August 27, 2013
The Staggering Power of NSA Systems Administrators - Conor Friedersdorf - The Atlantic

I don’t read CF much, but this one caught my attention and it is worth a look. Not because he’s entirely right but because he missed something. My comment is there, and it is also here: 

The most appalling part of this is that NSA has been the most important contributor for decades to the conceptual models and implementations of information systems that do not have “superuser” system administrators who are autonomously all-powerful and capable of escaping audit trails. 

Such systems are not mythical but they are rare, at least in the universe of organizations whose IT staff speaks openly with outsiders about their work. They are very costly, but that is not because of any really special hardware (although there are performance costs) or expensive licensed software. Rather, it is because they require very careful planning and configuration up front, before they handle protected data, and once in production they demand ongoing support by staff in larger numbers and with higher skill levels than normal systems require. It is only a slight exaggeration to say that relative to normal IT environments, a rigorously secure “trusted system” environment demands twice as many sysadmins, a revival of a large “operator” job class that has almost vanished from modern normal IT, and a brand new staff layer for policy governance and audit. Oh, and end users need retraining too, because they can’t use such systems (including the devices that might normally be described as “personal” computers) in the same ways as they would in normal environments.

Trusted systems are a tough sell to IT managers outside of the snoop world. They may come to their security folks begging for seriously secure systems but when they learn that it means hiring more neckbearded oddballs at $80k and WAY up, for systems they won’t see for a couple of years, they reconsider their commitment to security. A sometimes-winning argument has for a long time been that the standards over the years and even some of the tools have come from the serious spooks in the DoD, the public face of the NSA. In short: “military grade security” is a powerful phrase with CIOs.

Manning and Snowden have shown that “military grade security” is no such thing. Sure, some outsiders use NSA tools and rules, but the NSA and DIA clearly do not. Keith Alexander has shown himself to be much like so many IT managers who like security on paper but flinch in practice when faced with the fact that security is the enemy of efficiency, agility, and low-cost staffing. In his insane plan to replace sysadmins with automation, he has provided evidence to group him with the dominant class of plodder CIOs who reflexively resort to cutting headcount (which saves money, right?) whenever they see a problem that would take courage, imagination, and investment to truly solve. 

August 22, 2013

Let’s get this straight: 

Elon Musk is the kind of guy who probably read comics as a nerdy teen.

Elon Musk was a teen at a time when Tony Stark was a well-developed persona in the Iron Man comics.

Elon Musk probably modelled his own life off of the Tony Stark of the Iron Man comics. 

Elon Musk runs through a box of Kleenex every time anyone suggests that Tony Stark is modeled after him. 

(Source: catbushandludicrous, via crankypants16)

May 9, 2013


Screencaps of info relating to UniteBlue hosting. @TrinaCuppett @OmegleWarden @GlobalRevOrg @DkChoco

It’s important to understand what Robtex output is and isn’t. It’s lightly sifted and robotically explained data, it is not the product of informed analysis: not “information.” It is also inherently incomplete in important ways. Using Robtex as a source of initial clues is fine, but it is rarely going to be able to provide all the data needed for a serious investigation of the relationships between online entities. Perfectly legitimate and common relationships can be totally invisible to Robtex without anyone making any effort to obfuscate them or even any errors of any sort.

So, who hosts UniteBlue?

The name “” resolves to the IP address is an IP routed to the Peer1 San Antonio data center. It is in an address block whose registration carries Peer1’s “ServerBeach” brand and a San Antonio address, implying that it is used for their retail/commodity hosting there. There is one “reverse DNS” record (i.e. PTR type, mapping IP -> name) for that IP, pointing to However, actually resolves to a different IP address ( which is also on a Peer1 network, also registered as ServerBeach, but apparently in Herndon, VA. The Herndon IP has a reverse record pointing to the name, which thankfully has symmetric resolution back to the same IP. Both of the *.br names seem to be functional as both http and https server names, but their server roots all redirect to URLs that kick back 403 and 404 pages (not found/access denied) depending on the name and protocol. If those are operational websites, they are clearly not intended for public use. Interesting as well is that when HTTPS is used, both present a certificate issued to *, so it is very likely that the forward DNS is legitimate.

So, what to make of this?

Not much. UniteBlue uses commodity hosting. Unshocking. I have my criticisms of commodity hosting and specifically of ServerBeach, but I’m biased: my current gig is a company that provides *custom* hosting and I’ve spent a couple of decades in the trenches of network abuse response. Peer1 & ServerBeach have a special cage in my menagerie of scorn, but the explanation of that would be a long geeky screed that would lose all readers and say almost nothing about this case. The only useful bit: I am not in the slightest way surprised that Peer1 has a single PTR record pointing to a stale customer name for an IP that they use for a commodity shared hosting machine.

So, is UniteBlue connected to arms merchant ATK?

I would see absolutely no basis for that question, were it not for an unfortunate tweet by Karoli that got some attention. I can see no evidence that ATK (a.k.a. Alliant Techsystems) is connected to the name by anything other than the ‘atk’ hostname and that’s a weaker than weak coincidence. Just as ATK is a brand name of Alliant and ServerBeach is a brand of Peer1, the English word “Financial” and the associated domain are a brand of Atatika, a Brazilian financial software company. It seems more likely that ‘atk’ is an abbreviation for the company name or some component of their software rather than a reference to a US defense contractor. The DNS serial number for implies that it has not changed since 2009, so even if the name was at some time intended to indicate an Alliant (ATK) connection, the name has not resolved to the IP address hosting UniteBlue since long before UniteBlue existed. Peer1 has an obviously stale PTR record for an IP address that they are now using to host an unknown number of websites, one of which is UniteBlue but none of which are the site that once used the name In short: making a connection from UniteBlue to ATK relies on imputing random significance to a random coincidence in a DNS record that is at least incorrect and seems at best to be stale by 4 years if in fact it was ever correct.
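The symmetry test used in this post (take the PTR name for an IP, resolve it forward, and see whether it comes back to the same IP) can be written down as a small check. This is an added example, not part of the original post; every address, hostname and lookup table in it is a constructed stand-in, where a live check would query DNS instead.

```python
"""Forward-confirmed reverse DNS check over constructed records (assumed data)."""
import ipaddress

# Constructed sample data: RFC 5737 addresses and reserved .example names.
PTR = {  # IP -> names found in its reverse (PTR) records
    "192.0.2.10": ["atk.former-customer.example"],     # shared-hosting IP
    "198.51.100.20": ["www.former-customer.example"],  # where that customer is now
}
A = {  # name -> IPs found in its forward (A) records
    "atk.former-customer.example": ["198.51.100.20"],
    "www.former-customer.example": ["198.51.100.20"],
    "hosted-site.example": ["192.0.2.10"],
}


def check_ptr(ip, ptr=PTR, a=A):
    """Classify each PTR name for `ip` by whether forward DNS agrees with it."""
    ip = str(ipaddress.ip_address(ip))  # validate and normalise the address
    results = {}
    for name in ptr.get(ip, []):
        forward = a.get(name.rstrip(".").lower())
        if forward is None:
            results[name] = "unresolvable"  # PTR names something that no longer exists
        elif ip in forward:
            results[name] = "confirmed"     # symmetric: IP -> name -> same IP
        else:
            results[name] = "mismatch"      # name lives elsewhere: stale or wrong PTR
    return results


def names_supported_by_ptr(ip, ptr=PTR, a=A):
    """Only forward-confirmed names say anything about who uses `ip`."""
    return sorted(n for n, s in check_ptr(ip, ptr, a).items() if s == "confirmed")


def hosted_names(ip, a=A):
    """Names whose forward records point at `ip`; PTR data alone never shows these."""
    return sorted(n for n, ips in a.items() if ip in ips)


if __name__ == "__main__":
    for addr in PTR:
        print(addr, check_ptr(addr), "forward names:", hosted_names(addr))
```

A "mismatch" result is the situation described above: the reverse record survives on the hosting provider's side while the name itself has moved, so it carries no weight as evidence about the sites currently served from that IP.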

April 4, 2013
0xabad1dea: Concerning the nature of a woman of computer science


A long-form response to Ionic, who, in essence, has found woman’s dedication lacking, if she submits so few papers in comparison to her fellows of the masculine gender.

Mr. Ionic (or Mr. Esser, if you prefer) I am writing this because we have exceeded the capabilities of Twitter to contain our…

April 4, 2013
Lexicon: “Wrong” vs. “Bad”

I have a lot of collisions with the mis-conflation of the ideas of “wrong” and “bad” because I have a kid with severe neuropsychological impairments and because my work consists largely of computer technical support for non-technical users.

My son expresses his desires almost entirely in declarative or imperative sentences, which sometimes can rise to the level of bad behavior but often is simply wrong. I often need to say “No” to him, to which his usual answer is “You call it YES!” even on matters of fact, as if I could change anything by changing what I say about it. This is wrong, and he often escalates from opposition to rage, which is bad. In my work, I encounter users misunderstanding the unseen technical aspects of how computer systems function ALL THE TIME. They are not bad for misunderstanding, but they are wrong. Over many years I have tried to correct such users without seeming or being wrong or bad, and to the degree that I succeed it has helped me in my work and as a parent. People acting on wrong beliefs may get bad results OR MAY NOT. A bad outcome can be due to bad intent but more often is rooted in wrong beliefs. Sometimes, bad outcomes are inevitable despite good intentions and correct knowledge. There are circumstances where predicting a good outcome is wrong and that may or may not be bad, depending on one’s awareness of the wrongness of the prediction and its effects. Objective reality can be bad, but it cannot be wrong.

April 4, 2013
A Subversive Concept: MOAR SMRT HUMANZ

[ Originally Posted: 04 Apr 2013 13:45 as a comment at Ars Technica ] 

Seraphiel wrote:
BillCole wrote:
The only reason to switch off SELinux on a web server is a lack of human capacity to define the necessary policies.
I would suggest that it’s not a reason to switch off SELinux, but instead a reason to find new humans to be responsible for that server. ;)

You’ve caught me! I am in fact a subversive sysadmin agitator roaming the net planting the logical seeds to counterpunch the trend of replacing highly skilled (and highly compensated) sysadmins with low-skill (i.e. low-cost) button-pushers. That trend is facilitated by increasingly sophisticated system management tools that guys like me have built to free up our time to hang out all day on /. and Ars, foolishly leaking their existence to Management, which responds to phrases like “it’s all automatic” and “any idiot can do it” with jolly rejoinders like “reduced human resource costs” and “human change management.” In my defense, I’m only spreading the gospel of hiring more and better sysadmins because I’m only about half done with making a living as one and would rather not abandon the profession to stay employed.

But aside from that tangent: Yes, it is increasingly important for the people in direct operational control of exposed servers to have the talents, skills, and time necessary to understand and evaluate the “work” done by the increasingly powerful “idiot-proof” tools used to manage them. Any idiot can instantiate 100 new LAMP-stack VPSs with 10 seconds of pointy-clicky and a few minutes of waiting for them to all deploy and boot, but keeping such a herd of systems safe and useful will probably always demand the ongoing support of multiple professional system administrators. Humans are devising the new modes of attack and subterfuge after a compromise, so the proliferation of effectively discrete systems demands a proliferation of similarly-skilled humans working on defense and detection.

January 26, 2013
I’m a terrible father

Full title for youngest spawn: 

Kyle the Deranger and Dementor, Prince of Darkness

I can justify every part of that, and he likes it. 

January 20, 2013
Jacktron 9000: Prescott Pharmaceuticals Side Effects - Full List


Took some digging but I found this over the weekend and made myself cry reading it out loud at lunch on Sunday.

Abdominal Migration

Abdominal Salad Shooters


An Inability to Breathe on Weekends

Ankle Bearding

Aortal Collapse

Arby’s Mouth

Argyle Pattern Baldness

Armpit Homunculus

(Source: )

January 18, 2013
Lessig Blog, v2: A time for silence


A week ago today, Aaron gave up. And since I received the call late Friday night telling me that, like so many others who were close to him, I have not rested. Not slept, really. Not connected with my kids, at all. Not held my wife except to comfort her tears, or for her to comfort mine.


January 13, 2013
Remember Aaron Swartz: Official Statement from the family and partner of Aaron Swartz


Our beloved brother, son, friend, and partner Aaron Swartz hanged himself on Friday in his Brooklyn apartment. We are in shock, and have not yet come to terms with his passing.

Aaron’s insatiable curiosity, creativity, and brilliance; his reflexive empathy and capacity for selfless, boundless…

January 12, 2013
Lessig Blog, v2: Prosecutor as bully


Boston Wiki Meetup

(Some will say this is not the time. I disagree. This is the time when every mixed emotion needs to find voice.)

Since his arrest in the early morning of January 11, 2011 — two years to the day before Aaron Swartz ended his life — I have known more about the events that began this…

December 17, 2012

[Enter maniacal laughter here]



December 17, 2012

December 17, 2012


Cultural sensitivity is important




(Source: kallichaos, via saboma)
