03/9/06

RIAA puts profits over lives

I dunno, I should be shocked (shocked I say!), but I’m not…

Every so often, the US Copyright Office takes comments regarding the DMCA (the law which makes it a crime to use products you paid for in ways other than the creator intended). Most recently, Sony-BMG (a member of the RIAA) added DRM technology to music CDs (technically, they’re not real music CDs because of the DRM, hence they don’t carry the CD logo) which ended up creating a security hole on people’s computers. This security hole was then abused by other people (criminals, to be precise) to break into those computers.

In response, people like Ed Felten requested that the USCO grant an exception to the DMCA which would allow users to remove DRM software which causes harm to end users. Others asked for an exemption covering DRM technologies which, “employ access control measures which threaten critical infrastructure and potentially endanger lives.”

Sounds pretty reasonable, right? Apparently, though, the RIAA doesn’t think so.

02/26/06

Will Tor have Extrusion Detection?

Richard Bejtlich wonders, in light of Tor being usable to anonymously attack other systems, whether Tor will add extrusion detection capabilities.

I seriously doubt it. First, there are technical reasons: each exit node would need its own policy, since some operators would want very strict policies and others more open ones. Pushing knowledge of each policy to the rest of the network so it can make routing decisions would be very complex and would incur high overhead on a system which is by its nature not very efficient.

Secondly, adding additional monitoring to an anonymity system is just ass-backwards. The whole point of Tor is to allow people to be untraceable and to access content that they normally are unable to access (getting around filters) or unwilling to access if it were known they were accessing it. Actively monitoring an anonymity system reduces its effectiveness at its primary purpose.

Lastly, most attack monitoring systems are simply ineffective out of the box. They require extensive configuration and tuning, something most Tor node operators have neither the interest, time nor expertise to do.

02/25/06

SSL on the cheap

Well, I finally got a real SSL certificate, signed by a trusted CA, for www.synfin.net. For less than $20/yr, no more annoying popups in web browsers, mail clients or my Treo. Anyways, overall I’ve got to say that GoDaddy made the process pretty painless and quick. So far I’ve tested Firefox and Safari and both seem to be happy with the cert. Two thumbs up.

One thing to note: if you’re grabbing the tcpreplay source from SVN, the SSL certificate has changed. If anyone knows how to pass a certificate chain file to svn, let me know.

02/19/06

Shame

Shame on Yahoo, Microsoft and Google. But part of me understands. For better or worse, companies are ultimately responsible to their shareholders, not to morals or concepts of right and wrong. Even Google’s motto of “Do no evil” is conveniently pushed aside when it becomes monetarily inconvenient.

Given the choice of helping the Chinese government put a dissident behind bars or pissing off the Chinese government, which allows them access to the largest potential customer base, Yahoo decided to assist the communist dictatorship, which resulted in Shi Tao getting 10 years in jail.

But perhaps the scariest thing is that Microsoft couldn’t say under oath whether or not IBM should be ashamed for helping the Nazis. I guess if even in hindsight you can’t figure out what is wrong, how can you be expected to know right here and now?

02/16/06

Fair Use under attack (again)

Actually, there are a lot of reasons why I support the Electronic Frontier Foundation. One such reason is that they’re one of the few organizations fighting for our Fair Use rights. Fair Use provides some basic rights allowing greater creativity and expression of ideas. It is also the legal basis for technologies that we take for granted like the VCR, TiVo and iPod.

And like so many other freedoms, Fair Use is under attack. What are you going to do about it?

02/5/06

VP of Eng.

At Mu we’re looking to hire a VP of Engineering. Anyways, I figured I’d list some of the interview questions I plan to ask.

  1. As a manager, what kind of environment makes you the most effective? The least?
  2. Every manager seems to claim they have an “open door policy”. How do you get people to walk through the door?
  3. What do you bring to the table that can help a fast growing startup continue to execute quickly and maintain quality?
  4. What role do you intend to play with regards to our CTO and VP of Product Management?
  5. What qualities do you look for in an engineer when interviewing? What are some red flags?
  6. What do you expect from your engineering teams? What should they expect from you?
  7. What are some pet peeves?
  8. Complete the sentence: “I manage by…”
  9. How do you hope to improve by working at Mu?
  10. What do you read for fun and profit?
  11. Any questions for me?

01/26/06

Don’t be evil (unless you can make money!)

So we all know Google’s corporate motto is “Don’t be evil.” It’s not the most inspired thing in the world, since evil is a rather strong term and it leaves a lot of wiggle room compared to something like “Always be good.”

Now recently, Google made a deal with the Chinese government. Basically, the Chinese government has an internet firewall which tries to stop its citizens from accessing certain kinds of information on the internet. Here in America, we have a word for this: censorship. In the past, the Chinese government would block certain content that Google helped Chinese citizens access, but now Google has agreed to censor itself based on the Chinese government’s requirements. Now of course, Google being a search engine (and a very good one at that) has a pretty clear goal: make information available to people. Obviously censorship and the whole concept of a search engine are in conflict with each other.

So what does this mean? Well if a picture is worth a thousand words, here’s a good example:

Do a search for “tiananmen square” pictures in the US version of Google: http://images.google.com/images?q=tiananmen+square

versus the Chinese version of Google:
http://images.google.cn/images?q=tiananmen+square

Just a wee bit different, huh? Now here’s the billion dollar question: would Google do this sort of thing to get in the good graces of the Chinese government if China didn’t represent such an important market for Google’s services? If this were Somalia we were talking about, do you think Google would censor pictures of things the Somali government thought cast a bad light on it? I seriously doubt it.

01/23/06

First rule of Congress: you must not talk about VEIL

I’m trying to understand what is so important to secure that the US Congress is not only considering mandating certain security methods, but that those methods be a secret from the general public. Nuclear weapon control systems? New kind of stealth aircraft? Some kind of spy satellite? Maybe some new way of tracking down terrorists?

Turns out it’s none of those things. Instead, this bill has to do with limiting what Americans can do with TV shows. You know, like taping them on a VCR/TiVo or perhaps fast-forwarding through commercials.

Basically, Congress is looking to force companies which decode digital TV signals to implement a DRM technology called VEIL. But you and I can’t read the specification for VEIL or know what it does… well, not without signing a legal agreement promising not to discuss or disclose anything about the technology and forking over $10,000 in cash. Even then, you only get the information on how to decode VEIL data, not the other way around.

The end result is we have no idea what this technology actually does, how reliable it is, how much it will increase the cost of TVs that consumers buy, or even if this technology is extensible enough to adapt to new media or requirements. Basically, it’s a government mandated way for one company to generate millions if not billions in revenue, since every TV manufacturer who would like to sell to Americans would have to license this technology from them.

I’d ask whatever happened to Congress looking out for consumers instead of business interests, but frankly, that hasn’t been true for years. Anyway, to read more, check out Ed Felten’s blog.

01/14/06

RAID & Backups

So every IT person worth a penny knows that RAID isn’t a replacement for backups and that backups are worthless if you don’t test them.

So why do so many of us find ourselves “too busy” to bother testing backups? Today I almost found myself burned. After noticing that a drive failure in a RAID10 array had taken out my server, I started thinking about that nightly backup. Luckily for me, only one drive was down and the array was able to come back up (albeit in a degraded state). So I immediately kicked off a manual backup.

Now, the output of the backups is always emailed to me, and I had noticed for quite some time that it oddly reported skipping files in /var twice. I would occasionally try to figure out why star was skipping files in /var when it was supposed to be backing up /home, but I never tried too hard to figure it out.

So as my manual backup was running, I figured I’d once and for all figure out this oddity. Imagine my shock when I realized the obvious… I wasn’t backing up /home, but rather /var twice. “Oops.” Oh well… better to have figured it out now than when I was trying to restore some critical file in /home.
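As an added check that is not from the original post, here is a small shell routine that tests a finished backup archive against the list of directories it was meant to contain, which would have flagged exactly this mistake (one source missing, another archived twice). It assumes tar(1) and mktemp(1) rather than the author's star, and the sample tree and the faulty source list are constructed in the script.

```sh
#!/bin/sh
# Added example, not the author's backup script. Checks a backup archive
# against the directories the backup was supposed to capture, catching the
# two defects in the post: a source that never got in (/home) and one that
# was archived twice (/var). Assumes tar(1) and mktemp(1); the sample tree
# and the mistaken source list are constructed below.

# verify_backup ARCHIVE DIR...   (DIRs are relative to the backup root)
# Prints one line per DIR; returns 1 if any DIR is MISSING or DUPLICATED.
verify_backup() {
  archive=$1; shift
  listing=$(tar -tf "$archive")
  rc=0
  for d in "$@"; do
    # members under this source, and how many of them are listed twice
    n=$(printf '%s\n' "$listing" | grep -c "^$d/" || true)
    dup=$(printf '%s\n' "$listing" | grep "^$d/" | sort | uniq -d | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
      echo "MISSING $d"; rc=1
    elif [ "$dup" -gt 0 ]; then
      echo "DUPLICATED $d ($dup members listed twice)"; rc=1
    else
      echo "OK $d ($n members)"
    fi
  done
  return $rc
}

# make_demo: build a constructed mini filesystem plus two archives from it and
# print the scratch directory. backup-buggy.tar reproduces the post's mistake:
# the source list names var twice and home never.
make_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/home/aaron" "$root/var/log"
  echo "irreplaceable" > "$root/home/aaron/notes.txt"
  echo "syslog line"   > "$root/var/log/messages"
  (cd "$root" && tar -cf backup-good.tar home var)
  (cd "$root" && tar -cf backup-buggy.tar var var)
  echo "$root"
}
```

Running `verify_backup "$(make_demo)/backup-buggy.tar" home var` reports `MISSING home` and `DUPLICATED var`, which is the same symptom the nightly email was hinting at.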

01/8/06

Wow, spammy

So lately, I’ve been really annoyed with the amount of spam I get. After various custom filters plus SpamAssassin, I still get around 100 spams/day (of which about 20% finds its way into my inbox and the remaining 80% into my spambox, which I have to check for false positives). Pretty painful.

So yesterday I split things up to figure out where my spam is coming from (or rather, going to). I’ve figured out that roughly 2/3rds of my spam comes from my two pobox.com accounts. About 3/12ths comes via my speakeasy.net address (which I’ve never used in my life, which is pretty odd) and the final 1/12th is via my synfin.net address. Checking out the anti-spam settings on my pobox.com account shows that they have *blocked* over 7700 spams in the last month. HOLY CRAP!

At that point, it was painfully obvious that after 10 years, I need to retire my pobox.com addresses. Just way too much spam is coming through and there’s just no way to block it all even with aggressive filters. So I’ve decided to migrate all my mailing lists to my gmail account (synfinatic) and retire my pobox.com address in favor of synfin.net (aturner or aaron… haven’t really decided yet. aturner gets under 10 spams/day and aaron is spam-free, but people can’t seem to spell synfin or aaron, which seems like a bad combination).

Gmail seems to have pretty decent spam filtering, since most days I don’t get any spam in my inbox. But frankly, I’ve never been a big fan of webmail systems, and gmail isn’t much better than others IMHO. Oh well, either way, it’s Taps for aturner@pobox.com.