- How you know if your IT department is doing it right
- More on domain squatting
- Domain squatting for fun and profit
- If the shoe fits
- Full circle: How Microsoft is trying to eradicate email
- /etc/hosts.deny, hackers, and automation run amok
- Clearing the Air
- Let the games begin
- The MacBook Air finds its Nietzsche
- To give thanks
April 14, 2008 | Comments: (0)
How you know if your IT department is doing it right
This one's easy. A good IT department is generally kinda bored.
When the infrastructure has been designed and built correctly and the telemetry is just right, IT doesn't have much to do except keep an eye on things and work on new projects. Sure, there are always break/fix scenarios, but those are par for the course. Unless there's a major project underway, it's the "insanely busy" IT departments that are the cause for worry, not the ones playing Nerf football. As a consultant, I've been involved in projects with hundreds of different companies and seen just about every form IT can take. This theme crosses all boundaries.
My theory of good IT is that the best network and system administrators are the laziest. When presented with a problem that will require lots of small modifications to lots of moving parts, they will always opt to write some code to automate the process. This generally takes less time than the manual effort, and the resulting code can be reused in the future. In many cases, this will require that the admin learn a new language, or at least be able to think abstractly in order to address the problem. Those that opt to do everything manually still get the job done, but with plenty of wasted effort and no long-term gains. To turn a phrase, they're generally too busy mopping the floor to turn off the faucet.
For instance, given a task to migrate from one firewall platform to another, there are many, many admins that would simply re-create all ACLs and rules in the new firewall. This is obviously error-prone and will take a long time if there are many rules. "Lazy" admins will write some perl to parse the config from the original firewall and generate valid code for the new platform. I've done this many times -- even published perl code to migrate PIX firewall rules from conduits to ACLs.
The best admins will design a system that will be more difficult and may take slightly longer to implement in the beginning, but will all but eliminate problems later. Those are the admins you're looking for.
When presented with a new project or new requirements, the better IT shops will look for open-source solutions or frameworks and adapt them to their needs rather than look for something they can buy that may not be as adaptable, but might be simpler to implement. That's not to say that commercial products are never used, but the first course of action isn't to spend lots of money, it's to research what's out there. These shops also don't generally use consultants since there's no real need for them. These are also the IT shops that tend to have the highest admin-to-user ratios, and the lowest overall cost.
Of course, there are downsides to the "lazy IT" method. The main problem is that the "lazy" approach doesn't play well with non-technical executives. The issue is that a well-designed and implemented infrastructure makes everything look easy. Modifications, additions, and tweaks become simple if the foundation is solid, though they can lead to disaster if the foundation is poor. In the right environment, major projects can be implemented with great speed and competency -- but that gives those outside the IT department the impression that anyone can do it.
Regardless of the stability and performance of the IT infrastructure, there are many that believe that unless the IT staff is red-faced and sweating, they're not doing their jobs. This can lead to staffing cuts, which then cause major problems when those that were most capable of maintaining a stable infrastructure are let go since "they weren't doing anything". New, cheaper staff are brought in and the stability and resiliency of the network infrastructure soon begins to falter. But those new admins sure seem to be working hard, running in circles trying to keep the roof from collapsing. I've seen this happen far too many times. Quite often, I've been the consultant brought in at a high hourly rate to perform CPR and stop the bloodshed.
To executives that lack a concrete grasp of how IT should work, a solid IT department needs to be presented as the best insurance policy available. After all, those insurance premiums don't do anything unless they're needed, but what happens if you stop paying them?
Posted by Paul Venezia on April 14, 2008 09:12 AM
March 27, 2008 | Comments: (0)
More on domain squatting
My previous post on domain squatting got plenty of attention, and plenty of comments, both positive and negative. Interestingly, the majority of commenters (public and private) who didn't like what I had to say admitted that they were in the business of domain squatting/parking. Huh.
Yesterday, I finally got a response that I'd been waiting for. Just below an argument that domain squatting apparently provides sustenance for needy families, Gary commented:
I'm putting $7,000 a year into the internet for renewal fees. Am I helping out the internet and helping to create jobs? Yes. Am I hurting the internet? No. We can create new extensions and billions of new names if we wanted to, with money that people like me are pouring into the internet with renewals. If you don't get a .com, there are hundreds of other extensions and hundreds more planned for.
Hundreds of TLDs? If you count country TLDs, perhaps, but universally available TLDs? Hardly. For the vast majority of people out there, there's only one: .com
This is ICANN's fault, of course. Rather than act on approving new TLDs in the nineties -- before .com became synonymous with the Internet -- they waited, and waited, and waited. This made .com the only "real" TLD out there. Even .org and .net are marginalized under the public perception of .com. The other relatively new TLDs, like .info, .biz, and so forth are certainly available, but to many people they're suspect. I've had many non-technical people ask me if a .biz or .info site was a malware or virus-laden website simply because it wasn't under .com. They just don't understand that there's more than .com out there.
Even sites like craigslist.org have craigslist.com registered and redirected. When given a domain name (even if it's shown with .org, .net, .info, whatever) most people will append .com.
Let's face it -- .com is it if you want a marketable domain. It shouldn't be that way, but it is.
Posted by Paul Venezia on March 27, 2008 11:13 AM
March 21, 2008 | Comments: (0)
Domain squatting for fun and profit
I just got off the phone with MarkMonitor, a company that according to the fellow I spoke with is hired by multi-national corporations to register and squat on domain names in the interest of brand security. I was calling them to inquire about a specific domain name that they had registered -- a domain that was simply an ad page. I was hoping to use that domain for a little project, but I was told that in order to even inquire about the potential availability of the domain, I would have to have my attorney contact them directly, and then go through a process that might take a few months before finding out if I might have the privilege to buy the domain on their terms. I asked him if he saw any problem with this, and he went on a brief tirade about protecting brand identity, and then roughly slammed the phone down, hanging up on me. Great sales tactic, no?
In some cases, the practice of registering domains that aren't intended for use is legitimate -- someone registering dell.org, delll.com, and putting anti-Dell information there -- or worse, a copy of Dell's website -- could be potentially damaging to Dell, and they have a right to protect themselves in those instances. They are also protecting against someone registering a domain that's close to theirs and essentially blackmailing them into buying it for lots of money. This is what MarkMonitor.com supposedly does, but since I was yelled at and hung up on by their own sales staff, I never got the full details.
The domain that I was inquiring about had no relation to any ad campaigns, corporations, or otherwise. It didn't redirect to a legitimate site, or offer anything useful -- it's simply parked on an ad page. It was being squatted on by a company in the hopes that someone would come along and buy it for some ridiculous price -- essentially exactly what companies like MarkMonitor.com claim to protect against. Variations on the name using hyphens and other small changes produced similar parking pages, but squatted by different companies.
Thus, instead of a domain that could be used to host useful tools or interesting information, it holds nothing of value to anyone. It doesn't infringe on any trademarks, it's essentially been relegated to the trash bin -- of no use to anyone. This isn't brand protection, it's glorified ticket scalping.
I do find it rather amusing that the company running the parking page has a website that hits a Drupal "Database Error" page as of this writing (www.firstlook.com).
Although ICANN has backed plans to reduce domain tasting, or the practice of registering hundreds of domains, then returning all but the few that get the most hits (hits to parked ad pages), it's still a big problem. Network Solutions has been under fire for this, but in a more insidious way -- if you use their site to query about the availability of a domain name that isn't registered, they would instantly register it, and then offer to sell it back to you. If you didn't pay for it, they would release it and not pay any fees. The evidence suggests that Network Solutions is the crooked grocer of the digital age, but they have a bigger thumb on the scale, and it's automated.
All of this comes down to right and wrong for me. Is it right that a company can register domain names that are directly related to their own brand in order to protect themselves? Yes. Is it right that a company can register thousands and thousands of domain names that they will never use for anything other than parking pages, simply to be able to bilk someone out of more money when they actually want to use the name? Not in my book.
The more time that passes since the Web was born, the further and further it drifts from the core ideals that formed its foundation. That's an allegory if I ever saw one.
UPDATE:
In response to some of the comments:
I understand the domain industry. I registered my first domain almost fifteen years ago. I understand the economics, and the shady nature of domain squatters. I reject the argument that it's like buying land, subdividing it, and selling it. To me, this practice is more in line with someone standing at the entrance to a parking lot, misrepresenting themselves as the owner, and charging five times the actual price for a parking spot -- essentially engaging in extortion by misdirection. There are nuances here, like domain tasting, but the simple fact remains that domain squatting is a parasitic practice.
Yes, we pay for goods and services, but this is like having someone walk around the supermarket right in front of you, scooping up everything you want to buy and then offering to sell it back to you at an inflated price.
I reject the "that's America" argument, because the Internet isn't limited to America. Neither, unfortunately, is this problem.
A domain name might be "an appreciable marketing asset" but only after the content or function has proven worthy or has a real-world reference like vodka.com. If Google wasn't Google, google.com would probably be parked on an ad page. These ad pages are only marketable in that they generate revenue by misdirection -- typos and the like. Any way you cut it, it's distasteful.
UPDATE:
This was too good not to post. I'm still looking for a domain name that's even tangentially related to the content of the site I want to build. I'm hitting parking pages everywhere... including one with this obviously automatically generated tagline:
"For resources and information on Done swimwear and Colonoscopy Done"
Priceless.
Posted by Paul Venezia on March 21, 2008 06:07 PM
March 19, 2008 | Comments: (0)
If the shoe fits
I was perusing the Presidential candidates websites today. Interestingly, they all look roughly the same, though Barack Obama's site is better designed than the others in my humble opinion. What was even more interesting was the OS choices, though perhaps these should come as no surprise:
| Candidate | Server OS |
| --- | --- |
| John McCain | Windows Server 2003 |
| Barack Obama | Linux (with a touch of FreeBSD) |
| Hillary Clinton | Unknown |
Source: Netcraft.com
Posted by Paul Venezia on March 19, 2008 12:18 AM
March 17, 2008 | Comments: (0)
Full circle: How Microsoft is trying to eradicate email
After all this time, all these spams, all the complaints from all over the globe, I can only come to one conclusion: Microsoft is trying to kill email.
Let's take a look at some facts. Spam levels are as high or higher than they've ever been. From my own personal experience, I can say without a shadow of a doubt that 99.9 percent of all email coming to my mail server is spam. That's tragic all by itself, but it's been that way for quite some time now. I have written and documented the severe steps that I've taken to reduce the problem, but the fact remains that hundreds of thousands of connections are made to my mailserver every day, trying to sell me v1@gr@!, inform me of my incredible good fortune in some foreign lottery, or tell me that I really need to buy stock in some company nobody's ever heard of.
Hundreds of thousands of connections, coming from thousands of hosts. What are those hosts anyway? The vast majority of those hosts are exploited Windows systems. They're zombies run by botnet operators. Their owners are probably completely clueless to the maelstrom that has engulfed their little Dell desktop. It's just "slow".
There are millions of these systems out there, according to an article from USA Today. Millions.
The mainstream media consistently use the term "computers" when they make forays into this realm. Yes, they are computers, but they're not just any computer -- they are all running Windows. All of them. Let's not mince words here: Botnets are comprised of compromised Windows systems. Thus, Microsoft's massive security failures are at the very core of the spam problem.
Yes, there are still spammers out there that use specific servers and subnets to send their trash, but they're relatively easy to identify and stop, either by the ISP, or through filtering at the client side. Connections from millions of unique systems from all over the globe are much harder to stop. One of the ways that spam filters try to stem this tide is by identifying subnets assigned to residential cable and DSL providers, and blocking those IP ranges. That's like bringing a sledgehammer into surgery, but it can be effective -- so effective that it blocks legitimate communications from people running their own servers, and hundreds of companies using cable and DSL connections for their business. The subnet allocations caught up in these traps aren't necessarily accurate, and they can cause email to simply disappear at worst, or consistently be marked as spam at best.
Speaking of email simply disappearing, this brings me to my next point about Microsoft's apparent attempt to kill email: Hotmail.
I've had a Hotmail/MSN/Live.com email account for a while now, and it's been relatively spam-free. Of course, that address is not published anywhere, and I hardly ever use it, so I would expect that to some degree. However, some tests I ran over the weekend shed some light on some of the ways that Hotmail/MSN/Live.com handle spam: They apparently are simply deleting inbound email with no bounce messages, no flags, no notification -- nothing.
I can replicate this at will. When I send an email from my mailserver (located on a commercial circuit) to my gmail.com account, live.com account, and other personal accounts, they all arrive -- except to my live.com/Hotmail account. It simply never appears, and no bounce message is ever seen. If I send myself an email from my live.com account, it arrives speedily, and my reply is delivered back to the live.com account almost instantly. But if I then write a new message to the live.com account, it never appears, even though it came from an address that I just emailed.
Thus, Microsoft is simply deleting legitimate emails. Why would I bother using such a service? It's like buying a car that will only start once in a while, or a refrigerator that keeps the soda cold, but lets the milk go bad. It's useless.
I'm not alone here, either. This thread at MozillaZine goes back to 2006, and describes these exact problems in excruciating detail, among others. Ian Gregory has also been cataloguing this problem for a few years now.
The temerity of Microsoft to simply never deliver these emails is shocking to me, but taken in concert with my original point that Microsoft software forms the very core of the spam problem to begin with, the only conclusion I can make is that they are waging a war -- not against spammers, but against email.
Perhaps they're going to unleash some hidden features in Exchange 2008 that will ensure that email sent from one Exchange server to another is always passed through (and always reaches hotmail.com, msn.com, and live.com addresses), leaving everybody else out in the cold -- a Frankenstein thought if there ever was one.
Their motive may be unclear, but their actions are transparent -- they are complicit in the generation and distribution of spam, and are summarily deleting emails addressed to their users under the guise of fighting spam.
Until they remedy this egregious activity, I've instructed my mailservers to discard any inbound email from hotmail.com, msn.com, or live.com.
In a few days, I probably won't be able to reply to them anyway.
Posted by Paul Venezia on March 17, 2008 03:56 PM
March 08, 2008 | Comments: (0)
/etc/hosts.deny, hackers, and automation run amok
3AM. It's always 3AM when these things happen.
Last night, my cellphone started beeping, and after it finally woke me up, I cracked open an eye and checked the screen. Text messages from Nagios, telling me that my main FreeBSD mail/Web server was incommunicado. Lovely.
I crawled out of bed and logged into my MacBook Pro. I had an open SSH session to that box, but it was all but unusable, echoing back a character every few seconds. An eventual 'uptime' showed the 5-minute load at over 300. Three hundred processes in the run queue basically means the box is thrashing wildly... but why?
The Nagios client had respawned a hundred or so times, sshd, snmpd, and inetd were all running 60-70% CPU utilization, completely consuming both CPUs. Everything had come to a standstill. I killed the offending processes from the console (hooray for Raritan KVM-over-IP!) and the box settled back down.
I first started sshd back up, and didn't see the load rise, but as soon as I attempted to SSH back into the box, it spiked to 100% utilization. I killed it, and rebuilt openssh-portable from ports, wondering if I'd been hacked, or the sshd binary had somehow become corrupt. I ran the newly-built sshd manually in debug mode, and watched the same problems occur. Obviously, this wasn't good. Checks of dmesg and /var/log/messages showed literally no problems whatsoever. The I/O subsystem seemed fine, as did all normal server operations -- I could SSH out, Apache, MySQL and sendmail were working, but there was obviously something very wrong.
The uptime on this server was 525 days. Generally speaking, I refrain from rebooting a box unless absolutely necessary, but in this case, I felt that I had to start with a clean slate. For the first time since September of 2006, I rebooted my main workhorse server.
It came back up without issue, other than the same sshd, snmpd, and inetd problems. The reboot was ultimately unnecessary. But what could be causing this problem? As I was making a cup of coffee, I thought that I might try removing hosts.deny to see if that made a difference. That did the trick -- all was well without it. But what caused that?
A while ago, I wrote a quick script to scan /var/log/auth.log for spurious brute-force SSH login attempts, and to add the offending IP address to /etc/hosts.deny for sshd. This worked extremely well, reducing the potential effectiveness of these attacks to all but zero. The problem, as it turned out, was that the script eventually wrote over 140 IPs to /etc/hosts.deny, which either triggered a bug, or exceeded a line-length limit that I'm unaware of. Removing that line caused all previously-misbehaving services to return to normal, and after some time to settle down, the server was back to handling a few hundred thousand emails a day, alongside Web and DNS services. I rewrote the brute-force detection script to add IPs to a pf table instead of /etc/hosts.deny, and parsed the previous hosts.deny list into the table to retain that information. Of course, this is how I should have done it to begin with. It took two cups of coffee, but I was out of the woods.
This was a decidedly non-obvious solution to a decidedly bizarre problem. I'd still like to know if I hit a bug in the BSD stack, or what the hosts.deny line-length limits are. Anyone? Bueller?
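The detect-then-block flow described above, as an added example rather than the author's original script: it counts failed SSH logins per source address in constructed auth.log lines, folds in the addresses from an old hosts.deny sshd line, and emits pfctl commands for a pf table. The table name bruteforce, the five-failure threshold, and the pf.conf lines in the comments are assumptions, not taken from the post.

```python
"""Brute-force SSH detection over auth.log, feeding a pf table instead of hosts.deny.

Added example, not the post author's script. Assumes OpenSSH's
"Failed password for ... from <ip> port <n>" syslog format and a pf table
(assumed name "bruteforce") declared in pf.conf along the lines of:
    table <bruteforce> persist
    block in quick proto tcp from <bruteforce> to any port ssh
"""
import re
from collections import Counter

# OpenSSH failure line as it appears in FreeBSD's /var/log/auth.log; group 1 is the IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

THRESHOLD = 5            # assumed policy: block after this many failures
TABLE = "bruteforce"     # assumed pf table name

# Constructed sample auth.log lines (TEST-NET addresses), not real traffic.
SAMPLE_AUTH_LOG = [
    "Mar  8 03:01:02 mail sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2",
    "Mar  8 03:01:05 mail sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 51031 ssh2",
    "Mar  8 03:01:09 mail sshd[4107]: Failed password for root from 192.0.2.10 port 51044 ssh2",
    "Mar  8 03:01:12 mail sshd[4109]: Failed password for root from 192.0.2.10 port 51052 ssh2",
    "Mar  8 03:01:15 mail sshd[4112]: Failed password for invalid user oracle from 192.0.2.10 port 51060 ssh2",
    "Mar  8 03:01:19 mail sshd[4115]: Failed password for invalid user guest from 192.0.2.10 port 51071 ssh2",
    "Mar  8 03:04:40 mail sshd[4180]: Failed password for paul from 192.0.2.44 port 60210 ssh2",
    "Mar  8 03:04:51 mail sshd[4180]: Failed password for paul from 192.0.2.44 port 60210 ssh2",
    "Mar  8 03:05:02 mail sshd[4180]: Accepted publickey for paul from 198.51.100.5 port 60211 ssh2",
    "Mar  8 03:05:10 mail sshd[4180]: pam_unix(sshd:session): session opened for user paul",
]

# Constructed hosts.deny content; only the sshd line is migrated into the table.
SAMPLE_HOSTS_DENY = """\
# constructed hosts.deny, not a real file
ALL: 10.0.0.0/255.0.0.0 : deny
sshd: 203.0.113.9, 198.51.100.77 : deny
"""


def count_failures(log_lines):
    """Return a Counter of failed-password attempts keyed by source IPv4 address."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_lines, threshold=THRESHOLD):
    """Sorted list of source addresses with at least `threshold` failures."""
    return sorted(ip for ip, n in count_failures(log_lines).items() if n >= threshold)


def parse_hosts_deny(text, daemon="sshd"):
    """Pull the IPv4 clients out of the '<daemon>: client, client ...' lines of hosts.deny.

    Comments, blank lines, other daemons, and a trailing option field (': deny')
    are skipped. This is the one-time carry-over of the old deny list.
    """
    ips = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(rf"^{re.escape(daemon)}\s*:(.*)$", line)
        if not m:
            continue
        clients = m.group(1).split(":", 1)[0]  # drop any option field after the clients
        ips.extend(IPV4_RE.findall(clients))
    return ips


def build_block_list(log_lines, hosts_deny_text, threshold=THRESHOLD):
    """Union of current offenders and previously denied sshd clients, sorted."""
    return sorted(set(offenders(log_lines, threshold)) | set(parse_hosts_deny(hosts_deny_text)))


def pfctl_commands(ips, table=TABLE):
    """pfctl invocations that add each address to the table (returned, not executed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def main():
    for cmd in pfctl_commands(build_block_list(SAMPLE_AUTH_LOG, SAMPLE_HOSTS_DENY)):
        print(cmd)


if __name__ == "__main__":
    main()
```

A cron job would run the printed commands (or pipe the addresses to `pfctl -t bruteforce -T add`); the table grows without the single-line limit that hosts.deny apparently hit.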
Posted by Paul Venezia on March 8, 2008 02:14 PM
February 13, 2008 | Comments: (0)
Clearing the Air
So apparently my MacBook Air review has hit both sides of the spectrum. There are those that think it's one of the most balanced reviews yet, and those that think I'm a fanboy.
Nick Farrell's own definition of fanboy (posted in a comment on this blog) is "someone who disengages brain whenever they look at a product. Apple is largely dependent on peddling products to such types who refuse to see that the outfit can do any wrong." If that were the case, why would I write the sidebar on the migration issues at all? Why would I include the negative comments on the Air in the review, and score it below "Excellent"? I suppose that's berating the obvious, however. The fanboy sentiment cuts both ways though -- there are people like Nick that view everything from a particular company in a negative light, regardless of facts or merit.
These accusations come with the territory -- if you give a product a positive review, you're a shill for that product. If you review it negatively, you're a shill for the competitor. If this were actually the case, I'd be a rich man indeed.
I do think that Mac OS X is superior to other operating systems for a variety of reasons, from usability to security, and so on, but my main workstation runs Fedora Core 8, and my servers run FreeBSD or Linux. Most of my laptops are Macs because they give me a very functional native UNIX-based environment in a portable package, never crash, instantly wake up from suspend, and perform very well under load. I view time taken dealing with OS issues, viruses, malware, drivers, and so forth as time wasted, and I have precious little time to waste these days. The day that changes is the day I move to something better -- but there isn't anything better right now. That's why I run Mac laptops along with a few Dells running Linux.
I've seen some forums discussing the review, complete with folks running the numbers on the 50GB file transfer, claiming that I was getting only a few MB a second during the transfer. I was getting 10-11.5MB/s during actual file transfer (as I mentioned in the review), with the remaining time taken up with the other requirements of migration such as configuring user accounts, replicating settings, and whatever else is necessary to completely (and successfully) migrate one system's state to another. Raw transfer time was probably closer to three hours, and I'd transferred nearly 60GB of data when it was all said and done. I also find it odd that of everything I wrote, this sidebar has become the hotpoint. It's specifically about the migration assistant, which is a tool that I've found to be incredibly handy and a significant timesaver, but one that not everyone uses. In fact, it's only tangentially related to the Air. I do really wish that Apple had coded it to let you pick specific folders to transfer as part of transferring a user, but the thirty seconds it took me to do that manually was hardly a cause for concern.
The whole point of the review, sidebar, and my additional comments was to point out what the MacBook Air is, not what others seem to think it should be. Much like a comparison between a Ford F-250 and a BMW Z4 is relatively worthless, reviewing the Air in comparison to even a MacBook Pro is worthless -- they're two completely different products for different needs and markets. That's the whole idea.
If you want to view the Air as just another laptop, that's fine -- you're just missing the point.
Posted by Paul Venezia on February 13, 2008 10:15 AM
February 12, 2008 | Comments: (0)
Let the games begin
It seems that Nick Farrell over at The Inquirer isn't so thrilled by my MacBook Air review. Actually, he doesn't really mention the review, opting instead to summarize the sidebar with additional commentary. To clarify a few of his points:
o- Yep, it took five hours to do the whole migration. The first 30 minutes were problematic, but the rest of the time was the two systems transferring 50GB of files via 100Mbit Ethernet without supervision.
o- The Air didn't crash -- the Migration Assistant application crashed.
o- I bought the Air myself.
o- "Fanboy" seems to be a favorite expression of someone who doesn't like to see positive comments about something they don't like. I gave the Air a "Very Good" rating, and it earned it. If it had integrated 3G and a realistic 5 hours of battery life, it might have made it to "Excellent".
o- Isn't it odd that although I'm apparently a "hack" trying to put positive spin on Apple's products, I decided to write an entire sidebar about a negative experience?
I suggest that Nick read the whole review as well as my blog comments. I'd be delighted to see him run that through his fun-house mirror.
UPDATE: Interesting. All the comments on the Inquirer post just disappeared right after I submitted one.
UPDATE: They're back, sans my comment. Curious.
Yet another UPDATE: I might suggest that anyone interested in this topic read the actual review, and my companion blog post, not just the sidebar. I wouldn't want anyone to be embarrassingly misinformed -- it's bad for the knees.
Posted by Paul Venezia on February 12, 2008 11:22 AM
February 10, 2008 | Comments: (0)
The MacBook Air finds its Nietzsche
Quite often, less really is more. One staple of computing in general is the perceived need for options. Painting yourself into a corner with a lack of options in hardware or software is never a good thing, but there's a difference between that and trying to paint the room with a half-ton paintbrush.
It's no secret that Steve Jobs -- and by extension, Apple -- is very interested in pushing the design envelope. Going back a long way, except perhaps the dark years in the nineties, Apple has had a history of making big changes and taking big chances with their hardware. The Mac was really the first home computer to have integrated SCSI and a mouse. Apple computers were among the first to be produced without internal floppy drives. The Apple Newton was one of the first usable PDAs and even today enjoys a startling number of users. NeXT Computer, founded by Steve Jobs in 1985, is looked on as being way too far ahead of its time, producing a line of UNIX-based workstations running the NeXTSTEP OS, an OS that is the precursor to Apple's OS X. Apple's OS X itself is a complete and total departure from Mac OS -- a move that helped reinvent Apple. The iPod, of course, was instrumental in building a whole new industry. There are more examples, some flops, some not, but they have a common theme: out with the old, in with the new, whether you're ready for it or not.
Apple's design theory seems to be "Rounded rectangles, white or silver, as few seams and ports as possible, as few cables as possible". If Apple designed a Swiss Army knife, it would look like an egg. Their products certainly are attractive, with clean lines and an overall minimalist approach. To get those clean lines, however, all those bulky ports and slots have to go. Quite honestly, I think Steve Jobs harbors a deep, personal resentment towards D-Sub connectors. That's the concept behind the MacBook Air.
In an age when you can still get a laptop with a parallel port, Apple has created a laptop with no legacy ports, even deleting FireWire from the specs. There's also no built-in optical drive. Many reacted to this with disdain, decrying the lack of an internal optical drive, fixed RAM, and limited ports as being too limited and artificially handicapping the system. I've come to realize that I don't think that's the case at all. When I thought about it, I don't really need any of those things on a daily basis, and when I do, it's rare. Perhaps desktops need lots of ports, but not laptops -- not any more. In a time when I can buy a 16GB USB2 flash drive for under $80, why would I bother to carry DVDs and CDs? If I don't use those, why do I need the drive? If I need to transfer files between systems, I can use wired or wireless Ethernet, or that USB flash drive.
I get the vast majority of my computer-based entertainment via the Internet. Music and movies, and other forms of entertainment are easy to download from iTunes, Amazon, or anywhere. Though there are subscription services like NetFlix that are PC-only, that will likely change sooner rather than later. Occasionally, I'll buy a DVD, or a CD at a vintage store, and encoding those to MP3 and MP4 is trivial using a desktop system. I then get the benefit of being able to play them anywhere, instantly. I simply get more bang for my buck with digital files, and there's no reason I'll ever go back to physical media.
I also get the vast majority of my applications from the Internet. I can't ever recall loading a CD or DVD into a Mac to install software other than an OS installation. Even when devices come with driver disks on CD, I generally download them from the manufacturer's website since the version will be newer and hopefully better. The first disc I've put into my MacBook Pro in probably six months was the Apple disc that contained the MacBook Air's CD/DVD sharing installer. I won't miss it on the Air. With Bluetooth, I won't really need more than one USB port either. If I do, there are 3" x 1" four-port USB hubs on the market for less than $15.
So as I use the Air and think on this, I gaze around my lab, noting all the random cables, connectors, components, and options. There are several PC laptops around, rife with colored ports, switches, slots, and buttons. It's a stark contrast to the lithe little laptop in front of me. It's the antithesis, and I think that's a good thing. 
Posted by Paul Venezia on February 10, 2008 08:43 PM
February 08, 2008 | Comments: (0)
To give thanks
Once in a while, I reflect on some of the tools that I use constantly, and the fact that there's an awful lot of unsung heroes out there. Last night I started thinking about it and compiling a simple list of tools and some specific people that fit this bill. Here they are, in no particular order.
PHP
This one should be obvious. PHP has developed into an extremely strong, functional, stable, and fast Web development framework. If Perl makes easy things hard and hard things possible, PHP makes everything easy. I've even taken to writing backend scripts in PHP that would have been Perl not too long ago. A recent IMAP mailbox scanning, parsing, and spam blocking database interaction script springs to mind. It's around 30 lines of PHP and works like a charm.
MySQL
Again, another obvious entry here. Where would we be without MySQL? It's far more powerful and flexible than many DBAs will admit, and scales extremely well. Think Wikipedia.
phpMyAdmin
I don't know how many times I've used phpMyAdmin, or on how many servers I've installed it, but it's simply a phenomenal tool for working with MySQL.
Linux
'nuff said.
FreeBSD
FreeBSD (and NetBSD, OpenBSD, etc) are the unsung heroes of the unsung heroes. I operate several high-powered and heavily-loaded FreeBSD boxes, and it's a welcome change from the cult of Linux on occasion. It might not be as admin-friendly to the uninitiated, but once you grok it, there are features in FreeBSD that you wish your Linux boxes had.
DarwinPorts
For the past 7 years or so, I've been using Mac OS X, and never have I used the Fink package system. It just seemed, well, not quite right to me. Enter DarwinPorts. I use this all the time, and find it fast, flexible, and simple.
Larry Wall
I want to live on whatever planet Larry's from. It's hard to picture the world without Perl... and we wouldn't have Perl without Larry, that's for sure.
OpenSSL/OpenSSH
The deployed base of OpenSSL and OpenSSH is probably incalculable. From my cellphone to my TiVo, to my workstations, laptops, servers, across all operating systems and devices, there's OpenSSL and probably OpenSSH. It's become as ubiquitous as the air we breathe.
Bram Moolenaar and Vim
Another hidden hero, Bram Moolenaar (et al) is responsible for the best editor ever -- Vim. It's my mail reader on some boxes, obviously my editor of choice, and my IDE all rolled into one. I've been using Vim for years and years, and probably still only know and use 20% of the functions. I'm constantly using Vim reflexes in other editors (like Microsoft Word, or in ecto, which I'm using to write this post). If I can find Vim keybindings for an app, I'll use them. Firefox already supports several, such as the / search.
There are many, many more than those listed here, but these are the ones that topped my list last night while I reflected on this post, a few fingers of Lagavulin warming my belly and my brain. Have some more? Drop me a line.
Posted by Paul Venezia on February 8, 2008 12:57 PM
January 30, 2008 | Comments: (0)
Why must this be so difficult, so painful? Why must you spurn me at every opportunity, causing me to rend my clothing and speak in tongues? This hold you have over me is distressing... O Verizon, how I loathe thee.
You tempt me with promises of on-line account management, of security, yet leave me hanging with Byzantine confirmation methods and completely unintelligible voice recordings of temporary PINs. You email me validation codes that don't work, serve me ASP.NET pages that look and function like it's 1998, and yet STILL, you won't let me check my bill on-line.
Why must it be so? Why must you insist that you call my home phone with a temporary PIN that's read in a sampled voice? A voice that makes the letters D, E, G, P, V, and Z all sound alike? How many possible combinations must I try before I'm granted access to my own account, an account that I had full access to only weeks ago? It seems like so long -- so long since I found your website even moderately useful. No, I fear that the deeper feeling is gone, edged away from true apathy by a breathtaking barrage of useless and completely non-functional verification steps. It didn't have to be this way. You could have shown even an inkling of competence -- I would have forgiven, I would have tolerated you for a little while longer...
Now, I know not what will become of me. Perhaps I will finally convert all my lines to Time Warner Digital Phone. But wait! I cannot! You have me in an impossible position because I have DSL!
O Verizon... why can't I quit you?
Posted by Paul Venezia on January 30, 2008 12:27 PM
January 08, 2008 | Comments: (0)
To preface, my home and lab phone systems are driven by Asterisk -- technically an aging TrixBox installation running under VMware ESX 3. It runs two SIP trunks and two analog lines, handles all voicemail, routes calls through the cheapest service for any given destination, and even irons my shirts.
I've found a new way that it can brighten my life, however. I live in New Hampshire. That means that early January in an election year becomes a whirlwind of phone calls, doorbells, and half a dozen poster-sized glossy mailers in the mailbox every day, hawking all the candidates you've ever heard of, and those you've never heard of. Today's primary will cause this nonsense to throttle down somewhat, but the past week has been really rough. My Asterisk system has logged roughly 20 phone calls per day from all the candidates. Fortunately, only a few of those actually made the phones ring -- the rest were shunted directly to a recording I made in which I thanked the caller, asked them never, ever to call back, and explained that while I support the democratic process, I've chosen not to accept any phone calls from any candidates. It's proven exceptionally useful, especially when looking through the logs. It's not perfect, however, since I have to get a call from a number before I can match on that number to shunt the call, which means that all the calls from 000-000-0000 go unnoticed, as do the staggering number of calls from JOHN EDWARDS FOR AMERICA. I didn't vote for him.
Score one for the geek, I guess. In the next few weeks, I'll be transitioning my Asterisk installation to TrixBox Pro for a test -- no more VM, it'll run on real hardware, and use real FXO/FXS linecards rather than the Sipura/LinkSys ATAs I'm using now. Hopefully it'll be a simple process, since at this point, I don't think I can do without it. It's just too darn useful.
Posted by Paul Venezia on January 8, 2008 07:18 PM
November 25, 2007 | Comments: (0)
Having endured the Vongo ads during various football games the past few days, I figured I'd at least check it out. I wasn't sure what to expect, and boy was I surprised. If you don't already know, Vongo is a new digital movie distribution site that allows users to download as many movies as they want for $9.99 a month. Intriguing, for sure, but riddled with artificial restrictions, apparently.
For one thing, Vongo is deeply, deeply Microsoft-centric. So deeply, in fact, that you can't even view their website with a browser claiming to come from another OS. With a Linux or Mac browser, the only possible option is to enter your email address to be notified if/when your OS is supported.
This means that you can't do any research on Vongo from anything but a Windows box -- Switching FireFox to identify itself as IE on Windows XP completely broke the site rendering, and hitting the site from my Nokia N95 (as I would imagine lots of people will do when seeing the ads on football games in bars or at a friend's house) gave me the nice "Incompatible OS" page as well, preventing me from getting any more information about Vongo. Handy.
Also, if you enter 'vongo.com' to go directly to the site, it redirects to 'www.vongo.com.' with a trailing dot. That's technically a valid fully-qualified DNS name rather than a typo, and browsers will resolve it, but they treat the dotted and undotted hostnames as different sites (cookies set for one don't apply to the other), so it does show a certain lack of attention to detail.
So I wandered around the site with my Windows XP VM, looking for some answers to what's really happening on the back end. It seems that the only compatible playback devices are Windows XP, 2000, and Vista, or an Xbox 360. I could find no mention of playback on portable devices, although the commercials made a point of referencing this ability (and a point of not mentioning/showing an iPod). I'd guess that the Zune is supported, but I've seen no specific information on that issue.
But the fact that they were expecting to support portable devices without specifically mentioning the Zune gave me a flicker of hope that these movies might not be horrendously crippled for playback on other devices, like my iPod, Nokia N95, and Mac. Those hopes were dashed when I read this on their site:
"In order to enjoy the full experience of Vongo and Media Center Edition feature integration with Windows Vista, we strongly recommend that you uninstall the Vongo application software prior to upgrading to Vista. (Please Note: When you uninstall Vongo you will lose movies and videos already downloaded to your library. Because Windows 2000 and XP are separate and distinct operating systems from Vista, there is simply no technical means of porting Vongo videos across operating systems. As a Vongo subscriber you can always replace the videos in your library at no charge.)"
Really? The movies you download on XP won't be playable on Vista due to technical reasons? Please. Pull the other one, it's got bells on. This little lie is probably in place just to convince potential users to upgrade to Vista first, with Vongo as the proverbial carrot.
So it seems to me that Vongo has been designed as a Vista delivery catalyst and little more...and why would I want to artificially restrict myself so heavily, to the point where upgrading to another Microsoft OS will cause me to lose the movies I've already downloaded?
Amazon recently started offering $8.99 non-DRM MP3 albums. I've bought several so far, since I can use them on any of my playback devices, from my Sonos system to my Linux workstations and laptops to my iPod. It's this reason that I don't use the iTunes store, or any other crippled delivery system. So sorry, Vongo, but I'm completely uninterested.
Posted by Paul Venezia on November 25, 2007 11:09 AM
November 07, 2007 | Comments: (0)
I've had an annoying day. It's one thing when the technology refuses to cooperate, it's another when it seems that human incompetence plays the key role. My woes today revolved around the fact that Ubuntu Server 7.10 seems to be terribly broken on the initial install. I was actually installing Ubuntu Server on a new SPARC system, and was amazed that after the first reboot, the initial account created during the installation did not have sudo permissions, and the root account is locked out. Essentially, the installation was useless without rebooting via rescue mode and manually modifying /etc/sudoers. Of course, the rescue boot hung, and at that point, I just turned the server off and grabbed some dinner. This isn't the first time I've crossed swords with Ubuntu and came away feeling that it just isn't worth the effort.
Otherwise, I've been getting riled up with net neutrality issues, such as Verizon's recent experiments on breaking DNS. Earthlink is also playing this game, apparently. I fail to understand the logic behind these attempts to hijack their own users and subvert a core Internet service. It's small potatoes compared to the other shenanigans that major ISPs play, perhaps, but didn't everyone learn a lesson from Verisign's attempted coup a few years ago?
And coming in third, perfectly framing my disaffection with human incompetence is NaviSite. 165,000 to 200,000 sites offline for days following a failed datacenter migration? How is it possible that a large, publicly-traded company can fail so miserably at a fairly straightforward task? I cannot fathom undertaking such an effort without proper planning and the necessary expertise, but then, I'm kinda fond of not causing epic disasters. Not only have they taken all these customers off the Internet for days and days, but they're apparently also berating them on the phone and no longer participating in conference bridges they themselves set up. It's gone from a tragedy to a farce and back again. Cynthia Brumfield is one of those customers, and after five days is heading to Andover MA to get her data back. She's also bringing a video camera to document her experience.
If it happens, that should be interesting. What might be more interesting is NaviSite's declining stock price, and what I can only assume are some cold feet on the part of Sapotek, who just last week announced a partnership with NaviSite to deliver SaaS via Sun's Startup Essentials program. If I were Sapotek -- or even Sun -- I wouldn't want to be anywhere near this trainwreck. They want to deliver SaaS to thousands of customers, anchored by a company that can't even get a mature business like Web hosting right?
Brave.
PS: Check out NaviSite's page discussing the outage. Doesn't it look like the guy in the image at the top is leaning over to throttle the other guy in the foreground? Maybe it's one of their customers.
Posted by Paul Venezia on November 7, 2007 07:22 PM
September 04, 2007 | Comments: (0)
To make a very long story short, an Exchange server experienced catastrophic hardware failure, scrambled the mailstore, and was rendered completely inoperable. An hour on the phone with HP resulted in a promise that the warranty replacement parts would arrive within 24-48 hours, no guarantee. However, an "uplift" service was available for the low, low price of $2,500 to expedite parts for next day. The whole server cost less than $2,500. Instead, I found a refurbished 1U server locally for around $1k with twice the resources of the original. We rebuilt the Exchange server, only to find the mailstore corruption. 11 hours later, the mailstore repair tools had finished and the mailstore was finally remounted... with errors.
Some (not all) users could access their mailbox, but were not receiving new mail. The errors in the event log elicited only two hits on Google, and none on Microsoft's site. The two hits were related to the same forum post with no resolution -- useless. Microsoft's own tools for locating resources pertaining to this error went nowhere. The actual error is from source MSExchangeIS Mailbox, ID 1025, error data "An error occurred on database "First Storage Group/Mailbox Store (MAIL). Function name or description of the problem: SLINK::EcUpdate Error: 0xfffffa84". Since I could find references to part of this error, but nothing about it in its entirety, I had to call Microsoft. That's where the fun started.
After calling in and navigating half a dozen voice prompts, I spoke with a customer service rep who kindly took my credit card information for a $245 charge, gave me a case number, and told me that the tech queue wait time would be 5 minutes or so. I waited on hold for 62 minutes before I got a tech with a very heavy accent. He asked for the case number. I was surprised that he didn't have it already. How could he not have it? I was on the same call. I looked around and couldn't find the paper I'd jotted it down on over an hour earlier. I asked if he could look it up, and he brusquely transferred me back to the CSR pool. While he did this, I found the number. I checked it with the new CSR representative, and discovered that I'd been given the wrong number to begin with. Then, I was told that I'd be put back in the queue, with a hold time of only 45 minutes. I spoke with a supervisor who was very sorry that this was the case, but there was nothing he could do. Back I went into the land of Nod.
I was two hours and $245 into a service call to Microsoft to find more information on their own error code that isn't referenced anywhere on their site that I could find. I finally got a tech for the second time, who asked for the case ID, interrupted me twice while I was trying to give it to her, then abruptly hung up on me. Livid doesn't begin to describe my state of mind. I've worked with Microsoft enterprise products for a decade, and I've never had to call them before. That's truly a blessing.
What a racket. I'd love to get $245 to abuse my customers like this. I'd be a billionaire.
Posted by Paul Venezia on September 4, 2007 02:43 PM
August 10, 2007 | Comments: (0)
Okay, maybe it's just me, but I swear that the default "new email" tone on Profimail is the Super Mario Bros. "new life" tone. Seriously. I'm not sure how I feel about that.
Posted by Paul Venezia on August 10, 2007 11:20 PM
July 25, 2007 | Comments: (0)
Yet another reason the geek shall inherit the Earth
The old saying is just one letter off -- it's not the meek, it's the geek. I'm sitting in Portland Airport in Oregon waiting for a redeye, and the wifi is up but the DHCP server is dead. PDX is an enlightened airport, offering free WiFi for the entire airport (when it works), and I have a few hours to kill before the soul-sucking cross-country flight, and I really needed to get some work done. So, where most of the world would have given up in frustration, I simply ran tcpdump on my WiFi interface, found traffic on the local net which told me what subnet was in use, picked an IP high in that range, guessed at the default route (it was .1), specified a public DNS server I run, and voila, I'm posting this entry.
Between that and the knowledge required to successfully configure Bluetooth contact list synchronization, us geeks have it all tied up.
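The subnet-guessing trick above, written out as an added example (this is not code from the original post): it reads `tcpdump -n` style output, finds the /24 that dominates the capture, picks a high host number that never appeared, and prints the BSD-style commands that would apply it. The capture lines are constructed for the example, the addresses are hypothetical, and the interface name en1 is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post): infer the in-use IPv4 subnet from
# passive tcpdump output and propose a static address plus gateway. The capture
# below is constructed; addresses are hypothetical and en1 is an assumption.

# Constructed sample of `tcpdump -n -i en1` output on a wireless net whose
# DHCP server is not answering. Nothing here is real traffic.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.20.30.17.49152 > 10.20.30.1.53: 1234+ A? example.com. (29)
12:00:01.000002 IP 10.20.30.1.53 > 10.20.30.17.49152: 1234 1/0/0 A 93.184.216.34 (45)
12:00:01.000003 ARP, Request who-has 10.20.30.1 tell 10.20.30.44, length 28
12:00:01.000004 IP 10.20.30.44.55000 > 93.184.216.34.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000005 IP 192.168.1.9.5353 > 224.0.0.251.5353: 0 PTR (QM)? _airplay._tcp.local. (40)
12:00:01.000006 IP 10.20.30.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300'

# extract_hosts CAPTURE: every IPv4 address seen, one per line, minus
# multicast and broadcast, which say nothing about the local subnet.
extract_hosts() {
  printf '%s\n' "$1" |
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    grep -vE '^(22[4-9]|23[0-9]|255)\.'
}

# busiest_prefix CAPTURE: the /24 prefix with the most sightings. Off-net
# addresses show up too (DNS answers, web servers), but the local prefix
# dominates because it appears on at least one end of every local flow.
busiest_prefix() {
  extract_hosts "$1" | awk -F. '
    BEGIN { best = 0 }
    { seen[$1 "." $2 "." $3]++ }
    END {
      for (p in seen) if (seen[p] > best) { best = seen[p]; bp = p }
      print bp
    }'
}

# pick_free_host CAPTURE PREFIX: highest host number from .250 downward that
# never appeared in the capture. Absence from a short capture is not proof
# the address is unused; ARP-probe it before committing (see note below).
pick_free_host() {
  seen=" $(extract_hosts "$1" | tr '\n' ' ') "
  n=250
  while [ "$n" -gt 1 ]; do
    case "$seen" in
      *" $2.$n "*) n=$((n - 1)) ;;
      *) echo "$2.$n"; return 0 ;;
    esac
  done
  return 1
}

# propose_config CAPTURE: prints "ADDRESS GATEWAY", guessing .1 for the
# gateway as the post did.
propose_config() {
  prefix=$(busiest_prefix "$1") || return 1
  [ -n "$prefix" ] || return 1
  addr=$(pick_free_host "$1" "$prefix") || return 1
  echo "$addr $prefix.1"
}

# Print, rather than run, the commands that would apply the guess on a
# BSD-style stack such as Mac OS X.
guess=$(propose_config "$SAMPLE_CAPTURE")
echo "# suggested: ifconfig en1 inet ${guess% *} netmask 255.255.255.0"
echo "# suggested: route add default ${guess#* }"
```

Two caveats a practitioner would add: a short capture only proves an address was quiet, not free, so ARP for it (or ping it) before configuring it, or you will knock someone else off the net; and the .1 gateway is a convention, not a rule, so if the default route doesn't work, look for the MAC that the DHCP replies or off-net flows are addressed to.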
Posted by Paul Venezia on July 25, 2007 12:23 AM
May 09, 2007 | Comments: (0)
Six things that need to change
Although I'm generally able to see both sides of an argument, there exists a short list of issues that I just can't comprehend. These are those issues.
1) The RIAA's war on its customers
This one has been going on so long as to almost be accepted. Of course, that's their plan. The vast amount of money being poured into lawyers, lobbyists, and scare tactics by the RIAA would have been more than enough to rework their long-deceased business model into something for the next generation. For an industry that was built upon pushing the envelope, they certainly can't seem to think outside the CD case. The heavy lobbying in Florida that has resulted in the used CD market there receiving stricter controls than the gun market is just one tiny example.
The RIAA is certainly under attack from every angle -- piracy, slowing CD sales, a massive increase in self-produced music, and flagging interest in marquee acts -- but nearly all of that is their own fault. Instead of embracing the new market, they've been trying to kill it by shipping CDs with rootkits masquerading as DRM schemes, producing lawsuits by the bushel, apparently destroying Internet radio, and projecting an overall public persona that falls somewhere between Al Capone and Stalin. It's just ludicrous.
But then, this is the industry best described in a misquote to Hunter S Thompson: "The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free, and good men die like dogs. There's also a negative side." His original words were actually describing TV broadcasting, but the sentiment prevails.
2) Broadband Bandits (Update: More on this topic can be found here)
Comcast is the easy target on this one, but there are many perpetrators of this travesty. You know who you are. More importantly, your customers know who you are, and will jump ship in an instant if given the chance. With most of the competition buried in the backyard, and a weakened FCC sitting idly by, Comcast, Verizon, and many other providers are ramping up prices and dropping service levels. They're also applying voodoo AUP interpretations to cut off paying customers that go over some amorphous limit. Many of these companies come from a delivery-only background, where they deliver the signal, and the customer passively accepts it, such as cable TV. Back in the day, this was largely true of the Internet -- Web servers existed in datacenters, ISPs, and universities, and most content was text and the occasional picture. With Flickr, YouTube, MySpace, and the advent of simple videoconferencing, end users are much more apt to be sending nearly as much as they receive, yet most broadband connections are still ridiculously asymmetric. I just ordered Verizon DSL to provide a backup circuit. $30/mo for a 3Mb/768k circuit. This means that uploading a few 5 megapixel photos will take me roughly 3 minutes, and completely obliterate that 3Mb/s download rate due to upstream congestion, even though I'm not downloading anything.
There are a few reasons that most of these wildly unbalanced plans exist. Contracts with peering partners generally dictate up/down ratios to be maintained (eg, saving the ISP money). They also prevent customers from using videoconferencing and VoIP technologies to their full potential, resulting in poor performance. This forces the customer to only use approved methods of communication (eg, paying the carrier more per month). And lastly, they've always been that way, right?
As a sideline to all this nonsense, many carriers go so far as to block well known ports, such as Web, IPSec, and SMTP ports to residential lines. True, most people aren't running Web servers from their house, but lots of them are just trying to connect to the corporate VPN. To do that, you need a business-level contract for way more money per month and usually lower bandwidth. What a bargain.
Certainly, not all carriers act this way. Comcast and Verizon DSL are famous for it, but Time Warner's RoadRunner seems to be above this chicanery, at least so far. If AT&T hadn't been dismantled nearly 25 years ago, we'd still be renting our phones from Ma Bell for $20 a month, and our telecommunications infrastructure would be the best the third world had to offer. At least Verizon is offering FIOS in some areas, yet I know of entire communities that have no broadband whatsoever. Wasn't there a Universal Service initiative started over a decade ago? Note as you read that page, you see "The Federal-State Joint Board on Universal Service recommended that the Federal Communications Commission take immediate action to rein in explosive growth in high-cost universal service support disbursements. The Joint Board is also seeking comment on proposals for long-term, comprehensive reform of the high-cost program. 5/1/07." This is because we've gotten nothing for a whole lot of something.
Just ask a South Korean how much they spend on the 100Mbit Internet circuit in their house. CNet was talking about 20Mbit links, universal video-on-demand on the cheap back in 2004. Not much has changed in three years, except their average bandwidth has increased fivefold. Heck, just ask them about the Internet service to their mobile phones -- it beats anything in the US by far. This brings me to number three.
3) The US is a mobile communications wasteland
Crazy, indecipherable "plans", "anytime minutes", $0.10 per text message, $0.003 per KB (read that any way you want), and current phones that were cutting edge in Europe when John Paul II was still wandering around the Vatican. That's the state of mobile connectivity in the US today. I've heard more than a few foreigners describe a trip to a T-Mobile store as "like visiting a cellphone museum". Given what they're used to in Europe and Asia, I have little doubt this is true. Wireless carriers in the US have been raking in money hand over fist for the past five years, riding the cellphone boom as high as it will go. During all this, they've been slowly doling out features to their users like cake to the starving, while the rest of the world runs circles around us.
The pending release of Apple's iPhone may spark something here, just as the iPod blew the portable MP3 player market apart. Hey, has Steve Jobs ever made a mistake?
4) Airport Wifi
This one's personal. I understand that fleecing business travelers for $10 or so during a flight delay is part of the business model, but even crack dealers give away the first few tastes. Can't we get 30 minutes free, and a reasonable hourly rate thereafter? I can't believe that any airport Wifi installation hasn't already paid for itself a hundred times over. I'll continue to hold Manchester Airport up as a shining example -- wide coverage, free service, no splash page. It's just beautiful.
5) Spam and the Windows Protection Racket
This one will never disappear, but it can be marginalized. If thousands and thousands of compromised Windows systems were to be patched, replaced, or burned in effigy, the volume of spam worldwide would be drastically reduced. Couple this to viruses, adware, malware, and so on, and there's very little that your PC can't do -- your taxes, spreadsheets, Web surfing, and spamming the bejeezus out of thousands of people. I think we may be near the top of a Bell curve on that one. Vista is more secure than XP (which isn't saying much) but the sheer numbers of wide-open Windows systems on the Internet will necessarily begin to decline due to hardware failure, if nothing else. If the replacements are tougher to compromise, then the spam levels will abate somewhat, as will other nefarious afflictions of the digital age, and we'll all be a little safer and saner.
Of course, if Windows were suddenly secure, it would directly affect the revenue of hundreds of smaller software vendors hawking Windows protection applications, but I can't feel too bad for Symantec or McAfee -- they'll survive.
6) Oops! I lost your ID. My bad.
Every week or so, we hear about the theft of another million identities from a laptop or network intrusion. Sometimes it's a corporation, sometimes a university, or sometimes the federal government. Sometimes it's your ID, sometimes it's mine. Pretty soon, it'll be nearly everyone that's ever had a credit card, applied for a loan, opened a bank account, or was simply assigned a social security number.
There are no formal penalties for this invasive personal intrusion, and some companies simply don't tell anyone that the event occurred. If a company doesn't have adequate security and lets a few hundred thousand database records flap in the wind, the victim will at best spend days straightening out a credit mess and changing all their accounts to new numbers. At worst, they'll lose money, their credit rating, and maybe even their job through no fault of their own. If a department store chain's physical security was so lax as to have their customers violently mugged en masse simply for being in one of their stores, you can bet they wouldn't be in business any more. What would be worse would be the poor people that got mugged because they were in a different store, but that store told the muggers they were there. Identity theft isn't much different -- since your ID is bought and sold to whomever, without your approval.
We need accountability for data security lapses of this magnitude, plain and simple. We only get one identity, and when it has been dragged through the mud it can take years to recover, and sometimes it's impossible. Unfortunately, it will take new laws and stiff penalties to see any change here, since it's apparently more cost effective to throw your customers under the bus (see number one, above).
It's obvious that the US is going through a period of massive change, largely related to the presence of the Internet and the forces that can exert some influence on it. Some of these issues may be just growing pains, but some of them may be cancer. Thus, it's very important that we not shortchange our technological future for short-term economic and bureaucratic issues. We've sold our society to the electron, and we'll be beholden to anyone who wields it better than we do.
Posted by Paul Venezia on May 9, 2007 02:58 PM
June 29, 2006 | Comments: (0)
I've had a bit of a crisis recently. Although I use FireFox almost exclusively on all platforms, I find that I just can't take it on OS X any more. With the release of 1.5, I've found that FireFox is simply too much of a resource hog on my 1.67GHz PowerBook G4 with 1.5GB RAM to be usable. Although I never reboot the laptop, I have to quit and restart FireFox every day or so. When the CPU is consistently at 80% utilization, the memory footprint is more than 400MB with about a dozen windows open (no video, no flash), and text field input is delayed by several seconds on a consistent basis, I get agita. The Linux builds don't seem to exhibit this behavior, even under far greater stress.
So, au revoir, FireFox. The promises of a truly integrated OS X build in the 2.0 release may bring me back, but for now, it's Camino all the way.
Posted by Paul Venezia on June 29, 2006 03:29 PM
May 25, 2006 | Comments: (0)
If you have a MacBook or PowerBook with the embedded motion sensor, you have to see Erling Ellingsen's SmackBook. Desktop paging with a tap of the hand; so very cool. I normally see things like this and appreciate the inventive nature of the author, but rarely do I bother to actually implement them. This was an exception.
If you read the comments you'll find patched binaries of Desktop Manager (a great app that I've been using for eons) and some hints on getting everything working. In my case, I'm running a 1.67GHz 15" PowerBook G4 and I had to do some fiddling with the thresholds after building the patched Desktop Manager. I'm still working on getting the settings just right, but if you're having trouble, try this modified smack.pl:
#!/usr/bin/perl
use strict;
my $stable = 0;   # consecutive samples with the laptop (nearly) at rest
# AMSTracker -s streams motion-sensor readings every 0.01s, three signed
# integers (X, Y, Z) per line
open F, "./AMSTracker -s -u0.01 |" or die "can't run AMSTracker: $!";
while (<F>) {
    my @a = /(-?\d+)/g;
    print, next if @a != 3;   # pass through anything that isn't a reading
    # we get a signed short written as two unsigned bytes
    my $x = $a[0];
    if (abs($x) < 10) {
        $stable++;
    }
    # only fire once the machine has sat still for a while, so a single
    # smack (and its rebound) doesn't switch several desktops
    if (abs($x) > 15 && $stable > 15) {
        $stable = 0;
        my $foo = $x < 0 ? 'Prev' : 'Next';
        system "./notify SwitchTo${foo}Workspace\n";
    }
}
It's a bit trying to find the line between breaking your screen hinges to shift desktops and having them switch too easily. The easiest way to gauge what's happening is to run AMSTracker -s -u0.01 > test and tap each side of the screen at an appropriate level, then take a look at the resulting values. Nice work, Erling!
Posted by Paul Venezia on May 25, 2006 03:52 PM
April 25, 2006 | Comments: (0)
More on trusting your IT staff
As Doug Oliver returns to work today, hopefully on the tail end of the most overblown "scandal" in New Hampshire government IT history, I feel compelled to further my position that trust and investment in IT personnel is worth its weight in gold. Of course, having a modicum of ethics helps too.
IT has the keys to the kingdom, so to speak. If the modus operandi is to cheap out on staff, training, and equipment, then the returns will definitely reflect that. I hereby propose that April 25th become IT Appreciation Day. The last Friday in July is System Administrator Appreciation Day (SAAD), but maybe it's time to branch out and include the whole group.
Posted by Paul Venezia on April 25, 2006 10:54 PM
February 10, 2006 | Comments: (0)
This should be self-explanatory, allowing that TEMPFAIL is a greylist flag:
[root@mail log]# for i in `ls maillog*gz`; do echo -n "$i: "; num=`gzcat $i | grep -c TEMPFAIL`; echo $num; totnum=$(($totnum+$num)); done; echo $totnum
maillog.0.gz: 126907
maillog.1.gz: 137915
maillog.10.gz: 110875
maillog.11.gz: 162012
maillog.12.gz: 141682
maillog.13.gz: 137504
maillog.14.gz: 185007
maillog.15.gz: 167037
maillog.16.gz: 140281
maillog.17.gz: 160331
maillog.18.gz: 123243
maillog.19.gz: 158751
maillog.2.gz: 176522
maillog.20.gz: 157648
maillog.21.gz: 153283
maillog.3.gz: 169739
maillog.4.gz: 271368
maillog.5.gz: 163032
maillog.6.gz: 171642
maillog.7.gz: 150581
maillog.8.gz: 146269
maillog.9.gz: 156355
3467984
[root@mail log]# totnum=0; for i in `ls maillog*gz`; do echo -n "$i: "; num=`gzcat $i | grep -c Sent`; echo $num; totnum=$(($totnum+$num)); done; echo $totnum
maillog.0.gz: 2296
maillog.1.gz: 2231
maillog.10.gz: 2168
maillog.11.gz: 1465
maillog.12.gz: 1442
maillog.13.gz: 1931
maillog.14.gz: 2456
maillog.15.gz: 2187
maillog.16.gz: 2240
maillog.17.gz: 2165
maillog.18.gz: 1545
maillog.19.gz: 1575
maillog.2.gz: 2280
maillog.20.gz: 2137
maillog.21.gz: 2273
maillog.3.gz: 2311
maillog.4.gz: 1338
maillog.5.gz: 1287
maillog.6.gz: 1979
maillog.7.gz: 2085
maillog.8.gz: 2372
maillog.9.gz: 2322
44085
[root@mail log]#
This next snippet is counting the number of ipfw lines that block inbound TCP/25 from hosts flagged by my custom greylist/autoshun code:
[root@mail log]# ipfw list | grep -c ^26000
10286
[root@mail log]#
I don't know whether to be giddy or depressed.
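The post doesn't show the greylist/autoshun code itself, so here is an added example, not the author's code, of the same idea: tally greylist results from mail log text in one pass, and emit ipfw rules numbered 26000 (the number the `grep -c ^26000` above counts) for relays that only ever hit the greylist and never came back. The log line format is constructed for the example; a real greylist milter logs differently, so the two regexes are the part you would adapt.

```sh
#!/bin/sh
# Added example (not the post's greylist/autoshun code): count greylist
# results and generate ipfw shun rules for hosts that never retry properly.
# Log format below is constructed for this example.

# Constructed sample log. 203.0.113.5 and 192.0.2.9 keep hitting the greylist
# with fresh sender addresses and never pass (spam-bot behaviour);
# 198.51.100.7 is tempfailed once, retries later and passes (a real MTA).
SAMPLE_LOG='Feb 10 09:00:01 mail greylist[3141]: TEMPFAIL from=<a@example.com> relay=203.0.113.5
Feb 10 09:00:02 mail greylist[3141]: TEMPFAIL from=<b@example.com> relay=203.0.113.5
Feb 10 09:00:03 mail greylist[3141]: TEMPFAIL from=<c@example.com> relay=203.0.113.5
Feb 10 09:05:01 mail greylist[3141]: TEMPFAIL from=<d@example.org> relay=198.51.100.7
Feb 10 09:20:01 mail greylist[3141]: PASS from=<d@example.org> relay=198.51.100.7
Feb 10 09:20:02 mail sm-mta[3200]: k1AE2002: to=<user@mail>, delay=00:00:01, stat=Sent
Feb 10 09:30:01 mail greylist[3141]: TEMPFAIL from=<x@example.net> relay=192.0.2.9
Feb 10 09:30:05 mail greylist[3141]: TEMPFAIL from=<y@example.net> relay=192.0.2.9'

# log_counts LOG: "tempfails delivered", the two totals the post's loops add
# up, in a single pass instead of one grep per rotated file.
log_counts() {
  printf '%s\n' "$1" |
    awk '/ TEMPFAIL / { t++ } /stat=Sent/ { s++ } END { print t + 0, s + 0 }'
}

# shun_candidates LOG MIN: "count ip" for relays tempfailed at least MIN
# times that never passed the greylist. Counting TEMPFAILs alone would shun
# every legitimate MTA on its first delivery attempt, since greylisting works
# precisely by tempfailing those and waiting for the retry; requiring
# "never passed" keeps the real mail servers off the list.
shun_candidates() {
  printf '%s\n' "$1" | awk -v min="$2" '
    function relay_ip(line) {
      if (match(line, /relay=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
        return substr(line, RSTART + 6, RLENGTH - 6)
      return ""
    }
    / TEMPFAIL / { ip = relay_ip($0); if (ip != "") tempfail[ip]++ }
    / PASS /     { ip = relay_ip($0); if (ip != "") passed[ip]++ }
    END {
      for (ip in tempfail)
        if (tempfail[ip] >= min && !(ip in passed)) print tempfail[ip], ip
    }' | sort -rn
}

# shun_rules LOG MIN: one ipfw command per candidate blocking inbound TCP/25
# from that host. All rules share number 26000 so `ipfw list | grep -c ^26000`
# counts them, as in the post. Printed here, not executed.
shun_rules() {
  shun_candidates "$1" "$2" | while read -r _ ip; do
    echo "ipfw add 26000 deny tcp from $ip to any 25 in"
  done
}

counts=$(log_counts "$SAMPLE_LOG")
echo "greylist tempfails: ${counts% *}, messages delivered: ${counts#* }"
shun_rules "$SAMPLE_LOG" 2
```

Piping `shun_rules` output into `sh` would install the rules; in practice you would also want an expiry (rules added with a shared number can be deleted together with `ipfw delete 26000`, so a cron job that flushes and regenerates the set from the last N days of logs is the simplest form of ageing), otherwise a dynamic-IP host that was briefly a bot stays blocked forever.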
Posted by Paul Venezia on February 10, 2006 09:30 AM
November 29, 2004 | Comments: (0)
I've met many network admins that consistently refer to their network -- or at least the portions under their control -- as if it was their only child. This really isn't much of a stretch, since they've poured hours and hours of time into the design and operation of the network, and can sense when something's just not right although no overt problems seem to exist. These admins are the ones to cherish and reward, as their mindset can only lead to a healthy and successful infrastructure. But the anthropomorphism doesn't always stop there.
There is a relatively rare but shocking human condition called Munchausen by proxy. The basic concept of this disorder is that normal adults will deliberately exaggerate, exacerbate, or even completely create physical or mental health problems in others for personal gratification. The translation here is all too obvious.
For an admin who knows the network inside and out, creating a problem that only he can fix provides the desired reward, whether that's a glimmer of awe in a coworker's eye, public recognition, or even a raise from a thankful boss. Some of this desire is fueled by a perceived lack of job security, with artificial problems and remedies seen as a way to prove one's worth.
Unfortunately, most infrastructures don't have a good way to track admins. Admins are trusted individuals, and it's common to have root and Administrator accounts available to multiple people, rather than privilege elevation from individual admin accounts. This permits nearly untraceable root-level access to systems. A few layers down, the lack of TACACS+ or RADIUS authentication on network devices forces admins to use the same local accounts on switches, routers, and firewalls, again obscuring the actual mind behind the keyboard when changes are made.
In some respect, this moves into a discussion on change management practices, but larger organizations have likely implemented individual user accounts already, even if they have not implemented a full change management protocol. Smaller companies are definitely more at risk, as it's less likely that any of these measures are in place.
While I certainly don't think that this form of internal sabotage is commonplace, I've seen a few too many inexplicable problems occur on previously solid infrastructures with equally inexplicable remedies to think that it's not possible. In those instances, however, absolute proof was simply not available due to the lack of logging and audit trails.
Remember that especially in a small and midsize company, the IT guys can see and do everything on the network -- always assume that. Therefore, they need to be some of the most trusted employees at the company. If there's an abundance of odd problems followed by miracle saves, it might be time to call in some help. At the very least, be sure that even root-level access has an audit trail, and that individual accounts are used wherever possible. A problem like this is definitely worth the ounce of prevention.
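An added example, not the post's own code, of what an audit trail that names the person behind root-level changes looks like: it reads constructed sshd and sudo syslog lines (both formats assumed here) and flags root activity that a shared root login leaves unattributable to any individual.

```python
import re
from collections import Counter

# Constructed syslog-style auth lines, not from the original post; the sshd
# "Accepted ..." and sudo per-command formats are assumptions for this example.
SAMPLE_AUTH_LOG = """\
Nov 29 20:01:10 fw1 sshd[4011]: Accepted publickey for root from 10.1.1.20 port 51022 ssh2
Nov 29 20:03:44 fw1 sshd[4052]: Accepted publickey for alice from 10.1.1.21 port 51100 ssh2
Nov 29 20:04:02 fw1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ipfw add 26000 deny tcp from 192.0.2.7 to me 25
Nov 29 20:10:15 fw1 sshd[4090]: Accepted password for root from 10.1.1.22 port 51200 ssh2
Nov 29 20:11:30 fw1 sudo:      bob : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts.deny
"""
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def attribute_root_activity(log_text):
    """Return (events, unattributable). Each event is (kind, person, detail); a
    direct root login carries person=None because no individual can be tied to
    what happens in that shell, which is exactly the gap the post describes."""
    events, unattributable = [], 0
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            if m["user"] == "root":          # shared account, no person behind it
                events.append(("login", None, f"root shell from {m['src']}"))
                unattributable += 1
            continue                          # non-root logins are not root-level
        m = SUDO_RE.search(line)
        if m and m["target"] == "root":       # elevated from a named account
            events.append(("sudo", m["user"], m["cmd"]))
    return events, unattributable

def actor_summary(events):
    """Root-level actions per identified person; '<shared root>' means no audit trail."""
    return Counter(person or "<shared root>" for _, person, _ in events)

if __name__ == "__main__":
    evts, unknown = attribute_root_activity(SAMPLE_AUTH_LOG)
    for kind, person, detail in evts:
        print(f"{kind:5} {person or '<shared root>':13} {detail}")
    print(f"{unknown} root-level session(s) cannot be attributed to a person")
```

Anything counted under `<shared root>` is a change nobody can be asked about afterwards; the fix is the one the post gives, individual accounts plus elevation.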
Posted by Paul Venezia on November 29, 2004 08:39 PM
July 24, 2003 | Comments: (0)
If it bleeds, it leads.
I suppose that it's just human nature to rubberneck at a traffic accident. The real problem is when the rubberneckers are holding up traffic behind them.
Enter the SCO debacle, once again.
This whole charade has the makings of a really bad dream. It's silly, ridiculous, completely laughable until it's official. Gartner has decided to issue a warning regarding Linux adoption in mission-critical systems. A choice quote:
Determine whether Unix or Windows will provide functions equivalent to those of Linux deployments.
The users of Unix -- taken as a specific, since Unix is now more or less like Band-Aid and has escaped any specific implementation, we'll think of UnixWare, which is the SCO-branded AT&T SysV Unix -- use it because a custom application, probably orphaned or in limited development, requires that OS. Windows shops do so because they've been using Windows since a snappy salesman sold them on it over Novell 6 years ago. The folks that would use Linux generally wouldn't consider anything other than *BSD to replace their Linux systems. With the Linux compatibility layers in FreeBSD et al., they could even run most ELF binaries... what is Gartner thinking? The quote reads like an ad for SCO/Microsoft.
And another:
Don't ignore the problem by hoping IBM will win or settle its lawsuit (that could take a year or more). An IBM win would not prevent SCO from pursuing individual claims, which, if successful, could cost far more in penalties than buying a SCO license would. If you find SCO's case compelling and you use few instances of v.2.4, pay the license fees.
So.... just give in. Who writes this stuff? I completely understand the concept of corporate liability, but this is obviously a recommendation to just pay the extortion fee and be done with it. Why in the world would anyone heed this advice?
What would Microsoft and SCO tell you to do?
While the actions by SCO are pending, take a go-slow approach to Linux in high-value or mission-critical production systems. Instead, keep pursuing your Unix and Windows strategies.
An example of what's happening:
If I paint a picture, and someone says that I used a similar brushstroke in the painting, do they immediately get royalties on reproductions? What if they're completely wrong? Nothing has been decided, and it is blindingly obvious that this is just a weak attempt at gaining mindshare and possibly some cash.
So that everyone understands, SCO is already hammering out Linux licensing terms. The audacity! Users and contributors of Linux -- folks who have collectively donated hundreds of thousands of hours to Linux -- paying for their own software? What about the code I wrote 10 minutes ago? Do I owe SCO something for that?
SCO goes even further, saying that anyone who worked on the 2.4 code is now "tainted" by their exposure to the original Unix source, and therefore cannot contribute to further Linux kernel development. Houston, we've gone plaid.
The whole of Linux and Open Source isn't threatened by SCO. The threat comes with what the industry thinks. Fear is the weapon of the terrorist, and SCO is trying their hardest to instill fear into the industry, hoping that some money will fall their way. In the process, they're boosting their own enemies, causing damage to a flourishing development environment and cementing their position in the minds of the next generation of IT decision makers.
No, we can't just ignore this, but even more, we cannot afford to give an inch to the thieves in Linden, UT. I've disliked SCO for a long time, mostly due to the general crappiness of their products and backwards notions of a server OS, but now I can say that I truly despise the company. Their actions are simply shameful.
Posted by Paul Venezia on July 24, 2003 11:08 PM
May 26, 2003 | Comments: (0)
Life as a second grade classroom
I remember second grade fairly well. Lots of letters and numbers, learning how to tell time with an analog clock, listening to stories and getting hooked on phonics. I also remember the mentality of that classroom. It was an odd mixture of the primitive and herd mentalities. Anyone perceived as outside the norm either physically or by action would have to withstand the recess ridicule. It seems to me that the world hasn't moved much farther than second grade.
I recall the kid who clapped the erasers on the teacher's chair. A few kids knew who did it, but wouldn't tell for fear of being labelled a snitch. The teacher would then address the class and declare that the perpetrator either owned up to his actions or the whole class stayed inside for recess. More than a few times, the whole class stayed inside.
As I read about more laws appearing on the books with the intent to address a problem presented by 0.01% of the population, but that affects the other 99.9% of the population, I can't help but think of the kid who clapped the erasers.
Examples abound: from the DMCA, proposed draconian DRM and IP laws, to the bizarre laws that prevent the sale of drink specials in the state of Massachusetts, to the PATRIOT act. There are countless laws that exist at state and federal levels that seem more focused on exacting punishment on a statistically irrelevant part of society at the expense of everyone else.
New Hampshire has a few, Massachusetts (warning, horrible banner ads) has many more. Some are laughable and wouldn't make it into a courtroom, but the ones that might are a little scary. One that particularly bothers me is that it's perfectly legal for police to lie to suspects during interrogation about anything. Witness the case of Mike Crow. He was 14, interrogated for 11 hours without his parents or a lawyer present, and forced to confess to the murder of his sister. He was told a barrelful of lies by the interrogating officers, including tales of his sister's blood found in his bedroom. He was subsequently proven innocent by DNA evidence.
So we continue to shoot first and ask questions later. Soon enough, common sense will be outlawed, and we will find ourselves stuck in a maze, where all decisions are made for us by people that we've never met, whose reality we may not share. Should laws be used in this manner? Will the whole class be kept in for recess permanently? When will we stop defining ourselves by the lowest common denominator?
Posted by Paul Venezia on May 26, 2003 08:47 AM