
Dark Fiber in Tacoma, Washington – letter

Posted on July 11, 2014

I don’t want to talk about the fact that in the United States what we pay for internet connectivity is 2.5 times what a similar service in the UK costs and almost 7 times what we would pay in South Korea or about the fact that our internet is ranked 31st in global speed ratings.

What I want to talk about briefly is our responsibility to make the best use of the “connectivity” resources in Tacoma to ensure their availability for our hospitals, schools, businesses and the people that are living and working here now, and to manage these resources so that they are available for the businesses that we want to grow here in the future.

The mayors of San Francisco, Ed Lee, and Seattle, Ed Murray, said it in a piece they wrote together earlier this month in the SF Gate.

“A free Web also serves as the entrepreneurial laboratory for hundreds of new startups that are driving a new piston in America’s economic engine – one creating new jobs and sharpening the country’s competitive edge.”

The Electronic Frontier Foundation had more to say about enabling a free web in an article addressing the U.S. Conference of Mayors in Dallas including steps that the Mayors could take to help keep the internet open and available.

“there are two things Mayor Lee can do right now to protect the future of our open Internet: strongly support municipal wireless and light up the dark fiber that weaves its way under the city of San Francisco. And other mayors around the country have the same opportunity, if they’ve got the will to take it.”

We need to carefully consider these comments and what they might mean to our future here in Tacoma as we work with Click! and the existing unused dark fiber under our roads.

Please check the links to both of these articles for more information.
SFGate article

EFF Article

Simple backup script for Single Server Zimbra Community

Posted on July 11, 2014

This is just a simple script that I wrote to manage backing up a single server installation of Zimbra Community. It needs some attention, additional tests, etc. but works as is with Zimbra 8.x on an Ubuntu 12.04 server installation. Of course you will need to change IP addresses to suit your environment…

—– start of script —–

#!/bin/bash
# 6.4.14
# run this as root
# should we run zmcontrol stop before we backup ldap
# exclude the ldap database directory from the rsync operation
# this assumes an ssh connection to the destination for the rsync

# settings: the values below are placeholders, change them to suit your environment
RSYNC_LOC=/usr/bin/rsync                        # path to the rsync binary
SOURCE=/opt/zimbra/                             # what to back up
DEST=BACKUP_USER@BACKUP_HOST:/PATH/TO/BACKUP/   # ssh destination for the rsync
EXCLUDE=PATH/TO/LDAP/DATABASE/DIR               # ldap database directory, relative to SOURCE

# one log file per day of the week (double quotes so that $(date) is expanded)
BACKUPLOG="/opt/backuplog/backup_$(date +%a).log"

if [ "$(whoami)" != root ]; then
    echo "Error: must be run as root user"
    exit 1
fi

# create a log file with the date
# need to test for existence of directory – if not exist make the directory – then
touch "$BACKUPLOG"

# set a start time
START1=$(date +%s)

# send the start time to the log file
echo "Time backup started = $(date +%a) $(date +%T)" >> "$BACKUPLOG"

# execute the live sync…
# test for exist rsync – if not exit else then
# test for exist source and dest – if not either one – exit else
echo "syncing files from $SOURCE to $DEST"
"$RSYNC_LOC" -avH --exclude "$EXCLUDE" --delete "$SOURCE" "$DEST"

# set a finish live sync time and calculate the difference
FINISH1=$(date +%s)

# i will use the times to output to a log file later
echo "total time live rsync $(( (FINISH1 - START1) / 60 )) minutes, $(( (FINISH1 - START1) % 60 )) seconds" >> "$BACKUPLOG"

# start the clock again
START2=$(date +%s)

# next backup the ldap database to a local spot – may not work if there is a file there
# test for exist – if not exist – exit else


# now sync the database with the remote destination

# run rsync again to try and catch any files that might have been in use
# sync again – should not take long
"$RSYNC_LOC" -avH --exclude "$EXCLUDE" --delete "$SOURCE" "$DEST"

# here we should gather some info on the condition of the server, etc and stick it in the log file.

FINISH2=$(date +%s)
echo "total time services down: $(( (FINISH2 - START2) / 60 )) minutes, $(( (FINISH2 - START2) % 60 )) seconds" >> "$BACKUPLOG"

# Display Zimbra services status
echo "Displaying Zimbra services status" >> "$BACKUPLOG"

su - zimbra -c "/opt/zimbra/bin/zmcontrol status" >> "$BACKUPLOG"
# We need to clean up some things like removing the data.mdb file from /opt/ldapbackup because mdb_copy destination has to be empty

echo "Good bye" >> "$BACKUPLOG"
exit 0

#### will grow this after some testing ####

11 steps to a better relationship…with your data.

Posted on April 19, 2014

New Year’s Resolutions – Keep your data Yours.

After reading some new information regarding the Target data breach in December that exposed the personal and financial information of more than one hundred and ten million people (110,000,000) we at 2bridges Technologies thought it would be wise to go over some simple things that we can all do to help protect our own private data from loss while online.

1- We know it is an inconvenience but it is important to lock every digital device that you own and use.

    Use a Pin code. Make it longer than 4 numbers if you can.
    Picture passwords are arguably better than pin codes
    Actual passwords/phrases are better than either.
    The jury is out on Apple’s fingerprint reader – it has been breached but it is better than nothing

2- Make sure your computer and device screens auto lock after a time limit and require a password to log back in. Don’t leave your computers unattended at work. On Windows machines just get in the habit of using WindowsKey-L whenever you step away from your desk. On Macs use Ctrl-Shift-Eject (or Power if your computer doesn’t have an eject key).

3- Make sure your antivirus and anti-malware software is up to date and running. I know that even though antivirus software isn’t proactive and does not protect you from certain types of security threats, it is still one very important component of any security plan for individuals or businesses. If you don’t have any installed – find a reasonable vendor and install it. Windows 8.x comes with this built in – but there may be better choices.

Don’t skip this step just because you own a Mac. Many thousands of Macs are still infected with a two year old trojan (OS X Flashback) because people assume that their computer doesn’t require protection, or don’t do their updates.

4- Make sure you install security updates for your OS and other software.

5- Have a good router/firewall between you and the internet – always. This is one of the most important things to implement. No kidding. When you travel have a “travel” wifi/ethernet router. Don’t plug directly into a hotel’s wifi/ethernet. These little routers are very reasonably priced and smaller than a deck of cards.

6- Never use public wifi anywhere unless you have a VPN loaded on your laptop/tablet/phone. It is trivial to capture your network traffic (including your logins and passwords) without this. If you don’t want to use a commercial VPN company (because you think they are a front for the NSA) make sure your home router supports VPNs and then you can direct all of your internet traffic through that when you are away from home. VPNs encrypt all of your in-transit internet traffic. Use a vetted open source VPN like OpenVPN.

7- This really should be in first place but I’m too lazy to renumber everything. Back up your stuff. Unless you don’t care about it. Take one of the backups off your network – CryptoLocker and its ilk are not going away.

8- Use multifactor authentication if it doesn’t make you crazy. Many of the services you use offer this. Twitter, Facebook, Dropbox, Gmail, Apple, Evernote, Paypal, Microsoft, Amazon web services, etc.

9- Clean up your browser. Get rid of old, non functioning, out of date extensions and add-ons. Check your system to make sure that you are only using the latest version of flash and java (if you have to use them). I recommend that you reserve a browser for all of your online banking, etc. that does not have any of those extensions loaded. Have a separate browser for your ‘web surfing’.

10- Audit your passwords – 2bridges does not recommend storing your passwords in your browsers – We highly recommend a service such as LastPass that encrypts your passwords and stores them only on your computer.

LastPass has been well vetted and recommended by a number of security experts. The LastPass software uses what is called ‘TNO’ (trust no one) technology that ensures only you have access to your encrypted keys – no third parties. Once you load software like LastPass it will import all of your current passwords that are stored in your browser, allowing you to remove them. Do not have it remember your password, especially on portable devices.

11- If you want to join the ranks of the truly cautious (some say paranoid) use a tool like TrueCrypt to encrypt the data on all of your computers and your backups. Store the encryption key somewhere off premise or just memorize it and burn the paper copy.

If you have questions about any of these items or just want to talk with someone about a plan of action, give me a call at 2bridges Technologies. We love to talk about this kind of stuff.

The Heartbleed Bug

Posted on April 13, 2014

by 2bridges CIO, Ken Lombardi

I know there is a great deal of information about Heartbleed on the Internet but I wanted to take a couple of moments to quickly describe the issue, tell you what we at 2bridges Technologies have done to ensure the safety of clients using our services, and also to lay out some steps that you can take to protect yourself as this problem evolves.

Briefly, the Heartbleed bug is simply a security vulnerability in one part of a recent version of OpenSSL (exploit in the heartbeat – hence heartbleed). OpenSSL software itself is used by a large number of services such as web servers, email services, and VPN tunnels. It is used to protect the transmission of logins, passwords and data as it travels across the open internet.

A software ‘tool’ has been built by some nefarious people to exploit this vulnerability, allowing certain information to be gathered from vulnerable servers very easily by anyone with the ‘tool’. Even though only a small amount of data can be gathered with each probe from the tool (64k), the bad guys just send the appropriate ‘request’ over and over again until they can gather lots of useful information to sell or reuse themselves. They get a lot of junk but also logins, passwords, and keys used to encrypt data. Generally not a good thing.

At 2bridges Technologies we, along with many other companies offering services on the Internet, quickly responded to the release of this information by auditing our firewalls, switches, routers and servers to ensure that the version of SSL in use was either not vulnerable or to ensure that any patches required to protect against this exploit were installed and tested.

We were very fortunate and none of our internet based services were impacted. None of our firewall appliances are vulnerable to this bug and all of 2bridges hosted services have also passed with a clean bill of health. Our Microsoft based solutions do not use OpenSSL so have no attack surface at all in this case.

Sadly some other sites on the net were not as fortunate as 2bridges Technologies. A number of sites that realized they had been vulnerable have published that information so that their patrons would be aware and take appropriate measures. We should thank them for being fast acting and informing us and helping us protect our personal information. Some very straightforward steps should be taken by Internet users in these cases.

Here are some of those sites –

These services all seem to have been patched:

1. Facebook
2. Instagram
3. Pinterest
4. Tumblr
5. Twitter
6. Google
7. Yahoo
8. Gmail
9. Yahoo Mail
10. GoDaddy
11. Intuit Turbo Tax
12. Dropbox
13. Minecraft
14. OkCupid
A much longer list is available at GitHub

If you use any of these services the Department of Homeland Security has posted some valuable information concerning measures to take. See their blog at:

To quote them:

Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.

Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages.

After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.

Two additional steps that you should take are:

1) Use two factor authentication whenever possible. Services like Google, Facebook, Twitter, LastPass and many others offer this feature. 2bridges will post an article in the near future to introduce this process in an “easy to understand” way. Current LastPass users can check all the sites they have in their database and get a list of those that require a password change.

2) Revoke and recreate personal access and application tokens that you might be using for Google, Yahoo, Pinterest, etc.

GitHub has been very involved in getting information to the public about this vulnerability and they have compiled a number of valuable lists. At this location they list the results of testing on one thousand websites on April 8th.

Several organizations and individuals have been kind enough to post tools that can determine if a site is vulnerable or not. These tools are very straightforward and easy to use. Just enter a site you are curious about and wait a moment for a report.

If you are interested in delving deeper into this issue and other security matters there are two places I can highly recommend.

Schneier on Security at
Krebs on Security at

Both offer very interesting perspectives and sometimes eye opening information about security issues.

Installation of zimbra 8.06 Collaboration Server Open Source on a hyper-v vm

Posted on April 10, 2014


March 2014 – ken lombardi

Well – I thought I would jot down some notes while I was installing ZCS – Open Source on a Hyper-V cluster. Single server installation.

In the short time since this installation we have all been confronted with the Heartbleed exploit so right up front I am going to say – make sure, when you are done, to check the version of openssl that you are running.

openssl version -a

You will want to take a look at the build date – make sure it is equal to or greater than April 7 of 2014
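The check above as a script, added here as an example (it is not part of the original notes). It reads the text printed by `openssl version -a` and combines the version with the build date, because distributions such as Ubuntu backport the fix without changing the version string. The function name, verdict words and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `openssl version -a`.
# Live use:  openssl version -a | heartbleed_status

heartbleed_status() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    ver=${ver%-fips}                      # e.g. "1.0.1e-fips" -> "1.0.1e"
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi

    # Upstream releases that shipped the heartbeat bug: 1.0.1 through 1.0.1f
    # and the 1.0.2 betas. 1.0.1g and the 0.9.8 / 1.0.0 branches are not affected.
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) ;;
        *) echo not-affected; return 0 ;;
    esac

    # A library compiled without the heartbeat extension has nothing to leak.
    case "$out" in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled; return 0 ;;
    esac

    # Same version string before and after a backported fix, so use the
    # build date line:  "built on: Mon Apr  7 20:33:29 UTC 2014"
    built=$(printf '%s\n' "$out" | awk '
        $1 == "built" && $2 == "on:" {
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
            if (length($4) == 3 && m % 3 == 1 && $5 ~ /^[0-9]+$/ && $NF ~ /^20[0-9][0-9]$/)
                printf "%04d%02d%02d\n", $NF, (m + 2) / 3, $5
            exit
        }')
    if [ -z "$built" ]; then
        echo unknown-build-date
    elif [ "$built" -ge 20140407 ]; then   # April 7 of 2014, as stated above
        echo built-after-fix
    else
        echo vulnerable
    fi
}

# Constructed sample outputs (not captured from a real server).
sample_output() {
    case "$1" in
        old)     v="1.0.1 14 Mar 2012";  b="Wed Jan  8 20:45:51 UTC 2014"; f="" ;;
        rebuilt) v="1.0.1 14 Mar 2012";  b="Mon Apr  7 20:33:29 UTC 2014"; f="" ;;
        101g)    v="1.0.1g 7 Apr 2014";  b="Tue Apr  8 09:12:00 UTC 2014"; f="" ;;
        nohb)    v="1.0.1e 11 Feb 2013"; b="Tue Mar  4 10:00:00 UTC 2014"; f=" -DOPENSSL_NO_HEARTBEATS" ;;
    esac
    printf 'OpenSSL %s\nbuilt on: %s\nplatform: debian-amd64\ncompiler: cc -fPIC -DOPENSSL_PIC -O2%s\n' "$v" "$b" "$f"
}

for s in old rebuilt 101g nohb; do
    printf '%-8s %s\n' "$s" "$(sample_output "$s" | heartbleed_status)"
done
```

The verdict only describes the library on disk; services that were already running keep the old copy loaded until they are restarted.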

I hope this helps someone get this pretty straight forward installation up and running. What a great email server.

Here goes.

First I built vm with 4gb ram and 20gb hd
Set network card to vlan2 (adjust to your needs) – we use vlans to manage ip space – if you are doing this on your local box or? you most likely won’t be using vlans. YMMD
Installed ubuntu 12.04
Only included open ssh server in addition to core components (see note above – confirm safe version when done)

I set a static ip during installation

192.168.x.2 gw
Set name servers to 192.168.x.3
(of course all of these types of things need to be changed to meet your needs)

– why does it take sooooo long to install? –

Logged in as me

sudo su (yeah I know we are supposed to sudo each command but I am old and what’s the worst thing that could happen? – so just remember as you look at the commands during the installation – unless I specify otherwise I am running them in an elevated state – as root)

apt-get update
apt-get upgrade

wait awhile for this to finish – good to go


set hostname to zimbra2b
(again edit to suit your needs – we own that domain so I just used it for testing)

hostname --fqdn =

I am going to use bind9 instead of dnsmasq (because Chris hates dnsmasq sooooo much)
dnsmasq may be a little lighter weight and easier to config – but maybe you want to use this computer as a full fledged DNS server for your domain(s) as well as a mail server…

apt-get install bind9


Now edit /etc/bind/named.conf.options
Add the forwarder dns server ip address – I used and changed the default directory to “/etc/bind”
I used vi – you use the editor of your choice. This is what it looked like when I was done.

options {
        directory "/etc/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        forwarders {
                // your forwarder dns server ip address goes here, followed by a semi-colon
        };

        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See
        dnssec-validation auto;

        auth-nxdomain no; # conform to RFC1035
        listen-on-v6 { any; };
};

Now add a zone to named.conf.local

klombardi@zimbra2b:/etc/bind# vi named.conf.local

// Do any local configuration here

// Consider adding the 1918 zones here, if they are not used in your
// organization
// include "/etc/bind/zones.rfc1918";

zone "" {
type master;
file "";
};

You can store your zone files wherever you want – if you are going to do lots with bind you might want to change the location – your call. I was lazy and just put them in with the other config files. Note that in the named.conf.options you can change this directory.

Then create the data file

vi /etc/bind/

Here is the content of mine

root@zimbra2b:/etc/bind# more

; BIND data file for local
$TTL 604800
@ IN SOA (
2014032702 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN A 192.168.x.99
  IN NS
  IN MX 10
zimbra2b IN A 192.168.x.99

Keep in mind that there are lots of ways to do this…try whatever works for you.
What’s the worst thing that could happen? – You will have to fix it.

Then I edit the /etc/network/interfaces to put the name server ip for this machine in 1st place. I used because I know that I am going to be moving this box to a different IP when it is put into service.

root@zimbra2b:/etc# more network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
# dns-* options are implemented by the resolvconf package, if installed

You may want to edit the /etc/resolv.conf file by hand to reflect this change.
Now reset the bind9 service

root@zimbra2b:/etc# service bind9 restart

you could use
/etc/init.d/bind9 restart

Here are some places for background…


Now you will want to test your configuration…missed semi-colons can cause ‘issues’
(ok – so I missed a semi-colon, oh yeah, and a period, oh yeah and some letters)

root@zimbra2b:/etc/bind# dig mx

; <<>> DiG 9.8.1-P1 <<>> mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29296
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
; IN MX

;; ANSWER SECTION:
604800 IN MX 10

;; AUTHORITY SECTION:
604800 IN NS

;; Query time: 3 msec
;; SERVER:
;; WHEN: Fri Mar 28 17:04:15 2014
;; MSG SIZE rcvd: 89

You may want to check DNS resolution for someplace out in the real internet too.


Now go to zimbra and download the zcs file for ubuntu


This is the file that I downloaded.

Extract (de-tar?) this file.

root@zimbra2b:/home/mydirectory# tar -xvf zcs-8.0.6_GA_5922.UBUNTU12_64.20131203103702.tar

Cd down into the zcs-8.0.6_GA_5922.UBUNTU12_64.20131203103702 directory and execute the file

(remember that the name of the file you download from zimbra may have a different name)


Checking for prerequisites…
FOUND: netcat-openbsd-1.89-4ubuntu1
FOUND: sudo-1.8.3p1-1ubuntu3.6
FOUND: libidn11-1.23-2
FOUND: libpcre3-8.12-4
MISSING: libgmp3c2
FOUND: libexpat1-2.0.1-7.2ubuntu1.1
FOUND: libstdc++6-4.6.3-1ubuntu5
MISSING: libperl5.14

Checking for suggested prerequisites…
MISSING: pax does not appear to be installed .
FOUND: perl-5.14.2
MISSING: sysstat does not appear to be installed.
MISSING: sqlite3 does not appear to be installed.


The suggested version of one or more packages is not installed.
This could cause problems with the operation of Zimbra.


I had to stop here and install the missing prerequisites… listen to some music.
It sure is nice that it checks and lets you know….up front (try to spell the packages right)

You can do them one at a time or all at once…your choice.

apt-get install libgmp3c2 libperl5.14 pax sysstat sqlite3

For some reason I insist on sqllite3 or sql-lite3 or anything but the right spelling. I suppose I could copy and paste…

Once all that is done run the installation script again. Install all of the items you need (I install them all thinking that someday I will use ldap and radius)

– why does it take sooooo long? – I need to get faster computers, eh?

This is what you should see (this may change over time but I have no control over that)


Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create:
******* +Admin Password UNSET
+Anti-virus quarantine user:
+Enable automated spam training: yes
+Spam training user:
+Non-spam(Ham) training user:
+SMTP host:
+Web server HTTP port: 80
+Web server HTTPS port: 443
+Web server mode: https
+IMAP server port: 143
+IMAP server SSL port: 993
+POP server port: 110
+POP server SSL port: 995
+Use spell check server: yes
+Spell server URL:
+Configure for use with mail proxy: FALSE
+Configure for use with web proxy: FALSE
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email:
+Version update source email:

4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

Address unconfigured (**) items (? – help)


Note that the admin password needs to be set. Press 3 and the appropriate sub choice.
Enter your password – I’ve noticed this has an issue with certain special characters? anyone else?


CONFIGURATION COMPLETE – press ‘a’ to apply
Select from menu, or press ‘a’ to apply config (? – help) s

Save config in file: [/opt/zimbra/config.48847]
Saving config in /opt/zimbra/config.48847…done.

*** CONFIGURATION COMPLETE – press ‘a’ to apply
Select from menu, or press ‘a’ to apply config (? – help) a
Save configuration data to a file? [Yes] yes
Save config in file: [/opt/zimbra/config.48847]
Saving config in /opt/zimbra/config.48847…done.
The system will be modified – continue? [No] yes
Operations logged to /tmp/zmsetup.03282014-182540.log
Setting local config values…done.
Initializing core config…Setting up CA…done.
Deploying CA to /opt/zimbra/conf/ca …done.
Creating SSL zimbra-store certificate…done.
Creating new zimbra-ldap SSL certificate…done.
Creating new zimbra-mta SSL certificate…done.
Installing mailboxd SSL certificates…done.
Installing MTA SSL certificates…done.
Installing LDAP SSL certificate…done.
Initializing ldap…done.
Setting replication password…done.
Setting Postfix password…done.
Setting amavis password…done.
Setting nginx password…done.
Creating server entry for…done.
Setting Zimbra IP Mode…done.
Saving CA in ldap …done.
Saving SSL Certificate in ldap …done.
Setting spell check URL…done.
Setting service ports on…done.
Adding to zimbraMailHostPool in default COS…done.
Setting zimbraFeatureTasksEnabled=TRUE…done.
Setting zimbraFeatureBriefcasesEnabled=FALSE…done.
Setting MTA auth host…done.
Setting TimeZone Preference…done.
Initializing mta config…done.
Setting services on…done.
Creating domain…done.
Setting default domain name…done.
Creating domain…already exists.
Creating admin account…done.
Creating root alias…done.
Creating postmaster alias…done.
Creating user…done.
Creating user…done.
Creating user…done.
Setting spam training and Anti-virus quarantine accounts…done.
Initializing store sql database…done.
Setting zimbraSmtpHostname for…done.
Configuring SNMP…done.
Setting up syslog.conf…done.
Starting servers…done.
Installing common zimlets…
Finished installing common zimlets.
Restarting mailboxd…done.
Creating galsync account for default domain…done.

You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
The VERSION of zcs installed (8.0.6_GA_5922_UBUNTU12_64)

Notify Zimbra of your installation? [Yes] yes
Notifying Zimbra of installation via

Notification complete

Setting up zimbra crontab…done.

Moving /tmp/zmsetup.03282014-182540.log to /opt/zimbra/log

Configuration complete – press return to exit

In case you forget the password you created for the zimbra admin login

root@zimbra2b:/opt/zimbra/bin# ./zmprov sp somepassword

I’ve noticed that this has some issues with certain special characters. I should pay more attention next time and write it up.


Now you can go to a browser and point it at the ip address you assigned.


Login with the admin/password combo and start setting things up.
YAY for Zimbra!

Thank you 2bridges Technologies for letting me write and post these things (and work on such great projects)

2 LastPass or not 2 LastPass

Posted on March 20, 2014

Over the last year security breaches of various kinds have made millions of logins and passwords available to virtually anyone that is interested. The recent Adobe software breach alone released roughly 38 million logins and passwords onto the open internet.

We know that this kind of information leaked onto the net causes damage, but we can also learn a great deal about protecting ourselves by looking at the studies of this kind of data. At 2bridges Technologies we review these studies to find information that assists us in protecting our clients.

In this article we want to focus on one of the most important take-aways from several of these recent password studies.

To set the background I am going to list the first 10 most used passwords compiled from the Adobe breach. If you want to review one of the sources of this data visit PCWorld at

It is important to remember these are real passwords used by real people.

The list is ordered by the number of people that used each password, high to low. My understanding is that only about 32 million of the passwords were actually used in this study (meaning that these are the ones that were cracked I would think). The password is on the left and the number of people using that password is on the right.

    Password      Number of users
 1. 123456        1,911,938
 2. 123456789     446,162
 3. password      345,834
 4. adobe123      211,659
 5. 12345678      201,580
 6. qwerty        130,832
 7. 1234567       124,253
 8. 111111        113,884
 9. photoshop     83,411
10. 123123        82,694

All of these passwords are trivial to ‘crack’: they are simple, short and in a password dictionary. And the odds are good that they are being used by the same person in multiple locations, not just at the Adobe site. This is the road to password perdition.

I know you’ve heard it a dozen times but long, pseudo random passwords with as much cryptographic entropy as possible are the only secure way to go. In tests done at 2bridges our technicians determined that with not very specialized equipment, i.e., a computer with a reasonably fast processor, reasonable amounts of ram and a couple of high end graphics cards, passwords of up to eight characters could be ‘cracked’ in about five minutes.

So how do you get “cryptographic entropy” (a fancy way of saying “mixed up with no pattern”)? When we log into a web site we can choose from different types/sets of characters to use in our password. Those character types are: upper case alphabet A-Z, lower case a-z, the numbers 0-9 and special characters like “:;<>-=~!@#$%^&*()_+{}|\/?.,`”. These (including the space) are called printable ASCII characters. Using some of each of these character types in your password is how you add entropy. The more entropy the better. And there should be at least twelve characters in that mix. Also the more the better.
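A worked version of the rule above, added here as an example (not part of the original article): it checks a password against the ten listed Adobe passwords, the twelve character minimum and the four character types, and prints the size of the search space in bits. The bit count assumes every character was picked at random from the types present, so for a human-chosen password it is an upper bound; the function names and sample passwords are constructed.

```shell
#!/bin/sh
# Added example: search space of a password, using the four character types
# named above (A-Z, a-z, 0-9, and the 33 other printable ASCII characters,
# space included; 95 printable characters in total).
LC_ALL=C; export LC_ALL

# The ten most used passwords from the Adobe list above.
TOP10="123456 123456789 password adobe123 12345678 qwerty 1234567 111111 photoshop 123123"

# Number of characters an attacker has to try per position,
# given the character types that appear in the password.
pw_pool() {
    pool=0
    case "$1" in *[a-z]*) pool=$((pool + 26)) ;; esac
    case "$1" in *[A-Z]*) pool=$((pool + 26)) ;; esac
    case "$1" in *[0-9]*) pool=$((pool + 10)) ;; esac
    case "$1" in *[!a-zA-Z0-9]*) pool=$((pool + 33)) ;; esac
    echo "$pool"
}

# Search space in whole bits: length * log2(pool), rounded down.
pw_bits() {
    awk -v n="${#1}" -v p="$(pw_pool "$1")" \
        'BEGIN { if (n < 1 || p < 2) print 0; else printf "%d\n", n * log(p) / log(2) }'
}

# Apply the article's rules in order: not on the list, at least twelve
# characters, some of each character type.
pw_verdict() {
    for common in $TOP10; do
        if [ "$1" = "$common" ]; then echo listed; return 0; fi
    done
    if [ "${#1}" -lt 12 ]; then echo too-short; return 0; fi
    if [ "$(pw_pool "$1")" -lt 95 ]; then echo missing-types; return 0; fi
    echo ok
}

# Constructed sample passwords.
for pw in 123456 adobe123 Summer14 correcthorse 'c7#Lm2!qZr9@'; do
    printf '%-14s %3s bits  %s\n' "$pw" "$(pw_bits "$pw")" "$(pw_verdict "$pw")"
done
```

Each extra bit doubles the number of guesses needed, which is why going from eight lower case letters (37 bits) to twelve mixed characters (78 bits) matters far more than the four extra keystrokes suggest.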

So a long ‘randomized’ collection of letters, numbers and symbols. Wow. Some of the guys here at 2bridges can remember those types of things but I can’t. I’ve always thought that there is only so much room up there for storage and I don’t want to have to forget fun things in order to remember a bunch of random login stuff.

One other catch is that we don’t want to use just one randomly built password, we need to use a different password for each place we go. Not possible in my world since I have to log into hundreds of different forums, financial institutes, vendors, and other websites on a pretty regular basis. If I had to memorize all that I would probably have to forget my own birthday to make room.

I know that down the road there will be ‘no password required’ solutions for authentication and authorization on the internet but I am not sure exactly how far down the road that is. And we need something that will work now, not next year.

Using a password management package is the best solution for resolving this problem in a way that lets us have safe, long and unique (by site) passwords, without having to carry our desk around with us. Many people end up using password tools built into browsers, but even the ones that are protected by a password are not really secure. Luckily there are a number of good password management tools available to choose from for whatever OS or device you use.

At 2bridges Technologies we have found that one of the most secure, easiest to use, and widely available on the OS of your choice package is called LastPass. Their website is located at The software is free as an extension for your browser of choice on your desktop and if you want it available on your phones and tablets it is available for $12 per year (Windows tablets are free).

Though I consider security to be the primary reason I started using LastPass, what keeps me enjoying it is the fact that it makes my life easier every day and saves me time and frustration. Plus I sleep a little better at night.

LastPass works with Windows, Windows RT, MacOS, Linux, Android and iOS. There are browser extensions for Firefox, Chrome, Opera, Safari, Dolphin, and Internet Explorer. It doesn’t just manage your passwords either. Built in is the ability to import all of your browser stored passwords, test for weak or duplicate passwords, generate good long passwords for you while recording your login information, store form filling information, and a feature that I use a lot called ‘secure notes’.

The secure notes feature offers templates for many different types of items you might want to have secure access to like health insurance info, drivers license, bank accounts, server logins, wifi passwords, and many more, as well as a ‘general purpose’ form that I use for all sorts of crazy stuff (like my wife’s birthday).

The web sites you log into can also be organized into groups that make sense to you, which will make them easy to find (there is a search feature too). Some people use their LastPass vault as their ‘homepage’ giving them quick access to an organized list of sites they visit. Just click and you open the web page and login securely.

The one password you will *have* to remember is your password for logging into your LastPass app because LastPass itself is designed around a security concept coined by Steve Gibson called “TNO”, trust no one. This simply means that LastPass never has unencrypted access to your password or password data and no one else will have unencrypted access either. Only you. This is a good thing, especially these days.

If you have any questions or are interested in talking about or taking a look at how we use LastPass give us a call at (253) 292-9989 or stop by. We love to help.

And remember that even though January 31st, 2014 was “National Change Your Password Day” it’s not too late to do it now.

New Jersey’s Attorney General issues subpoena to MIT students.

Posted on | March 15, 2014 | Comments Off on New Jersey’s Attorney General issues subpoena to MIT students.


This is a story we should pay attention to for a couple of reasons.

The first is the chilling effect this will have on the Computer Science students at MIT who are working on the project they call “Tidbit”, but just as important is the effect this will have on other students exploring creative ideas all over our country. The MIT students were served a subpoena just prior to their finals. A tough time to have to balance attention between school and lawsuits.

The software “Tidbit” is looked at by its developers as an alternative to advertising on the Web, something that a lot of folks might like to have available as an option. It involves trading some local CPU cycles to mine Bitcoins in place of receiving advertisements when browsing a web site that offers this feature.

The attorneys from the Electronic Frontier Foundation, who are contributing their expertise to defend the students, feel that the state of New Jersey has no personal jurisdiction over Tidbit, which has had no direct involvement in New Jersey. To paraphrase, New Jersey is in New Jersey, the developer is not a resident of New Jersey, and MIT is in Massachusetts. The courts will argue this out, spending the good people of New Jersey’s tax dollars. Probably better spent doing something useful.

The second issue that is just as concerning, if not more so, is the lack of understanding that some parts of our government have when it comes to how modern technology actually works. There seems to be a gulf between their ideas and reality, and though I hope officials involved have the best interests of the citizens in mind, many times poor decisions are made based on that disconnection.

Keep in mind – this software is only in the ‘proof of concept’ stage. No one has ever used this software to mine any kind of virtual currency. It’s not even in beta. It’s not a product. It’s an exploration of an idea. Something that we should support, not hinder.

Please read the letter from President L. Reif of MIT to the alumni of MIT concerning this matter. Read some articles, write us a note. This is an important conversation.

My Xoom MZ602 (Verizon LTE) doesn’t get 4G anymore

Posted on | September 22, 2013 | Comments Off on My Xoom MZ602 (Verizon LTE) doesn’t get 4G anymore

This is for Xoom MZ602 – verizon lte/4G device – Wrong baseband running 4.1.2 – gets 3g but no 4g

So… not sure how but somewhere along the line this 4G Xoom of mine lost its way and could no longer see the 4Gees. Possibly during some ROM install or another (or maybe cosmic radiation).

I first tried to stock (3.2.2) and allowed all of the ota (over the air) updates from Verizon – this did not work.

A good friend managed to get it working on 3G again but no 4G. We agreed that it had the wrong baseband radio (cdma only).

I looked and looked and read and read – found a number of places and discussions that touched on this but I was looking for the Holy Grail (something that is simple – well, relatively simple – and works)

Somehow after playing around some more trying to fix this problem I ended up with android 4.0.4 unlocked and rooted with team win recovery but still no 4G.

I threw my hands in the air and said “Just start over dammit” …and thought some more…sounds good but exactly at what point – os version, etc – should my phone be at when I start over?

This is where my Xoom was when I started this final process :
stock 4.0.4 rom, rooted (universal root) with the bootloader unlocked (fastboot oem unlock). I was running ClockworkMod recovery.

The process below is what I ended up doing to fix my problem – it worked great for me. I used a computer running windows 8.

Understand that this will take you back to stock – but it’s so easy to get root back – why worry?

I picked up these steps from several different places and taped them together into something that was coherent for me and hopefully will help you.

Thank you to all of the folks that do all of the hard work so that I can figure out an easy way to fix my phone

You can break/brick your phone doing these things.
Before you proceed note that this can void your warranty.
We will not be held responsible if anything should happen to your device.
Proceed at your own risk.
Flashing the wrong radio can brick your device

Here are the steps:

1- Find the img files for 3.2.2 –
 (make sure you have the full image files – not the upgrade files)
2- Get – CDMA_N_03.1A.65P LTEDC_U_05.19.07
3- Collect the CWM recovery image file
4- You need to have fastboot.exe and the appropriate device drivers
(I assume you have them and know roughly how to use them)
If not – go to XDA or some other resource and read a HowTo

3. recovery-Tiamat-R4c-100611-1150-cwm.img
4. what was this for? oh yeah fastboot.exe and drivers –

Unzip the MZ602 file – when you are done you should have:

<start later note>
(after writing this I collected all of these things into one place and zipped them up with these directions) I called it
</end later note>

These need to go into the directory with fastboot.exe so they are easy to find when you are typing commands (I used c:\xoom )

If you are going to need CWM recovery put it in there with fastboot.exe too. (if you already have it loaded it’s ok to not reflash it)

Take the file and put in on a microsd card – we are going to use CWM to install this…
Put that sd card into your xoom.

–Skip this section if you already have CWM installed
Put your xoom into fastboot mode and hook it up to your computer
Open a command prompt and move into the directory where you have fastboot and the files
Flash the CWM image (fastboot flash recovery recovery-Tiamat…..img)

–Start here if you already have ClockWorkMod installed
Boot into recovery (3 seconds after the [red circle M] press the vol down key – select with the vol up key)
install the bootloader update (the using CWM recovery

reboot the phone into fastboot (don’t let it restart…restart bad. fastboot good.)
flash the unzipped HLK75D images

fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash recovery recovery.img
fastboot flash userdata userdata.img
fastboot erase cache
fastboot oem lock

yay! – reboot the device
Don’t freak out if you look at the settings and it says baseband unknown…. be calm – set up wifi and let the xoom do the first update

If life is good and all is well you should be at 3.2.4 after the upgrade and the baseband version should be
CDMA_N_03.1A.65P LTEDC_U_05.19.07
The next update should be HLK75H and will take a little longer probably but who really knows – maybe it will decide to be faster. 3.2.6?
I forgot to check – yes 4Gees

Now onto ICS update….and then JBean
They all seem to take way too much time for me…I get a little edgy waiting to see if I’ve really broken my tablet this time.

Sweet success…4.1.2 stock and with 4G…

Good Luck,

Fail2ban – Intrusion attempts against Asterisk

Posted on | July 5, 2012 | Comments Off on Fail2ban – Intrusion attempts against Asterisk

You can find directions for doing this in several places and I debated whether or not I wanted to post this anywhere, but in the process of walking through this install for some interns and poking through a number of different log files I noted that the regular expressions being used were a little out of date for some of the current “attack” formatting that we were seeing.

I made some changes to the regex portion that I think will be beneficial in finding and blocking more instances of intrusion attempts. ( as of May 2012)

This is on a CentOS box running 5.8 with the tools needed to compile and run asterisk already installed.


First install the extra packages for enterprise Linux 5 – i386 “epel”

(of course you can also download a source file from and go from there – but that is a different post)

[root]# rpm -Uvh

warning: /var/tmp/rpm-xfer.U0EYpN: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing… ########################################### [100%]
1:epel-release ########################################### [100%]

Now check to make sure it has added itself to your repositories:

[root]# yum repolist
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
* base:
* epel:
* extras:
* updates:
epel | 3.4 kB 00:00
epel/primary_db | 3.1 MB 00:00
repo id             repo name                                      status
addons              CentOS-5 - Addons                              enabled:      0
asterisk-current    CentOS-5 - Asterisk - Current                  enabled:    562
base                CentOS-5 - Base                                enabled:  2,725
digium-current      CentOS-5 - Digium - Current                    enabled:    461
epel                Extra Packages for Enterprise Linux 5 - i386   enabled:  5,728
extras              CentOS-5 - Extras                              enabled:    282
updates             CentOS-5 - Updates                             enabled:    510
repolist: 10,268

Now that we have modified the repositories we should be able to yum install fail2ban…lets see
(ok we needed python – which happens to already be installed on this machine – note that it will be updated with this installation)

[root]# yum install fail2ban

Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
* base:
* epel:
* extras:
* updates:
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.4-29.el5 set to be updated
--> Processing Dependency: shorewall for package: fail2ban
--> Processing Dependency: python-inotify for package: fail2ban
--> Running transaction check
---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
--> Processing Dependency: python-ctypes for package: python-inotify
---> Package shorewall.noarch 0:4.0.15-1.el5 set to be updated
--> Processing Dependency: shorewall-perl = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-shell = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-common = 4.0.15-1.el5 for package: shorewall
--> Running transaction check
---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
---> Package shorewall-common.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-perl.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-shell.noarch 0:4.0.15-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

Package Arch Version Repository Size
fail2ban noarch 0.8.4-29.el5 epel 136 k
Installing for dependencies:
python-ctypes i386 1.0.2-3.el5 base 207 k
python-inotify noarch 0.9.1-1.el5 epel 86 k
shorewall noarch 4.0.15-1.el5 epel 9.2 k
shorewall-common noarch 4.0.15-1.el5 epel 232 k
shorewall-perl noarch 4.0.15-1.el5 epel 137 k
shorewall-shell noarch 4.0.15-1.el5 epel 76 k

Transaction Summary
Install 7 Package(s)
Upgrade 0 Package(s)

Total download size: 883 k

Is this ok [y/N]: y

Downloading Packages:
(1/7): shorewall-4.0.15-1.el5.noarch.rpm | 9.2 kB 00:00
(2/7): shorewall-shell-4.0.15-1.el5.noarch.rpm | 76 kB 00:00
(3/7): python-inotify-0.9.1-1.el5.noarch.rpm | 86 kB 00:00
(4/7): fail2ban-0.8.4-29.el5.noarch.rpm | 136 kB 00:00
(5/7): shorewall-perl-4.0.15-1.el5.noarch.rpm | 137 kB 00:00
(6/7): python-ctypes-1.0.2-3.el5.i386.rpm | 207 kB 00:00
(7/7): shorewall-common-4.0.15-1.el5.noarch.rpm | 232 kB 00:00
Total 656 kB/s | 883 kB 00:01
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6
epel/gpgkey | 1.7 kB 00:00
Importing GPG key 0x217521F6 “Fedora EPEL <>” from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

Is this ok [y/N]: y

Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : shorewall-common 1/7
Installing : python-ctypes 2/7
Installing : python-inotify 3/7
Installing : shorewall-shell 4/7
Installing : shorewall-perl 5/7
Installing : shorewall 6/7
Installing : fail2ban 7/7

fail2ban.noarch 0:0.8.4-29.el5

Dependency Installed:
python-ctypes.i386 0:1.0.2-3.el5 python-inotify.noarch 0:0.9.1-1.el5 shorewall.noarch 0:4.0.15-1.el5 shorewall-common.noarch 0:4.0.15-1.el5
shorewall-perl.noarch 0:4.0.15-1.el5 shorewall-shell.noarch 0:4.0.15-1.el5



Take a look at these urls for slightly different approaches:

I edited the /etc/fail2ban/filter.d/asterisk.conf file in order to reflect some localizations as well as some additions to the regular expressions used when fail2ban is looking at the log files to match indications of an ‘attack’

[root]# vi /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
# $Revision: 250 $

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Quotes and hyphens must be plain ASCII (' " -) to match the Asterisk log.
# Continuation lines must be indented so they stay part of failregex.

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>\:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Then edit /etc/fail2ban/jail.conf to enter appropriate email addresses, bantimes, etc.
[root]# vi /etc/fail2ban/jail.conf


enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200

Don’t forget to check the email address for reporting ssh notices as well…

Now when I start fail2ban I get :

[root]# service fail2ban start

Starting fail2ban: [ OK ]

Then I want to take a quick look at iptables to see if fail2ban is showing up there.

[root@localhost filter.d]# iptables -L -v

Chain INPUT (policy ACCEPT 438 packets, 33411 bytes)
pkts bytes target prot opt in out source destination
438 33411 fail2ban-ASTERISK all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 217 packets, 24088 bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-ASTERISK (1 references)
pkts bytes target prot opt in out source destination
438 33411 RETURN all -- any any anywhere anywhere

Chain fail2ban-SSH (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere


Now you can test the setup by pushing the log file against the filter we defined

[root]# fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf

If you have a huge log file this could take quite a while as well as max out the CPU, so be careful. You might want to find some ‘fail to authenticate’ entries in a log file and copy them into a new file to test against that much smaller file…
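To try that small-sample check offline, the added example below (not part of the original post or of fail2ban) runs four of the filter's expressions over constructed log lines, counts failures per host against the jail's maxretry of 5, and shows that a filter pasted with typographic quotes and dashes matches nothing. The `<HOST>` character class, the sample lines and the function names are assumptions made for the example, and findtime is ignored.

```python
import re
from collections import Counter

# Assumed expansion of the <HOST> tag: optional IPv4-mapped prefix, then a
# host/IP class that excludes ':' and quotes (stricter than the \S+ alias).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Four failregex lines from the filter, typed with ASCII quotes and hyphens.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
]

# Constructed sample in the style of /var/log/asterisk/full (documentation IPs).
SAMPLE_LOG = """\
[2012-05-14 03:10:01] NOTICE[2301] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2012-05-14 03:10:02] NOTICE[2301] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2012-05-14 03:10:03] NOTICE[2301] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2012-05-14 03:10:04] NOTICE[2301] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5071' - No matching peer found
[2012-05-14 03:10:05] NOTICE[2301] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.5:5071' - No matching peer found
[2012-05-14 03:11:40] NOTICE[2301] chan_sip.c: Registration from 'sip:200@192.0.2.10' failed for '198.51.100.23' - No matching peer found
[2012-05-14 03:11:41] NOTICE[2290] chan_iax2.c: Host 198.51.100.23 failed to authenticate as 'guest'
[2012-05-14 03:12:00] NOTICE[2301] chan_sip.c: Peer '100' is now Reachable. (23ms / 2000ms)
[2012-05-14 03:12:05] VERBOSE[2301] chan_sip.c: -- Registered SIP '100' at 192.0.2.20:5060
"""


def compile_filter(failregex):
    """Expand <HOST> in each expression and compile it."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in failregex]


def failures_by_host(log_text, compiled):
    """Count matching lines per captured host; each line counts at most once."""
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def would_ban(hits, maxretry=5):
    """Hosts whose failure count reaches maxretry (time window not modelled)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


def typographic(pattern):
    """Simulate a pattern copied from a page that curled quotes and dashes."""
    return pattern.replace("'", "\u2019").replace(" - ", " \u2013 ")


if __name__ == "__main__":
    full = failures_by_host(SAMPLE_LOG, compile_filter(FAILREGEX))
    print("port-aware filter:", dict(full), "ban:", would_ban(full))

    # Same filter without the '<HOST>\:.*' expression.
    no_port = [p for p in FAILREGEX if r"\:" not in p]
    partial = failures_by_host(SAMPLE_LOG, compile_filter(no_port))
    print("without port variant:", dict(partial), "ban:", would_ban(partial))

    curly = [typographic(p) for p in FAILREGEX]
    broken = failures_by_host(SAMPLE_LOG, compile_filter(curly))
    print("typographic copy:", dict(broken), "ban:", would_ban(broken))
```

Run fail2ban-regex against the real filter file afterwards; this sketch only checks the expressions themselves, not how fail2ban parses the file or timestamps.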

Also, to take a better look at the configuration files without comments, try this command (replace jail.conf with the file you want to look at).

The “#” can be changed to whatever comment character you see in the file; this will also remove blank lines from the file.

[root]# grep -v '^$' jail.conf | grep -v "#" | more

Hope this helps someone.

PCI-E vs. Dremel

Posted on | July 5, 2012 | Comments Off on PCI-E vs. Dremel

The PCI-E card vs. the DREMEL.

It all started simply enough.

I had a box over in the corner that had been running as a server for a couple of years but now I didn’t need it to do that any more. It was a nice enough computer (xeon) and would make a solid functional workstation where things could be created that would make the world a better place to live.

The Problem

Problem was that it needed two monitors for the good work I had in mind and sadly the built-in adapter was not up to the task.

You will notice in the accompanying pictures that there are some interesting slots on the board, including an x8/x4 slot that is integrated with the riser slot closest to the CPU.

I looked around for an x8 pci-e card but no one I knew had actually ever seen one and searching for one seemed like a pretty thankless endeavor. Plus I had a couple of working pci-e x16 pulls that were just collecting dust.

I knew in my heart that it was ok to plug a smaller/shorter/slower card (x1,x4,x8) into a larger (x16) slot but was not sure about the other direction. Normally x4 and x8 slots included an end stop that prevented plugging in an x16 card, though over the course of time I have seen a couple of boards that had open ended slots. I assumed this meant that you could put a longer card into the slot designed for a shorter card, for example an x16 card into an x8 slot.

We all know what happens when you assume things so I did a little digging. I am always amazed at how quickly you can lose track of what you are looking for when you go searching on the interwebs.

After controlling my urge to wander down the many paths calling to me I noted that there were many stories; I saw a guy that did this, I remember a friend of mine told me a buddy of his did one thing or another, we cut out the end of the slot…you know. And then there were the pci-x manufacturers that said, no way, don’t try this kind of thing at home.

I began to doubt myself but I continued tirelessly searching (to the sound of Muse playing on Pandora).

The Solution

During these travels I stumbled across the very simple idea of converting an x8 card slot to an x16 slot. Hmmm. They called these magical things lane reduction extenders. I know that confuses me a little bit too, reduction extenders…I love english.

Anyway, these devices raised the height of the card by a bit and seemed to me that they cost too much money and would end up causing more trouble than they were worth. Then I found the adaptors that used some cable to overcome the height issue. The “Riser Card Adapter Flexible Extender Extension Cable”. Dammit they only cost about 10 bucks. Obviously these were designed and sold by agents of the devil to seduce simple minded people to the dark side.

I began to doubt myself again…where would I tape/glue/screw/attach the card on the end of the flapping cable? Damn the devil and his/her easy fix…

I took a walk and pondered the meaning of life. It didn’t really help much with that but when I returned I had a revelation.

If somebody was willing to sell these converters it must be *OK* – or at least work some of the time. That was enough to convince me that an x16 card would work in an x8 slot – if there was just a way to put it in there? So the urban legend of cutting out the end of the slot may be real after all. the search continues. news at eleven.

However there was no ‘end’ cap to remove from my slot so this simple solution would **NOT** work for me. Why does life have to be so complicated? The x8 slot coexists with the riser card slot…if I removed the separator I knew deep down that the extra fingers would mate with contacts in the slot that would generate electrical kinds of magic stuff, releasing the smoke trapped in the card and maybe the motherboard. This would be bad. (now listening to Lindsey Stirling, Crystallize)

The *REAL* solution

The strength of my earlier revelation carried me over the bumps and troughs of this path, helping me accept that my life goal was to someway make this wedding of card and motherboard a reality.

But cutting the slot was off the table so, what is a lazy (though now enlightened) person to do? Spend money on a simple but inelegant solution of purchasing a lane converter? No…No…No… that would be too easy. I would not be bettered by a simple disjunctive syllogism.

Yes such a simple blinding vision – Cut the card to fit!

So I followed my vision even though my workmates thought I had finally slipped over the edge. Dremel and saw and knife and sander…(and tape)

I know – you think you can call BS but I am including some pictures in no particular order so that you can see for yourself.


p.s. I am currently installing update 753.5 of Windows 7 -64bit on this box…

  • About

    This website is supported by Ken Lombardi @ analogman consulting.
    phone: 253.two.two.two-7626
    email: ken@analogman'dot'org
    tweet: analogmanorg
