RearViewMirror.org
   November 22, 2008 Lillian. Nice name, that. (She was born December 1, 2006.)
 


 
  Later again...

I really am a geek. <SEG>

I coded this this afternoon as a demonstration for work. I'm pretty happy with it, actually, although it could be made better. No, no nifty quotes on this one. Sorry. <G>


Friday, August 3 A Little Bit of Randomness

I spent last night hacking up a quick CGI script for one of Keri's clients. Nothing fancy, just a random quote generator; it pulls a random line from a file and displays it as HTML. The nice thing about it is that the same script can be used by any number of sites; you pass the location of the data file you want to use to the script when you call it, so there's no hard-coded variable in the script. It's pretty simple to use, too. Here's an example, using everyone's favorite "error message haikus" (pulled from the first Google return; no author information.)

Refresh to see a new Haiku:

First snow, then silence.
This thousand dollar screen dies
so beautifully.

If you'd like to use the script, you can download it here. GPL'd for your convenience.
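A script that takes the location of its data file from the caller has to keep that parameter inside the set of files it is meant to serve, and has to escape whatever line it prints as HTML. The following is an added example in Python, not the Perl script offered above; the function names, the base directory and the `.txt` suffix rule are assumptions made for illustration.

```python
import html
import os
import random
import tempfile

ALLOWED_SUFFIX = ".txt"  # assumption: quote files are plain-text files


def resolve_quote_file(base_dir, requested):
    """Return the real path of `requested` if it stays inside base_dir, else None."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks *before* the containment check;
    # an absolute `requested` replaces base in join() and is rejected below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(ALLOWED_SUFFIX) or not os.path.isfile(candidate):
        return None
    return candidate


def random_quote(base_dir, requested, rng=random):
    """Pick one non-empty line from an allowed file, escaped for use in HTML."""
    path = resolve_quote_file(base_dir, requested)
    if path is None:
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    return html.escape(rng.choice(lines)) if lines else None


def demo():
    """Constructed layout: <tmp>/quotes/haiku.txt is public, <tmp>/secret.txt is not."""
    with tempfile.TemporaryDirectory() as tmp:
        quotes = os.path.join(tmp, "quotes")
        os.mkdir(quotes)
        with open(os.path.join(quotes, "haiku.txt"), "w", encoding="utf-8") as fh:
            fh.write("Quote with <b>markup</b> & ampersand\n")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("not for visitors\n")
        names = ("haiku.txt", "../secret.txt", "/etc/passwd", "missing.txt")
        return {name: random_quote(quotes, name) for name in names}


if __name__ == "__main__":
    for name, quote in demo().items():
        print(f"{name!r}: {quote!r}")
```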

Later...

I mentioned to John Dominik last night that I intended to create a "fortune" data file for quote. Well, when he mentioned something about it again this morning, something in my head said "hey, Perl can do that..." Guess what? My head was right. Same as above, refresh to get new fortunes. The data file I'm using is downloadable here. (Warning: 615k)


Nondeterminism means never having to say you are wrong.

And, if you're really bored, this link will just show the fortunes quote - refresh to your heart's content. Fortunes are the clean ones included with SuSE 7.2.


Thursday, August 2 - RIP

Goodbye, Poul Anderson. May this journey be as satisfying as all of those you've given me over the years.

The first news story of the day would appear to be the Code Red worm. Apparently, although it was worse than I expected, it won't really be a problem either. Yes, there was some degradation from the packets flying around, but not enough for anyone to easily notice; all in all, the second round of infections appears to have peaked, and the damage done is not very severe. So, we can now start putting that one behind us, suffer through the media morons patting themselves on the back for averting the catastrophe, and move on to other things. Until the next one, at least.

THOR is not doing well. It crashed again last night - fortunately while I was sitting at the computer - with the exact same symptoms. This time, I managed to get more information from the logs, and from what I've discovered, I think I have a hardware problem. Specifically, it looks like one of the RAM modules is dying. Granted, THOR is not a spring chicken, and it never did have the highest quality components, so this is not entirely unexpected. It's still more than a bit annoying. THOR has 96 MB of RAM in 4 SIMM modules, though, so finding the bad SIMM might be an interesting experience. We'll see.

A friend in Phoenix is visiting a defunct company, though, and they're offering insanely low prices on hardware. He's going to keep an eye open for a good deal on a server; maybe THOR's problems will be a moot point, after all.

I saw a few news stories this morning about the Boy Scouts that appear to make John Dominik happy; proof that the entire Boy Scout organization isn't a total loss. In a similar vein, Germany has passed and enacted a law to allow same-sex "civil unions"; it's not quite marriage, despite what the news organizations are claiming, but it's close. They can register their partnerships, claim some of the benefits of marriage such as medical insurance; they even have legal divorce, now. They still don't get the tax advantages, and they can't adopt children - but they're getting closer. Perhaps someday the "Land of the Free" will be so reasonable. I wouldn't bet on it, though.

It seems that every time someone tries to bring up the issue in the US, the same two tired old arguments come up - brought by the same bigoted airheads that get in the way of everything. The first is that homosexuality is morally wrong; the second is that same-sex marriage would damage "traditional" marriage.

Morally wrong is tough to argue because it's tough to define. What's "moral" mean, anyway? OK, so you are a member of a religion that believes homosexuality is a sin. Fine. Obviously, the homosexuals don't agree. I don't agree, either, and neither do a great many people. But for some reason, a loud, obnoxious and very annoying group of people seem to feel their beliefs trump the rest of us. Personally, I'm not worried about what people want to do in their sex lives unless I'm directly involved; I'm more worried about what these idiots are going to try to do next in the name of their morality. You have to wonder about religious groups who promote hatred and bigotry over love and acceptance. Isn't that illegal now?

As for damaging traditional marriage; I'm sorry, but that's just plain dumb, not to mention asinine, arrogant, and insulting. I'm married, to a woman. A woman that I happen to love a great deal. Keri is my friend and partner. I don't care who you are or what you do. I don't care if you make it legal to marry sheep. It isn't going to damage my marriage. And if you believe that allowing same-sex marriage would somehow damage yours, you've got much bigger problems.

All right, all right. Enough ranting for today. Have a good one...


Wednesday, August 1 - A Bit of Crow for Breakfast, a New Toy, and a New Job

Yes, ATTWS finally got that letter to me. And I signed and returned it. So, I have the same job I had yesterday, but the paychecks come from a different company, my badge is a different color (red eq contractor, blue eq employee) and I actually have to start paying attention to all the employee communications. <G> Yes, I'm mostly happy about it; the job I've finally settled into, although not nearly the same as what I signed up for in the first place, is interesting, and best of all - AT&T Wireless is not going to go belly-up any time soon.

So. On to the "New Toy". ATTWS bought me a Compaq iPaq, the 3600 model; color screen, 32 MB RAM, and so on. Very nice, I have to say. It's not any faster than my old Visor, but then, it's running much more complex software - Pocket Word, Pocket Outlook, and so on. The most impressive part, to me, is the handwriting recognition; I got very used to Graffiti over time, but this is much better. It's almost - but not quite - normal print lettering. And, of course, the color screen is quite a novelty for me.

Best of all, of course, is the PCMCIA sleeve that allows a wireless network card or CDPD modem (hey, I *do* work for a Wireless company, after all...) I can even get a 2.5G wireless modem; ATTWS just rolled out the service here in Seattle. And since I can do that, goodbye boring meetings... hello wireless net access from meeting rooms...

The reason I have this new toy is actually reasonable. Compaq makes a client for their RIB cards that runs on PocketPC. The RIB board (Remote Insight Board) allows you to completely manage a Compaq server from a web browser - power the system up or down, enter and modify the system BIOS or RAID controller - if you've got someone to change CDs for you, you can install OSes on the system without ever touching it. With a CDPD or GPRS (2.5G) modem and that software client, I can manage systems from anywhere that I can get a cell signal - which means I can respond to problems while on-call without being trapped at my terminal. And that's a very good thing.

Now then. The "crow" bit. Well, remember how I said Code Red would never reemerge from the background noise of the Internet?

Ooops.

I'll post a message from incidents@securityfocus.com (an essential list, btw, if you have any security responsibilities..). This message is from Alfred Huger, the moderator of the list, as a response to a message he posted last night - saying much the same as I did, that Code Red wouldn't be a problem. It's a verbatim copy, so errors and such are his, not mine. I do agree with his statements and conclusions, however.

Subject: Full Plate of Crow
Date: Wed, 1 Aug 2001 09:01:59 -0600 (MDT)
From: Alfred Huger
To:

Well, for future referance, crow is for the most part terrible breakfast food. It seems that the end is actually nigh and all my sarcasm has come back to haunt me. Well, perhaps not.

People as you know, are seeing Code Red attacks on the increase although it has yet to become a problem. If you look at the attack rates the attacks seems alot faster than last time. We started seeing Code Red on the 11th last time and it took several days though before it started picking up steam en masse. Today however the rise seems alot more effective. Still no snapping powerlines, major ISP's going down or general digital chaos but we can always hold out hope for that later.

Something to note here, upsurges in port 80 probes and actually identifying a Code Red attack are two differant things entirely. If you are basing your attack stats off of firewall logs or simple access list packet drops your stats might well be out to lunch. Keep in mind a firewall is only telling it dropped a packet, not what was in the packet. Alot of the people mailing me last night and this morning were sending firewall logs, not IDS logs. Firewalls are great, I have on myself but you see the problem is that they were not designed to be very inquisitive, hece IDS's. So before you assume Code Red is massing at your border router for an all out Iwo Jima no holds barred assualt - check your logs. Meaning your IDS logs or web logs. Conjecture in times like this causes panic. Panic is bad, unless of course you profit off of people panicking, which some of us in the industry do.

Three people also mailed me asking about SANS's Incidents.org and their front page showing (as of now) something like 8000+ hosts infected. So far as I know Incidents.org (which is a good site) is pulling it's data from Dshield.org (which is a really good site as well). Now Dshield so far as I understand it gathers it's stats from a number of devices but it does not do attack correlation. Meaning it does not actually make sense of the logs outside of telling what was denied on what ports. So it could be saying that 8000+ people have seen traffic dropped on port 80, or perhaps their staff are going through the logs by hand (I pity them if this is the case). Perhaps someone from one of those organizations can post and shed some light on this for us.

Now lastly, the list is going to be reserved to Code Red traffic today so if your posting other things (and many of you are) I will approve them tommorow after some judicious moderation.

Cheers,
-al

VP Engineering
SecurityFocus.com
"Vae Victis"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-------------------------------------------------------

So, what does this mean? Were the media right, and the Internet is about to be destroyed? No. It means that Code Red is a bit more dangerous than anyone ever expected, but it's not a serious threat, yet, either. I'm still monitoring the list, and the number of infected hosts is increasing - but it's not increasing very fast. Faster than any of us would have bet yesterday, yes. As fast as it did the first time, no. Fast enough to be a clear threat to the 'Net - no.
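The distinction drawn in the quoted message, between a firewall that only records a dropped packet on port 80 and a web log that records what was requested, can be shown on sample data. This is an added example, not code from this site or from SecurityFocus. All log lines are constructed, and the log formats, the assumed exposed web server and the 100-character threshold are assumptions; the only fact relied on is that Code Red's request is for `/default.ida?` followed by a long run of `N` characters.

```python
import re

# Constructed sample data using documentation address ranges, not real traffic.
# Assumed layout: the firewall filters 203.0.113.5; the web log comes from a
# separate, exposed web server that some of the same sources also reached.
FIREWALL_LOG = """\
Aug  1 08:14:02 gw kernel: DROP SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=80
Aug  1 08:14:09 gw kernel: DROP SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP DPT=80
Aug  1 08:15:31 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=80
Aug  1 08:15:40 gw kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=25
"""
WEB_LOG = "\n".join([
    # Shape of a Code Red request: long run of 'N' (rest of the request omitted)
    '192.0.2.10 - - [01/Aug/2001:08:14:05 -0700] "GET /default.ida?'
    + "N" * 224 + '=a HTTP/1.0" 404 276',
    '192.0.2.44 - - [01/Aug/2001:08:14:11 -0700] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.23 - - [01/Aug/2001:08:16:00 -0700] "GET /default.ida?x=1 HTTP/1.0" 404 276',
])

FW_RE = re.compile(r"SRC=(\S+) .*\bDPT=(\d+)")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')
RANK = {"other": 0, "ida-request": 1, "code-red": 2}


def port80_sources(firewall_log):
    """Sources dropped on TCP/80. The firewall saw a port, never a request."""
    matches = map(FW_RE.search, firewall_log.splitlines())
    return {m.group(1) for m in matches if m and m.group(2) == "80"}


def classify_request(uri):
    """Label one request URI by what was actually asked for."""
    path, _, query = uri.partition("?")
    if not path.lower().endswith(".ida"):
        return "other"
    # Assumed threshold: 100 or more leading 'N' characters counts as the filler.
    return "code-red" if re.match(r"N{100,}", query) else "ida-request"


def classify_web_log(web_log):
    """Map each source address to the most specific label seen for it."""
    seen = {}
    for line in web_log.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        src, label = m.group(1), classify_request(m.group(2))
        if RANK[label] >= RANK[seen.get(src, "other")]:
            seen[src] = label
    return seen


def compare(firewall_log, web_log):
    """Contrast 'hit port 80' with 'sent a Code Red request'."""
    probers = port80_sources(firewall_log)
    labels = classify_web_log(web_log)
    confirmed = {src for src, label in labels.items() if label == "code-red"}
    return {"port80_probers": sorted(probers),
            "confirmed_code_red": sorted(confirmed),
            "unconfirmed": sorted(probers - confirmed)}


if __name__ == "__main__":
    for key, value in compare(FIREWALL_LOG, WEB_LOG).items():
        print(f"{key}: {value}")
```

On this sample, three sources were dropped on port 80 but only one of them is confirmed by the web log as sending the Code Red request.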

So. You're a security admin. You have IIS servers, and you think you're exposed to the Code Red Worm.

What should you do?

First, install the patch from Microsoft. Their information, instructions, and patch are here. Please note, Mr. Thompson, their instructions for dealing with the infection, which I knew and has been talked about repeatedly in various places - start by rebooting your server, because that will eliminate the Code Red worm from your computer.

The reason that works in this case - and generally speaking, only in this case - is because Code Red is memory-resident, but it doesn't save itself to any files. It simply sits in memory. So when you reboot the computer, the virus is dumped. You still have to install the patch, though, or you may - most likely, will - be reinfected again.

Me? Yep. All the servers at work are current on their patches, including this one. I still need to monitor things though, so I'll see you later.

Later...

Sigh. Guess I know what I'll be doing this weekend - THOR died mysteriously this morning. Segfaults all over the place. I rebooted the server (ran home to do it) and when it came back up, it hadn't mounted any filesystems. None of the service daemons started. It didn't even know the correct hostname for itself.

A mount -a as root fixed the filesystem problem (thank Dog for Reiserfs) and a reboot brought back the system - for now. I still don't know what caused the initial problem. Solar flare? Cosmic rays? Cockroach snot? Who knows. This weekend, hopefully I'll have time to pull it apart - physically and logically - and find the problem.


Tuesday, July 31 - Well, This Is Going to Be a Lovely Week

One of my jobs at AT&T Wireless (in fact, my main job right now) is to create a new Operations team for Microsoft operating systems. AT&T Wireless (a.k.a. ATTWS) is traditionally a Sun shop, with over 250 Sun Solaris servers vs. less than a dozen NT boxes and perhaps twice that many HP-UX boxes.

However, the beancounters have noticed that Windows machines are considerably cheaper than Sun - even with OS licensing issues - and so, NT boxes are becoming more and more common in the engineering plans that come our way. As a result, we need an NT Operations team. Guess who's the only administrator who's good with Windows NT? Yup. So I have to create and lead the new team. No big problem, right? This is Microsoft country, the place should be crawling with good admins.

Heh.

The truth is, as I had a recruiter explain to me, Microsoft absorbs the cream of the crop. (I suppose I should be flattered that they made me an offer then, huh?) The rest, like any other sysadmin group, can currently be divided into two groups; the Pros and the Other Guys. The Pros are people who've either been admins for ten years or more, or are admins by choice. In NT, these are the guys (and girls) who spend time at home hacking on their own machines, own a nice collection of computer books, and in general are pretty dedicated to their careers.

The Other Guys are people who until a few years ago were "something else". They may never have looked at a computer before then. When the dotcom boom started, they saw the money to be made, took a computer course, and became an administrator. Now that the dotcom boom is over, they're stuck with a few years of experience, no real interest in what they do - and for some reason, they persist in trying to find jobs.

Most people who're hiring can quickly spot the difference, and in general they're not interested in the "Other Guys" anymore. Salaries are down, budgets are down - there's no money to waste on people who aren't really dedicated about computers. Which, of course, means that for every "Pro" resume I receive, I have to discard a couple of dozen "Other Guy" resumes. It also means that although the job market in Seattle is not good for admins - in fact, it's pretty dead - according to the companies I've been talking to, the "Pros" wouldn't have any trouble at all finding jobs - if they could make themselves heard over the noise of the Other Guys.

Anyway. A couple of weeks ago I found and hired a Pro, but she's a Canadian citizen and it's taking a while for the Feds to decide she's not a terrorist or something. Anyway, I hired her a while ago with the expectation she'd be starting... tomorrow, but instead it may be September. Not her fault, of course, but still not a good thing. So last week I found another Pro. I've only got the two open positions, so I dropped the other interviews, told the recruiters to stop looking, and got ready to start the new guy.

Well, he quit yesterday. Better offer, he says. I'd have appreciated something more than an email, and even more I'd have appreciated the chance to make a counteroffer (I may not have *done* it, considering he'd already accepted our offer, but still...) So now, I have to start the process all over again.

On top of that, my own offer letter was lost in the mail. Apparently, it helps when the HR department puts the apartment number on the address form. Go figure. (Yes, this means that I'll be becoming an ATTWS employee. Monday, supposedly, unless they lose the letter again.)

On top of that, three new projects showed up in my inbox yesterday, all NT-focused, all due to be in production on unreasonable schedules.

I need a vacation...


Monday, July 30 - Run for the Hills! It's Code Red... err, Again!

Unless you've been living under a rock the past few weeks (or have no interest in computers), you know what the Code Red worm is. A bit of malicious code, infecting Microsoft web servers using a known vulnerability. It spreads very quickly through unpatched machines, and on a certain date it launches a massive DDoS (Distributed Denial of Service) against the IP where the Whitehouse.gov website... was.

Now, when that happened, it wasn't a very fun situation, particularly for IIS admins. The Whitehouse.gov admins did something intelligent, however, and moved the site - those DDoS packets didn't really have a target anymore. Still, they did cause some localized damage; the numbers of packets they were shelling out were sufficient to shut down some portions of the Internet. By far, the worst damage was from unintended targets; some small Cisco routers, the kind used by home DSL users, crashed when the Code Red worm hit them, knocking their users offline.

Now, there's a big outcry going up over concerns that it may be coming back. Supposedly, if just a few machines have the wrong clock date set, and they try scanning again, we could see a massive re-infection, and all the problems will start over.

In a word, batpuckey.

First, the amount of publicity generated over the first infection of the Code Red worm means that most of those servers which were infected the first time around have been patched. Second, since the target is now extremely well known (the former IP of the whitehouse.gov, now unused) *if* large numbers of servers do appear to be reinfected, ISPs can prevent the problem by simply blackholing that IP. Blackholing means the routers won't have a published route to the IP address, and will drop the packet - making it disappear without a trace, as if it had fallen into a black hole. (And you thought we just made these names and terms up...)

Third, the number of machines with still-live infections of Code Red must be vanishingly small. The worm code is entirely memory-resident; if the system is rebooted - under the best of circumstances, a fairly frequent occurrence with Windows systems - the worm disappears. If the admins of the box are incompetent enough to have an unpatched vulnerability after this much publicity, and an incorrectly-set system clock, *and* they haven't noticed the infection on their server before now - well, the chances that their server has survived this long without needing a reboot are, shall we say, exceedingly remote. I don't expect this "return of the Code Red" to ever emerge from the background noise of attacks on the Internet.


Some of you have no doubt already heard of the Dmitry Sklyarov case. Dmitry is a Russian programmer who was arrested two weeks ago for violation of the Digital Millennium Copyright Act - which he violated while in Russia. The DMCA is not a Russian law - it's not even a just and fair American law - but he was arrested anyway. Adobe filed the complaint with the US government that got Dmitry arrested, and after a massive series of public protests, they asked the feds to release him. He's still in jail.

My own position is that the DMCA is a bad law, a law which needs to be repealed or revised; in order for a copyright violation to occur, the person committing the violation must actually have an intention to defraud the copyright owner, through redistribution or sale. (Even then, some cases are acceptable; teachers, for example, need to be able to give their students copies of articles without restriction.) I won't explain much further; there's someone else who's done an excellent job. Lawrence Lessig is a law professor at Stanford University, well known in the online legal world, and highly respected. He's written a very, very good Op-Ed piece in today's New York Times. (Sorry, nasty free registration required. If you like, use this account to register; username "buggeroff999", password "buggeroff"; the personal information registered with that account matches no one on the planet, I hope.) Take the time to read it.


In other news, much work was done on the new fish tank stand; the carcass is more-or-less complete (carcass refers to the internal structure of the cabinet; the skin goes over the carcass) and it's actually going together quite nicely. Yes, "The Wood God" and I have made several changes in the shop, but that's not a bad thing; no matter how good CAD is at rendering 3D images, some things just don't become apparent until you've got the actual pieces in front of you. By standard manufacturing processes, this cabinet that we're building is the prototype; and there are always changes to be made between prototype and production. Keri has some pictures up from Saturday, but you can't see much of the cabinet other than two rendered drawings of the original design. Saturday was spent assembling the frames for the front of the cabinet; Sunday, Jon and I connected the frames and started on the sides and deck. Yes, Keri, I now understand about cutting expensive fabric; that first cut into the oak plywood... <shudder> That there was an US$80 sheet of plywood, folks. But, the cut turned out fine, and another weekend should see it completed.


Last for the morning, I've been asked for my opinion on the most recent Daynotes flap. I don't know what's being said on the backchannel anymore; I haven't bothered with it since the last argument I became involved in, where the other side decided to stop arguing rationally and started creating their own logic and inventing statements for me. Daynotes has been around a long time, in Internet years, and maybe it's inevitable that things like this happen. Regardless, I'm going to keep doing what I've been doing all along; talking about computers, with occasional (OK, not-so-occasional sometimes) sidetracks into other topics. If everyone else gets back to computers, with occasional forays into other topics (astronomy, woodworking, politics, religion, music, underwater left-handed basket weaving) and forgets about the stupid one-upsmanship and little-boy games, then I think Daynotes will still be around for a long time to come.

And if not, well, I'll still be here.

 

