A new pre-release version of chrony (4.0-pre3) is out today, with some neat improvements to the client statistics output. Specifically, the chronyc clients command accepts three new options:

• -p, minimum packet threshold
• -r, reset client stat counters
• -k, replace control stats with NTS stats

The first two will be useful to anyone who uses chronyd for a public-facing time server.

One constant challenge of operating any public service is detecting and reacting to abuse. What happens when some gomer decides to synchronize his clock to your NTP server 100 times a second, or a vendor bug floods you with 20Kpps at random intervals? How — and how quickly — would you notice? chronyd can be configured to enforce rate limiting, but it still has to receive the packets and decide to ignore them. That's a drain on resources which is better handled by locating abusive hosts and blocking...

Consider the following PHP code:

<?php
declare(strict_types=1)
echo 'Hello' . PHP_EOL;

Running this code will generate the following error message:

$ php file.php

Fatal error: strict_types declaration must not use block mode in /tmp/file.php on line 2

The fix is easy: there's a missing semicolon after declare(strict_types=1). That's all! This tripped me up because the "declaration must not use block mode" error, which will only be raised for this exact typo in this exact statement, isn't what normally appears when a semicolon is missing.

Sometimes when running yum check-update on a CentOS system, yum will complain about a particular repomd.xml file being out of date. You might see output like this:

[root@host ~]# yum check-update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink
 * base: centos-distro.cavecreek.net
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: linux.cc.lehigh.edu
 * updates: reflector.westga.edu
base
extras
updates
Not using downloaded updates/repomd.xml because it is older than what we have:
  Current   : Thu Jul 16 09:45:59 2020
  Downloaded: Thu Jun 25 14:10:47 2020

This message can appear for any active repository on your system:

Not using downloaded base/repomd.xml because it is older than what we have
Not using downloaded epel/repomd.xml because it is older than what we have
Not using downloaded extras/repomd.xml because it is older than what we have
...etc

What's going on?

Notices about old repomd.xml ...

If you receive the following error from subversion,

svn: E125001: Couldn't determine absolute path of '.'
svn: E000002: No such file or directory

The most likely cause is that your current working directory has been deleted by another process. Change your working directory to a valid path before proceeding. If the error message appears while running a shell script, make sure the script is cd'ing out of any temporary directories it might have cd'ed itself into.

If you have a Vantec SATA/IDE to USB 2.0 Adapter (model CB-ISATAU2) that suddenly stops working, and Windows tells you that the USB device isn't recognized, check to see if you have a service named "Macrium Service" running. This service is part of the Macrium Reflect backup suite; among other things, it watches for new USB drives to be plugged in. Something about this mechanism interferes with the SATA/IDE to USB adapter's ability to load its drivers. As a result, Windows can't figure out what you plugged in.

Disabling the Macrium Service in services.msc and then reconnecting your USB adapter will allow your drive to be recognized properly. Once the drive is mounted, you can run Macrium Reflect to interact with it as needed. Unfortunately, Reflect appears to reset the Macrium Service to "automatic" startup mode each time it runs, so whenever you want to plug in a drive with the adapter, check for and disable the Macrium Service first.

Yesterday I received a brief message to an email address listed in various security.txt files:

Date: Sun, 3 Nov 2019 21:36:01 +0100
From: Jay Niffley <jayniffley [] gmail.com>
Subject: Security issues

      Hello,

I´ve found some security issues in your website. Where can i report these
issues over? Do you reward for valid security issues?

Thank you!
-Jay

A Google search for the name "Jay Niffley" was unproductive, and it's likely no real person by that name exists. But the "jayniffley" handle has been used at least once before, in what appears to be an attempted XSS probe on a cryptocurrency wallet manufacturer's support forum. The forum post containing the failed XSS attack references jayniffley.xss.ht. This hostname corresponds to a user of a service called XSS Hunter, a sort of canary interface for people conducting automated XSS testing. Visiting the host in a browser serves up a lar...

In early September, I noticed a new web robot performing a number of rudimentary scans from 160.1.30.97. While hundreds of different bots are making the rounds on any given day, this one was unusual in that the IP is part of Amazon GovCloud's 160.1/16 allocation. GovCloud is an AWS product that's segmented from the public Amazon cloud, and, as its name suggests, is reserved for use by US government entities.

The HTTP traffic from 160.1.30.97 was clearly automated; the User-Agent header was left empty, and the robot requested only index pages with no supplemental content. The timing of observed activity suggests the bot was spidering a predefined list of domains in alphabetical order. Here, for example, is the robot's first visit to this site:

160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET / HTTP/1.1" 301 227 - "-" "-"
160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET / HTTP/1.1" 302 - on "-" "-"
160.1.30.97 - - [04/Sep/2019:15:21:58 -0500] "GET /blog/ HTTP/1.1" 200 30146 on "-" "-"
`...

If you want to compile Doxygen (/usr/ports/devel/doxygen/) on FreeBSD without also building LaTeX and Ghostscript, disabling the "LaTeX support" option in the make config screen isn't sufficient.

You also need to disable the "Build and/or install documentation" option.

Turns out, Doxygen uses itself to build its own docs, and requires features from the LaTeX and Ghostscript support to do so. As such, if you disable LaTeX support but ask for the documentation to be built, LaTeX will be silently re-enabled! This isn't intuitive or apparent from the config interface; you have to look in the Makefile to figure it out. The DOCS_IMPLIES line forces LaTeX back on:

DOCS_USES=              ghostscript:build
DOCS_ALL_TARGET=        docs
DOCS_BUILD_DEPENDS=     dot:graphics/graphviz
DOCS_CMAKE_BOOL=        build_doc
DOCS_PLIST_FILES=       man/man1/doxygen.1.gz \
                        man/man1/doxyindexer.1.gz \
                        man/man1/doxysearch.1.gz \
                    ...

I spend a lot of time on Reddit, and have wanted to explore their public API for years. Last month that itch struck again and I finally decided to scratch it. Armed with a list of data I needed to spider and crunch (more on that another day, maybe), I set out to see what libraries are available. The most popular Reddit API client is written in Python, which I don't grok, and the PHP offerings didn't excite me much. You already know how this story ends; I decided to start writing my own.

Enter Snuze, a new PHP client for Reddit's API.

It's in a preview release state while I get the design stabilized. At the moment, Snuze can:

• Authenticate via OAuth
• Store and re-use OAuth bearer tokens until expired
• Track the API rate limit status and autopause when the bucket's empty
• Fetch subreddit data (and optionally persist to MySQL)
• Fetch link data (and optionally persist to MySQL)
• Fetch user account data

Snuze comes with entity classes to encapsulate th...

Beginning with Java JRE 8u211, the online Windows installer appears to generate a prolific amount of traffic not seen in previous versions. In my environment, it attempted to contact the following hosts:

0138-0-nyc104[unique-id-removed].beacon.rum.dynapis.info
0138-0-nyc108[unique-id-removed].beacon.rum.dynapis.info
0138-0-nyc10a[unique-id-removed].beacon.rum.dynapis.info
0138-0-nyc10d[unique-id-removed].beacon.rum.dynapis.info
0138-0-nyc10e[unique-id-removed].beacon.rum.dynapis.info
aws-iad1.rum.dynapis.com
aws-sfo1.rum.dynapis.com
azr-dsm1.rum.dynapis.com
azr-iad1.rum.dynapis.com
azr-ord1.rum.dynapis.com
azr-sat1.rum.dynapis.com
azr-sjc1.rum.dynapis.com
beacon.rum.dynapis.com
cdnet.jisusaiche.com
cdnet.jisusaiche.com.wtxcdn.com
dgo-nyc1.rum.dynapis.com
dgo-sfo1.rum.dynapis.com
dgo-yyz1.rum.dynapis.com
edge.jisusaiche.com
flare.jisusaiche.biz
goo-cbf1a.rum.dynapis.com
goo-chs1b.rum.dynapis.com
ibm-iad1.rum.dynapis.com
ibm-sjc1.rum.dynapis.com
jisusaiche-475487.c.cdn77.org
j...