gushi: (Default)

Gmail outright rejects mail from my server delivered via ipv6, but allows it via ipv4.

What this means is that I'm going to have to simply maintain a list of Gmail MX AAAAs and pump them into ipfw reset rules like:

reset tcp from me to 2a00:1450:400c:c02::/64 dst-port 25
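Maintaining that list by hand gets old, so here is an added example (not the post's own script) that looks up the MX hosts of a domain, collects their AAAA records, collapses them to /64s and prints the matching ipfw rules. It assumes host(1) is installed for the MX lookup, that rule numbers from 1000 up are free in the local ruleset, and uses ipfw's `me6` keyword for the host's own IPv6 addresses.

```python
"""Generate ipfw reset rules for the IPv6 addresses of a domain's MX hosts,
so outbound SMTP to them fails fast over IPv6 and the MTA falls back to IPv4.

Added example, not the post's script. MX lookup is delegated to host(1)
(assumed installed; the standard library has no MX resolver), AAAA lookup
uses getaddrinfo. Rule numbers and the `me6` keyword are assumptions.
"""
import ipaddress
import socket
import subprocess
import sys


def mx_hosts(domain):
    """Return the MX hostnames of `domain` via host(1). Needs network access."""
    out = subprocess.run(["host", "-t", "mx", domain], capture_output=True,
                         text=True, check=True).stdout
    hosts = []
    for line in out.splitlines():
        # host(1) prints e.g. "gmail.com mail is handled by 5 mx.example."
        if " mail is handled by " in line:
            hosts.append(line.rsplit(" ", 1)[1].rstrip("."))
    return hosts


def aaaa_records(hostname):
    """Return the IPv6 addresses of `hostname` (empty if none). Needs network."""
    try:
        infos = socket.getaddrinfo(hostname, 25, socket.AF_INET6,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reset_rules(addresses, first_rule=1000, prefixlen=64):
    """Collapse `addresses` to /prefixlen networks (one rule per network,
    deduplicated) and emit ipfw commands with consecutive rule numbers, so
    the whole block can be deleted and regenerated when the MX list changes.
    """
    nets = sorted({ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
                   for a in addresses})
    return [f"ipfw add {first_rule + i} reset tcp from me6 to {net} dst-port 25"
            for i, net in enumerate(nets)]


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "gmail.com"
    addrs = [a for h in mx_hosts(domain) for a in aaaa_records(h)]
    print("\n".join(reset_rules(addrs)))
```

Re-run it from cron and compare the output with the installed rules; MX AAAA records change without notice.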


On the same note, I keep getting added to various Google Groups that send me a bunch of Indian CVs for people seeking employment. Google apparently will let anyone be added to a Google Group without confirmation.

I keep maintaining a procmail rule that looks like this:

:0
* 1^0 ^List-ID:.*.shaikhgroups.net
* 1^0 ^List-ID:.*zain-22.zaryabi.info
* 1^0 ^List-ID:.*hadi-20.hadebad.info
# ...more goes here
| /home/danm/spamcopquick.pl

I should probably write a SpamAssassin module that detects this crap and, once it does, rather than filtering on the body, detects the list header and reports it as appropriate. (I don't want to reject at SMTP transaction time, because I want the lists to get onto Google's radar as a problem that's not simply a delivery issue.)
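Here is what that header-based detection looks like, as an added example (not the post's procmail rule or spamcopquick.pl): it parses a raw message, matches the List-ID domain against the list domains from the rule above, and returns the headers a report would need. The sample message and the report format are constructed.

```python
"""Header-based detection of unwanted list mail: key on List-ID, not the body.

Added example, not the post's procmail rule or its reporting script. The list
domains are the ones in the post's rule; the sample message is constructed.
"""
import email
import re
from email import policy

# Domains from the post's procmail rule; matched against the List-ID domain only.
BLOCKED_LIST_DOMAINS = {"shaikhgroups.net", "zain-22.zaryabi.info",
                        "hadi-20.hadebad.info"}

# RFC 2919 List-ID: optional description, then the list-id in angle brackets.
LIST_ID_RE = re.compile(r"<([^>]+)>\s*$")

# Constructed sample in the shape of a group message on one of those lists.
SAMPLE_MESSAGE = b"""\
From: Recruiter <recruiter@example.invalid>
To: danm@example.invalid
Subject: Profile for Java developer
Message-ID: <constructed-0001@example.invalid>
List-ID: CV Exchange <cv-exchange.shaikhgroups.net>
List-Post: <mailto:cv-exchange@shaikhgroups.net>
List-Unsubscribe: <mailto:cv-exchange+unsubscribe@shaikhgroups.net>

Please find attached the profile of ...
"""


def list_id(msg):
    """Return the bare list-id (lowercase, no description or brackets), or None."""
    raw = msg.get("List-ID")
    if raw is None:
        return None
    m = LIST_ID_RE.search(str(raw))
    return (m.group(1) if m else str(raw)).strip().lower()


def blocked_domain(lid):
    """Return the blocked domain `lid` belongs to, or None. Matching happens on
    label boundaries so 'jobs.notshaikhgroups.net' does not trigger."""
    for dom in BLOCKED_LIST_DOMAINS:
        if lid == dom or lid.endswith("." + dom):
            return dom
    return None


def classify(raw):
    """Parse a raw RFC 5322 message. Return a report dict if its List-ID is on a
    blocked list domain, else None. The report carries what a complaint to the
    list operator needs; the message itself is still accepted, as the post
    wants, rather than rejected at SMTP time."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    lid = list_id(msg)
    if lid is None:
        return None
    dom = blocked_domain(lid)
    if dom is None:
        return None
    return {
        "list_id": lid,
        "blocked_domain": dom,
        "list_post": msg.get("List-Post"),
        "list_unsubscribe": msg.get("List-Unsubscribe"),
        "message_id": msg.get("Message-ID"),
        "from": msg.get("From"),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
```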

Note: Looks like this journal theme doesn't show the markdown "code" properly. Dammit.

gushi: (Default)

TV:

  • Tell my apple TV to turn off my lights via Siri.
  • Bring up an app on my TV to turn off my lights.
  • Use find my friends on my TV.
  • Use find my iphone on my TV.
  • Use the awful "TV Remote" app to turn on my TV.
  • Connect a camera or microphone to my TV so I can use it for Skype or Facetime.

New Macbooks:

  • Use any thumbdrive that's out there without an adapter.
  • Not worry about my power cord pulling my macbook off my desk.
  • Use an apple pencil on a macbook.
  • Use my $1000 thunderbolt display to talk to a modern mac pro.
  • Use the existing cache of magsafe adapters I'd built up.
  • Plug an sdcard in.

(Seriously, would it have killed you to ALSO put a magsafe port on these things? Or make a magsafe-to-usb-c adapter that would permanently live in the mac?)

Desktops:

  • Buy any desktop mac that supports all this new USB-C nonsense.
  • Buy any desktop speakers that I can plug my earpods into and have the mic work.

MacOS:

  • Find a knob that makes the "maximize" button work the way it used to.
  • Not keep a local cache of ALL my mail from my imap server.
  • Use a decent third-party mail encryption app.
  • Control homekit devices via siri on a mac (or via any app?)
  • Sync my MacOS/Time Machine backups to icloud. Or, do over-the-air backups of my phone to my Time Machine server.
  • Use standard OTR Jabber encryption.
  • Sync up which machines I've "seen" a given Jabber message on, so I don't have to go "read" a given message on every system.
  • Save a bookmark to the "root" folder of my bookmarks.

Watch:

  • Ping my watch via control-center from my phone.
  • Have my watch alert me -- noisily, when I forget my phone.
  • Just light up the screen as a flashlight (just...turn it white).
  • Use my watch to control my ipad (which may be tethered to a media center).
  • Get haptics from third-party apps like Waze.
  • Initiate a call ON MY PHONE from my watch. (Any "Hey Siri, Call Bob Smith" will cause the WATCH to make the call).

Family Sharing/AppleID/iCloud:

  • Allow my family members a choice in where they make their purchases from -- the shared card, or their own. (Hint: not all families are the same -- my family is two adults).
  • Allow my family calendar to be shared to non-family-members. Even with an odd nonstandard family like mine, families may want to share their schedule with a maid, or a Nanny, or an event planner.
  • Allow partial opt-in to Family Sharing. (I.e. letting an adult join my family without letting me wipe their device)
  • Merge two appleIDs: I have one for the store and one for iCloud, from back in the day where I was told an appleID must be at mac.com. I'd love to just have these merged.
  • Use an API to access my bookmarks.

iPhone:

  • Charge my phone wirelessly.
  • Use an external USB camera (like a microscope, or a borescope), either to take pictures with, or just to use the phone as a recorder.
  • Use an Apple Pencil on an iPhone (prime opportunity to scoop the Galaxy Note crowd; you missed the bus).
  • Use headphones and external power at the same time. (So, Ingress, or long train trips, or flights?).
  • Use both lightning earpods AND headphone-port headphones at the same time (think: two people watching the same movie, wanting independent volume).
  • Use both wired earphones and airpods at the same time.
  • Use my phone to control my ipad's audio.
  • Add non-credit-card NFC cards to Apple Pay.
  • Add basic barcode-based loyalty cards to Passbook/Wallet.

Carplay:

  • Use an app like ODBFusion (which gives me virtual dashboards) on my carplay display.
  • Buy any aftermarket stereo that supports wireless carplay.
  • Use any mapping app besides apple maps.

Some other suggestions for Apple:

  • Give the Mac Mini some love. Give us one with both classic USB ports as well as USB-C. Give us one with just some DIMM slots and an NVME-style hard drive on the bottom.

  • Stop it with the soldered-onboard ram/ssd on your desktop machines. This makes sense on a macbook, perhaps, but it just twists the knife at purchase-time for desktops like the Mini which are designed to be easy to open.

  • Some of us use these machines as servers. Which means supporting some kind of reasonable out-of-band access and remote power-cycle/remote console functions. Either rebirth the xserve, or work with dell to put an Apple SMC in one of their machines but also have full iDrac functionality.

gushi: (Default)

About a year ago, I was at a rock concert at the local arena called BFD (sponsored by Live 105, our local Clear Channel affiliate). It was one of those 20-something-acts-in-one affairs with five stages, a bunch of indie bands on the outlying stages, and a main stage with a bunch of top acts.

The highlights of my experiences were:

* Seeing Garbage Live, and seeing the connection they have with their fans.

* Seeing Cake live, and seeing a similar connection.

* Realizing that the most technical, gimmicky, and prop-heavy show (Jane's Addiction) was just plain terrible.

However, while I was there I also came across some technologists who had put a project forth on Kickstarter and were doing their soft launch at the venue. This was, after all, in Google's backyard.

The project was the iCache Geode, and it's a brilliant piece of technology: an iPhone case that has a fingerprint reader on the front, a credit card slot on the back, and basically gives you the ability to clone any of your credit cards onto a single, dynamic "GeoCard", so you need only carry your phone (and ID) and you've got the full complement of affinity cards, credit cards, and the like. Because I'm a geek and I know quite a bit about the internals of how the readers work, I had a bunch of questions about how such a thing actually works. And their engineers were on site and willing to talk. Their dynamic "GeoCard" was more than just a smart card; it was actually a credit-card-sized computer that had an antenna where the magstripe would be, and basically "replayed" your credit card when it detected it was being read. It was a *brilliant* implementation, and I geeked out for a good hour picking their brains.

It was bloody cool. I wanted to buy one on the spot, but their ship times were long, and prioritized for their Kickstarter backers, so I held off.

Cut to now.

Their website is up and running, still, but their support desk license seems to have expired. The "checkout" button is strangely absent from the "buy" link on their page. No twitter updates from them, but a whole lot of mentions from Kickstarter backers who are somewhat upset.

For a company that was so strong on social media, and the crowdsourced Kickstarter feel, I think a dry-up like this is attributable to one of three things:

1) They took the money and went to Aruba. I don't believe this happened.

2) They just outright ran out of funds, couldn't secure additional funding despite having an already-developed and strong product, and shuttered.

or....

3) They got patent-trolled, got hit with a cease-and-desist order on prior art, pending a long and drawn-out settlement.

I don't know for sure, but I'm incredibly curious. As I don't have a real stake in this show, the curiosity is nothing more. In my next post, I'll be going into detail on a similar product, where I was in fact one of the lucky ones who got their product, and others seem to be out in the cold.

Stay tuned.

Note: this is my first post using the LJ client for IOS. I tend to prefer the one on my shell account, where I have Markdown to play with. I'll see how things look once the final entry posts.

Posted via LiveJournal app for iPad.

gushi: (Default)

Heh, watch as I litter you paid and permanent users with the ads a plus-user has to see.

I saw this today...

Stupid Credit Score Ad

So, um...if you're telling me that a poor score is 550 or lower, why are you blatantly contradicting your own judgement just a few pixels later, where you seem to feel that 619 or lower is "poor".

Stupid nonsense.

gushi: (Default)

Note: since I started writing this entry, in that half hour or so, the problem I was writing about went away, although it had been there for at least the past few days. This is one example of a problem I see fairly regularly: a site that answers on www.domain.com, but not on domain.com. These are the details, but they're far from an isolated case.

Back in the day, when IMDB first was started, they had a partnership arrangement with a little online-video company called reel.com.

Since that point, reel.com has been bought by Hollywood Video and has discontinued its online business, and its one storefront store still stands in Berkeley.

However, this entry isn't about this, it's about countless websites that do a stupid-but-annoying thing.

reel.com has an IP address. www.reel.com has an IP address. They happen to be the same, but they don't have to be.

If you go in a browser to http://www.reel.com, you get to a "thanks for your patronage" page that points traffic at the Hollywood Video page. If you go to just plain http://reel.com (no "www"), you get...nothing. You get a "Virtual Directory Denied".

Finally, if you go to the ip address of reel.com, which is http://72.5.61.11, you get the main page.

Why?

Well, for starters, let's make it real clear. The webserver that serves this site is running Windows. That "Virtual Directory" error is an IIS thing.

Sending along a hostname isn't part of the original HTTP specification; it's part of a little add-on known as HTTP/1.1 (the Host header), added when it was realized that the proliferation of the web would quickly exhaust the number of IP addresses out there if there could only be a 1:1 mapping between sites and addresses.

IIS, the piece-of-garbage webserver built into windows, has a site config window that looks like this.

Note that there's an option to specify ONE name for a site, and only one.

So, if you connect to an ip, but don't send a hostname (or send a hostname containing only an IP address), you get a site. If you send EXACTLY what's in that box above, you get a site.

Adding multiple host headers to the same site, even if they are really just aliases of the same site, requires work: it requires clicking that "Advanced" button and putting the hosts in, OR it requires having your site be the ONLY one on that IP address and specifying no header.

So, let's make it clear, what could the administrators do better?

1) They could configure a different site in IIS for reel.com, and configure it to be a redirect to www.reel.com. They can even preserve the path so a request for reel.com/images/logo.gif just gets handled the right way, instead of redirecting everyone to the "front door".

2) They could remove the need for host headers entirely, since chances are, the reel.com site is the only one running on that ip.

3) Radical option: they could simply remove the A record for reel.com. What this actually means is that the user will get an error that the domain doesn't exist. You can't tell me this error is any better or worse than the "Virtual Directory Listing Denied" error.

4) They could use a real OS/Webserver. Seriously, you're working for a publicly traded company like Hollywood video. I'm sure they're paying you good money to click the little boxes to turn on IIS. Perhaps they could instead pay someone who knows what they're doing? And if the OS and webserver require a degree of clue to get running instead of "click I Agree, click next, click next, click Finish", then maybe that's not a bad thing.
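To make the Host-header mechanics concrete, here is an added example (not the post's or IIS's code): a stand-in web server that dispatches on the Host header the way a binding table does, the dead end the post saw when a name has no binding, the option-1 fix (an alias site that redirects to www.reel.com and keeps the path), and a probe that checks a server with each name a visitor might type. The binding table, the error text and the probe client are constructed.

```python
"""Name-based virtual hosting, as in the post: which site answers depends on
the Host header, and a name with no binding gets an error page.

Added example, not the post's or IIS's code. The tiny server stands in for
IIS; the binding tables, the error text and the probe are constructed.
"""
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PAGE = "Thanks for your patronage. Please visit Hollywood Video."  # constructed

# Binding tables keyed by host header. None is the "no host header" site, which
# also answers bare-IP requests. BROKEN mirrors what the post observed; FIXED
# adds option 1: a reel.com site that redirects to www.reel.com, path intact.
BROKEN = {"www.reel.com": {"serve": PAGE}, None: {"serve": PAGE}}
FIXED = {**BROKEN, "reel.com": {"redirect_to": "www.reel.com"}}


def site_key(host_header):
    """Normalise a Host header to a binding key: lowercase, port dropped. A bare
    IP literal or an empty value selects the default (None) site."""
    name = host_header.strip().lower()
    if name.startswith("["):                 # IPv6 literal such as [::1]:8080
        name = name[1:name.index("]")]
    else:
        name = name.split(":")[0]            # drop an explicit port
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        return name or None


def make_handler(bindings):
    class VHostHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            site = bindings.get(site_key(self.headers.get("Host", "")))
            if site is None:
                # no binding for this name: the dead end the post ran into
                self._reply(404, "Virtual Directory Listing Denied")
            elif "redirect_to" in site:
                # alias site: send the client to the canonical name, same path
                self._reply(301, "", f"http://{site['redirect_to']}{self.path}")
            else:
                self._reply(200, site["serve"])

        def _reply(self, status, body, location=None):
            data = body.encode()
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):        # keep the example quiet
            pass
    return VHostHandler


def start_server(bindings):
    """Serve `bindings` on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(bindings))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(addr, port, host_header, path="/"):
    """GET `path` from addr:port with an explicit Host header, as a browser does
    after resolving that name to the address. Returns (status, Location)."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")


def check_site(addr, port, names, path="/images/logo.gif"):
    """The check an admin wants: every name a visitor might use must serve the
    page or redirect to it, never dead-end. Returns {name: (status, Location)}."""
    return {name: probe(addr, port, name, path) for name in names}


if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        srv, port = start_server(table)
        print(label, check_site("127.0.0.1", port,
                                ["www.reel.com", "reel.com", "127.0.0.1"]))
        srv.shutdown()
```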

Don't get me wrong, Windows is good for a lot of things. I run it at home because I don't feel like fighting my hardware just to run a GUI, and because I like working video, sound, and USB drivers. I like my stress-relief games to work without having to deal with the stupidity of an emulator. I like being able to buy anything at the store and know I can plug it in and have it work without installing a bleeding-edge kernel.

But for a server? None of those apply. People all the time cite "But I need something supported" as a reason to use Windows, but nobody pays the per-incident Microsoft support fees, everyone just calls someone with more clue, or Googles. You can afford better than that. Unix is darwinistic: people who figure out how to use it are the ones that do. The clueful people advance. You want one of those, Hollywood.

I mean, potentially, this is free advertising for them. Don't you want money? Can you imagine if say, netflix.com didn't work, but www.netflix.com did? Think that would be a problem?

gushi: (Ferret Love)

Hello, and welcome to Gushi on dreamwidth. I would have used the user-account tag for that, but I don't honestly know what the tag for it is. Using <lj-user="gushi"> doesn't make sense, does it? It does in a way, kinda, since that would make it compatible with other clients. However, I'd also like a way that I could cross-site link. I've got 300+ friends on Livejournal, and I'd like to be able to link to them there with a tag.

So, here are the big problems thus far.

  1. First and foremost, I don't have a client for it. I'm going to probably modify jlj for this.
  2. Secondly, while there's a "reading page" here, the Dreamwidth analog of your LJ friends page, I see no way of adding LiveJournal accounts to that page. Even if one were to add every LJ's RSS feed, that doesn't get you restricted entries. LiveJournal claims that if you use an RSS reader that does digest authentication, you can read an individual journal's RSS feed, but there's no way to RSS-syndicate your friends page AND do authentication. So Dreamwidth would have to log in and trawl each of your friends' pages under your LJ account. This is probably not possible, and it certainly defeats the purpose of RSS.
  3. Third, looking over some of my entries, they just don't fit in the scaling. For example, this entry is problematic. There's a strong lack of alternative styles.
  4. While there's an import tool, there's no easy way to "unimport" things and reset your journal to blank after an import, nor to tell either via a tag or some other manner which entries were "born here" and which were "adopted".
  5. From glancing over the FAQ, it looks like there's heavy dependence on the admin_console. This makes sense, it's easier to code for, rather than trying to put hooks to do things in multiple places and multiple styles.
  6. No permanent accounts. There was a sale once, but the admins claim they will not hold another. Honestly, I believe in this project, and I want to show more support than the paid account I've already bought, but I would like to be able to hold out hope for this.
  7. No phone support. While I'm not against the "old" mode of voice post transcription, where your friends do it for you, I have literally been able to update my LJ via voiceposts from hospital rooms where I don't know if I'll survive the night. I'm not ready to give that up.
  8. No way to specify that entries are being crossposted. This entry, posted to LiveJournal, has no extra text to mark it as such (other than the tag I set on DreamWidth, "native dreamwidth entries", but that was not set in any crosspost setting, it's just a tag I set to solve another problem above.) Thankfully, it at least LOOKS like when I edit an entry here, it updates the entry on LJ as well.

Sadly, each and every one of those is a show-stopper for me. I believe every one of them is fixable, but it's going to take time.

I haven't managed to figure out yet what I will use to differentiate this between Gushi-here and Gushi on Livejournal. Right now, I'll probably be mostly crossposting, which gives no advantage to my friends to kick it over to here. I'm tempted to be better to this journal than I have to my previous: always using tags, always setting moods, and the like. Perhaps making sure each entry is written syntactically valid, in the same style, with auto-formatting turned off.

I have several invite codes available, let me know if you want one. Other than that, well, in the word of a gryphon: That's about all I have to say about that.

Ferret One Out!

gushi: (Default)

There is a spammer that has been annoying me. They're doing things halfway legit, so they bypass a lot of filters. They're advertising a site called nextjob.us, mostly telling me about candidates who I'd want to hire who need H1B visas or green cards.

I've complained via SpamCop, and also directly to their ISP (Cogent).

I did a google search for them recently, and discovered that not only are they being blocked by google, but that they're asking on google's forums for help!

I quickly typed out my own reply, which has since been deleted.

And they emailed me back, again asking for help, and seeming somewhat apologetic.

While one might think I'd don my BOFH hat to handle this, I'm somewhat touched, because I know the answer to this.

My response was long, and almost didn't get to them, because they set their "Reply-To" header to "no-reply@nextjob.us". This alone indicates a serious case of "you don't know how this works".

My reply is below the cut.

gushi: (Default)

So, I just got this amusing email...

From slackerng@gmail.com Thu Jul  2 02:08:05 2009
Date: Thu, 2 Jul 2009 01:07:54 -0500
From: Cody Grunenwald <slackerng@gmail.com>
To: "root@gushi.org" <root@gushi.org>
Subject: I really need help

I saw that you had a crash file that you can crash wc3 users only by whispering
them. Now I'm a noob with technology and stuff so I was wondering if you could
get on battle.net and go to Channel CLAN STN and crash anybody in that channel
with praetor in their name. Long story short they hacked themselves into OP and
were a new clan so we have no shamans or anything and he's holding our clan
hostage. Please help us.

Note that they emailed root@gushi.org. Now, there's only one place I use that. root@prime.gushi.org is common, but root@gushi.org was ONLY used, for a while, as the ServerAdmin for the gushi.org domain (as in, ONLY my personal domain). Thing is, it also shows up as the serveradmin for people who use www.gushi.org/~username aliases...and a quick google revealed the problem.

A user I had kicked off a while ago, who was using prime as his location for starcraft hacking tools (I know because I heard from Blizzard about it).

Remember fun LJ entries like this?

So, obviously what's happening is people are finding some webpage that links to this, getting a 403, and then EMAILING ME.

Gee, how ever could I find out who this is? Oh wait, look, I have my webserver logs!

%tail -1000000 access_log|grep -i celeron
gushi.org 75.72.94.81 - - [01/Jul/2009:20:48:09 -0400] "GET /~celeron/hacks/Exended1.4.zip HTTP/1.1" 403 345 "http://gaminkings.tripod.com/id8.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"
gushi.org 97.83.163.193 - - [02/Jul/2009:01:56:50 -0400] "GET /~celeron/hacks/SCCRASH.zip HTTP/1.1" 403 342 "http://gaminkings.tripod.com/id8.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)"
gushi.org 97.83.163.193 - - [02/Jul/2009:02:05:37 -0400] "GET /~celeron/hacks/SCCRASH.zip HTTP/1.1" 403 342 "http://gaminkings.tripod.com/id8.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)"
%

So I checked out the tripod page (I especially love that the banners on the webpage are offering a DEGREE IN HACKING), and there they are.

Now, the question is, what to do with them?

  • Tell them "it's a game, there really are more important things"
  • Tell them "STFU NOOB!"
  • Tell them I'll hack THEM for disturbing me! (Mess with the best, die with the rest!)
  • Tell them I'll do it for 1000 gold, sent to the WOW account of anyone I don't particularly like?
  • Forward the tripod hacks page on to Blizzard?
  • Complain to Tripod myself, as it's causing me negative traffic, perhaps threatening that if they don't take the page down, I will POPULATE those links?
  • Since they seem so willing to download and run files, send them a nicely wrapped boot sector rewriter?
  • Two words: mod_rewrite.
  • Send them a link to this entry.
  • Do nothing but blog about it, sigh, and shake my head sadly.

Yeah, probably that last one, but you never know. *sigh* *shakes head sadly*

gushi: (Default)

So I discovered today that I was getting a lot of spam mail that slid right through my filters...most of it by a company called Diversion.

I looked at the headers and found a few interesting things:

1) All the recipients had "real names", and the spam was directly addressed to them, as opposed to being bcc'd or sent to "undisclosed recipients".

From: Diversion Media <diversion_media@hearstmdinfo.net>
To: Mark Scribbins <marks@gushi.org> <-- like that
Subject: Get to Know Diversion.com for Physicians - at Your Fingertips

2) The links, while going through a "redirector", all matched and were on a sane domain, which corresponded with the link text, and which in turn was the same as the email domain. It wasn't a long subdomain, nor was it loaded with random letters or characters.

3) The text was relevant to the subject line, which in turn was relevant to the content, which was readable instead of the markovian crap I'd expect.

I looked at one of the articles...this one, and it's reasonably well-written and informative. Sure, a bit fluffy, but a decent read.

This didn't smell like spam to me.

I looked over their site, and found a "contact us" link. I called the number for their "advertising" department, and a person answered. Okay, too weird!

The conversation went like this:

"Hey, how's it going. I seem to be on your mailing list several times, and I wanted to let you know that the whole domain goes to me, and I'm getting several distinct copies of these emails from you. Normally I'd report this stuff to spamcop or whatnot, but it seems you guys are legit. Like, if I were a doctor, I'd probably be interested in this stuff, it's well written and informative. So what I'm guessing probably happened is that you guys bought a bogus list, and I'm just calling to let you know you may want to go back to whomever sold it to you and take it up with them."

I gave them my domain name, and was told "yeah, unfortunately this isn't the first call like this I've gotten", and "thanks a lot, not everyone would have done what you did." (Again, not things I'd expect a spammer to say.)

Now, over time, I've gotten several spams that claim "PHYSICIAN LISTING!!!" or "50000 US MD LISTINGS!!!1!". And chances are, Diversions either bought such a list (how accurate could such a list be?), or someone who seemed more legit bought such a list and re-sold it to them. Welcome to the ponzi-driven internets :)

What this also indicates to me is that there are a number of services out there that "discover" domains that accept all domain-bound email. I suppose, historically speaking, I should look for the first emails sent to those services. (As I keep lots of email, and lots of logs, this isn't hard).

What it also means is that in my quest for better filters, I can now track everyone else who uses those lists, since the list-generators have managed to create a unique fingerprint for their lists. While I don't expect anyone to share with me where they bought it from or whatnot, I suppose if I were in a different field, I could offer to help legitimize these folks -- adding better verp detection, better feedback loop awareness, and the rest. And quite frankly, if I wind up blocking an otherwise legit site like this, because they bought a shitty list...oh well.

Somehow this reminds me of when I was parked in Home Depot, and there was someone running around, putting flyers on everyone's windshields, saying "Advertise in the Pennysaver, call this number!" Huh? If the Pennysaver is such an effective means of advertising and communications, why do you need to be paper-spamming cars?

I mean, let's face it, marketing data is an asset, and I suspect, as Diversions is discovering right now, you get what you pay for. Or better still, let the buyer beware!

gushi: (Default)

I think it's pretty safe to talk about this publicly.

I just discovered something obnoxious in the course of my day.

Most unix machines have a "hostname", and this "hostname" includes a "domain". When your hostname is stated with your domain, it is said to be your "fully qualified domain name". For example, "prime.gushi.org", or "bitsy.mit.edu".

This is all well and proper. This is the way it has been in the unix world since TCP was invented. A computer knows its first and last name, and it corresponds with the name that systems use to look you up with, in protocols like the DNS.

Now, with Microsoft OSes, machines normally get their "domain name" by joining an Active Directory Domain. For example, in company.com, they may designate "ad.company.com" to be the active directory domain. Note carefully that this also sets something in windows called your "primary dns suffix" which means "the domain part of your hostname".

Normally, the procedure involved in setting this thing manually involves digging rather deeply into the system control panel, going to the "Computer Name" tab, clicking the "More" button, and setting it.

Now, here's the annoying thing I recently discovered:

I recently decided to run a very-tight box to only serve one thing: DNS (running my job's software). Thus, knowing that I'd never share any files, never want to connect to any servers to grab files, I uninstalled "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks".

What I then discovered was this:

After uninstalling these components, the "More" button in the Computer Name field disappears!!! Unless you have "Client for Microsoft Networks", your machine CANNOT POSSIBLY be configured with a fully-qualified domain name. Worse still is that windows machine names cannot include dots.

Note carefully that some other programs use this value. Some mail servers even DEPEND on it being set to something real.

Does Microsoft POSSIBLY think that the only thing that requires an FQDN is their own SMB networking stack?

Configuring a DNS search path is also done per-connection, as opposed to globally. How does that work? If I'm at a command prompt and type "ping foo", it doesn't ask me which network interface I want to use (although ostensibly the one that has my default gateway would be the primary one). It's still a kludge.

Now, I'd be a lot more angry if this actually stopped me from doing anything, this is purely a semantic issue, but hey, I work in the DNS field, I'm allowed to be a pedant about this.

gushi: (Default)

Okay, everyone, have a quick look at a message I just exported EXACTLY from my mailbox. It's the raw message, with the raw headers, so it might not make sense to all of you.

It's right here. Note: when rendered in a BROWSER, the email looks like THIS

After that, I want you to have a look at how it looks in my mail client, click this preview:

I've got several MAJOR problems with this.

Note: it may help to refer to the entry in Wikipedia about MIME and how it works.

Techie Ranting about email formats

gushi: (Default)

I know a lot of people with iphones. I will likely never buy one. Here's why. Note: some of these may be dead-wrong now -- I've heard complaints about all of them.

1) No tethering. You'll likely hear me bitch about this one a lot. I can't use it as a modem. Hell, I can't even use it as a modem to make an ANALOG call, or send a fax. I can't use it as a modem even for relatively-slow gprs.

2) Useless bluetooth. It's good for headsets. That's it. Can't sync via bluetooth. Can't send/receive contacts last I checked. Can't tether it. Can't transfer files to it. Can't use a bluetooth keyboard. Also: the ipod touch has a bluetooth chip but doesn't support it!

3) Also: Can't sync via wifi -- what the hell? Are you honestly telling me if I buy your sexy macbook air, the ONLY way I can use the ipod with it is by eating the single USB port?

4) No tactile feel. In my pocket, I can blindly feel for the thumbwheel (or even the unlock combination) on my p800. An iphone requires me to be looking dead at it. On the same note, I don't think there's support for a "smart" remote like the early ipods had. A bluetooth keychain remote would also rock. If you know, the bluetooth weren't worthless.

5) No IRDA? Cmon, apple!

6) No voice dialing, tho this is supposedly supported by third-party apps. Apple's such a media-high company that this should be in by default.

7) Is there support for doing calls over WiFi? (and I don't mean with Skype or something third party -- I mean with AT&T, so calls come from YOUR NUMBER and are receivable the same way.) If not, why not?

8) Lack of input options. On my phone, I can get data into it with the numeric pad, use handwriting recognition, tap things out on a tiny qwerty keyboard, use a bluetooth or IRDA keyboard, or connect it to my PC (with a third party app) and type using my PC keyboard. Yes, using the smaller-than-the-iphones onscreen keyboard requires a stylus, but my finger (or a pen) works in a jiffy.

9) The Jail. I shouldn't HAVE TO "break" my phone that I paid lots of money for just to be able to use it. It's already been proven that there's about a dozen ways around apple's DRM -- from tools for "backing up" your ipod, to stripping your AAC files, to "just burn it to a CD then rip it" to the classic "analog hole." Why don't they just make the "jail" turn on ONLY if you are syncing it with an itunes account containing DRM'd music? What this says to me is "you can have bugfixes OR you can have a phone that you can use the way you want, you pick."

10) AT&T's "visual voicemail" should have transcription. Even for an extra fee, this should be a dirt simple drop-in option. And it should give you the option to reply to a (transcribed) voice message via either text, or email.


gushi: (Default)

Okay,

I'm at my dad's house. He has a new laptop, which he needs me to "set up". Normally this task is accomplished by opening the laptop, and because I didn't rush to his aid when his old computer (the last of several computers I've built for him) died, he got a new laptop from a friend.


Yick, Vista.

It wasn't so many years ago, that windows XP was the new, Ugly face of windows...and it's easy to see where Microsoft has still done a few things wrong.

For example, my dad's been a Dialup guy for a number of years. The Microsoft Office trial that comes with the system "Free for 60 Days, it swears!" won't work without a trial. Windows defender (which currently has definition version 1.0.0.0 -- HOW?) flashes an unhappy exclamation point at you, because it cannot update without an internet connection (although, I'm not sure where one would get spyware without an internet connection.) Norton complains unhappily as well. The HP "product showcase" that's so cleverly placed in its "please click me" location on the desktop won't work. The pre-installed "Yahoo Search" that's stealing Taskbar real estate is functionally useless.

Vista Home Premium includes a game called Chess Titans, which is chess played on a 3d board. However, in the default layout, at the beginning of the game it shows a sweeping 360 degree view of the board, then goes to a top-down view from a 45 degree angle (i.e. white's eye view).

Of course, because it's a 3d chess program, all the taller pieces obscure all the smaller ones...and when viewed top-down (the way I've been playing computer chess since 1986), all the pawns are just round circles, instead of showing iconic, pawn-like representations. And the best part is, if you try to spin the board to give you a better view...it reverts after about 3 seconds.

There's a game called Inkball that has not only the most pitifully incomplete helpfile I've ever seen (apparently, in the game, your whole raison d'être is to draw lines to lead a ball into a hole -- but there's an unexplained bonus you get where you can drop "blocks" with no restriction, even to the point where you can completely block off your goal).

When I connected his external monitor, a nice dialog popped up saying "hey, do you want to mirror this, expand your desktop across both, or what". But it's not the same behavior as the one in the Windows Display control panel, nor is it the same behavior that comes up when hitting the display-swap fn-hotkey. It reeks of sloppy design. As an aside, it IS the same as what's in the Nvidia Control panel -- but why the hell hasn't that just been integrated into the "Display" control panel -- we've only been doing this since 1995 now, can't we find a plugin architecture that works cohesively by now? I.e. "If a third party provides function X, show theirs, otherwise show the default MS interface."

There's about a dozen useless things preinstalled, of course. There's a shortcut to Ebay on the desktop. As if, someone who has used ebay before can't figure out how to get online.

It includes Office 2007...which as far as I'm concerned, the fucking Ribbon Bar will just convince him he wants to use OpenOffice...as soon as he learns what it is.

And so on, and so on.

Of course, I'm only here for a night...and Fios will be installed on tuesday. Naturally.

Well, I've got windows up and talking to his huge flatscreen monitor, and he tells me that his friend Steve, who got him the laptop, "has a little box on the side that everything just plugs into". I can't tell if he means a USB hub, or a full-blown port replicator.

I've also taken a few moments to revert his copy of Windows back to the same way 95-and-everything previous looked before this. Sadly, that's something that Windows keeps making harder and harder to find, so I hope to god the Fios guy doesn't look at this and say "Hey, we only support XP or better".

As usual, the system has a 64 bit processor (a Turion, whatever the fuck that means) and HP has decided to only include a 32 bit OS.

There's some part of me that really wants to tell my father "here, this will run natively on your hardware and will actually use it to its full potential", except Linux Just Ain't There Yet...

I wish he'd have gotten a mac.

gushi: (Default)

Okay,

So after fixing my little mail logging issue I remembered that I had logwatch set up on my cobalt raq3.

Logwatch is cool. It emails you everything in the logfiles, you define great regular expressions as to what's harmless noise, and keep going till it's only the critical stuff that you get.

I just got a mail FULL of the following:

client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)  
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)     
client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)  
client 123.18.118.42 query (cache) 'ASPMX3.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)  
client 123.18.118.42 query (cache) 'ASPMX4.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)  
client 123.18.118.42 query (cache) 'ASPMX5.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)  
client 123.19.213.68 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)     
client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.213.68 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.213.68 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.213.68 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)   
client 123.19.99.134 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)     
client 123.19.99.134 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.99.134 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.99.134 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  
client 123.19.99.134 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)  

So after I dig around for a bit (no pun intended), I realize.

What I'm looking at is a whole bunch of terribly broken DNS implementations. DNS implementations that bypass a host's DNS entry, and directly query ME instead of looking something up directly.

All the domains above are A records (address records) that are pointed to by MX (mail exchanger) records. I host sites that use those MXes, but I don't host (obviously) googlemail.com.

Okay, so I know why this is happening. It's mostly harmless.

My options:

1) Tune logwatch so I don't get these.

2) Tune BIND so it doesn't log these hits.

3) Use this information to feed a real-time blacklist -- it's fairly easy to write the parser but from the looks of it, most of these IPs are already on RBL's I use (spamhaus PBL, CBL).

4) Find a way (as recursive as this sounds) to block queries to my DNS server, based on this blacklist. I don't think BIND supports such a feature.

-Dan
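Option 3 above is the one that needs a parser, so here is an added example of what one looks like. This is not code from the post or from logwatch; it is written from scratch and only assumes the log line shape shown above (logwatch's "client IP query (cache) 'name/type/class' denied: N Time(s)" summary, with raw BIND's "client IP#port:" form also accepted). The sample lines, the MX hostname suffixes, and the threshold are all constructed for the example. It groups denied queries per client and flags clients whose denied lookups were all A records for mail-exchanger hostnames, which is the "broken resolver on a mail bot" pattern the post describes; the resulting list is what you would feed to a blacklist or a firewall table, with a manual review step before blocking anything.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the logwatch output in the post
# (the last two lines, with a higher count and an unrelated name, are made up).
SAMPLE_LOG = """\
client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 3 Time(s)
client 198.51.100.7 query (cache) 'www.example.com/A/IN' denied: 1 Time(s)
"""

# Matches both the logwatch summary form ("client IP query ... denied: N Time(s)")
# and raw BIND's "client IP#port: query (cache) '...' denied" form.
LINE_RE = re.compile(
    r"^client (?P<ip>[0-9a-fA-F:.]+)(?:#\d+)?:? query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
    r"(?::\s*(?P<count>\d+) Time\(s\))?"
)

# Hostname suffixes of the mail exchangers that keep showing up in the denied
# queries.  Constructed for the example; adjust to the MX targets you actually see.
MX_SUFFIXES = ("googlemail.com", "google.com", "mail.peregrinehw.com")


def parse_denied(text):
    """Yield (ip, qname, qtype, count) for every denied-query line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a denied-query line; logwatch mixes other noise in
        count = int(m.group("count") or 1)  # raw BIND lines carry no count
        yield m.group("ip"), m.group("qname").lower(), m.group("qtype"), count


def summarise(text):
    """Per client IP: total denied queries, how many were A lookups of MX hosts,
    and the distinct names asked for (useful when eyeballing the list)."""
    stats = defaultdict(lambda: {"denied": 0, "mx_lookups": 0, "names": set()})
    for ip, qname, qtype, count in parse_denied(text):
        s = stats[ip]
        s["denied"] += count
        s["names"].add(qname)
        if qtype == "A" and qname.endswith(MX_SUFFIXES):
            s["mx_lookups"] += count
    return stats


def candidates(text, min_mx_lookups=2):
    """Clients whose denied queries were *all* MX-host A lookups and at least
    min_mx_lookups of them: the mail-bot signature.  A client that also asked
    for unrelated names is left out, since that looks more like a misconfigured
    resolver than a spam engine."""
    out = []
    for ip, s in summarise(text).items():
        if s["mx_lookups"] >= min_mx_lookups and s["mx_lookups"] == s["denied"]:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    for ip in candidates(SAMPLE_LOG):
        print(ip)
```

The threshold and the "all lookups were MX targets" rule are deliberately conservative: the cost of a false positive here is blocking a legitimate but misconfigured resolver, so review the summary (the `names` set per client) before turning the list into firewall rules.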

Stupidity

Apr. 15th, 2008 11:53 am
gushi: (Default)

Here, let me know if anyone spots the problem with this email I recently got:

Date: Tue, 15 Apr 2008 11:37:26 -0400
From: Avis <avis@avis.ed10.net>                                                                                               
Reply-To: Avis <avis.bwqw49.78761@avis.ed10.net>
To: avis@gushi.org
Subject: Great Offers from Avis                                                                                               
Parts/Attachments:
   1   OK     118 lines  Text
   2 Shown    177 lines  Text
----------------------------------------                                                                                      
Ensure our messages always go straight to your inbox. Add Avis@rent.avis.com to your Address Book or Safe List.               
Click here [click.avis.com] to learn how. If this e-mail does not appear properly, please click here
gushi: (Default)

Dear PHP.

Please for the love of god stop being such a monolithic pig.

I'm watching ONE INSTANCE of ONE PHP SCRIPT for ONE USER (that's ONE page hit) eat 107 megs of ram right now. To serve ONE http request.

I mean, seriously, apache has been a multithreaded daemon since april, 2002. And because "PHP is Glue", (and yes, that's literally your excuse), you decided that you'll most likely never be thread safe.

Not that I'll ever run you threaded, of course -- since unix can't do privilege separation on threads. Because you foster the ability for people to write such ugly and insecure, godawful code, I can't even use the techniques most ISP's do to "trick" you into running faster, running you as a module in my webserver.

Of course, PHP regardless of how you run, you could define yourself as a slim application, and dynamically load the modules you need on the fly. Do a quick inventory of which modules are present, and then load when needed. If someone does something like phpinfo(), then sure, load all the modules and show all your stuff. Otherwise, unless someone calls mysql_connect, don't load it. Be cognizant of when the mysql lib is there, maybe via a trusted host cache of modules-to-functions -- but there's no reason for 90 percent of the code in you to be in ram 90 percent of the time. But you don't get it, PHP. Instead, support for everything from TrueType to SSL is compiled, statically, into you.

While we're at this dynamic bit, PHP, security could be handled the same goddamned way. I could run you as a module if you'd have thought AT ALL about the problems you'd cause ISPs everywhere. But you didn't.

This too, could probably be done securely, if you knew what you were doing, PHP. Force all file access through a stub program, like suexec does. For files that merely need to be read, simply check permissions, and if you could read them anyway, just do it. For files in a trusted directory (like modules), just load them. For files that need to be read only by the user (like mysql configs), call your stub program to pipe the data in to you. For files that need to be written, actively...do all your writes through the stub, just like suExec or SuPHP. Because god knows we haven't had enough zero-day postnuke (ever wonder why they called it that?) or phpBB security holes.

But being sensible or logical is beyond you, PHP. I can't stand you, PHP. You continue to anger and frustrate me, and drive prime's load skyward whenever someone decides to run a badly-written gallery app to basically run a for-loop for a directory of images.

But if I disable you, I lose users. And they ostensibly give me money.

So you can stay, but you're sleeping on the fucking couch.

gushi: (Default)
By the way, when I proposed income tax be abolished, there were things I wasn't including in the theory. It's by far an imperfect system, but guess what? So is the one we have in place now. In this state, minimum wage at 40 hours a week puts you well below the poverty line. That's a problem.

Property taxes. These are a state thing, not a federal thing. The IRS does not charge you property tax, your state and local governments are responsible for assessing things like this.

Morton: Yes, you mentioned that black markets will become a bigger problem, and that's true. But the only thing right now that doesn't leave a paper trail is cash. I could see some interesting things happening as a result of this. With a federal income tax, a slew of new laws would pop up for people who now EVADE taxes by buying online. Hell, the feds and ebaypaypal could go into cahoots, and allow online merchants like me to automatically withhold (and submit on the fly) such sales tax.

And of course, basic staples of life (by that I mean food) would be untaxed. The computer systems in supermarkets already do this anyway.

I mean, sure, some things would fall through the cracks. Landlords who collect rent in cash would still not declare it. The kid who mows your lawn for $20 would not declare it.

Everyone who works off the books just to make ends meet...would still work off the books to make ends meet. But if some off-the-books fool goes out and buys an X-box 360, yeah, guess what, welcome to being a contributory member of society. Wanna buy beer and lottery tickets? Uh huh, you're gonna pay. Besides which, the stupid things that are presently charged sales tax would still likely apply.

For anyone who says "life essentials are the only thing taxed", I offer this example:

Filet Mignon is untaxed. Caviar is untaxed. Frozen hors d'oeuvres are untaxed.
Toilet Paper is taxed. Soap is taxed. Band-aids are taxed.

The real problem with the sales-tax solution is that it takes away from certain things. When you go to file for (say) financial aid, they look at your tax returns. Now, they'd have the option to look at your state return, get a savings statement from your bank, or something like that. Credit reports wouldn't go away, but are less than perfect for this scenario since students typically have bad or no credit anyway, and having GOOD credit doesn't mean you have money. It would shatter the nice little standardization they have going, but I suppose they could find a nice way to employ all the lifeless personality-less drones who used to work for the IRS in college financial aid departments.

I'm probably babbling on about this, because I KNOW it won't get fixed. See also my rant about why I don't vote, and my last registered voter registration went back to the address of my high school. Which was about the last time I thought there was someone worth voting for.

Page generated Jul. 26th, 2017 02:45 am
Powered by Dreamwidth Studios