Equinox

Just noticed:  Sunrise 06:25 Sunset 18:26.  Starting today, we are into the season of daylight!

We’ve had some spring weather too, though nothing dramatic.  What is looking impressive is the wide range of spring flowers and blossom all around.  Not just the Usual Suspects like daffodils and primroses, but even later flowers like the tulips in the front garden are peeping through.  And we have the appearance of other spring wildlife, like the bumblebees servicing the flowers in the garden.

Also mildly bemused by the white heather at the bottom of the garden.  I’ve seen heather ranging from red/pink through to blueish, but pure white is new to me.

Under attack

Yesterday morning I woke up to several hundred (or was it thousand?) messages from the online contact form on my website.  They came from what was clearly an automated dumb probe: all within a few minutes just before 4 a.m.  The probe had tried filling different fields with all kinds of payloads: fishing Unix paths, fishing Windows paths, escaped and unescaped commandline sequences including shellshock, SQL injection attacks, Javascript/XSS fragments, attempts to send mail or proxy HTTP.  Oh, and some fragments whose potential purpose eludes me.

OK, no big deal: just a few minutes of my time.  Dumb bots attack websites all the time.  Whatever vulnerabilities my server has (and I’m sure there are some), that kind of bot probing my contact form is no threat – except insofar as it could become a DoS.

This morning, another 740 messages.  From an even briefer probe: all at 03:59 and 04:00.  Checked the IP they all came from, and firewalled it off.  With a DROP rule, of course.  If it recurs from elsewhere, I’ll have to take a view on whether this approach can be extended or is useless.

If I can be arsed, maybe I’ll stay up and tail the log tonight, starting 03:50 or so.  Wonder if the perpetrator can be pwned while in action?  On second thoughts, maybe not at that hour, doubly not after the couple of pints I regularly enjoy on a Thursday evening.
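As an added illustration (not the author's own code or logs), here is a small Python burst detector of the kind that would have flagged the 740-message probe described above: it parses constructed Apache-style access-log lines, counts POSTs to an assumed /contact path per source IP inside a sliding two-minute window, and emits the matching iptables DROP rule for review before anyone applies it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_line(line):
    """Return (ip, timestamp, method, path) for an Apache combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def burst_sources(lines, path="/contact", threshold=50, window=timedelta(minutes=2)):
    """Map of IP -> peak count for IPs that POSTed to `path` >= threshold times in any window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def drop_rules(flagged):
    """iptables DROP rules (as strings) for the flagged sources; review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

def constructed_log():
    """Constructed sample: one source bursting 740 POSTs at 03:59-04:00, plus normal traffic."""
    lines = []
    base = datetime.strptime("15/Mar/2017:03:59:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    for i in range(740):
        ts = (base + timedelta(seconds=i * 120 // 740)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'203.0.113.7 - - [{ts}] "POST /contact HTTP/1.1" 200 512')
    lines.append('198.51.100.4 - - [15/Mar/2017:09:12:40 +0000] "POST /contact HTTP/1.1" 200 512')
    lines.append('198.51.100.9 - - [15/Mar/2017:11:02:05 +0000] "GET /contact HTTP/1.1" 200 2048')
    return lines
```

The threshold and window are tunable; a genuine contact form rarely sees more than a handful of submissions per minute from one address, so a low threshold is safe.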

Pratocracy Article

Some months ago, Apache PR (aka Sally) launched a monthly series under the generic title “Success at Apache”, and solicited volunteers to write articles on topics of relevance to the Apache Way and how things work.  I was one of many to reply, and she put me down for this month’s piece.  A few days ago it went live, here.

The original proposal was to discuss the Just Do It and Scratch Your Own Itch aspects of Apache projects and how, with the checks and balances provided by the meritocratic and democratic elements of project governance, that Just Works.  Some (linguistically) very ugly words for this have been floating around, so I’ve made an attempt to improve on them with a new coinage to avoid muddling English and Greek.  Pratocracy: the Rule of the Makers.

Sometime before I started writing, a question came up on the Apache Members list about any guidelines for companies looking to get involved with an Apache project.  It appears most of what’s been written is on the negative side: things not to do!  This seems to be a question that dovetails well with my original plan, so I decided to try and tackle it in my article.  This became the longest section of the article, and may hopefully prove useful to someone out there!

Sadly I was recovering from a nasty lurgy at the time I was writing it, and I can’t help feeling that the prose falls short of my most inspired efforts.  I’ve avoided repeating Apache Way orthodoxy that’s been spoken and written before by many of my colleagues, but in doing so I may have left too much unsaid for a more general readership.  At times I may have done the opposite and blathered on about the perfectly obvious.  Ho, hum.

No FOSDEM

I didn’t make it to FOSDEM last weekend.

This time I could perfectly well have done so: there was nowhere else I had to be, no deadline I was pressed to meet, no travel difficulties.  No such excuse.  I just didn’t go.

My loss.  Certainly in terms of who I didn’t meet (old friends and new), what I didn’t learn, how my mind didn’t get stimulated, what projects and ideas haven’t excited me.  Damn.

So what kept me away?  Obviously it’s that bit harder work than higher-budget conferences.  The venue is a bit hit-and-miss, with some of the rooms being quite an ordeal.  On the other hand, the big lecture theatre with the keynotes and the smaller ones where most talks happen are perfectly good, the room with the “lightning talks” (always a good default place if there’s a time when you have nothing scheduled) likewise, and the better project rooms are good for a session – at least when there’s something in that limited space of interesting but not too overcrowded and stuffy.

No, what really put me off was the prospect of once again running the gamut of the smokers.  The stench of it in the lobby and corridors, exhibition space and coffee area, coupled with the crowds that prevent getting from A to B on a single breath.  The good reasons to go to FOSDEM are at an intellectual level, but the feeling of a descent into filth when I think about going is overwhelming at a basic, Proustian level.

On that analysis, I may never go again.  That’s sad.

Echoes

Now transcriptions of Trump’s inaugural speech are available, I can confirm the historic echo I thought I heard.

We are one nation – and their pain is our pain. Their dreams are our dreams; and their success will be our success. We share one heart, one home, and one glorious destiny.

Wow!  That is surely too close to be pure coincidence.  His own words, or a speechwriter?

One people, one nation, one leader.

But will he do as well as his role model in rebuilding his country’s infrastructure and industries?  History tells us where that eventually leads.

Travel made easy

Back from Brighton a couple of days ago.

That’s kind-of more newsworthy than a simple journey should be.  Travel to Brighton has been disrupted, first by a lot of general disruption on Southern Railways, and more recently by strikes adding to travel problems.  Brighton’s commuters have a lot of horror stories about their troubles.

By planning my journey at specific times of day, I can travel from here to Brighton on just two trains, both operated by First Group, and changing at Westbury.  So I can easily avoid the disrupted trains.  However, that puts me on a short train of just three coaches for the Westbury-Brighton journey.  And from Southampton, it’s a stretch served also by much longer Southern trains, many of them eight coaches.  So the worry was that my train might be overwhelmed with refugees from disrupted Southern services.

So I took a few precautions.  I booked in advance, and avoided not just any Southern services, but also their strike days.  Booking in advance still seems to be a nightmare, but I eventually managed.  Phew!

Come the actual travel, everything is far better than I’d dared hope.  Not only are the trains running smoothly and on-time, but I find I have ample space to spread out.  Indeed, a double-seat to myself throughout both outward and return journeys.  Even in January low season, that’s unusual!

I can only infer that the news of disruption has driven potential passengers away.  People with a choice about it are avoiding travel, not merely in the regions affected by disruption, but also on the mainline service from London to southwest England, well clear of the disruption.  All the better for those of us who do travel!

The Power of Denial

Someone from the Red Cross describes our NHS as a humanitarian crisis.  Oh dear.  OK, bit of commentary in the media, politicians spin it.  No big deal.

But then someone from the NHS denies it, thus invoking the Power of Denial to make it a much more serious story, less likely to be relegated to a footnote in Current Affairs by next week.  And it’s not even an unqualified denial.  Whoops!

My first reaction: how silly to rise to the bait.  But was it deliberate?  One shouldn’t attribute to Conspiracy what can be explained by Cockup, but in this case I’m not at all sure.

Trump’s first triumph

One of the many thoughts I composed in my head but never got around to posting was a reaction to the election of Donald Trump.  An optimistic reaction, mixing tongue-in-cheek (to wind up some – probably most – readers), benefit of the doubt, and a few realistic hopes for how his presidency might lead, intentionally or otherwise, to real improvement in the world.

It’s too late for that now.  He’s made so many appointments I’d have to dig into them before taking a Panglossian view on his rhetoric about surrounding himself with the best people.  He still has the outsider’s potential advantage that, if he chooses, he can better afford to stand up to Vested Interests – including those who control purse-strings for US politicians of both parties – than his predecessors in modern times.

On one matter of foreign policy he’s sent a message which is both clear and constructive.  He is not in favour of warmongering around the world where his country has no business.  Like provoking civil war and supporting terrorist and rebel groups on a my enemy’s enemy basis.  The most obvious potential beneficiary of that is Syria, where the hope and expectation of Western intervention launched and subsequently fuelled a devastating civil war.

Trump gets elected, and after just a couple of weeks the rebels in Aleppo finally cut their losses.  Another couple of weeks and we get a ceasefire backed by Russia and Turkey, and for the first time the Western-backed rebels seem to have dropped their show-stopper precondition that Assad and his government be booted out.

Coincidence?  Even if we attribute Aleppo to pure military victory, the change in the rebels’ stance is surely not unconnected with Trump’s election.  Trump has sent them a clear signal that the leading warmongers in the West – like John McCain in the US or Andrew Mitchell in the UK – won’t persuade our governments to step up military involvement.

Of course that doesn’t mean peace: it remains to be seen to what extent that can happen, and indeed whether Russia and Turkey can make a better job of it than the West’s interventions in other countries (above all Iraq).  The key point right now is that the US – and by extension the West – no longer stands in the way of peace.

A little secret

Yahoo admits to a billion customer records being compromised.  The numbers are staggering, but the news of the exploit is mundane.

Doubtless the raw numbers are very largely inactive accounts.  People who long-since stopped using Yahoo accounts.  People who signed up with some other company that subsequently got borged by Yahoo.  People who once signed up to access some service but never used the accounts.  Etcetera.  Just as with social media numbers (even just the number of followers of this humble blog), to be taken with a big pinch of salt.

Nevertheless, that’s a billion signups.  Allowing for fakes and duplicates, that might be a nine-digit number of real people who once answered security questions.  That’s a bunch of answers that, unlike passwords, travel with the user across multiple services, not just online but also those you might access by other means such as the ‘phone or even face-to-face.  The name of your first pet or your primary school are no more secure than the classic mother’s maiden name.

And now a billion such records have leaked.  Give or take: we don’t know how many users ever were genuine, nor how many such questions and answers each genuine user disclosed.

So what does it mean if you’re one of the billion?  If someone wants to steal your identity, your security questions and answers have passed from the realm of something they have to research to something easily automated.  Well, we don’t know that for certain, but it’s certainly a risk that can no longer be dismissed.

You’d better change your security questions everywhere that matters.  What do you mean, you can’t remember which questions you signed up to Yahoo with twenty years ago?  Don’t tell me you can’t change the city of your birth, or the initials of your first lover.  Oh dear [shakes head].

And even if you’re not one of the billion, you may already have started to get the phishing emails purporting to be from yahoo (or others) about changing passwords.

I’ve argued here before that security questions are not fit for purpose.  Perhaps the Yahoo leak might help persuade the world to stop using them for things that matter!

A lesson from Castro

With Castro dead, the world can draw another line under the Cold War.  I have no intention of trying to comment on his life: a complex subject on which I have nothing really to say.

But the reporting of his death reveals an interesting split, between those who revered (or at least respected) him and mourn his passing, and those who hated him and danced on his grave.  The former being Cubans in Cuba, the latter being Cubans in Miami.  Plus a handful of global Cold Warriors on either side, who will dismiss the other side with a quasi-religious fervour.

Could that split between a home population and expats in the West be the exact same phenomenon that led us into fighting and provoking so many disastrous wars, particularly in the middle-east, in recent years?  At various times, our media have presented us with articulate expats from countries we’ve openly invaded (like Iraq and Libya) or meddled more quietly in and stirred with agents provocateurs (like Syria), in support of our campaigns.  Those would be their countries’ equivalent to the Miami Cubans dancing on Castro’s grave.  And that’s where our narratives of our wars come from: when our powers-that-be want war, they can find some extreme but articulate expats and present them as the voice of ordinary people.  Only once the die is cast do some in our media start to question dodgy dossiers and claims.