rip steve jobs

Whilst I have never been an Apple fan, I was enormously saddened to learn of the death on Wednesday of Steve Jobs. He was a visionary architect and was undeniably a charismatic, if idiosyncratic, leader in the world of computing and technology.

Whilst his death was not unexpected, he will be missed.

Permanent link to this article: https://baldric.net/2011/10/07/rip-steve-jobs/

webcam mark II

Upgrading the slugs to squeeze killed the webcam. At first I thought that squeeze was missing the necessary gspca drivers, but no, a quick look in /dev revealed an entry for video0 and “lsmod” reported “gspca_zc3xx” loaded correctly. This is a different driver to that which my camera loaded in lenny (spca5xx) but a quick search around the web confirmed that the camera should be happy with the new driver. So clearly the webcam program itself was at fault (confirmed by checking the output when running the program by hand). Time to find an alternative.

A scan of the debian repositories turned up a bunch of possibilities, some of which I had looked at in the past when first installing the camera. I eventually plumped for fswebcam because it was quick and easy to install and configure, it seemed to be actively supported (unlike Gerd Knorr’s old program) and it didn’t need a GUI. More to the point, it works with my old Logitech camera.

The program can be run from the command line with option switches or configured to read its options from a config file. And despite being advertised as tiny, it has quite a rich feature set. It can even perform simple manipulation of the captured image, such as resizing, averaging multiple frames or overlaying a caption on the image. Nifty.

My current config file is shown below as an example. I may change this because I’m not quite happy with the brightness/contrast mixture and I’m still playing with the options available. Still, a recommended package.

# /etc/fswebcam.conf
#
# config file for fswebcam utility
#
# device and input are defaults
device /dev/video0
input 0
# log messages - only use this if debugging setup
# log /var/log/fswebcam.log
# repeat image capture every 30 seconds
loop 30
# set number of frames to skip if the camera sends bad frames on startup.
# Note - this is only necessary when using the camera for video capture
# skip 10
# background the webcam process
background
# set resolution of image (default is 384 x 288)
resolution 320x240
# set the palette to use in the output format (here JPEG) and the jpeg quality
# (my camera doesn't like this option so it is commented out)
# palette JPEG
jpeg 95
# set some additional controls
# (use "fswebcam -d v4l2:/dev/video0 --list-controls" to see options)
set brightness=55%
set contrast=40%
# place the banner at the bottom of the image (default)
bottom-banner
# and colour it black
banner-colour #000000
# set the font to use in the banner title and timestamp
font /usr/share/fonts/truetype/msttcorefonts/arialbd.ttf
# set the title and timestamp to display in the banner - (timestamp uses strftime format)
title "Webcam on the Slug"
timestamp "%d %B %Y at %H:%M:%S"
# where we save the image
save /home/web/webcam.baldric.net/images/webcam.jpeg
#
# end

Permanent link to this article: https://baldric.net/2011/09/27/webcam-mark-ii/

squeezing the slugs

Debian 6 (squeeze) has been the current stable version since February 2011. The latest version (6.02) was released in late June. I have put off updating my slugs from lenny (old stable) for a while because I wanted to see how others fared before committing myself. Indeed, initial reports on the debian arm list indicated that the upgrade could be problematic. Worse, a completely clean install of squeeze turns out to be impossible because the debian installer uses more memory than is physically available on the slugs. So the only way to go, even for a clean new installation, is to install lenny first, then upgrade.

Given that both my slugs are operational, and are now an integral part of my network, I decided to invest in a new one as a development machine to test the upgrade rather than risk fritzing a perfectly good setup. (Back in the day I would have been happy to “fix it ’till it broke”, but these days I don’t really need to experiment that much and I’d rather keep a working system, well, working).

Second hand slugs go for around £25 on ebay, and there are still plenty about, so I bid for one that had only about a day to go and was successful. Unfortunately, when it turned up I found that the power supply was fsckd and so I had to switch off one of my operational slugs in order to test the new one. Happily it appeared to boot up OK so I fired off a disgruntled email to the seller and then ordered a new PSU. The seller claimed that it “worked OK when I boxed it” and didn’t offer to pay for the replacement PSU so I wasn’t too happy with him. I became even less happy when the new PSU arrived and I booted up the slug in preparation for reconfiguration to match my network before installing debian.

The debian installation process is handled via an SSH shell. You need to know the address of the slug in order to connect and install. The installer also needs the addresses of a local DNS server and the default route to the outside world (so it can find the servers containing the installation packages). Now the default, factory settings, for slugs includes a fixed IP address of 192.168.1.77. If this does not match your requirements, it must be changed before reflashing with debian. Guess what? The default address didn’t work, so the previous owner must have reconfigured the slug to match his network and he had not bothered to reset to factory default before selling. Nor had he been considerate enough to let me know the new configuration. Needless to say I won’t be buying anything else from him. Nor did he get decent feedback.

I couldn’t reconfigure the new slug until I could connect so I needed to find out what address it was using. A quick nmap scan of the 192.168.1.0/24 netblock showed that it wasn’t even on the default network range so I fired up wireshark and etherape on one of my machines in the hope of catching the slug arping and getting the address from the request. In the event, etherape proved to be quicker (and easier) in providing the answer since the slug quickly popped up and disclosed its IP address as 192.168.2.10. Adding a route to the 192.168.2.0/24 net then allowed me to finally connect and reconfigure the new beast to suit my network. I then rebooted and started a fresh installation of lenny (as previously described in one of my earlier posts). About four hours later I had a nice new clean slug running lenny.

However, since the main purpose of getting the new slug was to allow me to test the upgrade to squeeze in safety I really needed to make it look like my main operational slug. That slug is my DNS and DHCP server, and primary rsync backup for my desktops. It also runs a webserver. Like most (lazy) sysadmins my system documentation tends to lag somewhat behind reality so I can’t rely on the various readme files I routinely create on my boxes to be completely up to date (or even accurate). Fortunately for me though, debian provides a neat way of snapshotting installed packages on a system. You can then use this snapshot to create a mirror of that system which will include all the same packages. Here’s how:

On the source system:

dpkg --get-selections | grep -v deinstall > packages.txt

This lists all active packages, except those deinstalled, and sticks the list in a text file.

Now copy that file to the target system, ensure that the target system’s “sources.list” file matches that on the source, and then run:

dpkg --clear-selections
dpkg --set-selections < packages.txt
apt-get dselect-upgrade

This will download and install all the packages necessary to get the target system matching the source.

All that is now left to do is copy across any relevant configuration files so that the two systems fully match and then reboot the target to check that everything looks OK.

With the new slug now finally matching the old one, it was time to upgrade to squeeze. Martin Michlmayr’s excellent website documents the upgrade process in meticulous detail. The key point to note here is his recommendation that you read the release notes for debian 6.0. In particular, note and follow the chapter on upgrades from debian 5.0 before attempting an actual upgrade. One of the main differences between 5.0 and 6.0 is the use of UUIDs to reference disks. In my case this meant changing my /etc/fstab from this:

# /etc/fstab: static file system information.
#
# proc /proc proc defaults 0 0
/dev/sda2 / ext3 errors=remount-ro 0 1
/dev/sda1 /boot ext2 defaults 0 2
/dev/sda5 none swap sw 0 0

to this:

# /etc/fstab: static file system information.
#
# proc /proc proc defaults 0 0
UUID=db57451a-e3e5-4d8a-95b9-494c48bb5e8d / ext3 errors=remount-ro 0 1
UUID=022bc211-1c52-4848-9ee1-e211e72b28e4 /boot ext2 defaults 0 2
/dev/sda5 none swap sw 0 0
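The fstab change above can be scripted from the UUID symlinks udev creates under /dev/disk/by-uuid. This is an added example, not code from the original post; it assumes that directory layout (each link is named by its UUID and points at ../../sdXN) and leaves any device without such a link, like the swap partition here, untouched.

```shell
#!/bin/sh
# Rewrite /dev/sdXN entries in an fstab as UUID=... entries, using the
# symlinks in a /dev/disk/by-uuid style directory (assumed layout: link
# name = UUID, link target = ../../sdXN). Devices with no link are left as-is.

# Print "device uuid" pairs, one per line, from a by-uuid directory.
uuid_map() {
    dir="$1"
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        dev=$(basename "$(readlink "$link")")
        printf '%s %s\n' "$dev" "$(basename "$link")"
    done
}

# convert_fstab <fstab file> [by-uuid dir]  -> converted fstab on stdout
convert_fstab() {
    fstab="$1"
    dir="${2:-/dev/disk/by-uuid}"
    tmp=$(mktemp)
    uuid_map "$dir" > "$tmp"
    awk '
        FILENAME == ARGV[1] { map["/dev/" $1] = $2; next }  # first file: device -> uuid
        /^[ \t]*#/ || NF == 0 { print; next }                # keep comments and blank lines
        ($1 in map) { $1 = "UUID=" map[$1] }                 # swap device path for UUID
        { print }
    ' "$tmp" "$fstab"
    rm -f "$tmp"
}

# Constructed demo: a fake by-uuid directory plus the fstab from the post.
demo() {
    t=$(mktemp -d)
    mkdir "$t/by-uuid"
    ln -s ../../sda2 "$t/by-uuid/db57451a-e3e5-4d8a-95b9-494c48bb5e8d"
    ln -s ../../sda1 "$t/by-uuid/022bc211-1c52-4848-9ee1-e211e72b28e4"
    printf '%s\n' '# /etc/fstab: static file system information.' \
        '/dev/sda2 / ext3 errors=remount-ro 0 1' \
        '/dev/sda1 /boot ext2 defaults 0 2' \
        '/dev/sda5 none swap sw 0 0' > "$t/fstab"
    convert_fstab "$t/fstab" "$t/by-uuid"
    rm -rf "$t"
}

case "${1:-}" in
    demo) demo ;;          # ./fstab-uuid.sh demo
    "")   ;;               # no arguments: define functions only
    *)    convert_fstab "$@" ;;   # ./fstab-uuid.sh /etc/fstab [by-uuid dir]
esac
```

Run it against a copy of /etc/fstab first and diff the output before installing it; the swap line stays as /dev/sda5 until you add its UUID by hand.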

Before finally starting the upgrade I opened two separate SSH sessions to the slug. In one I ran the upgrade process as below:

first a partial upgrade as recommended at Section 4.4.4, “Minimal system upgrade”

apt-get update
apt-get upgrade

then install the required linux kernel image and udev as outlined in Section 4.4.5. “Upgrading the kernel and udev”

apt-get install linux-image-2.6-ixp4xx
apt-get install udev

followed by

reboot

and

apt-get upgrade
apt-get dist-upgrade

to complete the system upgrade.

Now here is where the second SSH session is most useful. The final upgrade and distribution upgrade installs the file indexing package “apt-xapian-index”. Correspondents on the debian arm list have noted that this package consumes more memory than is available on the poor old slug and it starts swapping itself to death. The process must be killed immediately and the package removed. If you leave it too long after the upgrade has completed you will find it impossible to log in until the initial indexation has completed (in excess of 24 hours has been reported) because the system is too busy. I ran “top” in the second shell during the dist-upgrade process and kept an eye on the load averages. As soon as they started climbing above 3 I knew that it was time to watch out for the apt-xapian indexer and kill it. Once the system load returned to normal I was then able to finalise the upgrade with:

apt-get purge apt-xapian-index
apt-get autoremove

to remove the offending indexer and clean up any residual unneeded packages. A final reboot to check all was well was sufficient to convince me that it was safe to upgrade my two operational slugs using the same process. Testing the upgrade on the new slug in the way I did also meant that I now had a backup slug configured exactly like my main DNS server but running squeeze. Any failure on the remaining upgrade would not then be critical.
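The watch kept in the second SSH session can be automated, as in this added example (not code from the post): it polls /proc/loadavg and kills the indexer once the 1-minute load average passes the threshold of 3 used above. The indexer's process name, update-apt-xapian-index, is assumed from the package; the purge and autoremove afterwards are still done by hand as described.

```shell
#!/bin/sh
# Poll the load average during the squeeze dist-upgrade on a slug and kill
# the apt-xapian-index indexer as soon as the box starts to thrash.
# Assumed process name: update-apt-xapian-index (the package's indexer script).

# load_above "<contents of /proc/loadavg>" <limit>
# Returns 0 when the 1-minute load average (first field) exceeds <limit>.
load_above() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -v limit="$2" '{ exit ($1 + 0 > limit + 0) ? 0 : 1 }'
}

# watch_indexer [limit] [poll interval in seconds]
# Loops until interrupted; logs each kill with a timestamp.
watch_indexer() {
    limit="${1:-3}"
    interval="${2:-10}"
    while :; do
        if load_above "$(cat /proc/loadavg)" "$limit"; then
            # pkill returns 0 only when it actually found and signalled a process
            if pkill -f update-apt-xapian-index; then
                printf '%s load above %s, killed update-apt-xapian-index\n' \
                    "$(date '+%F %T')" "$limit"
            fi
        fi
        sleep "$interval"
    done
}

# Only start the loop when asked to, e.g. ./watch-indexer.sh run 3 10
if [ "${1:-}" = "run" ]; then
    watch_indexer "${2:-3}" "${3:-10}"
fi
```

Start it in the second session before apt-get dist-upgrade; once the upgrade finishes and the load settles, stop it and purge apt-xapian-index as above so the indexer is not restarted by a later apt run.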

I must be getting old. I never used to be this cautious.

Permanent link to this article: https://baldric.net/2011/09/26/squeezing-the-slugs/

my wife bought me a kindle

I feel it only right to add to the post below by noting that my wife bought me a Kindle for my birthday. I have since found one useful aspect to electronic publishing. A Kindle can reduce the weight of your luggage when going on holiday.

But I still prefer the “real thing”.

“Speedbump” cartoon copyright Dave Coverly.

Permanent link to this article: https://baldric.net/2011/08/14/my-wife-bought-me-a-kindle/

in praise of dead trees

As an unashamed gadget freak I suppose I should applaud the rise of the e-book in all its wondrous forms. But actually I much prefer the “real thing” (TM). Some while back I became involved in a series of email exchanges about e-books in general and the Amazon Kindle in particular. That exchange made me think about what it is that I like so much about books. I have no idea exactly how many books I have dotted around the house, but I’d guess the number is somewhere north of a couple of thousand, many of which I have read more than once. Someone on the mail list discussion pointed out that I could probably get that entire collection on one Kindle, a thought that, frankly, horrified me.

I like books. I like the fact that I can lend them to people, I like the fact that I can read them in the bath, drop them when I nod off, and know that they are still (just) readable afterwards. I like way that they are actually objects of beauty in their own right, independent of the contents (can you imagine a bookshelf full of Kindles?). I like the fact that the words remain the same between me putting the book down and picking it up again. I like the fact that when I have bought a book, I can be sure that both the book and the original words will still actually /be/ there when I next pick it up (that may not always be the case for electronic words. In fact Amazon themselves very famously shot themselves in the foot when they deleted customers copies of 1984 and Animal Farm back in July 2009).

A real life book doesn’t need batteries, and it will (probably) still be readable in several hundred years when no-one on earth will still have a Kindle. Books can be given as gifts to a friend. That gift can contain a flyleaf note personalising the book in a very special way (I have duplicates of some books simply because a close friend or family member has given me an inscribed copy of a book that I already possess. Such gifts from my kids are beyond price.) E-mailing a friend an electronic book somehow doesn’t have the same aesthetic.

I like the fact that you can scribble in the margins. Many of my books (particularly the text books or reference books) have such marginal notes. Yes I know you can do that with a Kindle, but it somehow doesn’t seem the same as coming across a note you made to yourself 40 years ago whilst you were boning up on a new topic.

I like old bookshops and market stalls selling books. I can happily spend much time browsing shelves for old SF pulp from the 40s and 50s. Time I would probably otherwise be wasting on something entirely frivolous. Sure I could probably find what I wanted by electronically searching on-line, but where’s the fun in that? I’d miss the serendipity of stumbling across a previously unread author. And there would be no bookseller to chat to who could recommend similar books to the ones I had just picked up.

Oh and I like the way old books feel and smell.

cartoon of man buying e-book

Cartoon from the New Yorker dated 14 September 2009. Copyright is fully acknowledged.

Permanent link to this article: https://baldric.net/2011/08/14/in-praise-of-dead-trees/

what time does the pub open

I wanted to check the opening time for a local shop and petrol station this morning so I plugged in a query about opening times to my favourite search engine and hence came across a rather useful little wiki called, not unnaturally, opening times. That sort of single purpose site is exactly what makes the ‘net so useful.

Give it a try.

Permanent link to this article: https://baldric.net/2011/08/14/what-time-does-the-pub-open/

who are you going to call

Like most email users I get my fair share of spam and other internet crud. Mostly I ignore it, but I received an intriguing email a couple of days ago which purported to be a mailer daemon “Delivery Status Notification” informing me of a failed delivery to some address I had not even heard of. Mostly this sort of junk results from backscatter from mailers responding to spammers spoofing your email address in the outgoing mail. I get a lot of this to the “info@baldric.net” address as I’ve mentioned below.

However, this particular email interested me because the message-id in the headers said it came from a machine calling itself mx1.rlogin.net. Now I own and control that domain and I know that I have no such machine. So I concluded that the machine at the address in question (which looks to be at the end of a commercial cable line) was either deliberately being used incorrectly by its owner, or (much more likely) had been compromised and was being used illegally to send spam mail designed to look like it came from my domain. Either way, I’m not overly happy about that so I decided to contact the ISP and let them know that they might have a customer with a problem.

The normal way to do this is to send email to the “abuse@domain.name” address which is usually listed in the whois record for the network owner. There is even an RFC which codifies this practice. However, on searching a variety of whois records I couldn’t find any obvious address to use. Worse, speculative email to “abuse@the-likeliest-relevant-domain” was simply returned as undeliverable. What to do?

Well as it happens I found a very helpful utility called abuseEmail which automates searches of whois records for likely addresses. Better yet, some helpful people at cyberabuse.org give a web based front end to the abusEmail php script so that you don’t have to run your own.

Permanent link to this article: https://baldric.net/2011/07/18/who-are-you-going-to-call/

one reason I don’t use apple

Being a linux and FLOSS fan has its advantages, not least the fact that most, if not all of the software I would want to use (and indeed, /all/ of the software that I actually do use) is free as in beer as well as free as in speech. And given the much smaller target offered by my chosen desktop in comparison to the widely used proprietary offerings, my systems are almost entirely unbothered by malware.

Most of my friends use proprietary systems. A few insist on paying over the odds for Apple products and, perversely, seem to take some pride in doing so. One or two even seem to think that simply buying Apple products marks them as more discerning, cultured and intelligent than the great unwashed who buy their systems from PC World.

In the course of a recent series of email exchanges on this topic, I was therefore delighted to receive this image from another friend. I know he uses windows 7 – I’ve seen it.

image of “update for your computer” cartoon

(copyright “stickycomics.com” gratefully acknowledged.)

Permanent link to this article: https://baldric.net/2011/07/02/one-reason-i-dont-use-apple/

I know I shouldn’t do this

but I just can’t resist it.

The Cabinet Office has launched a trial version of a new central government portal called alpha.gov.uk (snappy title). This trial site is a taster for what the designers hope could be a “new, single UK Government website”.

image of alpha.gov.uk website

I cannot help but be amused by the fact that one of the “popular tools and topics” the authors have chosen to showcase on the front page is “guide to redundancy”. Someone, somewhere in the Cabinet Office has a wry sense of humour.

Permanent link to this article: https://baldric.net/2011/05/11/i-know-i-shouldnt-do-this/

irony is not dead

Installing counterize to analyse trivia’s logs has been instructive. I now know that some of my most visited pages are consistently those of a “how-to” nature (in particular, those about postfix, dovecot and, strangely, reflashing the old BT home hub). In many ways this is satisfying since one of the objectives of this blog is to document solutions to problems I have encountered personally.

But counterize provides much more than this. For example, I now know that of my visitors, 46.09% use firefox, followed by 27.24% using IE, with safari trailing in third place on 8.75%. Further, the top browser by version is IE 6.0 (now there’s a surprise…) at 13.14% and the most used OS is windows XP at 42.65% (sad, but you can’t argue with the stats).

However, what really intrigues me is the referer analysis. Some are fairly obvious given the content viewed. For example one of the top referers is a page on the-scream.co.uk which points to my articles on the home hub. Others are less so. One that caught my eye today is a referer from a website which sells a tool to spy on mobile phones. That site has a privacy policy (!) which says the following:

Privacy Policy

This privacy policy applies to the use of https://www.spybubble.com

We highly value your privacy and make this policy easily available throughout our site to assist you in understanding the handling of information in the course of using this site.

As Terry Wogan would say, “is it me?”

Permanent link to this article: https://baldric.net/2011/03/29/irony-is-not-dead/

from russia with love

A few weeks ago I installed pflogsumm on my mail server in order to automate my mail log scanning. For some time I had been conscious that my mailer had been rejecting a lot of mail with “user unknown” but I had never really investigated that in any depth. Running pflogsumm over the logs on a nightly basis makes analysis easy. It turns out that over 90% of all mail hitting my server is rejected because I have no user with the name given. Moreover, practically all of that rejected mail is for one user (info@baldric.net) and it all appears to come from mailers with .ru domain names.

By creating a temporary alias for the failing address to a real one I was able to capture some of the mail coming in. The example below is faintly amusing:

“From: postmaster@ruschermet.ru
To: info@baldric.net
Subject: Не удается доставить: лучший секс в Вашей жизни
Date: Sun, 27 Mar 2011 21:22:42 +0400

Не удалось выполнить доставку следующим получателям или лицам из следующих списков рассылки:

hr@ruschermet.ru
Адрес электронной почты получателя не найден в почтовой системе получателя. Microsoft Exchange не будет повторять попытку доставки сообщения. Проверьте адрес электронной почты и повторите отправку сообщения или передайте указанное ниже диагностическое сообщение администратору.

________________________________
Отправлено с помощью Microsoft Exchange Server 2007”

(Try running this through an on-line translation service such as babelfish).

Clearly, what I am getting is backscatter from failed spam deliveries in Russia where the spammer has used the non-existent “info” as a spoofed from address. Ho Hum.
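The pflogsumm finding above (which recipients attract the “user unknown” rejections, and from which sender domains) can be pulled straight out of a Postfix mail.log, as in this added example that is not part of the original post. The lines in SAMPLE_LOG are constructed in the standard smtpd reject format, using documentation addresses (192.0.2.x), the ruschermet.ru domain from the bounce above and the reserved example.ru.

```shell
#!/bin/sh
# Summarise Postfix "User unknown" rejections from mail.log lines on stdin:
# count them per recipient and per sender domain, and show what fraction of
# smtpd traffic (rejects + queued messages) they make up.

# Constructed sample log (not from the server in the post).
SAMPLE_LOG='Mar 27 21:22:42 slug postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.ruschermet.ru[192.0.2.10]: 550 5.1.1 <info@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@ruschermet.ru> to=<info@baldric.net> proto=ESMTP helo=<mx.ruschermet.ru>
Mar 27 21:23:01 slug postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.ru[192.0.2.11]: 550 5.1.1 <info@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<bounce@example.ru> to=<info@baldric.net> proto=ESMTP helo=<mail.example.ru>
Mar 27 21:24:15 slug postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mx.ruschermet.ru[192.0.2.10]: 550 5.1.1 <sales@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@ruschermet.ru> to=<sales@baldric.net> proto=ESMTP helo=<mx.ruschermet.ru>
Mar 27 21:25:40 slug postfix/smtpd[2104]: 4F2A1B3C7D: client=mail.example.org[192.0.2.20]'

# unknown_user_summary < mail.log
# Output lines: "recipient <addr> <n>", "domain <dom> <n>", "rejected <n> of <m> (<pct>%)"
unknown_user_summary() {
    awk '
        /postfix\/smtpd/ && /User unknown/ {
            rej++
            match($0, /to=<[^>]*>/);   rcpt = substr($0, RSTART + 4, RLENGTH - 5)
            match($0, /from=<[^>]*>/); from = substr($0, RSTART + 6, RLENGTH - 7)
            if (from == "") from = "<>"     # null sender (bounces) kept visible
            sub(/^[^@]*@/, "", from)        # keep only the sender domain
            byrcpt[rcpt]++; bydom[from]++
            next
        }
        /postfix\/smtpd/ && /: client=/ { queued++ }   # a message that got a queue id
        END {
            for (r in byrcpt) printf "recipient %s %d\n", r, byrcpt[r]
            for (d in bydom)  printf "domain %s %d\n", d, bydom[d]
            total = rej + queued
            printf "rejected %d of %d (%.0f%%)\n", rej, total, total ? 100 * rej / total : 0
        }'
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | unknown_user_summary ;;  # ./unknown.sh demo
    "")   ;;                                                     # functions only
    *)    unknown_user_summary < "$1" ;;                         # ./unknown.sh /var/log/mail.log
esac
```

A recipient that collects nearly all of the rejections from a handful of sender domains, as info@baldric.net does here, is the backscatter pattern the post describes; the sender-domain counts also tell you which mailers are accepting spoofed mail in the first place.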

Permanent link to this article: https://baldric.net/2011/03/27/from-russia-with-love/

no police here

The UK Home Office launched a new crime statistics website today at www.police.uk. The site is supposed to show “Local crime and policing information for England and Wales”.

I’m not entirely convinced of the merit of the site in the first place (and can see all sorts of potential objections arising in some of the more rabid tabloid newspapers), but I thought I would try it out before making any form of judgement of my own. Unfortunately I’m not impressed.

The opening page of the new service invites the user to “Enter your postcode, town, village or street into the search box below, and get instant access to street-level crime maps and data, as well as details of your local policing team and beat meetings.”

I have tried various combinations of the suggestions, scaling outwards and upwards from my precise postcode to the whole of that part of the County in which I live. I was not reassured to get the following message:

screenshot of www.police.uk website

Discussion elsewhere on the ‘net suggests that this result is not unusual. It appears to be a badly worded (or badly coded) response to an error condition resulting from system overload following the launch. At least I sincerely hope that is the case and we are not really completely devoid of policing services in the whole of South Norfolk.

Examination of the HTML source for the webpage generated suggests that the service is running on Amazon’s Web Services. Certainly some of pages are retrieved from S3 servers, and the IP address of the site appears to be on Amazon’s AWS (see dig and whois results below *). If the site is, as it appears to be, cloud based, then either the supplier (Rock Kitchen Harris, Leicester) or the Home Office has seriously undersized the requirement. Regardless of who is at fault here, there is an evident need to pull in some more resource pretty quickly. This should be a good test of the much vaunted flexibility of cloud based services such as Amazon’s EC2. I expect the service to be running quickly and cleanly by this time tomorrow.

* dig www.police.uk returns:

; <<>> DiG 9.6-ESV-R3 <<>> www.police.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10557
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.police.uk.			IN	A

;; ANSWER SECTION:
www.police.uk.		1251	IN	CNAME	policeuk-167782603.eu-west-1.elb.amazonaws.com.
policeuk-167782603.eu-west-1.elb.amazonaws.com.	60	IN	A	46.137.113.146

;; Query time: 268 msec
;; SERVER: 80.68.80.24#53(80.68.80.24)
;; WHEN: Tue Feb 1 14:16:23 2011
;; MSG SIZE  rcvd: 107

and a whois lookup of 46.137.113.146 returns:

% Information related to '46.137.0.0 - 46.137.127.255'

inetnum: 46.137.0.0 - 46.137.127.255
netname: AMAZON-EU-AWS
descr: Amazon Web Services, Elastic Compute Cloud, EC2, EU

Permanent link to this article: https://baldric.net/2011/02/01/no-police-here/

is my computer off

This site is probably even more pointless than most webcams, but it, and the site it was inspired by, amused me. Having found this, I just had to register a similarly pointless domain of my own. So now I am the proud owner of theinternetisoff.net

Make it your home page. You know it makes sense.

[Postscript added February 2020. I no longer have this domain. I had only ever used it for the one purpose noted here. I have recently been culling my (previously ever growing) list of unused domain names in the interests of saving money. OK, I’m a cheapskate, but it struck me as dumb to continue to pay out for about a dozen domain names which I never used. So they, and this one, have gone. But in the interests of continuity, the references on trivia to this domain now point to a copy of what the old page looked like.]

Permanent link to this article: https://baldric.net/2011/01/29/is-my-computer-off/

now I feel bad about blogging

El Reg has a wonderful ROTW post here. One “Matt Kracht” lays into an article by Andrew Orlowski about P2P bittorrent users saying:

“I hate… no, I *loathe* when bloggers try to move to online news sites. If there’s one thing that web 2.0 has done, it has fucked up journalism so bad that nobody can tell the difference between some dork yelling his uninformed opinions about uninteresting shit and an actual newspaper article. Sure, once in a while, you get filler crap even in the New York Times, but it’s at least *interesting*. It’s about topics that people care about, and has new, informed, researched opinions and insights. What the hell is your article about? Being bored? Unimpressed by illegal file sharing sites run by scammers trying to make a quick buck? God, you’re an embarrassment to anyone who’s ever written anything less shallow than a blog. You offend me, sir, with your pathetic writing.”

Kudos to Orlowski for posting it. But I feel bad to be considered “shallow” because I blog – or do I?

Permanent link to this article: https://baldric.net/2011/01/27/now-i-feel-bad-about-blogging/

I guess they do it differently over there

I came across a potential new entry to the “slug replacement” competition today in the shape of a 2GHz Sheeva Marvell based plug computer by Ionics called the Nimbus 2000 (all the company’s products seem to be named after cloud types – wonder why).

nimbus 2000 sheeva plug

In addition to that rather fast ARM CPU, this little beast boasts: 512 MB DDR2 RAM at 400 MHz; 512 MB NAND Flash; one USB 2.0 port and a Gigabit LAN port. The plug apparently runs a 2.6.23 kernel in a custom embedded linux. Now if we can get debian onto that little thing (as is the case with the 1.2GHz sheevaplug from Global Scale Technologies), it looks like being an attractive proposition for anyone wanting a small, but powerful web or file server.

But, whilst I was scanning the company web site I was struck by their “careers” page. Here’s a sample:

DESIGN LIBRARY ENGINEER II
• Female
• Bachelor’s degree in Computer Engineering or Electronics & Communications Engineering
• Strong background in electronics engineering
• At least 1 year experience in design library with emphasis on schematic symbol and component footprint creation
• Preferable with experience using Mentor PADS, Cadence OrCAD, Cadence Allegro or equivalent EDA tools

and

ODM QUALITY ASSURANCE MANAGER
• Male
• Candidate must be a graduate of BS Engineering
• Background in electrical or electronics is desirable for this position.
• Must have experience in Original Equipment Manufacturer / Original Design Manufacturer.
• The candidate must have demonstrated previous supervisory experience.
• Strong computer skills to oversee electronic quality management systems including document control and CAPA.
• Willing to be assigned in Calamba City, Laguna

I suppose they must have some odd policy of balancing the sexes across the disciplines. At least they are not advertising for “Secretary – female” and “Engineer – Male” as we might have done a few years back.

Permanent link to this article: https://baldric.net/2011/01/26/i-guess-they-do-it-differently-over-there/

wordpress setup

I have just added a couple of new plugins to this blog and tidied up some old cruft that I had been meaning to get around to for a while. One of the plugins I have added is a really rather good statistics tool called Counterize II. It provides a very quick (and impressively comprehensive) set of stats about page hits, browser types, referring URLs etc. all readily accessible from the wordpress admin dashboard – so no need to trawl through web logs to find out where your visitors are coming from or which is your most popular post or page. Thoroughly recommended.

In the process of searching for such a plugin I also came across Angie Bowen’s posting about the top ten things she always does when setting up a new blog. Whilst I don’t agree with all her recommendations (identifying the ones I disagree with is left as an exercise for the class) I think this is a very handy aide-memoire. Her pointers about blog security and discussion settings in particular are sensible and worth reading.

Permanent link to this article: https://baldric.net/2011/01/24/wordpress-setup/

click here

The Cory Doctorow article referenced at the end of the post below mentions URL shorteners as potentially dangerous because they completely obscure the actual URL you will be taken to if you click them. By way of experiment I thought I’d post one here just to see how often it is used.

Permanent link to this article: https://baldric.net/2011/01/23/click-here/

damn, I think I got hit by a 419er

I am normally pretty careful about my on-line security and privacy. I take a lot of care to ensure that my home network is nailed down tightly and all the clients and servers on it are also nailed down as well as I know how. I don’t use software which is susceptible to the majority of the malware out there; my browser is nailed down as tightly as I can get it whilst still allowing it to be useful (roll on HTML5, I hate flash, but it is so damned useful); I do some, very specific, browsing (such as on-line banking) from within a VM and do not use that browser or machine for anything except that specific activity; I routinely bin cookies and flash LSOs (in fact I find it better to disallow all LSOs in the first place); this blog does not include any email addresses harvestable by ‘bots; my email client is a niche (i.e. minority) product and is configured only to allow text (no HTML or embedded images or webbugs); I use tor when I want to be as anonymous as possible; my local DNS server blocks access to a whole range of addresses I don’t like; and I never respond to unsolicited email.

But I got phished. Damn.

Here’s what happened.

I advertised an unwanted mobile phone on gumtree. I chose gumtree in preference to ebay because a) adverts are free, and b) gumtree allows you to target the advertising to a specific location. I like this idea because it means you can say “I’ve got a doohickey for sale in South London. Come and see it and pay cash if you want it”. My ad gave details of the item for sale and, as is recommended, I chose to have responses emailed to me. Here I made mistake number one – I used my normal email address rather than a disposable one. To be fair, gumtree don’t expose any of your private details, they just forward any responses to the address you give. Here’s where I made mistake number two, I responded to queries about the ad from the address given to gumtree. Damn. Idiot. So stupid.

So why do I think the responses weren’t kosher? Well there were a number of giveaways. Firstly the requests were for information already in the ad (“how much do you want?”); secondly, there were a suspiciously high number of “spilling misteaks” in the emails; thirdly, the correspondent wanted me to mail the ‘phone to a location outside the UK (“Thanks for your quick respond actually i will love to buy the Ad for my Daughter who is currently studying at British international college (BIC) in West Africa so am willing to pay you additional £48.76 for the shipping via Express Air Mail.” (sic)); fourthly, the respondents all seemed desperately keen for me to accept paypal as the preferred payment option. I’m normally quicker on the uptake than this, but sadly it took me four or five emails to realise that there was a pattern here and that the people after the phone seemed to be following a script and were completely ignoring my responses. Here’s a sample:

Someone calling himself or herself “Janet Mason”:

“Hello Seller,
Can I know the condition of the item? I think you will accept PayPal. And I will pay the postage and packing cost for the item. If you can send me paypal payment request now and I will make the payment straight away without any delay. Hope to hear from you very soon.”

My response:

“Janet

As the ad says, the phone is in “as new condition”. This means what it says. The phone is completely clean and has no visible markings or scratches.”

“Janet’s” reply:

“Ok send me your paypal Payment request now so that I can make the payment now.”

My response:

“I’d like a bit more detail first please.

Where are you? (Full address and telephone number so that I can confirm that I am sending to “Janet Mason”.)

Details of your confirmed paypal account (so that I know that Paypal have verified you).

If you want to know why I am concerned please read the paypal guidance for sellers – particularly the bit about sending only to UK or US based addresses and getting signatures on receipt of goods.

I have received several requests to send the phone to “my daughter/son/nephew” or whatever in various countries outside the EU. I am naturally suspicious.”

“Janet” then says:

“Hello, 
Am in London right now but due to the nature of my work here in London I will not be able to post the item to my Business Partner Daughter in Nigeria as a New Year Gift. But I will pay for the postage and packing cost via FedEX. Get back to me with your paypal payment request now so that I can make the payment now and get the item posted out tomorrow Morning.”

Correspondence ends…..
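The four giveaways listed above (questions already answered by the ad, a scripted push towards a PayPal “payment request”, shipping to a third party overseas, and urgency) are easy to turn into a crude triage filter for replies to a classified ad. The script below is an added example, not anything from the original post or from gumtree; the indicator patterns, weights and threshold are my own assumptions, and the sample messages are the ones quoted in the post plus a constructed, innocent control reply.

```python
import re

# Each indicator: (name, case-insensitive regex, weight). Weights and the
# threshold below are assumptions chosen for this example, not tuned values.
INDICATORS = [
    # "Hello Seller" rather than any reference to the actual item
    ("generic_salutation", r"\bhello (seller|dear)\b", 2),
    # asking for something the advert already states (price, condition)
    ("asks_what_is_in_ad", r"\b(how much|condition of the item)\b", 1),
    # scripted push for a PayPal payment request
    ("paypal_pressure", r"\bpayment request\b|\bpaypal\b.*\bnow\b", 3),
    # item to be shipped outside the UK
    ("overseas_shipping",
     r"\b(nigeria|west africa|overseas|abroad|express air mail|ship(ping)? (to|via))\b", 3),
    # buyer volunteers to pay extra for postage
    ("pays_extra_shipping", r"\b(additional|extra) £?\d", 2),
    # urgency / "pay straight away"
    ("urgency", r"\b(right now|straight away|without any delay|asap)\b", 1),
    # goods are for a relative or business partner, not the correspondent
    ("third_party_recipient", r"\bmy (daughter|son|nephew|business partner)\b", 2),
]

SUSPICION_THRESHOLD = 5  # assumption: total weight at or above this is flagged


def score_message(text):
    """Return (score, sorted list of indicator names that fired)."""
    lowered = text.lower()
    hits = sorted(name for name, pattern, _ in INDICATORS
                  if re.search(pattern, lowered))
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_suspicious(text, threshold=SUSPICION_THRESHOLD):
    return score_message(text)[0] >= threshold


# Messages quoted in the post.
FIRST_REPLY = ("Thanks for your quick respond actually i will love to buy the Ad "
               "for my Daughter who is currently studying at British international "
               "college (BIC) in West Africa so am willing to pay you additional "
               "£48.76 for the shipping via Express Air Mail.")
JANET_1 = ("Hello Seller,\nCan I know the condition of the item? I think you will "
           "accept PayPal. And I will pay the postage and packing cost for the item. "
           "If you can send me paypal payment request now and I will make the payment "
           "straight away without any delay. Hope to hear from you very soon.")
JANET_2 = ("Hello,\nAm in London right now but due to the nature of my work here in "
           "London I will not be able to post the item to my Business Partner Daughter "
           "in Nigeria as a New Year Gift. But I will pay for the postage and packing "
           "cost via FedEX. Get back to me with your paypal payment request now so that "
           "I can make the payment now and get the item posted out tomorrow Morning.")
# Constructed control message (not from the post): a plausible local buyer.
CONTROL = ("Hi, is the phone still available? I'm in Croydon and could collect on "
           "Saturday and pay cash if that suits.")


def triage(messages):
    """Map each message to (score, hits, flagged) for a quick look at the inbox."""
    return {label: (*score_message(text), is_suspicious(text))
            for label, text in messages.items()}


if __name__ == "__main__":
    for label, (score, hits, flagged) in triage({
            "first reply": FIRST_REPLY, "janet 1": JANET_1,
            "janet 2": JANET_2, "control": CONTROL}).items():
        print(f"{label:12} score={score:2} flagged={flagged} hits={hits}")
```

Keyword scoring like this is only a first-pass filter: a scammer who drops the script beats it, and a genuine overseas buyer can trip it. It does not replace the actual mitigations from the post (a disposable address for the advert, and never replying from your real one).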

Now whilst I have not lost the ‘phone, I have verified a usable email address to a bunch of scammers. I expect my spam volume to that address to increase dramatically. Never mind though, I’m not alone in losing out to the bad guys, and at least I haven’t lost any passwords in the process.

Still, I’m pretty pissed off.

Permanent link to this article: https://baldric.net/2011/01/23/damn-i-think-i-got-hit-by-a-419er/

critical security update to wordpress

This blog comes to you courtesy of those excellent free open source authors who have contributed to wordpress. Unfortunately, in common with all software, wordpress inevitably has some bugs. Worse, some of those bugs can occasionally be sufficiently bad as to make the software vulnerable to remote exploitation by ne’er-do-wells and other assorted bad guys.

On 29 December last, Matt Mullenweg posted a notice to the wordpress security blog announcing a very important update which he recommended be applied as soon as possible because it fixes a “core security bug in [wordpress’] HTML sanitation library, KSES”. Mullenweg rated this 3.0.4 release as “critical.”

I have just updated my installation. I recommend you do the same.

Permanent link to this article: https://baldric.net/2011/01/04/critical-security-update-to-wordpress/

a personal note

I have not posted anything new since October because I have been hobbled following an operation to my ankle. Perversely, this made sitting at my desk (and hence my keyboard) very uncomfortable because my leg would swell inside the plaster if I stayed in a seated position for more than a few minutes at a time. But I am now on the mend, the plaster is off, and I wanted to make sure that I made at least one post before the end of the year.

So Happy New Year to (both) my readers. :-)

Normal service will be resumed as soon as possible.

Permanent link to this article: https://baldric.net/2010/12/31/a-personal-note/

google opt out village

The Onion News Network reports:

This is not satire……

Permanent link to this article: https://baldric.net/2010/10/09/google-opt-out-village/

maybe I should sell

I have been exploring the InTrust Domain Names website I mentioned in the previous post. There are some absolutely astonishing prices quoted for some domains which do not immediately spring to mind as being particularly valuable. For example, the domain falldaron.com is quoted at $10000000.00.

If you actually click on that domain name you are taken to this page:

Don’t you just love the “PayPal” option on the payment method?

[WARNING – I recommend that you do NOT attempt to actually visit the domain falldaron.com. It currently redirects to a site on a domain with a very anglo saxon four lettered name which I would not call “work safe”.]

Permanent link to this article: https://baldric.net/2010/10/09/maybe-i-should-sell/

domain sales pitch

In the past couple of days I have received some amusing email spam.

I own ten different domain names, mostly in the .net TLD. The spam emails in question all offered to sell me the domain “exnic.com” on the grounds that I already own “exnic.net” (not an unreasonable sales pitch). It turns out that this particular domain has expired and is currently “pending deletion”. This means that the original registrant has failed to renew ownership of the domain and the registrar is about to release it back to internic for resale. This process often happens and usually results in the sort of irritating website I noted a while back when looking at linuxdoc.org.

But, as I said, the domain name in question is not actually for sale yet, just “pending”, and it is always possible that the original owner will wake up to the fact that his domain has gone awol and will claim it back. The interesting thing about the emails I received was that two of them (purportedly from one “Arthur Simmons”) came from two completely different domains (“underforge.com” and “thewingsofhope.com” – both of which appear to be owned by “InTrust Domain Names”) and seemed to be competing with each other to sell me the domain. A third email came from somewhere calling itself “premierdomainbrokers.net” which at least has the decency to look like a brokerage. That email amused me because it said:

You may have received emails from other companies offering to sell you exnic.com.
That is misleading information. The domain cannot be purchased at this time.
It is actually in the pending delete stage and will be available very soon.

Oh yes indeed. Shame I’m not interested.
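The brokers’ claim that a domain is “pending delete” is something you can check yourself rather than take from a spam email: the registry whois record carries one or more “Domain Status:” lines holding EPP status codes, and those codes tell you where the name is in its lifecycle. The parser below is an added example (not from the original post or from any of the brokers named); the two whois records are constructed samples using a placeholder name, and the mapping from status codes to lifecycle stages is my reading of the ICANN EPP status code definitions.

```python
import re

# Constructed sample whois responses (placeholder name, not a real lookup).
PENDING_DELETE_RECORD = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Expiration Date: 2010-09-01T00:00:00Z
Domain Status: pendingDelete https://icann.org/epp#pendingDelete
"""

ACTIVE_RECORD = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Expiration Date: 2011-09-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

STATUS_LINE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.MULTILINE)


def parse_domain_status(whois_text):
    """Return the EPP status codes found in a whois response, in order."""
    return STATUS_LINE.findall(whois_text)


def classify(whois_text):
    """Reduce the status codes to one lifecycle stage.

    pending_delete : expired, grace periods over, about to drop and become
                     re-registrable; nobody can sell it to you in the meantime
    redemption     : expired, but the original registrant can still restore it
    hold           : registered but taken out of DNS by registrar or registry
    active         : registered; any other codes are transfer/update locks
    unknown        : no status lines at all (not a registry record?)
    """
    codes = {code.lower() for code in parse_domain_status(whois_text)}
    if not codes:
        return "unknown"
    if "pendingdelete" in codes:
        return "pending_delete"
    if "redemptionperiod" in codes:
        return "redemption"
    if codes & {"clienthold", "serverhold"}:
        return "hold"
    return "active"


if __name__ == "__main__":
    for label, record in (("pending", PENDING_DELETE_RECORD), ("active", ACTIVE_RECORD)):
        print(label, parse_domain_status(record), "->", classify(record))
```

In practice you would feed it the output of `whois <domain>` for the registry (not the registrar) record; a “pending_delete” result means exactly what the third broker said: nobody can sell you the name until it drops.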

Permanent link to this article: https://baldric.net/2010/10/09/domain-sales-pitch/

professional ability

I was skimming through a series of security related sites last week when I came across an article referring to someone described as something like “A Person, M.Inst.ISP, CISM, CISSP, MBCS, CITP, BSc, Director of etc…..” and I found myself wondering what that all actually meant. Yes, I know what the letters stand for, hell I’ve even got a few of them myself, but what do they actually mean in the real world? And because of those letters, would you believe that person knew anywhere near as much about software security as say David Litchfield (Jr), or Charlie Miller, or Thomas Dullien?

Just wondering.

Permanent link to this article: https://baldric.net/2010/09/25/professional-ability/