Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Whammo (2555)

Whammo
  (email not shown publicly)
http://www.coept.us/

BCWarnock

Journal of Whammo (2555)

Wednesday May 12, 2004
06:31 PM

Pollard

"Spider - he is our hero
Spider - get rid of...
Spider - step on spider!
Spider - we love you, spider"
-- They Might Be Giants

I finally got a chance to hack some Perl today. Good times were had by all.

We've got a sibling organization that feels they really, really, really need DNS resolution of some of our internal addresses (which they're already routing to {grumble grumble}). We've long had an internally rooted DNS structure that we're not going to be able to fix wholesale, and not going to be able to patch in any reasonable amount of time.

So I took Net::DNSServer::Proxy, hacked in some domain rewrite logic, and now have made available our entire structure in a much saner fashion.

Saner, not sane.

Wednesday April 07, 2004
05:51 PM

Abjectness

"This is the end
You made your choice
And now my chance is over
I thought I was in
You put me down and say I'm goin nowhere"

-- Frank Stallone

Sure enough, despite the fairly wide Apache base installed where I work, the latest modernization effort for web services was more or less rejected because Apache isn't NIAP certified.

Of course, neither is IIS, which they approved, but the security accreditors think Microsoft is more likely to pay for certification than an Apache developer. I'm not exactly sure what they would certify IIS against, as the Protection Profile is still in development.

I did point out that both WebLogic and WebSphere are being tested. The last I checked, WebSphere shipped with Apache. I wonder if the evaluation configuration requires it?

Tuesday December 16, 2003
03:04 AM

Calcification

"There were no defects to be found
Snapshot image froze without a sound"
-- J. Geils Band

I applied the recommended patch set on my Solaris 9 Ultra 10 this weekend. Typed reboot, the disks synced, and then... nothing.

So I wait, ever so patiently.

Still nothing.

So I hit the power button.

Still nothing.

So I switch off the power supply. Ahh, that did it. Power it back on, and...

Hmmm. No video. Uh-oh. Two hours to get a display back to the monitor. Okay, let's try again.

Why is it booting from the net? L1 A. Why is it hanging on probe-ide? Another hour testing disks in another system before concentrating on the machine's IDE bus. An hour or two later, the bus magically resets, and everything is golden. Time to boot.

I'm not exactly sure how I fixed either problem. But then again, I'm not sure how I broke them in the first place, so I'll call it even.

Kernel panic. Dump to disk! Oops, no dump device. Better reset before the user gets a chance to read what's on my screen.

Final tally. Lost the mirror. Corrupt boot partition. Ended up doing a complete reinstall. On the plus side, I confirmed I could read Sun SPARC UFS partitions under Linux x86. And I didn't lose any real data.

That was my Monday morning. And afternoon. And part of my evening. You'd think I would have had enough.

I picked up two monster disks to expand into. Problem is, I don't have any systems that will support them.

Well, I have one. My Windows machine, which I have pretty much have just for gaming. It'll support the drive size. Once the BIOS is updated, of course.

Follow the instructions to the letter. Double and triple check everything. Except whether it would save the old BIOS to floppy for restoration in case of an interrupted update.

System powers on. I see the banner indicating the new BIOS rev.

I still see the banner indicating the new BIOS rev.

I still see the banner indicating the new BIOS rev.

Sigh.

Monday June 23, 2003
10:27 PM

Prosaic

"Will you recognize me
Call my name
Or walk on by
Rain keeps falling
Rain keeps falling
Down, down, down"
-- Simple Minds

I had the pleasure of having dinner tonight with Ziggy, Delegatrix, and Piers and his wife.

I never ceased to be amazed at the quality of people that Perl seems to draw. Some days I feel that I'm the most uninteresting person in Perl-land. (Then I realize that would make me interesting, so I drop myself back to second-most.)

Sunday June 22, 2003
08:31 PM

Wistfulness

"And if by chance I should hold her
Let me hold her for a time
But if allowed just one possession
I would pick her from the garden, to be mine"
-- Skylark

There are songs, and then there is music. There is life, and then there is love.

Wednesday June 04, 2003
12:31 AM

Dubitation

"I have stood here before inside the pouring rain
With the world turning circles running 'round my brain
I guess I'm always hoping that you'll end this reign
But it's my destiny to be the king of pain"
-- The Police

The DoD may well have leveled the playing field, but that parity has now significantly raised the barrier to entry for open source projects. (Even though Free and Open Source Software (FOSS) has been used pervasively for years, its "verboten" status prevented it from coming under the same governance processes as Commercial Off-The-Shelf (COTS) software. Now that it's out from under the table, it can be officially scrutinized by all the various policies and regulations that dictate how software acquisition and development is done.)

Under NSTISSP 11's new rules, for example, any software that provides or includes Information Assurance (IA) features - such as user accounts and passwords - is required to be NIAP certified.

NIAP certification was never intended to be an absolute doctrine. The assessment program, particularly at the lower assurances level, rates the likelihood an IA solution is secure, without providing assurances that it is. Although there is active security testing - do access controls work, for instance - there are no code reviews. Certification is largely design and methodology reviews, and heavy documentation requirements.

Oh, and a lot of money.

Very few open source projects have the design documentation or the methodologies necessary to obtain NIAP certification. Fewer still have the bucks to walk their code through accredidation.

But that's okay, because more and more FOSS is being bundled with operating systems, and operating systems, being IA-enabled, are required to be NIAP certified. So FOSS gets the certification for free, right?

Nope.

Certification is against the software load as tested. Modifications to the IA-enabled components invalidates the certification.

That's right. A patch provided by, say, Sun, to fix a known exploit in its authentication code cannot be installed until the patched system has gone through certification, a process that takes months, and can cost upwards of six figures. (Luckily, this conflicts with DCID 6/3, which trumps it.)

Obviously, no vendor does that. Most don't even recertify the major revisions of their code. The last Solaris NIAP certified before Solaris 8 02/02 (which was approved in April of this year) was Solaris 8 FCS, with two patches, and AdminSuite (and its requirements, such as CDE, installed).

Now think how often FOSS is patched.

Separation of the components away from the composite system may also invalidate the certification. So while Apache may be NIAP certified under the web server protection profile as part of Solaris, your build of the same version of Apache may not be.

So let's ask Pudge. The government is now permitted to use slash on its information processing systems. All you have to do is shell out a hundred thou' or so to have it (and MySQL, and maybe Perl) evaluated. Do you think that levels the playing field?

    perl -e 'print scalar reverse "NIAP"'

Tuesday June 03, 2003
07:23 PM

Omnivorous

"You can get anything you want
  at Alice's restaurant
You can get anything you want
  at Alice's restaurant
Walk right in, it's around the back
Just a half a mile from the railroad track
And you can get anything you want
  at Alice's restaurant"
-- Arlo Guthrie

Over the past two years or so, I've become a huge Alton Brown fan, to the point that Good Eats is probably my favorite show currently on the air. Channel Guide has an interesting interview with him on their website.

Monday June 02, 2003
07:17 PM

Vilipend

"If this world makes you crazy
And you've taken all you can bear
You call me up
Because you know I'll be there"
-- Cyndi Lauper

When we last left our hero, he was debating on whether to call back, or let things be. Delegatrix had an absolutely mahhhhhvelous idea, but poor Whammo chickened out.

So I return this evening from grabbing some Chinese, and guess who's left me another message? She still sounds so sad.

All right, I'll call back, telemarketer or no. (If I hadn't had the free minutes, I definitely would have called collect.)

She really was looking for the person she mentioned. She really was sorry for disturbing me, and was very thankful that I called back to let her know it was the wrong person. No, she didn't try to sell me anything. No, she didn't tell me what it was about.

Sigh.

Why do I feel like such a jerk?

Saturday May 31, 2003
10:02 PM

Paranoiac

"Paranoia, the destroyer"
-- The Kinks

Crap. Crap. Crap.

I get home from a day out to find an urgent message on my machine - a request to speak with a name that sort of sounds like mine but clearly isn't, her first name, a non-toll-free phone number, and an emphasis on the importance of a call back.

Now, 95% of the time my phone rings, it's a telemarketer. I stopped answering my phone years ago. My message used to give explicit instructions for removal from phone lists, no telemarketing, and such; and telemarketing companies used to not leave messages. Of course, a lot of that has changed, so I'm used to coming home to all sorts of pitches and gimmicks to get me to call someone.

This woman definitely sounded upset, if not a little panicked. But why not a last name? Why not a hint as to what is so important?

This certainly smells like a scam. But her voice... and a non-toll-free number? And every telemarketer from here to Paraguay knows my name. A web search is in order.

Reverse lookup, of course. And, of course, it can't be found. Well, no surprise there. I've never been able to find something through reverse lookup. But I can at least find out where the area code maps to.

San Angelo, Texas.

Oh, shit. There are people in San Angelo who would have a legitimate need to contact me. But one of San Angelos's largest employers does telemarketing.

Now what do I do?

Well, I keep plugging the phone number into every reverse lookup service I can find. I plug in the number mod 10, 100, and 1000, to see if perhaps this was a private number hanging off a corporate block. No joy.

On the one hand, that's good. If it were a hospital or something, I would have expected a hit. Of course, I would have expected that on the message as well.

Now I'm getting pissed. Pissed at society, when I can't even discern whether or not a personal emergency is occuring because of today's telemarketing tactics. Pissed at this person, if she is a telemarketer, for stooping to such tactics.

I'm scared and furious. The easiest thing would be to call the number (I've got free minutes to use), collect as much information on who's at the other end, and file a neverending stream of complaints against them. But I've been sufficiently scared by enough reports of people doing that and still being tricked into thousands of dollars worth of scams. Perhaps they're collecting phone numbers of everyone who calls back. I don't know. Paranoia will destroy ya.

Besides, if it's that important, she'll call back, right?

Googling for the phone number outright produced nothing. The phone call was made ten hours ago, so if it is marketing, she's probably off shift. I'll call. Chances are, I'll get some sort of indication of who I'm talking to long before a person actually picks up, anyway.

Voice mail. Personal voice mail, most likely for a business, as she gives her full name. No other information given. I hang up.

Back to Google. Who is this person? What, if anything, has happened? Still no results. Oh, well. That rarely works, either.

Crap. Crap. Crap.

[Edited to fix lyrics.]

Thursday May 29, 2003
04:42 AM

Denouement

"Sweet dreams are made of these
Who am I to disagree?
I travel the world and the seven seas
Everybody's looking for something"
-- The Eurythmics

Woke up from a round of intense nightmares to find a whole slew of mail I sent out last night was deferred because of mail server rejection. All of the mail were sent to folks at comcast.net. (I'm on comcast.net.)

After waking up sufficiently to realize that meant my mail hadn't gone through, I assumed that Comcast had finally gotten on the ball about spam prevention, and was rejecting me based on my envelope sender. (It happens on occasion, as I use... er, used an unresolvable host.)

So I figured I'd have to bite the bullet and finally configure my envelope correctly, which I should have done long ago as a good netizen. Even though I can't actually receive any mail anyway. Flush the queue, and...

Mail rejected.

So now I'm thinking... oh ho!* This is Comcast. Their server is just probably down. (I'm still mostly asleep, and am having a hard time remembering the various deferment messages given for each scenario.)

So then I telnet to 25 on the mail exchanger that's crapping out on me.

telnet mx00.comcast.net 25
Trying 24.153.64.1...
Connected to mx00.comcast.net (24.153.64.1).
Escape character is '^]'.
571 Comcast.net subscribers are no longer permitted to directly connect to this mail server. To send email to other Comcast.net subscribers, you may forward messages through smtp.comcast.net.
Connection closed by foreign host.

Mmmm.... makes you wonder what MX records are for.

Okay, okay, okay. At least they gave helpful instructions. So I read through the incredibly verbose comments in the various postfix configuration files, set up my transport to send all comcast mail directly to smtp.comcast.net, and flush the queue.

So why isn't it working?

All those instructions, and not a single mention of how to get main.cf to read a separate transport map. Thanks, Google. Mail's away.

*That's how I think when I'm tired.

[Edited 3 June 2003: The original title - spelled with an acute e - was causing fits to various pages. It was later blanked out. I'm restoring the title minus the accent.]