Sep 16 2019
 

Very well, I’ve been had. I lost all my bitcoin savings.

Don’t worry, it was not much. Approximately 0.0113 bitcoins. Just over a hundred US dollars at current exchange rates. And it’s not like I didn’t know from the onset that something fishy was going on. Of course I was not planning to hand over my hundred bucks to a scam artist, but I figured the learning experience was worth the risk. I had no idea how things would play out, except for one thing: I knew I was not going to get richer, but my risk was limited to my meager bitcoin holdings.

Here is how it began. I became acquainted with an Alexander H. Perkins on Quora. At first, we exchanged some private messages, in part about some of the answers I wrote. But soon, he started talking about the business he is in, cryptocurrency. He seemed legit: I looked him up. A cryptocurrency expert, member of a listed cryptocurrency company’s advisory board. He asked if I wanted to invest some bitcoins into cloud mining, because supposedly, I can make “8% a day”.

OK, red flags are up. Nobody, and I mean nobody, is paying you 8% daily interest. That this was a scam, of that I had no doubt, but I just couldn’t resist: I had to understand how the scheme worked.

It so happened that I actually had some bitcoins, those 0.0113 BTC, in a bitcoin wallet. So what the heck… let’s play along.

As soon as I agreed to become his victim (not that he called me that, mind you), this Mr. Perkins kindly set up a “mining enabled” bitcoin account for me at blockchain.com. He provided me with all necessary details and soon enough, I was able to manage the account. I then transferred my bitcoin holdings from my other wallet to this one.

And within 24 hours, I received about 0.0008 bitcoins. And again, 24, 48, 72 hours later. I was told by Mr. Perkins that this money is not completely free money: that there will be a “mining fee”, which sounded odd because how can they charge any fee to my bitcoin account? But you know what, let’s see what happens. Indeed, after about a week of regular, daily payments, four days ago I actually got charged about 0.0008 bitcoins. But the payments continued: after two more payments, my bitcoin holdings were getting close to double my initial investment.

Meanwhile, Mr. Perkins called me several times on the phone. It was always a bad connection, suggesting to me that he was using a VoIP phone, but for what it’s worth, his calls came from a California number consistent with his place of residence. He was advising me that I should invest a lot more; that investors who put in a full bitcoin or more (that would be $10,000 US) are doing much better. I told him that I’d think about it. He asked when I might make my decision. I said he’d be the first to know. He did not sound happy.

Indeed, the phone calls stopped and for the past two days, I received no e-mail notification of payments in my bitcoin wallet either. So earlier today, I went to check the wallet, and whoops: all my bitcoins are gone. The wallet has been zeroed out two days ago.

I sent this Mr. Perkins a Quora message but I am not expecting a reply. On the other hand, I think I can reconstruct what actually happened, so my bitcoins were, after all, well spent: I did learn some intriguing details.

For starters, I am pretty certain that the Quora account doesn’t actually belong to the real Alexander H. Perkins. I tried to find information online about Mr. Perkins but I was unable to locate a valid e-mail address or social media account. The person is undoubtedly real, mentioned in a 2017 press release by Glance Technologies as a newly minted member of their advisory board. But Mr. Perkins seems like a rather private person with little visible online presence.

The Quora account was only created about a month ago. It has very low activity.

The aggressive sales tactics seemed odd from a noted expert, and represented another indication of fraud. But how exactly was the fraud committed?

Here is how. It all started when “Mr. Perkins” kindly set up that “mining-enabled” Bitcoin wallet for me on blockchain.com. I knew something was not kosher (what exactly is a “mining enabled” account, pray tell?) but in my ignorance of the technical details of cryptocurrency wallets, I could not quite put my finger on it. When I received the account info, everything checked out and I was able to secure the account, restricting transactions with two-factor authentication and even by IP address.

However, unbeknownst to me, Mr. Perkins must have copied down the blockchain.com wallet backup phrase: twelve words. The company warns me: Anyone with access to my backup phrase can access my funds. What I didn’t know is that the backup phrase can be used anywhere. Those twelve words encode the seed from which every private key in the wallet is derived, so whoever holds them need not log in through blockchain.com at all; with any wallet software that understands the same standard, they can recreate the wallet offline, on their own machine, and empty it. The two-factor authentication and the IP restriction protect only the web interface, not the keys.

Which means that my entire blockchain.com wallet was compromised from the onset. Never mind the steps that I took, setting up two-factor authentication and all… It was never really my wallet to begin with.
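As an added illustration (my own code, not the author’s, and using a published BIP39 test phrase rather than any real wallet), here is the arithmetic that makes the twelve words sufficient. It assumes the blockchain.com phrase is a standard BIP39 mnemonic, which is how twelve-word backup phrases are generally implemented; the wordlist checksum check is omitted:

```python
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512 over the NFKD-normalised words,
    salted with "mnemonic" + passphrase, 2048 rounds, 64-byte output.
    The words are the only secret; the scheme has no notion of an account,
    a server, a password or a second factor."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes):
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed". The left 32 bytes
    are the master private key, the right 32 bytes the chain code; every key and
    address the wallet will ever use is derived deterministically from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recover_wallet(mnemonic: str, passphrase: str = "") -> dict:
    """What anyone holding the twelve words can do, offline, on their own machine."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    priv, chain = seed_to_master_key(seed)
    return {"seed": seed.hex(),
            "master_private_key": priv.hex(),
            "chain_code": chain.hex()}


# Constructed demo input: the first published BIP39 test vector, not a real phrase.
DEMO_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

if __name__ == "__main__":
    owner = recover_wallet(DEMO_MNEMONIC, "TREZOR")
    thief = recover_wallet(DEMO_MNEMONIC, "TREZOR")   # a second machine: same words, same keys
    print("seed            :", owner["seed"])
    print("master priv key :", owner["master_private_key"])
    print("identical keys  :", owner == thief)
```

Nothing in this computation consults blockchain.com, a password or a second factor, which is why those settings were irrelevant to the outcome. The practical remedy is to generate the phrase yourself, on your own device, and, if anyone else has ever seen it, to sweep the funds to a fresh wallet whose phrase only you have held.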

The big warning sign was when the crook first processed a “mining fee”. I did not understand the details, but I knew that something was wrong. No third party can take money from your bitcoin wallet, “mining enabled” or otherwise. Yet at the same time, I continued to receive small payments, so I was still waiting for the other shoe to drop.

I guess eventually “Mr. Perkins” decided that I am unlikely to invest more into his scheme, but more likely, I was not his only or biggest victim. You don’t set up an elaborate scam like this, with a fake social media account, fake phone number and all to just steal a hundred bucks from someone. (That would be a less effective, and certainly more risky, way of making money than working at minimum wage.)

There is the usual, “if it’s too good to be true” lesson here: Nobody is going to pay you 8% interest a day. OK, I knew that. I also knew that cloud mining is a very risky proposition, the returns are not spectacular and fraud is rampant. I didn’t have to spend a hundred bucks to learn this.

But there is also a valuable technical lesson. I had zero experience with cryptocurrency wallets in the past, and thus I did not realize that anyone setting up the wallet basically has a permanent, irrevocable key to that wallet. And when a sum, however small, goes missing from your bitcoin wallet, it is a guaranteed indicator that the wallet is compromised.

There is also another thing that I did not realize until today. Namely that the Perkins account on Quora is almost certainly a fake, an impersonation. In fact, it was not until I actually asked myself, “how can this chap commit such fraud under his own name?” that I came up instantly with the obvious answer: he didn’t. Rather, a scamster used the name and credentials of a respectable but social media shy expert to set up shop and rip off his victims. That I did not think of this possibility earlier is a consequence of my prejudice. I had very low expectations to begin with, when it comes to people in the speculative cryptocurrency business. So neither the cheap VoIP line nor the pushy behavior raised additional red flags: I was wondering what scam the real Alexander Perkins was dragging me into; I did not expect to be dealing with an impostor.

 Posted by at 7:49 pm
Aug 21 2019
 

I am reading an article in The Register about a major Internet outage that occurred last December, when a handful of rogue packets managed to clog up a backbone network for more than a day and a half, blocking even VoIP 911 calls.

There are two rather frightening aspects of this fiasco. Both rather horrifying, as a matter of fact.

First, that in this day and age, in late 2018, a backbone service provider can still be brought to its knees by something as simple as a malformed packet. What on Earth are you doing, people? Have you heard of penetration testing? Fault tree analysis? Auditing your equipment and system software? Or have these essential steps been dropped just so that you can report some cost savings to your shareholders?

But it really is the second point that I find particularly upsetting. To quote, “the nodes along the fiber network were so flooded, they could not be reached by their administrators”.

Say what? Are you telling me that you had no alternate means to access your nodes? Like, you know, something as crude and simple as a dial-up port with a command-line based management interface? I mean, this is something even my little home office network used to have, and when I dropped it last year, reacting to rising landline costs and the fact that I no longer used that data/Fax phone line at all, I did so because I have dual network connections. To learn that a major backbone provider doesn’t have the kind of redundancy that I take for granted for my own little network is disconcerting, to say the least.

I suppose I should stop rambling now, though. Truth to tell, I am ignorant as to how CenturyLink’s actual network is configured, and I certainly never managed a fiber optic backbone network. I am simply reacting to the main points of The Register‘s article even though I cannot independently confirm its veracity. In my defense, The Register‘s articles tend to be well written and accurate. Even so, criticizing from a position of ignorance is never a smart thing to do.

Nonetheless, if The Register is correct, this really is not how a transcontinental data network should be configured and managed. This also seems to be the FCC’s conclusion.

 Posted by at 5:04 pm
Jun 13 2019
 

The news this morning is that former PM Jean Chrétien suggested that Canada should stop the extradition proceedings against Huawei CFO Meng Wanzhou, as a means to win back the freedom of the two Canadian hostages in China, Michael Kovrig and Michael Spavor. (Yes, I called them hostages.)

The case against Huawei runs a lot deeper, however, than the financial fraud Ms. Meng is alleged by US authorities to have committed.

There is also the question of espionage, including the possibility that Huawei’s 5G equipment cannot be trusted because of firmware or hardware level backdoors.

I repeatedly encountered the suggestion that this issue can be trivially remedied by using end-to-end encryption. Unfortunately, end-to-end encryption, even if properly implemented (ignoring for the moment our own Western governments’ recurrent pleas to have built-in backdoors in any such encryption algorithms), solves only part of the problem.

It still allows Huawei to steal metadata, such as where calls are routed or the amount and nature of data traffic between specific endpoints. Worse yet, no encryption prevents Huawei from potentially sabotaging the network when called upon to do so by the Chinese government.

For this reason, I reluctantly came to the conclusion that the US ban against Huawei is justified and appropriate. It must, of course, be accompanied by a suitable increase in spending on researching 5G communications technologies, because otherwise, we risk shooting ourselves in the foot by banning the use of equipment that is technologically superior to the available alternatives. This is a new situation for the West: The last time the West faced a great power adversary that matched Western scientific and technological capabilities was in the 1930s, with Nazi Germany.

As for Ms. Meng, I think the suggestion to suspend the extradition process is wholly inappropriate. It would signal to the world that Canada is willing to suspend the rule of law for the sake of hostages. However strongly I feel about Messrs. Kovrig and Spavor, however strongly I desire to see them released, this is not a price Canada should be willing to pay.

 Posted by at 5:56 pm
Mar 30 2019
 

Content management software that I use, Joomla! and WordPress in particular, have been complaining for a while now that the PHP version that runs on my servers is outdated and potentially insecure. Not exactly true, as PHP 5.4 remains part of the official Red Hat/CentOS release, but it would certainly be prudent for me to attempt an upgrade.

I tried to do just that last night, on a test server. And it was a miserable failure, a waste of many hours that I will never get back, to make no mention of the heightened risk of cardiovascular disease due to my elevated blood pressure caused by all that frustration.

The relatively easy part? PHP 7 complaining that its just-in-time compilation feature ran out of memory. Easy-peasy, I can disable JIT. Check.

But then: several of my Joomla! sites refused to run, with a cryptic and ultimately meaningless error message and nothing in the logs. And at least one Joomla! site just got itself into an infinite redirect loop. But why?

I tried many things. I kept looking for answers on Google. Nothing worked. Eventually I took two of my Joomla! sites that are very similar in nature, and began comparing their settings, side-by-side. One worked, the other didn’t. Why?

I then stumbled upon a custom Joomla! module, one that I wrote to support some ads that appear on my sites. This module was installed on the site that failed, but not used on the other. I disabled the module and, presto, the site was working with PHP 7. I re-enabled the module and the site was dead again. So… why?

Well, the module contains some PHP code. Which, after some preamble that allows it to connect to the internal data structures of Joomla!, begins the real work by accessing the MySQL database that contains the actual ads:

$conn = mysql_connect("localhost");
mysql_select_db("www");
$res = mysql_query("SELECT PAGEID,ADTEXT FROM ...

Oops.

You see, mysql_ calls have been deprecated and REMOVED from PHP starting with version 7.

And I have hundreds, if not thousands of lines of legacy code* (including, e.g., my calculator museum at rskey.org) that rely on this old library.

So I guess that PHP 7 upgrade will have to wait a while longer. Looks like I have no choice but to rewrite the affected pieces of code everywhere, as there is no other long-term solution. (Even if I find a third-party PHP plugin that re-enables mysql_ calls, how long will that continue to work? How reliable will it be?)

What a muckup. Grumble. And I do have other work to do.

 Posted by at 10:40 am
Mar 28 2019
 

Even as Facebook is battling white supremacism and fighting accusations of racial profiling, there is more nonsense going on.

In the past few days, I received several Facebook requests from accounts purportedly owned by young women, whose profiles contain sexually explicit, rather pornographic images and videos.

Here is one of the mildest ones (the majority of the images in this and other accounts from which I received friend requests were far, far more explicit in nature, including images depicting intercourse):

I do not wish to be a prude here; I am, after all, a middle aged male in relatively good health, and certainly not immune to, ahem, shall we say, visually stimulating images (though I admit I was never a fan of hard-core pornography. Not my cup of tea.)

But these Facebook accounts are obviously not accounts owned by bona fide young women trying to seduce older, happily married males like myself. They are probably overweight middle-aged male scam artists doing their shady business from their parents’ basements. Or worse yet, organized crime operating out of shady boiler rooms somewhere in Eastern Europe or Asia.

Thanks but no thanks. I have presently no desire to break my marital vow, but even if I did, there are better, safer ways.

As for these friend requests, I just block them and report the accounts to Facebook.

 Posted by at 2:08 pm
Jun 16 2018
 

When I was a teenager, the classic novel, The Count of Monte Cristo by Alexandre Dumas, was one of my favorites.

And one of my favorite chapters in that book was a chapter with an uncanny (not to mention unusually long) title: “How a Gardener May Get Rid of the Dormice that Eat His Peaches”. In it, Dumas describes a classic hack: exploiting the human in the system. By bribing an operator of France’s early optical telegraph network, the book’s protagonist is able to plant a false message, which ultimately contributes to the downfall of one of his mortal enemies. In short: a targeted cyberattack on a telecommunications network.

What I did not know, however, is that this chapter may have been inspired by real life events. About ten years before Dumas published his novel, the brothers François and Louis* Blanc managed to hack the telegraph network in a manner even more sophisticated than the hack described in Dumas’s book. Yes, the real-life hack relied on bribing operators, too, but it also involved a case of steganography: inserting a coded message that would piggyback on the original telegraph transmission. Not only did the scheme succeed, like any good hack it remained in place and undetected for two years. And when it was finally detected, the Blanc brothers were charged but never convicted; there were, after all, no laws on the books back in the 1830s against misuse of data networks.


*Well, that’s what Wikipedia tells me. It appears that the twins are misidentified as François and Joseph in several English-language publications. François was later known as The Magician of Monte Carlo, a casino that he owned and where he first introduced the single-0 style roulette wheel.
 
 Posted by at 7:52 pm
Nov 10 2017
 

I’ve seen several news reports commenting on the fact that Donald Trump was using Twitter while visiting China. That despite the fact that Twitter is one of those Western services that are blocked by China’s “Great Firewall”. Some even speculated that Trump was using a military communications network or some other exotic technology to circumvent Chinese restrictions. (As if the US military was foolish enough to let this idiot of a president’s insecure smartphone access their network.)

But reality is much more mundane, as I know quite well from personal experience in China.

When you are traveling with a phone registered to a foreign service provider, your data traffic is normally tunneled back to that provider’s network and exits onto the Internet from there; that is how data roaming is routed. So insofar as the Internet is concerned, you are not even in China. Your connection originates in your home country. In my case, whenever I used my phone in China for Internet access, I accessed the Internet from an IP address registered with my Canadian cellular service provider, Rogers. I had unrestricted access to Google, Facebook, CNN and other news sites, with no Chinese restrictions.

Trump probably did exactly what I did, except that he probably worried about international data roaming charges and data caps a little less than I. He grabbed his phone, turned it on, and used it without a second thought. (OK, that’s not exactly like me. Trump was probably not surprised to see Twitter work on his phone in China, because he probably knows very little about the Great Firewall. I was mildly surprised myself, especially as I went there prepared for the worst, with multiple overt and covert VPN options prepared just in case I needed them. Which I did… but only when I was using the hotel Wi-Fi instead of the cellular network.)

 Posted by at 9:21 am
May 29 2017
 

Is your mother proud of you being a crook?

I have asked this question many times in recent months; basically, every time I receive a call from the “computer support department”, trying to tell me how my computer is full of viruses or whatever.

I usually don’t expect an answer; as a matter of fact, I usually just hang up, although more often than not, the other party hangs up first before I get a chance. Understandable… that’s what they are trained to do by their criminal masters.

Today, for some reason, I chose not to hang up. And the gentleman on the other end of the line asked me to repeat myself instead of hanging up on me. I obliged. After a moment of silence, I actually got an answer.

“Well, sir, I need the money.”

That was an unexpectedly candid admission, not that I was not aware of this basic truth. These callers, usually in boiler rooms somewhere in India or Pakistan, do this because they need to earn a living.

But it’s one thing to earn a living, it’s another to defraud vulnerable people, old ladies and whatnot. I told that much to this agent. He just repeated himself, defensively: “But I need the money.”

So I told him that I understand. That I, too, was a refugee once 30 years ago. (True.) But even when I had no money, I did not start defrauding people. I asked him to think about this, please; then thanked him and hung up.

Did I accomplish anything? I don’t know. Is it valid to compare my situation 30 years ago: granted, a refugee, but a refugee in a first world country (Austria) with no family to worry about and with guaranteed shelter and food at the Traiskirchen refugee camp, which I declined to take advantage of only because I found work (no fraud involved, but it’s true that I had no work permit) and I was able to afford better accommodations?

Yes, I read Les Misérables. No, I do not want the poor to be disproportionately punished, with no grace or mercy.

Still, I think there is an ethical line to be drawn here. No matter how great your need is, I still don’t think this moral justification applies when you work for a criminal enterprise, earning a living from defrauding vulnerable people halfway around the world.

 Posted by at 2:21 pm
May 06 2017
 

One of the major events during last year’s presidential campaign was the hacking of e-mails of the Democratic National Committee. In particular, the hacking of the e-mails of campaign chairman John Podesta.

How it happened is simple. Podesta received a bogus e-mail, purportedly from Google, that there was an unauthorized attempt to log in to his account, and that he should change his password. A helpful link in the form of a button was provided.

Podesta’s assistant was suspicious and asked for expert help. The expert inadvertently described the e-mail as “legitimate” (presumably, he meant to write “not legitimate” or “illegitimate”) but advised that Podesta should change his password, and provided the correct (Google) link for password changes.

The assistant forwarded the e-mail to Podesta, adding in her own words that “The gmail one is REAL”. This prompted Podesta to change his password… using the fraudulent link provided to him in the original message. By doing so, Podesta inadvertently disclosed his e-mail password to Russian hackers.

How do we know that they are Russian? There are many reasons to believe this to be the case, but I just noticed another peculiarity. (It is possible that I am not the first to notice this, of course.) Look at the subject line of the Podesta e-mails:

Subject: Sоmeоne has your passwоrd

Now try searching for the word “Someone” on this page using your Web browser’s built-in search feature (hitting Control-F activates this feature in most browsers). Can you see (or rather not see) how nothing in this Subject line is highlighted?

That is because several of the o’s in this subject line were typed on a Cyrillic keyboard, and they are Cyrillic characters. A Cyrillic ‘о’ looks very much like a Latin ‘o’, but it has a different code point (U+043E as opposed to U+006F), so a search for the Latin word finds nothing.
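To make that check mechanical rather than a matter of squinting at a search box, here is an added example (my own code, not from the post or from Wikileaks) that flags letters belonging to a script other than the one the rest of the text is written in, and maps the common Cyrillic look-alikes back to their Latin twins so the string can be compared with what it pretends to be. The subject line is constructed inline, with the three Cyrillic о’s written as escapes so an editor cannot silently “fix” them:

```python
import unicodedata

# Constructed sample: the phishing subject line as rendered on this page, with
# U+043E (CYRILLIC SMALL LETTER O) in place of three Latin o's.
PHISHING_SUBJECT = "S\u043eme\u043ene has your passw\u043erd"

# Cyrillic letters whose glyphs are indistinguishable from Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0410": "A", "\u0412": "B",
    "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O",
    "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
}


def script_of(ch):
    """Rough script name taken from the Unicode character name ('LATIN', 'CYRILLIC', ...).
    Returns None for spaces, digits and punctuation, which belong to no script."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_chars(text, expected="LATIN"):
    """Every letter outside the expected script, as (index, char, code point, name)."""
    hits = []
    for i, ch in enumerate(text):
        script = script_of(ch)
        if script is not None and script != expected:
            hits.append((i, ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return hits


def skeleton(text):
    """Replace known look-alikes with their Latin twins; the result is what a reader sees."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def looks_spoofed(text, expected="LATIN"):
    """True when foreign-script letters are present and removing them changes the string,
    i.e. the text reads as one thing and is encoded as another."""
    return bool(mixed_script_chars(text, expected)) and skeleton(text) != text


if __name__ == "__main__":
    for index, ch, cp, name in mixed_script_chars(PHISHING_SUBJECT):
        print("offset %2d: %s %s %s" % (index, ch, cp, name))
    print("Ctrl-F for 'Someone' would match:", "Someone" in PHISHING_SUBJECT)
    print("what the reader sees            :", skeleton(PHISHING_SUBJECT))
```

Run over a mail archive, the same check over the Subject and From headers catches the whole family of homoglyph tricks, not just this one letter. One caveat: mixed scripts tell you the text was produced with a Cyrillic input method or deliberately crafted to look that way; it is consistent with the attribution but is the kind of artifact that can also be planted, so treat it as one indicator among the others.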

Funny thing is… I got this subject line straight from Wikileaks. You know, the same Wikileaks who are protesting high and low that the e-mail dump is not from Russia. Yet on their very own Web site, the e-mails that resulted in the Podesta hack contain Cyrillic characters. Go figure.

 Posted by at 8:34 pm
Feb 02 2017
 

“After a second notices he ran it on db1 instead of db2″… This sentence (somewhat shortened, to make a fitting title) describes the beginning of a colossally effed up night at GitLab.com.

In response to a spike in system load, which resulted in lag on a replication server, the operator thought that maybe restarting the replication server with a clean slate is a good idea. So he decided to wipe the replication server’s data directory.

Unfortunately, he entered the command in the wrong window.

I feel his pain. I did make similar mistakes before, albeit on a much smaller scale, and the memories still hurt me, years later.

I have to commend GitLab for their exceptional openness about this incident, offering us all a valuable lesson. I note that others also responded positively, offering sympathy, assistance, and useful advice.

I read their post-mortem with great interest. In reaction, I already implemented something that I should have done years ago: changing the background color of some of the xterm windows that I regularly open to my Linux servers, to distinguish them visually. (“Create issue to change terminal PS1 format/colours to make it clear whether you’re using production or staging”).

Of course similar incidents and near misses also changed my habits over the years. I rarely delete anything these days without making a backup first. I always pause before hitting Enter on a command that is not (easily) reversible. I have multiple backups, and tested procedures for recovery.

Even so… as Forrest Gump says, shit happens. And every little bit helps, especially when we can learn from the valuable lessons of others without having to go through their pain.

 Posted by at 10:13 am
Dec 13 2016
 

This morning, when I woke up, the regular status e-mails that my servers greet me with told me that there is a major CentOS update (version 7.3). Cool. Unfortunately, it meant that I needed to upgrade as many as five servers. This includes my main server, its physical backup, my backup server in NYC, another “in cloud” backup, and yet another server that I help administer. I began this process shortly after 8 in the morning, after I finished breakfast.

And as usual, a major upgrade like this brings to the surface little problems, little annoyances such as folders that had incorrectly configured SELinux permissions. No big deal, to be sure, but several such little things can consume hours of your time.

And then, it was also Microsoft Patch Tuesday, the second Tuesday of the month when Microsoft releases scheduled updates to Windows and other products. As soon as I was done with CentOS, my attention turned to my Windows machines, including my main workstation, its backup (actually, the same physical machine that also acts as my server’s backup in a dual-boot configuration), my wife’s desktop computer, two laptops, and last but not least, my old desktop that I still keep around as a backup/test computer.

Moreover, I also decided to update three virtual machines (one running Windows 7, the other two, Windows XP) that I keep around both for test purposes but also to have older software, older configurations available if needed.

Furthermore, when I update Windows, I tend to check and see if any other software packages need updating. On some computers, I run Secunia PSI, which keeps track of many applications. But even on other systems, I had to update Java (if installed), Adobe Flash, Chrome and Firefox.

And on older hardware, the process can be painfully slow.

To make a long story short, by the time I finished the bulk of this work, it was 7:30 in the evening. And one computer (a really low powered old netbook) is still doing its thing, even though it’s well past 11 PM now.

No wonder I didn’t accomplish much today.

Of course all of this needed to be done. Since I am a one-man band, I don’t have an IT department to rely on, but it is still important for me to keep my systems secure and well-maintained.

Nonetheless, it feels like one hell of a waste of a day.

 Posted by at 11:22 pm
Nov 23 2016
 

This was a potential nightmare scenario. Imagine if we found out that the swing state results of the Nov. 8 election were altered by hackers. Imagine if an investigation found that Hillary Clinton won these states after all, and hence, won the electoral college.

Remember the hanging chads of the 2000 election?

Why is it a nightmare? Because it would likely lead to a constitutional crisis with unpredictable consequences. Donald Trump would be unlikely to concede. But even if he did, tens of millions of his supporters would likely find the results unacceptable. Even the predictable disaster of a Trump presidency is preferable to a crisis of such magnitude.

And last night, the specter of just such a crisis was raised, in the form of a New York Magazine article (which was soon echoed by other news outlets), reporting on the doubts and suspicions of prominent scientists who noted a bias in the county-by-county results, more likely to favor Trump in counties where votes were counted electronically.

But not so fast, says fivethirtyeight.com. You cannot just compare the raw results without accounting for demographics. And once you take demographics into account, the apparent bias disappears. And while fivethirtyeight notes that it is difficult to validate the integrity of the voting system in the United States, nonetheless the burden of proof is on those who claim electoral fraud, and so far, the burden of proof has not been met.

I no more welcome a Trump presidency today than I did two weeks ago, but an orderly transition is still preferable to the chaos of a constitutional crisis.

Meanwhile, Clinton’s lead in the popular vote count increased to over two million votes (yes, they are still counting the votes in some states, including mighty California). This in itself is unprecedented: never in the history of the United States did a candidate win the popular vote with such a wide margin, yet lose the electoral college.

 Posted by at 6:31 pm
Nov 17 2016
 

It is rare these days that a piece of spam makes me laugh, but today was an exception. After all, it is not every day that I receive an e-mail notice, pretending (kind of) to be from UPS, informing me that my “crap” has been shipped:

Still trying to figure out though if the language was intentional, or simply a mistake made by a non-native English speaker unfamiliar with certain, ahem, idioms.

 Posted by at 1:16 pm
Nov 15 2016
 

I just came across this recent conversation with Barack Obama about the challenges of the future, artificial intelligence, machine learning and related topics. A conversation with an intelligent, educated person who, while not an expert in science and technology, is not illiterate in these topics either.

Barack Obama Talks AI, Robo-Cars, and the Future of the World

And now I feel like mourning. I mourn the fact that for many years to come, no such intelligent conversation will likely be heard in the Oval Office. But what do you do when a supremely qualified, highly intelligent President is replaced by a self-absorbed, misogynist, narcissistic blowhard?

Not much, I guess. I think my wife and I will just go and cuddle up with the cats and listen to some Pink Floyd instead.

 Posted by at 11:35 pm
Nov 12 2016
 

If there was a single cause that sank Hillary Clinton’s bid for the presidency, it was undeniably the “e-mail scandal”.

Which is really, really sad because it was really no scandal at all. I just read a fascinating account (written back in September I believe) that offers details.

Some of what happened was due to ineptness (either by Clinton’s team or the State Department’s), some of it was a result of outdated, inconvenient, or unreliable technology, some of it was just the customary bending of the rules to get things done… most notably, there was no recklessness, no conspiracy, no cover-up, just the typical government or, for that matter, corporate bungling. (And as I noted before, Clinton’s e-mails were likely more secure on the “home brew” server sitting in a residential basement than on the State Department’s systems.)

 Posted by at 4:47 pm
Jul 13 2016
 

Today, I took the plunge. I deemed my brand new server (actually, more than a month old already) ready for action. So I made the last few remaining changes, shut down the old server, and rebooted the new with the proper settings… and, ladies and gentlemen, we are now live.

Expect glitches, of course. I already found a few.

The old server, of which I was very fond, had to go. It was really old, the hardware about 7 years old. Its video card fan failed, and its CPU fan was also making noises. It was ultra-reliable though. I never tried to make this a record, but it lasted almost three years without a reboot:

$ uptime
 12:28:09 up 1033 days, 17:30, 4 users, load average: 0.64, 0.67, 0.77

(Yes, I kept it regularly updated with patches. But the kernel never received a security patch, so no reboot was necessary. And it has been on a UPS.)

This switcharoo was a Big Deal, in part, because I decided to abandon the Slackware ship in favor of CentOS, due to its improved security and, well, systemd. I know systemd is a very polarizing thing among Linux fans, but my views are entirely pragmatic: in the end, it actually makes my life easier, so there.

Anyhow, the new server has already been up 13 minutes, so… And it is a heck of a lot quieter, which I most welcome.

 Posted by at 12:45 pm
Jun 09, 2016
 

Dictatorships can be wonderful places, so long as they are led by competent dictators.

The problem with dictatorships is that when the dictators go bonkers, there are no corrective mechanisms. No process to replace them or make them change their ways.

And now I wonder if the same fate may be in the future of Singapore, described by some as the “wealthiest non-democracy”.

The Ministry of Information and the Arts

To be sure, Singapore is formally democratic, with a multi-party legislature. But really, it is a one-party state that has enacted repressive legislation that requires citizens engaging in political discussion to register with the government, and forbids the assembly of four or more people without police permission.

Nonetheless, Singapore’s government enjoyed widespread public support for decades because they were competent. Competence is the best way for a government, democratic or otherwise, to earn the consent of the governed, and Singapore’s government certainly excelled on this front.

But I am beginning to wonder if this golden era is coming to an end, now that it has been announced that Singapore’s government plans to take all government computers off the Internet in an attempt to improve security.

The boneheaded stupidity of this announcement is mind-boggling.

For starters, you don’t just take a computer “off the Internet”. So long as it is connected to something that is connected to something else… just because you cannot use Google or visit Facebook does not mean that the bad guys cannot access your machine.

It will also undoubtedly make the Singapore government a lot less efficient. Knowledge workers (and government workers overwhelmingly qualify as knowledge workers) these days use the Internet as an essential resource. It could be something as simple as someone checking proper usage of a rare English expression, or something as complex as a government scientist accessing relevant literature in manuscript repositories or open access journals. Depriving government workers of these resources in order to improve security is just beyond stupid.

In the past, Singapore’s government was not known to make stupid decisions. But what happens when they start going down that road? In a true democracy, stupid governments tend to end up being replaced (which does not automatically guarantee an improvement, to be sure, but over time, natural selection tends to work.) Here, the government may dig in and protect its right to be stupid by invoking national security.

Time will tell. I root for sanity to prevail.

 Posted by at 1:45 pm
Apr 15, 2016
 

Not for the first time, one of my Joomla! sites was attacked by a script kiddie using a botnet.

The attack is a primitive brute force attack, trying to guess the administrator password of the site.

The frustrating thing is that the kiddie uses a botnet, accessing the site from several hundred remote computers at once.

A standard, run-of-the-mill defense mechanism that I installed works, as it counts failed password attempts and blocks the offending IP address after a predetermined number of consecutive failures.

Unfortunately, it all consumes significant resources. The Joomla! system wakes up, consults the MySQL database, renders the login page and then later, the rejection page from PHP… when several hundred such requests arrive simultaneously, they bring my little server to its knees.

As a solution, I tried a network-level block on the offending IP addresses, but there were just too many: the requests kept coming, and I became concerned that an excessively large kernel table might break the server in other ways.

So now I implemented something I’ve been meaning to do for some time: ensuring that administrative content is only accessible from my internal network. Anyone accessing it from the outside just gets a static error page, which can be sent with minimal resource consumption.
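The two halves of the problem above, as an added example that is not from the original post: an awk pass over Apache combined-format log lines showing why a per-IP failure counter never fires against a botnet that spreads a few guesses across each of hundreds of hosts, and an Apache 2.4 configuration drop-in that confines /administrator to an internal network so that outside requests get a static 403 before PHP or MySQL are ever touched. The 192.168.1.0/24 network, the /var/www/html document root, the 303 status on a failed login and the log lines themselves are assumptions made for illustration; the post does not give the actual plugin, threshold or addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Apache httpd 2.4 (as
# on CentOS 7) serving Joomla! from /var/www/html with the "combined" log
# format, and that 192.168.1.0/24 is the internal network. The log lines
# are constructed; a failed Joomla! login is shown as a 303 redirect back
# to the login form.

SAMPLE_LOG='10.0.0.11 - - [15/Apr/2016:09:01:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"
10.0.0.12 - - [15/Apr/2016:09:01:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"
10.0.0.11 - - [15/Apr/2016:09:01:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"
10.0.0.13 - - [15/Apr/2016:09:01:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2016:09:01:04 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.1.5 - - [15/Apr/2016:09:01:05 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.14 - - [15/Apr/2016:09:01:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 412 "-" "Mozilla/5.0"'

# admin_post_stats: read combined-format log lines on stdin and print
# "<distinct hosts> <total POSTs> <most POSTs from any one host>" for
# requests that POST to /administrator/. Field 6 is the quoted method,
# field 7 the request path. A per-IP lockout keyed on the third number
# never trips when the botnet keeps every host below the threshold.
admin_post_stats() {
    awk '$6 == "\"POST" && $7 ~ /^\/administrator\// {
             posts[$1]++; total++
         }
         END {
             for (ip in posts) { hosts++; if (posts[ip] > max) max = posts[ip] }
             printf "%d %d %d\n", hosts, total, max
         }'
}

# admin_acl_conf NETWORK DOCROOT: print an httpd drop-in that answers
# /administrator requests from outside NETWORK with a static 403 page.
# Require is evaluated by the core before any handler runs, so a refused
# request never reaches PHP or MySQL; the error page must be a plain file
# under DOCROOT so the ErrorDocument subrequest stays static as well.
admin_acl_conf() {
    cat <<EOF
# /etc/httpd/conf.d/joomla-admin.conf
ErrorDocument 403 /403.html
<Directory "$2/administrator">
    Require ip $1
</Directory>
EOF
}

# On the constructed sample: 4 hosts, 5 guesses, at most 2 from any one
# host, so a counter that blocks after 5 consecutive failures never fires.
printf '%s\n' "$SAMPLE_LOG" | admin_post_stats
admin_acl_conf 192.168.1.0/24 /var/www/html
```

Drop the generated file into /etc/httpd/conf.d/, keep /403.html as a real file in the document root so Joomla!'s rewrite rules in .htaccess pass it through as an existing file, and remember that Require ip also locks out the administrator when away from the LAN, so a VPN into the internal network becomes part of the login path. The per-IP failure counter is still worth keeping for the front-end login, which cannot be confined the same way.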

Now my server is happy. If only I didn’t need to waste several hours of an otherwise fine morning because of this nonsense. I swear, one of these days I’ll find one of these script kiddies in person and break his nose or something.

 Posted by at 11:50 am
Apr 10, 2016
 

I’ve been encountering an increasing number of Web sites lately that ask me to disable my ad blocker. They promise, in return, fewer ads.

And with that promise, they demonstrate that they completely and utterly miss the point.

I don’t want fewer ads. I don’t mind ads. I understand that for news Web sites, ads are an essential source of revenue. I don’t resent that. I even click on ads that I find interesting or relevant.

So why do I use an ad blocker, then?

In one word: security.

Malicious ads showed up even on some of the most respectable Web sites. Ad networks have no incentive to vet ads for security, so all too often, they only remove them after the fact, after someone complained. And like a whack-a-mole game, the malicious advertiser is back in no time under another name, with another ad.

And then there are those ads that pop up with an autostart video, with blaring sound in the middle of the night, with the poor user (that would be me) scrambling to find which browser tab, which animation is responsible for the late night cacophony.

Indeed, it was one of these incidents that prompted me to call it quits on ads and install an ad blocker.

So sorry folks, if you are preventing me from accessing your content because of my ad blocker, I just go elsewhere.

That is, until and unless you can offer credible assurance that the ads on your site are safe. I don’t care how many there are. It’s self-limiting anyway: advertisers won’t pay top dollar for an ad on a site that is saturated with ads. What I need to know is that the ads on your site won’t ruin my day one way or another.

 Posted by at 9:19 am
Sep 21, 2015
 

Today, I spent a couple of hours trying to sort out why a Joomla! Web site, which worked perfectly on my Slackware Linux server, was misbehaving on CentOS 7.

The reason was simple yet complicated. Simple because it was a result of a secure CentOS 7 installation with SELinux (Security-Enhanced Linux) fully enabled. Complicated because…

Well, I tried to comprehend some weird behavior. The Apache Web server, for instance, was able to read some files but not others; even when the files in question were identical in content and had (seemingly) identical permissions.

Of course part of it was my inexperience: I do not usually manage SELinux hosts. So I was searching for answers online. But this is where the experience turned really alarming.

You see, almost all the “solutions” that I came across advocated severely weakening SELinux or disabling it altogether.

Since I was really not inclined to do either on a host that I do not own, I did not give up until I found the proper solution. Nonetheless, it made me wonder about the usefulness of overly complicated security models like SELinux or the advanced ACLs of Windows.
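An added example, not the post's own fix (the post does not say what the solution was): a shell helper for the symptom described above, assuming CentOS 7's targeted policy, httpd serving /var/www/html, and the stat, matchpathcon, restorecon and semanage tools. The usual cause of "identical permissions, different result" under Apache is that the unreadable files carry a type such as user_home_t, for instance after mv from a home directory (mv preserves the label, where cp would have assigned the target directory's default), and the fix is to relabel rather than to loosen or disable SELinux. The list of readable types is a partial one taken from the targeted policy, and the labels fed to the offline demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes CentOS 7 with the
# targeted policy, httpd serving /var/www/html, and the stat, matchpathcon,
# restorecon and semanage commands. Confirm SELinux is the cause first:
#   ausearch -m AVC -ts recent
# shows the denials with the offending source and target labels.

# Partial list of file types the targeted policy lets httpd_t read.
# A file labelled anything else (user_home_t, admin_home_t, default_t, ...)
# is denied no matter what its mode bits say: that is the "same
# permissions, different result" symptom.
HTTPD_READABLE_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t httpd_sys_script_exec_t'

# httpd_can_read LABEL: succeed if the type field of a user:role:type:level
# label is one httpd may read, fail otherwise. Pure string logic, so it
# can be exercised on a machine without SELinux.
httpd_can_read() {
    setype=$(printf '%s' "$1" | cut -d: -f3)
    for t in $HTTPD_READABLE_TYPES; do
        [ "$t" = "$setype" ] && return 0
    done
    return 1
}

# diagnose_file PATH: compare the label the file actually carries with the
# one policy says the path should have, and print the relabel command.
# Needs a real SELinux host: stat -c %C prints the context, matchpathcon -n
# prints the expected context without echoing the path.
diagnose_file() {
    actual=$(stat -c %C "$1")
    expected=$(matchpathcon -n "$1")
    if httpd_can_read "$actual"; then
        echo "$1: $actual (readable by httpd)"
    elif [ "$actual" != "$expected" ]; then
        echo "$1: $actual, policy expects $expected"
        echo "  fix: restorecon -v '$1'"
    else
        echo "$1: $actual is already the policy default, yet httpd cannot read it;"
        echo "  the directory needs an fcontext rule, see relabel_docroot"
    fi
}

# relabel_docroot DIR: for a document root outside /var/www, record the
# default type with semanage so the label survives a full relabel (chcon
# alone does not), then apply it to what is already there.
relabel_docroot() {
    semanage fcontext -a -t httpd_sys_content_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# What the online "solutions" the post complains about do instead, with
# the consequence spelled out:
#   setenforce 0                                                  # every domain unconfined until reboot
#   sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config  # permanently
# Both silence the denial by removing the control instead of fixing the label.

# Offline demo on constructed labels: a file moved in from a home directory
# next to one created in place under /var/www/html.
for label in 'unconfined_u:object_r:user_home_t:s0' \
             'system_u:object_r:httpd_sys_content_t:s0'; do
    if httpd_can_read "$label"; then
        echo "$label -> httpd may read"
    else
        echo "$label -> httpd denied; relabel with restorecon"
    fi
done
```

On a live host, run diagnose_file on one readable and one unreadable file from the same directory: the mode bits will match, the third label field will not. restorecon only helps when matchpathcon already knows the right answer for that path; for a document root in a non-standard location, relabel_docroot teaches policy the default first, which is also what makes the fix survive the next full relabel.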

These security solutions were designed by experts and expert committees. I have no reason to believe that they are not technically excellent. But security has two sides: it’s as much about technology as it is about people. People that include impatient users and inadequately trained or simply overworked system administrators.

System administrators who often “solve” a problem by disabling security altogether, rather than doing what I did: researching the problem, and changing nothing until they fully understand the issue and the most appropriate solution.

The simple user/group/world security model of UNIX systems may lack flexibility, but it is easy to conceptualize and easy to develop a good intuition for. Few competent administrators would ever consider solving an access control problem by suggesting the use of 0777 as the default permission for all affected files and folders. (OK, I have seen a few who advocated just that, but I would not call these folks “competent.”)

A complex security model like SELinux, however, is difficult to learn and comprehend fully. Cryptic error messages only confound users and administrators alike. So we should not be surprised when administrators take the easy way out. Which, in a situation similar to mine, often means disabling the enhanced security features altogether. Unless their managers are themselves well trained and security conscious, they will even praise the administrator who comes up with such a quick “solution”. After all, security never helps anyone solve their problems; by its nature, it becomes visible only for its absence, and only when your systems are under attack. By then, it’s obviously too late of course.

So the next time you set up a system with proper security, think about the consequences of implementing a security model that is too complex and non-intuitive. And keep in mind that what you are securing is not merely a bunch of networked computers; people are very much part of the system, too. The security technology that is used must be compatible with both the hardware and the humans operating the hardware. A technically inferior solution that is more likely to be used and implemented properly by users and administrators beats a technically superior solution that users and administrators routinely work around to accomplish their daily tasks.

In short… sometimes, less is more indeed.

 Posted by at 7:17 pm