Private Dancer

Several days ago, while pondering an issue we’ve had at work an epiphany struck me. The problem we ran into was that our local network is a box of question marks. We don’t really know how it’s assembled or really what the rules are for using it, we just plug cables into wall jacks and if things work, they work. Until they don’t.

Enter NetInstall and NetRestore. These are the two imaging technologies for Macintosh and I’ve assigned my coworker to explore and develop images. Frankly he self-started it and I encouraged his exploration. We tried it first and both actions use a lot of bandwidth on the network and we eventually ran into a lot of problems. Not only did the machine we were working on take forever but it bogged down the server and caused huge headaches for everyone. We came to the conclusion that our local network just isn’t designed to carry any payload of appreciable size. It’s not really a complaint, but more of a characterization. It’s kind of fragile and wimpy.

So, was there a way we could still use ethernet technology without having to depend on our “provided” fragile and weak network? I sat in my chair pondering all of it, knocking some options out of the park instantly because of the machines we have. We can’t really depend on IP-over-Firewire as we have plain-jane MacBooks in the mix; they don’t have FireWire ports, just ethernet ones. As I looked across the way at all the server technology I had in the rack it struck me: each one, including the lowly Drobo, had two Ethernet ports. Huh. Two. Only one was really being used to connect each machine to the network, so each one had a secondary port available. I then started to root around in my junk bin and found an old unused Netgear ethernet switch, a five-port model, no fuss, no muss. I then grabbed a gaggle of short ethernet cables and started hooking all my servers and such to this little spare switch. Everything worked out magnificently well. In each server I configured these ports to conform to 192.168.0.* and assigned manual IP addresses for each of them. Then I found an unused Apple Express Wifi Access Point, plugged it in, set it for bridge mode, and now I can extend this custom network into Wifi using 802.11N, which is nice and fast. Just like that, cake and eat it too! What’s great about this setup is that my coworker and I can move large batches of data all over between these machines without having to worry about clogging up the network for all the other users who are trying to use these servers for their real work. Their files are small and their use sporadic; our use is large and nearly (sometimes) constant. The parts are just a few more blinking lights in the rack and just a little bit more spaghetti wiring hither and yon, but I don’t care, it works and it was free with the parts I already had on hand. The only part of all of this that upsets me is that I didn’t think to do it sooner.
I suppose I should take some solace that it’s better late than never. Having this private access to all the systems makes both of our lives much better. We don’t have to complain to central networking anymore because we’ve abandoned their fragile wimpy thing for a far better solution in-house, and because it’s unroutable, we didn’t break one single rule, mind we don’t know what the rules are, but still. 🙂

It’s a good Friday.

Google Authenticator

Over the long Fourth of July holiday weekend I received an email from WordPress.com detailing news that they were now fully compatible with the Google Authenticator Two-Factor security system. I haven’t thought of Two-Factor in a long while and decided to look into how Google had cornered this particular security market.

First a little background. The term Two-Factor security means that when you want to prove who you are to some service, called authentication, you usually just have to present two pieces of information, a username and a password. This combination not only identifies who you are and proves your identity through the shared secret of the password, but allows systems to remain as open as possible to all clients who want to connect – assuming that everyone is playing by the rules and nobody is trying to be sneaky or clever. Passwords are notoriously wimpy things, most people give up on complexity because they can’t readily remember the password and it’s not convenient so they select simple passwords like “12345”, “password”, or “secret” and leave it at that. The problem with passwords is that people who make them up are either lazy or don’t care about entropy or complexity and since a lot of your work and identity is being controlled using these systems, using these simple passwords is begging for disaster. Another issue that plagues a lot of people, and goes in with how naturally lazy many of us are, is that people will use one poor password on every site they go to and keep their usernames the same as well. The risk here is that when one service is compromised, all the other services are compromised as well and it’s a huge upward climb to get out of that mess if you find yourself trapped in it.

Cleverness works both against people in general, with thieves, phishers, and hackers as well as for people in general, with things like hashapass or applications like 1Password. Hashapass is a free service that combines the web address of a service with one single complicated password to generate a hash, which is to say, a value that is easily calculated from the combination of the single complicated password and the web address but done so in a way that going backwards is very difficult to do. If any piece of the puzzle is missing, it’s technically unsolvable. As an alternative to this there is 1Password, an application that I have become very fond of, and it uses a similar approach to hashapass. In 1Password one master password unlocks a database of all the sites and their individual passwords so you don’t have to remember a constellation of passwords, all you need is to remember one very good secure password and you are all set. There are a few other nice features to 1Password that I like, being able to generate very long random passwords and store them for me allows me to establish plausible deniability when it comes to my online identities. Because 1Password randomly selected a 32-character password for Facebook, I cannot be compelled, even under torture to reveal that password to anyone else. I just don’t know it. I know 1Password, but that’s not the right question so my account remains secure.

All of this I have collected and use, and I use it everywhere. On my MacBook Pro, my iMac at work, my iPad and my iPhone. 1Password makes it very easy to manage the security database and I’m quite sure that it’s secure. In my life, any more security is rather like putting more padlocks on a firmly locked jail cell, it’s rather silly and feels a lot like overkill. Then again, more security is always better, especially if it’s really clever and somewhat convenient.

Two-Factor security adds another component to the process of authentication. It augments the username and password combination. A password is something I know (or store using 1Password) and the second factor is something called a Time-Based One Time Password (TOTP). This is where the free iPhone app called Google Authenticator comes in. The app records a secret key from a site I wish to prove my identity to in the future, for example, Google itself. I set up two-factor, request a security token for Google Authenticator and set it up in the app. The key is transmitted by QR code, which means you can quickly acquire the long, complicated, random (hard to type) secret key using the camera in your phone. Once this process is complete the Google Authenticator app displays a six-digit number that will work to prove your identity to the site associated with that particular entry, and this number only exists for 30 seconds at a time. This six-digit password exists only once in any one 30-second period and there is no way to divine this password without having the Google Authenticator application with its stored secret key.

Having two-factor enabled in this way means that my username and password are no longer as important as they once were. Even if my username and password are revealed or compromised without my knowledge, the secret key that I have in my Google Authenticator app remains secure with me and the 30-second-long one-time-password additions remain a secret with me. What I know may be compromised, but what I have (the Google Authenticator) most likely won’t be unless someone steals my phone and finds a way to best the security on that device before I have a chance to wipe it remotely. If instead my Google Authenticator were compromised, my passwords would most likely not be, because they are uncrackable, and so I am still secure.

Practically how does this work? When I want to log into Google Mail using two-factor, this is what I do. I open a web browser, I type in the address “gmail.com” and press enter. Then I enter my username and my password and then in the third field under the password is a box labeled “Google Authenticator Token” and then I grab my phone, start my Google Authenticator application and then read the six-digit number from my phone and type it in. The service logs me right on and after a few seconds, that six-digit password is no longer valid and is meaningless. I’m authenticated and the system did as it was designed to do. One of the nice parts of Google Authenticator is that the entire app is a mathematical operation, it doesn’t require the network at all to generate these numbers, so this would be a good solution for people who may not have a reliable connection to the network or have a data quota on their phone.

Of course, online authentication is just the beginning. I found a way, yesterday, to embed the Google Authenticator system into my Mac OSX Mountain Lion installation so that when I want to login to my computer at work or my laptop I have to type in my username, my password, and read the six-digit code from my Google Authenticator application. The setup isn’t difficult to get it to work. You need a compiled PAM module which I have (just ask if you want a copy) and an application which you use to create the secret key on your computer. With it all set up, and a slight adjustment to a settings file, even if I were to lose security on my password at work nobody could login to my account without my username, password, and GA token.

This arrangement works quite well and I’ve set it up for my Google accounts, my WordPress.com and .org blogs, Facebook, Evernote, and Dropbox accounts as well. Everything is secure, obnoxiously secure. 🙂

photo by: MoneyBlogNewz

G-RAID, Time Machine, and Spotlight Headache

A few days ago, of course right before the “Money Back Guarantee” expired on our G-RAID 8TB Time Machine drive at work, both my S3 and I were battling with a rather nasty, pernicious bug that was plaguing this device on our new fancy Mac Pro Server running OSX Mountain Lion.

The problem was this, you plug the drive in, using Firewire 800 and Time Machine sees it and starts backing up files. That works just fine. After say 1TB of files get backed up Time Machine works gamely for about three or four hours and then the drive suddenly goes deaf. What I mean is that the drive is still connected, the icon is on the Desktop, but you can’t do anything with it. It gives you a fusillade of meaningless errors, vague ones like “Unspecified error with file system” and the like and Time Machine is stuck and can’t do anything at all with the drive. It’s not really a headache for us currently because the server is brand-spanking-new, but still, it’s a concern for us. You have to eject the drive, and not a plain eject either, but a Force Eject. When you move it to another computer and plug it in and do a fsck on the drive everything pans out fine. Everything is hunky-dory, journal is fine, structures are peachy, the works. So annoying.

So off to Google we go. Turns out there MIGHT be a bug in the “Turn off Hard Drives when possible” in the Energy Saver preference pane in System Preferences. This strikes me as a wee bit of bullshit, the drive should go to sleep and wake up elegantly like anything connected to a Mac should (and almost always does!) so, fine, turn that off. Testing. Ah, failed. So next stop was to try to irritate the drive with constant actions. To that end I created a script:

#!/bin/bash
# Keep the G-RAID busy: touch a file on it once a minute so the drive
# never sits idle long enough to spin down (or at least keeps resetting
# its sleep timer).

while true
do
    touch /Volumes/G-RAID/keepalive
    sleep 60
done

So what this script does is touch, which is a Unix command on the Mac that just runs out and accesses a file (creating it empty, size zero, if it doesn’t exist); it’s the most basic file operation you can run on a drive. If you touch a file on a sleeping drive, it should wake it up. If the drive is counting down until it goes to sleep, this operation will reset that counter. Then the entire thing takes a nap for a minute and does it again, and it does it over and over forever.

We tried that, and still ended up with a failed Time Machine backup and a drive that’s gone deaf. The exact error you get in Time Machine is “com.apple.backupd: Error: (22) setxattr for key:com.apple.backupd.HostUUID … ” So, still no solution to our problems. We finally figured out what the silver bullet was, and it came from an unexpected source. We added the G-RAID drive to the Privacy pane of Spotlight in the System Preferences on the server and voilà! Magical solution!

Since I made that change, about a week ago, the drive has been working happily. My working theory is that mds (which runs the Spotlight service) either locks a file or does something sneaky with this extended attribute on the HostUUID object and that, somehow, ruins access for the entire file system on that drive. It’s not that the file system is damaged, it’s just not working.

So, where’s the bug? Is it in mdworker, mds itself, backupd (Time Machine), Firewire 800, the Firewire 800 cable, or the G-RAID drive? The answer is a definitive YES. Somewhere. Something is causing it and the only solution seems to be to keep mds’s muddy hands off the drive and pester it every minute with a meaningless file operation via touch.

The upside is the damn thing works, so we’ll keep going with it until it stops working. I wish there was something clearer than this Error 22 from backupd to go on, but alas, this seems to be a valid workaround and frankly I don’t really need Spotlight to go futzing about on the drive anyways. There won’t be any searching done on it anyhow, just the indexing that Time Machine needs and that’s it.

I guess in the end, all’s well that ends well.

Mr. Technical Support Guy

While sitting at our local tea shop enjoying some nice tea, in this case Chocolate Chai Pu-erh, I had my iPad and my Bluetooth keyboard set up and was wandering through my Drafts-stored blog prompts looking at things to write about. While writing about my Nook HD a pair of ladies approached me and asked me about the setup they saw me using: what it all was, how much it cost, and how it worked. So I gave them an impromptu sales pitch for Apple technology, the iPad, the Smartcover, and the Bluetooth Keyboard. They asked why I was using a physical keyboard and I confessed that I type a little too fast for the processor in the iPad to keep up. When I try to write The, the t and h are usually missed because my taps are too fast and I end up with E. Almost always. So I use a physical keyboard because that can keep up with my typing speed. They were impressed and wandered off to their table to enjoy their chocolate treats.

I was marveling at being an Apple Store employee without of course being one, yay for Apple evangelism (!), and I got back to work writing. Then another lady came up to me with her Kindle Fire in her hands and she asked me for help. Something about sitting here with a tablet and keyboard marks me as “Mr. Technical Support” and her problem was, as she described it to me, “My Kindle says I have too many windows open. I went to Best Buy and the Geek Squad guy was no help, I was wondering if you knew how to fix this problem?” I smiled at her and looked at her Kindle Fire. It’s worth noting that I’ve never really touched a Kindle Fire before, I don’t know what its system is like (I assume it’s a variant of the Android OS, maybe) and I invited her to sit down next to me while I looked at her Kindle Fire device. I suggested the best path would be to open up a browser on my iPad and bring up Google and search Google for “kindle fire too many windows open” and see if there was anyone else who had this problem and how they fixed it. As it turns out, there is no clear way (from what I could see) to actually close apps in a Kindle Fire. Now, it’s important to note that I’ve never actually touched a Kindle Fire and I’m not actually a part of Amazon’s Technical Support team, and all I really have is cleverness and Google. I found the solution for her and showed her how to hard reset her Kindle Fire. It’s like it is for any tablet device: hold down the power button and keep holding it until the device is forced off, and then press the power button again to turn it on. Once her Kindle Fire came back on I asked her to try to bring the error on again and she opened an eBook on her Kindle Fire and said “It should show the error now… wait, it’s working! You’re my hero!”

And now she knows how to fix her own problem with her Kindle Fire.

Apparently I am “Mr. Technical Support Guy” after all. I should wear a shirt and have a Square reader and take credit cards for my services. $10 for Answers. LOL.

PAD 5/5/2013 – The Glass

Is the glass half-full, or half-empty?

The glass is half-full, and there should always be more where that came from in the refrigerator.

This of course runs against what I believe when I’m beset by people. Sartre said that “Hell is Other People” and along those lines I understand what he meant by that. When I’m working with other people, by and large the glass is half-empty, it’s got a little hole drilled in it so it’s actually a dribble glass and it was cast improperly so there are parts of the cup that are too thick and other parts that are too thin and if you touch it wrong the entire glass can fall apart like a super-fragile Christmas ornament.

Mostly I feel the “half-empty” because, in a very generalized way, people are glorious disappointments. They are frail, they fail, they sometimes embrace ignorance and apathy and sometimes they do things that boggle common sense. Feeling this pessimism doesn’t really get me down, as people don’t really get me down because I have accepted long ago that how I see the world and how I act in it is uniquely mine and I’ve made peace that expecting anyone else to live the way I do is the height of folly. So I can be a half-glass full guy in a world full of glass-half-empties. I think the biggest thing I’ve learned is to not let the turkeys get you down. In that regard, it’s good to have your own set of glasses that you keep to yourself.

PAD 3/18/2013 – Impossibility

“Why, sometimes I’ve believed as many as six impossible things before breakfast.” – the White Queen, Alice in Wonderland.

What are the six impossible things you believe in? (If you can only manage one or two, that’s also okay.)

I have lived too long and witnessed too much inexplicability to not believe in astrology, Tarot cartomancy, and the subtle presence of magic in our world. It’s always a soft arrival too, if you try to force it or put it under a spotlight it evaporates as if it was never there. I don’t think that any of it will ever be in any way “explainable” by science. These things really can only be apprehended by faith. When I write of faith, I don’t really mean religion. I’ve always found religion to be stultifying and so I try to live without it as much as I can. The faith for these impossible things has been borne out by event after event where upon reflection the accuracy of all of it, any of it, is utterly remarkable.

I even run into it in my workplace. I have lost count of the number of times I have received notices from my coworkers that the systems that I support have failed them. When I walk in, even just walking by, the problems appear to evaporate. It’s just my presence that seems to do it, and after a while you start to notice this remarkable phenomenon, and I got to thinking that one possible explanation is that my office is beset by gremlins, brownies, manitou, or domovoi, or they are all there and acting in collusion with each other. I fancy that my presence scares them off and so the technical systems that I support, when I use them, work perfectly fine for me pretty much all the time, but when my coworkers try to use them, it’s a crapshoot for them. Until I appear, and then it’s back to being perfectly fine. I suppose there might be a more rational explanation about why this is, perhaps something to do with my bioelectric field or something subtle and clever and measurable like that, but I prefer to live in a world where everything is slightly tinted by the mayhap of the hidden world of magic. I choose to live with a world that is enriched by tiny mysteries, because living in a world where everything is a field, particle, or wave is just too banal and bankrupt for my ability to endure such a stark emptiness. I think, for me, it comes down to the hidden pleasure that comes from the doubt that we may all live in a world more complicated and wonderful than we can ever possibly know and more complicated and wonderful than we will *ever* be able to know. I find value in that little layer of maybe that hides right underneath the surface of our mundane world. Skeptics and debunkers would claim that all of this is so much fantasy and magical thinking and that it doesn’t serve any purpose other than to encourage ignorance and the folly of a false make-believe world. In response to them, I embrace the bunkum.
If you can’t prove it really isn’t there, then what is the harm of belief? Wouldn’t it be a right hilarity if the world is exactly the way I think it is, a mechanical universe with a touch of mystery overlaid on top of it? You could swap out magic with God, and then Voltaire’s comment that there is no proof for God doesn’t mean you shouldn’t believe in him, on the off chance that he does really exist. Perhaps magic really does exist.

Impossible things are important.

PAD 5/7/2013 – Key Takeaway

Give your newer sisters and brothers-in-WordPress one piece of advice based on your experiences blogging.

If you’re a new blogger, what’s one question you’d like to ask other bloggers?

The best advice I can give is to be honest but have control over what you say. Honesty is the best policy, as the old adage is fond of saying, and it keeps blogging simple as you don’t need to remember any lies you’ve written in order to keep your blog internally consistent. However, honesty has its limits, and that has more to do with sharing and privacy. Depending on why you blog, sometimes you may find yourself wanting to write about something private. I think that being able to assign passwords to posts is a great WordPress feature and makes sharing securable.

Some things are worth talking about, writing about. Some things you share aren’t really meant for your coworkers or your employer, and then the best policy here is to slap a password on the posts and keep them private from wandering eyes.

There are a lot of great reasons too, to blog independently from WordPress.com. Having control over your content, not having to worry about quotas or paying for extra services all make self-hosting with WordPress.org really worth it in the long run, especially with the right hosting provider. I’ve found a lot of the plugins that enrich the self-hosted option of WordPress.org makes the product really shine. Here are some things to look into if you think blogging may be for you:

1. Fixing your .htaccess file on your blog. This can be configured to restrict your blog from foreign browsers. I’ve decided to ban entire countries from reading my blog mostly because I don’t agree with their politics, and in the case of China, I’ve gotten quite tired of comment spam. By limiting incoming traffic from browsers using this file, you can preclude them from ever being a problem. Just because the Internet is global doesn’t mean that you should feel forced to respect that globality.

2. Blacklist & IP Filter – These two plugins help identify IP addresses that are unwanted on your blog, and the IP Filter plugin helps you block those with more configurability than you can get with .htaccess.

3. Akismet and Jetpack really help protect and extend your blog. Every blog I host has these two plugins and once you get them configured properly they add so many wonderful features to your blog that it’s difficult to imagine using the blogs without them.

4. PhotoDropper – This plugin makes searching for and inserting pictures in your blog posts a cakewalk. It takes care of searching for the terms you want, only shows you Creative Commons licensed imagery so you don’t accidentally run afoul of image copyright holders and automatically includes credit lines to your posts to help respect the people who are sharing the imagery you are using on your blog. It’s about as turnkey as I’ve been able to find when it comes to finding and crediting blog pictures that I use to enrich my blog posts.

Beyond plugins it’s also worth mentioning Agile Tortoise’s iOS app Drafts. This app makes writing anything, journal entries, emails, and blog posts, a snap. You can update on any connected device until you are ready, and the destination selector feature makes pushing your updates out to various services a snap. I journal with DayOne and I post to WordPress using Poster. Drafts has options for these other apps and a dizzying array of more just for the tapping.

One Slipped Key

While working I wrote a little bit of SQL, trash really because it was just a one-shot query, real short too, and I wanted to show off the SQL code for making the iModules degree info pretty. Instead of clicking open, I clicked the save button. I found the file I thought I was opening and double-clicked. The computer asked me “Are you sure you want me to save using this file, overwriting the old file?” and I absent-mindedly clicked Yes.

The little useless fragment of SQL code replaced my huge SQL script. Boom. All gone. So sorry.

So then I was thinking about how I could recover the file, that it was on my laptop at home and so if I could turn off the Wifi at home and start my laptop I could copy the file before the Dropbox sync app replaced what I needed with my mistake.

But then I thought there should be something in Dropbox that helps address my stupidity. Turns out there is. Right click on your oops file, click on “View Previous Versions” and it opens a website and shows you all the previous times you saved your file on the service. Oh look, there’s all my hard work, right there. Click. Whew!

So, how much do I love Dropbox? Even more.

 

photo by: JD Hancock

Lost Days

Yesterday was a lost day. Absolutely no traction. I got stuck in the quagmire of web development. The project was quite straightforward, I wanted to create a form that could hold information, text, checkboxes, dates, lists you could check. Then I wanted to cast these forms as blog posts that could be commented on, tracked, just like I do on SupportPress. I naively thought this would be easy. Hah. WordPress ate hours wallowing in custom post type hell, then template hell. I gave up on that. Then I turned to Drupal, what a mess that is! It’s worse than Perl! Thousands of crisscrossed resources, some only work with older versions, some only with newer versions. What a headache. I thought I could force a bug-tracking system to bend to my will and so tried Mantis. That pretty much killed the last dregs of my day. What a mess.

So since there was no easy path, my investment was zero dollars, and I really don’t care to slog around struggling with web development, I just abandoned the entire thing. There was a system called Gravity Forms for WordPress but it was $$$ and I couldn’t be sure that it would have worked and didn’t want to sink money into a solution that would probably not be adopted anyways.

But at least now I know. That area of web development is a mess. Bleh.

IP Filter Plugin – Blacklist Page

I came across two great plugins – WP-Blacklister and IP Filter for WordPress. The first lists all the IP addresses for all the spam comments that a blog gets. The spam is identified by Akismet; I grab the IP addresses and then put them into TextWrangler. I sort the lines and find the really obnoxious networks, the ones with the same three octets over and over again, so something like 5.5.5.1 and 5.5.5.2 and 5.5.5.3. These, depending on how they resolve in an IP lookup, get a block, either 5.5.5.* or 5.5.*.* or 5.*.*.*. From the left to the right there you block off more and more of the network. The more *’s in the block, the more stations are simply thrown off.

And then there is the IP Filter plugin. I assemble a list of naughty IPs and then fill in the details for this plugin. If an incoming IP address matches any of my blocks, they get no content and a short blurb stating that their network was either a source of spam, malware, or otherwise is unwanted traffic. I applied this list to all my blogs and spam comment rates that were about 30 per hour went to zero.
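The sort-and-block procedure above, and the .htaccess / IP Filter advice in the Key Takeaway post, as an added example that is not the WP-Blacklister or IP Filter plugin code: it groups Akismet-flagged spam addresses by their first three octets, proposes 5.5.5.*-style blocks, matches incoming addresses against them, and translates a block to CIDR for tools that take networks rather than wildcards. The spam list is constructed, and the rule for widening to 5.5.*.* (two blocked /24s inside one /16) is an assumption standing in for the author’s manual IP lookup.

```python
import ipaddress
from collections import Counter

# Constructed sample: addresses pulled from Akismet-flagged spam comments.
SPAM_IPS = [
    "5.5.5.1", "5.5.5.2", "5.5.5.3", "5.5.5.2",
    "5.5.6.10", "5.5.6.11", "5.5.7.200",
    "203.0.113.5", "198.51.100.7", "203.0.113.5",
]


def prefix(ip, octets):
    """First `octets` octets of a dotted address or pattern, e.g. '5.5.5'."""
    return ".".join(ip.split(".")[:octets])


def suggest_blocks(ips, min_hits=3):
    """The sort-and-eyeball step: count distinct spam hosts per /24 and return
    a '5.5.5.*' pattern for every /24 with at least `min_hits` hosts. Assumed
    widening rule: two or more blocked /24s in one /16 collapse to '5.5.*.*'."""
    distinct = sorted(set(ips), key=ipaddress.ip_address)
    by_24 = Counter(prefix(ip, 3) for ip in distinct)
    blocks = {p + ".*" for p, n in by_24.items() if n >= min_hits}
    by_16 = Counter(prefix(b, 2) for b in blocks)
    for p16, n in by_16.items():
        if n >= 2:
            blocks = {b for b in blocks if not b.startswith(p16 + ".")}
            blocks.add(p16 + ".*.*")
    return sorted(blocks, key=lambda b: ipaddress.ip_address(b.replace("*", "0")))


def matches(ip, pattern):
    """Octet-wise match: '55.5.5.1' must NOT match '5.5.5.*', so never use
    plain string prefix tests for this."""
    parts, want = ip.split("."), pattern.split(".")
    if len(parts) != 4 or len(want) != 4:
        return False
    return all(w == "*" or w == p for p, w in zip(parts, want))


def is_blocked(ip, patterns):
    """What the filter does per request: malformed addresses are not blocked
    by accident, valid ones are checked against every pattern."""
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return any(matches(ip, p) for p in patterns)


def to_cidr(pattern):
    """Translate a trailing-wildcard pattern to CIDR (5.5.5.* -> 5.5.5.0/24),
    the form .htaccess-style network rules expect."""
    parts = pattern.split(".")
    fixed = [p for p in parts if p != "*"]
    if len(parts) != 4 or parts[:len(fixed)] != fixed:
        raise ValueError("wildcards must be the trailing octets")
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return f"{network}/{8 * len(fixed)}"


if __name__ == "__main__":
    blocks = suggest_blocks(SPAM_IPS)
    print("blocks:", blocks, "as CIDR:", [to_cidr(b) for b in blocks])
    for ip in ("5.5.5.77", "5.5.6.1", "55.5.5.1"):
        print(ip, "blocked" if is_blocked(ip, blocks) else "allowed")
```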

I will be creating a new page on my blog that lists these bad networks and IP addresses. Feel free to get this plugin and enter these blocks for yourself if you wish. I’ll be updating it as I find more spam or Limit Login Attempts plugin lockouts.

There is a wee part of me that is toying around with blocking the 141.218 subnet. We’ll see. 🙂

photo by: The Tire Zoo