Tag: IT Page 1 of 3

DBAs take on Marriage Equality, or The Y2Gay Problem

A geekily-hilarious but also serious treatment of one of the least bigoted objections to the Marriage Equality decision of last Friday: the database administrators of the world now have hell to pay.

Excerpt:

Of course, we live in the twenty-first century, and in the words of Eddie Izzard, “there’s gonna be a lot more guys with makeup during this millennium”. Basically what I’m talking about is your non-conventional people, your non-male-non-female folks. Just having sex as a “male or female” choice is as short-sighted as having “marriage” as a “husband or wife” choice. You may need something like:
humans
- id
- forename
- surname
- birthdate
- sex_id (foreign key references column sexes)

marriages
- id
- partner_1_id (foreign key references column humans.id)
- partner_2_id (foreign key references column humans.id)
- marriage_date
- divorce_date (NULL if marriage not ended)

sexes
- id
- string

…where the latter table would contain such well-known sexes as “female”, “male”, “intersexed”, “not stated” and leave room for juggling later, since gender roles will doubtless become more non-trivial as time passes.

In fact, the whole “gender”/“sex” thing is more complicated than this. As we all (should) know, “sex” is a strictly biological term referring primarily to the shape of the organs between your legs while “gender” is more of a mental identity or social role term, so let’s include that too:

Yeah – go read the whole thing.  It’s actually all quite funny.

Why Security on the Internet is an Afterthought

This WaPo article gives us an historical perspective on why the Internet was designed to operate mostly with no encryption.  The money quote:

“Back in those days, the NSA still had the ability to visit a professor and say, ‘Do not publish that paper on cryptography.’ ”
As the ’70s wound down, [Vint] Cerf and [Robert] Kahn abandoned their efforts to bake cryptography into TCP/IP, bowing to what they considered insurmountable barriers.

This is really a great piece on how the internet morphed from an academic & defense research project to the collective nervous system of humanity.  I came into the field during the second decade of the Internet and it was not really a part of my life until about four or five years in.  I really enjoyed the insight into the earlier days.  Note the role Richard Stallman took back then – it hasn’t really changed much, at its core.

h/t to Rob Slade via CISSPForum.

Security is a Pain

I set out this weekend to figure out how to get PRTG Network Monitor to tell me the Internet bandwidth being used by our various machines, and where on the internet all that data is coming from or going to.  In order to get that level of detail, I have to enable SNMP and then tack a bandwidth monitor sensor to each device.

SNMP gets a pretty bad rap in the security world.  It’s host to its share of vulnerabilities, and the default credential (community string, in SNMP parlance) of “public” means it gives up too much information far too easily.  Every best-practices benchmark or manual will tell you to turn it off or reconfigure it so that none of the defaults are taken.  More to the point, most modern OS distributions no longer enable it at all by default; you have to enable it explicitly.

Enabling SNMP with all non-default settings turns out to be a very finicky process.  Unless an IT shop is operating at a scale where everything is built from “golden images,” it is easy to understand why security inspections so often find the defaults taken.  Even though this flies in the face of best practices, the defaults on SNMP agents match the defaults on SNMP sensors, so the two work together with no further effort.  How incredibly tempting for IT managers with thinly stretched staffs to take the zero-effort path over the double work of setting up sensors and agents with non-default values and then testing to make sure they set the exact same non-defaults on both sides.

This doesn’t make it right, but it sure makes it understandable.  Any security manager needs to show some empathy when finding things like this in the environment.
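A small audit for the “defaults taken” condition described above, added here as an example and not part of the original post: it scans a net-snmp style snmpd.conf for v1/v2c community strings left at “public”/“private”, any v1/v2c read-write community, and SNMPv3 users allowed in without authentication. The directive names are net-snmp’s; the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: flag the SNMP agent defaults
# that a default-configured sensor will happily accept. Directive names
# (rocommunity, rwcommunity, rouser, createUser) are net-snmp's.

# Prints one finding per line; prints nothing for a clean configuration.
audit_snmpd_conf() {
    awk '
        { sub(/#.*/, "") }                 # drop trailing comments
        NF == 0 { next }                   # skip blank lines
        # v1/v2c read-only community left at a well-known default
        ($1 == "rocommunity" || $1 == "rocommunity6") && ($2 == "public" || $2 == "private") {
            print "default read community \"" $2 "\" via " $1
        }
        # any v1/v2c read-write community is a finding: writes should be v3-only
        $1 == "rwcommunity" || $1 == "rwcommunity6" {
            print "v1/v2c write access via " $1 " \"" $2 "\""
        }
        # SNMPv3 users should require at least authentication
        ($1 == "rouser" || $1 == "rwuser") && $3 == "noauth" {
            print "SNMPv3 user " $2 " permitted with noauth"
        }
    ' "$1"
}

# Number of findings for a config file (0 = nothing flagged).
count_findings() {
    audit_snmpd_conf "$1" | awk 'END { print NR }'
}

# Constructed sample 1: an agent left at its defaults.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# out-of-the-box agent
rocommunity public
rwcommunity private
EOF

# Constructed sample 2: no v1/v2c communities at all; one SNMPv3 user that
# must authenticate and encrypt. The sensor side has to be set to match.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
createUser monitor SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
rouser monitor priv
EOF

echo "weak: $(count_findings "$WEAK_CONF") finding(s)"          # 2
echo "hardened: $(count_findings "$HARDENED_CONF") finding(s)"  # 0
```

Point it at a real agent’s snmpd.conf to see whether the shortcut the post describes was taken on that host.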

The Painful Joys of Learning a New Technology

I decided a while ago that I wanted to try a next-gen firewall.  So I recently acquired a small ARM-based PC with dual LAN interfaces, installed a disk in it and set to work getting Sophos Home UTM running.

An old friend and co-worker of mine once pointed out that we programmers and other IT types often find ourselves working at a tough problem or bug for hours or even days.  Then we hit upon the solution.  Now at this point, in the popular imagination, we erupt in celebratory exclamations along the lines of, “Eureka!”  Any of us who have been through the process, however, know that what is vastly more likely is that we erupt in vicious, self-directed insults along the lines of “Idiot!”

I have had my share so far of “Idiot!” moments.  Let me share them with you.

By the way: my only justification for being such a moron in the vignettes that follow is that this is my hobby, and even though it is frustrating at times, I am having fun.

I got the software and tried several different utilities to make a bootable USB stick from the ISO.  A Linux utility called “USB Image Writer” quickly proved itself nigh-on useless.  Unetbootin works well for Windows or Ubuntu, not so much for anything else.  I discovered that there is one program in this scruffy class that actually works well, including adapting the format of the output USB stick to how the ISO it’s laying down is set up, and that is Rufus.

Now, with a USB stick in hand that would boot the installer and begin, I quickly encountered an error message during the formatting of the disk, “install.tar not found”.  I probably could have resorted more quickly to the “just google the error message verbatim” strategy and saved myself a lot of time on this one, so that will count as my first “Idiot!” moment.  It turns out that you have to work around the fact that the Sophos ISO is designed to lay down a CD image with links to files as well as files, and this is not well-replicated on the USB version.  Also, for reasons not clear to me, the installer dismounts the install medium during the disk formatting process.  So you need some redundancy that the Rufus utility will not create.  I found this sequence of commands, which worked well:

Start the Installer, then

1. On the First Screen, hit Alt-F2. [gets a command prompt]
2. bash-3.2# mount /dev/sdb1 /mnt [mounting your install USB]
3. bash-3.2# cd /install
4. bash-3.2# mkdir install
5. bash-3.2# cd install
6. bash-3.2# cp -a /mnt/install/* .
7. bash-3.2# cd ..
8. bash-3.2# cp -a /mnt/* .
9. bash-3.2# cd /
10. Hit Alt-F1  [returns to main installer]
11. Finish the Installation, Reboot.

OK, now with this scriptlet, I can get the install to run to completion.  Along the way it takes a default for its static IP, and just clicking past that occasioned my “Idiot!” moment #2.  Oh, it also takes a default for the netmask, so my “Idiot!” moment #3 followed #2 pretty quickly.  I hear you objecting that we can change these after install with ifconfig.  It’s true, yes… but are you willing to assume that the installation of all that other firewall functionality did not record those bad defaults somewhere your after-the-fact change will not reach?

Let’s just say, I got good at that command sequence above.

Last but not least, after getting it working to the point of being able to put it on the bench and do as much pre-configuration work as possible prior to setting it inline and trying it out… I made the one mistake that should really have me considering a second career in pottery.  I created a new admin account with a complex password that I recorded in my password manager… and then deleted the default admin account… and then discovered that the new admin password was mistranscribed and therefore useless.  After a break, I get to practice that command sequence again.

And yet, I know how this movie ends.  My persistence at these things is close to boundless, and I will have a functional installation at the end.  And a newly deepened respect for sysadmin and netadmin types who do this for a living.

How I Choose Toys

As you may have guessed, my toys are mostly pretty techie.  So I hear you ask, David, how do you choose your gadgets?  Well, absolutely free and worth the price, here is my advice for how to select a great value in a great gadget.  And no extra charge for auditory hallucinations.

If the thing I want is a computer-ish, home theater-ish, outdoors-ish or camera-ish thing, I first visit The Wirecutter.  They have around a hundred continuously updated reviews of gadgets, nicely organized on the front page into about two dozen categories.  The site is supported by affiliate links to Amazon and other retailers, so that it doesn’t matter to them which brand you choose.  They also provide a low-volume mailing list so you can get alerted when reviews are updated.  These emails are often very important to me, because I am asked all the time for advice on tech items with information-security implications (e.g., home wireless routers).  Wirecutter’s updates help me stay on top of new products and new versions of those products.

Wirecutter’s companion site, The Sweet Home, is the place to go before you go to Home Depot or Bed, Bath and Beyond.  The same continuously updated reviews, and the same business model as The Wirecutter.  I find that kitchen gadgets and small appliances have such a high propensity to be disappointing, that I can’t imagine picking one anymore without reading some unbiased reviews.

Of course, there’s the digital incarnation of that old standard, Consumer Reports.  I think it’s worth the $30 a year, especially since we bought a new car last fall.  There are simply no rivals to Consumer Reports when it comes to cars.

Finally to software.  Gizmo’s Freeware is my usual first stop to check for free (as in freedom), free (as in beer), or freemium software products.  This is especially important when I am trying out a new-to-me kind of software.  I get a lot of help from their comparison articles in the process of firming up and refining what my requirements are for this new program.  One caveat I will give about this site is that download links frequently lead to CNet and similar places that add all manner of interesting “packaging” with the product you’re looking for.  You have to be very careful when downloading even legitimate freeware… this will be a topic of a future post.
