Friday, December 28, 2007

BOT House Disaster Recovery & Business Continuity Planning

That would be a really great idea. My current DR/BC Plan is this:
  1. Shit pance.
  2. Plug in the junk Microsoft ISA 2006 server
  3. Get a new IP address
  4. Re-hack the DNS names (got a bunch)
  5. Fire up a Linux VM for miscellaneous services
  6. Figure out what to do next
I'm still on the last step.

The day after I released the Websense advisory (I now OWN Google searches for "Websense Policy Bypass") was routine. I checked my gmail and got up to pack my little brown bag lunchie. When I came back, BH's hard drive light was flashing like crazy and the box was making a peculiar, high speed snicketta-snicketta-snicketta sound, which turned out to be a death rattle.

A reboot confirmed that the box was hosed.

A fortune would have it, I had already performed my daily bowel function, so I skipped Step 1. But there wasn't enough time to get into Step 2 so that waited until later that evening.

By the end of the day (I hate that expression) - that was a Thursday - I was up to Step 6. I tried to salavge something from the hard drive (a Hitachi, if you care) but it was hosed. I may eventually get around to trying the "freeze method" to get the data off but I believe it's a lost cause (I had some luck with that earlier this year on another box).

On Friday I picked up a 250G drive at lunch and that evening I started rebuilding BOT House. EXPERIMENTAL II was up but it would be a week before BOT House was resurrected.

When it finally was back up I decided to run UTPure on it. That was probably a mistake, considering the BH philosophy has always been "NO DOWNLOADS REQUIRED".

And apparently people don't like it.

By the week of Christmas everything (except UTClassicPack]I[ Online) was back up, but it was (and is now) still running through the ISA server. But since I took that week off and because I have a number of... uh... ummm... heh... covert connections back to my workplace (a risky proposition for people not in the security business) I really can't move everything back to the BH box until I get back to work after the first of the year.

But I have been busy.

The Map has been rehacked and is now working better than ever. It now shows the player locations on both BH and EXP II and it appears the caching problem is gone. The trick to that was deleting the data file on the Web server before uploading the new one. One side effect is that it is occasionally blank between data uploads. But, hey, it's working. Even through proxies.

FireFox used to have a terrible memory leak with that map, but it seems that was fixed in one of the many updates and patches they released in the last 12-15 months.

I also bought a cheap UPS (Uninterruptible Power Source) for EXP II. It's only a 350VA, but it should help keep EXP II up during the many power sags we get around here from May-June and you just might get 10 extra minutes of play during an outage.

The things I do for you kids!

Anyway, lookout for an IP change during the first week of January.

Wednesday, December 12, 2007

Websense Policy Filtering Bypass


discovered by mrhinkydink

PRODUCT: Websense Enterprise 6.3.1

EXPOSURE: Web Filtering Bypass

SYNOPSIS
========

By spoofing the User-Agent header it is possible to bypass filtering and, to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

PROOF OF CONCEPT
================

The following was tested in an unpatched 6.3.1 system using the ISA Server integration product. It is assumed it will work with other integration products but this has not been tested. Other User Agents may also work.

I. Install FireFox 2.0.x

II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick

III. Add the following User Agents to the plug-in

Description: RealPlayer
User Agent : RealPlayer G2

Description: MSN Messenger
User Agent : MSMSGS

Description: WebEx
User Agent : StoneHttpAgent

IV. Change FireFox's User Agent to any one of the preceding values

V. Browse to a filtered Web site

VI. Content is allowed

Content browsed via this method will be recorded in the Websense database as being in the "Non-HTTP" category.

Demonstration:

Websens Policy Bypass (obsolete)


SEE ALSO
========
Websense KnowledgeBase article #976

The vendor acknowledges this behavior in the aforementioned article.

WORKAROUND
==========
Disable the protocols mentioned above.

VENDOR RESPONSE
===============
Websense cleaned up this issue in database #92938

NOTICE
======
mrhinkydink is not to be confused with the blogger by the same name at www.dailykos.com

c. MMVII mrhinkydink

Tuesday, December 04, 2007

It's National Handwashing Awareness Week

Everyone adhere to the 4 Principles of Hand Awareness!
  • Wash your hands when they are dirty and before eating.
  • Do not cough into your hands.
  • Do not sneeze into your hands.
  • Above all, do not put your fingers in your eyes, nose or mouth.


http://www.henrythehand.com/pages/content/hwaw.html

Please share this "link" with ALL your family, friends, class mates and coworkers to help them stay healthier one handwash at a time. Share with them how practicing the 4 Principles of Hand Awareness will help them to remain healthy, in spite of the flu or bird flu scares. It is the BEST way to prevent epidemics or pandemics!

YOU GOT YOUR LEFT HAND
YOU GOT YOUR RIGHT HAND
THE LEFT HAND'S DIDDLING
WHILE THE RIGHT HAND GOES TO WORK
YOU GOT BOTH HANDS
YOU GOT PRAYING HANDS
THEY PRAY FOR NO MAN
(roll over... play dead... get spiritual-minded)
O.K....RELAX...
AND ASSUME THE POSITION
GO INTO DOGGIE SUBMISSION
WASH YOUR HANDS THREE TIMES A DAY
ALWAYS DO WHAT YOUR MOM AND DAD SAY
BRUSH YOUR TEETH IN THE FOLLOWING WAY
WASH YOUR HANDS THREE TIMES A DAY

Saturday, November 24, 2007

Hinky's 1st YouTube Video

OK, this sucks, but I only did it to prime the pump for my second video, which may or may not knock your socks off.

Thursday, November 22, 2007

Safari 3.0.4 Now Supports Proxies - Barely

If you've been running Apple's Safari on your Windows box you may have noticed that in the most recent update, 3.0.4 (523.12.9), the "Proxies" setting is no longer grayed out.

Don't get your hopes up yet, boys and girls.

Clicking "change settings" takes you directly to your Internet Explorer "Connections" tab.

Duh.

What's worse, support for the [fh][t]*tp[s]*_proxy environment variables is completely gone.

C'mon Apple... this isn't rocket science! And since you're re-hacking Mozilla/FireFox anyway, the code is there to do it right. Use it!

The Dinkster does not approve.

Saturday, November 03, 2007

MRSA

A towel on the rack means ‘I’ll use it again.’

A towel on the floor means ‘Please exchange.’

This policy has been adopted by nearly all hotels in the past few years and I've recently come to be convinced that it's dangerous and ill-advised. The reason: methicillin-resistant Staphylococcus aureus (MRSA).

There are two types of MRSA, Hospital Acquired MRSA (HA-MRSA) and Community Acquired MRSA (CA-MRSA). Of the two, HA-MRSA is the most deadly and the most common. If you are unlucky enough to get Hospital Acquired MRSA, you have a 60% chance of leaving the hospital in a body bag.

Recently, Community Acquired MRSA has started to make the news in a Big Way.

This is new. HA-MRSA has been health care's dirty little secret for decades. It was mostly contained because hospitals tend to literally bury their dirty little secrets.

How can you protect yourself from MRSA? For one thing, stay out of hospitals. That's half the solution. That takes care of HA-MRSA. As for CA-MRSA, the Mayo Clinic has several suggestions, including:
Sanitize linens. If you have a cut or sore, wash towels and bed linens in a washing machine set to the "hot" water setting (with added bleach, if possible) and dry them in a hot dryer.
In other words, "a towel on the rack" really means "You don't know where I've been."

Friday, November 02, 2007

2007 Information Security Summit

I just got back from the 2007 Information Security Summit in Independence, Ohio. This is the second time I have attended. I was extremely pleased with last year's Summit. It was a tough act to follow.

This year, the whole thing pretty much fell flat on its face.

Evidently they pulled in a homeless guy off the streets to video the activities. Every presentation was plagued with technical difficulties or delayed because the Video Guy just couldn't keep his eye on the clock. Microphone problems were rampant. Video Guy couldn't seem to keep them working, and he needed them for the all-important audio aspect of his video record of the event.

Which he sold for twenty bucks a pop, or a hundred for the whole show.

No thanks. I'll wait for them to show up on YouTube.

I believe - but can't prove - that the video requirement presented some copyright issues that generally lowered the quality of the presenters. Last year it seemed every presenter had a book they were hawking and I recall at least one presenter stating his PowerPoint presentation was a copyrighted work and would not be "available for download" after the conference. They tried hard to distribute the 2006 presentations over the hotel's network, but 300 geeks with laptops took the network down for the duration of the event.

The keynote speeches (there were four total, three on the first day and one on the second) were for the most part disappointing. Except for the "Hackernomics" presentation by "Dr." Herbert Thompson, it seemed each presenter had a hidden political agenda. Doc Thompson was very entertaining. They really should have started the show with him because at least he left the participants smiling. You need to wake the crowd up on the first day, but the initial keynote ("Geeks and Guns") was delivered by National City Security Wonk Gareth Webley. It was a real yawner.

At least Doc Thompson was entertaining. His message was stale ("hackers aren't script kiddies anymore"... yea, we know that), but he acted like a complete idiot on the stage and the crowd loved it.

Although I admit I didn't see enough of the entire summit to pass judgment on it, what I did see was pretty bleak. So bleak I blew off the afternoon of the second day and hit the road after lunch.

I didn't bother to fill out the summit's evaluation forms. Besides the fact that I hate them with a passion, there is hardly any point to filling them out unless the content is truly excellent. There is no point in telling people they're mediocre. They just get defensive.

Besides, that's what blogs are for!

Saturday, October 20, 2007

Dlink DCS-900W

I bought Dinky Jr. one of these wireless cameras just before he left home to go to school. The purpose was to monitor his digs while he was out, "just in case". It turned out his apartment building was not quite as bad as reported by the various apartment rating services available on the Internet. Here's a qucik quote:

"Vomit/urine in the halls, beer, drug addicts knock on your door trying to sell magazine subscriptions *(how they actually got into the building is the scary part), bass 24/7, pot smoke, fire alarms, fireworks, screeching tires *(at 3 am), graffiti, burglary, rape, etc."
Lovely, eh?

It seemed like a good idea at the time to have a security camera (as it turns out it seems rival landlords like to troll these sites and cut the competiton down).

He lived there without incident for about 18 months, graduated, found Jesus (long, long story) and divested himself of nearly all his worldly possessions. Consequently, I got the camera back. Thank you, Jesus!

Fisrt thing I did was go to http://www.dlink.com/ to download the latest firmware, drivers, software, etc.

Big mistake.

Everything went to Hell after the firmware upgrade (v2.51). The new firmware will allow you to set up the camera's 802.11b SSID, WEP key, etc. with non-standard characters (which I immediately did, since 802.11b is incredibly insecure). The old software for monitoring the camera couldn't handle that. I had to use "IPView SE v1.01", which has this incredibly ugly GameBoy-style interface (see below).

I can't impress upon you how much this interface absolutely appalls me. The old software (extremely hard to find, but available here) allowed you to fill the screen with the camera image. IPView SE's "full screen mode" still has the disgusting silver GameBoy border. It's bad enough that you actually have to look at it, but it also has the added benefit of burning itself into your screen if you monitor for extended periods of time. Luckily, my LCD monitor recovered after a few days.

In the end I settled for insecure 802.11b just to lose this monstrosity. To compensate I put the camera on a 30 bit subnet routed through a USB wireless NIC in ad hoc "point to point" mode and tightened up the firewall rules.

Dlink also offers "DView 1.40" software for controlling the camera, but it's ugly in a whole different way. It looks like it was written by a 10 year old.


With crayons.

Saturday, October 13, 2007

Linux Kernel 2.6.23

Dinkster has upgraded the BOT House Operating System. W00T!

This is a W00T-worthy upgrade because it has been the fastest, least painful upgrade EVAH. And the Dink has been building kernels since 1994, back when it took no less than 18 hours to compile the 1.3.x kernel on my old 386DX/16 with 6 megs (SIX!) of RAM.

Kernel 2.6.23 came out on 10/09/07. I had a working package, complete with the latest netfilter patches, on a Debian 4.0r0 Virtual Machine by 10/10/07 and I installed that package today, on the Ides of October (the Ides fall on the 13th in October).

Beware the Ides of October? I hope not.

Tuesday, October 02, 2007

Safari for Windows & Proxies

Recent security vulnerability disclosures have demonstrated there is no such thing as a "secure browser".

Simply stated, they all suck.

The best defense against browser vulnerabilities is to patch constantly, disable all scripting, cross your fingers, shut off the computer, and watch TV. In that order.

There's not much you can do, but another approach is to rotate your browsers. Although it does happen occasionally, cross-browser vulnerabilities are somewhat rare (remember, you shut off Javascript in the last paragraph). So, if Internet Explorer users are getting hit, switch to FireFox. If FireFox users are getting hit, switch back to IE. If FireFox and IE are both getting hit, swicth to Opera.

In other words, it's good to have browser options.

One of those options is Apple Safari for Windows. Unfortunately (depending on your viewpoint), it's still in Beta testing, meaning it's probably going to have more bugs rather than less. Still, it is an option. One problem: Apple programmers don't like proxies (see below). This can be an issue if you're stuck in an Enterprise environment behind a corporate proxy.


You will note from the above screen capture that the proxy settings are grayed out and "Help" is no help at all. Presumably, this will be fixed when Safari gets out of beta, but what do you do for the time being?

It's no surprise Safari looks like FireFox. The common codebase is there. Safari is simply a gayer version of Mozilla and its bastard kindred. As such, old-timey Unix neckbeards (such as myself) know the secret to making it work: the http_proxy environment variable.

You can set this yourself if you right-click "My Computer", and choose "Properties->Advanced->Environment Variables".

There are three different variables you need to add: http_proxy, https_proxy, and ftp_proxy.

The format for each variable is usually the same:

http://[name:password@]ipaddress:port/

(For standard CERN type proxies, the URL always begins with "http" regardless of the proxied protocol. It never begins with "ftp" and seldom with "https".)

For example if your name was "dink" and your password was "utgod" and the proxy server's address was 10.1.1.1 and the port was 8080, your values would look like this:

http://dink:utgod@10.1.1.1:8080/

If your proxy does not require credentials you would simply use:

http://10.1.1.1:8080/

After adding and saving these environment variables, you should be ready to go with Safari. If your network admins are Nazis and they don't allow you to add environment variables, you can still open a cmd window, change to the Safari folder, add the variables at the command line, and start Safari from the command line. You will have to do this every time you want to run Safari.

Of course, if your admins are Nazis you probably don't have permission to install Safari in the first place.

Tuesday, September 11, 2007

Distractions: UTClassicPack]l[

The other day, as I was investigating my Google Alert hit at Unreal Admin, I ran across this link.

Here's the straight poop:

After months of hard work, and 3 years after the release of the second Classic Pack, the UT Classic Pack ]I[ is now complete! Some fans of the Unreal 1 classics might tell you, "They just don't make them like they used to". The old mapping styles of the first Unreal simply don't exist anymore. This hefty map pack contains thirty-four handpicked classic maps from the original Unreal, converted over to Unreal Tournament manually. Among the conversions are three maps from the GW Press Add-On Level pack - made by official Epic mappers back in the day. This add-on has since been lost and is very hard to come by. Other conversions include earlier works from authors who work for Epic today, along with other popular mappers in the Unreal community. Many people will recognize the names in this list of chosen maps!

I suppose I missed the Second UT Classic Pack, but last year a ran a little side server called "BOT House Old Skewl" consisting of maps from UT 1, which came bundled with my (1999 vintage) Voodoo 3000 video card. I also converted them (poorly) to UT99. Had to because they wouldn't run otherwise.

I loved Unreal 1 back in the day, but truthfully the reason "they just don't make them like they used to" is that the maps sucked ass. For the most part, with exceptions, they're "Battle Boxes" connected by tunnels, teleports, and doors. Ho-hum.

Regardless, or in spite of, all that, I downloaded it anyway and threw together a server called UTClassicPack]I[ Online.

Absolutely zero points for originality on that one. Maybe I should have called it "WARNING: UTClassicPack]I[". Maybe I will but I'll keep it like it is for now.

It's extremely minimalist. 6 players, 10 frags, 5 minutes per game.

Five minutes seems a little austere, but you will understand it when you play these maps. Five minutes is about all you'll be able to take.

And oh yeah... I threw Relics in there. I love Relics. And as always it's LOW GRAVITY.

No Robo-Hinky on this one, though.

I don't expect a lot of traffic on this server but things have been slow so what the Hell. I've only used 80M out of my 5G of disk space and 0.01% of my bandwidth allotment on the GoDaddy server, and I've still got two more years left on the contract. Might as well use it.

If you're a dialup user, the game will be over before you download the files, so I put the Classic Pack here if you want to download it before playing.

Monday, September 10, 2007

Booboo Jeebies, Revisited

Oh my, that didn't take long at all...

Like Someone's Walking Over Your Grave

As I have mentioned before, I use (abuse?) Google News Alerts extensively. One of the first was "Gartner says". This particular alert has been very rewarding at work, since upper management has a serious hard-on for whatever comes out of Gartner's corporate pie-hole.

There's the occasional basketball coach or county sheriff coincidentally named "Gartner", but they sponsor so many corporate powwows and dog-and-pony shows that barely a day goes by without a Gartner hit or two.

The latest... and strangest... of the "Gartner says" alerts advise businesses how to leverage a presence in Second Life.

Excuse me? Sounds like there's a Gartner analyst with too much free time on his hands.

Early this year I added an alert for "hinkydink". Shortly thereafter I was deluged with news-ish stories about Michael "Hinky Dink" Kenna, an old time Chicago political boss. So I changed the alert to "mrhinkydink". Now I mostly get alerts for that fellow on Daily Kos ( hey, Hink, wanna buy mrhinkydink.com? Make me an offer! ).

But every now and then I get a hit. Today I found this one in my mailbox:



Creepy. Somebody fingered me at Unreal Admin.

In fact at this moment (8:19AM EST 09/10/07) that same link is the Number 2 hit for "mrhinkydink" on Google (first being, of course, our buddy at Daily Kos).

Oddly, my horoscope for today advised me that someone had "more information than I suspected" and that I should "listen to the omens".

This shit gives me the booboo jeebies.

Sunday, September 09, 2007

Beware the March of IDEs

Shortly after I started fucking around with sockcheck.c, I got involved with one of those inevitable side projects that starts distracting from the problem at hand.

I decided I needed a decent Integrated Development Environment (IDE) for C/C++ in order to get the project done. Hacking around in jed (I hate vi) just wasn't cutting it.

Then I realized I had gone through this all before.

Twenty years ago next January I got my first "IBM compatible PC". It was a slick dual floppy 8mHz XT with EGA graphics. I bought it from a "friend" and paid about eight hundred bucks for it. The first thing I did was buy the $19.95 Power-C compiler.

Oddly enough, even though it only works on MS DOS, you can still buy it for $19.95.

Then next thing I dad was look for a decent editor. My friend had thrown in a bunch of software, including a text editor from DAK, another company that's still around for no apparent reason whatsoever.

In the 80s DAK sold mostly blank cassette tapes. By the time I got around to buying a PC in 1988 they had moved into the floppy disk business. Their "value add" at the time was including worthless software with their floppies.

And that was where I found "DAK Edit". I used it for all my C hacking until my programs got too large. It seems DAK's programmers had no idea what the "PageUp/Down" keys were for, so you had to hit the Up/Down arrows to navigate through your source code.

The search for a decent editor eventually led to Blackbeard, a decent DOS editor with all the bells and whistles. Blackbeard has passed on. You may be able to find a copy on some of those old BBS file dumps, but don't try to Google for it because some guy named Bill Blackbeard, who, as fate would have it, happens to be an editor, gets all the hits. Only oldtimers seem to remember it now.

In 1990 Borland introduced Turbo C++ 1.0, which was my first exposure to IDEs. It came on a half dozen floppies and shipped with twenty pounds of manuals. I bought it at the low, low introductory price of $99.95.

In 1992 Windows 3.1 came out and later that year Borland produced Borland C++ Professional. At $799, it was out of my price range until they offered a Turbo C++ upgrade for $99.95.

By this time I was writing shareware. Everything I did was written in BC++ and I was clam happy.

I could've hacked away forever on BC++, but '95 rolled around and MS DOS was, like the Pharaohs of ancient Egypt, history. In 1997 I gave in and bought Microsoft Visual C++, which I still have and still use.

Except recently all of my hacking has been on Linux.

If you run a Linux distribution that comes with the Synaptic Package Manager, don't waste your time searching for "IDE" or even "integrated". The only thing that shows up is eclipse.

Eclipse is fine. In fact it's damn near wonderful. But the version that Debian 4.0 supports leaves much to be desired. Go to www.eclipse.org and get the most recent version. Then go to (ugh) www.java.com and get the highest version you can find that isn't 1.6 (easier said than done). The GNU Java VM that ships with Debian doesn't play well with eclipse.

If you don't believe me, install it and try to insert a colon while you're inside eclipse. It'll crash and burn.

After I finally got the www.eclipse.org version installed & configured the sockcheck.c project started to cook. I hacked away on it for a weekend. The following Monday I decided to fire up Xvnc4 and work on it during lunch.

Crash.

Burn.

It turns out Xvnc4 & eclipse don't play well together.

In fact the only way I could get it to run remotely was to start an ssh session with X forwarding and run eclipse through Cygwin-X.

Slow, but it didn't crash.

I worked like this for a few days and then stumbled upon this page. There were IDEs I had never heard of. Sockcheck went to the back burner again while I tested alternatives.

So far anjuta seems to be the winner. It doesn't require Java (I hate Java), doesn't crash Xvnc4, and ships with Debian 4.0 (although it is impossible to find by searching using the aforementioned search terms).

Unfortunately, the latest version (2.2.1 - Debian ships with 1.4.something) will not compile. It demands versions of gnome and GTK+ that only ship with the "unstable" version of Debian.

So now my side project is installing Debian "lenny" on a VM to compile the new version.

It never ends.

Monday, September 03, 2007

SOCKS Fucking

The updates went well. There were no issues at all. I got out of bed at around 6:15AM and no one was on either server, so I nailed it.

I spent most of the rest of the morning on my current project, fucking around with anonymous SOCKS proxy servers. Several weeks ago I ran across sockcheck.c and started hacking away at it.

Proxies have been the bane of my existence for the last ten years. It started when the company I used to consult for sent me to a class on Microsoft Proxy Server 1.0. After that, proxy servers became my problem.

1.0 was a piece of crap that was soon replaced by Proxy 2.0. Proxy 2.0 was yet another a piece of dookie until Microsoft rewrote the whole damned turd pile and decided to call it Microsoft Internet Security and Acceleration Server 2000 (or ISA Server 2000, as we poor IT folk know it).

Of course that was a piece of shit as well and was replaced four years later by ISA Server 2004.

And continuing their anal expulsive tradition last year Microsoft shat out ISA Server 2006. At the moment the next version is just now beginning to poke its little turtle head out of Microsoft's ass and will be delivered, complete with a new name (which escapes me at the moment) sometime in '08.

While Microsoft was exercising its bowels over the years I spread out, transferring my mad proxy skillz to SQUID, Dante, and mod_proxy for Apache.

Except for Dante, all these products are variations on the original CERN http proxy. That is, they are basically Web servers that take http and ftp requests for other Web servers. Those requests are stored (cached) to disk and wait to be fetched by the next user, who hopefully experiences a faster retrieval time since the request is served locally.

Dante is a SOCKS server. SOCKS servers don't typically cache Web requests and can proxy much, much more than http and ftp. The catch is the client program must know how to deal with a SOCKS proxy server. This must be built in to the software itself or additional software needs to be used in order to socksify the client program.

Unfortunately, 99% of Web traffic (that isn't SPAM) is http. As a result SOCKS servers tended to fall out of style outside of their traditional Unix environments.

But they persisted for years. In fact in the '90s anonymous SOCKS proxies were a bit of a problem, since they were used to distribute SPAM. This problem was so bad most major ISPs went on a search & destroy mission to eradicate them. And they did a fairly good job.

They still exist, but most won't proxy SMTP mail anymore. No matter, the SPAMmers have gone on to bigger and better things.

If you like anonymity and you don't like having your IP address known, SOCKS proxies are the way to go. Problem is, they are hard to find. Once found, they need to be tested.

And that's what got me interested in sockcheck.c.

I have been collecting SOCKS IP addresses and I've learned some interesting things I will be sharing with you about the state of anonymous SOCKS proxies in the 21st century.

Sunday, September 02, 2007

Even More Debian Updates In Store

Debian has released yet another kernel upgrade that will affect both BOT House and Experimental II. This update has also made it's way into the Ubuntu tree and it's going to take down Mrs. Hinky's computer as well.

Lady Dink has been running Ubuntu 6.06 LTS for over a year on a refurb all-in-one IBM NetVista similar in speed & capacity to the EXP II server.

It has run flawlessly all this time and updates have never beeen an issue, but since she runs the same RaLink wireless NIC as EXP II, I expect the same problems (although, thinking back on it, she has had several kernel upgrades in the past year with no NIC problems whatsoever - perhaps that particular driver is in the Ubuntu tree).

Mrs. D. was a latecomer to the 21st century. We've been married 23 years (as of September 4th), and for two decades she has stared at the back of my head while I hacked away at my various projects.

She realized last year she needed the Internet and email to survive.

Her little Ubuntu box resides in a corner of the kitchen and when she's not cranking out batches of her award winning peanut butter fudge or Norwegian Almond Nut Bars she diddles away at the computer writing emails to her various relatives or to our Worthless Kid, who is attending "college" at the Moody Bible Institute, studying Creationology and Faith-Based Logic.

Since this is a three day weekend (I never understood why the USA decided to celebrate May Day in September), I may do the maintenance early tomorrow. BOT House shouldn't be an issue, but EXP II may be down for a couple of hours.

Saturday, August 18, 2007

Debian Update takes out EXP II

On 8/17 I did a remote Debian 40r0 update to the piece of crap IBM box that runs EXPERIMENTAL II.

I think Debian dropped the ball on this round of updates. A new kernel (in my case 2.6.18-5-686) was installed, but the reboot notification did not appear. When the server entered a period of quiet time I rebooted it and it did not come back up.

Not much I could do. I was at work and EXP II was at home. Sucks to be Hinky.

The same update on a variety of other boxes and VMs had the same problem (no reboot notification), but EXP II was the only one that did not come back up.

Then I remembered the RaLink rt61 wireless driver.

Ooops.

It doesn't come stock with the Linux kernel and if you upgrade the kernel, you have to recompile the driver. Not a big deal, but it completely slipped my mind, or what's left of it.

Since EXP II run headless in the corner of the Dink Family rumpus room and connects to DinkNet wirelessly, doing anything at all to it is a Major Operation™.

But I girded my loins (heh), unplugged it, and dragged it over to the workbench to recompile the rt61 driver.

Huh. No headers for the new kernel. You'd think those would come with the new kernel, but no. So I got those, ran make install, and rebooted.

Son of a bitch overwrote my interfaces file and set it up for DHCP. I don't have any any philosophical issues with DHCP but in my experience these RaLink drivers just don't do DHCP well.

Fixed that, rebooted again, checked everything out, shut 'er down, shoved it back into the corner, powered up, and let 'er rip.

I love this shit. Gives me something to do.

Thursday, August 09, 2007

RoadRunner SUX. GoDaddy ROCKS!!!

I've had the whole week off, so I've been dicking around. And of course whenever I dick around I inevitably fuck something up. Let me explain.

One of the things Debian 4.0r0 has that Sarge never had is support for temperature and fan sensors (see below).

sensord outputI was quite surprised and a little apprehensive when I found BOT House running at upwards of 67º C whenever there was someone playing. The Shuttle XPC that BH runs on has a variable speed "Smart Fan" and although it's relatively quiet, I could hear it spinning up and down whenever the temp went over 60.

So today I decided to jump into the BIOS and set the fan for "High" instead of "Smart" in order to keep this puppy as cool as possible.

Oddly, I found that the Smart Fan default for "High" (3500rpm) was 80º C, which makes me think in retrospect that maybe I was overreacting.

But I changed it anyway and rebooted. Better safe than toasted, I always say.

And lo and behold once more RoadRunner had decided to re-IP the subnet, so BH came up with a new IP.

Fuck.

Not such a big deal, really, unless you've saved BH or EXP II to your favorites, in which case you're screwed to a flat board and you have to re-browse to get the new address.

OK, so no problem. Much. A few tweaks to the firewall settings, reload iptables, and we're up and running.

The biggest hassle is going back to GoDaddy's Total DNS Control page to change all my DNS settings to the new address. So, fire up GoDaddy and...

DNS error. WTF?

It seems RoadRunner decided to take its old DNS severs down as well. I don't use them directly since I have an internal DNS server that forwards to their DNS servers (long story). In order to do that I need to drop their DNS addresses whenever BH gets its IP via DHCP.

So I sniff the wire with tcpdump to get a DHCP packet (it only takes a minute or two to get one) and plug those addresses into my DNS server. Fine. Back in business, slicker'n shit.

Back to GoDaddy, change all my global DNS entries (there are quite a few) from the old to the new, jump to the command line and check the DNS entry.

BINGO!

Woomp there it is. GoDaddy says it takes 24 hours but in my experience it's almost always instantaneous. Or about an hour. Whichever comes first.

So why is this important? Because RoadRunner changes my IP. Here's why.

Like I said, I'm on vacation this week. To stay connected to my work environment, I have a couple of covert tunnels (ssh and openvpn) back to my home address. Each one is the backup for the other and they "phone home" via DNS. If DNS isn't right (if it has the old IP, for instance), they get lost and it just doesn't happen.

After about 40 minutes, while I was posting this, the tunnels figured out the new address and hooked me back up to work.

Some vacation, huh?

Sunday, August 05, 2007

Talk to Jesus... and win a FREE iPhone!

OK, so this is just another thinly veiled attempt to get a Google news alert for "Free iPhone", but if they can do it, why can't ?

Here's a sample from the link above:

A history changing event is about to occur. Soon millions of people worldwide will be able to have private, verbal conversations with the virtual Jesus from any phone, anytime, anywhere on a daily basis. While many instantly dismiss TalkToJesus (TTJ) as an abomination, we believe that it will strengthen people’s faith. TalkToJesus will help people connect with God’s Word by reading the Bible interactively. Users will be able to select from different translations. And TTJ will be able to speak and understand multiple languages in countries across the globe.

Is it just me or does Virtual Jesus sound exactly like this guy?

Perhaps there's a market for a "Talk to Mohammed" iPhone... when you answer it, it explodes!

Sunday, July 22, 2007

An Improbable Escenary: CSO Hinky

A couple of weeks ago I was called to Mahogany Row to interview for the Chief Security Officer position.

It was all I could do to keep a straight face. In the end, I told them flat out I wasn't their boy, but I wished them good luck and total support for the CSO when they finally got one.

After all, the position's been open for over three years now. The last CSO went mad. Totally fucking mad. Both he and the CIO were tossed out on their asses. The CIO wasn't crazy. His problem stemmed from not being able to keep it in his pants.

Ah, those were the days.

I value what little sanity I have left. This organization is rough on lowly managers, let alone CxO types. Management seems to have greater longevity, at least in my experience. And they are only slightly less mad.

The less said about it, the better, but the new CSO is scheduled to show up before September. It should be fun and I'll tell you all about it, since we don't have a Blog Policy... yet.

It seems I picked a bad time to try to generate "Free iPhone" Google News Alert hits. Stephen Colbert picked the same time to whine about not getting a free iPhone, so he took all the hits. Then he actually got one and got more hits. Maybe if I mention them both in the same sentence I can get a hit.

Done.

In the meantime, Ive got another Google News Alert on the word "escenary". I keep getting the same hit over and over every week. Don't bother looking it up. It's not a real word. It appears to be a word used only by people for whom English is a second language. Check it out. In context it means either "scenery" or "scenario". Here's a useage example for the Google bots...

"In a humorous escenary witnessed by millions of TV viewers, Stephen Colbert conned Apple out of a free iPhone."

Two birds, one stone.

Saturday, July 07, 2007

07/07/07

The media is making a big deal about today's date, due to all the lovebirds who've scheduled their weddings today.

I say, "Big effing deal."

Dates like 0x/0x/0x (where x > 0 and x < 13)are cheap the first 12 years of any century. It happens once a freakin' year for 12 years. Ho. Hum. The last three are more interesting than the first 9, but after 12/12/12 you'll be waiting ten years for another string of repeating digits.

Now... feast your eyes on this date:

7/7/77

It's much more attractive typographically. All those straight, parallel lines. Thirty years ago, that was one helluva date. And you won't see it again for 70 years.

Last year on 06/06/06, people, Xians in particular, were flipping out. Not many folks scheduled their weddings on that day (although I'm sure it happened somewhere). We all know the issue with that one.

In fact I first became aware of interesting dates on 6/6/66. Before that, I was oblivious. 6/6/66 was the last day of the 6th grade. On that day, our school had a bomb scare and they sent us outside to play for the whole day while the Fire Department checked out the school.

These days CNN would show up with a few helicopters and some satellite uplinks, but those were simpler times.

That day, while I was having a good time running around on the playground, a classmate told me it was the End of the World, due to the fact it was 6/6/66, and that the bomb scare was part of God's plan to wipe us all out.

Serious buzzkill for a 6th grader.

Of course, Nothing Happened. But I went through the rest of the day expecting nuclear war, and the rest of my life watching the date.

The only memorable one since then was 7/7/77. 8/8/88 and 9/9/99 were uneventful. Same with the 0x series. Take away the dates I have to remember (birthdays, anniversaries, etc.) and 7/7/77 is the only date I want to remember. It's definitely a date I can't forget.

YIM me if you want to know why.

You could win a FREE iPhone!

But not by playing UT on BOT House! Or anywhere else for that matter.

Sorry to get your hopes up.

The only reason I'm telling you this is because I have a Google news alert for "FREE iPhone" and I'm testing to see if I can get a hit from here on BlogSpot.

I think the chances are good, since Google owns BlogSpot, but it didn't work with "Security 3.0". That was another experiment that didn't work.

Saturday, June 30, 2007

VNC 4

Years ago, before I was a High Paid IT Security Dude and UT99 Server Jockey, I was a High Paid Computer Consultant Geek. This was way back in pre-millennial times (1995-2000). For the most part, it was a decent job. I worked for a "Value Added Reseller". A gig here, a gig there. Replace parts, install software, get a new network up and running, that kind of thing. None of that long-term "body shop" bullshit where they sit your ass down in a cubicle and you're expected to mine for opportunities to get more billing bodies on-site (although, sadly, it eventually degraded down to that level).

I fixed broken computer shit and told people what to do and how to do it.

I also told them what not to do.

One of the things I evangelized against to every customer I ever had was the pure evil that was PCAnywhere. They never listened.

Ah, the horror stories I could tell you.

Like the Hospital IT staffer who decided to install PCAnywhere on a "mission-critical" Windows NT4 billing system at 4:30PM on a Friday afternoon. I didn't get out of there until 3PM the next afternoon. Good times, good times.

Everywhere you went, PCAnywhere was blue screening Windows servers. It didn't matter what version or which service pack. It simply blew up servers (in the NT 3.51 days, if you uninstalled a certain version of PCAnywhere it would delete every single file on the partition it was installed on - fun stuff!).

And everywhere you went the resident Windows honcho (the guy who convinced management to spend $50K on a PCAnywhere site license) always said "We've never had any problems with it."

All that disappeared after Windows 2000 and RDP (Remote Desktop Protocol) entered the stage. Some, like the dot-com I worked for before the bust, clung to PCAnywhere because it was somehow simply better than RDP (and they had already dropped the $50K on the site license). And they paid the price with server crashes, day after day.

While all that was going on, an Open Source project called VNC was maturing. In the Blue Screen of Death (BSOD) department, it had a similar track record. Sometimes, depending on your video driver, it was just plain fugly. But the site license was free.

I never cared for it much. To be fair, I never cared for any NTx remote control product. Sooner or later they all crashed servers.

Time went by and RDP took over. I haven't looked at another remote control product in the last five years, primarily due to the fact I work in a "Windows shop".

But VNC development marched on, unrelenting. Now it's up to version 4.1-ish. And now it's not entirely free anymore.

But it has certainly matured.

Although I'd never use anything but RDP on a Windows box these days (and I have seen a few extremely rare BSODs), the options for remote desktop control of a Linux box are more limited.

There's Cygwin X, but it's insecure, it doesn't do NAT (Network Address Translation), and they still have a problem integrating with the Windows clipboard (it worked for about two weeks several revisions ago but not since).

Then there's... well... not much else.

I tried VNC4 on a whim, since it was (is) available in Debian 4.0r0 and most if not all major Linux distros. I was prepared to be disappointed but in the end I was amazed at how well it performs, clipboard and all!

Now I have it on about seven Linux systems. It performs almost as well as RDP, even over an encrypted SSH (Secure Shell) tunnel over the 'Net. Absolutely astounding performance, compared to its earlier days. And the CPU footprint is barely five percent.

When used with VMWare Server (or VMWare Player for that matter), it's a much faster "desktop experience" than the native VMWare client.

And it absolutely leaves Cygwin-X in the dust.

There are a few drawbacks, mostly if you want a multi-user environment, in which case you have to decide how many users you want and which port to run them on (and then educate the end-users, a daunting task).

And of course there's that pesky site license issue.

Your boss'll get over it.

Trust me on that one.

Saturday, June 23, 2007

Security 3.0

The corposphere is all abuzz about Security 3.0!

Seems they just got back from a Gartner clusterfuck in Washington D.C. and they just can't stop talking about it. They gotta have it because it gets their corporate panties all tied up in a bunch just thinking about it!

Soon it will be Mr. HinkyDink's problem. I can only say "Bring it on suckaz!"

As you may or may not know, IRL the Dink is an Information Technology Security Whiz Kid. It's not a job I actively sought out. Rather I sort of fell into it during the dot-com days.

"Hey Dink! Wanna be the security officer?"

"I guess so."

And the job was mine. A few months later, at a burn rate of $1.7M per month the venture capital was drying up and it was obvious the place was sinking fast. I got out while the other rats were still in denial and finagled a job (for, sadly, much less money) at a large (9,000+ employees) organization as a programmer analyst. About two weeks later...

"Hey Dink! Wanna join my security team?"

"I guess so."

And the rest is... ummm... classified.

Anyhow, management reorgs and shakeups were the hallmark of the next few years and when the bits settled Dink was on top of the security heap. Not so high that he got to attend the Gartner clusterfuck personally, mind you. It's a very small heap, more properly described as a pile of crap.

Otherwise known as "Security 2.0"!

What is (was) "Security 2.0"? Funny you should ask. It was, according to Gartner, a pile of software and hardware security "point solutions". This translates to "a lot of small companies making money in a niche market". It turns out the Big Boys (IBM and HP in this case) noticed these small companies making money and bought them all up.

So they naturally turned to Gartner to "create buzz" over their new acquisitions. And that buzz is "Security 3.0"!

It will work out well for them. It always has. And I'll get a new budget that will end up in IBM and HP's deep, deep pockets.

Saturday, June 09, 2007

EXPERIMENTAL I & II

It's been a long time since my last post.

January, huh? Wow.

A lot has happened. Sometime in late January I put up EXPERIMENTAL I on an Ubuntu 6.04 VM I had on my desktop system. It ran surprisingly well. I had a couple of goals in mind:
  • Re-write Robo-Hinky to use a common code base across all running games
  • Implement a snort-based anti-cheat of my own design
  • Make a wireless UT server that I could toss into the garage, basement, attic, whatever, if and when I wanted.
This worked so well on the VM that I bought an ancient (circa 1998) IBM NetVista at a computer junk store (for about fifty bucks), installed Slackware 11.0 on it and moved EXPERIMENTAL I to its new home.

There were a few bumps in the Robo-Hinky transition but it went well, so I bought a Hiro H50069 802.11g Wireless Adapter from TigerDirect for the wireless part of the project.

After that, everything started to go to Hell.

I never really had any complaints about TigerDirect until I bought that card. Real tech specs are hard to come by, and many manufacturers will ship a variety of hardware products under a single model number. You never know what's under the hood until you rip it off and look.

BUT, at the time (they're out of stock now) TigerDirect had a "photo gallery" on this... thing... and the photographs clearly showed it was based on a RaLink chipset, which is A Good Thing™ for Linux tards such as myself. Native RaLink drivers exist, work well, and are under active development. I was looking for a RaLink card. And I thought I had found one. After all, there was a picture! And it showed the right chip!

caveat emptor

What I got was a card, same make and model number as the one advertised, but with a Marvell Libertas 88w8335 chipset.

WTF? Those bastards!

Don't get me wrong. It turns out Marvell makes marvelous (heh) wireless chips. Absolutely the lowest power consumption on the planet. In fact, a Marvell chipset has been chosen for use in the One Laptop Per Child (OLPC) project.

But there weren't any Linux drivers (not exactly true, but the drivers were only available to the OLPC development team - something to do with the proprietary ARM OS burned onto the chips).

So after a lot of bad feeling, negative reviews, support calls, RMAs, etc., etc., I said my final farewells to TigerDirect (sorry, fellas but someone else is getting my money from here on out) and bit the bullet.

I decided to keep the card because I couldn't find a RaLink card. I chalked the TigerDirect fiasco up to experience.

I used the NDISwrapper driver, which is a Linux user's driver of last resort. Through a bit of serious programming wizardry NDISwrapper allows you to use any network card you can find an... ugh... Windows driver for.

And it "sort of" worked for about six weeks. But I got tired of the hanging and the core dumps so I put it back on the wired network.

And the problems didn't go away.

As it turns out, Slackware 11.0 itself is a pile of crap. And I hate to say that because:
  • Slackware was my first experience with Linux (way back in 1994)
  • Slackware is blessed by (PRAISE HIS SWEET NAME!) Bob
In time it was also evident that using a wireless router as an access point is not a good idea. It "appears to work, but is not a good solution" (as they used to say in the Microsoft certification tests). My wireless router, a NetGear WGR614 sucked ass as an access point. It probably sucks as a router as well, but I use Linux and iptables for that anyway. It has since been retired (that is, trashed) in favor of a real access point, in my case a TrendNet TEW 430-APB.

In the middle of this entire driver/access point/OS fiasco I made a fatal error with fdisk (long story) and wiped out the BOT House server in the process. Since I had backups I put the whole shebang on the NetVista until I could rebuild the BOT House server. Performance was painful.


I thought I was going to rebuild with Ubuntu because it is a very, very slick Linux distro, but I have some serious problems with their basic philosophy (otherwise, if you can buy that drivel, I highly recommend it... not the drivel, the OS... Mrs.HinkyDink runs Ubuntu 6.04 and loves it). But Debian 4.0r0 came out in April, so I figured I'd give it a shot (BOT House was on an aging Debian Sarge distro before I trashed it).

And, as luck would have it, I found a GigaBit RaLink-based wireless NIC (VERIFIED!) at NewEgg.

Once BOT House was back on Debian I threw EXPERIMENTAL I on it as well, gutted the NetVista, wiped it, and replaced Slackware with Debian 4.0r0. The RaLink driver worked as expected (I never had any doubts about that) and the TrendNet access point proved to be rock solid (oddly, it too is powered by a Marvell Libertas chipset on an embedded Linux OS - go figure). I retired EXPERIMENTAL I and put EXPERIMENTAL II on the NetVista. I moved the NetVista to its new resting place where it is now doing double duty as a wireless print server. And a damned good wireless print server as well!

Everything works great now. It took six months and a lot of pain, but it works great. But what the Hell, I have too much free time as it is.

Saturday, January 20, 2007

Turbo

Earlier this week I jacked up BOT House game speed to Turbo (from Hardcore).

From the comments I've seen it appears most players approve of the change, but sometimes it's a little flaky.

Anyway, I like it.

Los Misogynistas has also been kicked up to Turbo and I added Relics as well. I never played much with Relics enabled but it does seem to add another level of fun to the game.

Your comments are welcome.

The Tyranny of NAT

Anyone who has ever tried to set up a UT server on a spare box on their home network has usually given up in frustration. It always works fine locally, but you never see it in the UT game browser. Feeling it's kind of useless running a server the world can't see, you shut it down in frustration.

Well, relax. The world can see it, even if you can't.

The problem is Network Address Translation (NAT), a worthless hack imposed upon the world in 1994 to save Internet Protocol version 4 (IPv4) from itself.

Your ISP has granted you one and only one globally unique IP address. If you have one and only one computer attached to the Internet, this arrangement works out just fine and your UT server will work the way you expect it to.

As soon as you start adding computers and other devices to your home network (a practice formerly frowned upon by many ISPs) you need to start leveraging NAT to share that single IP address. You have no other choice.

The first step is buying some sort of router and assigning the computers in your home (internal) network an RFC 1918 address space. Sometimes that address space (usually 192.168.0.0) is imposed upon you by the router manufacturer by default. The router assigns internal addresses to computers on your internal network and then performs Network Address Translation on the traffic to and from the Internet.

Basically, the router removes your internal address and replaces it with the "real" IP address alloted to you by your ISP for outbound connections. For inbound traffic it does exactly the reverse: it changes your "real" IP into the internal IP of the requesting computer.

This works extremely well for 99% of things people do on the Internet, and it also scales well, but it essentially breaks the way the Internet was originally designed to work, back in the day when 4 billion IP addresses seemed like an infinite resource.

When you publish a UT server through your router, it should work fine.

The reason you don't see it in the UT browser is that the IP address published to the world is seen as an external address to your home network. The only way to access that external address from your internal network is through the IP address your ISP assigned you.

UnfortuNATely, these two addresses are the same address.

You end up with a packet with the same source and destination addresses. This is judged to be an invalid packet by your router and it is silently dropped.

It's like calling your own phone number. You're simply not going to get through.

If you leave the server running, people will eventually start playing. You can play as well, but you must play through the address of the UT server on your internal network.

I work with intelligent, highly paid Cisco and Microsoft network engineers who can't, for the life of them, understand this problem, so don't let it bother you. Publish that server and give it some time.

If you build it, they will come.