So is Web 3.0. And this is what I want out of it:
(Right-click, View Image to enlarge, or whatever it is that you crazy IE users use. Or, heck, just click it.)
]]>ip tunnel add he-ipv6 mode sit remote 209.51.161.58 local 64.22.124.36 ttl 255 ip link set he-ipv6 up ip addr add 2001:470:4:b2::2/64 dev he-ipv6 ip route add ::/0 dev he-ipv6
[kyle@averageurl ~]$ ping6 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes 64 bytes from 2001:4860:0:1001::68: icmp_seq=0 ttl=55 time=327 msYup...
kyle@ksb ~ $ ping6 ipv6.google.com PING ipv6.google.com(2001:4860:0:2001::68) 56 data bytes 64 bytes from 2001:4860:0:2001::68: icmp_seq=1 ttl=54 time=325 ms
Tracing the route to IPv6 node 2001:470:d82b:ffff::2 from 1 to 30 hops 1 2 ms <1 ms <1 ms 2001:470:0:32::2 2 76 ms 75 ms 75 ms 2001:470:0:35::2 3 103 ms 103 ms 103 ms 2001:470:0:4b::2 4 103 ms 103 ms 103 ms 2001:470:0:8c::2 5 148 ms 148 ms 148 ms 2001:470:4:b2::1 6 234 ms 236 ms 238 ms 2001:470:d82b:ffff::1 7 234 ms 233 ms 233 ms 2001:470:d82b:ffff::2... while it sits behind my IPv4 NAT router. And then my Vista computer, and then my laptop connected to the wifi. Then I got to go take a look at The KAME project and check out the dancing turtle. It turns out that Google's IPv6 site also has an animated logo.
Obvious counter argument: go out there and search for "windows virus scanner" and check that out: 1.38 million results on Google. 53,000 if you include the quotes.
Either I'm wrong, or Google is lying to me. That's a lot of results for a virus scanner. "Windows virus" turns up 134 million. Clearly, Windows is anything but the perfect platform. My reasons as to why it is regarded as an imperfect, shoddy, spyware-ridden platform are very clearly written in a packet I got ahold of recently, concerning a website which is used extensively at work. The website in question will be launching with a new version soon, and to inform their customers of the upcoming changes and needed alterations to your OS (read: Windows and Internet Explorer) in order for this website to work.
Quoted directly from this thirty page packet: ... "you will need to download a new control from the [XX] site, this requires that you be administrator of your machines for that 1st export only. Unless it is a big company with an IT department, you are likely administrator already."
Let's put this in linux terms. "You are required to run as root in
order to get this piece of software to work. You are already running as
root, so don't worry about it."
The problem with Windows isn't Windows. The problem with Windows is the
absurd number of poorly written software packages, all of which require
administrator rights. This is a website, not a system reconfiguration
utility. "I know! And, so, I only require administrator rights the
first round!" One of these days, I'm going to go find out why it
requires administrator rights at all.
This packet then proceeds to outline all of the needed steps to get this new website up and running on the individual computers. This process must be repeated for every user on every computer. For me, this means driving between three buildings, located in Sandy, Salt Lake, and Bountiful. For the curious, that's a half-hour drive. The total machine count is 37. Total miles driven will be just over 50. Time spent in transit will be roughly an hour and a half, all things considered. Once I hit the first building, however, the real work begins. This packet outlines that the following changes need to be made:
It should be noted that not one of those steps included instructions that told me how to download and install said unsigned, marked not safe for scripting, "I need admin rights to continue" ActiveX control.
So, come the Monday morning that this launches, I get to drive around more than I care to, tweaking more settings that need tweaked, decreasing the default system security, installing ActiveX controls as administrator.
There is nothing wrong with Windows; there is everything wrong with the average software package (and/or website, as is this case). Because of this, Windows doesn't even have a fighting chance. If a website you loaded up suddenly popped up a box stating that it wanted your root password to continue, what would you do?
Why don't you do the same thing on Windows though?
Oh, right, the software requires it.
The operating system isn't broken, just all of the third-party software is.
]]>Only to go away really fast and continue booting up your computer without really telling you much. Awfully anti-climatic, if you ask me. I mean really, you add an option to your boot order, hit the button to make it go, and it starts doing all of these wonderful things only to promptly "stop" and advance in the boot order without telling you a thing.
Let's clear up the mysticism: what you (typically) just activated and attempted to use was this thing called PXE. PXE stands for "Preboot Execution Enviroment." Wikipedia has an awesome article (also available on the German Wikipedia) on the details of PXE, but I may be biased in thinking that because I assisted in it's writing. Admittedly, it has changed a fair amount over time, but the content of the article as a whole is still there. Now, come on, I know you're lazy and didn't read all of that artice. I'd even go as far as to say you didn't read any of it. So, if you're still wondering "What is this PXE thing?" I'll answer that here and now.
PXE is in it's most simple terms, a boot device. At least, that's what it appears to be to your BIOS. However, instead of spinning up your hard drive, it fires up the NIC in your computer and starts probing for DHCP (or BOOTP, but that won't be covered here. It's pretty much obselete). Then, once it has acquired an IP address with the needed DHCP options set, the PXE ROM goes about downloading and executing files off of a TFTP server.
So, what is PXE? A way to boot your computer without the need of a hard drive or any real physical storage medium. It's commonly known as netbooting. The process, as outlined above, is pretty simple. The NIC scans for a DHCP server, and then acquires an IP address. In it's brief exchange with the DHCP server, the client is sent several "DHCP Options" along with the IP address, one of which is commonly known as "filename." If the client does not find this option, it gives up and (typically) advances with the boot order. If it finds this option, however, it tries to download the specified file off of a TFTP server. An additional option which can be given is "next-server" which is the IP address of the TFTP server to contact in order to download "filename." If the "next-server" paramater is omitted, then it defaults to the same IP as the DHCP server, and likewise tries to download "filename" and in turn, execute the file it downloads.
That's it. That right there is the majority of what PXE "is" and how it works. Why did your computer acquire an IP address only to just continue on booting? Because you didn't have the needed DHCP options set. To be fair, the huge majority (99%) of all home routers lack the ability to configure the needed options, so it's likely you've never even heard of "DHCP Options." However, my personal feelings on how retarded home routers are do not belong here.
Let's move on to a "What is/isn't PXE" list real quick.
PXE is:
PXE isn't:
In sum, PXE has a vast number of capabilities, but PXE in and of itself is pretty much worthless. You can't feed it an ISO of a bootable CD and say "Go!," nor can you magically make an entire lab of computers run Firefox without hardrives. I'll admit it in full: PXE does not run your computer for you. You are in charge of that. But, it certaintly can help in installing OSs or running entire diskless labs. If this seems unclear, I'm sure the latter articles will clear it up.
In the next few parts, I'll use the following software: ISC DHCP,
tftp-hpa, pxelinux, memtest86+, and maybe a little bit of the debian
installer. Who knows, maybe I'll splurge and go overboard with some
CentOS installation over PXE, but for the most part, you're safe with
the previous list. (Don't go downloading all of the debian CDs though,
as we won't be using them.)
It should also be noted that I have written and maintain the only wiki
(that I know of anyways) that is dedicated to the topic of PXE booting.
For the curious, that wiki is available here.
I am glad that Vista was released. It is an upgrade. It is worth purchasing. There are too many advantages, both in terms of the technical side of Vista, and user interface side of Vista, to think otherwise. Once again: Vista is good.
I run a network for small business. It's a Windows network, through and through. Pair of Win2k3 servers in two locations, a copy of MSSQL, and two point to point T1 lines linking three buildings together. It's all built on Windows Server technology, and I'll be dead honest here: I haven't found a better, easier to use, scalable server system than that of Windows Server. Let's do this in bold too: Windows Server is good. Windows Server makes me happy, and it makes all of the employees happy (even though they could care less, they just want to work.).
So what did I do the day Vista was released to the public?
Blow away my last copy of WinXP. Destroy it. That was also my last
copy of anything Microsoft that I use for my own personal computing.
Hear that? No more WinXP in my blood. No more XP on anything that I personally use, be it at home or at school. Bye WinXP. Vista is out, and I don't care what the critics and journalists say: Vista is worth purchasing.
So, I replaced my copy of XP with Linux.
And it feels good. So very good.
My number one complaint about Vista is two-fold: versions, and limited features/too many features. I run networks, I build networks. My primary computer has five different NICs in it, three of them are 1000mbit and two of them are 100mbit. Further, I have a PCI wifi card in there, and my router is a soekris box with a hand-rolled distro running on a CompactFlash card. I like my networks, and I like them a lot.
Know what I like MOST about networks? Networking. You know, intra-device communication. The flexibility that networking provides. File is on another computer? So what, just click click, bam, your file is in front of you, even if you're on the opposing side of the globe. Networking is fun.
Networking with Vista is not. Now, don't get me wrong: new TCP/IP stack? Re-worked IPSEC support? Hate to break it to you people, but with about seven clicks (with Vista) I can literally move three buildings from open TCP/IP to straight IPSEC communications between ALL computers, using SSL certificates. Seven clicks, and I have a network that runs IPSEC flawlessly, and effortlessly. And no, the IPSEC implementation isn't broken: it works, and it works well. I'm not trying to say that Vista has horrible networking with that earlier line. The network stack, the possibilities... I love.
What I hate is the arbitrary limitations imposed upon the different versions of Vista. For example, lower end versions of Vista cap the number of connections you can have to any specific computer at five. Let's count.. my desktop, my other desktop, my laptop, my brother's computer, the family computer, my sister's computer, and my xbox. Oops, seven. Vista Home Basic is out of the running.
Also, Remote Desktop (aka 'RDP') has been essentially removed from
Vista Home editions. I can't bring up the computer's display at will
anymore, I have to install VNC or something similar.
It's these little things that get at me. Want feature X? Gotta spend
more money. More connections to a computer than Y? Yeah, spend more
money, but note that you're capped at 10 period unless you drop several
thousand on a copy of Windows Server, and oh, we don't have Vista
Server out yet, it'll be another year or so.
This is the biggest reason I switched to Linux: there are no arbitrary limitations imposed. Anywhere. I can connect thousands of machines to this one, and I can type a single line to bring a window from a desktop to my laptop, in a secure fashion, from anywhere in the world.
Let me give you a scenario here, from my everyday work. At school, I use my laptop for everything. Notes, research, papers, reading, the works. All of my work is kept in a subversion repository. Because of this, I can access my up to date notes from pretty much any computer and any OS anywhere.
I get home, and turn my laptop on. It boots up, and I place it in the dock. The laptop automatically detects that it has been docked, and brings up the wired ethernet interface. As a part of this process, it also registers with my LAN DNS server as it obtains an IP, and then commits my most recent set of school notes to the subversion repository. At this point in time, I can type a line into my desktop, and update my desktop's copy of my notes with the most recent version.
Further, because it has registered with my LAN DNS server, I don't need to worry about assigning static IPs. This can be taken one step further: whenever anyone brings over their laptop, they get the same treatment (I should mention that I run an iTunes server on my desktop also. Not apple software, but linux software providing the same functions).
Because I run linux on my laptop and desktops, I can type one more line and bring up windows from my laptop on to my desktop. If I have a bookmark I want to grab, I just run firefox on my laptop and watch the window appear on my desktop.
Earlier up, I mentioned I have an xbox connected to my network, and counted it as a computer connecting to my other computers. Why? It's a modded xbox, running a copy of XBMC. XBMC uses libsmb from samba to give it networking with other windows computers, in addition to having UPnP support, and the ability to browse for iTunes shares on the network.
You know those mockups that Microsoft and Apple have every so often, where it shows the "house of the future"? Where someone walks in with a laptop and wirelessly collaborates with the people in the home? How the music is there to be listened to, the videos to be watched, and work just "gets done" because of the transparent technology powering it?
Hate to break it to you, Microsoft and Apple, but I've already got
all of that and then some. It didn't cost me a dime, it works flawlessly,
and I can bring as many networked devices I please into the fold
without paying more to get around an arbitrary limitation. I've got an
xbox that can play any assortment of video and audio at 1080i
resolutions in 5.1 surround, laptops plug in (or wifi in) and
mystically "just work," and then "just work" with the desktops in a
beautiful unison.
I should also note that the Windows Server network I run has its bits
moved around by linux routers. Sure, Windows Server powers the
desktops, but the bits don't move from site A to B to C on their own,
and quite frankly, I wouldn't want anything Microsoft doing that for me.
I love open networking. As a direct result of networking with open technologies, I already have the home of the future. Plus, all of my private networking is encrypted, transparently. Anything that's "open to the public" is, well, just that: open. It's a beautiful thing.
Sorry Vista, you don't fit that bill at all.
]]>Foreward: My database of choice would be MySQL (again, it's a PHP focused post). Note, however, that anything I mention here is easily applicable to any database. I have done developement on PGSQL and even, gasp, MSSQL, and likewise I'm quite confident that everything I mention here as far as databases go should apply to pretty much anything.
PHP is probably the most used language on the web. Why? It is fairly easy to pick up, and has a huge amount of support on pretty much any server anywhere, never mind the monstrosities of pre-existing PHP scripts you can download from... pretty much everywhere. Forums, download sites, e-commerce sites, you name it, you can probably find a PHP script doing it. However, as a result, it's one of the most commonly attacked languages out there, and while it is incredibly easy to pick up, it's not as easy to write PHP properly and in a secure manner.
Uh-oh, I wrote "PHP" and "secure" in the same sentence. That's a bad thing. PHP has recently recieved a fair amount of flak for it's security, or lack thereof. One of the lead programmers for PHP whose sole purpose was really just to make PHP more secure, stepped down. This article is a good read on the matter, for anyone curious. From what I gather, he stepped down for one main reason, with another one on the side. The main reason would be the response time to security holes. The side reason would be a view that PHP was built insecure from the ground up, and try as he might, that wasn't going to change.
That debate really comes down to "it's the programmer's fault for coding that way" vs. "you shouldn't even allow that to happen, ever." And it's true: improperly coded PHP is a complete nightmare, riddled with security holes, both in code and in function, and it turns into a complete mess quickly.
Now, let's avoid all of that, shall we?
Point #1: Check all of your data for validity.
Now, this is no small order. PHP is typically used to take user input, process it, and then output it. Right there, you have three places a malicious user can attack your code: the input, the processing/storage of the data, and finally, the output.
The input is one of the most commonly checked and parsed things, and, in my opinion, wrongly so. Assume, for a moment, that everyone everywhere is a non-malicious user. Why shouldn't they be allowed to have a username of "admin' or 1=1--"? Sure, it's a little weird, but then again, so is the internet as a whole. End result, most people code to strip out less commonly used characters. Others call htmlspecialchars(), and other flat-out deny query execution when some special characters are detected. Oh, and then you have the swarm of mysql_real_escape_string() people, and as a result, every other line will be mysql_real_escape_string().
Now, admittedly, the last bit there (mysql_real_escape_string()) is a real and valid solution to the bigger problem of SQL injection. But, it is not optimal. Optimal would be using SQL statements in combination with stored procedures. Currently, only MySQL is supported directly with stored procedures, by ways of the mysqli functions. However, PHP's PDO project is coming along very nicely, and with that you can use SQL statements with pretty much any database out there. SQL statments are, to put it simply, a way of using SQL queries in a manner that guarantees you will never be vulnerable to the most common type of SQL injection attacks (which is generally input manipulation).
Now, before you touch the database (I know, I'm out of order), you can do other sanity checks on your data. Take for instance, the ever common URL, http://example/page.php?id=1. It's that ?id=1 part that is common, and further, non-specific to PHP. My question to you is this: why is it that you have countless webpages where ?id=1 is a security hole? You can make your data checks really, really easy here: is_int(). Really, think about it. You can completly skip all forms of data validation in this example, by checking the results of $_GET["id"] with is_int(). Is there ANY reason why $_GET["id"] should be anything but a number? No? So then why are you spending so much time checking for odd characters that shouldn't be there, when you could merely check the datatype and know for sure that it's legit?
This can also easily apply to strings, or to be more defined, UUIDs
(On that page, search for "UUID()", it's roughly 2/3 of the way down).
If you know that a UUID will always be in
theaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee format, you could use a regular
expression to check that easily (not to mention to check that it only
contains a-Z and 0-9 chars).
Point #2: Proper database security and design
If you've ever installed a PHP script that used SQL, it asked you for a login to a SQL server of your picking. In my opinion, it should ask you for two seperate logins. "Why?" That's an easy answer.
As it stands now, any SQL username and password you provide to a script, generally has complete reign over the database. SELECT, UPDATE, DELETE, the works. This poses the question: Why should someone viewing a page (not editing, adding, removing, etc.) even have the rights to turn a query around and run a DELETE? Does that even make sense? I sure hope not.
The solution to the problem is this: have two users, with differing rights on the SQL server itself. The first user should really only have SELECT, the ability to run a stored procedure, check out a view or two, and... that's it. Even at that, stored procedures that only execute SELECT. I can't name one reason why an anonymous page view should use a connection to the SQL server with enough rights to run an UPDATE. It just makes no logical sense. The second user, however, still shouldn't have UPDATE rights: rather, it should only have the ability to execute stored procedures. Stored procedures protect your data, and can sanitize code everywhere. Again: there is no reason why an anonymous page view should even have the rights, let alone ability, to run an UPDATE or a DELETE query. So, um, please stop allowing such things. It will make the world a nicer place.
Point #3: Taking point #2 a step further, and seperating the code that writes from the code that reads.
PHP 5.0 introduced a lot of very useful object oriented capabilities. Take for example, a mock forum, with the following functions: $forum->view->thread(), $forum->update->thread(). Again, there is no reason at all why view->thread() should be calling update->thread(). Functions and classes can be marked as private, protected, and public: please do so. Before someone goes off and states "but end users can't execute PHP code that I didn't write!", think again. It can happen. It has happened before. It is preventable. Plus, this makes your code cleaner and enforces good coding habits all around.
Point #4: Check your SQL output
As yes, the ever popular login string of "admin' or 1=1--". Commonly used is poorly coded web scripts to gain a login as the user "admin", you can simply google around for this and see countless example of it pretty much everywhere.
But there's a bigger problem with this. Let's assume for a moment that someone used this on a poorly coded website and succeded with a login as user "admin." The real problem? The "or 1=1" bit. You just selected every single user in the database. Here's yet another sanity check, useful for such things: *_num_rows(). This is an incredibly simple check all around: if you're trying to log in one user, and you get four rows back, you know something somewhere is wrong. So.... why do you allow it?
All of the above can really come down to two main points: data validation, and not allowing the database rights, but rather abstracting the rights into stored procedures. Data validation is usually taken too far in the wrong direction (stripping characters, not allowing query execution), while database rights are completly overlooked. All that data validation should be, is simple sanity checks (like is_int() and *_num_rows()). Used in combination with SQL statments and stored procedures (with limited database access on top), you'll quickly come to see just how secure PHP can really be.
The biggest problem with PHP out there currently? People try to secure their scripts, and then they do it incorrectly. "But I stripped out all of the backslashes!..."
]]>Oh, "as we expand." Seeing as every site will have it's own T1 line, point to point T1 line, and linux/windows server combo, this means that I could host the public (and private) websites on a lot of IPs, and a lot of servers. However, I really really didn't want to have to maintain and update website code on multiple servers. The solution? Subversion.
As it stands now, we have company sites A, B, and C. C is merely a remote location without any servers, linked into it all with a point to point T1. Likewise, we're going to ignore that site completly. A is considered the "home" building, and I work in the B building. The B building actually has space for IT equiptment, and likewise that's where the large majority of it resides. Sites A and B each have a linux/windows server combo, but site B also has a decent sized RAID array. So, I picked the 1.2TB RAID array to house the actual subversion repositories.
I setup the repo server to be served over apache. I didn't bother with SSL because 1) the point to point T1 lines run IPSEC and 2) apache is configured to allow the login "server/server" from a hard-coded list of IPs (which would be the servers). The server login is not allowed write priviliges either. If you were to try to access the SVN repo from anywhere else, the server login would not work, and further I'm the only other one with a login. Seeing as I'm sitting about four feet away from the SVN server, I'm not worried about plaintext transmission (but I'll fix that when I get around to it).
The repo itself contains 1) all of the needed apache vhost config files, 2) htaccess files and 3) all of the actual website data. Due to items one and two, in httpd.conf I can throw in the line "Include /srv/conf/vhosts/*" and never worry about having to configure apache ever again. Likewise, if I really screw something up, it's easy to revert all of the servers at once to a working configuration.
Logging is still one thing I need to figure out. Currently, the vhosts are just set not to log anything at all. I need to think up a way to store the logs locally on each server, yet still manage to generate statistics for all of the servers combine. The best I can come up with so far is a daily rotation of the logs, only at the end the previous logs are shipped off to be stored somewhere (and likewise merged together, and then analyzed). Unless anyone else has any better ideas, I'll probably wind up doing that in the near future.
The servers have a cron job that runs nightly, which will execute `svn up` in /srv, and then /etc/init.d/apache2 reload. That's it. That's really all that there is to it.
Now I have a versioned setup for multiple servers. Further, it's rather easy to add additional servers: USE="mysql apache2" emerge apache php; cd /; svn co http://svn/srv. Tada. All done, just like that.
I would like to point out, however, that there is a reason I did not use NFS for this. Firstly, that's a single point of failure over an already incredibly loaded point to point T1 line. That's also the second reason: less traffic going over the links that would be better used to serve people files as they work through the day. Lastly, I just don't like NFS much.
Plus, it allows me to update any aspect of the websites from any computer. Never mind the local copy I can keep on my laptop and desktop at work.
As a direct result of installing subversion to maintain a few websites, I've simplified the management that I have to do, increased my ability to effectively admin multiple servers at once, and cut back on bandwidth running inbetween the two sites.
Subversion: what do you want to do today?
]]>Let's review a recent "digg": "World of Warcraft scans player's Internet Explorer browsing history".
GASP! A GAME! SCANNING MY HISTORY! INVASION OF PRIVACY AND I'M GOING TO BOYCOTT AND SUE!
For the linked picture, aka "proof" to all of you digg users, go here. For those of you who don't care to click (I'd be one of them in your shoes, I am rather boring), it's a screenshot of one of the best windows programs of all times: Process Explorer. In this screenshot, it shows a running copy of World of Warcraft (WoW.exe), and then it lists every file opened by WoW.exe. Semi-surprisingly, listed, is the poster's Internet Explorer history. C:\Document and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\index.dat. Yup, that's the history all right.
For those of you who don't know, and I'd assume that number to be many, World of Warcraft employs a nice little thing called "The Warden." The Warden is WoW's anti-cheat. But, not really. That's yet another misconception. The Warden runs every 10 or 15 seconds, searches out every running process, takes a hash of the process name, and compares it against a list of "known bad" (read: botting, hacking, etc.) programs. Yup, that's it. Compared to things like PunkBuster, the Warden is amazingly tame. It does basically nothing.
But never underestimate the power of stupidity, especially when it numbers in the seven million users range. Their anti-cheat has been accused of sending Social Security numbers, bank account numbers and PINs, e-mail addresses, and other "private information that I don't want Blizzard to have." None of this is true, of course, but again: stupidity comes with numbers. Will said anti-cheat read your Quicken title bar and grab your bank account number? Sure will. Will it send it off to Blizzard? Nope. Remember: it hashes the process name and then compares that hash to a list of known botting programs.
Average digg.com user: "So why in the world," (no pun intended) "is this game reading my history? I know you have an anti-cheat, and I know that it's rather invasive: BLIZZARD IS SCANNING MY WEB BROWSING ACTIVITY AND SENDING IT ALL BACK TO THE MOTHERSHIP!" Word for word? No. But do read the comments to the above link, and you'll find several people stating that.
The screenshot proves that WoW.exe can read your history. Nothing more. It does not prove anything more than that, period. "But the screenshot..! The open files!" In the words of the digg.com post:
"The linked screenshot provides proof that WoW developer Blizzard is actively scanning players' browsing history and cookies. Early speculation is that this is a countermeasure against cheaters, but players are arguing that Blizzard has no right to access this highly private data."
Hate to disappoint you, diggers: WoW uses Internet Explorer as part of the in-game engine. No wonder it has access to the history, it's using the browser! No joke? No joke, and no kidding. Want some proof? Here you go. Some more? More proof for you! One last bit? Sure! Even more proof? Here's the HTTP header that the launcher sends: "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)". Check that stuff out. Blizzard has a reason to be in your history! Even though they aren't. Shock.
"But the second link you gave there is just the launcher which runs before you start the game, and the last one is just a blank page!" Yeah, you got me there. That's because there aren't any alerts at the time of posting. And further, it's the "alerts" that are displayed in game when you login. Seriously. You know - that box you see sometimes when you login, that reads: "These realms are down/will be down! Enjoy your stay in WoW, and we're deeply sorry." Yup, that's a webpage, and yup, WoW.exe uses Internet Explorer to render it.
Which brings me to my (*ahem*) point. Digg users are lemmings. Here I thought the the slashdot moderation system encouraged "group think", but that's capped from -1 to +5. Digg is probably capped to 2^32, allowing for stupidity and group think to the scale of 4294967296. Because one person posted a screenshot and said, "here, proof that they WATCH ALL OF YOUR BROWSING HABITS," several hundred people hopped on the bandwagon of "lemming," walked on over to the World of Warcraft forums, and began spamming. They don't know any better: they're just another lemming.
Digg, while "cool," "popular," "web 2.0-ie," and "high traffic," has also become a synonym for "sheer and utter stupidity on a grand scale." It has one or two cool or funny links every so often, but the huge majority of anything on there is just sheer stupidity. Do I care about some guy's experience at a Taco Bell? Or a list of proxies? Maybe a really annoying, incredibly simple game? An idiot suing Amazon?
I believe a very good (not) description of the site is the one found if you google "digg": "Technology focused news site where the stories are chosen by community members rather than editors."
Lemmings, I tell you.
]]>Note the italics.
As I was cleaning the system out (before I knew of the spambot), I noticed the wireless connection was in heavy use. I didn't think too much about it, as it had several viruses on it then, but I also needed the networking in order to properly clean the system. It wasn't until I tried Trend Micro's Housecall service that I really looked into the networking problem, and noticed four packets sent for every one recieved.
Oops.
I grabbed a laptop, fired up an SSH session to my router, and then started the tcpdump. I must admit, while I hate spam, it was sending a seriously impressive volume of spam per minute. I reset tcpdump to only output data headed to :25/tcp remote, and it was connecting to a good fifty different servers per minute. Fifty different servers per minute. That's a ton of spam, and it was all going over my home cable connection.
I decided I had better fix that little problem quickly, and that meant an iptables rule. Behold the results:
pkts bytes target prot opt in out source destination>
5488 263K DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
5488 different connection attempts in a matter of minutes. That's a lot of spam.
What scares me is that this was just one computer on a home residential computer. If my sister was hit with this worm, that means her friend also has it. And due to the nature of the IM networks, that likely means everyone my sister knows, and everyone of them and all of their contacts, also have this spambot churning out e-mail to the public as a whole.
Did I mention that's a lot of spam?
So, internet, sorry for not selectively blocking :25/tcp outbound in the first place. Sorry for sending out more spam in minutes than I get legit e-mail in three weeks. Oh, and sorry for having family members that don't know *nix. On the flip side, I have yet to see a good MSN client for *nix that features audio and video chat too, so until you can get me (or rather, my sister) that...
]]>So is Web 3.0. And this is what I want out of it:
(Right-click, View Image to enlarge, or whatever it is that you crazy IE users use. Or, heck, just click it.)
]]>It's funny how little we value the ability to easily communicate until it's suddenly not so easy.
I started out trying to install ejabberd, but failed miserably. In both the Sandy and Salt Lake offices, I have a modest linux router installed, doing all routing/firewalling/networking in general. Likewise, throw in the DNS SRV records on a per-site basis, in theory I would have been able to point all clients to the same host, but end result have them all wind up connecting to their local instance of ejabberd.
For those of you who don't know, ejabberd is famous for it's ability to cluster and fail/fault-over abilities. It uses a database that is essentially distributed by default. Further, it has a very nice web interface for management, along with a shared roster (list of people on the service) built-in. Sadly, I never was able to get the distributed part of it (the reason to use it) working. I would add a user on one side, and magically, that user would never appear on the other. Huh, oh well.
I wound up reverting back to the tried and true method (for me, anyways) of getting a jabber server up and running: jabberd2. Jabberd2 is not distributed like ejabberd, but it also typically uses MySQL as the backend (granted, ejabberd can also, and I've never tried to do so either, but I also know how to make jabberd2 work, and that's what I wanted here), which I'm rather familiar with.
So, about twenty minutes after I gave up on ejabberd, I had a functional jabberd2 server, up and ready to go. (For those of you curious, I have a 1.2TB RAID5 array, on which the database server is running. Overkill, yes, but I don't want to burden the router down with a database server.) Now for the fun part: the client, the program that everyone will actually be using.
All of the clients are running Windows XP, along with two or three Windows 2000 boxes. jabber.org has an impressive list of jabber clients, for pretty much any OS under the sun. In the end, I chose Miranda IM, for several reasons:
All in all, this is pretty much a perfect client for people. It's simple enough to use, effective, small, and to top it all off, free. The only thing it was missing was a .msi installer package (it is being installed on a windows domain after all), and the official stance from the Miranda devs consists of, "you have a .zip and a .exe installer, and what we provide works. If you want a .msi package, feel free to build it yourself." As a result, I did, and I used Wix to do it. Yay for open source and free Microsoft programs that get the job done, and get it done well. The posts I saw on the Miranda forums included a lot of users wanting a .msi installer, so once I polish it off, I'll post both the Wix .xml file, along with the final .msi for people to abuse. For now, I'll link to the .msi which I'm using here. This includes jabber components only, and installs without prompting to Program Files. This file is suitable for usage anywhere, as it saves all settings in places where anyone can write to, and it is multi-user sane (in the sense that user A can't see user B's settings and contacts).
Earlier, I mentioned that ejabberd has shared rosters, where basically everyone can see the same group of people. Sadly, jabberd2 lacks this feature, but makes up for it in another way: it has MySQL as it's backend. This makes is horribly easy to write a small script which clears the existing roster table, and re-populates it with everyone else who is registered with the service. This makes it pretty easy to accomplish a similar "shared roster", and it bypasses the semi-complicated process to add a user, consisting of:
For people who only know how to use computers as far as clicking File, Print goes, the automatic addition of new users to their lists saves time and effort all the way around. Not to mention the new person doesn't have to go and add thirty other people, and then wait for all thirty people to add and authorize the new person.
In the end, I wound up with a setup that's as close to perfect as it can get. Shared rosters, easy to use client, and a client that works perfectly and easily.
I'm rather liking this whole "run your own IM server" idea now that
I'm using it on a scale larger than two users. And hey, so are all of
the employees.
Links:
Once again, these files do not include a GUI installer of any sort, but rather will install the program automatically without prompting. There's your warning.
]]>I was driving to work today when I noticed a car with heavily tinted windows pull up behind me. In my general paranoia, I figured this was an undercover police car (fortunately, it wasn't). This then in turn reminded me of a story my uncle had told me semi-recently.
My uncle worked in a rather large car shop. The local police department would bring their cars down when something broke, when it needed a tune-up, or whatever. Likewise, for most of the cars he had worked on, he took it for a short (15 minute) drive to make sure everything worked as it should. He'd test out the brakes, made sure everything was shifting properly, etc.
Likewise, a civilian legally driving a police car can be incredibly fun. For example:
It's not like he can pull anyone over. It's not like he's stolen the car; he has a legal right to it. So why not enjoy it? :)
]]>I'm not talking just "bad", I'm talking HORRIBLE. There's a line, and this single application crosses that line in multiple ways at once.
I work for a small law firm, and we recieve massive PDFs of legal
documents all day, in any one of a good ten different file viewers and
file formats with different file extensions (although I have yet to
find a single format that wasn't either a PDF or PCL doc with just
that: a different extension and a differently branded viewer). I just
had to help a user get their document package to print, and let me tell
you, it was a doozy.
First off, I present you with DesertDocs. This is the offender's website, but the website is half the problem. More on that later.
The e-mail in question had nothing more than a document number and a link to this website. If you click on the "WebPost General Inbox" on the side, it'll bring you to a rather confusing page. The nature of the documents include personal information (likely SSIDs, names, addresses, etc.). Nothing that we would knowingly spread around, in other words. So, we picked the "Private Inbox Login" button. Username and password? Not in the e-mail. So, we go back, and pick the "Download Docs" button.
... to be presented with an EULA. Scroll down, click agree... hmm. Now it wants me to install a document viewer for this. Why I need a seperate viewer to view these docs is beyond me, but I've also grown used to it over time (refer to the previous paragraphs). So, I install it (the user in question has guest priviliges, I had to install it personally as the administrator), and try the website again.
Only to be prompted to download the viewer again.
*twitch*
At this point, the user I'm helping has to get this done now, and further, has a migraine. She also had the winning idea: call them. So, we find the toll free number, and call them up.
After explaining the problem to the person who answered, I could tell instantly that they had encountered this problem before. Their solution? "Delete your temporary internet files and cookies, that is what is preventing you from getting the docs you need."
"Okay, done, and it's still not working."
Upon hearing this news, he directed me to the application's Program Files directory, and instructed me to start the "wpcookie.exe" application. (Side note: he directed me to the directory in question by having me right-click the doc viewer shortcut, hit properties, and then 'Find Target'. This is actually ingenious, and probably the only correct thing that I got out of the entire call.) I ran it and it seemingly did nothing. He then told me to open the website up and try again. Tada, it worked.
"So, what did that just do?"
"Place a cookie in Internet Explorer."
Problem one: when enough users call in and whine that it doesn't work, causing you to package a seperate program just to set a cookie on the computer, you have issues.
As pissed off as I was then at how horribly broken their program was, I continued on with the guy, because plain and simple, we needed it to work. I was able to then get to the link to download the documents. I click the link, and naturally, it opens in a popup (which is blocked).
Problem two: when your tech support takes it in stride to tell you to allow the popup that was just blocked, take a clue yourself, 'developers': stop using popup windows.
"Hey! That's what I need!" the user exclaims. "Good," I'm thinking to myself, "I'm almost done." (Hint: I wasn't.)
I was then told to click on 'Print', 'All', and then 'Okay', and I would then be asked a printer to print the docs on. Sure enough, I was, only instead of printing, a 500kb file downloaded, and the viewer program that I had downloaded launched. Only to error out in a horrible way: "Permission denied." I then read the error message.
Problem three: the %TEMP% dir exists for a reason. Quit thinking you can write to Program Files\Your Stupid App\temp, because you can't. Copying the downloaded file from the Temporary Internet Files directory to a temporary directory in Program Files is just plain stupid. Use the %TEMP% dir, that's what it exists for. By doing this, not only are you assuming that the user is running on Windows 95/98, or that they have Administrator rights (which they don't, not on my grounds!), but you're adding multiple security holes into your application and breaking all forms of file system quotas automatically. Oops.
At this point in time, I was laughing to myself, and just blindly following the guy's instructions. Two more attempts were made to fix this. One of these included copying the file from the Temporary Internet Files directory to somewhere else, and then opening the utility to click File --> Open ("Double clicking on the file will not work."). I forget the other.
At this point in time, he said something that was honestly quite amazing: "Huh. Well that's weird."
Someone has never used a windows computer as a guest, have they?
At this point in time, I just told the guy to hang on while I tried something of my own. That something involved giving the user permission to write to the application's own temporary directory. Guess what? It worked.
Guess what else? That little 500kb file? Was an archive. In the archive, was a .pdf and a .html.
Problem four: quit re-inventing the wheel with applications that don't work. I just spent the last 15 minutes on the phone with you trying to fix this, only to find out that you just as likely could have given me a link to the .pdf (the .html wasn't really needed in this case), or, thought of all thoughts, a link to a .zip.
Luckily, this can easily be rectified.
Given that I can take a fair share of blogs and note how they either sport tags or categories, and I can likewise view that blog by all posts tagged or categorized, if I want to read about a specific subject someone blogs about, that's 100% doable. Face it, if you couldn't, people would wine. Hard.
So why doesn't my RSS reader software have this? Why can't I label digg.com as "stupid", "retarded", and "marginally interesting"? I'd tag my local newspapers as "news" and "local", and the other larger ones as "news" and "global".
Then I want a little search box up on top that will let me search though and view my tags. If I wanted local news, I'd just type in "local news" and tada, all of my local paper's RSS feeds would pop up. "internet news" would give me /. and digg. etc.
I'd really, really appreciate such a program that would let me tag blogs like that. It really would make my reading so much more enjoyable.
]]>