Scott’s Blog

I have noticed as I get older, a propensity for growing bristly, unruly, long greying eyebrow hairs. While normally this isn’t particularly noticeable (by me at least,) today I had an experience that made my crazy brows all too apparent to me.

I was swimming at lunch time at NAIT, and I kept seeing a hair or thread flapping in front of the left eye of my goggles while I swam. After cleaning the goggles every time I stopped for half an hour and being unable to get rid of whatever it was, I came to a startling and sad realization… that the thread was a mad scientist eyebrow hair, and it was quite attached.

I’ve plucked it.

I just finished reading Little Brother, by Cory Doctorow. I read a lot, in the order of a couple of hundred books per year. Many books are promptly forgotten, but this is one I’m going to add to my re-reading pile. I’m also going to buy a few copies and give them to a few people. For those who are into reading e-books, the electronic versions of many of Cory Doctorow’s works are freely available from the author’s website, published under a creative commons license, like my blog. That right there earns my respect, and I’m presently perusing the rest of Cory Doctorow’s catalog.

I’m always having these discussions with my wife about this discomfort I have with the idea of surveillance societies and the loss of privacy (ironically, considering how much information about myself that I voluntarily publish). The book Little Brother is a fictional story about what gives me the willies about the attitude “I have nothing to hide, so why should I care if they video me everywhere, read my email and wiretap my phones?” I think that attitude is based on a logical fallacy, that privacy only has value to people who are hiding something. That’s called a false dichotomy. Privacy is valued by people who are not criminals and do not have a guilty conscience too. Otherwise, why do we have curtains? If you have the “I have nothing to hide” attitude, I suggest you read this paper on the fallacy of that idea, written by George Washington Law School Professor Daniel J. Solove. Click the link and scroll down to find several links to the actual PDF of the paper.

Surveillance societies give up essential freedoms in the name of safety. Unfortunately, the sacrifice of freedoms is generally in vain, because the increased surveillance of citizens does essentially nothing to prevent crime or terrorism. Search with Google. There are many many articles and reports indicating western societies are no safer from terrorism than before September 11. In fact, many think we’re worse off, and now we have the added fear of misuse of all the surveillance information by the authorities.

If, like me, you are Canadian, you might think that there’s not much surveillance going on in our country. If that’s the case, do a little experiment. When you’re out and about, think about every instance during your day when your location or activity is recorded by somebody or some automated system. Do you go into a store? You’re on video. Do you buy something with credit or debit? Somebody knows what you bought. Use cash? If so, what about your Safeway Club card or Save On More card? They still know what you bought. Buying online? Same thing. What about traffic cameras looking at your license plate as you travel around town? Somebody could know everywhere you’ve been, and when. Now read Little Brother, and think about the picture of your life that all those little points of surveillance that could be constructed if a single authority were able to combine all that?

Really, I’m only a little paranoid, and I freely share a lot of info about myself. However, as is famously and often stated, just because you are paranoid doesn’t mean they’re not out to get you.

Sleep well.

Yesterday we exceeded our previous spam record by 20%. We received 58,000 spams yesterday. The scary part is that we only set the previous record six days earlier, at 48,000. I don’t think we can sustain that rate of increase for too long before our spam firewall melts. It’s still ticking over at less than 10% utilization, but who knows if there could be a rate that would be a tipping point, after which it would suddenly leap up to maximum utilization and stop keeping up.

The problem is the massive flood of spam coming from the domain name newvega.com. The spammers have recently added a new spamming source at blissultra.com. Today we’re getting hammered with about 12 to 15,000 per hour.

I just modified the firewall in front of the Barracuda to reject connections from blissultra.com and newvega.com. It’s already lightening the load on the Barracuda quite a bit.

Spammers can die in a fire, please.

Yesterday we set a new company record for incoming emails. We received 50,060 messages on Feb 21. Of those, 3701 were legitimate emails and the other 46,359 were spam and viruses. Over 19,000 came from one email address: Platinum_Partner_January@newvega.com. Note to spam harvester robots: Please harvest Platinum_Partner_January@newvega.com and spam the bejeezus out of it.

Throughout this barrage, our Barracuda spam firewall allowed a single message from Platinum_Partner_January@newvega.com to come through, and blocked the rest of the 19,000. Barracuda spam firewalls are worth their weight in bandwidth charges.

That is all.

Here’s what it’s like where I and the rest of my group are:

Here’s what it’s like where our boss is:

I don’t know about you, but I’d take +23 in the rain instead of -23 in the sun (except that here we can snowboard).

I just helped Jennifer finish off the bylaws for the Thunderbirds Water Polo Club. She’s been working on it for days, and was done except for some problems with formatting. She was using Word on her Macbook. I helped her tag the paragraphs so that it would automatically generate a table of contents. If you were to have some preconceived notion about how that should work, Word does it in exactly the opposite way to what you expect every step of the way, and then refuses to show you the result until you do a print preview. For what it’s worth, I really think OpenOffice Write is much easier to work with. This session with Word reminded me why I write anything of any length using docbook tags and let the style processor do all the formatting for me. Emacs is my word processor and .txt is my .doc.

We want to go into the USA during our summer vacation this year. We don’t need passports to go into the USA yet from Canada by a land terminal, but we wanted to have them just to make things easier. Jenn took the completed applications in to the passport office on July 16, and they arrived by mail today. My only conclusion must be that they were mailed to us by Passport Canada six weeks from now, and accidentally got caught in that time warp thing that Canada Post has that makes mail arrive slower the closer the destination is from the sender, and sent back in time. There’s no other explanation for how the passports could have arrived in only ten days.

Researchers at the University of North Carolina at Chapel Hill have discovered that two drugs used to treat bone loss in old folks can both kill and short-circuit the “sex life” of antibiotic-resistant bacteria blamed for nearly 100,000 hospital deaths across the country each year. (Read article)

It’s very hard for me to read that two months after my dad died from an infection of antibiotic-resistant bacteria resulting from a gall bladder problem. I’m hopeful for future sufferers of this type of illness, but for us it’s just too late.

One of my pet peeves, and something that comes up often because I admin our SPAM firewall, is the dumb behavior of vendor and service provider websites in sending our users email with the “From:” field set to an address in our own domain. This is called “spoofing”. An example of its use is when one of our staff goes to a vendor site, and fills out an online order form for a purchase order. The vendor’s ordering site sends an email to my boss requesting approval of the order. The email that the vendor’s site sends has the “From:” field set to the email address of the user who submitted the order, instead of an email address belonging to the vendor. According to section 3.6.2 of rfc2822, which is the document that defines how email addresses are supposed to work, this behavior is wrong.

This excerpt says that essentially, the “From:” address should always belong to the entity who sends the message, namely the vendor.

In all cases, the “From:” field SHOULD NOT contain any mailbox that
does not belong to the author(s) of the message. See also section
3.6.3 for more information on forming the destination addresses for a
reply.

Vendors do this so that if the recipient replies to the message, the reply will go to the person who made the order or whatever. Spammers do this because it is common practice to automatically trust senders from your own domain or from your own address book with your spam filters, so it helps spam get in. Many people who run enterprise spam firewalls block messages from their own domain name if they don’t come from their own mail server, which is the case when a vendor does this.

Fortunately, rfc2822 provides an alternative means to accomplish what the vendor wants, while allowing spoof protection to be enabled and still not block the vendors’ messages. It’s called the “Reply-To:” field, and the rfc defines it like this:

When the “Reply-To:” field is present, it indicates the mailbox(es)
to which the author of the message suggeststhat replies be sent.

All the vendor has to do is put something like “orderingsystem@vendor.com” in the “From:” box, and the address of the customer in the “Reply-To:” box. When a user replies to the message, the reply goes to the “Reply-To:” address. Unfortunately, too many people who build ordering systems or service providing systems are either too lazy or too stupid to read the bloody standard and do it properly.

Instead, the vendors go to great lengths to write FAQs and create help forums and “compatibility assessments” in order to explain to their customers how to “fix” their spam filters to prevent the vendors’ malformed messages from getting blocked. Mail administrators have to often tweak their spam firewalls to allow these damn things through. We have about a dozen whitelist entries in our spam firewall to allow various vendors’ broken messages through.

Consultant that we didn´t know was working for one of our subsidiaries for whom we host web content: ¨What is the login ID, password, database id, login and password for the PHP-enabled web server we will be using to host the new web content that we´ve developed for the subsidiary?¨

Me: ¨What PHP enabled web server with a database? Our public-facing web servers all host static content.¨

Consultant:¨Oh… crap.¨

Now I have to build a new web server VM (which I was planning on doing later this spring) and find some spare capacity at a reasonably high-availability server in our infrastructure to host it (which I was also planning to do later this spring) and I have to do it in a couple of days. Crud