Just what I didn’t know I needed

Because I hate going to a gym in the mornings, I decided I would give Wii Fit a try so that I can supplement my normal training schedule with some mild but effective morning exercise. I’ve been checking intermittently to see if Amazon had them, because I really don’t care enough to go and hunt a copy down, but would rather it just magically appear in the mail.

Well this time, I saw this:

[image: textbuyit.jpg]

I can reply to a text to buy it? Yes please.

Now I can be a Nintendo fanboy without any effort at all. Sweet.

Twitter, Defcon, Geotagging

So I caved and succumbed to the lameness of Twitter, mostly for the purposes of attending and coordinating things at large events. It’ll be hard to follow the flow of people and places at events like Defcon without it.

Mostly I view Twitter as a noise application. It posts “microblogging” updates (a term which people with near-zero attention spans seem to say a lot) everywhere, and it uses @username to respond to things. I view it as the ALL CAPS communication medium.

So I’m not in love, but I will use it via Twibble on my Nokia N95 to geotag myself and figure out where people I know are having fun when there are a few thousand people milling around.

There will also be flashmob like behavior coordinated by a con twitter id during the event itself.

Downtown for Linux

I had the pleasure of attending one of the GSLUG [Greater Seattle Linux Users Group] meetings on the 12th.

I was really surprised at the quality of the event. Allow me to explain.

I’m used to these types of occasions being hosted in a filthy classroom or basement of a university or community college and attended by unwashed beasts that are fueled entirely by high fructose corn syrup and not really talking about anything of note besides arguing about which distro is better. This has been my past experience.

Thankfully, this was not one of those events.

This gathering was in a great facility provided by Speakeasy. They even threw down for pizza, salad, fruit and drinks. I’m in training and had none of it, but I appreciated the gesture.

A couple of the talks were particularly interesting, as I haven’t been a day-to-day sysadmin for several years. It’s nice to be able to drop in on things and see some of the recurring problems solved in interesting ways.

First was a talk by Bryan McLellan about how he runs his infrastructure at Widemile.

The second that I found of interest was a demo of git, an alternative to code management systems such as Subversion, by John Locke. It showed how the two compare, demonstrated how git functions in routine situations, and closed with a Q&A that focused mainly on what git does well and what Subversion does not.

I’ll make sure to do my best to attend future meetings of this group. They’re a cool bunch.

The DNS Drama

Dan’s Seattle Toorcon 0day keeps going and going and going and going.

If you’re looking for the details (the ones that were leaked, confirmed, retracted, and denied), here’s a description and a mirror.

So if you run your own DNS, upgrade already, as you should have some time ago when you were first told to do so.

Perhaps I will switch to OpenDNS after all. In fact, I should have done this a while ago on most of the nets I deal with routinely.

The commentary in this posting is rather interesting as well. If you don’t trust OpenDNS, and I can’t say that I blame you, a comment poses a worthy option:

  1. I run a local dns server that randomizes source ports whose network facing NAT does not derandomize source ports.
  2. My local server resolves through the root servers. The queries are sent to a random root.
  3. I limit my dns server to strictly use TCP queries and not to use UDP for queries.
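The advice above (upgrade, randomize source ports, and watch for a NAT that undoes the randomization) can be checked from outside the resolver. What follows is an added example, not code from this post, from the comment quoted above, or from any DNS vendor: it parses the default one-line output of `tcpdump -n udp port 53` taken on the resolver's egress, reports whether the outbound source port varies, and puts a number on what pinning the port costs a defender. The capture lines are constructed, and the resolver address 192.0.2.10, the 200-forgeries-per-race figure and the 16+16 bit search space are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed samples of `tcpdump -n udp port 53` output for queries leaving a
# recursive resolver at 192.0.2.10 (not a real capture). The first resolver pins
# its outbound source port to 53; the second picks a fresh port per query.
PINNED_PORT_CAPTURE = """\
12:00:00.000101 IP 192.0.2.10.53 > 198.51.100.1.53: 4660+ A? www.example.com. (33)
12:00:00.000202 IP 192.0.2.10.53 > 198.51.100.1.53: 18229+ A? mail.example.com. (34)
12:00:00.000303 IP 192.0.2.10.53 > 198.51.100.1.53: 41123+ A? ns1.example.com. (33)
12:00:00.000404 IP 192.0.2.10.53 > 198.51.100.1.53: 9000+ A? ftp.example.com. (33)
12:00:00.000505 IP 192.0.2.10.53 > 198.51.100.1.53: 61201+ A? a1.example.com. (32)
12:00:00.000606 IP 192.0.2.10.53 > 198.51.100.1.53: 257+ A? a2.example.com. (32)
12:00:00.000707 IP 192.0.2.10.53 > 198.51.100.1.53: 33010+ A? a3.example.com. (32)
12:00:00.000808 IP 192.0.2.10.53 > 198.51.100.1.53: 50000+ A? a4.example.com. (32)
"""
RANDOM_PORT_CAPTURE = """\
12:00:00.000101 IP 192.0.2.10.51234 > 198.51.100.1.53: 4660+ A? www.example.com. (33)
12:00:00.000202 IP 192.0.2.10.40011 > 198.51.100.1.53: 18229+ A? mail.example.com. (34)
12:00:00.000303 IP 192.0.2.10.62777 > 198.51.100.1.53: 41123+ A? ns1.example.com. (33)
12:00:00.000404 IP 192.0.2.10.33490 > 198.51.100.1.53: 9000+ A? ftp.example.com. (33)
12:00:00.000505 IP 192.0.2.10.58102 > 198.51.100.1.53: 61201+ A? a1.example.com. (32)
12:00:00.000606 IP 192.0.2.10.49999 > 198.51.100.1.53: 257+ A? a2.example.com. (32)
12:00:00.000707 IP 192.0.2.10.37744 > 198.51.100.1.53: 33010+ A? a3.example.com. (32)
12:00:00.000808 IP 192.0.2.10.60321 > 198.51.100.1.53: 50000+ A? a4.example.com. (32)
"""

# tcpdump prints "IP src.sport > dst.dport: txid[+] QTYPE? name. (len)"
QUERY_RE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<txid>\d+)"
)


def parse_outbound_queries(capture):
    """Extract (source_port, txid) for every outbound query line in the capture."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("dport") == "53":
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def entropy_bits(values):
    """Shannon entropy of the observed values; bounded above by log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def spoof_success_probability(guess_bits, forged_packets):
    """Chance that at least one of `forged_packets` blind replies hits the
    resolver's (port, txid) pair when each guess succeeds with 2**-guess_bits."""
    return 1.0 - (1.0 - 2.0 ** -guess_bits) ** forged_packets


def assess_resolver(capture, forged_packets_per_race=200):
    """Summarize how much a blind attacker has to guess for this resolver."""
    pairs = parse_outbound_queries(capture)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    # Nominal search space: 16 bits of TXID, plus 16 bits of port only when the
    # port actually varies. This is a ceiling; real usable port ranges are narrower.
    guess_bits = 16 + (16 if len(set(ports)) > 1 else 0)
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "guess_bits": guess_bits,
        "per_race_success": spoof_success_probability(guess_bits, forged_packets_per_race),
        "verdict": "WEAK: source port pinned" if len(set(ports)) == 1 else "OK: source port varies",
    }


if __name__ == "__main__":
    for name, cap in (("pinned", PINNED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        r = assess_resolver(cap)
        print(f"{name}: {r['verdict']}, {r['guess_bits']} guess bits, "
              f"P(win one race with 200 forgeries) = {r['per_race_success']:.2e}")
```

Capture on the WAN side of any NAT, since a NAT that rewrites source ports sequentially turns a randomizing resolver back into a pinned one, which is the point of the first item in the comment above. The 16-bit case is the pre-patch state: one race with 200 forged replies succeeds about 0.3% of the time, and because the attacker can start a fresh race for every bogus subdomain it asks about, a few hundred races is minutes of work. Adding the port makes the nominal space 32 bits, which is why the patch mattered, and it is still a mitigation rather than a fix, which is why the TCP-only option in the comment comes up at all.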

Update:

Metasploit code now jupes entire domains.

Playstation update: Your ps3 is now a brick

I had a gamer friend ask me why I didn’t have any trophies yet for Super Stardust HD, one of my favorite PS3 games.

I had no idea what she was talking about, so naturally I searched for “stardust trophies” and found that the Playstation network has finally added achievements, much like the xbox people have had for years.

So why hadn’t I noticed? I had been playing Metal Gear Solid 4 a few times this last week so I should have seen an update. What was going on here?

As it happens, the system update (v2.40) enables trophies and the related update to Super Stardust HD had been pulled because of widespread reports of it bricking Playstation 3 consoles.

Amazing.

It is said that v2.41 will be out midweek, but I find it seriously amazing that Sony would release an update that wasn’t tested enough to know that they would brick tons of consoles. Additionally, issues have been reported across all released hardware profiles, so it’s a comprehensive bricking update.

Nice work, guys.

Amazon downtime

There was recent news about how Amazon was down for two hours. Speculation runs rampant on cnet about the cause:

“It doesn’t seem to be the result of a network-initiated attack, at least from my preliminary analysis from our probes,” Ranjan said.

Human error may not sound as gripping a tale as a network attack, but there’s plenty of drama for the people responsible. And it’s the career-limiting variety of drama, said Illuminata analyst Gordon Haff, who hazarded a guess that Amazon’s problem involved its front-end Web servers.

The security group of WebSense, a Web site and communications protection company, also saw no evidence Amazon’s problem was security related.

Having talked to a lot of Amazon people here after my arrival in Seattle, I’m surprised that they don’t have more downtime. Amazon is run like a huge basement operation.

Let me explain.

Amazon doesn’t have a real operational staff. They have developers that code up releases by day and then handle first-line response to outages and incidents by night.

As far as I can tell, they have no industry standard monitoring software, configuration management platform, or even any centralized policy framework. They leave everything up to business units to develop all of their own infrastructure and systems management strategy. Best yet, it’s all run by developers.

I think everyone reading this who has been a pro in running operational systems just recoiled in horror after that last sentence.

I understand that entrepreneurial environments want to be as nonconforming and iconoclastic as possible as to “think outside the box” or whatever in-your-face-status-quo stance to encourage innovation, but don’t take that kool-aid to the harsh realm of uptime.

Stabilizing operational systems by standardizing their build process, doing quality assurance of code deployments, and having operational staffing that doesn’t tax your architectural staff not only leads to better performance, but it also takes your staff out from under the Sword of Damocles of downtime. Having to choose between stability and innovation is a poor choice to make when you can have both, and a cost savings, with a bit of operational sanity.

The encrypted traveler

As border enforcement is using increasingly invasive tactics, a traveler who has any privacy concerns for the data that they are carrying (especially if visiting the United States) will very likely take steps to protect themselves.

Examples:

FindLaw:

The Ninth Circuit, in a decision announced this summer, has approved forensic searches of laptop computers at the border, even when the laptop’s owner spent no time outside the airport in the foreign country and was under no suspicion of possessing foreign contraband.

Washington Post:

Nabila Mango, a therapist and a U.S. citizen who has lived in the country since 1965, had just flown in from Jordan last December when, she said, she was detained at customs and her cellphone was taken from her purse. Her daughter, waiting outside San Francisco International Airport, tried repeatedly to call her during the hour and a half she was questioned. But after her phone was returned, Mango saw that records of her daughter’s calls had been erased.

A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. “This laptop doesn’t belong to me,” he remembers protesting. “It belongs to my company.” Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself.

Police Blotter:

What: A business traveler protests the warrantless search and seizure of his laptop by Homeland Security at the U.S.-Canada border.

When: 9th Circuit Court of Appeals rules on July 24.

Outcome: Three-judge panel unanimously says that border police may conduct random searches of laptops without search warrants or probable cause. These searches can include seizing the laptop and subjecting it to extensive forensic analysis.

Ars Technica:

Stuart Romm boarded a plane in Las Vegas on February 1, 2004. When he got off the plane in British Columbia, Canada’s Border Services Agency stopped Romm for questioning. After learning that Romm had a criminal background, Agent Keith Brown searched his laptop and discovered child porn sites in Romm’s Internet history list. Canada then bundled Romm back onto a plane to Seattle, where US Customs agents had a chance to question him further.

They also conducted a forensic scan of his hard drive and turned up images of child pornography in Romm’s browser cache. The images had been deleted (intentionally, it appears), but were recovered by an agent using software called “EnCase.” Romm then admitted to investigators that he used Google to search for child pornography, and that his “therapy” had failed to help him quit.

Why is it always the pedophile that is used as an example of why invasive measures are justified? Perhaps all civil liberties should be put to the pedotest.

[image: Pedobear_13.png]

Because of the perceived need for such methods in several countries, many people, including business travelers with trade secrets, choose not to travel with any data on their person at all and access their data online when they have reached their destination.

Toward this end, I would like to call attention to this excellent document produced by the ninjas who make TrueCrypt. The concept of the hidden service via Tor or the hidden volume via TrueCrypt will become more and more popular as long as searches and information harvesting become increasingly aggressive.
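What an examiner’s forensic tooling actually does to a seized disk, and what the hidden-volume design relies on, can be shown with a small entropy scan. This is an added example, not TrueCrypt’s code and not anything from the documents cited above: it walks a constructed disk image (zeros, English text, and pseudo-random bytes standing in for ciphertext or the random fill an encrypted container leaves in unused space) in fixed-size blocks and labels each block by Shannon entropy and a chi-square test against the uniform byte distribution. The region sizes, the block size and the thresholds are assumptions for illustration.

```python
import math
import random
from collections import Counter

# Constructed disk-region samples (not data from the page): an all-zero region,
# a region of English text, and a pseudo-random region standing in for
# ciphertext or the random fill an encrypted container puts in unused space.
REGION_BYTES = 65536
ZERO_REGION = bytes(REGION_BYTES)
TEXT_REGION = (b"The Ninth Circuit has approved forensic searches of laptop "
               b"computers at the border. " * 1000)[:REGION_BYTES]
_rng = random.Random(20080801)  # fixed seed so the sample is reproducible
RANDOM_REGION = bytes(_rng.randrange(256) for _ in range(REGION_BYTES))


def shannon_entropy(data):
    """Bits of entropy per byte of the empirical byte distribution (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square statistic of the byte histogram against a uniform distribution
    (255 degrees of freedom; a uniform source scores near 255)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify_region(data, entropy_floor=7.9, chi_ceiling=400.0):
    """'empty' for near-constant data, 'random' when the bytes pass both tests,
    otherwise 'structured'. The chi-square ceiling is deliberately loose (the
    0.001 critical value at 255 d.f. is about 330) to avoid false alarms on
    small blocks; an assumed threshold, not a forensic standard."""
    h = shannon_entropy(data)
    if h < 1.0:
        return "empty"
    if h >= entropy_floor and chi_square(data) <= chi_ceiling:
        return "random"
    return "structured"


def scan_image(image, block_size=4096):
    """Label every fixed-size block of an image; returns [(offset, label), ...]."""
    return [(off, classify_region(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]


def summarize(image, block_size=4096):
    """Count blocks per label: the view used to spot high-entropy runs worth
    asking the owner about."""
    return dict(Counter(label for _, label in scan_image(image, block_size)))


# Constructed image: zeros, then text, then random fill, 64 KiB each.
SAMPLE_IMAGE = ZERO_REGION + TEXT_REGION + RANDOM_REGION

if __name__ == "__main__":
    for off, label in scan_image(SAMPLE_IMAGE, block_size=16384):
        print(f"offset {off:>7}: {label}")
    print(summarize(SAMPLE_IMAGE))
```

A scan like this flags the container as a run of high-entropy data, so it does not hide that encryption is in use; what it cannot do is tell whether the random-looking free space inside an outer volume is filler or a hidden volume, which is exactly the property plausible deniability rests on. Two caveats a practitioner will want: the outer volume’s free space has to be genuinely random (the hidden volume lives inside it), and writing to the outer volume without TrueCrypt’s hidden-volume protection option enabled can overwrite the hidden one.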

Why I hate BlackBerries

I have been working hard to avoid BlackBerries of all kinds, having seen sales people (who, as anyone who works with technology will tell you, push for the worst solutions available almost all the time) fiddle with them for years.

  • They never quite worked right.
  • Their voice quality sucked.
  • They’re a closed platform.
  • They integrate with Exchange as some kind of parasitic add-on module (as if running a Windows mail server wasn’t enough of a threat exposure).

Clearly, theirs is like the ultimate recipe for suck.

So I avoided them. I would say things like “You have a business case for me to have mobile email? No problem. I’ll take care of it.” I would then have some kind of mail solution of my own that would work well, integrate with everything else I was doing, and not drive me insane.

Before I complain any more, I will give it up for one thing that BlackBerry does do. They push a mobile security policy to their devices that can involve remotely wiping the handheld.

They really can’t take credit for all of this as everyone else supports it as well, but it’s a good thing from a governance/management angle. It is obvious that they would need it first because of their sales-centric user base, but necessity is the mother of invention. It’s also the mother of horrible duct-tape-style nasty rigging of solutions.

After dorking around with one of these consumer-level BlackBerries, I noted how it would ring occasionally and just vibrate at other times. It would perform randomly when I expected things to work all of the time. Additionally, their touch-typing is primitive when compared to other phones. It did not please me.

Enough of this. Can I use my old Nokia E61? It has BlackBerry software. Shouldn’t it work?

Apparently not. I gave it a good try, but there would be some version incompatibility or hidden password (likely inserted by carriers) that would prevent me from using the software successfully.

It really isn’t surprising why this might be if you look at the Nokia BlackBerry Connect page and see the completely different dependencies for each of the carriers. If you’ve upgraded your firmware, which, as I’ve mentioned before, is always a good idea, then you can’t use BlackBerry software with it, if it’s supported at all. If you look at BlackBerry’s own site, you get a huge list of carrier sites where you might be able to download a specific supported out-of-date build.

So let us consider this a moment and ignore some of the exceptional cases. This, usually, is a service that pushes email from a service that a business owns to a handset that a business owns transported over a cellular network.

So why all the dependencies and pitfalls for using software? Is it the case that cellular providers believe that handsets should never be touched by end users or even corporate customers, and if you do, to fix a vulnerability for instance, they just shouldn’t work anymore?

Having to choose between functionality and security is not fair.

I suppose it makes some sense that they don’t want to support their software on other smartphones as they would prefer you purchased their handset platform as well, but what about supporting people who purchased their enterprise products? Is the message “Too bad, buy more of our stuff”?

Backward, troublesome to manage, and poorly performing. I guess I’ll continue to be surprised that people continue to use them. It really shouldn’t be a surprise to anyone that Android and iPhone are going to dominate the market in the next couple of years.

It is a question of usability.

Does this industry really intend that users need to continue to decide between functionality and secure operation? Why isn’t this seen as completely ridiculous? There isn’t any value in requiring a middleman between enterprise software and the platform where the client software runs.

AT&T hates their customers

Every time I have an interaction with AT&T wireless, it is an agonizing and drawn-out horror of an experience. Because I know this, I only call them when absolutely necessary. Basically this is when they break things and I need to figure out why my stuff is busted.

I spent about four hours on the phone with AT&T after my wireless data was mysteriously half-broken. When someone decided that they were pissed off or didn’t want to be helpful, I just hung up and called back in again. There really isn’t any point in taking up any more of my time in

One of their higher-level techs spilled the beans: AT&T has implemented some new program of removing functionality that customers are paying for, based on the IMEI of the phone assigned in the customer account.

Why should you care? I thought that it was interesting that I was no longer getting the service I was paying extra to make sure I received. I spoke to another rep in business sales (another good trick to get decent service is to go through business services, as normal customer service is always pissed off, semi-literate, doesn’t care, or a combination thereof) and he said that he had lost data service on his BlackBerry about a week ago and that he was likely having the same problem.

Through the course of my research of trying to figure out what they screwed up so that I could tell them how to fix it (this is the only way to handle any telco, by the way), I found several other interesting tidbits.

I took a bit of a longer view of how AT&T manages their customers and their service agreements in order to be prepared for my encounter. Ever since data plans have been offered, consumers have been using the abilities that were built into the phones for this purpose to attach tablets, laptops, and other peripherals to the data service on their phones. This hasn’t been a very big deal until recently and, much like SMS was before it became popular, it was largely free as it was not commonly used by the average consumer.

Now that it has, it is worthwhile to take note of some of the strange language in the agreements for their “unlimited data” plans, which aren’t so unlimited:

DATACONNECT PLANS
DataConnect plans may ONLY be used with AT&T-certified LaptopConnect (PC Data) Cards and eligible AT&T-certified customer owned and maintained (COAM) devices for the following purposes: (i) Internet browsing; (ii) email; and (iii) intranet access (including access to corporate intranets, email, and individual productivity applications like customer relationship management, sales force, and field service automation). The parties agree that AT&T has the right to impose additional charges if you use more than 5 gigabytes in a month. Prior to the imposition of any additional charges, AT&T shall provide you with notice and you shall have the right to terminate your service.

PDA/BLACKBERRY PLANS WITH TETHERING
PDA/BlackBerry plans with Tethering may ONLY be used with AT&T-certified RIM BlackBerry devices and PDAs for the following purposes: (i) Internet browsing; (ii) email; and (iii) intranet access (including access to corporate intranets, email, and individual productivity applications like customer relationship management, sales force, and field service automation). PDA/BlackBerry plans with Tethering may be used to tether such PDA and BlackBerry devices to a Personal Computer. The parties agree that AT&T has the right to impose additional charges if you use more than 5 GB in a month. Prior to the imposition of any additional charges, AT&T shall provide you with notice and you shall have the right to terminate your service.

Source from the AT&T Wireless Terms of Service.

The bold is theirs.

Apparently this is enforced rarely and only as a hammer to punish customers that piss them off.

As you might expect, this has been found and reported a couple of times and usually at Howard’s Forums and reported here by dslreports.

‘Unlimited’ AT&T Wireless Data Plans About To Be Capped?
Rumblings among insiders about implementing 5GB quiet cap, like Verizon…
09:33AM Friday Jan 11 2008 by Karl
tags: prices · business · wireless · bandwidth · Cingular Wireless
An anonymous AT&T insider yesterday hinted to us that the company’s wireless division would soon be implementing a 5GB monthly usage cap on some unlimited data plans. We contacted AT&T for official comment and were told that there’s no changes in store that they’re aware of, but they’d nudge us if anything official came along. Today we’re seeing some discussion over at Howard’s forums that would seemingly confirm there’s some changes coming:


I just heard that the pda plans will no longer be unlimited but will be capped at 5 gigs. Users will not be billed overages but people with constant overages will be contacted to try to reassess the users needs. The new plans are nationwide so I’m not going to disclose my market but they are getting rid of the media bundles and M2M messaging. Text and data is now separate. PDA plans will be lowered to 30 bucks to match blackberry personal and media net unlimited is lowered to $15 bucks.

According to the poster, the plans will be live in a few weeks. Assuming these looming changes are true, AT&T may want to start removing the word unlimited from their advertising material. Verizon, who similarly advertised an unlimited service that actually had a 5GB monthly data cap, was busted last October by the NY Attorney General for false advertising. When we hear more on these rate changes we’ll let you know.

..and reported again a couple of months later:

AT&T’s 5GB Wireless Broadband Mystery Cap
Heavy users can prepare to pay a fortune…
03:13PM Tuesday Mar 18 2008 by Karl
tags: business · wireless · bandwidth · Cingular Wireless
For years, Verizon Wireless was trying to have their cake and eat it too, by advertising their EVDO service as unlimited, but quietly imposing a 5GB monthly cap. That advertising charade ended courtesy of NY’s attorney general (no, not client-9) last fall. Back in January, AT&T insiders insisted that the company was preparing to apply a 5GB monthly cap of their own to their unlimited HSDPA service. The company’s terms of service already states as much:

The parties agree that AT&T has the right to limit throughput or amount of data transferred and/or deny, disconnect, modify and/or terminate Service if you use more than 5 gigabytes in a month. If you require more than 5 gigabytes per month, ask us about our DataConnect 5GB Overage plan.

That plan doesn’t appear anywhere on AT&T’s website. Gearlog called in to ask about the plan, and found that actually using AT&T’s wireless broadband network in any volume can be a very pricey proposition:

if you call in, you’ll find it’s $350/month for 5GB, plus $0.50 per megabyte (really, $.0005 per kb, but my megabyte formula is more readable.) Since you’re probably a heavy downloader, let’s think of that as $500 per gigabyte. Yes. They want to charge you $350 for exactly what you’re paying $60 for. Want 10GB instead of 5GB? That’ll cost you $2,850 for that month. Now, to be fair, an AT&T rep told me that they’ll probably give you a pass for a month or two if you accidentally go over 5GB. Then they’ll give you a call and try to convince you to move to the Punitively Expensive Plan.

AT&T’s website still advertises “unlimited” data for Blackberry and PDAs provided you don’t tether, but we’d be interested to see if any users have tested the boundaries with smart phone consumption alone.

Note that life as a bandwidth hog on Verizon’s network is no easier. Buried amidst all the fawning adoration of Verizon Wireless for their recently announced unlimited yammering plan was the fact that they implemented some very pricey data overage charges of their own.

I had thought that perhaps it was possible they were mad at me for actually using the service I was paying for, but there was no way I was even using a significant fraction of 5GB down a month.

So I looked on Howard Forums and saw that a whole bunch of people were having the same problem. I contributed a bit to these threads with the information I gathered from my hours of talking to AT&T representatives, and then focused on fixing my problem.

After this, and several other misadventures, I don’t suggest anyone even talk to customer care. Just don’t bother. It is a waste of time. If you want to do it at all, do it to make AT&T lose money. It costs money to staff call centers though, as it turns out, AT&T will soon be charging you to speak to a human. It really is amazing how minimum requirements of business are becoming features that one gets billed for using.

So after all this, I had a surprisingly simple solution to my problem.

I went to an AT&T storefront. I told them that business customer care told me that I needed a new SIM. I asked them to delete my data plan and the phone that was currently in my account. They scanned my IMEI number from the back panel of my phone, added a data service to my account, scanned in the new SIM card and gave it to me.

All was fixed and operational again after a few minutes.

The point of this is that cable and telco companies, who have re-established their monopolies, are increasingly using business practices that lock in customers instead of satisfying them. Since the consumers have no choice, they are billed a regulated amount as set by the government.

This is the case because much of this infrastructure was built with your tax dollars. Many of these companies have benefited from this but conveniently forget about it when they ask for less regulation because “they built the network and now it is theirs to do what they want,” as is the argument for many companies’ net-neutrality-defiant behavior.

So do what needs to be done to defeat the problems generated by companies that don’t really care if they break services that you have come to rely on to do your business. Take the path of least resistance and remember that you owe them no consumer loyalty, because they do not appreciate or respect your patronage.

My talk at Seattle Toorcon 2008

I gave a little talk this weekend at the second Seattle Toorcon.

My presentation is as follows, though as usual, I ad lib when presenting. Video may appear in the future.
