December 23, 2003

On the Move

We're almost there - the Monkeys are moving offices. This, of course, means that yors utrly is on the hotseat - and at least partially due to reasons of my own making.

See, my forte isn't planning. It isn't meticulous prechecking of zillions of conditions. It's not the joy that (I'm told) can come from an exacting schedule and/or checklist of tasks and sub-tasks and sub-sub-tasks and so on that can make a complex operation such as moving a tech firm a synchronized waltz of precision and efficiency. Nope nope.

I'm a seat-of-the-pants Op. This means I excel at pulling chestnuts from the fire of chaos. I'm good at triage; I'm pretty good at finding a workable answer quickly, if not the best answer. I'm pretty good at intuiting now what my answer to a question I haven't thought about yet should be so as to avoid hosing myself later.

This means, natch, that moves are usually several days of sheer pain and suffering, coupled with adrenalin highs, concomitant lows, bouts of depression, rage, glee, loopiness, drunken flights of fancy and strained back muscles.

So, to any of you monkeys that may wander in here before the move: beware. Your Op is in BOFH mode and will not hesitate to LART if you get in the way. Oh, and the answer to 'When will (x) work' is always "WHEN I DAMN WELL GET TO IT." But, likely, before the 29th.

Posted by jbz at 11:31 PM | Comments (0)

December 19, 2003

iPod, iThaw, iRock

This is a tip that no doubt all serious iPod users know, but which I just had cause to discover for myself tonight. Returning to a car parked in chilly weather, I found that my iPod (original 5GB) - which had been sitting in said car - told me that I had no battery left, despite my having charged it that afternoon and only used it for around 20 mins.

After swearing at the situation, I tried to start it a couple times - no dice, I got that annoying battery icon. Finally, I started the car, turned on the heater, held the back of the iPod in front of the vent until it was warm to the touch, and then rebooted the iPod (Pause/Menu held down until the Apple symbol shows). This time, it started up, showing me an empty battery indicator, so I began to play a playlist while holding it in front of the heater. After thirty or forty more seconds, the battery meter had jumped to three bars - where it remained for the forty-minute drive home.

Posted by jbz at 12:34 AM | Comments (0)

December 18, 2003

Portscans and packetsprays, Oh my!

Hm, this is an interesting one. We received a complaint today from some user about one of our servers. His IPCop/Snort IDS had reported that one of our machines was portscanning his network. Naturally, this is a Bad Thing(tm), so we jumped into the OpMobiles and hit the OpPhones for some Late Night Colo Action(r)! (To clarify: I went to the home office. Mike went to the colo, the lucky bugger.)

...however, on first (and second) examination, the machine in question looks to be fine. We've checksummed all manner of binaries against known goods, checked the logs, etc. etc. To be safe, we downed and isolated the machine and sucked up the downtime while bringing up a warm backup.

My firewall shows numerous SYN FLOOD attacks against our network right around the time that the complaint scans occurred, so my first (well, second, after "FUCKITY FUCK") thought was that we've been hit with some manner of reflective attack or spoof, such as idlescan. That would be a bear, since there's no real easy way to prove that's what happened.

Next step: See if the 'easy script kiddie' version of idlescan works using us as a zombie. It shouldn't; we run current versions of the TCP/IP stack and custom-compiled versions of our servers, and I can say with confidence that we do not use sequential fragment/packet ID numbers, which renders us fairly useless as a zombie for idlescan. Of course, idlescan isn't new, and there's always the chance that the blackhats have figured out a new, snazzy means of doing it that I can't verify with a bog-standard Nmap and my own devious brain.

I have another look at the logs from the complainant. I take the time to curse the fact that we have been given super-basic info (essentially, 'detected a portscan from your host:port 80 to our host: 21 ports scanned in x seconds'). Now, a third possibility has occurred to my sleep-fogged brain: This could, in fact, be purely legitimate traffic.

Here's the scoop. The machine he's complaining about serves as, among other things, a public webserver for Ximian Red Carpet. It spends (some of) its time serving http requests for lots and lots of linux distro and software rpms that come in from machines running the Red Carpet client. This client is fairly quick, uses some really fast http client libraries, and can multithread.

Posit the following situation. I know nothing about this guy's network, but I can probably assume that he put his IDS somewhere near a network bottleneck (like his gateway) so as to catch the maximum number of packets. Now, if there are even a few machines on that network running a Red Carpet update simultaneously, then it is quite plausible that our server will be spraying large numbers of http packets back at his net. Let's look at the complaint again. In all cases, there seem to be '21 ports on 1 host' scanned. That number is significant. I don't know the defaults for Snort off the top of my head, but scanlogd assumes that accesses are portscans if 7 privileged ports or 21 unprivileged ports (or some weighted combo of the two) are accessed in a row with three seconds or less between accesses.

So it seems safe to assume, given that similar number of 21 ports, that whatever his IPCop is doing, it's using similar trigger numbers. The problem is this: let's suppose he has, somewhere on his network, several machines behind a NAT gateway. These machines are all running Red Carpet (for example, suppose they've all been set up to auto-update themselves late at night - maybe even at the same time). From his IDS' point of view, there will be a flurry of packets originating from our machine's http port, addressed to various high-numbered ports on the NAT gateway - and there will easily be more than the 21-in-63-seconds-on-different-ports required to trip the 'portscan' alert.
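The false positive described above, worked through as an added example (not code from this post, scanlogd, Snort or IPCop): a detector applying the thresholds the post quotes for scanlogd, run over constructed packets. The 3-to-1 port weighting, the ACK-flag check and all addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds quoted in the post for scanlogd: 7 privileged or 21 unprivileged
# ports, at most 3 seconds apart. Assumption: a privileged port weighs 3.
THRESHOLD, MAX_GAP = 21, 3.0
SERVER, NAT_GW, SCANNER = "192.0.2.10", "198.51.100.1", "203.0.113.5"  # constructed

def detect(packets, ignore_replies=False):
    """packets: (time, src_ip, src_port, dst_ip, dst_port, tcp_flags) tuples.
    Returns the set of source IPs flagged as port scanners."""
    state = defaultdict(lambda: {"last": None, "ports": set(), "weight": 0})
    flagged = set()
    for t, src, sport, dst, dport, flags in sorted(packets):
        # Hardened mode: a probe opens a connection (no ACK bit); packets with
        # ACK set answer or continue a connection the other side started.
        if ignore_replies and "A" in flags:
            continue
        s = state[(src, dst)]
        if s["last"] is not None and t - s["last"] > MAX_GAP:
            s["ports"], s["weight"] = set(), 0   # run broken, start over
        s["last"] = t
        if dport not in s["ports"]:
            s["ports"].add(dport)
            s["weight"] += 3 if dport < 1024 else 1
        if s["weight"] >= THRESHOLD:
            flagged.add(src)
    return flagged

def http_replies(n=25, gap=0.5):
    """Constructed: web server answering n NATed clients, each seen by the
    IDS as server:80 -> gateway:<distinct ephemeral port>."""
    return [(i * gap, SERVER, 80, NAT_GW, 40000 + i, "SA") for i in range(n)]

def real_scan():
    """Constructed: bare SYNs to 8 privileged ports (weight 24)."""
    return [(i * 0.1, SCANNER, 50000, NAT_GW, 20 + i, "S") for i in range(8)]

if __name__ == "__main__":
    mixed = http_replies() + real_scan()
    print("flag-blind:", sorted(detect(mixed)))
    print("ACK-aware :", sorted(detect(mixed, ignore_replies=True)))
```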

Well, that's it for now. I'm going to request additional data from the complainant. This is just my thought process during a potential intrusion; I dunno if it's interesting or even relevant to anyone else, but it's useful for me to record for later perusal and reference.

Posted by jbz at 1:14 AM | Comments (0)

December 13, 2003

Asocial Insecurity and Jamming

This is a transplant from the newly-revived Everything2. I wrote it a while back during one of my more anarchic-leaning days. I still subscribe to the notion wholeheartedly.

It is written in honor of various rabble-rousing publications that, in the past, have proffered suggestions on how to best screw with The Man. It also is meant to emphasize a completely personal peeve that I have regarding the intrusion of Big Brother into far too many aspects of my American life.

Social Security Numbers. Your serial number. Your ID Code. Your asset tag. Whatever. The U.S. Government, through the prima facie motive of being able to provide for you in time of need, has (in the process) created a mechanism by which any organization, good, evil, or completely venal, can uniquely identify you. This makes the Men In Black File Clerk's job so much easier! Furthermore, there is almost no way (other than being foreign, and even then they getcha with a Taxpayer I.D. Number) to escape its evil clutches. Want to go to college? Fork over your serial number. Want a bank account? Ditto. Want to simply receive medical care, even if paying with cash? Bend over for the Big Hot Iron Stamp, please.

So what can we do?

As suggested by several publications, prophets and pundits, I endeavor to jam the system whenever possible. Join me! It's fun! Next time someone asks you for your SSN for what you perceive to be no good reason (like, say, those supermarket discount cards that track your capitalist participation track record) then smile sweetly...

...and give them Richard Nixon's. It's 567-68-0515.

Posted by jbz at 4:38 PM | Comments (0)

December 8, 2003

My CUPS Runneth over

This is a silly tech tip, one that I’m placing here pretty much because I forget it every time I need it. When using CUPS (Common Unix Printing System) it may happen that a user’s printer simply disappears out of the ‘Printers’ window (this is in Nautilus, on Linux). The reason is usually that the partition where CUPS keeps its spool has filled up (typically /var) and needs to be cleaned out. CUPS will ‘helpfully’ remove the printer icon to let you know that it is unusable. It’d be nice if it also told you what the problem was, but, you know, we take what we can get.

Posted by jbz at 2:50 PM | Comments (0)

Women, Biology, Social Structures and The Hell That Is Online Dating. Danger: Personal Crap.

As the subject warns, this is completely personal and useless stuff, so YOU HAVE BEEN WARNED.

Spent an inordinate amount of time the past few days living in complete awe of the mistaken images that women apparently have of the life of a single guy trying to date. Case in point: Internet dating.

I have now had three different women (whom I know) all tell me in the same paragraph that they “understand what it’s like because they’re going through it too” and that they “don’t understand where all these losers are coming from who send them messages.”

See, that’s the trouble right there. They quite obviously don’t understand. Allow me to offer a personal example by way of explanation.

Yes, I have a profile posted on a couple of dating sites. Yes, I actively surf them once in a while. Yes, I respond to profiles. I tend to respond to profiles with individual messages, usually responding to questions asked in the profile, or commenting on some point or other made in the lady in question’s listing. To date, I have sent out (on one popular service) seventy-four responses. I know this because they all sit in my ‘OutBox’ on that service. Each was to a person whose information claimed that they had been logged on no more than 36 hours prior to my messaging.

I have had one reply. That reply came from a woman who I had asked, explicitly, to respond to me even if she wasn’t interested, because I wanted to know if the messages were actually getting through (this was around message 40).

Now, this isn’t meant to be a rant on how pathetic I am (although you can have one of those for a nickel if you want). It’s to make a point. I don’t think I’m alone in this sort of experience; I’ve seen plaintive messages on all the services I use, from men, either wondering if this was normal or berating women who had posted flip messages about how all us guys just suck.

This ties into an argument I frequently end up having with women. It goes like this: I state a particular observation I have made over many years and which I (to date) have never seen any evidence to contradict. Then the woman/women to whom I’m speaking flip out and tell me that I’m completely off base and have a distorted view of their lives to boot.

The observation is this: In the United States, today, if a woman goes to a bar or other public social arena with the intent of getting laid, she can. The only thing that stands in her way is her own decision on how far she is willing to lower her standards if required. In essence, however, if a woman goes into a bar which contains single guys, guess what: she can, if she chooses, leave with one of them.

Now, I’m not saying this is particularly safe. I’m not saying she’ll find her lifemate. I’m just saying that if she really wants to badly enough, she can (and will) find someone to hook up with.

Guys, in the same situation, have the opposite default. They’re going to go home alone - unless they win the audition. It’s not a sure thing, and it’s sure as hell not going to happen unless they work at it. Sure, there are guys who can make it look easy - but even if it’s unconscious, they’re working at it. Because the way biology organized us, it’s the woman’s job to guard the gene pool - and it’s our job to just audition.

Same holds for internet dating. Every woman I’ve ever spoken to (this is perhaps a dozen) who participates in this delightful technological arena of ego pain has said the same thing - even the ones who are completely convinced that they’re hideous hags and that no man ever will want them. They have spoken of the hordes of losers whose messages they had to sort through in a (usually futile) attempt to find someone worthy to answer.

See the problem?


Posted by jbz at 12:57 AM | Comments (1)