<p>random strings - tech: <a href="https://blog.randomstring.org/">https://blog.randomstring.org/</a></p>
<h2>setting vim options makes me itch</h2>
<p>Posted 2021-09-29T09:50:09-04:00 by -dsr-</p>
<p>It’s hard to break the habits of a lifetime – or at least, those
rooted decades deep.</p>
<p>Ever since I can remember, I always wanted to be a goodfeather.
Sorry, wrong reference. As far back as I can recall, I have been wary of
making changes to vi (later vim) settings out of a fear that I would
become reliant on them, and thence unproductive when I had to work on a
freshly installed machine.</p>
<p>There are several good arguments against this position.
</p>
<p>First, even a sysadmin who is professionally installing machines just
doesn’t do that much by hand any more. A one-off machine is a rarity; a
corporate cattle machine will have basically everything ready to go by
the time anyone would want to log in and edit something.</p>
<p>Second, I spend far less time installing and investigating broken
machines these days. It isn’t impossibly rare, but it is decidedly
unusual now.</p>
<p>Third, humans are adaptable. Even if I were to become entirely
dependent on soft text wrapping and line numbers, not having them is not
the end of the world. I would notice fairly quickly and either make the
appropriate settings, or more likely just carry on without them.</p>
<p>I suppose I am ready to allow a few more entries into my general
<code>.vimrc</code>.</p>
<h2>pseudovalidation techniques</h2>
<p>Posted 2020-12-01T16:30:20-05:00 by -dsr-</p>
<p>Pseudovalidation is a major goal of marketing and advertising.
Actually validating a claim is expensive and often boring. Why not just
make people feel like they’re important in some way?</p>
<p>But once you recognize it, pseudovalidation feels disrespectful:
these people are lying to me and don’t even care if I know it:</p>
<pre><code>Subject: Lunch?
Hi Dan,
My Head of Delivery asked me to reach out to you (see below) and offer to
buy you lunch through Uber Eats for a quick virtual meet and greet.
Here is a 1-minute video <URL/explainer> about what we
do and why PERSON would like to get on your radar.
Let me know if you think it’s a bad idea?
MARKETROID
---------- Forwarded message ----------
From: PERSON (no email address)
Date: Nov 18, 2020, 9:41 AM
Subject: Meeting with Dan
To: MARKETROID (no email address)
MARKETROID - I came across Dan’s LinkedIn profile. Here is the link
<yup, a linked-in profile>
Try to see if you can get an email and invite Dan to a virtual lunch.
I think Dan would be a great person to get in front of.
Thanks.
PERSON-diminutive-nickname
PERSON
Head of Delivery at COMPANY
Watch Our Software Development Humor Commercials </code></pre>
<p>Let’s see what we’ve got.</p>
<p>MARKETROID plays on our sympathy for them as a hard-working
MARKETROID who just wants to get their job done. They offer a small
bribe for our attention. As pseudovalidation that you have come to the
attention of PERSON, (who commands MARKETROID and is thus mighty and
powerful), they send a copy of an email which is curiously unconvincing
as the sort of email actual humans send to each other.</p>
<p>Note that at no time does MARKETROID say</p>
<ul>
<li>what COMPANY does</li>
<li>why it would be interesting to us</li>
<li>why they think we are clearly the people they need to sell to</li>
</ul>
<p>Nor is it normal for a salescritter or MARKETROID to forward internal
email to someone outside the company. Usually there’s about seventeen
lines of extralegal disclaimers at the bottom explicitly rejecting that
as an action compatible with continued employment.</p>
<p>Update, from a day later: as part of my job, I occasionally inspect
the company-wide spam filters to see whether they are effective. Guess
what a coworker determined was spam, with every word the same except
that it had my coworker’s name inserted instead of mine?</p>
<p>Note to salescritters: if your phrasing is creepy when it’s repeated
to different people, it really is a bad idea.</p>
<h2>quote of note iii</h2>
<p>Posted 2016-02-09T09:28:46-05:00 by -dsr-</p>
<blockquote>
<p>But every day the balance shifts: computers get faster, but
developers don’t get smarter, so a language that sacrifices performance
for ease of development becomes a better choice.</p>
</blockquote>
<p><cite>lmm writing in <a
href="https://news.ycombinator.com/item?id=11065062">a comment on Hacker
News</a></cite></p>
<h2>quote of note ii</h2>
<p>Posted 2016-02-05T15:02:31-05:00 by -dsr-</p>
<blockquote>
<p>Most people, who own and drive automobiles, learn by their second car
that life time operation cost can be higher than purchase cost, so their
shopping around needs to find one with good gas mileage, good
warranties, good service, few break downs, etc. Most people never learn
that about computing.</p>
</blockquote>
<p><cite>Alister Macintyre in <a
href="https://catless.ncl.ac.uk/Risks/29.24.html">comp.risks vol
29.24</a> </cite></p>
<h2>the ops in devops means operations</h2>
<p>Posted 2016-02-05T08:41:17-05:00 by -dsr-</p>
<p>Lots of people will give you guff about “devops” and how it means
that you no longer need people to run your business infrastructure
because it is all a simple matter of programming.</p>
<p>I cannot emphasize enough how wrong this is.</p>
<p>What devops does is apply the lessons learned in software development
to the processes of running computer infrastructure. As a direct result,
you can improve your processes by minimizing human involvement in the
execution of processes. What you cannot do is improve your processes
without knowing what those processes are, how they are executed, and
what might go wrong.</p>
<p>Ask any developer: can you solve a business problem without
understanding it? No, you cannot. Programming is the expression of
decision-making in a formal automation. You cannot make (good, or even
reasonable) decisions without understanding the process.</p>
<p>The naive devops-uber-alles view concentrates on building an MVP, a
minimum viable product, and then elaborating on it in customer-desired
ways. The ops part is relegated solely to deployment, the process of
getting the application running on one or more servers.</p>
<p>Here is what operations brings to the table:</p>
<ul>
<li>statistics collection</li>
<li>systems monitoring</li>
<li>alerting of humans based on the above</li>
<li>load balancing</li>
<li>strategic deployment decisions (e.g. multiple vendors, geographic
distribution)</li>
<li>backup and restore decisions and methods</li>
<li>security policy</li>
<li>security implementation</li>
<li>security testing</li>
</ul>
<p>In modern development, it is considered good to write tests to ensure
that the code you write does the right thing. In modern devops, you need
to implement runtime tests to assure yourself that the computers you are
running on are still behaving as you desire.</p>
<h2>quote of note</h2>
<p>Posted 2016-01-27T18:32:13-05:00 by -dsr-</p>
<blockquote>
<p>1 The DOCUMENTATION is my guide; I shall not wonder. 2 It maketh me
to understand the necessary concepts; It leadeth me through the
installation process. 3 It reassureth me; It leadeth me on the happy
path for my desired objectives. 4 Yea, though I work through the
advanced configuration menus, I will fear no failures, for thou art with
me Thy FAQ and thy troubleshooting they comfort me. 5 Thou providest
examples to me in the context of mine use cases. Thou explainest my
expected outcomes. My results are perfect. 6 Surely good performance and
stability will persist throughout the system life And it will run within
the parameters of the DOCUMENTATION forever.</p>
</blockquote>
<p><cite>author: <em>Abi Sutherland</em> at <a
href="http://nielsenhayden.com/makinglight/archives/016428.html">Making
Light</a> </cite></p>
<p>Possibly one in a continuing series. Possibly not.</p>
<h2>do not do this</h2>
<p>Posted 2016-01-15T13:16:57-05:00 by -dsr-</p>
<p>Do not do this:</p>
<ol type="1">
<li>Reduce the number of people working for you in order to save
money.</li>
<li>Induce extra stress in the current staff, leading to:</li>
<li>Lower efficiency of current staff</li>
<li>Hire consultant or offshore group to achieve target production</li>
<li>Reduce productivity across the entire company, at a theoretically
lower cost.</li>
</ol>
<p>Instead, figure out how to improve the efficiency of the current
staff.</p>
<p>That’s hard, you say? If it was easy, they wouldn’t need you to solve
the problems, would they?</p>
<p>Protip: if you can automate something, that increases efficiency for
everyone who touches that thing.</p>
<p><a href="https://xkcd.com/1205/">There is an ObXkcd</a></p>
<h2>comments</h2>
<p>Posted 2016-01-10T17:39:07-05:00 by -dsr-</p>
<p>Why don’t I have comments on this blog?</p>
<p>Short answer: People (not you, probably) are jerks.</p>
<p>Longer answer:</p>
<p>Do you hate spam? I hate spam. And not only is email spam intensely
irritating, but blog-comment-spam is too. If I had comments enabled on
this blog, I would have to spend more time moderating them (removing the
spam, censoring the angry) than I find worthwhile.</p>
<p>I could outsource this, in part, to some other service, like Disqus
or Discourse. However, I’m not fond of Disqus, which is a third-party
service that makes money from advertising. Discourse is acceptable, but
setting it up is a big project. Then securing it would be a big project.
Then keeping it secure would be a big project.</p>
<p>Instead, feel free to email me. There is a link at the bottom of each
page which invites you to send email. Real email, not some weird
web-form that drops your message into a database so vast it could engulf
Sweden without stretching. Go ahead, write to me. If you are a decent
human being, or can simulate one in email, I will probably write
back.</p>
<h2>it might be workflow</h2>
<p>Posted 2016-01-10T14:50:35-05:00 by -dsr-</p>
<p>After whining on my blog about not updating my blog (please nominate
this for the <em>Early 21st Century Problems Only A Certain Small Group
of People Can Have Award</em>) I decided that maybe I was totally
wrong.</p>
<p>I played around with Pelican themes, picked something reasonably
sedate with very little color, added my tao icon (for my main server,
named tao since time immemorial or at least a decade or so), and started
mucking with configuration bits in Python to get the tags working. Turns
out the category system does not do what I want at all, but tags are
peachy.</p>
<p>Then I added user friendly features to the Makefile. Please nominate
that sentence for another prize. Automatic population of headers, less
fussy filenames, let the computer do what computers are good at sort of
thing.</p>
<p>Finally I cut a step out of the deployment process and made it about
forty times faster.</p>
<p>Will it work? Will I write more blog entries, now that I have futzed
with the mechanics enough?</p>
<p>Maybe?</p>
<h2>a musical analogy</h2>
<p>Posted 2015-11-23T11:23:11-05:00 by -dsr-</p>
<p>This morning Itzhak Perlman was on NPR. He said <a href="#fn1"
class="footnote-ref" id="fnref1" role="doc-noteref"><sup>1</sup></a> “If
you say someone 8, 9, 10 years old loves to practice, I would say to you
either someone is lying, or there’s something wrong with them.”</p>
<p>That’s why I’m not a musician. Practicing bores me. And it is
absolutely necessary to get better, so that you can perform, which is
the goal of any musician. Oh, and I hate crowds and the concept of
performing is not something I find appealing.</p>
<p>Playing music is an inhuman task. It involves learning to read a
notation, then translate that into specific motions and breathing and so
forth, all of which has to be done with extreme precision and accuracy
and timing. I expect that people who have gained these skills like
having them, but the amount of time necessary to invest to gain them is
all out of proportion for the reward I would get.</p>
<p>People like to say that programming computers is like music, and they
are right and they are wrong. Computers are instruments… but they are
also the players of the instruments. Programming a computer is not like
being a musician. You do not have to hit keys in the right sequence and
the right timing, you do not have to be perfect. Programming a computer
is like writing music, being a composer. You take an idea in your head
and you turn it into instructions - via a programming language, a
notation - for the players to perform.</p>
<p>I am not much of a composer-programmer. I have never written a
symphony. Instead, I write little ditties that express one theme. They
get the job done.</p>
<p>What I mostly do, in fact, is conduct. Systems administration is
conducting an orchestra of computers. You take music programs written by
other people, and arrange them to be played by the computers you have,
and then you practice with them to get the effect you desire.
Conducting, though, is too much like a performance. You need to have
good timing. You need to understand the whole system and do the right
things at the right time – conducting is a form of dance. Dancers use
their bodies as instruments…</p>
<p>I avoid conducting whenever possible. Instead, I write and test out
choreography for conductors that works with the music written by
composers to get a performance out of the players.</p>
<p>Or, if you prefer, we use DevOps techniques to automate our system
administration tasks in order to get software to run on computer
networks.</p>
<section class="footnotes footnotes-end-of-document"
role="doc-endnotes">
<hr />
<ol>
<li id="fn1" role="doc-endnote"><p><a
href="http://www.npr.org/sections/deceptivecadence/2015/11/23/456781573/my-goal-is-to-not-be-bored-by-what-i-do-itzhak-perlman-at-70">At
NPR</a> – sadly, the quote is not in the transcribed portion.<a
href="#fnref1" class="footnote-back" role="doc-backlink">↩︎</a></p></li>
</ol>
</section>
<h2>how is a tech recruiter different from a used car salesman?</h2>
<p>Posted 2015-10-05T09:52:58-04:00 by -dsr-</p>
<p>Telephone: I’m here! I’m here! Pay attention!</p>
<p>Me: $workplace, $myname here.</p>
<p>Technical Recruiter: Hi! I’m $name from Workbridge Associates, and
I’m specializing in placing DevOps engineers in the Boston area. Let me
tell you about a guy I have. He’s at $company right now, and he writes
Chef cookbooks for JBoss in their AWS environments. He’s also got
several other great qualifications. Are you hiring right now?</p>
<p>Me: Let me ask you one question: what’s the difference between JBoss
and AWS?</p>
<p>Technical Recruiter: [pause] Uh, I don’t know.</p>
<p>Me: Then we’re not hiring right now.</p>
<p>Very long pause. I hear chit-chat in the background.</p>
<p>Not Very Technical Recruiter: AWS is a web service… and… jayboss is a
web framework.</p>
<p>Me: We’re not hiring from you right now. Bye.</p>
<p>Telephone: click</p>
<p>This is a true story, and it happened just a few minutes ago. Minor
changes have been made to protect the clueless and innocent.</p>
<p>(To answer the title question: you expect a used car salesman to be
able to drive a car. Technical recruiters don’t even know what they’re
talking about.)</p>
<h2>non-lethal anti-drone defenses</h2>
<p>Posted 2015-09-11T12:13:12-04:00 by -dsr-</p>
<p>Let us suppose, dear reader, that you are worried about small drone
aircraft – copters, quad and hex and so forth - espying on your private
activities. This is not as completely unreasonable a fear now as it was
a few years ago. A realtime first-person-view drone can be as small as
your hand and still manage 10 minutes of hovering and scooting
about.</p>
<p>Let us also suppose that you are not the sort of maniac who is
willing to shoot a deadly projectile at a rapidly moving small target in
a populated area. If you are that sort of maniac, please move to an
unpopulated area immediately, and put up big signs at your property
border. “I am an armed idiot” might be suitable phrasing.</p>
<p>So, what are the characteristics of a suitable solution? We want to
stop a device which is small, fast, unpredictable, and lightweight. It
is guided by a human (likely to remain true for the next 20 years, when
AI will replace us) who has an OK field of view straight ahead and down
a little.</p>
<ul>
<li>we could use an energy weapon</li>
</ul>
<p>Archimedean solar reflectors would be cool, but aiming is a problem,
as is the availability of sunlight. Lasers are great, except that their
focal distance causes them to have somewhat excessive ranges. Blinding
an aircraft pilot by accident is not a great outcome.</p>
<p>It would be nice to use a jammer to remove the video and perhaps
control interfaces linking the drone to the pilot. Sadly, the FCC frowns
on jamming. This is a tactic that the military could use, perhaps.</p>
<ul>
<li>we could use a projectile weapon</li>
</ul>
<p>Yes, let’s throw something really fast at the drone. Bullets are out.
Anything resembling a bullet is also out - shot from a shotgun, marbles
from slingshots, rocks from slings, arrows and bolts from bows. These
all share the problem of continuing to be dangerous after they miss the
target. We’d like to avoid that.</p>
<p>And we will miss. We will miss a lot, because we are not going to be
practicing every day, and we probably will not want to buy a thousand
drones to let us go target shooting…</p>
<ul>
<li>we could use lots of projectiles</li>
</ul>
<p>It would be nice, but not a firearm. We want the projectiles to
become non-dangerous if they hit something we did not mean to destroy.
Maybe rock salt in a shotgun? Apparently the range is awfully small.
Something else that breaks up over distance, but retains enough energy
to swat a drone 40 or 50 feet up… something like water.</p>
<p>A garden hose does not have the pressure we need – well, not the
pressure as such, but what a pump engineer calls “head” – the vertical
distance that the pump can raise the water stream. Your garden hose is
probably good for about the height of your house. Not good enough.</p>
<p>How about pressure washers? You get a tank, a compressor, and a hose
with a nozzle tip on it. Some of the high-end pressure washers come with
their own gasoline engines. They cost from a few hundred to a couple of
thousand dollars. And all of them seem to assume that you can stick your
nozzle right up within a foot or two of your target. That might
work.</p>
<p>What you really want though, is something more like a fire hose, with
a fire pump to push a lot of water high into the air.</p>
<p>Turns out they sell them on eBay. The low-end systems are designed
for protecting your home – that would be exactly what you want. $600 on
up to the thousands. Easy to aim. Non-lethal. Death on drones.</p>
<h2>server security certificate semi-pro tips</h2>
<p>Posted 2015-05-22T00:00:00-04:00 by -dsr-</p>
<p>Unless you have a good reason not to do so, the services you run on
your server should be encrypted. For the last few years, and probably
the next few, that means you need a security certificate, commonly
called an SSL cert, even though we just stopped using SSL in favor of
TLS, which is exactly the same but slightly more advanced.</p>
<p>(You don’t run a server? OK, the services that you access should be
encrypted. It’s the moral equivalent of sending letters in sealed
envelopes instead of postcards: you do it even when it doesn’t matter
much, because that way you don’t accidentally forget and send a hundred
dollars to your friend by taping it to a postcard. The rest of this post
is for people running servers – mostly, people who run one or two
servers as a hobby or small business. I expect the professionals to
already know all this.)</p>
<p>(But some don’t.)</p>
<p>Sometime in the next few months, you’ll be able to get a
domain-validated SSL certificate for free from <a
href="http://letsencrypt.org">Let’s Encrypt</a>. “Domain-validated”
means that the only security check that was performed is that the
issuing authority – the CA, Certificate Authority – confirmed that the
domain name verified by the certificate is used by the requestor. Some
people say “is controlled by the requestor”, but what it mostly means is
that you can receive email addressed to
<code>postmaster@yourdomain.com</code>. Let’s Encrypt will have a
slightly more complicated (and automated) scheme, but it won’t be more
traceable than that.</p>
<p>If you aren’t running a significant business from your server, Let’s
Encrypt certificates are going to be your first choice. Unfortunately,
they aren’t available quite yet. What should you do in the
meantime?</p>
<p>If your budget is strictly limited, go over to <a
href="http://www.startssl.com">StartSSL</a> and register for a free 1
year certificate. You’ll have to jump through some hoops, but you will
get a certificate trusted by all major browsers, and you shouldn’t have
to deal with them again. Let’s Encrypt should be up in the course of the
next year.</p>
<p>Let’s say you have a small but non-zero budget, and StartSSL is out
for some reason – say, you have already dealt with them and they don’t
want to help you out any more. For nine bucks you can get a Comodo
PositiveSSL cert from any number of resellers. I recommend you use <a
href="https://www.namecheap.com">NameCheap</a>, partially because
they’re cheap for most of their products, and partially because I have
found them to be very reliable and pretty quick. And unlike StartSSL,
their website works on weekends.</p>
<p>Presumably you’re going to want to secure
<code>www.yourdomain.com</code>, or what have you. Here’s my advice:
apply for <code>yourdomain.com</code> instead, assuming that you own it.
Comodo will automatically extend the certificate that they give you to
cover <code>www.yourdomain.com</code> as well.</p>
<p>If you’ve done all that, good. Make sure your operating system and
server software are running the latest available versions, and read up
on current threats. You can run a test at <a
href="http://www.ssllabs.com">SSL Labs</a> to get a really complete
evaluation of how you’re doing – there’s no reason why you can’t score
an A or A+ if you read their HowTo docs.</p>
<h2>optimizing the wrong thing</h2>
<p>Posted 2015-05-01T00:00:00-04:00 by -dsr-</p>
<p>“Premature optimization is the root of all evil.” – Donald Knuth, in
“Structured Programming With Go To Statements”, 1974.</p>
<p>That was more than 40 years ago.</p>
<p>You think we’d have learned that lesson by now.</p>
<p>Of course we have not.</p>
<p>Now, I am prone to a certain technological conservatism. Things that
work are better than things that do not work. New is not better; old is
not worse. Making small changes in something that works is better than
starting over from scratch. At some point this must break down, because
we know that making small changes to a project eventually leads to a
project which hasn’t been designed, but is instead a random assortment
of ideas that seemed good at the time, a crazed patchwork.</p>
<p>Deciding where that line is, is highly political.</p>
<h2>in which I talk about a smartphone</h2>
<p>Posted 2015-03-30T00:00:00-04:00 by -dsr-</p>
<p>I’ve had an LG G2 for about two years now. There are lots of new
flagship Android phones coming out now. Is it time to change?</p>
<p>No.</p>
<p>I need a device which can reliably make and take calls. For some
reason my house is located in a dead zone for all the major carriers
except Sprint. Move 400 meters in any direction and they all work well.
I get decent LTE coverage, too.</p>
<p>I need a large screen, but the device must be small enough to be
comfortably used one-handed. The G2’s rear volume/power buttons help
with that.</p>
<p>I want a high resolution screen – but it turns out I can’t see any
better than the G2’s 424 ppi screen anyway. 1920x1080 and 5.2”.</p>
<p>It should be fast – looks like none of the most recent flagships are
significantly faster than the Snapdragon 800 in the G2.</p>
<p>I want battery life. The G2 has the best battery life of any
smartphone I’ve ever used: I routinely pick it up at 6:30AM and put it
down to recharge at 11PM with about 20% remaining. I have a battery
grapher here that says that on average I have the screen on for 6 hours
a day, and that my record is just over 11 hours of screen on time. I’m
pretty sure that was a weekend when I was using it as a book reader.</p>
<p>The slightly modified OS it’s running – SuperG2 KitKat – is
incredibly stable. I’ve had uptimes of 500+ hours between reboots, and I
can’t recall the last time it rebooted spontaneously.</p>
<p>Finally, I didn’t buy insurance on this phone and I’m glad. Insurance
would want a $100 deductible, and cost about $8/month. I can get a
new-in-box G2 for about $250, or a used one for under $200.</p>
<p>LG’s chosen successor, the G3, doesn’t seem to improve on any of
these points. The G4 will probably be out in August. We’ll see how it
goes. In the meantime, the Samsung Galaxy S6 and the HTC One M9 look
like very nice phones – but they offer no extra value to me over the
G2.</p>
<h2>IPv6 is relatively easy</h2>
<p>Posted 2015-01-15T00:00:00-05:00 by -dsr-</p>
<p>It turns out that if your firewall is a full Linux box, adding IPv6
is relatively easy. I suspect that the main barrier to consumer adoption
is the prevalence of crappy home routers.</p>
<p>There are several free IPv6 tunnel services out there if you aren’t
among the blessed with ISP support. I’m not. SIXXS seems to be designed
to be resistant to abuse, whereas Hurricane Electric wants you to
succeed. I’ve run SIXXS tunnels before, but HE was a much smoother
process.</p>
<p>Checklist:</p>
<ul>
<li>get an address <a
href="http://www.tunnelbroker.net">assigned</a></li>
<li>configure it on your router</li>
<li>install radvd on your router</li>
<li>set up an ip6tables firewall</li>
<li>on each Linux client, add “iface eth0 inet6 auto” or similar. You
won’t need further config…</li>
<li>if you are running a server, check each service to see if you have
IPv6 compatibility turned on. On Debian, if something seems not to be
working after you’ve touched the appropriate config, check /etc/default
for a “-4” or similar.</li>
<li>on Mac clients, check Network Preferences=>Advanced=>TCP/IP
and look for an IPv6 autoconfiguration to turn on.</li>
<li>create AAAA address records for servers you want to have reachable
from the outside world.</li>
</ul>
<p>Note that IPv6 address autoconfig (SLAAC) will always return the same
address for a given MAC. If you change a NIC, you can either force the
MAC to be the same as the old one, or update your DNS. (If you don’t run
any services at all from that machine, you might not care.)</p>
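<p>The SLAAC note above can be checked ahead of time. What follows is an added example, not code from this post: given a /64 prefix and a NIC's MAC address it computes the modified EUI-64 interface identifier (RFC 4291, Appendix A), the address the host will autoconfigure, and the AAAA record you would publish for it, and it shows that swapping the NIC changes the address. Prefix, MAC addresses and host name are constructed sample values. One caveat the post does not mention: the "same address for a given MAC" rule holds only for classic EUI-64 SLAAC; a host with privacy extensions (RFC 4941) or stable-privacy identifiers (RFC 7217) enabled will pick something else, so confirm with <code>ip -6 addr</code> before publishing the record.</p>

```python
"""Predict the SLAAC (modified EUI-64) address a NIC will take on a /64.

Added example for this post, not the author's code. Only classic EUI-64
SLAAC is modelled; hosts using RFC 4941 privacy or RFC 7217 stable-privacy
interface identifiers will autoconfigure a different address.
"""
import ipaddress
import re


def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): split the 48-bit MAC in half,
    insert ff:fe in the middle, and flip the universal/local bit (0x02)
    of the first octet."""
    parts = re.split(r"[:\-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes(int(p, 16) for p in parts)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a 64-bit interface identifier; prefix must be a /64")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def aaaa_record(name: str, prefix: str, mac: str, ttl: int = 300) -> str:
    """Zone-file line for the predicted address."""
    return f"{name}\t{ttl}\tIN\tAAAA\t{slaac_address(prefix, mac).compressed}"


if __name__ == "__main__":
    # Constructed sample values: the RFC 3849 documentation prefix and two MACs.
    prefix = "2001:db8:1234:5678::/64"
    old_nic, new_nic = "00:11:22:33:44:55", "00:11:22:aa:bb:cc"
    print(aaaa_record("www.example.org.", prefix, old_nic))
    # Replacing the NIC changes the interface identifier, hence the address
    # and the AAAA record, which is the point made in the post:
    print(aaaa_record("www.example.org.", prefix, new_nic))
```

<p>Run it once with the old MAC and once with the new one to see the two records you would have to swap in DNS, or keep the old MAC on the new NIC (as the post suggests) and the record stays valid.</p>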
<p>Finally, you’ll want to go back and adjust your ip6tables firewall to
allow the various services you’ve just tested.</p>
lies, damned lies and benchmarks 2014-12-13T00:00:00-05:00 -dsr- tag:blog.randomstring.org,2014-12-13:/2014/12/13/lies-damned-lies-and-benchmarks/
<p>Rule of thumb: if you have a working computer, you shouldn't replace it
with one that's less than twice as fast.</p>
<p>If Moore's Law held true, then that means you can spend the same amount
every 24 months and double your speed. Turns out, Moore's Law isn't true.
Kinda. Sorta.</p>
<p>OK, so <a class="reference external" href="https://en.wikipedia.org/wiki/Moore%27s_law">Moore's Law</a> applies
to chip density, not megahertz or any other measure of performance, and it's
an observation, not a real law. There are periods of fluctuation, and the
point at which it is economical to produce CPUs is always 1-3 years behind
the design phase. Right now commercial feature size is around 22 nanometers;
if you could believe Intel and IBM and AMD in 2010, 14 nm fabs should have
started producing commercial chips this year. They haven't.</p>
<p>So let's go to a benchmark: the PassMark Single Thread CPU Benchmark. See all
those caps? That means they won't tell you quite what they're doing, but you
can compare scores. Not knowing what PassMark is actually doing is
problematic for comparing things that are very different from each other, but
here we are going to end up being within an order of magnitude from top to
bottom anyway.</p>
<p>Here are some sample CPUs, and their reported scores, number of cores, and
a naive extrapolation (approximately multiplying cores by single-thread
score, to represent a sort of ideal parallelized performance):</p>
<table border="1" class="docutils">
<colgroup>
<col width="47%" />
<col width="19%" />
<col width="19%" />
<col width="16%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">CPU</th>
<th class="head">Score</th>
<th class="head">#cores</th>
<th class="head">S*n</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>AMD 5350</td>
<td>804</td>
<td>4</td>
<td>3200</td>
</tr>
<tr><td>AMD Athlon X4 640</td>
<td>878</td>
<td>4</td>
<td>3500</td>
</tr>
<tr><td>Intel Core 2 E6600</td>
<td>920</td>
<td>2</td>
<td>1800</td>
</tr>
<tr><td>AMD FX-4130</td>
<td>1269</td>
<td>4</td>
<td>5000</td>
</tr>
<tr><td>Intel Core i3-3225</td>
<td>1786</td>
<td>2</td>
<td>3600</td>
</tr>
<tr><td>Intel Core i5-2500</td>
<td>1896</td>
<td>4</td>
<td>7600</td>
</tr>
<tr><td>Intel Pentium G3258</td>
<td>2179</td>
<td>2</td>
<td>4300</td>
</tr>
<tr><td>Intel Core i3-4770</td>
<td>2240</td>
<td>2</td>
<td>4500</td>
</tr>
</tbody>
</table>
<p>You may notice that all of these are cheap-ish desktop CPUs. I don't
play games on these machines, and I especially don't play 3D games.
The 5350 is in fact marketed as one step up from an embedded system (and
I'm using it in my new firewall); the i3 series is supposed to be Intel's
basic business desktop. Not one of them has ever been the top-of-the-line.</p>
<p>So, in everyday use, does either the score or the score*#cpus represent
how fast the machines feel? There's a factor of 3, almost, in single thread
scores, and a factor of 6 in the parallel scores.</p>
<p>Kinda, sorta, not really.</p>
<p>I don't run complex calculations for the sake of doing the math. I push
a lot of pixels, but only in 2 dimensions, which barely counts these days.
And the truth is, I don't really feel the difference in CPU speed between
the E6600 and the i5, both of which I use as desktops on a daily basis.</p>
<p>In fact, I don't really notice any CPU differences. Here's what I notice:</p>
<ul class="simple">
<li>the difference between machines with just enough RAM and loads of RAM</li>
<li>the difference between machines with SSDs and spinning disks</li>
</ul>
<p>That's it. Want a fast machine for cheap? Take a low-end CPU, add lots of
RAM (16GB and up) and get a reliable SSD. Back it up automatically every
night. You can build it yourself for about $450 or so, maybe less.</p>
<p>For what it's worth, PassMark says that the best single-thread cpu on the
planet tops out at 2535, which is a little more than 3x the performance
of chips so cheap you can barely buy them anymore. And remember that the
Pentium G3258, at 2179, is only $60 or so. That looks pretty promising.</p>
easy vs complete: system stats 2014-11-22T00:00:00-05:00 -dsr- tag:blog.randomstring.org,2014-11-22:/2014/11/22/easy-vs-complete-system-stats/
<p>If you are the sort of person who wants to know about the performance
of one or more computers, you should know that lots of people share your
desires. As a result, there are many software packages that do one or
more of gathering information, storing it, graphing it, displaying the
graphs, and perhaps generating alerts based on the information
received.</p>
<p>Most of the time, though, you can skip researching all those and go
directly to small, medium or large.</p>
<p>The small option is <a href="http://munin-monitoring.org">munin</a>.
It’s small enough that if you have just one machine, it’s reasonable to
install munin. Config on the master node takes just a few minutes;
config on the client nodes is usually non-existent unless you have funky
DNS. You get pretty graphs with some history, the ability to group by
nodes or services, and you can look at a live <a
href="http://demo.munin-monitoring.org">demo.</a></p>
<p>What don’t you get? If you have a non-UNIX client, you need SNMP
support. There’s no Windows support other than SNMP, though Mac OS X can
be either a master or client. Finally, there’s not much history or
precise statistics – munin tells you more about trends and where you
should be looking for problems.</p>
<p>The medium option is <a
href="http://www.observium.org">observium</a>. Observium only does SNMP,
no client-side, which makes it extremely easy to add a new client node –
just tell Observium the IP or name and anything odd about the SNMP
access configuration. On the other hand, you don’t set up individual
SNMP checks – Observium will try <em>everything</em> it knows about, and
Observium knows a lot about SNMP. There’s graphing and grouping and a
fancier, more interactive web control panel than munin. It looks like
Observium will add monitoring/alerting capabilities soon, though I
haven’t tried them out yet. Also, observium really wants to run on its
own FQDN – if you don’t run DNS, munin is really a better choice for
you.</p>
<p>The large option, for people with really complex or large-scale
needs, is a combination of <a
href="http://www.collectd.org">collectd</a> and <a
href="http://graphite.readthedocs.org">graphite</a>. Collectd acts as
the client, graphite charts the results, and there are options for
storing all the history, writing your own queries, and everything else
that you might want to do. The basic tradeoff is that you will need to
invest time in learning the systems and writing your configuration
carefully; in return, you can scale to horrendous numbers of systems and
sort through exact numbers in search of patterns completely beyond the
grasp of lesser systems.</p>
the real problem with systemd 2014-11-18T00:00:00-05:00 -dsr- tag:blog.randomstring.org,2014-11-18:/2014/11/18/the-real-problem-with-systemd/
<p>Let’s quote a Debian Developer, who I will not name:</p>
<p>“Oh, and by the way, systemd bloody works on my system. I can’t even
remember when I switched to it. It Just Worked.”</p>
<p>The problem with systemd is that he’s got one system, not five
hundred, and he somehow thinks that makes it a representative
sample.</p>
<p>I don’t have any such confidence.</p>
want ads for technical jobs 2014-11-15T00:00:00-05:00 -dsr- tag:blog.randomstring.org,2014-11-15:/2014/11/15/want-ads-for-technical-jobs/
<p>HOT hot HOT startup needs Rock Star dev! Only apply if U R THE BEST!
Work hard/play hard! 120 hour weeks but we have kegs in the break room
and four subwoofers in the game room! Just like college but no classes,
except Java classes, amirite?</p>
<p>No, thanks.</p>
<p>Demanding a rockstar is a sign that you don’t know how to accomplish
your goals and you want Superman to bail you out.</p>
<p>What does a good employment ad look like?</p>
<p>I workshopped my last employment ad through the <a
href="http://www.lopsa.org">LOPSA</a> (League of Professional Systems
Administrators) mailing list; I think it was improved immensely. People
told me what their actual desires are:</p>
<ul>
<li>Above all else, clarity</li>
<li>A description of what the company does</li>
<li>A description of the actual duties of the advertised position</li>
<li>A description of the likely future of the position or the career
path of a person working in that position</li>
<li>Office hours, on-call hours, weekend hours</li>
<li>Skills that are actually needed</li>
<li>Lists of technologies actually in use</li>
<li>Goals of the group</li>
<li>Professional development opportunities</li>
</ul>
<p>And what they don’t want to see:</p>
<ul>
<li>Rockstar/Ninja/Pirate/Robots!</li>
<li>Descriptions of how lush the HQ or breakrooms are</li>
<li>“Marketing speak” about what the company or group does</li>
<li>Anything that comes across as pretentious, self-aggrandizing or
insincere</li>
</ul>
<p>It shouldn’t come as a surprise that people prefer to be treated as
mature adults, rather than as boisterous teenagers.</p>
when moving isn't moving so much 2014-11-14T00:00:00-05:00 -dsr- tag:blog.randomstring.org,2014-11-14:/2014/11/14/when-moving-isnt-moving-so-much/
<p>I’ve been in charge of IT at my employer for the last eleven years,
and that means I’ve been in charge of moving the infrastructure of HQ
four times. (Cambridge office space is a vicious market.) In that time
we lost no employees because of the moves.</p>
<p>I attribute this to a few simple things.</p>
<p>First, there is an understanding that the company’s moves are
dictated by the market. We seem to have a knack for picking spaces that
will be much more valuable when our lease is up. In two cases, Microsoft
has decided that the building we were in was perfect for them. If MS
decides that they want to occupy a large chunk (or all) of a building,
nobody smaller than Google can afford to counterbid.</p>
<p>Second, there is an understanding that the company will stay near the
Red Line, somewhere north of South Station and possibly as far out as
Alewife. In practice we’ve moved between Harvard, Central and Kendall. I
think the best was at 1 Cambridge Center, which is built on top of the
Kendall Square T station. MS has that now. They had a new exterior
elevator built in an inconvenient location in order to have private
elevator service…</p>
<p>Third, we haven’t been victims of <a
href="http://www.joelonsoftware.com/articles/OfficeNewYork.html">Whyte’s
Rule</a> – corporate headquarters always move to minimize the CEO’s
commute. Our president lives in Cambridge, and sometimes his commute
gets a little longer and sometimes a little shorter.</p>
<p>To sum up, you can keep your employees happy even with frequent moves
if you are consistent, open, and keep to the same general area.</p>
a new firewall 2014-11-09T00:00:00-05:00 -dsr- tag:blog.randomstring.org,2014-11-09:/2014/11/09/a-new-firewall/
<p>I decided that my next firewall would not be a home wifi router
thing, even running OpenWRT – I wanted something that I knew I could
upgrade and configure to handle whatever comes down the pipe next.</p>
<p>And I wanted it to be fast.</p>
<p>And I wanted it to be cheap.</p>
<p>After appropriate research, I sadly discarded the idea of getting a
Ubiquiti EdgeRouter Lite. It’s cheap – $99 – and fast – wirespeed
gigabit routing on three ports – but the OS it runs is almost but not
quite a supported release. While based on Debian, it lags a major
version behind and there is no community-supported toolchain to build it
yourself.</p>
<p>(If that changes, it would be a great option for most people. And if
you aren’t horrified by these lacks, it might be good for you now.)</p>
<p><em>edit from the future, mid-2015: Ubiquiti is also violating the
GPL. That should concern you, too.</em></p>
<p>I thought about buying a PCengines micro PC. They’re reasonably cheap
if you assemble them yourself, and can run a standard Linux. Power draw
is pretty low, 5-15W. While searching NewEgg, I discovered that the
high-end of that range is available from a motherboard manufacturer as
an almost-complete unit: <a
href="http://www.newegg.com/Product/Product.aspx?Item=N82E16856107110&cm_re=t40e-_-56-107-110-_-Product">Jetway
G-T40E barebone PC</a> for $220. I almost got that. Two ethernet ports
and WiFi on the motherboard, in a nice small case.</p>
<p>Turns out that the successor to AMD’s T40 is a relatively new chip
called the Athlon 5150 or 5350, depending on speed. And NewEgg had a
sale bundle: buy a 5350, an MSI AM1I motherboard, and a miniITX case for
$118, about $40 off the regular price of all three. The miniITX case had
excellent reviews, takes a standard ATX power supply, and even came with
a thermally-regulated 120mm fan in front.</p>
<p>So I got that, a 64GB SSD, and a power supply. I had several 2GB RAM
sticks lying around, and 4 GB is certainly enough for a firewall. Intel
gigabit NICs run $20-30 apiece. All together, I got a modern
small-but-not-tiny machine for about $220.</p>
<p>But how fast does it boot? About 3 seconds for BIOS initialization, a
5 second delay for GRUB to see if a human wants to stop the boot, and
then 4.3 seconds to a login prompt, an additional 3 seconds for the
ethernet to be up and happy. Call it 15 seconds from cold.</p>
<p>Debian Wheezy, 7.7, x86-64 architecture, 4GB RAM, that’s a CPU with a
maximum TDP of 25W and an idle around 5W.</p>
two stage mail filtering 2014-10-30T00:00:00-04:00 -dsr- tag:blog.randomstring.org,2014-10-30:/2014/10/30/two-stage-mail-filtering/
<p>Sure, you have a system which automatically filters incoming mail
into appropriate folders – most of these are for mailing lists, a few
from specific companies or people – but you still have mail that comes
in to your inbox specifically because you want to see it and deal with
it.</p>
<p>After you’ve read it and done something about it, you want to archive
it, because storage is cheap and more reliable than your memory. Do you
throw it all in a pile?</p>
<p>Some people do throw it all in a pile, and trust to their full-text
indexer (<code>mairix</code>, <code>mu</code>, <code>notmuch</code>…) to
find it for them later. If you don’t have a full-text search system, any
of the three I just mentioned are a good idea.</p>
<p>Even if you do have that set up, sometimes you just want to browse.
It sure would be nice if you could do that without sucking in 120,000
messages to find the ones about credit cards, right? And the obvious
answer is that you save messages to folders rather than dumping them in
one pile.</p>
<p>Let’s do that automatically, with a second stage mail filter. Since I
use <code>maildrop</code> as my incoming filter, I’ll use it for my
archive filter as well. If you like <code>procmail</code>, use that. Any
filter that can use a non-default rules file will work.</p>
<p>In an incoming mail filter, you often filter on List-Id,
Mailing-List, Sender and other specialized headers. So far I’ve found
that those aren’t very useful for an archive filter. Mail that you want
in your inbox doesn’t come from a mailing list. Most matches will be on
From: or To:.</p>
<p>Start with a new file. Maildrop defaults to
<code>$home/.mailfilter</code>, so we’ll write
<code>$home/.mailfilter-archive</code>:</p>
<pre><code>if (/^From:.*root@.*localdomain/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.system/"
if (/^From:.*@retailer.com/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.commerce/"
if (/^To:.*school@domain.edu/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.school/"
if (/^To:.*family@localdomain/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.family/"
#default
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.archive/"
</code></pre>
<p><code>deliver-to-maildir</code> is courtesy of <a
href="http://www.tropic.org.uk/~edward/homepage/deliver-to-maildir/deliver-to-maildir">Edward
Speyer</a> – I’m using it specifically because of the ability to specify
that the mail goes in the <code>Maildir/cur</code> directory, rather
than <code>new</code> which is what a naive use of <code>to</code> or
<code>cc</code> would do.</p>
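<p>Before wiring the filter into <code>mutt</code>, it is worth dry-running the rules against a few messages to see where each one would land. The following is an added example, not maildrop and not the author's code: a small Python routine that understands only the <code>if (/regex/:h)</code> and <code>to "…"</code> subset used in the rules file above, applies first-match-wins the way maildrop's <code>to</code> stops processing, and falls through to the trailing default. The sample messages are constructed. This simulation treats a pattern without a <code>:D</code> flag as case-insensitive; check <code>maildropfilter(7)</code> for the real flag semantics if you rely on case.</p>

```python
"""Dry-run a maildrop-style archive filter against sample messages.

Added illustration, not maildrop itself: only the `if (/regex/:h)` and
`to "..."` subset used in the post's .mailfilter-archive is understood.
"""
import re
from email import message_from_string
from email.policy import default as EMAIL_POLICY

# Copy of the rules file from the post, embedded so this runs stand-alone.
ARCHIVE_RULES = r'''
if (/^From:.*root@.*localdomain/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.system/"
if (/^From:.*@retailer.com/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.commerce/"
if (/^To:.*school@domain.edu/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.school/"
if (/^To:.*family@localdomain/:h)
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.family/"
#default
to "| /usr/local/bin/deliver-to-maildir seen $HOME/Maildir/.archive/"
'''

IF_RE = re.compile(r'^if\s*\(\s*/(?P<pat>.*)/(?P<flags>:[A-Za-z]*)?\s*\)$')
TO_RE = re.compile(r'^to\s+"(?P<target>.*)"$')


def parse_rules(text):
    """Return ([(compiled_regex, maildir), ...], default_maildir)."""
    rules, default, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IF_RE.match(line)
        if m:
            flags = m.group("flags") or ""
            # Assumption of this simulation: case-insensitive unless :D is given.
            opts = re.MULTILINE | (0 if "D" in flags else re.IGNORECASE)
            pending = re.compile(m.group("pat"), opts)
            continue
        m = TO_RE.match(line)
        if m:
            maildir = m.group("target").split()[-1]  # last word of the deliver command
            if pending is None:
                default = maildir                    # a bare 'to' is the catch-all
            else:
                rules.append((pending, maildir))
                pending = None
            continue
        raise ValueError(f"unsupported line in rules file: {raw!r}")
    if default is None:
        raise ValueError("rules file has no default 'to' at the end")
    return rules, default


def route(rules, default, raw_message):
    """Folder a message would be filed into; first match wins, like maildrop's 'to'."""
    msg = message_from_string(raw_message, policy=EMAIL_POLICY)
    # ':h' patterns are matched against the header block, one header per line.
    headers = "".join(f"{name}: {value}\n" for name, value in msg.items())
    for regex, maildir in rules:
        if regex.search(headers):
            return maildir
    return default


if __name__ == "__main__":
    # Constructed sample messages, one per expected folder plus a fall-through.
    samples = [
        "From: root@fw.localdomain\nTo: me@example.org\nSubject: cron output\n\nbody\n",
        "From: orders@retailer.com\nTo: me@example.org\nSubject: receipt\n\nbody\n",
        "From: uncle@example.org\nTo: family@localdomain\nSubject: reunion\n\nbody\n",
        "From: uncle@example.org\nTo: me@example.org\nSubject: hello\n\nbody\n",
    ]
    rules, default = parse_rules(ARCHIVE_RULES)
    for text in samples:
        print(route(rules, default, text), "<-", text.splitlines()[0])
```

<p>Feed it the real <code>.mailfilter-archive</code> and a handful of messages saved from your inbox and you can see the effect of a rule change before it files anything.</p>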
<p>Next, we need to be able to summon this filter from
<code>mutt</code>. In your <code>.muttrc</code>:</p>
<pre><code>macro index Z "<enter-command>unset wait_key\n<pipe-message>maildrop $HOME/.mailfilter-archive<return><delete-message><enter-command>set wait_key\n"</code></pre>
<p>I specify the scope of the macro as index because it’s most useful
when you have finished dealing with a message – I suppose that the pager
might be a useful additional scope. <code>Z</code> becomes the key to
automatically file a message after you’re done with it; if the filter
doesn’t know where to put it, the default at the end kicks in and drops
in a big archive pile, which is not worse than before.</p>
<ul>
<li>2019 edit: deliver-to-maildir is defunct, but fear not: there’s an
even better way to do this. See <a
href="https://blog.randomstring.org/2018/07/26/a-nice-improvement-in-maildrop/">the
updated article</a></li>
</ul>
removing systemd from a Debian jessie system 2014-10-14T00:00:00-04:00 -dsr- tag:blog.randomstring.org,2014-10-14:/2014/10/14/removing-systemd-from-a-debian-jessie-system/
<p>Let’s say you install a new Debian system using the Jessie release,
which will become the next stable release in a few months. And let’s say
that you would prefer not to be enmeshed in systemd.</p>
<p>Too bad.</p>
<p>However, you can remove it.</p>
<p>Here’s how:</p>
<pre><code># apt-get install sysv-rc sysvinit-core sysvinit-utils
# apt-get purge systemd libpam-systemd systemd-sysv
# echo udev_log=\"err\" >> /etc/udev/udev.conf
# update-initramfs -k all -u
# shutdown -r now</code></pre>
<p>For my sample KVM virtual machine, 1 cpu core and 512MB allocated on
a reasonably idle i5-2500 desktop:</p>
<ul>
<li>boot time on a default install: 1.33s</li>
<li>boot time on a sysvinit without the udev.conf change: 32.18s</li>
<li>boot time on a sysvinit with the change: 1.37s</li>
</ul>
fail2ban and the repeat offender 2014-09-25T00:00:00-04:00 -dsr- tag:blog.randomstring.org,2014-09-25:/2014/09/25/fail2ban-and-the-repeat-offender/
<p>An IP address does not identify a person. It does not reliably
identify a computer. It does identify an organization, but that’s rather
nebulous.</p>
<p>But in the short term, when someone on the internet is poking at your
systems and trying to get in – and that’s happening right now, to you,
and to everyone else – the source IP address does represent something.
Think of it as a temporary alias for a bad guy.</p>
<p><a
href="http://www.fail2ban.org/wiki/index.php/Main_Page">fail2ban</a>
is a daemon that watches your logs for failed attempts to get in. Then
it inserts firewall rules to block those IP addresses for a short period
of time, usually minutes to days. It’s complex (bad) and depends on
regexps, which are easy to screw up.</p>
<p><img src="http://imgs.xkcd.com/comics/perl_problems.png"
alt="Now you have two problems" /> from <a
href="http://xkcd.com/1171/">XKCD #1171</a></p>
<p>For certain situations, fail2ban is an approximation of the best that
can be done. What situations? Well, if you have a network service that
you want to offer to the public at large, or to specific people but you
can’t nail down the IP addresses they will be coming from, and you also
want to avoid letting Mallory guess your passwords by brute force.</p>
<p>You might also consider using fail2ban if you have a well-secured
service like ssh with required key authentication, and you just want to
make the automatic harassment attempts stop. (It would be nice if sshd
came with an option to signal a client that only keys are allowed, but
that would probably signal other things that would harm the net as a
whole.)</p>
<p>In any case, fail2ban is short-term. What do you do for an IP address
that comes and knocks on all your doors and windows persistently?</p>
<p>(If you’re me, you write an email to the organization that controls
the IP address in question. Most ISPs will listen to complaints with log
excerpts. Those that won’t, I stop telling them.)</p>
<p>There is a <a
href="http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban/">simple
config for fail2ban</a> that searches through your logs for repeat
offenders and institutes a longer ban. You don’t want to replace your
short-term bans with this, it’s a supplement.</p>
<p>I’m not sure a one year ban is a great idea, even for an IP address
that gets banned 21 times, but a month to three months seems
plausible.</p>
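<p>The linked config does its counting from fail2ban's own log, and the same idea can be checked by hand. What follows is an added example, not the linked config and not fail2ban's own <code>recidive</code> jail (which is the production way to do this): it parses <code>Ban</code> lines from constructed <code>fail2ban.log</code>-style input, counts bans per address inside a sliding window, and proposes a longer ban that starts at a month and is capped at three months, the range suggested above. The threshold of five bans in thirty days and the escalation step are my assumptions, not values from the post; the addresses are RFC 5737 documentation addresses, and one line is deliberately malformed to show that the parser skips rather than trusts it.</p>

```python
"""Find repeat offenders in a fail2ban log and propose a longer ban.

Added illustration for this post; fail2ban's own 'recidive' jail does the
same job in production. Thresholds are assumptions, not the post's values.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in fail2ban.log style, using RFC 5737 documentation
# addresses. The last line is deliberately malformed.
SAMPLE_LOG = """\
2014-09-20 03:12:01,441 fail2ban.actions: WARNING [ssh] Ban 203.0.113.45
2014-09-20 03:22:01,512 fail2ban.actions: WARNING [ssh] Unban 203.0.113.45
2014-09-21 11:05:44,009 fail2ban.actions: WARNING [ssh] Ban 203.0.113.45
2014-09-22 08:41:13,777 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2014-09-23 19:00:02,101 fail2ban.actions: WARNING [ssh] Ban 203.0.113.45
2014-09-24 02:30:55,330 fail2ban.actions: WARNING [ssh] Ban 203.0.113.45
2014-09-25 06:15:27,815 fail2ban.actions: WARNING [ssh] Ban 203.0.113.45
2014-09-25 07:00:00,000 fail2ban.actions: WARNING [ssh] Ban not-an-address
"""

# Timestamp, optional "[pid]" after the logger name, level, jail, action, address.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\S*:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(log_text):
    """Yield (timestamp, jail, address) per 'Ban' line; unbans, unrelated
    lines and malformed addresses are skipped rather than trusted."""
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("jail"), addr


def repeat_offenders(log_text, threshold=5, window_days=30, now=None):
    """Addresses banned at least `threshold` times in the `window_days`
    before `now` (default: the newest ban in the log). Returns {address: count}."""
    bans = list(parse_bans(log_text))
    if not bans:
        return {}
    now = now or max(ts for ts, _, _ in bans)
    window = timedelta(days=window_days)
    counts = defaultdict(int)
    for ts, _, addr in bans:
        if timedelta(0) <= now - ts <= window:
            counts[addr] += 1
    return {str(a): n for a, n in counts.items() if n >= threshold}


def proposed_ban_days(ban_count, threshold=5):
    """Assumed escalation: 30 days at the threshold, 30 more per extra ban,
    capped at 90 days (the 'month to three months' range)."""
    if ban_count < threshold:
        return 0
    return min(90, 30 * (ban_count - threshold + 1))


if __name__ == "__main__":
    for addr, n in sorted(repeat_offenders(SAMPLE_LOG).items()):
        print(f"{addr}: banned {n} times in 30 days -> propose a {proposed_ban_days(n)}-day ban")
```

<p>Point <code>repeat_offenders</code> at the contents of <code>/var/log/fail2ban.log</code> and the output is the list you would hand to a long-ban jail, with the short-term bans still doing their job underneath.</p>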
<p>There’s also mass IP banning, in which you decide that there’s nobody
in Vietnam or Thailand or Austria or whatever who will legitimately
access your service, so you whack everything coming from IPs registered
to that country. It’s not a very friendly thing to do, but you might
have justifications. Beware if you ever travel to those places, though –
you will probably not remember that you blocked them until it’s too late
to log in and carve an exception for yourself.</p>
shellshock explanations 2014-09-25T00:00:00-04:00 -dsr- tag:blog.randomstring.org,2014-09-25:/2014/09/25/shellshock-explanations/
<p>Today or tomorrow you’re going to start hearing about “ShellShock”, a
vulnerability in approximately all UNIX, Linux, and Mac OS X systems,
and probably a few Windows systems.</p>
<p>Is it a big deal? Yes, definitely.</p>
<p><em>edited later that day</em></p>
<p>Is it something that you can do anything about as an end user? A
little, which you should do, but it won’t help much. (Apply security
updates in the next few days; you should be doing this all the time, but
even more so now.)</p>
<p>Should you worry about it beyond that? To the extent that you aren’t
a sysadmin, no. To the extent that you’re my father, run:</p>
<pre><code>sudo apt-get update
sudo apt-get upgrade</code></pre>
<p>Now the technical part, which I will attempt to make both
non-technical and mostly correct.</p>
<p>You know that UNIX people use command-line interfaces all the time.
Those are the long lines of green text that hackers type in movies.
Those are real, though most of the things that hackers do in movies with
command lines can’t actually be done. Command-line interfaces are called
shells, because they form a thin layer between your fingers and the
important stuff underneath.</p>
<p>One of the most popular programs for managing those command-line
interfaces is called bash, the Bourne-Again Shell. Yes, it’s a pun on
the name of a previous version. bash has been in use for over 25 years,
and people keep adding features to it and turning it into a complete
programming environment (albeit a very primitive and generally
uncomfortable programming environment).</p>
<p>It was recently discovered that an attacker can pass some specially
formatted data to the bash shell which, wrongly, bash will decide is a
valid command. Normally we wouldn’t worry very much about this, because
you need to be an authorized user of a system before you get access to a
bash command-line.</p>
<p>However, bash is very widely used as a sort of glue in between other
programs; it’s very fast and easy to do that, and although “everyone
knows” that you should replace it with a more permanent method, somehow
that doesn’t happen until there’s a performance problem. Then you’ll
often find that calling up bash isn’t very fast, just convenient. So
lots of places in many systems just do the convenient thing. Web
servers. Network tools. Infrastructure where it’s more important to get
things working right now than anything else.</p>
<p>And as a result of that convenience, we now have methods for evil
people to run code on our systems – mostly in places that we haven’t
looked at in a long time.</p>
<p>Fixes were issued yesterday for many systems, and more will come in
today, but it also looks like the first fix may not have been complete,
and a second one is being tested.</p>
<p>EDIT: by 1900 Eastern, a second patch has been generally agreed on
and released for general distribution. The problem now reduces to the
all too familiar race of finding and patching computers that are running
bash.</p>