Line noise from the ether

Prague, apartments and landlords

2011-08-22T03:50:00.000-07:00

Moving to Prague has been quite an experience but not in the way that I'd imagined. The problems all started the day that I was to sign the lease for the apartment that I'm renting...

The landlord, is Jan Stodola and he lives in Canada (with his family) and has assigned power of attorney to his brother Martin Stodola (or at least that is what I believe his name to be.) This is fairly normal practice - I have assigned the power of attorney to someone else in my family that lives in Australia so that they can see to it that any work that needs to be done on the apartment that I own can be done without requiring me to be involved in the paperwork.

On the day that I was to sign the documents, I arrived to find the agent there, along with Martin and another. They were still making "last minute changes" to the apartment. At this point I'll mention that so far as I could tell, Martin is not a certified locksmith and that this was "family work" to reduce cost. In this case it was changing the locks in the door. Unfortunately the new lock that they'd put in was very hard to turn once the key was in. After some playing around, they managed to make it workable enough that I felt it was ok to sign the contract. The agent was quite embarressed and by the time it was all signed and sealed, had spent 2 hours there. Presumably they worked on the door some more as by the time I returned the next day, the lock was working as it should. Unfortunately when I returned the next day, I found something rather unexpected - a dirty toilet. Someone had used the toilet and not flushed it. Needless to say, the brown water (and whatever else was in it) was flushed away quick smart. It almost made me vomit such was my disgust with what I'd found.

On first try, the toilet door seemed somewhat reluctant to close properly and then as I examined it more closely, the problem became clear: the door has (for whatever reason) become warped over the years such that the top corner of the door opposite the hinges will never meet the wood of the door frame at the same time as the bottom corner. Furthermore, the door does not hang straight. Whether this was a problem when the door was originally put on or something that has developed over time is unknown. As you can imagine, this is not an ideal situation and it is something that you would normally expect the landlord to become properly engaged in. As it is, I'm discovering the true nature of the landlord and it is not one that is most becoming. At first there was resistance because the "door is antique". Not my problem, take the door off and put it in an antique shop or similar. Now it would seem that the landlord wants to "fix" it by addressing a symptom - putting stuffing in the hole. The word for this approach that I'd use in Australia is "cheapskate." Ultimately, trying to fix the problem by addressing symptoms rather than the cause does not result in the real problem being fixed.

There are other issues as well, that seem to be the product of "best intentions" but because those carrying out the work are just "family", there's no attention to detail or understanding of all the issues that need to be delt with. For example, a coat rack was put in the entrance hallway, which sounds good, except that it hasn't been mounted properly on the wall. This means it is both a lose mount (push the wood and it moves around!) with cardboard stuffing behind it and that for people that are 5'8" or taller, there's the potential to hit your head on the rack and board above it because they're in the path as you exit the lounge, as well as directly in front of you when you open the front door. The motive (to provide a place to hang coats) is good, but the execution and planning have not been thought through properly, as they would if a professional had been hired to do the work.

Perhaps the most discomforting aspect of this thus far is the reluctance of the owner and/or his brother to provide a notarised document for his brother's signature. What does this mean? Handing a registered notary a copy of your identification (e.g. drivers licence) that is issued locally and then signing a statement that you are who the identification says you are and that the attached signature is in fact associated with that particular person. Often there is a small fee (in California it was $10) charged by the notary to affix their stamp to the document. In this instance, I'm not sure whether to believe that there is identity fraud taking place or that the owner is just being cheap and doesn't want to have to pay for certificate to be issued (if indeed there is a cost.)

It would almost seem that having raised the various issues, the owner seems to be keen for me to move out (and have someone less ... demanding ... move in?) as he's now asking if I would like to move out. Well, I suppose given the number of grievances I've had, that isn't an unreasonable conclusion to arrive at. And to think that we're not even at the end of the first month. Oh my. The things people will do in order to not spend money that is ultimately an investment in the property they own. How short sighted some people are.

No ads with Mafia Wars on facebook

2011-07-30T01:39:00.000-07:00

When I started playing Mafia Wars on facebook, the game was very much centered around input in the top area of the screen. Over time, Zynga have added their own bars and gadgets at the top of the screen, pushing the game content down. In more recent additions to Mafia Wars, you often find yourself spending large amounts of time scrolling down a long way, so much so that the top part of the page is never seen.

And this means that the ads that facebook throws at you are also not seen. Whilst this is a good thing for me (I'm not bothered by ads whilst I play), it also means that those paying for those ads are also not getting what they think they're getting. Why? Although I might be present on a given page for many minutes, as the ads are never seen even though they may be present for many minutes,. Thus a page impression from Mafia Wars results in me seeing the ad for a vastly shorter period of time than I would if it were facebook itself.

With other games such as FarmVille, the action is very much centered on the main playing screen, such that you don't have to scroll away from the ads.

If facebook and Zynga are in bed together to keep customers around, then it would seem that it's the third party in this menage a trois - the advertisers - that are getting screwed by both of their bed mates when it comes to Mafia Wars.

In search of hidden waterfalls

2011-06-27T15:59:00.001-07:00

With this year being a very wet year in California, it seemed like a good idea to go in search of waterfalls. Not just the well known ones such as Yosemite, but others. This is something of a mixed blessing as quite often waterfalls look better in photographs when there is not as much water flowing.

This quest led me to a website called Waterfalls of the West. Note: only very easy/popular water falls have their full information available. Others require you to register. Registering requires submitting your email, after which you get a short period (24 hours?) of "free access" to information about the waterfall. This includes its height (estimated), GPS co-ordinations, etc.

A few weekends ago, I tried it out. For the waterfalls that are easily reached by a recognised and dedicated trail, the website provides good information. For others, the directions are somewhat lacking. The problem with the directions is that the person providing them is a GPS navigator and does not understand what is necessary to describe for others hiking using the directions rather than following GPS co-ordinates. For example, in one description it recommends that you "park at the turnout and walk down the road." However road is a misleading word - unused, overgrown track is more appropriate. Thus my first attempt to find that waterfall failed as I was looking for something resembling a road. After this, I made another go and discovered that there is something there that may have once been a track - not a road.0 Even USGS maps prior to the expedition being described it is clear that what's being described was never a road. When confronted with details like this, the website author complained that I was being "too picky". I'm flabberghasted. Details are extremely important when you're describing where and how to get somewhere but maybe this is a result of dealing with the Internet generation that use a GPS instead of a map.

Perhaps the most galling part of my interactions with the web site owner was that he still expressed hope that I'd pay him money. For what? Writing inaccurate directions that lead to people going astray with a caveat "you may want to use a GPS."?

Nevertheless, I found the waterfalls that I wanted - such as Mossbrae - and others that I didn't want - Little Roaring Creek. The latter is a story in itself.

Online Persona

2011-01-30T14:42:00.000-08:00

Every website asks us for the same information: date of birth, zipcode, phone#, etc, so that it can later verify that we are who we say we are by answering a question or two based on this information. The catch is that those who are close to us probably also know all of that information, including what our friends look like. So long as everything is calm, this poses no risk. But what happens if you have a rather acrimonious break up with your partner? Suddenly all those secret questions that offer you privacy do not seem so strong..

Enter the Online Persona.

If we carefully construct our online persona to be fictitious by choosing a different date of birth, where we were born, etc, then we're adding layers of security (although only by obscurity.) Each extra piece of incorrect information acts as another password that only we know. Whilst this means that features like facebook's birthday announcements become meaningless, does it really matter? Those who need to know when your birthday is will know, one way or another. The real catch with this is you need to be able to remember all of the false answers or you may find yourself locked out of your own accounts!

IPFilter: Designing for security

2010-09-08T10:07:00.000-07:00

In the last 15 years, IPFilter has been popular enough that it has inspired at least one other firewall to imitate its configuration syntax (pf) and seemingly the basis of another in progress (npf). The examples that I've seen used for each indicate to me that neither of them is intended to be used in a manner that focuses on security as the prime goal of the design. That is distinct from saying that they can't be used to implement or achieve security.

One of the central themes in security is the ability to audit. For IPFilter, my interpretation of this requirement is that it is absolutely necessary to be able to audit the running configuration of the machine against what is found in its configuration file otherwise how else do have any assurance of what security policy is actively being applied to packets? In this instance, rule expansion where one rule with 5 ports becomes 5 rules or when you're using a text expression that is compiled into opcode makes it significantly harder to verify what's loaded into the kernel with what's in your configuration file.

To successfully audit an IPFilter configuration, three steps are required:
(1) collect the sorted rules from the kernel
(2) generate a list of sorted rules from the configuration file
(3) compare the results of (1) and (2)

Why do I mention "sorted rules"? The order in which rules are retrieved from the kernel and their grouping (all input rules and/or or output rules) is not likely to match the order in which they appear in the configuration file.

To give a brief example..

An extract of my configuration file looks like this:


pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on nfe0 proto tcp all flags F/F
pass out quick on nfe0 proto tcp all flags R/R
#
block in log all
block in log quick from any to pool/666
block out quick log from any to pool/666
block in quick log from pool/666 to any
block out quick log from pool/666 to any

If I parse that configuration file and sort it using ipf, I get:

$ ipf -nvf /tmp/foo | sed -e 's/(!)//' | sort


block in log all
block in log quick from any to pool/666
block in log quick from pool/666 to any
block out log quick from any to pool/666
block out log quick from pool/666 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on nfe0 proto tcp from any to any flags F/F
pass out quick on nfe0 proto tcp from any to any flags R/R

If I dump the kernel configuration and process it like above:


# ipfstat -io | sort
block in log all
block in log quick from any to pool/666
block in log quick from pool/666 to any
block out log quick from any to pool/666
block out log quick from pool/666 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on nfe0 proto tcp from any to any flags F/F
pass out quick on nfe0 proto tcp from any to any flags R/R

Thus it is immediately possible to compare both. If I were to audit what is in the file itself rather than what the parser interprets it,
then the text I would be comparing with what is output from the kernel would be:


block in log all
block in log quick from any to pool/666
block in quick log from pool/666 to any
block out quick log from any to pool/666
block out quick log from pool/666 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on nfe0 proto tcp all flags F/F
pass out quick on nfe0 proto tcp all flags R/R

Whilst that isn't the same as what ipfstat reports, it is very close and allows for a simple audit with diff to determine what the differences are and if they're proper. In this example, the only difference is "all" vs "from any to any". "all" becomes "from any to any" whenever there is a packet attribute that is required for matching that is not an address or port number.

This is a very simple requirement that actually delivers a very strong foundation.

For those familiar with IPFilter, you may be wondering why didn't I apply the same rationale to ipnat. Indeed when I review it, it is most definitely lacking a mechanism to display only the loaded NAT rules or only the active sessions. Currently doing "ipnat -l" lists both at once. Whilst the NAT functionality isn't directly responsible for enforcing security and thus exposed to the requirement of being able to be audited, it does play a part and should be more friendly in this area.

An additional benefit of this design is that removing a rules from the kernel's configuration is rather easy. For example, to remove all of the current rules you can perform a flush (ipf -Fa) or remove rules individually (ipfstat -io | ipf -rf -). The former is more common because it is both simpler and there are fewer complications when using rule groups. As it is, the design allows for tools to interrogate the kernel and the result of that interrogation is valid input that can then be reused.

2009-02-07T13:20:00.000-08:00

With a new record temperature in Melbourne (Australia) set this month, there will be, without doubt, cries that global warming is to blame. But is it?

On the other side of the world, England has been hit by a severe cold front, disrupting life for millions. But nobody there is blaming global warming. But they've had worse winters, for snow, than this year. How do we know that there hasn't been similarly hot (or hotter) weather in the "Melbourne" part of the world before?

A big problem that Melbourne faces is that it is one great big Urban Heat Island - especially in areas of new development. Footpaths with trees that can grow up and provide a canopy to the road in later years is essential. A good way to grasp the problem here is to take a walk in a wooded area on a hot day and compare that with walking by a road. Compare the temperature of the ground, not just during the day, but after night fall, when black ashphalt can still be releasing significant amounts of heat. The contention here being, to what extent would the construction of cities made from steel, concrete and ashphalt make on the environment even if there were no people or fossil fuel burning?

But is it fair to blame a temperature of 46.4C on global warming? Hardly. The earth is 100s of millions of years old. We have accurate weather data for maybe 100 years. What we can say is that putting more carbon dioxide in the air is bad (because it must mean that there is less oxygen) and we can say that on average, there has been a small rise in average temperature over that time.

But consider the Earth's history. It has descended into ice ages and come out of them without man to either help or instigate them. So there must be clearly something else going on. Our problem is that we do not have any accurate data to know what happened before these events that brought them on.

While global warming is something we need to face up to, what are we (the human race), going to do when the next ice age comes around? I say when and not if because they do occur on a regular basis. How will we deal with North America being under half a mile of snow and ice? Where will 300+ million people go? Will they just die? And what of Europe and Asia? And what if global warming is the only way to avoid another ice age? I suspect that may be a foolish statement and that either the progression to ice age is cyclical (and we will end up in another one, regardless of what we do or do't do, just as the tide always goes in and out) or we'll manage to change the cycle to be something else. Whilst some dooomsday folk would like to pretend that we'll cook the planet, I don't believe that will happen. What will happen is that we'll change the points between which the planet's weather oscillates. For example, last year, many places on Earth recorded much lower temperatures than average: Temperature Monitors Report Widescale Global Cooling.

While we can say that there has been a gradual rise in the average temperature over the last n years, how do we know that has not happened before in the history of the planet? And how do we know it will continue? In short, we don't. And perhaps our greatest folly is pretending that the world will always be as it is now. That it won't change. That the weather won't change. That another big chunk of rock from space won't land on our back door step. In our ascendency here on Earth, we've become masters of many aspects of this planet but we aren't (yet!) masters of its weather or tectonics (and will likely never be.)

If the Earth has swung into being very cold as recent as 15,000 years ago, how do we know it hasn't swung to being much warmer, before, than the average we've calculated over the last 100 years?

But consider this: in our continued burning of fossil fuels, each year we release into the Earth's environment extra energy. That energy doesn't all just evaporate out into space, it hangs around, warming the planet. Thus to solve global warming, we need to find a way to take that energy out of the atmosphere and return it to the ground. The only option we have here might be to just start planting more trees. In the mean time, using energy sources such as the wind and sunshine will help move our energy use away from tapping the bank of stored potential energy. The green reader might notice that I left out geothermal from that. I've also left out microwaving energy to Earth from orbit for the same reason: while both are "green", both introduce more energy into the biosphere than what brought us to our position of content - the continual bombardment of our planet with energy from the Sun.

All of this isn't to say that we shouldn't stop polluting the atmosphere: we should! In our thirst for money and power, we're stripping forests away at an alarming rate, largely in impoverished areas like the Amazon jungles of Brazil where it is hard to make a living otherwise. In doing so, we're reducing the capacity of the planet to make oxygen (which we need to live) and increasing the amount of carbon dioxide (which is not so healthy for us.) A similar problem exists for cars: they consume oxygen and produce carbon dioxide, not to forget using up our finite supply of fossil fuel. We're cutting off our noses to spite our faces.

The problem we face is two fold: (1) the current level of pollution is higher than we believe it has ever been for the planet and (2) there is no sign yet of the human race's activity abating. So while some might be tempted to say that even at current levels we're all surviving on this planet, so things can't be that bad and therefore we don't need to do anything to change, where we're we at is not the end game and the real problem is, we don't know what the end game will be or what it will look like.

p.s. If you're wondering what the point of this all is, it is to consider that we really have a paucity of data available on the environment (when you consider its age) with which to make predictions for the future. In places on Earth that have dynamic weather patterns (such as Melbourne), the Bureau of Meterology considers a successful forecast to be if their forecast for the day from 5am is close to accurate. That's a forecast for the next 18 hours. 5 day forecasts are notoriously unreliable. But yet people are trying to claim that models for the climate (due to global warming) can predict what the world will be like n years from now. Who's to say that the macro weather patterns aren't just as dynamic as the micro weather patterns?

Finally, the banks are getting it...

2008-11-11T09:21:00.000-08:00

Amongst the headlines of various financial publications this morning I found an article
talking about Citibank offering to refinance home loans. That they need to
is perhaps part of their own doing.

In the USA, the interest paid on a loan is indexed against your credit score. An example of this can be seen in this table http://www.myfico.com/myfico/creditcentral/LoanRates.asp where a low credit score results in twice the interest to be paid.
This represents the risk to the bank - a low credit score means you're not very good
at paying all of your bills (credit cards, utilities, etc.) So a person with a high
risk has to pay more because the chance of them defaulting is considered to be greater.

While this model can make it very profitable to be a bank, it can all come unstuck
if there are too many people defaulting because they cannot afford the interest
repayments. And that's where we are now. Too many empty homes for people that cannot
afford the loans sitting on bank balance sheets, losing value and the bank money.

One wonders if banks should have been doing this 12 months ago, but perhaps they
thought there were enough people with good credit that could soak up the excess
property that has come onto the market. Although it can be hard to believe that the
banks didn't know this was coming, maybe they had a different view of reality.
I would really like to have seen what internal spreadsheets were predicting for
loans in the sub-prime category.

While I haven't read any details about what Citigroup and Wells Fargo are doing
with respect to refinancing, one hopes that they realise that a home with people
giving them some money every month is better than an empty, foreclosed, home that
they can't sell.

What I'd like to see is a complete abandonment of the credit-score linked to
interest rate model. It disadvantages those who would benefit from low interest
the most. In essence, the credit score penalises the poor for being poor and making
bad money decisions and benefits the wealthy. What we should be doing is preventing
the poor from being able to make mistakes with money by restricting the amount of
credit they can have or reducing the amount they can obtain via a loan. Index the
maxmimum amount of debt they're allowed to have via the credit score rather than
how much that debt costs them.

If Solaris dies, will Linux stagnate?

2008-09-25T23:55:00.000-07:00

In a story posted on the New York Times titled "Is Sun Solaris on its deathbed?",
a rather one sided view of Linux vs Solaris is presented. The casual reader might be
inclined to agree that Solaris is in trouble, but if it is, what does that mean for
Linux?

By and large, most open source projects exist to provide a free alternative to some
commercial product that you must pay for. Linux started out as a free Unix-like operating system when you had to buy Solaris, never mind whether or not it ran on a PC.
If you look at the length and bredth of open source software, it is incredibly hard to
find something that was done first there or where open source innovation led commercial
space.

Lets analyse this for a bit. In the commercial sector, you need to come up with new ideas and new features to woo the customer into paying for something new or to convince the customer that your product is better than the other one.
In the open source space, many of the contributors work on something that they first
see in a commercial product - i.e. the Linux equivalent of Solaris' DTrace.
If Solaris hadn't of brought the world DTrace, would Linux?

If I stop and think about the flow of ideas between Linux and Solaris, it is hard to
see anything new that Linux is doing that OpenSolaris wants to follow.
The best that seems to happen is someone in Linux comes up with a better way of doing
X. If I expanded the set of operating systems to include AIX and HP-UX, there may
indeed be very very little innovation in Linux. And that should scare Linux.

And that leads me to the title of this blog entry: if Solaris and the other Unix-like operating systems die, who will Linux be left to copy? If Linux is thereafter left to innovate on its own (something that it hasn't seemed able to do
in 15 years of existence, so far), will it happen? Or will it simply flounder and stagnate because the real innovation that it has relied on to copy has disappeared?

SNMP trap sending added to IPFilter

2008-09-11T02:15:00.000-07:00

Late last night, or early this morning, or was it yesterday morning, I finished adding sending of SNMP traps, in response to logging events, to ipmon. ipmon is the daemon that performs logging for IP Filter.

This feature is only present in IPFilter 5.0 and won't be back ported to the 4.1 series. The configuration allows for matching on the same data to send both v1 and v2 traps - if that's what is desired. The configuration options for enabling sending of traps looks like this:


match { logtag = 10000 }
do { send-trap v1 community public 192.168.1.239 };
#
match { logtag = 10000 }
do { send-trap v2 community read 192.168.1.239 };
#

Of course it goes without saying that to enable this to work you will need to allow SNMP traps to be sent out of the firewall. There are a couple of issues that need to be discussed and resolved:

what address (given a firewall can have many) should be included in the trap message and how should it be configured - or just left as 0?

what should "uptime" be reported as? The time since IPFilter was last enabled, the current time or something else?

There's a request_id in SNMPv2 and some error numbers in both v1 and v2. Does it make sense for these to all be 0 or something else - and if so what?

So the hard work (creating the trap messages!) is done, now there's just some gaps to fill in.

A disaster waiting to happen...

2008-09-03T01:37:00.000-07:00

To follow up on my earlier post, not only have logins been centralised between blogs.sun.com and other parts of Sun's Internet facing web pages but the login names are derived from publicly available data and the passwords ... I'm not sure if I should mention what our passwords are, suffice to say that if someone managed to hack any of the sun.com web pages used for logins and captured passwords then a lot of Sun employees might need to change their password. (And that's the rosy side of a successful attack. The dark side is everyone inside sun.com will need to.)

A couple of decades ago, we would have had those concerns for mail software (and perhaps we still should) but whatever problems there are with email now is dwarfed by those with web pages. Maybe in a couple of decades using sensitive passwords on outer web pages will be considered "ok" or "safe" by many but for now, such designs leave me aghast.

New single signon at sun.com

2008-08-23T12:23:00.000-07:00

By day I have a normal job, doing programming at Sun Microsystems, for Solaris, where we are encourraged to blog, from time to time, about what's on our mind or what we're doing at work. It's a relatively big company and has lots of infrastructure run by different people. Some things start out small, on their own, only to get rolled up into the corporate mess later. One such example of this is the blog website they have for employees, past as well as present.

From time to time I used to scribble there about what was on my mind, more often about current affairs than about work. But of late there seems to have been an infrastructure change and now blogs.sun.com wants you to login via identity.sun.com. Well, that doesn't work for me. I've had a different blog account name to username for downloading from sun.com and both of those are different to my internal Sun logins - and for very good reason: I update and edit my blog from wherever I might be, using a different username and password to everything else, thereby not exposing internal login details to the whims of the Internet. For downloading, I've been using a username/password that predates my blog account and is just a random email addres/password/username - they don't need to know who I am when I'm downloading the latest CD/DVD images from the Internet.

Now they want me to use just one username/password for everything.

Sounds great, sounds simple, sounds amazing.

But it now requires cookies to be exchangedbetween parts of sun.com's website that I'd previously not allowed. Sorry Sun, my privacy policy does not agree with your new expanded use of cookies and logins.

So it would seem that any further blogging by me on blogs.sun.com will have to be from work - I'm not even sure if that will work yet. I don't know if they'll get what they wanted from that.