May 29, 2014
Even Crypto Coders Burn Out

(Posted as a comment on Brian Krebs’ piece on the TrueCrypt shutdown)

The iSec initial audit report was very critical of the TC code quality, and implied that it looks like the work of a single coder. There was no update for 2 years. The build process requires a 20 year old MS compiler, manually extracted from an exe installer.

Imagine yourself as the lead/solo developer working on TC. No one pays you for this, governments hate you, much of the crypto community is throwing rocks at you while your user community spends half of its time joining in with clueless paranoia and the other half whining about feature gaps (e.g. GPT boot disks.) You have to eat, so you have a real paying job. You’re not so young any more (doing the TC crap for a decade) and maybe the real job now includes responsibilities that crowd out side work. Or maybe you’ve got a family you love more than the whiny paranoids you encounter via TC. And now iSec is telling you your code is sloppy and unreadable, and that you should take on a buttload of mind-numbing work to pretty it up so they will have an easier time figuring out where some scotch-fueled coding session in 2005 (or maybe something you inherited from a past developer) resulted in a gaping exploitable hole that everyone will end up calling an NSA backdoor.

Maybe you just toss it in. Why not? Anyone with a maintained OS has an integrated alternative and as imperfect as they may be, they are better than TC for most users. Maintaining TC isn’t really doing much good for many people and the audit just pushed a giant steaming pile of the least interesting sort of maintenance into top priority. Seems like a fine time to drop it and be your kids’ soccer coach.

January 9, 2014
Official Gmail Blog: You need to get more spam

Another reason to not use Google+ and GMail. By default, Google has decided that anyone with a Google+ account should be able to send email to the GMail account of anyone else on Google+. Fuck that. It’s easy to turn off, but true to form, the “Don’t Miss A Chance To Be Evil” folks at Google rolled it out wide open. 

It makes the day I just spent rebuilding my mail server seem worthwhile. If I had to rely on the slimeballs running GMail or the unmanned seats at Yahoo that let their system die for days only to come back up limping and serving malware for days or anyone else handing out “free” email service, I think I’d give up using email altogether. 

December 26, 2013
"If their first sight of a vagina traumatizes your teenage child, then you have brought them up wrong"

Cameron’s internet filter goes far beyond porn - and that was always the plan (via stopdropandbeauty)

The critical point being that the endemic shoddiness of “porn filter” implementations is a symptom, not a problem in itself. The idea that a communal “porn filter” can be anything but trouble is closer to the core issue: parents demanding that government and society at large impose a scheme of fundamentally bad parenting which is also intrinsically impossible.

(via crankypants16)

December 26, 2013
best present ever


And favorite kid, I swear - house is a disaster and we’ve been too not-coping to deal with it. Christmas gift from kid #2 was to clean and reorganize most of our upstairs - best thing ever. 


A Xmas gift beyond fabulous. My daughter is awesomely wonderful. 

December 23, 2013
Subject line: “Adding dicks to your holiday photos.”


I thought you might be interested in fun little app we put together for Christmas.

Let’s face it, we all like drawing dicks, so our concept is simple, upload one of your photos (preferably something christmassy), and then you can drag and drop various rude animated objects (the d’s… and the b’s) onto your photo.

Once you’re happy with your masterpiece you can submit it to the gallery and share it with your friends.


Let’s face it, we all like drawing dicks

December 23, 2013

(Source: sailorfailures)

December 22, 2013
Does this seem right to you?

I am an affirmative unbeliever. Not pushy about it usually, but don’t get me started.

I actively don’t want anything I don’t need. The clutter is bad and past Christmases are partly to blame. 

I suck at gift selection so badly that non-family thinks my stories are jokes. The traumatized are probably glad I gave it up years ago.

Winter dark starts kicking my mood down mid-November. 

My only kid under twenty greets every day like Xmas as long as his gifts include a day at school. He’ll tolerate Mom and Dad for a couple of days and having his big sister in town to latch onto buys another, but eventually the destructive impulses and boredom win. Today’s score: Kyle: 1 Doors: -1 (it’s a zero-sum game…) His concept of holidays is weaker than mine, an accomplishment clearly requiring severe neurological deficits…. 

People keep urging me to enjoy the holidays. Fuck that, not happening, doesn’t matter. My task is to get to 1/6 with no deaths or significant injuries while minimizing real estate depreciation and family alienation. Hard, not impossible. I’ve done this before. 

December 22, 2013
The Toughest Woman You Know Has Been Raped | Snipe.Net

I admit it: I follow Snipe because she is an endless fount of BoFHish snark. No deep noble purpose involved. This is not unlike my reasons for following anyone, and I refuse to accept that there is anything other than chance behind my mostly following women… 

But there’s better reward than entertainment for being a vaguely creepy not-quite-stalker of many women online. Floating in the nauseating sea of sewage that surrounds women on the net (as everywhere, less visibly) there are occasional shiny icebergs of feminine strength, sticking up above the mess and defying all the crap.  (ok, so literary metaphor isn’t my strong suit)

My daughter is about to turn 23. For most of those years, she has made choices asserting her autonomy and scaring the crap out of me while also making me inordinately and undeservedly proud. She’s strong in ways I can’t take credit for beyond always hoping she would be. She’s tough.


A few times since she unilaterally decided to move in 2009, I’ve had panicky phone calls from Vegas exposing gaps in her preparation for adult life. In my defense, my failures are not that I forgot to pass along all of my copious wisdom, but rather that my own basic life skills as an autonomous adult are sparse and were even more so when she was present and trainable. I’ve always felt unequipped as a dad to talk to her in depth about rape et al. beyond safe platitudes and cartoonish interaction with her sparse set of not-too-scary boyfriends. Her mother, stepmother, and grandmother all could have been and maybe were more helpful, but I don’t really know and at this point “parenting” is mostly past. I’m largely at peace with this failure as a parent, because it’s due to my inability to know what being female feels like. It’s fundamentally unlike the many things I should have but didn’t know which argue against my choice to reproduce… 

One thing I DO know is that even today, young women get cultural signals about sexual coercion which serve to protect rapey guys at their victims’ expense. I can offer my daughter other ideas, but I’m just her crazy old dad with a history of spinning rosy scenarios about how men and women interact (I coped with divorce poorly.) So I am thankful that a woman clearly far cooler than her parents (even if nearer our age than our daughter’s) can tell her own story in a starkly honest way. Snipe isn’t the only strong woman to do so, she’s just the latest proximal example. I don’t know but deeply hope that the fact of such stories being told openly will push the culture a little in positive directions: away from blaming victims, away from impunity for rapists, away from making even “tough” women keep the violence done to them secret. 

November 28, 2013

It doesn’t matter what you’re into, so long as you OWN IT.


November 16, 2013
Not entirely worthless as a parent

I’ve made lots of odd choices as a parent, but one I never regret is doing everything I could think of to foster my daughter’s innate strong will and never hide from her how proud I was of that strength.

This week I grudgingly logged into my Facebook account because the flavor of this week’s dishonest “you have pending notifications” spam was different and seemed to indicate that maybe there was something I’d want to see. No luck on that front (basically, Facebook tells me lies…) but I did the obligatory scan of Meg’s timeline and found vindication as a parent. Her feminist tilted posts brought out a couple of whiny rude dudebros from her social circle’s woodwork, and she took them apart.

I can’t claim credit for that entirely, of course. One of my most awesome/terrible memories is from the obstetric surgery room where I made my first dubious choice as a Dad, standing up to look when the Dr. asked if I wanted to see my daughter being born. She was born bloody, fighting, and roaring in outrage about 2 octaves below all those other wimpy babies in the maternity wing. Her mom & I did not so much build her strength as we avoided repressing it. 

So now I get the joy of watching my fearless 22-year-old daughter school assholes of the “Misogyny? What misogyny? Whiny GIRL!” crowd openly, refusing to be silenced by paternalistic bullshit and needing no protector but herself. I think this is how a different sort of Dad would feel when seeing a son win a boxing match or land an NFL contract. “Pride” barely touches it, but I guess it’s the word I’ve got… 

October 14, 2013
Dr. Isis: An Open Letter to Scientific American and Why You’ve Lost a Reader: #BoycottSciAm

[ UPDATE ADDED AT THE BOTTOM 2013-10-14 21:30 EDT]

[ UPDATE ADDED AT THE BOTTOM 2013-10-14 21:40 EDT]

Background: DNLee writes a great blog titled “Urban Scientist” at Scientific American. She’s a biology postdoc at a MRU and her topics are diverse. The tagline is “A hip hop maven blogs on urban ecology, evolutionary biology & diversity in the sciences”. As that implies, the subject matter isn’t just science or even predominantly science. It’s substantially meta-science, talking in a very personal voice about the career issues of a young black female scientist and about the bigger picture of the scientific professional community. She is also an active Twitter user with an even broader range of topics.  

Root incident: DNLee was solicited as a guest blogger by someone identifying himself as the “Blog Editor for” with the single name “Ofek” (like “Cher” I guess…) She asked about payment, he made the usual pitch about paying with exposure rather than money, she very politely declined. To which he needlessly responded, apparently for the sole purpose of calling her a “whore.” 

Fallout: DNLee posted to Urban Scientist about the incident. You can’t see that post there any more because Scientific American pulled it. (Chase Dr. Isis’ links above to find the reblog of it. The tweeted rationale by their EiC: ” is a publication for discovering science. The post was not appropriate for this area & was therefore removed.”

There’s no interesting space for debate about “Ofek,” whose words triggered this odious yet easily unnoticed mess. He is at least unfit for engagement in professional communications. My personal instinct as an intrinsic asshole is that he is a waste of potentially useful organic materials and could most benefit the world by being rendered over a slow fire. His request, while couched in polite words and pitched well, was fundamentally insulting. DNLee declined in the most professional manner possible, politely not showing offense at the demeaning substance of his pitch. His answer to that with “whore” made a public “calling out” imperative. It is entirely a credit to her integrity and personal courage that DNLee responded so powerfully in a prominent place. 

The removal of that response by SciAm was an act of cluelessness. It demonstrates a focused naive ignorance of the norms of the blogging world, even if it was an act that might have made sense for their print edition or its online derivative which have, quite rationally, cautious and stringent editorial policies. However, those policies cannot apply to blogs and have not been applied to the blogs at SciAm. DNLee and many other of their authors have posted many articles talking about unprofessional behavior in the scientific and science communication communities, both broadly and from a 1st person perspective on specific cases. 

If one is unacquainted with the key ideas that distinguish “blogs” from traditional media (and their direct online derivatives such as the main SciAm site) the statement about the post removal by Mariette DiChristina might seem like a reasonable and sober editorial statement. For the rest of us, it stands out as a perfect specimen of the biological oddity produced unrelentingly by traditional commercial media like Scientific American: Transparent Bullshit.

It is interesting that it is listed as a member of SciAm’s “Partner Network”. What exactly that means isn’t clear: SciAm’s list is just a list of sites with blurbs and a link. Biology Online doesn’t mention the partnership. DiChristina tweeted a bit later that the partnership was “not a factor” but that seems to be more of the same: Transparent Bullshit.

In context, it is obvious that the removal of DNLee’s post wasn’t normal. Something special drove it. The “Partner” relationship is something special, although what it is exactly is not clear. Something routed the SciAm editorial decision-making process out of its normal path, seeking a way to remove a post. The way normal processes get re-routed is access: someone who wants special treatment knows where to direct pressure outside the normal channels. The bullshit is transparent in both ways: one can willfully believe it isn’t there by pointing at the objective application of a sober and cautious editorial policy, but on the other hand that application is so far from normal in the context of SciAm’s blogs that it completely fails to mask the existence of some deeper truth about that odious editorial decision. This is a particular talent of professional media operations: providing low-risk pat explanations that don’t make trouble for anyone, even when someone clearly merits trouble. 

Late addition: I took so long writing this that SciAm managed to come out with Transparent Bullshit Layer 2: The Lawyers Made Us Do It. At the risk of being redundant: I don’t buy that crap and wouldn’t expect anyone else with a nose to do so.

UPDATE 2013-10-14 21:30 EDT: This morning, the people in charge at took a quick look at the facts, the hammer came down fast and hard on “Ofek”, and an unhedged full apology was sent to DNLee. It is worth noting that they show very few signs of being a commercial media operation in a traditional sense. Hence: no Transparent Bullshit.

UPDATE 2013-10-14 21:40 EDT: SciAm is sticking with the lawyer line as explanation, but they did the right thing this afternoon.

August 27, 2013
The Staggering Power of NSA Systems Administrators - Conor Friedersdorf - The Atlantic

I don’t read CF much, but this one caught my attention and it is worth a look. Not because he’s entirely right but because he missed something. My comment is there, and it is also here: 

The most appalling part of this is that NSA has been the most important contributor for decades to the conceptual models and implementations of information systems that do not have “superuser” system administrators who are autonomously all-powerful and capable of escaping audit trails. 

Such systems are not mythical but they are rare, at least in the universe of organizations whose IT staff speaks openly with outsiders about their work. They are very costly, but that is not because of any really special hardware (although there are performance costs) or expensive licensed software. Rather it is because they require very careful planning and configuration up front before they are handling protected data and when in production demand ongoing support by staff in larger numbers and with higher skill levels than is required for normal systems. It is only a slight exaggeration to say that relative to normal IT environments, a rigorously secure “trusted system” environment demands twice as many sysadmins, a revival of a large “operator” job class that has almost vanished from modern normal IT, and a brand new staff layer for policy governance and audit. Oh, and end users need retraining too, because they can’t use such systems (including the devices that might normally be described as “personal” computers) in the same ways as they would in normal environments. 

Trusted systems are a tough sell to IT managers outside of the snoop world. They may come to their security folks begging for seriously secure systems but when they learn that it means hiring more neckbearded oddballs at $80k and WAY up, for systems they won’t see for a couple of years, they reconsider their commitment to security. A sometimes-winning argument has for a long time been that the standards over the years and even some of the tools have come from the serious spooks in the DoD, the public face of the NSA. In short: “military grade security” is a powerful phrase with CIOs.

Manning and Snowden have shown that “military grade security” is no such thing. Sure, some outsiders use NSA tools and rules, but the NSA and DIA clearly do not. Keith Alexander has shown himself to be much like so many IT managers who like security on paper but flinch in practice when faced with the fact that security is the enemy of efficiency, agility, and low-cost staffing. In his insane plan to replace sysadmins with automation, he has provided evidence to group him with the dominant class of plodder CIOs who reflexively resort to cutting headcount (which saves money, right?) whenever they see a problem that would take courage, imagination, and investment to truly solve. 

August 22, 2013

Let’s get this straight: 

Elon Musk is the kind of guy who probably read comics as a nerdy teen.

Elon Musk was a teen at a time when Tony Stark was a well-developed persona in the Iron Man comics. 

Elon Musk probably modelled his own life off of the Tony Stark of the Iron Man comics. 

Elon Musk runs through a box of Kleenex every time anyone suggests that Tony Stark is modeled after him. 

(Source: catbushandludicrous, via crankypants16)

May 9, 2013


Screencaps of info relating to UniteBlue hosting. @TrinaCuppett @OmegleWarden @GlobalRevOrg @DkChoco

It’s important to understand what Robtex output is and isn’t. It’s lightly sifted and robotically explained data, it is not the product of informed analysis: not “information.” It is also inherently incomplete in important ways. Using Robtex as a source of initial clues is fine, but it is rarely going to be able to provide all the data needed for a serious investigation of the relationships between online entities. Perfectly legitimate and common relationships can be totally invisible to Robtex without anyone making any effort to obfuscate them or even any errors of any sort.

So, who hosts UniteBlue?

The name “” resolves to the IP address is an IP routed to the Peer1 San Antonio data center. It is in an address block whose registration carries Peer1’s “ServerBeach” brand and a San Antonio address, implying that it is used for their retail/commodity hosting there. There is one “reverse DNS” record (i.e. PTR type, mapping IP-> name) for that IP, pointing to However, actually resolves to a different IP address ( which is also on a Peer1 network, also registered as ServerBeach, but apparently in Herndon, VA. The Herndon IP has a reverse record pointing to the name, which thankfully has symmetric resolution back to the same IP. Both of the *.br names seem to be functional as both http and https server names, but their server roots all redirect to URLs that kick back 403 and 404 pages (access denied/not found) depending on the name and protocol. If those are operational websites, they are clearly not intended for public use. Interesting as well is that when HTTPS is used, both present a certificate issued to *, so it is very likely that the forward DNS is legitimate.

So, what to make of this?

Not much. UniteBlue uses commodity hosting. Unshocking. I have my criticisms of commodity hosting and specifically of ServerBeach, but I’m biased: my current gig is a company that provides *custom* hosting and I’ve spent a couple of decades in the trenches of network abuse response. Peer1 & ServerBeach have a special cage in my menagerie of scorn, but the explanation of that would be a long geeky screed that would lose all readers and say almost nothing about this case. The only useful bit: I am not in the slightest way surprised that Peer1 has a single PTR record pointing to a stale customer name for an IP that they use for a commodity shared hosting machine.

So, is UniteBlue connected to arms merchant ATK?

I would see absolutely no basis for that question, were it not for an unfortunate tweet by Karoli that got some attention. I can see no evidence that ATK (a.k.a. Alliant Techsystems) is connected to the name by anything other than the ‘atk’ hostname and that’s a weaker than weak coincidence. Just as ATK is a brand name of Alliant and ServerBeach is a brand of Peer1, the English word “Financial” and the associated domain are a brand of Atatika, a Brazilian financial software company. It seems more likely that ‘atk’ is an abbreviation for the company name or some component of their software rather than a reference to a US defense contractor. The DNS serial number for implies that it has not changed since 2009, so even if the name was at some time intended to indicate an Alliant (ATK) connection, the name has not resolved to the IP address hosting UniteBlue since long before UniteBlue existed. Peer1 has an obviously stale PTR record for an IP address that they are now using to host an unknown number of websites, one of which is UniteBlue but none of which are the site that once used the name In short: making a connection from UniteBlue to ATK relies on imputing random significance to a random coincidence in a DNS record that is at least incorrect and seems at best to be stale by 4 years if in fact it was ever correct. 
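The checks walked through by hand above (does the PTR name resolve back to the same IP, and what does the zone serial hint about when it last changed) as an added Python example; this is not the post’s own code, and the names, addresses and serial in it are constructed placeholders standing in for the elided real ones, not data from the investigation.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classification over constructed records.

The FORWARD/REVERSE tables are a constructed stand-in for what Robtex or
`dig` would return; every name and address is a placeholder (example-financial.br,
203.0.113.x, 198.51.100.x), not the real data behind the UniteBlue question.
"""
from datetime import date
import ipaddress

# Constructed forward (A) records: name -> IP.
FORWARD = {
    "atk.example-financial.br": "198.51.100.20",   # the name the stale PTR points at
    "host2.example-financial.br": "198.51.100.20", # symmetric name for the second IP
}
# Constructed reverse (PTR) records: IP -> name.
REVERSE = {
    "203.0.113.10": "atk.example-financial.br",    # the IP hosting the site of interest
    "198.51.100.20": "host2.example-financial.br",
}


def classify_ptr(ip: str, forward=FORWARD, reverse=REVERSE) -> str:
    """Classify the reverse record for `ip` the way the post does by hand.

    Returns one of:
      "none"      - no PTR record at all
      "dangling"  - PTR name does not resolve forward at all
      "symmetric" - PTR name resolves back to the same IP (FCrDNS passes)
      "stale"     - PTR name resolves to a different IP, so the PTR is no
                    evidence that the name belongs to whatever is on `ip`
    """
    ipaddress.ip_address(ip)  # fail early on a malformed address
    name = reverse.get(ip)
    if name is None:
        return "none"
    target = forward.get(name)
    if target is None:
        return "dangling"
    return "symmetric" if target == ip else "stale"


def serial_to_date(serial: int):
    """Decode an SOA serial in the common YYYYMMDDnn convention.

    Returns a date when the serial decodes to a plausible calendar date,
    otherwise None. Serials may be arbitrary 32-bit counters, so a decoded
    date is a hint about the zone's last edit, never a proof.
    """
    if not 1970_01_01_00 <= serial <= 2099_12_31_99:
        return None
    try:
        return date(serial // 1_000_000, (serial // 10_000) % 100, (serial // 100) % 100)
    except ValueError:  # e.g. month 13 or day 00: not a date-style serial
        return None


if __name__ == "__main__":
    for ip, name in REVERSE.items():
        print(f"{ip} -> {name}: {classify_ptr(ip)}")
    print("zone last edited around", serial_to_date(2009061501))  # constructed serial
```

A "stale" result is exactly the situation the post describes: the PTR alone says nothing about who currently uses the IP, so hostname coincidences in it carry no weight.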

April 4, 2013
0xabad1dea: Concerning the nature of a woman of computer science


A long-form response to Ionic, who, in essence, has found woman’s dedication lacking, if she submits so few papers in comparison to her fellows of the masculine gender.

Mr. Ionic (or Mr. Esser, if you prefer) I am writing this because we have exceeded the capabilities of Twitter to contain our…
