a podcast or an audio book then pause and sync with my iPod.  When I hop into the car and hit play it continues where I left off.  If I plug in my iPod when I get to work and I have iTunes there I can [...]]]></description>
			<content:encoded><![CDATA[<div style="float: right; margin-left: 10px; margin-bottom: 10px;">
<img src="http://www.mp3gaze.com/wp-content/uploads/sansac240.jpg" alt="" style="border: solid 2px #000000;" />
</div>
<p>On iTunes I can be listening to a podcast or an audio book then pause and sync with my iPod.  When I hop into the car and hit play it continues where I left off.  If I plug in my iPod when I get to work and I have iTunes there I can hit play and continue right where I left off.  I want to have the latest podcasts handy at all times, and it would be nice to have some music on my digital media player as well.  Syncing with iTunes mostly satisfies this goal by allowing me to select what playlists to sync, including smart playlists (which can search by relative published dates like &#8220;this week&#8221;).  The last I checked, iTunes only supports auto-fill on the iPod shuffle which has always confused me.  I want to have my latest podcasts, and then don&#8217;t waste the rest of the space&#8230; fill it up with some random music &#8211; it&#8217;s better than leaving it empty.</p>
<p>Portable media players are built to be sold, which sometimes coincides with usability and customer satisfaction, sometimes not.  People use these things when they are away from their computers &#8211; running, gardening, doing housework, or driving.  If a player makes me stop running or makes me pull off my garden gloves it fails to follow its primary purpose &#8211; play what I want and get out of the way.  From what I can tell, most people don&#8217;t listen to podcasts or audio books.  They load the music, shuffle, and never touch the thing outside of an occasional skip forward.  When you listen to an audio book or podcast you need to pause when you get a phone call or talk to the toll booth dude &#8211; music you just let it go.  Sometimes you miss something and need to scrub backwards.  Often you need to fast forward past commercials.  Podcast listeners also update their player daily, something that music-only users are unlikely to do.  These features do not seem unreasonable, but most players perform badly with these requirements, and the iPod is no exception.</p>
<p>This is all fine, except I don&#8217;t use iTunes.  My computers these days are filled with Linux goodness.  Linux distributions normally include Rhythmbox, Banshee, or Amarok depending on which way you swing.  I don&#8217;t have much experience with Amarok, but as of today Rhythmbox and Banshee both are unreliable for use with a portable media device.  Yes, you can get them to work once, twice, or five times in a row, but that sixth time is a big fat failboat.   They are sooooo close to being good, but in the meantime I end up not listening to my podcasts in the car.</p>
<p>The iPod is designed to work with iTunes and specifically attempts to lock out third-party clients &#8211; even though Apple doesn&#8217;t make a client for my platform.  MTP devices as I understand are more open to different clients &#8211; but that still has not led to a reliable experience for my MTP device.</p>
<p>Banshee supposedly worked well syncing MTP devices, so I scored this Sansa c240 for $20 in hopes of being able to reliably listen to podcasts in my car again.  Nope, it was no more reliable than the iPod &#8211; it&#8217;d flake out every few sync attempts.  The firmware on this bad boy was beyond horrible.  Each time the device starts the volume is at 50% &#8211; no matter where it was last time.  To turn up the volume you must find a song, play it, then press the volume up button about ten times (can&#8217;t hold it) to turn it up all the way.  On the plus side, at least it will remember where you were in a song if you happen to navigate back to the exact same track after booting.  Oh booting &#8211; that&#8217;s another thing.  It took about ten seconds to boot this thing up which is a long time to sit there waiting to find a song so you can turn up the volume.  The default theme made it near impossible to see what was selected, and scrubbing through a track was super slow and difficult.</p>
<p>Enter <a href="http://www.rockbox.org/">rockbox</a>, an open source firmware for a number of media players that is loaded with features.  I had tried rockbox in the past on my iPod Mini, but was turned off by the unnecessary complexity of the system.  This weekend though I put the latest rockbox on my Sansa, and I am rather impressed.  After messing with the settings I now have a player that boots up much more quickly and resumes my podcast exactly where I was last.  I solved my syncing problem quite simply &#8211; by not doing it.  The Sansa is a mass storage device so I can just copy things to it manually &#8211; but once I get off my butt I&#8217;m going to just set up rsync to automatically make sure I have only the freshest of podcasts loaded when I plug it in.  Rockbox can build its database on startup, which so far has been working quite well.  With the iPod or Sansa syncing with Banshee it would always rebuild the music database, which blew away the bookmark on what I was listening to &#8211; and I spend half the drive home trying to scrub through an hour-long podcast trying to get to where I left off.  </p>
<p>The games and applications with Rockbox are quite impressive running on this craptastic Sansa.  I particularly like bubbles, which appears to be a rebuild of Frozen Bubble, a simple Linux puzzle game.  Once I get my podcasts syncing correctly I&#8217;ll probably write up a script to do an automatic playlist generation.  I&#8217;d like to have a playlist each day that sorts my podcasts by published date so I can just play the top item to hear the latest content.  </p>
<p><span id="more-339"></span></p>
<p><strong>Further Thoughts</strong></p>
<p>The Sansa device has a micro-SD card slot in it, which is nice because I have a 1GB card laying around (it&#8217;s virtually useless in my Moto Razr).  The default firmware seems to just do an either/or thing &#8211; it cannot use the card and the built-in flash.  Rockbox can and does use both, effectively doubling my storage capacity.  I can use one card for music and the other for podcasts if I want.  The reason that the screen is unreadable with the default firmware is because they blew out the contrast for some reason&#8230; that and the fact that it is a horrendous display.  Rockbox lets me turn down the contrast.  </p>
<p>Format support is a big reason some people choose rockbox.  Normally I couldn&#8217;t give a shit about formats, I am fine using the patent-encumbered mp3 format.  That said, I&#8217;ve noticed that sometimes albums gathered from nefarious places are in a lossless format like FLAC.  If I don&#8217;t feel like reconverting them I can just slap it on rockbox and it works fine.  Ogg vorbis is pretty popular among those who care about openness, so occasionally I may download a podcast in ogg format.  Being able to play this on-the-go may come in handy someday.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/rockbox-i-hated-it-now-i-like-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Nautilus Google Docs Uploader</title>
		<link>http://www.muppethouse.com/nautilus-google-docs-uploader/</link>
		<comments>http://www.muppethouse.com/nautilus-google-docs-uploader/#comments</comments>
		<pubDate>Thu, 17 Apr 2008 03:38:27 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Programs]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/nautilus-google-docs-uploader/</guid>
		<description><![CDATA[Right click, upload to Google.  
I have been slightly interested in python for a while, but just never got around to actually writing anything.  Not that I am enough of a programmer to be particularly swayed by one language over another &#8211; but the path of least resistance for writing plugins and such [...]]]></description>
			<content:encoded><![CDATA[<p>Right click, upload to Google.  </p>
<p>I have been slightly interested in python for a while, but just never got around to actually writing anything.  Not that I am enough of a programmer to be particularly swayed by one language over another &#8211; but the path of least resistance for writing plugins and such for the Linux desktop seems to be python.  This was a simple project that taught me some basics, and since there isn&#8217;t a nicely developed perl module for the Google API I went on with the python.</p>
<p>Let&#8217;s say you just made a little spreadsheet in OpenOffice</p>
<p><img src="http://farm4.static.flickr.com/3199/2419558443_446955165a.jpg?v=0" alt="Openoffice" /></p>
<p>Now you want to share that amazingly complex spreadsheet with your lawyer on Google Docs</p>
<p><img src="http://farm3.static.flickr.com/2141/2419558445_1c89a99d5e.jpg?v=0" alt="Upload" /></p>
<p>Now it&#8217;s up there&#8230;</p>
<p><img src="http://farm4.static.flickr.com/3162/2419558437_8e914862d5.jpg?v=0" alt="google docs" /></p>
<p>and you can edit and share with friends</p>
<p><img src="http://farm3.static.flickr.com/2093/2420395180_59632f4869.jpg?v=0" alt="google edit" /></p>
<p>Nautilus, the Gnome file manager, lets you drop scripts of your choosing into ~/.gnome2/nautilus-scripts/.  When you run the script on a file through the right-click menu the file name gets passed to the script.  I knew this was possible, and have played around with OS X folder actions before, but I have to say that in practice this is a lot easier than AppleScript to me.  </p>
<p>Grab the <a href="http://www.muppethouse.com/scripts/gupload">python script</a> yourself, download and install the <a href="http://code.google.com/p/gdata-python-client/">gdata python API</a>, edit the file to have your own username/password, and right-click your way to uploading fun.  Disclaimer: this is just a quick and dirty thing, do not expect it to be good.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/nautilus-google-docs-uploader/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Arpwatch</title>
		<link>http://www.muppethouse.com/arpwatch/</link>
		<comments>http://www.muppethouse.com/arpwatch/#comments</comments>
		<pubDate>Sat, 25 Aug 2007 03:47:04 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Programs]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/arpwatch/</guid>
		<description><![CDATA[To wrap up script week, I&#8217;d like to talk a little bit about arpwatch.  Continuing on the theme of half-baked ideas, this was one that I was rather excited about as an entry level network engineer, but the complete lack of interest kinda took the wind out of my sails.  
Here is the [...]]]></description>
			<content:encoded><![CDATA[<p>To wrap up script week, I&#8217;d like to talk a little bit about <a href="http://en.wikipedia.org/wiki/Arpwatch">arpwatch</a>.  Continuing on the theme of half-baked ideas, this was one that I was rather excited about as an entry level network engineer, but the complete lack of interest kinda took the wind out of my sails.  </p>
<p>Here is the gist.  From my experiences I&#8217;ve never seen the use of NAC, 802.1x, or even simple switch port security.  I have to assume that many corporations remain blind to what devices are hard connecting to their local network.  Each ethernet device has a universally unique burned-in address.  It gladly shoots frames with this address out to the network as it attempts to get a dynamic address, or in response to another machine&#8217;s request.  Arpwatch just sits there and listens for new devices, and creates a log entry when there is a new one.</p>
<p>To me it just stands to reason that a security conscious company would be interested in what mac addresses have been seen on the network, when they were first seen, what VLANs they&#8217;ve been on&#8230; especially when it is so simple.  If you ask a branch office or campus LAN administrator what new mac addresses have shown up on the network TODAY, they simply cannot tell you.</p>
<p>So I thought it&#8217;d be a great idea to just set up a linux box with a trunk port to the corporate switches.  This would be able to sniff for every ARP on the network and keep an inventory of hardware addresses.  Since syslogs are a little lame, I made a database where this information was stored.  You could run reports like &#8220;show me all devices that first appeared on the network on either VLAN 50 or VLAN 60 between October 10th and 16th which had 3Com network cards&#8221;.  I also created scripts to use snmp to grab the dynamic cam table from Cisco switches.  The idea here is to be able to tie those hardware addresses back into the cam tables to tell us which port and switch the machine had connected to.  This seems rather obvious to me, and somewhat simple to implement.</p>
<p>I seem to have trouble not with coding or implementing these things, but with marketing.  As certain as I was that this is great information to have, there seemed to be no interest.  I&#8217;ve not seen any other tool attempting to do the same thing.  </p>
<p>Oh well, another ill-fated script.  Here is some code.  I don&#8217;t even know if I have all the pieces to this one.  I certainly don&#8217;t have the database schema.</p>
<p><a href="http://www.muppethouse.com/scripts/infile.pl">This one </a>does the parsing and importing of arpwatch logs.<br />
<a href="http://www.muppethouse.com/scripts/snmptest.pl">This one</a> does the grabbing of data from switches.</p>
<p>This is really old, so is not exactly &#8220;good&#8221; but I still think the idea is worthwhile.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/arpwatch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DNS Web Interface</title>
		<link>http://www.muppethouse.com/dns-web-interface/</link>
		<comments>http://www.muppethouse.com/dns-web-interface/#comments</comments>
		<pubDate>Fri, 24 Aug 2007 01:00:03 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Programs]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/dns-web-interface/</guid>
		<description><![CDATA[A long time ago I had searched around for a tool that would let you update DNS through a web interface.  There were a few commercial products that wanted to run their own database &#8211; but nothing that just made existing DNS infrastructure easier.  Sometimes it just doesn&#8217;t make sense to have folks [...]]]></description>
			<content:encoded><![CDATA[<p>A long time ago I had searched around for a tool that would let you update DNS through a web interface.  There were a few commercial products that wanted to run their own database &#8211; but nothing that just made existing DNS infrastructure easier.  Sometimes it just doesn&#8217;t make sense to have folks editing files with vim and hoping that there are no mistakes.  I know I am often guilty of adding a forward entry without a reverse too.  This was my attempt to solve this problem &#8211; and to automate some things that were being done manually.  I say make the computers do the work.</p>
<p><a href="http://www.muppethouse.com/scripts/dyndns.tar.gz">This package</a> is a collection of perl CGIs that use Net::DNS to dynamically update DNS.  Now in theory this could be any name server, but this was only tested with BIND.  You will need to enable dynamic updates to these zones for this to work.  You could add in security as well.  Here is what it provides:</p>
<ul>
<li>Forward and reverse entries created (and removed) with one simple form &#8211; type, click, done</li>
<li>TACACS+ authentication of users</li>
<li>Audit trail of all entries</li>
<li>New records show up instantly &#8211; no need to rndc reload or any of that jazz</li>
<li>Search tool to look through a zone for an existing record</li>
<li>Advanced configuration tool that can allow you to add/delete records such as NS, MX, or TXT</li>
</ul>
<p>There was also an automated piece to this that would automatically discover and create entries.  That was not at all generic so I have not included it.  It would be trivial to add your own script to pull from an ordering database or scan the network to find new devices &#8211; go nuts.</p>
<p>That&#8217;s all for now.  Comment if you find this useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/dns-web-interface/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Some Less Impressive Scripts</title>
		<link>http://www.muppethouse.com/some-less-impressive-scripts/</link>
		<comments>http://www.muppethouse.com/some-less-impressive-scripts/#comments</comments>
		<pubDate>Thu, 23 Aug 2007 01:13:19 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Programs]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/some-less-impressive-scripts/</guid>
		<description><![CDATA[Ok, so most of the scripts I have are of the disposable variety.  Someone may still find them useful.
Here is one that loops through the tacacs+ config file for folks whose password is going to expire soon, then sends out an email to them telling them to update their password.  This is generic [...]]]></description>
			<content:encoded><![CDATA[<p>Ok, so most of the scripts I have are of the disposable variety.  Someone may still find them useful.</p>
<p><a href="http://www.muppethouse.com/scripts/notify.pl">Here is one</a> that loops through the tacacs+ config file for folks whose password is going to expire soon, then sends out an email to them telling them to update their password.  This is generic and could be used for your blossoming spam business I suppose.</p>
<p>Ok, so let&#8217;s say you&#8217;ve got some Riverstone load-balancers and you&#8217;re moving over to F5 LTMs&#8230; <a href="http://www.muppethouse.com/scripts/riverstone2f5.pl">here is a script</a> that may or may not work for you to create a bigip.conf file.  Oh, and since Riverstone kinda sucks and it can be difficult to remove load-balance groups without botching the config, <a href="http://www.muppethouse.com/scripts/vipmigrate.pl">here is a command line tool</a> to give you a copy-and-paste template that should work.  Oh, and let&#8217;s say you want to build a graphviz drawing of your multiple sites of Riverstone load-balancers, you could use <a href="http://www.muppethouse.com/scripts/lblgraph.pl">my little program</a> to create a .dot file to visualize it.</p>
<p>Here is a <a href="http://www.muppethouse.com/compound.pl">really lame command line tool</a> that asks you some information about how much your net worth is, what you think your savings rate, growth rate, and inflation rate will be&#8230; then it asks you how much money you&#8217;d like to retire and it tells you when you can retire.  It&#8217;s kinda silly, you could do the same thing in a few minutes with MS Excel.</p>
<p>So let&#8217;s say you are like I used to be and you have your own personal LDAP directory for storing your contacts in &#8211; you know, because people do that.  And then let&#8217;s say that you have a server that runs spamassassin to block spam and you want to make sure to automatically whitelist anybody who is in your LDAP directory.  <a href="http://www.muppethouse.com/scripts/ldap2whitelist.pl">Here is a script</a> that can do that.  Again, this is just disposable perl.</p>
<p>Logging into Cisco routers with telnet and changing a few things can be easy.  <a href="http://www.muppethouse.com/scripts/cisco.pl">Here you go</a>.</p>
<p>Ok, that&#8217;s all for now.  More tomorrow.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/some-less-impressive-scripts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall Configs for your Manager &#8211; pix2xls</title>
		<link>http://www.muppethouse.com/firewall-configs-for-your-manager-pix2xls/</link>
		<comments>http://www.muppethouse.com/firewall-configs-for-your-manager-pix2xls/#comments</comments>
		<pubDate>Wed, 22 Aug 2007 01:07:05 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Programs]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/firewall-configs-for-your-manager-pix2xls/</guid>
		<description><![CDATA[If you have got Cisco Pix 7 firewalls and you&#8217;d like to have an easy to read spreadsheet to give an auditor, show your manager, or bring to firewall review meetings then this is a good tool for you (download here).  Alternatively, if you are a firewall administrator and have a tough time figuring [...]]]></description>
			<content:encoded><![CDATA[<p>If you have got Cisco Pix 7 firewalls and you&#8217;d like to have an easy to read spreadsheet to give an auditor, show your manager, or bring to firewall review meetings then this is a good tool for you (<a href="http://www.muppethouse.com/scripts/pix2xls.pl">download here</a>).  Alternatively, if you are a firewall administrator and have a tough time figuring out if you need to add a new object-group or if you have one you can reuse, this can be a useful program.  Pix has names, service groups, network objects, port ranges, network ranges&#8230; sometimes its just kooky trying to figure that all out on the command line.  Here are the bullet points -</p>
<ul>
<li>goes through a repository of configs and puts all the firewall rules into a nice spreadsheet with a tab for each firewall</li>
<li>for each rule, it actually shows you the hostnames and IPs of each group member</li>
<li>for service groups, it looks in /etc/services for the name of the service rather than just listing the port</li>
<li>descriptions of each group are put into those little cell note things, so you can just hover over to see more details</li>
<li>disabled rules show as grayed out</li>
<li>it actually works (unlike other cpan modules I tried to use to parse pix)</li>
</ul>
<p>This program I actually like because it does a whole lot in a fairly easy to understand way.  There is potential here beyond writing a spreadsheet.  All of the rules are broken out into a decent data structure, so it would be simple to use this as a starting point for writing a script to convert your ruleset to Netscreen or something.  To use the spreadsheet features this will require the Spreadsheet::WriteExcel module, but if you just want to parse pix it&#8217;s plain old perl.  </p>
<p>As a quick offshoot of this script I made <a href="http://www.muppethouse.com/scripts/compare.pl">this script</a> that uses List::Compare to look at the differences between firewalls in two sites.  It also shows lists of unused names and unused object groups for cleanup purposes.</p>
<p>A feature that I started implementing was the ability to do rule shading detection.  Let&#8217;s say rule one is deny any any and rule two is permit any any &#8211; clearly rule one makes any subsequent rule useless and misleading.  You Check Point people or fwbuilder folks have had this for a long time &#8211; but as far as I know in the Check Point and Netscreen world it seems like there is no such function.  Alas I never finished that part.</p>
<p>If you use this please drop a comment and let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/firewall-configs-for-your-manager-pix2xls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tacacs+ Web Interface</title>
		<link>http://www.muppethouse.com/script-week-tacacs-web-interface/</link>
		<comments>http://www.muppethouse.com/script-week-tacacs-web-interface/#comments</comments>
		<pubDate>Mon, 20 Aug 2007 23:32:00 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Programs]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/script-week-tacacs-web-interface/</guid>
		<description><![CDATA[In the past few years since I began writing perl I have collected a little arsenal of half-baked programs that have never really been exposed to the world, probably because I was too lazy to clean them up.  I decided that I would use this week to expose some of the programs that I [...]]]></description>
			<content:encoded><![CDATA[<p>In the past few years since I began writing perl I have collected a little arsenal of half-baked programs that have never really been exposed to the world, probably because I was too lazy to clean them up.  I decided that I would use this week to expose some of the programs that I have written over the years.  For the most part I worked on these until they worked rather than until they were done correctly, but they may serve as a starting point for someone else looking to do the same thing.</p>
<p>The first program on the list (<a href="http://www.muppethouse.com/scripts/tacacsweb.tar.gz">download here</a>) is a little web interface to the open source <a href="http://shrubbery.net/tac_plus/">tacacs+ AAA server</a> from shrubbery.net.  The Cisco SecureACS server can be fine, but if you need regular expression support in ACLs or a way of automating entries it may not be the tool for you.  That said, editing a flat config file can be problematic for some folks.  This was my quick solution.</p>
<p>This is just a series of CGI scripts that allows the user to admin the tacacs+ server without learning vi.  It includes the ability to add users, delete users, administrative password resets, show configuration, and test authentication.  When a user&#8217;s password is near expiration they can log in and change it.  Passwords are checked against the aspell dictionary to make sure that they&#8217;re not a simple word (yeah, there is room for much more improvement here).</p>
<p>There are also a couple little bonus scripts, one useful and one for fun.  The tac2rad.pl script is for tying the shrubbery tacacs+ user database in with a freeradius server with the MySQL back-end.  It copies the users and passwords over to MySQL from tacacs+.  The second, crack.pl, was just for my own learning experience.  It scours the config file for DES-encrypted passwords and cracks them if they&#8217;re simple dictionary words&#8230; which I somehow thought would be difficult&#8230; it is not.</p>
<p>I don&#8217;t maintain these or fix them, but if they&#8217;re useful to you drop me a comment and let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/script-week-tacacs-web-interface/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coverflow&#8230; meet fleow</title>
		<link>http://www.muppethouse.com/coverflow-meet-fleow/</link>
		<comments>http://www.muppethouse.com/coverflow-meet-fleow/#comments</comments>
		<pubDate>Sun, 01 Jul 2007 22:18:25 +0000</pubDate>
		<dc:creator>Ryan</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Open Source]]></category>

		<guid isPermaLink="false">http://www.muppethouse.com/coverflow-meet-fleow/</guid>
		<description><![CDATA[Sometimes I don&#8217;t understand why in the commercial software world companies like Apple purchase companies like coverflow.  There are amazing folks in the open source community like Macslow and David Reveman that continually show that innovation requires little more than dedication and one very talented individual.
Anyway, here is a plugin for Banshee called fleow. [...]]]></description>
			<content:encoded><![CDATA[<p>Sometimes I don&#8217;t understand why in the commercial software world companies like <a href="http://www.apple.com">Apple</a> purchase companies like coverflow.  There are amazing folks in the open source community like <a href="http://macslow.thepimp.net/">Macslow</a> and <a href="http://en.wikipedia.org/wiki/David_Reveman">David Reveman</a> that continually show that innovation requires little more than dedication and one very talented individual.</p>
<p>Anyway, here is a plugin for <a href="http://banshee-project.org/Main_Page">Banshee</a> called <a href="http://fleow.berlios.de/">fleow.</a>  It basically does what coverflow does, then some.  Sometimes commercial software is one step ahead, like with digital video editing &#8211; but watch out.  Open source is communal, counterintuitive, and a force to be reckoned with.</p>
<p><embed style="width:400px; height:326px;" id="VideoPlayback" align="middle" type="application/x-shockwave-flash" src="http://video.google.com/googleplayer.swf?docId=-1734504941290740534&#038;hl=pl" quality="best" bgcolor="#ffffff" scale="noScale" salign="TL"  FlashVars="playerMode=embedded"> </embed></p>
]]></content:encoded>
			<wfw:commentRss>http://www.muppethouse.com/coverflow-meet-fleow/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
