We received a rather polite email today from cydoor to "please stop calling their product spyware. You can read the whole email in this article.. the part that amused me most is this:

In regard with your article, I would like to bring your attention to your categorization of our ad-serving technology as spyware#&46 I believe that this categorization is mistaken, and I would like to show you why. I would also like to request that you update your description of Cydoor to be a mild adware.

"Hi mom, how's your pc?"
"oh it has a mild case of adware.. I downloaded something for it"
"That's not bad then, it's only a *potentially unwated program*.."
"Yah, it's nothing, you should have seen the severe case of scamware ...'s computer had last week!"

Well then..

dslreports has been under a massive DDOS attack.. a combination of synflood and bad requests. What's showing in image is actually not accurate, since the attack is much larger than this, but it should give you an idea of what we've been dealing with since last night.

My personal belief is the reason for this is our recent series of anti-spyware articles much like Ben Edelman experienced. I've no evidence to back that up but would love to compare logs.

Ever since I started posting logs of IPs that post spam on my weblog or spam my referrer log, I've been hit with regular trackback attacks. Daily and consistent. What's the relation to the dslr attack? IPs from attacks to my personal server and to the dslr servers are mostly hijacked, trojaned machines on comcast, sbc and other big providers. Big providers who are completely capable to detecting this kind of behaviour and cutting those customers off. Why aren't they doing it? Maybe because they are more concerned with spreading their legs for RIAA and catching small-time file traders instead of making sure their networks aren't used in massive DDOS attacks that take down legitimate websites who provide security resources for everyone?

What will it take to get Comcast to listen? Are you out there SBC?

Comcast cable customers will be kicked off their network and accounts closed if they get caught three times hosting filesharing. There is no similar provision for customers whose machines are used as part of a botnet. Why not? Why isn't this issue as important? Because websites like ours do not have the deep pockets to affect legislature? Because a customer that cannot secure his machine is more important than one who chooses to download movies illegally?

Every broadband customer should be held responsible for securing their machine and if they are incapable of doing so, they should not be allowed on a public network. And no, I can't afford to buy a few senators to make sure that this even gets discussed in a public forum outside of my weblog.

On the errant child's computer in the crontab of a logged in account:

* 23,0,1,2,3,4,5 * * * /usr/bin/osascript -e 'tell application "Finder" to sleep'

(It tells the computer to put itself to sleep every minute of every hour between 11pm and 5am.. of course if the computer is already asleep it doesn't do anything)

I don't who is in charge of Verizon's mail servers, but they need help, now. A few days ago, a few users of dslreports complained that they are not receiving any email from us. Things like password reminders, notifications they asked for, etc.. It's not spam they're missing but legitimate mail. After checking the logs and seeing nothing but tons of time outs trying to connect to verizon's mail servers I did the very first step any admin would take, mainly:

$ dig verizon.net mx

;; ANSWER SECTION:
verizon.net. 13452 IN MX 0 relay.verizon.net.

okay..

telnet relay.verizon.net 25
Trying 206.46.170.12...

That was from the dslreports mail server.. hmm... could be Verizon's server is down?

$ ping relay.verizon.net
PING relay.verizon.net (206.46.170.12) 56(84) bytes of data.
64 bytes from relay.gte.net (206.46.170.12): icmp_seq=1 ttl=243 time=44.9 ms
64 bytes from relay.gte.net (206.46.170.12): icmp_seq=2 ttl=243 time=44.7 ms

--- relay.verizon.net ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1010ms

rtt min/avg/max/mdev = 44.751/44.833/44.916/0.227 ms

Well.. the server is obviously up, but is the mail server? From another host:

$ telnet relay.verizon.net 25
Trying 206.46.170.12...
Connected to relay.gte.net (206.46.170.12).
Escape character is '^]'.
220 sc002pub.verizon.net MailPass SMTP server v1.1.1 - 121803235448JY ready Mon, 14 Feb 2005 18:08:02 -0600

Well.. gee.. look at that, Verizon is obviously filtering out mail.dslreports.com and not allowing us any connections. Blacklists? Nope, clean as a whistle (btw, Derek, yours is consistently timing out from that site).

I emailed the typical addresses one would try to contact a mail admin.. nothing.. no reply, no acknowledgment, no bounce.. great.. In the meantime some of our users started asking Verizon. As customers they have a bit more leeway than I.. Here's what Verizon came back with:

said by Verizon Online Support Center:

Verizon will not accept mail from senders that are not recognized on the senders mail system as a recipient. This is a problem on dslreport's side and will need to be corrected before mail from this address will be accepted.

The domains that are being looked into for you are not part of any blacklisting issue, but rather a part of a Sender Verify process. A While [sic] ago, servers were installed to verify sender e-mail addresses. All sites would need to be sender verified. if a sender is not valid, or their domain has not been validated, the message will be returned back to them. Any site that is not set up for sender verification will be allowed to pass through our system.

Thank you.

I explained to the user how there is no way they could have tried to verify the sender (although that would have failed, this was one of our bounce addresses) since they never even attempted to accept the message.. kind of hard to do that without basics..like say.. server handshakes or maybe a connection?

They had a nice reply back:

said by un-named Verizon Online Support Agent:

I have passed the information along to our engineers. It seems that you have not understood our explanation of the Sender Verification process. I would suggest that you feel free to research this for yourself. You will see that the Sender Verification process is actually an industry standard.

Industry standard.. erm... whatever.. how is that connection doing? Right.. none.. and apparently they're working with us on it too! Funny, I didn't notice. Not a peep, none. Great job Verizon, way to serve your customers.. I've some gmail invites for all you poor Verizon users.

At this point, I'm guessing (this is really a guess) that they have some sort of limit of how many mails they will bounce based on failed sender verify and then blacklist the host.

There is something very amusing about this (plain text message, sent from a mac, no attachment, discussing mail rejections as spam in a bit of an overzealous manner):

Your message to: admin@<removed>.net was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

Subject: Mail rejections

VIRUS ALERT

The <removed> Internet Spam Shark and Virus Viper Firewall found a virus in an email to you with

Subject: Mail rejections

From: <kasia@...>

Amusing..

It's amusing to read now, after the correction, but imagine being an employee of O'Reilly media and reading this::

received an anonymous IM rumor from someone a few minutes ago claiming that "Everybody has been laid off" at O'Reilly Books

What a way to start a work week, anyone hide a mike by the O'Reilly watercooler?

[For those who didn't follow the link, it's not true]

Someone I know is getting weird emails from a gmail account and asked me to look into it. Obviously, first things first, I checked the headers for the originating IP. Guess what? It appears gmail doesn't include that in headers.

I suppose we now have to rely on google to get anywhere with harassing emails, spam and other badness. Google -- policing the Internet, great.

This is a first.. an attempt at patenting something I could produce prior art for! Me and thousands others!

Patent Application:

Herein is described an implementation of an object persister, which serializes an object to preserve the object's data structure and its current data. The serialized object is encoded using XML and inserted within a message. That message is transmitted to an entity over a network. Such a transmission is performed using standard Internet protocols, such as HTML. Upon receiving the serialized object, the receiving entity deserializes the object to use it. Rather than include copies of referenced objects within the serialized object, the object persister includes references to those objects. This avoids redundant inclusion of the same object and potentially infinite inclusion of the object itself that is being serialized.

.. and since when is HTML a protocol.

[via Ray]

I haven't been attending a full time job in the last few weeks, one might think that should give me quite a few hours of free time, right? Not so! It appears I'm far more busy now than I ever was working. I just don't get paid as much doing it.

I think I found a new disorder:

Out-of-work-so-I-have-tons-of-time-for-all-kinds-of-projects-itis.

I wake up in the morning with the idea that I have all these free hours to do all these things I have always planned on doing, except it turns out once my day fills up.. well, it fills up.

I need a job so I can start to relax again!

1. If your new employer buys books, take advantage! Read them!

2. Work extra hours to finish a project that's off-schedule, it will come in handy when it's time for a performance review.

3. Always document your code, you never know when someone else might need to read it.

4. Keep daily notes on your progress, it comes in handy when you need to take a few days away from a project.

5. Take advantage of any training your employer provides, it makes you a more valuable employee.

6. Start your work day early, you can get more done in the morning before the office fills up with coworkers.

7. Don't abuse company resources, that next raise may depend on it!

.. and finally ..

8. Keep your personal items at work to a minimum, it's easier to carry out when it all fits in one box.

9. Label your office supplies, that way you can claim them as your own when it's time to pack your box.

10. Accrue your vacation days so when you get laid off you have extra paid time.

The October 2004 edition

• You consider two consecutive days without any sort of work a vacation.


• "I asked for his ssh key and he sent me his private one" makes you double over in laughter.


• Instead of sitting and eating in an airport, like the rest of the population, you walk around until you can spot a power socket.


• One might find two-or-more gadgets or accessories whose names start with a lower case i in your car.


• The sentence "Secure electronic voting" makes you laugh.


• farting robot sounds really cool.


• Your preferred airline is American just because they have power sockets on some seats (and you know exactly which rows)

I've got more but I'll save them for next year's list.

Prior editions:
February 2003 and Nobember 2002.

This is really cool!

Google SMS

Now this is an sms feature I may actually use.

[via David, whose post on this seems to have vanished]

Nobody likes the crunch of tight deadlines and working overtime to make up for lost productivity at some point in the project. It's stressful, annoying and bound to make the worst whiners out of the best troopers. It would appear that the preceding is one thing all programmers from all corners and platforms can agree on, right?

Well, there is one thing that's almost as bad -- having too much time in a project. Like say, finishing a couple days early. Too much time equals too much creativity. Too much creativity equals your mean, lean program is suddenly a code-bloated monstrosity sprouting features like growth on a ten-month old potato. Christ, give me a tight-deadline anytime over this.

With the recent increase of break-in attempts via ssh, here's a little checklist of making sure your server is as secure as you can make it while still being able to access it from the outside.

• Do not run ssh in Protocol 1 compatibility mode. This is sadly, enabled by default in many installations, you can test yours by simply telnet-ing into it.

  % telnet unix-girl.com 22
  Trying 66.198.51.100...
  Connected to cygnus.unix-girl.com.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_3.7.1p1
  

  Mine's safe, unsafe configuration would show:

  SSH-1.99-OpenSSH_3.7.1p1

  To disable Protocol 1, set this in your sshd_config file.
  Protocol 2
  

• Do not allow root login via ssh at all. Root is probably the most common targeted account for brute-force attacks. To disable root login in sshd_config:

  PermitRootLogin no

• Enable key authentication, keys are more secure than passwords. In sshd_config:

  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys

  In your home directory:
  

  % vi ~/.ssh/authorized_keys
  -- insert public key in the file -- :wq
  % chmod -R og= ~/.ssh/
  

• Disable password authentication altogether: I'm not that sure of this one, it is a lot more secure but then you'll either have to sprinkle your private key in places (I don't want that) or keep a backup system with your private key on it to which you can access from everywhere without using a key.
  

  
  PasswordAuthentication no
  



• Make sure you do not have any of these accounts on the system:
  
  • admin
  • test
  • guest
  • user
  • webmaster
  
  These are a huge magnet for brute-force attacks.


• Make sure these common (and others) accounts use /bin/false or /bin/nologin for shell:


• mysql
• oracle
• server
• backup
• data
• apache
• web
• nobody

.. and have no passwords:



% passwd -l mysql
...



You do not need to login to those accounts, ever, if you do you're doing something wrong.
• Make sure you're using the configuration file for sshd that you think you are. I've seen many servers where the file used is in /usr/local/etc instead of the more intuitive /etc/ssh/. This is determined by the -f flag in sshd startup.

  If you find two of these, it's probably best to just delete the one you're not using so as not to confuse yourself.

I'll add more as I think about it..

I'm seeing about four times as many attempts at ssh entry & scanning in logs on various, mostly-unrelated servers.. I wonder if there's some vulnerability that has not been reported yet?

Something is definitely going on... are others seeing this too?

Edit: found it.

Yesterday, I had to resize tables. Who knew they would reach 4GB each in such a short period of time? They do grow quickly.. don't they.

Today, I had to deal with aftermath of a server running out of space (damnit, I will install some better monitoring, I promise!) and learned that you need 2.2GB of free space to run repair on a 2.4GB table.

Time to prune some data.

When searching for help with hpux + http authentication issues came accross the original Apache http server anouncement on comp.infosystems.www.servers.unix from 1995.

Folks, we in the Apache Group are happy to announce a new public-domain HTTP
server based on patches to NCSA's 1.3 httpd called "Apache".  It fixes many
bugs, in both performance and functionality, and it includes the following
new features: 
 
      Content negotiation (for all you who want to do HTML 3 right!)
      Multiple Domain Names (http://foo.com/ & http://bar.com/)
      Custom error responses (internal redirects to pages or script)
      Send "as is" file types - for including HTTP headers with documents
      More HTTP spec compliance
      DBM-file based user authentication

Ah.. the good old days
link

Once upon a time I used to spend time and effort reading rumors on usenet (back when it was useful) about new! improved! faster! sexier! processors. 200mhz! Oh, I remember that one well. I couldn't afford the Intel wonder but I did get the Cyrix (anyone remember them?) for $400 about a week after it first came hot-fresh and new off the assembly lines. At the time, that was a lot of money for me -- so it was definitely a sacrifice. I was at the top of technology -- following the news, getting the newest and greatest and processing the hell out of my computer.

I remember the 300, the 600.. who can forget the 1ghz? That was something. Somewhere along the way things changed.. I'm stuck in a time warp. My desktop is a dual 600mhz Intel (and I got those for free, they used to run the original dslreports website).. and well, it's good enough. My laptop is a mere 1.25ghz (g4, mind you) and it's just fine and dandy. My work desktop is somewhere in the 2ghz range (I don't even know where) and that's fine and dandy too.. sure, it builds our code fast... that's nice, I suppose.

I just don't care anymore. Somewhere somehow I saw a reference to a 3ghz cpu. First reaction was "when did that happen?".. second was.. "oh I don't care anyway". In a way that's a bit liberating -- I no longer have to spend far too much money to stay on top of things (I just don't care anymore) -- but it's also a bit sad. Somewhere along the way the whole speed race lost its magic.

Here's to the 5ghz cpu, early, bet I won't notice it on time anyway.

My server was down earlier today for mysterious reasons. A switch at the data center was cycled and my box never came back on (the only one that didn't).

• Login via serial console to verify network device is actually alive - check
• Cycle the server for good measure - check
• Cycle the switch again - check
• Ping setup-knowledgable person on IM (idle) - check
• Try several cell calls to various people with no good result - check
• Get a hold of a person who might help - they're too busy right now - check
• Watch the only person left who knows more than you about the setup (I know nothing) go to bed - check
• Start pinging every IP in your range in desperation - bingo!

Bang-head-on-wall *check*

# uptime
22:52:34 up 206 days, 23:19, 1 user, load average: 109.87, 62.86, 27.35

Don't ask :)

It's been raining and thundering all day today and I'm feeling lazy. That means veggie burgers for dinner (I have the routine down to less than 10 minutes including fresh veggie slices and spicy spread) and watching some movie I've seen 10 times (hmm.. feels like an Indiana Jones night) with my favorite buddy while doing some light no-brain-required work on the powerbook.

That's about when I discovered an obscure server I once used to rely on for my email appears to be bouncing messages destined to my inbox.. No problem.. login in, fix sendmail (cough) all happy again. A realization struck me. This is the first time I logged into that system in about 2 years.. and I remembered the root password.

My brain always amazes me.. I have trouble remembering where I left my cell phone half the time (until it rings, I mean buzzes) yet I can remember a root password (one of those good ones, random numbers, letters and let's not forget mixed case and a sprinkling of funky symbols) I have not used in three years. That's not all.. actually.. I can remember login passwords to all kinds of systems.

We geeks are just wired oddly. Time to sprinkle some ssh keys though.

RAGM - Random Access Geek Memory - Remember all things obscure forget the useful ones.

Did you hug your sys admin today?

I used to be one.. long time ago before I crossed over to programming. It's true, sys-admins are very much like minor deities.

The "leading Access Control features such as Tickets@Home".. I wrote that.

Think I can use that as leverage asking for a raise? "Hey, I wrote the leading access control feature such as tickets@home"!

Well.. no.. but pr is still funny.

As noted here I am working on a conversion of a ClearCase repository to Subversion. Since there appear to be no resources for this available I wrote a simple perl script that handles the conversion in a relatively simplistic manner. In short, it checks out each version of a ClearCase file and checks it into Subversion, therefore creating the history. It's simple but effective and it worked quite well to convert our entire repository (some 30+ hours for the whole thing..).

Anyone who wants it, it's here, but please make sure to read the documentation, particularly the limitations before you attempt to use this thing.. and by all that is holy, run a test run and backup!

Oracle client for linux is 386MB.. insane.. that's of course just the installation file which I'm still downloading. I'm sure the actual install is bigger.

There's a small, "instantclient" which is under 10MB and unables you to use JDBC and (burp) SQL*Plus.. but for what I need it's not enough..

When the hell did a DB client (*CLIENT* not the DB itself) get so freaking large? Someone needs to put Oracle on a diet..

It's a bit funny (to me anyway) just how specific my work environment needs are. This topic, of course, came up in a conversation today.. and made me think about just how particular I am.

When I code, I like a big monitor.. so I rarely actually do any coding on my powerbook (unless it's something small and scripty) and will use my desktop with the big monitor for that purpose when working at home. I had a sun box as my desktop machine in my first programming job and having that big, sun monitor forever warped my expectations of a programming desktop. Big monitor, tiny font, lots and lots of xterms. That's one of the reasons I really did not enjoy windows programming during my short Delphi experience.. there is just no easy or logical way to arrange this on a windows box.. not with having to click to focus!

Amusingly enough.. when I do sys-admin type work (which I tend to in the evenings) I can work just fine using my powerbook on my lap.. on the couch.. but yet I cannot seem to program comfortably that way.

Not surprisingly.. we're all creatures of habit. Some of them more odd than others.

iEmployee.com is written by some not very bright people. Forget that the damn thing has to be hacked to work in a browser other than IE.... I can get around that.. whatever.

Their whole session security relies on a session ID in a url. That's right.. knowing the URL you can get into someone elses session. That site contains nice things like my social security number, address.. date of birth.. employment information (after all it's an HR company).. why do they even bother with ssl if this is their idea of a security model?

I think I'll suggest at work we drop these morons.

Considering the kind of information they provide online, wouldn't security be a top priority? Pretty please?

Most of the things I normally compile for unix involves "configure, make, make install" with the occasional sprinkling of "make test" for good measure. That's pretty typical. Then there are the more complex packages that actually require reading instructions before you can compile them, sure.. reading is good for you. But why, in the name of all that is holy, would you include installation instructions in an html document for something that needs to be compiled on a command line? Especially when it's *just text*. I don't care about pretty gifs and paragraph formatting! I just want to compile and install!

Damnit.

I'm researching switching our source control tool from the feature-rich and appropriately expensive Rational ClearCase to the open source and apparently quite nice and stable now, Subversion.

It appears that conversion scripts from CVS to Subversion are a dime a dozen, however I've been having a hard time finding any information on converting from ClearCase to Subversion.. I suppose it wouldn't be particularly hard to make a script to convert all our history.. but I'm more interested in finding out about pitfalls and things to watch out for from people who have done this before.

Anyone have any info?

No, this isn't the old one, it's a brand spanking new one. Mine's upgraded.. spent all of five minutes on it too. Phew, life is rough.

Side benefit of using open source software, all those nice script kiddies and hacker-wannabes work hard and long hours to discover security issues for us. Thanks guys, warm fuzzies.

[via David]

.. of code.

The code I usually work on has been actively used and developed for the last three years. That's really not unusual for what is essentially a very elaborate website with a massive transactional back-end (all written in Java) that talks to many different ticketing systems. It's a very complex project. I often find myself re-writing code because something has changed that facilitates better, more efficient or just simpler processing -- sometimes that something is my own logic and knowledge padded by the additional experience gained since the last time the code was touched. I often find myself wishing I had the time and schedule flexibility to re-write much larger and more complex parts of the code, but as we all know, wishful thinking is just that and schedules are often unforgiving. Today was one of those days.

A code-base, like the one I just described, is really like a big, elaborate gum ball.. when it first starts out it's all smooth, shiny with an underlying sweetness that just begs to be enjoyed. As time goes.. that changes, it gets chewed up, sweetness goes away and before long it just looks like a chewed up, sticky, used-up piece of gum. Other coders add their own tidbits.. and before you know it you have one, gigantic, messy, sticky ball composed of patched-on pieces that doesn't even remotely resemble the sweet and juicy round thing it once was.

I have a theory.. any project that's been actively developed for more than three years needs to be scrapped and started from scratch using the experience gained in building the original code-base. Much like a stepped-in piece of used gum scraped off the bottom of a shoe.

Now isn't this the stupidest analogy ever? It was so bad I just had to blog it ;)

A new workstation recently arrived on my desk and this prompted an experience I have not had in a while. Installing a whole new linux system. Now I'm practically a pro. I've done this dozens of times. I'm very comfortable in unix and can hack my way through most problems. Given that, the installation was a snap despite some problems:

• Burning the cds incorrectly -. I'm an idiot and didn't realize burning them on my powerbook with the default osx tool might cause problems -- eek screwed up file names. Wisely, I also burned just the iso images. Mounted them on my other pc and did a network install.
• The pc not having a floppy drive to boot from (this is tied to the above problem of not having a bootable cd). Lots of old pcs in the office.. So one floppy drive dangling on a cable and propped by a pile of books was the solution.

All things considered, that's an easy install and would have been even easier if I wasn't a dumbo. So what did I have a problem with? The RedHat (I installed Fedora core 1) up2date agent crashing on startup. Once again, I'm a geek, took me 2seconds to find a problem. Missing font! I installed all the default font packages, well it appears I missed some obscure Helvetica size whatever font. Give me a break guys. How do you expect Linux to ever make it as a desktop OS if an entire application silently (to the user not running this from a terminal it just disappears without a trace or an error message) fails because of a lack of a font!

Ludicrous. Stupid. Silly. Amateurish.

This is an application that's part of a RedHat (well, Fedora) distribution, it should be a bit more mature and better than this by now. Especially considering this application is supposed to keep your system up-to-date with all the newest security fixes. Is it a wonder so many new linux users have hacked machines within days of install?

If an application can just silently fail because the system doesn't have whatever font it happens to prefer, then linux has no future on the desktop of your average PC user.

If you're at an airport that appears to have no wireless and no signs pointing to its existance - head for the nearest Starbucks.

I learned that in Cleveland yesterday.. not one sign about it, but there was wireless at the Starbucks (and nowhere else).

Apparently the entire world is under the impression that if they continuously bother me while I'm really busy it will somehow make me work faster.

Well, it won't.

It will make me more irritated, more annoyed, more frustrated and more prone to obscenity. But! It cannot possibly make me work faster.

It's a very simple concept. If something has gone horribly wrong and it needs to be fixed *right now* and I am aware of it and already working on the issue, what do you think I'm doing? That's right, working as fast as I can. Now it is entirely possible that 'my fast as I can' is not quite fast enough but still, does not change the fact that it's simply not humanly possible for me to work faster than my maximum physically-allowable work speed. My brain will explode otherwise. Perhaps my fingers too. My wrists are sure to complain as well.

But you can bet your sweet code blocks that I will not insert multiple return statements anyway. Hah, take that, oh argumentative ones.

I'm often asked "what is it like to be a programmer". It's a good question! After all, programming, being the glamorous and exciting profession it is generates much curiosity in the less-typing inclined portion of the population. Oh, alright, I got the question once and it was from a six year old, but who's really counting? The question still deserves to be answered and who better than I? A typical (in my limited view of the universe - from my living room couch where I am located presently) programmer. Please keep in mind that my view of the programming universe may not apply to other typical (not me) programmers.

An average day in an average life of an average programmer.

A good start to any programming day is to drink coffee (lots of coffee) and make realistic and plausible goals for the days accomplishments. Say, fixing the few outstanding issues in the current project and feeling good about yourself and your productivity at the end of the day.

Around midday, as you get through your second pot of coffee, answer all your email and deal with the usual morning interruptions of questions, phone calls, general chit-chat it's time to start the initial debugging work on the first (and usually the hardest) of the list of bugs to fix for the day. Ah, productivity! Fuzzy, warm, green feelings.

Lunch time!

As afternoon rolls in, the day usually starts to look much more organized and flows in a pattern. Much like a flowchart. Created by a disorganized manic depressive. Who likes to smoke pot. The pattern is very usual and typical.. start up debugger, get through one statement, get interrupted, answer questions, discover application core dumped while waiting for your input (weblogic likes to make our lives exciting that way), go get coffee while weblogic restarts. Rinse, repeat until around 5pm.

The evening shift.

Watch all your co-workers leave the office as you fumble some data, debug some QA problems and discover it's now dark outside. Turn up your iPod to tune out any possible interruptions, code madly, try not to insert too many offensive comments in between removing the hacks you said would only be there for a couple days (three years ago) and finally watch everything fall into place and code operate properly. Success! Bug fixed! One.

Kick the chair as you leave the office.

There has been much noise recently about Google's new mail service and its privacy policy. Specifically, the biggest concern appears to be the storage of the email itself. What should have been the service's main selling point (who has 1GB worth of email sitting around anyway?) is now the biggest point of contention. "What will they do with all that information".

I have to admit, the privacy policy is worded pretty ambiguously and leaves many open doors for all kinds of nefarious schemes.

We will never rent, sell or share information that personally identifies you for marketing purposes without your express permission.

"But we will happily sell all other information". I suppose that in itself isn't quite as bad as it sounds. What company doesn't sell their customer information these days? We sell ourselves and our info for a discount at a grocery store, why not for a mail service. Note, it specifies "for marketing purposes".. so does this mean they will for other purposes?

Residual copies of email may remain on our systems, even after you have deleted them from your mailbox or after the termination of your account.

What exactly is "residual copies" of email? What conceivable reason would Google have for storing more than one copy of an email (other than backups, obviously) on their system? Considering Google is using the content of the email to target ads, this is probably something as simple as using a sampling of email to test and improve their targeting algorithm.. but if that's all it is, I wish they would say as much in the privacy policy.

Google employees do not access the content of any mailboxes unless you specifically request them to do so (for example, if you are having technical difficulties accessing your account) or if required by law, to maintain our system, or to protect Google or the public.

This is the biggest open door. "Protect Google" -- who defines what is needed to protect Google? Of course.. Google, in other words, as long as they can justify "it's good for the company" they can do what they please.

The policy is pretty badly written, leaves too many questions and doesn't explain Google's intentions as clearly as it should, but I would think they're too big of a company to get away with anything too nefarious for too long. I have a feeling that thanks to all the noise this is causing, we'll see an amended policy within days.

If your IP is 216.114.176.211, you have a virus and you're sending it with my email address as return address.

If your mail server is smtp.scotland.net, configure your bloody box to discard viruses not bounce them.

That is all.

This new worm is particularly annoying, since an AV scanner may not catch it at the server level, the infected file is password protected. If you're running postfix, you can block the subjects it arrives with at the server level using header_checks.

In /etc/postfix/header_checks add these lines:

#
# w32.Beagle.j worm
#
/^Subject:.*E-mail account disabling warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*E-mail account security warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Email account utilization warning/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Important notify about your e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about using the e-mail account/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Notify about your e-mail account utilization/ REJECT Suspected W32.Beagle change subject
/^Subject:.*Warning about your e-mail account/ REJECT Suspected W32.Beagle change subject

It will reject the email with the message "Suspected w32.beagle change subject". That's all, postfix rocks.

Diego muses on the percentages of very qualified women vs men in fields like Computer Science:

if, say you have a CS class of 40 people, maybe 5 at most would be women. But of those five women, two would be very good. And there would be maybe three, at most four good computer-scientists-in-brewing on the boys' side.

There is actually a very simple answer to this. A woman has to work twice as hard and be twice as good as the average man to get anywhere in a male-dominated field. I know only a few female programmers but they're all very good if not excellent.. can't really say that for majority of the male programmers I know.

I had a perfect example of the different expectations today as I was upset over what I felt was a mistreatment at work and one of the reactions I received was "you're being bitchy".. It wouldn't have occured to the same person to say that if I was a man, but there is always a slant when the other gender is involved.. This is probably not a intentional or even a conscious decision, it's just how our society has predispositioned us to think.

Women have to be smart and tough to make it in CS. That's why the percentages are so much higher.

Richard Stallman was nice enough to give a talk at the Greater Hartford GLUG meeting. It was tempting enough and I braved the drive through Hartford during rush hour and attended. I'm glad I went. Everyone knows the history of gnu and linux but it's always good to hear it from the proverbial "horse's mouth".

Stallman is a good speaker, throws in enough humorous references to keep the crowd interested and is anything but boring. I suppose I could summarize his stance on non-disclosure agreements (they're bad), free software (free as in freedom not free beer) and general state of software development today, but that's really easy to find on the web in numerous papers and books he's written, so I won't.

I agree with much of what he says. I believe in open source, I think software patents are ultimately evil and I think the government has no business bending over for corporations and passing laws like the DMCA. I don't think *all* software has to necessarily be free. There is room in our communities for both. I can't imagine excellent products like Photoshop (gimp is nice, but it's not photoshop) and autocad would ever come into existence if all software was free. Support fees only go so far for products like these. Companies other than hardware manufacturers need an incentive to create good, professional software and income is probably the best one of them all.

These companies have the right to write software, keep the source private and charge money for it, but they do not have the right (this is in my view, not in legal terms) to tell the users how they can or cannot use their software. They should be responsible for flaws and lack of quality. Most of all, they do not have the right to invade, control or do anything to the user's computer just because their software is on the machine. I think it's a quote from "Good Omens".. "The devil should learn to write agreements from the software manufacturers".

The halo on Saint InGNUcius's head? I was right.. it's a hard drive plate.

If one ever searched for a perfect candidate for the professorate of absent-mindedness they would come up with me at the top of the list. My picture should be in the dictionary next to the definition. I should be awarded the honorary title just based on the first thirty years of my life. When you combine that with my amazing powers of observation (not) and the incredible ability to be oblivious to my surroundings it's a wonder I survived into adulthood. Particularly considering all the experiments I did when studying electricity through home-made lamps and assorted lethal devices around the age of ten.

That's all normal (for me) but it is amazing that I also happen to be an inexhaustible fountain of useless knowledge. Have a topic? I probably know some completely weird and useless factoid about it. When I was in grade school I used to win quiz contests with one half of my brain focused on some incredibly stupid and dangerous experiment and the other half wondering if the cute boy from the other team likes me. I can name authors of books I never read, Latin names for plants I've never seen and quote from movies nobody cares about. All this before my first morning coffee.

I'm often asked "How do you know all this".

I don't know. Really, it all just accumulates in my brain pushing out useful information, like simple regular expressions, the last location of my car keys and the fact that I promised to finish up a certain project. And that's just an example from today's afternoon, morning was more exhaustive.

It's not easy to reconcile these things. How can I remember lyrics to songs I haven't heard in fifteen years but not remember a simple algorithm I've used many times in the last three years? I can name the capital of Manchuria but didn't notice a coworker came by and left a note on my desk while I was sitting there (no headphones involved). I can say "happy new year" in Cantonese but forget my mom's birthday.

One of the childhood stories my mom loves to tell everyone involves me at around the age of twelve, a small storage area and a vacuum cleaner she sent me for. I went there, didn't see it, came back, "no, no, it's there, look again". I looked.. didn't find it, she came with me, the damn thing was right in the middle of the room and only a blind person could miss it. I'm not blind, I'm just incredibly oblivious to my surroundings.

There might be some medical term for this - but for once, I don't know what it could be. Maybe it's part of the Nerd Attention Deficit Disorder.

This is only useful to those who use Scarab bug-tracking software and are not happy with its e-mail handling options. Might also be useful to those who wish to mock my perl (I'm a Java-programmer, dammit).

Scarab e-mail filtering script. That write-up probably leaves a lot to be desired, but it's a start. This filter has been in place at work since mid-December and so far everyone is satisfied with it.

I cannot imagine anyone out there hasn't figured this out yet.. but postfix just totally and completely rocks. After years of dealing with the hell that is sendmail this is a breath of fresh air.

I wanted to configure postfix to listen on two ports (smtp and 26) for those whose ISPs block outgoing port 25 and turns out it was a one liner change.. how great is that.

In master.cf:

26 inet n - n - - smtpd
# postfix reload

Done.

It appears I missed a whole new trend in online discussions. Me! The queen (well, former) of IRC and forum discussion boards! Lately, the flamer on usenet! (It was one post and they really got under my skin, I already repented).

::emotion depiction::

When did this happen? It's not that I'm scared or bemused or even petrified by a new trend.. it's that it completely and utterly went right by me and I didn't notice it until very recently. What happened there? Am I no longer on the memo list?

Man, I guess this is what it felt like to our parents.

*sigh*

er, ::sigh::

This is a really cute tshirt but someone made a boo-boo..

"There's no place like ~/" would have been much more logical.

Microsoft's answer to the IE phishing bug..

The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER.

I have a better solution, how about using a browser that is not vulnerable to a huge security hole that apparently the browser maker isn't in any hurry to fix?

Laughing yet? Good! That is funny.

I have recently discovered ddr (that's Dance Dance Revolution for those who never heard of it) and it's more fun than jumping on a pad to house pop music ought to be. Good source of exercise for the nasty winter days when running outside is not an option and the treadmill sounds about as appealing as writing CS I projects.

Next time I'm in California (CT Is amazingly arcade-poor) I'll have to visit an arcade and make a fool out of myself in public on a nice, metal pad. (Hi Matt!)

(Stats? I'm getting As and AAs in "light mode" songs but still have problems with "standard mode".. I'll get better!).

If one is up at nearly 2am on a Sunday night merrily debugging various server issues that really can wait a few hours (the few hours I need of sleep) I would think that is a big, flashing sign of an issue. With bright colors and blinking lightbulbs around it.

I admit it, I have a problem. If I see an issue I can't walk by it.. I have to roll up my sleeves and dig in (well, not in a physical sense, of course) no matter how useless that may be at the time (face it, if a server is throwing i/o errors one after another it may be a bit late to try and figure out if I have a current backup). It's not that I'm a workaholic, really, I'm not.. I haven't spent all of today working at all... it's just that I can't walk past something like this. Help.

In the great tradition of google and assorted filtering tools Mark Lindner came up with a filter for gaim.

It's fun to annoy your co-workers with!

To quote Mark:
Sappnin' dere, homey. Why duzn't ya give dese rap filters some damn try? Dey be great.

It's the little things in life that make us happy. Today is the last day I have a windows box on my desk at work. At least for a while.

I have the utmost respect for windows programmers, truly, I do.. I just don't make a very good one myself. Having me write windows software is a bit like having a VB programmer who has never used unix write apache modules. In my short, yet ever so annoying foray into the world of Microsoft-based-os programming I experienced Delphi programming and creating installation scripts with Wise (whose scripting language is the weirdest damn thing I've ever learned).

I cheated though.. I wrote my test utilities in perl.

Today, i lovingly deleted all my personal files, cheerfully cleaned out the application list and shutdown the machine. It's being taken away tomorrow morning and I'll be left with my ever so much slower and older, but yet reliable, trustworthy and linux equipped pc.

I'm all smiles, it's the little things.

I have nothing against courier-imap as a server itself. When it works, it works well and it's stable. I do have a serious issue with how it's written. This is the same piece of software whose programmer wants you to use an rpm if you're running redhat instead of compiling from source, like any sane person would choose.

So we have an enforcement of "don't compile as root" (generally a good idea but enforcing it is a bit rude, unless you're the sysadmin), a strongly-expressed preference for users to use rpm for installation instead of compiling themselves.. and then.. this..

strace output of a login failure using MySQL:

[pid 2921] write(6, "j\0\0\0\3SELECT alias, cryptpw, \"\", "..., 110) = 110
[pid 2921] read(6, "\304\0\0\1", 4) = 4
[pid 2921] read(6, "\377(\4You have an error in your SQL"..., 196) = 196
[pid 2921] fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 2921] read(6, 0x807d5a8, 8192) = -1 EAGAIN (Resource temporarily unavailable)
[pid 2921] fcntl64(6, F_SETFL, O_RDWR) = 0
[pid 2921] write(6, "\1\0\0\0\1", 5) = 5
[pid 2921] shutdown(6, 2 /* send and receive */) = 0

Courier log output from the same event:

Dec 26 10:21:58 coral imapd: Connection, ip=[127.0.0.1]
Dec 26 10:22:15 coral imapd: LOGIN FAILED, ip=[127.0.0.1]

Hint: any possible debug parameter is turned on.

That's right.. it's a simple SQL syntax error and one has to use strace to figure out that this is why a user cannot login..

So is the courier-programmer telling me I'm too dumb to compile it myself but have to know how to use strace to debug an SQL statement? I guess so! Sheesh.

I should not expect better from courier, I've seen their annoying, arrogant error messages before.. but this one takes the cake..

configure: WARNING: === I think you are trying to run this configure script
configure: WARNING: === on Red Hat/Fedora. You're doing too much work!
configure: WARNING: === It's much faster to create installable binary RPMs
configure: WARNING: === like this: http://www.courier-mta.org/FAQ.html#rpm
configure: WARNING: === When you do this you may find that RPM will tell you
configure: WARNING: === to install some other software first, before trying to
configure: WARNING: === build this one, and even tell you the name of RPMs you
configure: WARNING: === need to install from the distribution CD. That's much
configure: WARNING: === easier than trying to figure out the same from some
configure: WARNING: === cryptic error message.
configure: WARNING:
configure: WARNING: === Even if you don't intend to use everything you need to
configure: WARNING: === have in order to build via RPM, you should still do as
configure: WARNING: === you're told. All the extra stuff (LDAP, SQL, etc...)
configure: WARNING: === goes into RPM sub-packages, which do not need to be
configure: WARNING: === installed.
configure: WARNING: === But, if you insist, you can simply add '--with-redhat'
configure: WARNING: === parameter to this configure script and not see this
configure: WARNING: === error message. You should also do this when upgrading
configure: WARNING: === and you didn't use RPM with the older version.
configure: error: ... in either case you better know what you're doing!

Yes, I know what I'm doing.. no, I don't want to have to use a stupid option to avoid a dumbass message and it's not RedHat/Fedora!!!

I hate arrogant programers but what I hate more is arrogant programers who can't program the checks properly in their annoying scripts. Did I mention I detest rpm?

For future reference.. `cat /etc/redhat-release` spare the dumbass errors, detect the OS correctly.

So they go through the trouble of checking for RedHat and throwing you out.. but don't bother with providing an option to specify where openssl lives.. just crap out during make.. (yes, I know, hack makefile). No wonder they need this RedHat check.. Why make configure scripts more usable when you simply tell the less-immersed users to go away?

I'm writing a mail-filtering script in perl and while testing just sending all e-mail to myself. Made a typo and exchange - which is our *main* mail server, sadly - returned this error..

did not reach the following recipient(s):

c=US;a= ;p=TIXX;o=SYRACUSE;dda:SMTP=krapszo@tickets.com; on Tue, 9 Dec 2003
13:42:31 -0800
The recipient name is not recognized
The MTS-ID of the original message is: c=us;a=
;p=tixx;l=SYRS-MAIL0312092142YSQZTSW0
MSEXCH:IMS:TIXX:SYRACUSE:SYRS-MAIL 0 (000C05A6) Unknown Recipient

My first thought at seeing this mess was "Good lord, what the hell is my script doing to the headers (I am modifying them)!

Took a second eye to notice that I misspelled my own bloody name and this is exchange's way of saying "Unknown Recipient". If you squint real hard you'll notice that message at the end of the pile of cryptic, useless (to me) information.

That is just hideous and disgusting.

This is an amusing yet rather scary look at just how software patents might influence your average e-commerce website.

The evilness of software patents illustrated.. see this is why those who are proponents of such actions will go straight to hell to enjoy an eternity of programming Fortran under windows 3.1.

[via Justin]

Ran across this picture when browsing Rasmus's pictures from Bangalore..

Impressive, isn't it? I don't think our president knows what open source is.. heck, I doubt he could spell it.

Really, it's always the most obvious, easy thing that's wrong but takes the longest to figure out.

I use postfix and have multiple domains setup in mysql.. the beauty of this setup (as if I need to explain) is that my users are not local users but rather live happily in my database and I don't have to worry about all kinds of security issues. Not to mention adding new users and domains consists of inserting sql statements.. how's that for sexy?

Considering that my users are not local, you can see why I would want my spamassassin settings to live on per-user basis in the db. It's easy to set that up.. there's a nice helpful document here that explains it all including a sample table. Lovely!

Of course I was having problems getting this to work.. running spamd in debug mode.. and it's not even connecting to the db! Looking at mysql logs.. sure enough.. no connection attempt.. google search.. yes, looks like a lot of people are having the same problem but nobody has a solution.

Finally.. (what I should have done first).. "man spamd"

-q, -sql-config
Turn on SQL lookups even when per-user config files have been disabled with -x. this is useful for spamd hosts which don’t have user’s home directories but do want to load user preferences from an SQL database.

Ah.. there it is.. -q -x and works like a charm.

Trivia: how many people know that Jeremy added this spamassassin feature? Small world, huh?

I realized this morning that I have five, (count them: 1, 2, 3, 4, 5) on-going projects that I'm actively working on. This isn't work-related, just my own little side-projects to simplify (heh) my life. At least that's the long-run intention. This isn't a new development by far.. I've always had several things going on at once.

Why isn't that I tend to do this?

Anyone who has better time management skills than your average five year old realizes that it's better to finish something before starting a new project. The biggest time-sucker is finding that particular spot where you left off the last time you worked on the task. Now assuming you spend about an hour a day on some project, each day a different one, and it takes you 15 minutes to arrive at the spot you left off last time.. that's a lot of wasted time. That's where I am.

Now to attempt to answer the question why is it that I divide myself into many projects instead of concentrating on one and actually finishing it.

Boredom.

I get bored easily. If I work on something for too long and don't have quick gratification of immediate results I tend to get bored with the task. That's a terrible trait in a programmer.. after all.. any decent-sized project takes weeks before you start seeing a result! Hours upon hours of work.

So I could approach my little side-projects the way I do work. Schedule, and well, just do it... but I'm afraid that will take the enjoyment out of it.. and what fun would that be.

Or I could continue the way I have been, wasting precious time (oh, how I wish I didn't need to sleep), tediously working through the more boring parts and delaying that good proud-of-myself feeling I get when I manage to do something really cool.

I suppose programming is much like running a long race.. you start out all excited and full of joy, sweat through the middle, force yourself to keep going towards the end and always manage to find that little push to finish looking strong. After that it's just all joy and pride and happy, good feelings. You did it, went for the long one and finished without quitting. You tell yourself you'll never put your body through this again.. but before you know all you remember is the good stuff, forget how bad the bad parts were and sign up for the next one.

Except for that one bruised toe.. that's still there over a month later.

So approaching programming like running.. I guess it's time to sweat and finish these off one at a time. But will I still enjoy it if I do?

Robert Scoble is sorry for our troubles.. where 'us' is everyone who gets caught in the horrible virus-infected-new-machine problem.. That was nice, particularly coming from a Microsoft employee. Certainly feels better to read 'yes we have a problem' as opposed to 'you didn't do the right thing, so it's your fault'.

Thanks!

But it would make me happier to hear that Microsoft is working on a better security model.. What I'd love to see in windows.. is well, essentially the unix security model. Root/Administrative account that isn't used for logins.. just via a tool (sudo, for instance) to explicitely update/install etc.. stuff.. Of course with that goes a very fundamental change to the OS... Do not require system changes to install application unless those applications actually affect the system. Much like unix.

I know many people think that the reason there aren't many linux viruses is because it's not quite as popular. That's actually not really accurate.. it's because even if a user executes an email attachment on a linux machine, unless he's running as root (and most people who use linux know better)