Category Archives: internet
OK, no big deal: just a few minutes of my time. Dumb bots attack websites all the time. Whatever vulnerabilities my server has (and I’m sure there are some), that kind of bot probing my contact form is no threat – except insofar as it could become a DoS.
This morning, another 740 messages. From an even briefer probe: all at 03:59 and 04:00. Checked the IP they all came from, and firewalled it off. With a DROP rule, of course. If it recurs from elsewhere, I’ll have to take a view on whether this approach can be extended or is useless.
If I can be arsed, maybe I’ll stay up and tail the log tonight, starting 03:50 or so. Wonder if the perpetrator can be pwned while in action? On second thoughts, maybe not at that hour, doubly not after the couple of pints I regularly enjoy on a Thursday evening.
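An added example, not from the original post: rather than tailing the log by hand, the same burst can be pulled out of an access log after the fact, and because it keys on request rate rather than one known address it still works if the probe recurs from elsewhere. It assumes an Apache/nginx "combined" log format, a hypothetical form handler at `/contact`, and an assumed threshold of 30 POSTs per minute; the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

FORM_PATH = "/contact"   # hypothetical path of the contact form handler
BURST_PER_MINUTE = 30    # assumed threshold; a person sends a handful at most


def parse(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def form_bursts(lines, path=FORM_PATH, threshold=BURST_PER_MINUTE):
    """Report sources whose form POSTs reach `threshold` in any single minute."""
    per_minute = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, req_path = rec
        # Only submissions count; ignore query strings when matching the path.
        if method != "POST" or req_path.split("?", 1)[0] != path:
            continue
        per_minute[(ip, ts.replace(second=0))] += 1

    totals, peaks = Counter(), {}
    for (ip, _minute), n in per_minute.items():
        totals[ip] += n
        peaks[ip] = max(peaks.get(ip, 0), n)

    return {
        ip: {
            "total": totals[ip],
            "peak": peaks[ip],
            "minutes": sorted(m.strftime("%H:%M")
                              for (i, m) in per_minute if i == ip),
        }
        for ip in totals if peaks[ip] >= threshold
    }


def sample_log():
    """Constructed sample: 740 form POSTs from one source across 03:59-04:00,
    two ordinary visitors, and one malformed line."""
    fmt = '{ip} - - [01/Jan/2020:{t} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = []
    for i in range(740):
        minute = "03:59" if i < 370 else "04:00"
        lines.append(fmt.format(ip="203.0.113.7",
                                t="%s:%02d" % (minute, i % 60),
                                req="POST /contact"))
    lines.append(fmt.format(ip="198.51.100.20", t="09:15:02", req="GET /contact"))
    lines.append(fmt.format(ip="198.51.100.20", t="09:16:40", req="POST /contact"))
    lines.append(fmt.format(ip="198.51.100.33", t="11:02:11", req="GET /"))
    lines.append("not a log record")
    return lines


if __name__ == "__main__":
    for ip, info in form_bursts(sample_log()).items():
        print(ip, info)
```
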
When Google comes under attack, I’m usually one of the voices in the peanut gallery defending them. That’s because most of the attacks on them, particularly the anti-trust stuff involving regulators, are grossly ill-informed and follow an Agenda that seeks to subvert Google’s central purpose of supplying the best possible search results for the person searching.
Now I’m going to attack. It may be true (as I’ve argued here before) that there’s a certain historic inevitability to the Enclosure of the Commons. But that doesn’t excuse Google’s crucial role, particularly in the demise of the Usenet commons.
The suicide and resurrection of an online community in which I participate has reminded me of that. It started on November 3rd, with an announcement that a set of discussion boards was to close on Nov 17th. Just two weeks’ notice: quite a large number of boards and a thriving community. The reason given was problems with old/unmaintainable software (which had indeed left a lot to be desired), but we suspect that the more fundamental reason was that the website (which has, in other areas, a number of paid staff) was losing money.
Why they didn’t try to sell the boards – with community intact – to whomsoever thought they could make a go of it – eludes me. But that’s now water under the bridge. And it may be a long-term blessing, if a highest bidder might’ve been under financial pressure themselves and perhaps trashed the site with intrusive levels of advertising.
Of course, discussion turned to ideas for how it might be replaced. My own preferred option of a decentralised solution – individual blogs with an aggregator to focus the community – was a non-starter on that timescale, even if it could in principle have gained traction in the absence of time pressure. But someone else had a practical solution: they set up an alternative site at a new domain with well-chosen name, and phpbb driving a replacement set of boards. They announced it within hours of the closure notice, and rapidly gained traction. The community has been rapidly migrating to the new site, which now also has tremendous goodwill. Early days, but it seems we have a level of continuity, albeit with archives about to be relegated to what may be found in dusty attics.
So what has this little tale got to do with Google or Usenet? Well, the old boards originated in January 1998. The second half of the ’90s was precisely when lots of websites were making a land-grab for online discussion fora, and a rising non-techie user base would follow the best-advertised route oblivious to inherent limitations like private (often quixotic) control and single points of congestion and failure. As soon as a community moves from the Usenet commons to the private gardens – walled or otherwise – of a website, it becomes vulnerable to all kinds of things, like a rug being pulled.
Google’s role comes in their own land-grab, and in what they did to Dejanews. Actually, come to think of it, the first time I ever heard the name Google was in that context: they were a company that had bought Dejanews. So now the folks who run the fantastic Usenet search engine now also have web search, and … it turns out to be rather good, returning results more-or-less as good as Altavista but without all the clutter and crap that had made Altavista a pain to use. Nice!
But it turned out to be part of a much more sinister agenda. Google Groups started life as a WWW gateway to Usenet: all good. But the waves of new users coming through Google weren’t being told that: they saw web fora, with thriving communities. If memory serves, it was the whole of Usenet (less some of the wilds of alt.*) that had been hijacked in an audacious land grab. Old-timers found ourselves fighting a losing battle against the impression that the whole thing was Google’s territory. Google were far from the only people doing that (and public mailing lists got similar gateways), but they were unique in owning Dejanews.
But Dejanews itself disappeared. Or rather, became just a tab in an integrated Google search frontend. Then the tab wasn’t even labelled “news”, which took on the obvious meaning it still has today. Then the “groups” tab vanished: after all, the content was Google Groups, and that’s just Web content like any other, right? Over the following decade or so, Usenet content simply vanished, increasingly much of it literally so.
The community mindshare had been grabbed, except for old-timers. Search had been lost gradually and the community, like a boiling frog, had failed to react to incremental changes and create an alternative. In the face of such trends, the will to put much effort into other things like newsreader development and combating the rise of spam, also waned. The land grab has happened, the commons are lost, we live in a world of private gardens. Worse still, many including the biggest (Facebook) are walled off against us: access is limited to their registered users! And it’s very largely all Google’s fault.
If I can be arsed I may post a followup to this, proposing a new alternative. It won’t be Usenet: that ship has sailed. It will be based on aggregation and syndication of distributed content, under the control of individuals. Damn, am I fighting the same battle I pooh-poohed Moglen for?
Folks who know me will know that I’ve been taking an interest for some time in the problems of online identity and trust:
- Passwords (as we know them today) are a sick joke.
- Monolithic certificate authorities (and browser trust lists) are a serious weakness in web trust.
- PGP and the Web of Trust remain the preserve of geekdom.
- People distrust and even fear centralised databases. At issue are both the motivations of those who run them, and security against intruders.
- Complexity and poor practice open doors for phishing and identity theft.
- Establishing identity and trust can be a nightmare, to the extent that a competent fraudster might find it easier than the real person to establish an identity.
I’m not a cryptographer. But as mathematician, software developer, and old cynic, I have the essential ingredients. I can see that things are wrong and could so easily be a whole lot better at many levels. It’s not even a hard problem: merely a more rational deployment of existing technology! Some time back I thought about setting myself up in the business of making it happen, but was put off by the ghost of what happened last time I tried (and failed) to launch an innovative startup.
Recently – starting this summer – I’ve embarked on another mission towards improving the status quo. Instead of trying to run my own business, I’ve sought out an existing business doing good work in the field, to which I can hope to make a significant contribution. So the project’s fortunes tap into my strengths as techie rather than my weaknesses as a Suit.
I should add that the project does rather more than just improve the deployment of existing technology, as it significantly advances the underlying cryptographic framework. Most importantly it introduces a Distributed Trust Authority model, as an alternative to the flawed monolithic Certificate Authority and its single point of failure. The distributed model also makes it particularly well-suited to “cloud” applications and to securing the “Internet of Things”.
And it turns out, I arrived at an opportune moment. The project has been single-company open source for some time and generated some interest at github. Now it’s expanding beyond that: a second corporate team is joining development and I understand there are further prospects. So it could really use a higher-level development model than github: one that will actively foster the community and offer mutual assurance and protection to all participants. So we’ve put it forward as a candidate for incubation at Apache. The proposal is here.
If all goes well, this could be the core of my work for some time to come. Here’s hoping for a big success and a better, safer online world.
I don’t know how I should describe the nonsense I pay Virgin (“Liberty Global”) good money for. It’s supposed to be an Internet Service Provider, but it falls well short of that far too often, and sometimes for extended periods. Back in the summer I was stranded without service for several weeks.
This morning (or, more precisely, yesterday morning) I found myself unable to read my mail. I also couldn’t ssh to the server. Lynx could get the front page, but only after a long delay. This looked exactly like something that happened last week, when only after rebooting (from the rackspace console) and calling rackspace support did I realise the problem was with Virgin, and traceroute was hanging on a Virgin machine after just a few hops from here. Using my EE 4G connection, all was well.
Today as last week I could see the server was fine, as I could access it from an apache.org machine, but anything from home just timed out. I let that pass, and again used the EE connection to read mail. But after a full day of downtime I thought I’d check a little more. This time traceroute gives me an entirely different destination: 184.108.40.206, which is a machine owned by Virgin! A simple DNS lookup tells me the same. So this time it’s a DNS cockup.
If it’s a DNS cockup, how come I can still browse my website (at least using Lynx, which doesn’t time out first)? There must be a HTTP proxy – with valid DNS – on 220.127.116.11. Smells like deliberate sabotage! And how come this didn’t appear to affect other sites I’ve been to today? For example, $work email (c/o gmail), or this blog @wordpress?
Probing further, this time (unlike last week) I can route to the server by IP address. So it’s definitely just DNS.
WTF is going on? I think it’s time to drop this sick joke of a non-ISP. Maybe get a second 4G connection from another provider for a bit of redundancy: that connection seems good most of the time, but wifi to the 4G modem is totally flakey so I have to use it via USB, which is a poor second-best.
 Yeah, of course any geek should have tested that before going to rackspace. In my defence, I was flat out in bed with a nasty lurgy and in no fit state to browse the web, let alone fix a problem on it.
I’ve been on the ‘net a lot longer than you.
Well, that won’t apply to all readers. This blog is aggregated at Planet Apache, so is likely to cross the feeds of some true veterans. But I’m sure I’ve been online far longer than any of the politicians or journalists who are getting into another frenzy about online porn and ‘protecting’ the children. Without getting into the nitty-gritty of what counts as an ancestor of the modern ‘net, I first accessed a computer remotely in 1983, subscribed from home and saw my first online pics (of sorts) in 1987, and got my first access over a ‘net using today’s protocols in 1990.
And in all that time, I’ve never encountered anything I’d describe with any certainty as porn. The most dodgy material I’ve seen is at the sites of trashy newspapers: specifically the Daily Mail (to which I occasionally follow a link) and Pravda (which I use as a test site when developing internationalisation software like mod_xml2enc). Both of those seem to bombard me with lots of pics of scantily-clad young people, predominantly female.
And violence? I don’t read novels online, though I might indulge in occasional dodgy media. Far and away the most violent content I’ve encountered is music from less politically-correct times, setting words from that ultra-violent text, the Bible. Blessed is he that taketh the children of the heathen, and casts them upon the stone.
So how is this relevant? I think it firmly gives the lie to the myth that you can stumble inadvertently on anything nastier than you’d see in your local newsagent or bookshop. If you want porn, you have to seek it out proactively. And if you seek proactively I expect you’ll find it, regardless of anything idiot politicians do to try and stop you.
We already have the censor blocking a widening range of contents. Now apparently we’re to have a whole new raft of Big Brother legislation. So as a very minor protest, I just googled for contents that will become explicitly illegal. Tizian’s Rape of Lucretia looks pretty unambiguous: it’s not merely a representation of rape (enough to make it illegal), but true, violent rape!
In fact, I think today’s news just prompted me to seek out the nastiest image I’ve seen in 30 years online. The further they go in the direction of book-burning and aggressive censorship, the more I shall feel inclined to opt out. I certainly won’t accept filtering of my ‘net contents while I have any choice, and if choosing Shakespeare over Bowdler puts me under suspicion from Big Brother then so be it.
I have no interest in porn (and 30 years to prove it), but now legislating to make it ‘impossible’ introduces an element of interest. How might I go about finding it? A search for “Rape of Lucrece” finds the soon-to-be illegal image here, but what search term might find something more modern? Maybe I can get a handle on some search terms by looking at the spam appearing on – and more usefully being filtered from – this blog. Here’s a sample, though those particular search terms are probably long-since outdated. I’ll leave the details as an exercise for the reader, but if you start a blog at WordPress.com you’ll have access to an akismet log containing lots of clues, likely to be more current than any stupid block-list.
 Unless our governments were to do something genuinely useful and take serious action against spam.
 At least, logically speaking. I expect they’ll find a loophole for anything that can get itself classified as art.
I’ve just taken delivery of a new phone, to replace the one that drowned. A similar model, but I won’t dwell on that in this post. What impressed me today was the delivery.
It wasn’t cheap. The retailer (Handtec) didn’t offer a free delivery option, and I decided to pay a couple of quid extra for next day delivery rather than spend several days potentially in limbo.
What happened next was rather good, and suggests that online shopping may be finally taking the problems of delivery seriously. On placing the order I got the customary acknowledgement email, followed by the email telling me my order has been cleared and is being dispatched. Another hour and a message from the delivery company (GPSK) telling me it would be delivered on Tuesday, but giving me options to select another day. Better still, this morning another message giving me a one-hour delivery time window (12:43-13:43), again with the option to request a different day. So on hearing a diesel van pull up at 12:53, I looked out of the window, saw the logo, and went down to take delivery. All very smooth!
Both the messages from GPSK came both as text and email to maximise the chance of reaching me in good time, if I had wished to make a change. And both contained embedded reply mechanisms to request a change. This attention to detail is exactly the kind of thing I’ve been asking for, and suggests that the business of online ordering and delivery is finally reaching a decent level of maturity!
I recently installed an update of a software package running on an Amazon EC2 host.
In the configure step I found there was an unsatisfied dependency: it wanted ossp-uuid, which was not available on the system. Neither was yum able to find it: there was an alternative uuid, but no hint of anything from ossp. Turned up some problems with yum too (a hung security-update process from weeks ago and a corrupted database), but that’s another story. Checking my box at home, the reason I hadn’t stumbled on the dependency is that ossp-uuid is installed as a standard package here. A case of different distros having different packages in their standard repos.
In the absence of a package, installing from source seemed the obvious thing to do. So I made my way to ossp.org, from where navigation to an ossp-uuid source download is easy. Reassuringly I see Ralf Engelschall is in charge (whois lists him too), but worryingly none of the packages are signed. A summary look at the source package reassures me it looks fine, though I don’t have time for exhaustive review. In the unlikely event of a trojan package having found its way to the site, I expect some reader of my blog will alert me to the story!
Anyway, that’s getting ahead of myself. The unexpected problem I faced was actually downloading the package, which is available only through FTP. Firefox from home timed out; lynx or perl GET from the ec2 machine returned an unhelpful error. Looks like a firewall in the way of FTP building its data connection. Installing an old-fashioned command-line ftp I found neither active nor passive mode would work, meaning neither the client nor the server could initiate the data connection.
Before going into an exhaustive investigation of those firewall components over which I have control (my router being #1 suspect at home), I decided to try other routes. The problem was resolved when I was able to access the FTP server from my own (webthing) web server, then make the package available over HTTP from there to the ec2 box.
In the Good Old Days™ before the coming of web browsers and bittorrent, FTP was THE protocol for transferring files. In 1990s web browsers it shared equal status with HTTP and others, and even into this century it was widely seen as a superior protocol to HTTP for data, particularly bigger files.
Now by contrast, the widespread use of blind firewalls requires me to jump through hoops just to use the protocol. The rant I once published about everything-over-HTTP is coming to pass, and is not a good thing.
I guess once wifi hotspots became a strategy for big telcos, it was only a matter of time before they reached us here. And so this week it has come to pass: two new unprotected wifi access points labelled BTFON and BTOpenzone-H. They provide a decent signal level too, second only to my own router from where I type.
So I connected to one, then the other, and took a look. They appear to be offering the same service: evidently like buses they’re social and cluster together! Indeed I suspect they may be no more than different aliases for the same physical router. Unsurprisingly they’re a BT service. Equally unsurprisingly there’s a catch: all they actually connect to is a sandbox. A website promoting a BT service, and inviting me to pay for access to …. what exactly?
In principle this could be an interesting offering. Indeed, if sufficiently reliable, such a service together with VOIP phone SIP exchange might even replace the landline and ADSL connection altogether. But its value depends entirely on whether it provides full internet access. If it’s one of those mickey-mouse services that blocks everything but web (and maybe mail) ports even after I’ve gone to the trouble of paying and logging in via the sandbox I can access, then no thank you!
Now, guess what information I can’t find anywhere on the sandbox site, after following every remotely promising link like “technical information” and “FAQs” (erm, yeah, right, everyone is frequently asking questions whose answer is immediately obvious to anyone who can formulate the question in the first place). Yep, that’s right, they’re not going to tell me whether they supply any bloomin’ service beyond a bit of point-and-drool.
What do you do when you’re anticipating a long session on the ‘puter, naturally including ‘net access, only to find your connection is dead? A call to your ISP gets you a recorded message about a major ‘net outage, though only after you’ve listened through a tedious spiel telling you please use their website to deal with problems(!)
If you have any sense, you get on with something else once you’re done cursing and swearing at it. Something you can do offline. And so I eventually tried to do: started hacking on something I could do quite a lot of without having to google anything. It didn’t work: my concentration span was shot to pieces by wanting to look up the latest updates from my ISP (which I could access from the pocket-‘puter over O2’s mobile data network). And, worse, I felt a perverse need to browse all my regular websites using the small screen and inadequate keyboard.
Is that a symptom of addiction? It’s not at all so bad having planned offline time, e.g. when travelling without the laptop.
(This was Wednesday evening, from early evening through the night to Thursday morning, when the problem was finally fixed.)
King Canute famously failed to prevent the tide coming in. I can’t help wondering if Eben Moglen is setting himself on a similarly futile course, when he calls for decentralisation of our information infrastructure.
The subject of Moglen’s opening keynote at FOSDEM was liberty, and how technology can work for or against it. He spoke of current and recent topical events, from Wikileaks to the role of the ‘net in Egypt’s (so-far) peaceful revolution. And of how technology can serve those who might threaten freedom: how much sensitive information could a heavy-handed government pick up from something as simple as a legal action on Facebook. How Data Protection in Europe has merely served to outsource handling of personal data to countries like the US with no such protection of privacy.
His call to developers was to build decentralised networks, where we can publish, communicate, interact as we do on the ‘net without submitting all our data to any centralised database that might become the focus of malign attention. Examples of tasks he spoke of ranged from Facebook-style networking to building a citizens’ cellphone network from $20 base stations in people’s homes. Tasks which are at least technically feasible to prototype and develop.
Listening to this, my reaction was that he’s battling against history here. History on the ‘net has shown different media and channels becoming more, not less, centralised. The once-popular Usenet medium for public discussion has given way to web-based fora: a wholly inferior medium for the task, and one for which I must admit my small measure of guilt (though it seemed like an interesting thing to implement in 1995). IRC discussion remains popular amongst geeks, but elsewhere there came chatrooms, and now we even have Twitter making a grab for that space. Every time, the geek medium gives way to an inferior one because the latter gets the mindshare. Non-technical journalists will routinely invite us to ‘tweet’ them, or mention a web forum relevant to a topic under discussion, so the public learn of these media. Meanwhile the old, decentralised, shared, and in both these cases altogether superior, media are relegated to enclaves of geekdom (or, in the case of much of usenet, to wastelands of spam and other abuse). My suggestion to him was, you need to concentrate your efforts not so much on legislators, but on communicators. Journalists in mainstream media!
OK, ‘net history is short. Why should a campaigner for freedom not call for trends to be reversed?
A wider perspective tells us that the online centralisation trends of which I have written are merely examples of similar trends backed by far more history. The most striking parallel in English history is the Enclosure of the Commons. The absurd valuations given to some websites (headed by Facebook) tell us a new aristocracy is profiting from enclosing an online commons, albeit an ephemeral and transient one.
And I plead guilty to hosting my blog at another aristocrat of web-land, WordPress. Yep, my rantings are centralised as a matter of simple convenience.