Nostalgia and Perspective: Arcades, Books and Record Stores

I’m not one to dwell on the past; I don’t find it healthy at all. It is a powerful coping mechanism for me. I can generally control my thoughts, in that I can empty my mind of all thoughts, at will, and I can focus on something specific, if necessary (the latter is perhaps somewhat fraught with peril because I’m unfortunately most familiar with negative thoughts and emotions). I can’t generally filter out other distractions but I can filter thoughts. But while I don’t dwell on the past, it doesn’t mean I don’t miss certain things. I’m just writing about some things I miss from the past, because one of those things is on my mind, and I have nothing else better to do. Some friends miss these things, too, as do people I don’t know, but this is – like always – first and foremost for me.

I’ll go in the order of the title, but I’ll also throw in some other things.

Video Games and the Arcades

I’ll not get in to my favourite type of game of all time (text adventures) because these still exist and arcades don’t (and I have no idea what happened to some of the old video game consoles I had).

The first video game console I played was the Atari 2600. I have many fond memories of the console and its games from Breakout to River Raid, to Outlaw to Adventure, and everything in between (Donkey Kong, Pac-man, Space Invaders, Frogger? Hell yes!). Next I went to the Nintendo Entertainment System, where perhaps my favourite game there would be Ninja Gaiden. That game is a true classic; it was the first game to introduce cinematic cut-scenes to progress the story. I loved the music of the game and I found it a lot of fun. Many seem to think the old games were hard but I never thought that; sure, there were some games that were harder (Ninja Gaiden wasn’t hard for me except the very end, right outside of the final boss The Jacquio; Ninja Gaiden II I beat and Ninja Gaiden III I won’t even discuss) than others, but I beat almost every game I played, repeatedly. Indeed, I knew some games better than the back of my hand (including the puzzles, mazes or whatever they might be). I spent many hours playing video games (more than the two consoles listed) at home, over the years (the last console I owned was the Sony Playstation 1), and also at what is mostly an artefact from the past: the arcades. I spent hours and hours at the arcades, and I have nothing but fond memories of the games I played, among them: Mario Brothers (note: what is on the gaming consoles is Super Mario Brothers; Mario Brothers was an arcade game!), Street Fighter, Teenage Mutant Ninja Turtles: The Arcade Game, Mortal Kombat (all of them), Pac-man, and perhaps especially pinball (and its Sonic the Hedgehog spinoff Sonic Spinball, although that was for the Sega Genesis/Mega game drive). There were many more I thoroughly enjoyed, far too many to mention (let alone remember). But I’ve not played a single arcade game in years. I miss that a lot. Nowadays games are connected to the Internet somehow (which I have no problem with, in fact, multi-user dungeons, aka MUDs – predecessors to the MMORPGs of today – are very much a part of me to this day) and otherwise are far superior in graphics (yet I’ve always felt that with all the hardware advances, the effects are far less impressive exactly because the hardware is so advanced; there isn’t nearly as many limitations to the hardware, and some games had rather decent graphics when you consider 8-bit versus what they have nowadays).

Book and Record Stores.

This is what inspired me to write this, actually. This past week I went to a real bookshop, something I hadn’t been in in far too long. It was wonderful. I always loved (even when I buy online I do, but it is different at a bookshop, at least for me and those whom I have talked about this) the smell of the books, the feel of the cover, the binding, the pages, everything about bookshops. You could sit down and read a book (or part of), you could browse different types of books (and genres) whether fiction, non-fiction (whether textbook or something else), and lose track of time (the same was true for record stores except there you might listen to some of the music and you would be browsing records, tapes and eventually CDs; I’ll return to this later). But mostly they are gone today. However, I want to point something out. Something I’ve long believed and now I have proof. See, many people (including employees and owners of book and record stores) believe that the world wide web (or as they would erroneously call ‘the Internet’) is the reason these stores have either gone out of business or have had to change their business model (or otherwise have drastically reduced profit). There is just one little problem with that theory. Amazon.com sells books for cheaper, even if you combine shipping costs. Meanwhile, when you buy in person, you don’t have shipping costs (which means you have less to spend). For instance, I finally got around to buying The Silmarillion (of course by J.R.R Tolkien). I buy hardcover where possible and it was possible for The Silmarillion, too. I spent 40 USD. However, earlier today I saw it at Amazon for 22.66 USD. That is a 43% difference! So here it is: if bookshops would actually change their pricing, they would be able to more easily compete (granted some don’t have the memories of going to an actual shop, but those who do, I know many miss them). Do I mind that I spent 43% more? No. But that is because it was an enjoyable day and I miss the older days here. Otherwise, yes, yes I would mind it.

As for other things, including the fact you don’t see records and tapes as much (I’m ignoring the revival of the vinyl scene because I’ve always thought records were better, more real and more collectible, than tapes and CDs, although nowadays tapes are far more collectible than CDs, DVDs and Audio DVDs; I’m deliberately ignoring bluray and other HD video and sound – I can’t see or hear the differences, anyway). There are many things I do miss. I have really old computer parts that I used years ago but I can’t throw out. The things that we had of yesteryear would surprise the youth of today. If they had any idea of how small hard drives were (in capacity) and how expensive they were (in comparison to what they are today, and considering the capacity differences), they would probably be floored. I still to this day have a hard drive less than 1GB. In this case it is at the ~540MB barrier (which some will remember it as that was as high as they could get it due to limitations that at the time they could not overcome). I also have a HDD that is ~2.5GB. I probably have other drives that are (guessing here) 20GB, 80GB, 120 or 200GB.

There is something else, here, though. It always greatly amuses me when kids tell adults things like “you don’t understand what it is like growing up these days .. it is so different now; we have social media, mobile phones, and we have the Internet!”. It amuses me because they wouldn’t really know anything else, so how would they know that it is so different? Of course, they wouldn’t. I’m going to elaborate just because I want to show how yes, things are different because of evolution (of technology and in general) but no, they aren’t any more complicated (with what we have and don’t have) than before. (Furthermore, things change for both better and worse. But realising this changes things significantly.) Indeed, the Internet is older than they are. For that matter, if you consider its predecessor (arpanet), it might be older than their parents (probably it is)! Certainly the arpanet is older than I am. Depending on what part of the Internet (it developed and extended itself over time) you think of, it is older than me; other parts of the Internet are younger than me. That brings me to social media and the Internet more generally: First, many erroneously believe that the World Wide Web IS the Internet but the Internet is much more than that. The WWW is a small part of the Internet, and without the lower layers, the WWW wouldn’t be ‘world wide’ at all (it might not even exist, we wouldn’t have email and we wouldn’t have many other things that people think of as a single technology). But no, the Internet isn’t new at all, and so this is not something that is all that different (the IoT – the Internet of Things – is another issue entirely, and one that has serious problems, but one that won’t be going away, unfortunately; still, this is technology evolving). As for social media: there were other ways of communicating with people. Let’s start with BBSes (bulletin board systems) and later on web based forums. Then you go to UNIX and you had the talkd (‘talk daemon’) which allowed to users (on the same system or different systems, as I recall) to ‘talk’ with each other (writing messages where one user was at the top and the other at the bottom; it showed characters as sent to the system, so you would see the actual sequences for backspace and the like but this was a matter of getting used to and then it wasn’t really a problem). Then there is IRC (‘internet relay chat’ which worked for the Internet and an internet; the latter simply being a network of networks but not necessarily connected to the global Internet). You also had (later on) ICQ, MSN, Yahoo Instant Message (and others). So no, social media isn’t all that new; it is only an extension of what we had before. I will point out some irony, though, something others have thought of individually, but something that I’ve thought of for a very long time:

Despite the ‘social media’ and the phenomenon of people looking at their bloody phone instead of where they are walking (or with whom they are eating with, sleep with, and who knows what else) and even more ‘connectivity’ (network connectivity only), we are more than ever disconnected. I’d like to say I was ahead of my time (because I wasn’t one who really socialised with peers) but I know I’m not in that way. I was (and am) just… different. I never identified with anyone (in person) and I never really associated with many people (and when I did it was only because of school; I didn’t spend time with them off campus).

Yes, I miss many things that are very different today (different is very loosely defined). But does that mean that I wish I lived in the past? No, absolutely not. It isn’t healthy to dwell on the past; you can’t change it either and the only way to stay somewhat sane (…if that is possible for me – but others can go mad by dwelling on the past, too) is to focus on right now. Even then, there are some things that are better; accept and learn from your mistakes and they aren’t mistakes. Continue to learn, evolve, grow, and you have more to experience, more to understand and more to appreciate. Similarly, if you look at what is here now, you can realise that while some things might be worse, other things are better. It can always be worse (this especially goes for your own health.. and yes, this is what it took for me to understand this though it took many years for me to do so). Always. It might not seem like it to some people but if they ever have long term hardships they will understand this (not to say you can’t understand it without hardships!). Not only will they understand this, they will be thankful for it, and it will give them strength and some sort of peace and acceptance of the world (and others).

Perspective is incredibly powerful; it changes everything!

US Navy in (0-day) Exploits Black Market

I’ve made the statement before that the US government is not merely a victim of cyber attacks but a perpetrator (to be fair, it isn’t just the US but this is about the US). I went further to point out that they provoke other nations. I seem to think I at one point wrote about how they participate in a black market, and how that would not at all help the situation. Even if I haven’t discussed the latter, I have the others. So it is most unfortunate that there is solid evidence (I know I’ve seen other evidence, though) of them wanting to buy 0-days. It isn’t even hearsay. No, not at all; it is a statement directly from the United States Navy.

The Electronic Frontier Foundation has a mirror of the document that was taken from Google cache. This, I might add, is another thing I believe I’ve written about and if I haven’t I know I meant to at one point. I’ll just give a quick summary here: you don’t simply erase something from the Internet. The people that believe Snapchat is a brilliant way to keep things safe are very ignorant, very ignorant indeed. It isn’t brilliant at all (in any way), and there has been more than one incident where many of these supposedly very temporary photos were archived elsewhere (that is not a link but FOUR unique links, two of which include a list of different exploits and results.. and there certainly are others out there). Then there is the Internet which is even more extreme here. That is another topic entirely, however, so I will refrain from going there. I’ll return to the issue of persistence again but for the moment all you need to know is the Navy has since removed their copy of the document. But it isn’t gone.

I’m going to highlight some points from the document, comment on them and bring them all together.

This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied on commercial software.

From the very mouth of the US Navy; they require binaries to exploit widely used and relied on commercial software. Software they almost assuredly will use themselves. It gets better though; I’ll return to the issue of who uses what in a bit.

– These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others. [sic]

While there are other things I could label with [sic] I won’t because I’m not trying to be critical here (I won’t at all suggest I don’t make mistakes in writing… I do. Often). However, I do want to point out that Linux isn’t commercial software. In addition, they want the exploits to exploit including but not limited to these products, and all others (is there a reason to list any at all, then? If there is, why ‘and Linux, and all others’?). But the important point here is that they don’t actually care what it is; if it is used they want exploits for it. Not just any exploits though, they want 0-days and also technical support, instructions and everything you would expect a legitimate vendor to provide. I’ll return to this again, too.

– The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.

Interesting bit here: they will select from the list and direct development of the exploit binaries. Why then, pray tell, don’t you just go to a CVE website where they can find it all for free? You know, they exist for a reason, a good reason. But here they’re being used for anything but good. It isn’t bad enough that many home users have unpatched (or otherwise insecure) systems (often unknowingly) that are already infected by more viruses and worms (etc.) than a human body would likely experience in a life time (certainly in the amount of years computers are ‘alive’). No, of course not; but governments to the rescue! Yes, it will affect others: even systems that aren’t vulnerable can be affected indirectly. People are also affected. Including our saviours in the Navy. That’s the best part. This also goes for governments wanting to get rid of encryption; it’ll affect them, their family, their friends, the nation they state they say they are protecting (that’s why they need to get rid of encryption, see? It is a lie, however, that smells near as bad as septic tank.. which is to say can easily be sniffed out even for those without a strong sense of smell). It also is a risk to themselves. It has the potential to affect every device. And the more exposure a device has, the more risks can affect it. This is sort of like the immune system: the common cold is nothing for those with a healthy immune system but to those with a poor immune system, it can be very serious.

– Completed products will be delivered to the government via secured electronic means. Over a one year period, a minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.

It is rather amusing, isn’t it, that they want it delivered in a secured manner. I suppose they hope no one else will have access to these exploits (which I have alluded to already and will get to further) and somehow it will be safer for everyone. Safer for themselves, actually, and that is incredibly naive: if the US government accidentally ships live anthrax to laboratories across the US and even in other countries (all of which has been reported recently.. and other similar incidents have happened), who is to think they could keep computer exploits under their control? Reality: malware tends to spread; there is a reason the words ‘virus’, ‘worm’, ‘trojan horse’ are used for naming said types of malware. Even if it isn’t malware itself it is incredibly stupid to believe it can’t directly affect the buyer (themselves). You don’t control exploits in the wild like that – you don’t nicely tell it that you are its master and it’ll suddenly obey your every command. Even then you have the reality of bugs in software: humans aren’t perfect (irony: because I thought I saw it earlier, and because I should rest my eyes soon, I checked spelling and what did I do but spell perfect as ‘prefect’ … a great example and I wouldn’t be surprised if more exist in this write-up), programmers are human, therefore programmers aren’t perfect: this leads to errors in software (commonly called ‘bugs’). I won’t even get in to simulators.

– Based on Government’s direction, the vendor will develop exploits for future released Common Vulnerabilities and Exposures (CVE’s).

This extreme naivety that comes close to delusion (and using that word is painful… I readily admit have been delusional in the past and much of their problem is extreme foolishness) they have, that they are in control, is rather scary. Unsurprising. But scary nonetheless.

– Once a product is transferred from the vendor to the government, the government maintains a perpetual license to use, modify or share at the buyer’s discretion.

Obviously. After all, Microsoft and all these other vendors you suggest (with the exception of open source software which you don’t mention many) sell their software and openly allow it to be modified and shared with others. The license also works for infinite devices. So of course you would have this right! Too bad you’re dealing with a black market, isn’t it? Governments create black markets. Stupidly, I might add. Yet in this case there is nothing else: this is to break the security of others, something the governments outlawed years ago. Creating black markets is also another example of not learning a bloody thing from history. Yet in this case it isn’t the same thing, is it? Not exactly. If a company hires (or better yet has on staff all the time) others to audit their security (maintain it), that’s fine. But if a company were to pay another company (or other third party) to break the security of another corporation – or states! – they would be in a lot of legal trouble. This is a triple standard: whine about being victims; pay others to help you do to others what you would whine about if others did it to you; and if anyone else were to do it to others, whine also. Global police.

– The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytical white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.

Gullibility to the extreme! To think that anyone would believe that an entity selling exploit code (especially since in the past, and likely still, much exploit code is still released for free.. but it doesn’t take much thought to figure out that some would have no problem to profit over it; can you blame them? Do corporations sell to only one customer?) is going to not profit from others that would be willing to also pay, is amusing, very amusing indeed. I’ll also point out there is a hypocrisy here: you have the right to do whatever the hell you want with the software, something that corporate vendors wouldn’t allow (and some free software doesn’t allow it!) with their software. At the same time, though, you have the boldness to state that you maintain the license here and not only do you state the licensing terms, you also state that the vendor can’t do what they wish with their own work! Licenses are only acceptable if you’re the one stating the terms, yes?

– All delivered products will be accompanied by documentation to include exploit description, concept of operation and operator instructions.

Pathetic. That’s being incredibly nice. That is the brutally honest truth. You really need documentation of how it works as well as how to use it? Weren’t you also the one wanting to direct the development? Usually the developers write the documentation (at least when they do document it which isn’t always)! Script kiddies demanding documentation. Highly impressive. I know, I know… you bought it all on your terms and since you state the terms, you can also demand the documentation. No dignity, no pride, no honour whatsoever.

– Technical support shall be provided by the vendor to the government for purposes of integrating, troubleshooting, bug fixes, feature enhancements, and OS and third party software compatibility testing. These services must be available Monday through Friday during normal working hours (0730 EST through 1630 EST).

You demand technical support.. on your own hours?! The amount of arrogance there is unfathomable.

Indeed, no pride, no honour, no respect for others (including themselves actually), no dignity. None at all. I’ve made clear that governments participating in cyber attacks are not just victims but perpetrators (and consequently provokers). Well here is solid proof that they really are doing exactly that. With no shame on their behalf (meanwhile everyone else will see their actions as only shameful). I’d like to lastly say this: they deleted it from their website for a reason. They finally realised the implications. If they didn’t mean harm they wouldn’t have removed it. But they did. There is only one reason for it. The tragedy here is they could do things to make things better. But instead they make things worse, worse for everyone. It is a cyclical process too. Indeed, just like mirroring, this will continue more and more.

The Facebook Law and Ethic

Fair warning: I’m in a mood and this is by its very nature going to be touchy (and there will be some bias but the points I’m trying to make are still valid). While I don’t at all find my points out of line, I know many would, especially with the amount of obsession if not outright lust for Facebook that many have. You could call this post somewhat unusual for here although I diverge slightly in to another issue – privacy. This post is motivated by something I saw yesterday, one of many other things I’ve read about before, that makes me think that Facebook truly believes that they can do whatever they want with impunity and no regard to any ethics that they clearly violate. I have a strong ethic, and while I am certainly not perfect, I find abuse and destruction unacceptable. But then there’s Facebook policies and what they allow.

Where to start? Right, we’ll start with what the BBC reported. It is a well known fact that child abuse is a huge problem in this world (much like abuse to the environment, to humans in general, to animals, even the air we breathe). It is also a well known fact that it unfortunately goes to the extreme cowardice (which is sadly cyclical – abuse leads to abuse, there’s some psychology behind it but I’ll not get in to that) of physical abuse including sexual abuse (and frankly it doesn’t matter what age but children is relevant to the discussion). It is also well known that it is illegal in many countries, definitely the country Facebook’s premise is (I’m not sure they live in it, though – some of them certainly don’t act as if they believe they do), to have videos, photos or any example of paedophilia (whether hard copy, on a computer or anything else) As it should be. But one would like to believe videos of child abuse in general is illegal. Let’s assume it isn’t though. What Facebook allows is unethical, it only adds to abuse and frankly it is an utter disgrace in general but especially when their age requirement is just 13. But how do they enforce that? Something like what year you were born in, probably (because it equates to less privacy and more ‘important’ information) your date of birth. Yes, that’s definitely going to be accurate, I’m sure of it. In any case, I dislike kids a lot. That is putting it quite nicely, to be blunt. But I dislike something more: abuse and neglect. Both neglect and abuse makes matters worse for everyone – the victim as well as the people the victim (when older) victimises because they are emotionally/ethically/morally damaged. But here it is, Facebook has what? A video of a baby being repeatedly dunked in to a bucket of water (upside down with arms twisted). Unsurprisingly the baby was crying and one would assume terrified. But what isn’t surprising, either, is that Facebook truly believes it doesn’t break any of their rules, and they only added a warning to the video after a complaint was escalated by the National Society for the Prevention of Cruelty to Children.

The following from the BBC:

“While the welfare of this child is naturally paramount we would also urge you to look at all available options which will ensure UK citizens, including millions of children, are no longer exposed to this kind of dreadful and disturbing content,” the National Society for the Prevention of Cruelty to Children’s chief executive Peter Wanless wrote.

“The NSPCC believes we have now reached the long overdue point where it is time for social networking sites to be held to account for the content on their sites and pay more attention to their safeguarding duties to protect children and young people, whether they are viewing the content or appearing in it.”

Facebook responded as such:

“In cases like these, we face a difficult choice: balancing people’s desire to raise awareness of behaviour like this against the disturbing nature of the video,” said a spokeswoman for the firm.

“In this case, we are removing any reported instances of the video from Facebook that are shared supporting or encouraging this behaviour.

“In cases where people are raising awareness or condemning the practice, we are marking reported videos as disturbing, which means they have a warning screen and are accessible only to people over the age of 18.”

Whether that means they allow referring to it to raise awareness but not allowing it when it is being encouraged, or if they removed this instance but generally feel that raising awareness is acceptable, I do not know. What I do know is that they often state that others should have the choice to watch it if they want, and especially because it will raise awareness (even though the videos they claim are for this go about it in the exact opposite of what would be done for awareness).

Yes, Facebook, because showing videos of atrocities, cruelty and who knows what else, will raise awareness (typically when you raise awareness for such things, there’s something of an explanation that goes along with it, and that includes warnings where relevant)? I imagine also that allowing the videos in some instances won’t actually encourage others to do similar under the guise that they’re raising awareness? I suppose, also, that having these videos won’t be harmful to those who unfortunately and unknowingly watch it without realising what it is they are to see (something I will return to)? That isn’t how you raise awareness: you’re raising awareness? Of what? Why? What should be learnt? What went wrong? Of course, your way will discourage others from these things, too, I’m sure (try telling that to victims of hate and see how far you get). Of course not, all of it is for the good of mankind. Except it isn’t – what you really mean is it is good for you because you have less responsibility to manage and less to worry about. Yet other organisations wouldn’t get away with this. It is only your user base and repeated lies and misdirection – both of which are very easy to sniff out – that allows you to worm your way out of trouble. Indeed, if I were to have such content on my server I could be in serious trouble – as it should be! This isn’t the first time and it isn’t the last time, that you have allowed things like this. Why is that? Because you don’t concern yourself with responsibility, ethics and even if you get away with it legally, it doesn’t mean it is necessarily legal: there’s a reason that child protection services exist and they will actually go after parents simply because their kids enjoyed having a lot of fun doing things that caused injuries needing emergency care (for instance, my brother, myself) fairly often. I’m sure the child in this video was asking for it too, though, so I suppose all is okay, right? Somewhat ironically, though, there’s also a link here – if that video was paedophilia, it would land you in serious legal trouble (as it should) and I would expect far more outrage (as there should be). When is abuse acceptable? It shouldn’t be. But there’s should/shoult not be, and there’s reality, I suppose. Yet there’s a huge problem with being too accepting of others, of things, of surroundings, something that many of your users don’t understand (and/or realise), and also do the same as you. It is even worse, for you, because of your mentality that the information is necessary, that privacy is a bad thing (even if this has lessened over time, it still exists) – you ignore the reality here in ignorance, arrogance and hypocrisy. So here it is:

If you’re too trusting, too accepting, you leave yourself incredibly vulnerable to harm and that means off the Internet (or is that ‘Facebook’ ?) and on. But people are this way and it is often to their peril. Lack of awareness is a real problem (an unfortunate part of being unaware of something includes being oblivious to the lack of awareness in the first place). No matter how aware you are, there’s more you can be aware of (and just like time, things change). Since Facebook has this requirement that you use your real name (although funnily enough, I once had a fake account with the name of a Disney character, one with a nose that grows when they lie – of course it was deliberate on my part), and since the default of many settings – as I’ve read for many different issues; I can’t say from personal experience – are opt out (instead of opt in, as it should always be), including those revealing what should remain private, a scary amount of information can be revealed and mapped (in what I’m about to explain it is literally). While many have probably been more public, I would like to note one that is a plugin to the Chrome browser (I’ll leave Google out of this discussion) and was called by the author the Marauder’s Map which is indeed a reference to the artefact in Harry Potter. You can find more information on how and why this works, what it does, and everything else the author reveals by following the additional links here (the link here is to a brief write up with some additional thoughts). For those who don’t know, in Harry Potter, the map plots out every person in any form (by real name) on the Hogwarts School of Witchcraft and Wizardry grounds, even if they are invisible, by location, with the exception of a couple places (there’s more than one possible reason and I don’t believe there’s ever been a confirmation on which of the reasons were the case though I would certainly like to know), even as they are travelling through the grounds (so it moves the person’s location on the map). Instead this is real and based on a feature of Facebook, that allows mapping out users – including those you aren’t ‘friends’ with – over time, to discover where they tend to be including where they sleep (so not over a period of time but patterns can lead to fairly accurate results). The problem besides it being scary? They could plot an attack even through social engineering (but otherwise too). This might be to rob your flat, your car, physically assault you, or it might be a cyber attack.

All of the latter part could be somewhat summarised as: be very careful of who you trust, ask yourself why you trust them, and whether what you think is harmless is really harmless. The argument that Zuckerberg likes to throw – that you have nothing to fear if you have nothing to hide – is a dangerous viewpoint that is both hiding true intent and ignoring the things they wouldn’t share to others (bank account, etc.), something I’ve explained before. As for ‘friends’ I have this to say: I once mocked a friend (which means in another country, one I’ve never met in person and probably won’t because that’s just part of my personality) about Facebook when he finally caved and joined. He knew I didn’t mean offence but in any case, it was about his so-called friends. Well, some time after that he told me of an occasion where he asked his ‘friends’ if any of them would want to spend time with him in person? Not one. Yes, folks, it is interesting, isn’t it, that the more connected we are too technology, the more aloof we are in person as a side effect, not much unlike how I choose to be.

The unethical issue is hard to summarise and it is rather hard to imagine that a corporation, especially a corporation that is about social networking, would accept it (even though it isn’t surprising).

70 Years Ago Today at the Battle in Berlin

This is clearly an off topic post but when I looked at the calendar today, it occurred to me that on this day in 1945, Berlin unconditionally surrendered to the Allies. It was a significant moment in the second world war, and it wasn’t long before all of Germany surrendered. This is something I felt inspired to write in light of such a dark chapter known to mankind.

70 Years Ago Today at the Battle in Berlin: A look in to the heart of mankind, its past, present and future

The Battle in Berlin ended on 1945 May 2. It was a glimmer of hope for many, and would be a day that would begin the ultimate surrender of Germany in World War 2. Hitler (20 April 1889 – 30 April 1945), along with his newly wed wife Eva Braun, had committed suicide 10 days after Hitler’s 56th birthday – April 30, 1945; he knew the end was approaching and he was not one to surrender: he made sure he was not captured. Josef Goebbels[1], who stayed with Hitler to the very end, had also committed suicide – and forced his family, including his kids (the mother assured the kids everyone was using this drug – I believe morphine – and to not worry, therefore allowing them to be sedated while they’re poisoned) to do the same. Goebbels was, of course, the master propagandist of Nazi Germany, and this combined with Hitler being a very powerful speaker is a very dangerous combination (yet they weren’t the only powerful variables). Hitler of course was concerned that the cyanamide was not sufficiently potent, and despite him being close to his German Shepherd Blondi, a day before he committed suicide, he tested a dose of cyanamide[2] on Blondi; she would be buried and later excavated by the Soviet Union. Meanwhile, Hitler ordered that his remains as well as Eva’s remains, to be burnt. I’ll return to the liberation of Berlin towards the end of this essay.

The fact Hitler was never one to surrender is quite obvious when you consider the end of the first world war – the war to end all wars: he felt it was an utter betrayal to surrender and was in disbelief that the war was finished; he truly wanted to continue after recovering from temporary blindness (from a mustard gas attack). The Germans (Hitler was born in Austria and was very much Austrian: indeed, over the years, as I recall more than once, many cities in Austria have rushed to make sure that he was not still an honorary citizen, after it was made known that a city still declared him exactly that) told him they no longer needed his service. This of course, was not the end: The Treaty of Versailles left Germany a disaster.

Germany lost a lot of land; the Rhineland was to be demilitarised; their military was limited to no more than 100,000 men; they were not allowed an air force; were to give up military air craft; they were not allowed to import or build air power for six months among other air warfare restrictions (yet ironically, despite all this, the Luftwaffe would later literally flatten areas in the UK during The Blitz, which caused many in England to use the tube stations as bombing shelters and led to utter devastation in areas – like North Ireland – that did not prepare if not outright ignore warnings); prohibition in the arms trade; limitations as to what the navy was allowed (battleships as well as number of men); they were to pay billions (marks) in reparations, something I believe they’ve yet to pay off (I would be surprised if they ever do, assuming that indeed they have not yet); and much more. Germany was not invited to the discussions. All of this paved the way for Hitler to eventually take over what would later become the National Socialist German Workers’ Party – or Nationalsozialistische Deutsche Arbeiterpartei (abbreviated as NSDAP), more commonly known as the Nazi Party. It was originally the National Socialists party. It was Hitler who decided to rename it to what it is known as today. His idea was it would appease to the masses, essentially everyone but the communists and the Jews[3]. In addition, the victors also largely ignored the Japanese, despite Japan being a victor.

When you think of all this, it would be absurd to even dream of there not being another major conflict. As far as I am aware, the Americans tried to some time later get some of these limitations removed, because of this fear. But they were too late and/or not successful. Essentially, the treaty would be to the victors’ – and indeed the entire world – peril.

Yet despite the terror of the time, despite the atrocities, mankind has not taken to heart all the lessons. There is no such thing as tolerance if it is not respected and considered 100%; therefore, tolerance is a dangerous lie: selective tolerance still discriminates and that is exactly what happened so many years ago and to this day still occurs. It is true that there were horrible atrocities with terrible consequences and to this day there still is. But war is war. While that does not justify what was done, it should always be kept in mind. The last remaining body guard of Hitler once said something that should be remembered because it is completely honest and 100% valid: there’s never been a war without war crime. I would extend this, and perhaps he meant this too, by adding: war itself is a crime.

Yet despite the Soviet Union liberating Berlin (and other Nazi occupied land), they were not above being horrendous, either. The Red Army looted, committed mass rape and mass murder. This affected many more people: rape and in general sexual – which is also physical, mental and emotional – abuse ruins lives (and a close friend of mine can attest to that, even though it should be obvious). Then there’s the murders. Is that better than the Nazis? The effect would not happen if it wasn’t for the cause; the cause is the lack of tolerance, the hate, vengeful, discriminatory and oppressive behaviour and mentality. Yet many Soviets earned medals for liberating Berlin. One hopes that none that participated in the deplorable actions were also rewarded, but as I’ve already noted – war is a criminal act, and it is inevitable that these things will happen, and in all likelihood many perpetrators were indeed rewarded.

It is interesting to note that two very significant things changed the war outlook (of course there’s others, including some that are because of these). First, Hitler regretted his pact with the Soviet Union, and he decided to break it by invasion. With the Soviet’s scorched earth tactic, combined with the climate and temperatures there, the German army suffered terribly. This also meant that the Soviets would fight the Nazis and ultimately would liberate much of Europe (it is also worth noting that other neutral countries – Sweden, for example – would not only remain unoccupied but also gain the Nazis trust and as such, many Jews were able to flee to Sweden). The other is that Japan bombed Pearl Harbor and this, combined with Hitler shortly thereafter declaring war on the United States of America, would bring the US in to the war. The Americans were an important part of the victory, from D-Day (Normandy) and through the Pacific.

70 years ago today began the first part of a transition to the end of a very dark chapter in mankind. Never forget what happened, how many lives were lost, how many lost family, how many suffered. Never forget it could have been worse. But do not forget either that it could have been better if only there was tolerance, more peaceful cooperation (instead of aggressive competition) and if only more people remembered how their actions affect others. Ultimately, World War Two could have been avoided as could many other wars, including wars after World War Two. But they aren’t avoided. 70 years have gone by and mankind has still not acknowledged these things; there is nothing darker than this realisation.

[1] Just like it is commonly spelt Adolf Hitler (when his birth certificate actually shows Adolphus) it is often Joseph instead of Josef. One of the books I have on Hitler (as below) spells it Josef. Probably the common spellings are English.
[2] I always remembered cyanide. However, because I wanted to cite references to some of this, I looked at one of the books I have on Hitler. While some other Nazis did use cyanide, apparently Blondi was given cyanamide (and it seems that it was initially Hitler’s doctor that suggested this be the way to test it). Ironically, despite Hitler’s fear (he shared the fear with someone who had relayed the fear to Hitler although they had different reasons as to believe it) it was Eva Braun who took the cyanamide (although she tried to use something else; the name fails to come to mind). Hitler shot himself instead.
[3] There was no place for Jews as far as he was concerned. What made him hate Jews so much is likely a combination of factors but one theory is something the Nazis used themselves – spreading fear and hate by words and actions; certainly he mirrored some beliefs as others had already made public, and certainly he was influenced by others. I’m not certain why he hated the communists so much except that he supposedly railed against them in Mein Kampf in addition to the Jews.

While I have more books on Hitler, the one I have actually read (albeit a long time ago until some brief checks earlier today) is below.

Books
Adolf Hitler: The Definitive Biography by John Toland (Anchor, 1992)

systemd tips and tricks

I really have tried to get myself to like systemd and if nothing else I’ve tried to get accustomed to it. While the latter is mostly the case (though I certainly do not know it as well as I could or perhaps should, this admittedly due in part to strongly disagreeing and being against some of the more recent – past few years – changes in Linux, including a great deal of the systemd concept), I still have mostly failed to like systemd; indeed, there is still much of it I really do not like. So this is perhaps an unusual post, in a sense, because I don’t like it – why would I bother with this? Well the reason is it is true to my nature, and I share information where I can (and I’m sincere enough to give credit where credit is due, including for things I dislike). The other reason is that I do find some features really useful and today, as I was updating some configurations, I decided to go beyond the intended goal: in the process, I also came up with some little bits of information that I find useful and if nothing else, I might find it a useful reference later on. The list is short (perhaps not as short as it seems, if you consider the first entry’s additional resource). I feel somewhat humbled and I can honestly claim that – while I still don’t like systemd in full – writing this list actually makes for additional cases for systemd (rather than against), as well as discovering more and learning in the process (which is always positive for me).

  • The passive finger printing service, known as p0f, has an issue that I see as a defect, but can be repaired by systemd (this is something I do appreciate). The defect is that upon detecting the network is down (even if the network service is restarted, i.e. stopped and started immediately), it errors out, terminating itself. But if it is able to detect the network is down, it should be able to sleep/poll (actually, systemd allows for this exactly albeit by having p0f restart on failure, trying until it succeeds) until the network is back online, and then resume its normal operations. Maybe there is some technical reason for their choice (specific to their internals or a library they rely on) but if that is not the case I consider it a defect. It is true that p0f (at least the version I am using) doesn’t support systemd natively, but then you can create a basic p0f.service file and activate it, start it and therefore resolve the problem (systemd can restart services when they fail, as well as in other occasions).
  • As I explain in the p0f.service file, if a service becomes a daemon, you’ll want the line (in the Service section) because otherwise the service will be dead but with no explained reason (systemctl status will show it as it started but that is the last message yet it is dead; the process won’t exist in the system, either):
    Type=forking
  • This is another thing I like (I admit it could be done with SysV but it is somewhat simplified here because each service has its own state as well as its own configuration file and where applicable it can share settings; more specifically, the process of configuration and setting this up, is simplified – you don’t necessarily need multiple PID files, either): you can run more than one instance of the same service, without any problems, even if they have different configurations. For instance, if you use stunnel (tip for stunnel: if your system does not have enough entropy, if you can obtain and use rngd, it can solve the problem, therefore allowing stunnel to start; note, however that you might have to force it to stay in the foreground [the option -f does this] – which isn’t to say you have to keep the session active! – and you might also have to read from /dev/urandom in order for it to start itself!)  you can have a stunnel-client and a stunnel-server, each with their own configuration file (something I just thought of, which could possibly be useful, is multiple instances of a MTA – postfix, for example – for different domains etc.), and each with their own state (is it enabled, is it active, was it stopped?). You should of course make sure they log to different files (or somehow synchronise them) if it would cause problems reading (or parsing) the file but that probably always applies. To enable this, once you create the .service files, you can use the normal commands (enable, disable, etc.) on each service (the main difference is – besides any adjusted configurations – the service name). I find this functionality rather useful. This – I might add – can be extended to make other virtual services; it doesn’t necessarily need to be a daemon (or otherwise fork), and of course systemd has more than services.

So I guess you could say that there’s some useful cases for systemd. In addition, I know there’s another one which makes diagnosing fatal errors – say, boot up failure – easier because of the journal (I think this was the idea although I might be remembering part of this wrong; that is besides the point, however – the idea is it has some benefits and I’m willing to acknowledge and accept this, even though there is much I don’t like, too).

Solution: systemd-sysv-generator: Could not find init script for


2015/03/08: I never seem to remember this and only by chance did when able to note it. I am not fixing it here, however, for two reasons: I don’t have the time or inclination, and it isn’t harmful – it is actually beneficial – to type commands on your own. The problem is this, though: formatting of certain characters on websites. Specifically, the – and — are a minus/subtract/dash sign and two together, respectively. But they won’t be displayed that way so if one was to copy and paste, it won’t be what is truly typed. I am positive this problem is elsewhere here, but again it is something I seldom remember.


This is something I’ve seen in a Fedora VM. It seemed odd to me because the services were not enabled and actually weren’t installed (but had been). I never really looked in to it, however; after all, it is just a warning and I had seen odd things in systemd before (as I’ve documented). But just a bit ago I decided to look in to it. It is quite simple really (however, I’m elaborating on different parts and this includes safe computing practises; indeed, there are some things to consider and if you don’t know how certain things work in full you would be wise to learn those things).

systemd-sysv-generator is a simple wrapper to allow services – that are not systemd enabled (or maybe ‘capable’ is better), that is, those that don’t have systemd files (and instead, as is suggested by the name, is SysV init scripts) – to work with systemd. All one needs to do is determine this (which isn’t all that complicated) and it becomes quite natural to suspect that something refers to what used to exist but does not now. That suggests, also, that it is a dangling symlink (much like a dangling pointer in C, the symlink points to something that doesn’t exist but at one point did). This means that you need only rm the symlink itself. To find all broken symlinks in /etc/rc.d (which is the directory in which all the SysV init scripts are located) you can use the following. Note that I pass the option –color=auto to ls for those who have colour terminals (which means most) and therefore can see that they are indeed broken. However, I’ll explain the reason this works as such. I’ll show how to remove the links but I’m first including how to print the link names. It should be obvious why but just in case: never ever copy and paste a command that deletes (or truncates or otherwise overwrites) files, without knowing the full consequences. Sometimes broken links are installed and I wouldn’t go around deleting just any link (it is one of those things that “don’t do this unless you truly know what you are doing” – it just isn’t safe practise to delete files because they appear useless to you; see below, also).

To find broken links in /etc/rc.d you would use the following command (you shouldn’t need to be root to display them; you would be to delete them, whether through sudo, su with the option -c or as root is up to you):
$ find -L /etc/rc.d -type l -a -exec ls –color=auto -l ‘{}’ \;
The -L option means dereference symlinks. We only care about files under /etc/rc.d so we specify that as where to find the files. -type l means symbolic link. The result of this type is always false unless -L is specified and the link is broken. The -a (you can omit the -a because two expressions, one following the next, implies it) stands for and which means only execute the ls command if the previous expression is true. Since we want to find broken symlinks, and since -L dereferences symlinks, if the file doesn’t exist the dereferenced file cannot be a symlink. Therefore, because of the return value (as previously explained), if the link is broken, we need the and option. The -exec syntax of find is something that I think throws people off. I never had this problem; I read it in a book many years ago and it made sense to me. The idea, however, is this: you escape (in this case through single quotes) the {} (and therefore you have ‘{}’). That is the current object. ls –color=auto is for colouring, as I explained earlier (you don’t have to use that option, of course). The \; you can read as the end of the command. You could also do ‘;’ but the general form is escaping it (hence \; ). Thus, in my case, I saw (not including colour) the following (snipping some of it for sake of brevity):

lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc2.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc2.d/S90tcsd -> ../init.d/tcsd
lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc6.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc6.d/K10tcsd -> ../init.d/tcsd
lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc4.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc4.d/S90tcsd -> ../init.d/tcsd
lrwxrwxrwx 1 root root 18 Jan 15 2013 /etc/rc.d/rc0.d/K85ebtables -> ../init.d/ebtables
lrwxrwxrwx. 1 root root 14 Sep 27 2012 /etc/rc.d/rc0.d/K10tcsd -> ../init.d/tcsd

Therefore, to delete the files, I would do the following. Note, however, that I am passing the -i (interactive) option to rm for demonstrations purposes. If you want to confirm that you copied and pasted it right (You should rather type it!), or that there isn’t anything else wrong (and this is a good idea in general; I mean no harm but if I make a typo myself, leave out some information by accident or… if I was being malicious.. it would not serve you well: while I am biased because I am incredibly cynical in life, being cynical when it comes to instructions in computer-land is a very good thing! Trust is far too easily given and this has been abused many times over the years, and I mean in the extreme: rooting a system which means gaining root access which means complete control of the system and potentially more of the network!). This is the command:
# find -L /etc/rc.d -type l -a -exec rm -i ‘{}’ \;
After that, assuming you confirmed every file, and assuming no errors, if you were to try the first find command (the one invoking ls), you would have no output because all broken links would be gone.

As for deleting files (that I referred to earlier, with regards to files that seem useless). This is more general, and by more general I mean the way symbolic links work in general. Depending on options to commands and otherwise how commands are invoked, you can run in to problems: is a symbolic link dereferenced, for example? If it is, then acting on it will act on the target. Otherwise it will act on the link itself (this is akin to C, also, where you can have a pointer to a structure but if you don’t dereference it you are only accessing the pointer, not what it points to!). In short: unless you know which commands do what in which conditions, you can run in to problems (whether you do or don’t is another matter entirely; taking the risk is however, not exactly the best choice). This is also what I described in a post some years back called The Spirit of Pranks – Technology Style and in particular the entry that I titled (one of the entries that were my own doing) ‘The “don’t type a command if you don’t know what it does” trick’. Of course, type also implies (maybe more so!) copy and paste. I want to point something out, finally, on this: this rule is especially important because what if you use a command that and specify the wildcard on a directory? It might be that if you use the recursive option, the command does not dereference the links (and for good reason). However, if you don’t specify that option and you instead use a wildcard (or otherwise a file globbing pattern), you might cause damage rather tha solving your problem. I’ll give you an example, and one that almost bit me hard (and I’ve since that time never had a link to this again): if you have a symlink to /dev/null and you run a command that changes the file (it was I believe owner, since only root can change the owner and therefore the command was run as root!), you can break your system. It might seem absurd, but /dev/null is critical. Furthermore, changing the owners, modes, and so on, of files (in /etc is a good example but it isn’t the only example) can break your system. Indeed, a big mistake is when people accidentally (or don’t know better) use recursively change ownership. The problem is: .* does not mean all dot files/directories below the current working directory. It means all .dot files/directorys in the entire filesystem, when acting recursively! It might seem like it would, because after all, a* shows files that start with an a but it isn’t that simple. If you want more information here, read section 7 of glob in the manpages). And while it is similar to regular expressions it is NOT the same! As I think I’ve made clear before (On this subject, in fact), the pattern would be ‘.??*’ (without the quotes, of course). However, the proper way is to be in the starting directory and then recurse on the path ‘.’ (without the quote). But again, this can be very risky; if you are in /etc you can cause a lot of problems (same with /usr …).

Multiple Default Routes Per Network Interface

Problem: You have two NICs in one system where the first NIC is for Internet bound traffic and the second NIC is for an intranet (in my case attached to the switch but is not allowed to communicate with the first NIC and is isolated from the Internet through ingress and egress filtering). Furthermore, the first NIC is associated (by IP addresses assigned to it) with more than one network. How do you make sure that inbound and outbound traffic for one network uses its default gateway and every other network uses its own default gateway as well? After all, if you have a /32 (single IP) and a /29 block, then you would expect the default routes to be different. But both are on the same interface!

Taking the method of configuring multiple default routes found here with a slight change will solve the problem. I did this a while back and I offered some hints there. But somewhat related to a previous post of mine, that of IP masquerading based on destination port, found here, I have decided to explain it more thoroughly (actually, there really isn’t much to explain at all). So what is this slight change? In fact, the change is only that instead of dealing with multiple NICs (one or more for each network), you only concern yourself with one NIC. Yes, it is that simple. I do have a bonus, however, albeit nothing much. If you use SysV initscripts  (e.g. Red Hat), this is how you configure it so that it remains across reboots; contrary to what is often suggested, you typically do not need to write your own script and neither do you have to modify a script that runs on boot, for these types of changes: the support is already there and for good reasons – no one would expect you to reconfigure your network every time you reboot! This is all you do:

After replacing the IP addresses (this includes all the IPs: the network, the gateway and the IP associated with the interface in question) with your own, making sure the configuration works (after typing – and remember, if you type it you’re more likely to remember it, as opposed to copy and pasting! – it and testing it at the shell as well as from other hosts that are relevant), you take each object type (route and rule) and create a file (i.e. for each interface and for each object type) in /etc/sysconfig/network-scripts with a few tweaks. For rules, if your NIC is eth0, you’d have the following file:
/etc/sysconfig/network-scripts/rule-eth0

In this file, you would take what follows the ‘:’ from the command ‘ip rule show’ and place it in to the file. Note that you want the rules that apply to the table the rules apply to! You don’t want the other tables!

You would also have the file:
/etc/sysconfig/network-scripts/route-eth0

and inside it you would place the ip route add command (that was typed in previously) except that you don’t include the ‘ip route add’ but only what follows it (to the right).

That’s all there is to it!

(Of course, that’s all there is to if you’ve read the original document and equally important, if my being distracted while writing this – which I was – has not created a null … route).

Rant: The State of Cyber War


2015/02/19:
Prepend ‘Rant:’  to the title. I’m on the fence of whether it would be better as ‘Viewpoint:’ or ‘Rant:’ but for now I’m erring on rant because there is aggression and rant is therefore more likely what people would think of (even though there certainly are personal viewpoints here). Yes, the point is valid – cyberwar is a dangerous game indeed, and a game that is unlikely to stop (this is not War Games, after all – at least not as the movie portrays). But sarcasm is in my blood, it really is (and it has always been this way, even as a toddler), and if I were a god I would likely be the god of sarcasm with a quick and nasty temper. I won’t deny it; the way I express myself is probably not the best, certainly it is not the way most people express themselves. I do try to be reasonable – and fair – and this is one of the reasons I try to always have a point but the fact remains that it is often in a vague and cryptic manner with a tendency to go too far.


I want to take some time to clarify some things that I wrote yesterday, that being 2015/01/20. The intent that this is less aggressive. With that in mind, here goes:

Perhaps it is true that I should not have tackled what I did yesterday. Based on how I’ve felt for quite some time, it wouldn’t surprise me one way or another. But even though I might have gone too far in some ways (or in some parts), there is the fact that the point remains the same: attacking someone (or some entity) as well as provoking them, followed by whining (and that is EXACTLY what it is) when the same happens in return, is stupid and hypocritical. Would you really lunge at someone and then complain about how much harm they caused you in return? That is what it is – you reap what you sow.

The fact remains that participating in cyber war, in general, is a dangerous game (and directly attacking other nations computers is NOT defence – it is the cyber equivalent of declaring war on and invading the country). In other words, yes, the suggestion that if all the activity being done was in the real world, it would be a nuclear holocaust, isn’t so far off the radar (if you will excuse the pun).

Lastly, the very idea that nations need laws to somehow share more information with corporations, it is an absurd and dangerous lie. That they also claim it is for the citizens’ own safety and good, is actually scary. Shockingly scary. Yesterday I didn’t want to elaborate on why I chose Nazi Germany to compare. I’ll get to the point momentarily, but to anyone who might want to know (not that I believe I have many readers): there’s many reasons, one of which is I’m a WW2 buff. I studied Nazi Germany extensively. While there is much I don’t remember (compared to before), I still remember a lot. So here it is: the Schutzstaffel, otherwise known as the SS, and the secret police the Gestapo? They made these same claims too: that they were doing it for everyone’s good. The world still hasn’t learned from the war and they didn’t learn much about tolerance, either, did they? Not even close. Tolerance for group one and not group two is not any more tolerant than being tolerant for group two and not group one. But that is exactly what happens to this day and it is a double standard (at best). I’ll not get in to the history aside from this final point, a point that should not be dismissed (I know it is and will continue to be, though): the problem isn’t how far someone travels (i.e. the severity of each act); the problem is how willing they are to create the path that allows the travelling (i.e. what laws come into existence to remove the blockades). In other words, the very idea that they’re needing more and more control (notice how this doesn’t stop after they get the next amount? And then the next? And next? And start all over ad infinitum? Ask yourself how new you really believe that is) for the same purpose – for the safety and the good of the population is scarily similar to what should never be ignored. But it is ignored. Ironically – as I already suggested – the rationale of ‘why they need this’ remains the same. The part that does change is they continue to need more and more (of what they already supposedly have!) to fulfil the same(!) task. The more they need, the more they abuse (it) and the more they abuse the more power they crave. Truly feel safer? What makes you feel that way? What actually changed? Sadly some (many, obviously) will fall for this claim – repeatedly. It is ironically just like history.


This will be a piece that is mixed with ridicule as well as a warning. I fully acknowledge that the warning will be largely dismissed, at least dismissed by those who actually should not ignore it. But then you can’t really reason with politicians, can you? No – one of the definitions of a politician is a complete idiot that is dangerously high on a power trip, desperate for power, one that spreads fear, incites hate and anger. That is about as far as I’ll go in that regard because, as I’ve made clear before, politics is one of the most potent cesspools known to mankind (I have no problem, however, with actually attacking their arguments, their claims, when it comes to computers). To this end, another warning: while I do have good intent here, it was a thoroughly obnoxious day. So the ridicule might go too far. I’ll be in good company though, won’t I? Not sure it is the right company but such is life. So with that:

It seems to me that, given the circumstances, now is a good time as ever to write about the risks of cyber wars. What circumstances? It has been claimed by the New York Times, as well as Germany’s Der Spiegel, that the reason the US officials suggested that North Korea was responsible for the attacks on Sony, is that they had access to North Korea’s network. Yes, that means they compromised North Korea’s network. Yes, that means more hypocrisy indeed (there is never enough of that, is there?). These two news sources, I might add? These are the agencies that Edward Snowden leaked the spying accusations to. As I’ve made clear before, the NSA has a long history of hissy fits about encryption (and otherwise needing control) so really the only news to me is what specifically they were up to – as a spying agency, and as a spying agency that has the history that the NSA has, it isn’t really surprising. Sadly this makes it even more believable. Let’s see, what are the claims that are known, and what is the US saying in defence of themselves?

“While no two situations are the same, it is our shared goal to prevent bad actors from exploiting, disrupting or damaging US commercial networks and cyber infrastructure,” said spokesman Brian Hale.

Noted. That says quite a lot, doesn’t it? The fact no two situations are the same and the fact you want to prevent bad actors from ‘exploiting, disrupting or damaging US commercial networks and cyber infrastructures’, this is why you don’t count yourself, right? Because it is a different situation than yourselves. Makes sense – and since there’s often a lot of assumptions in this topic, I don’t see why I shouldn’t assume here, too, that my suggestion makes sense. That isn’t wrong, is it? Or perhaps it is because you aren’t actually actors but instead being your usual self? That seems quite plausible, too, I must admit. Then again, maybe it is simply that you don’t consider reputation all that important? That would explain why you find it perfectly acceptable to BREAK THE LAW as long as it is for those you (supposedly) are protecting? But it gets better, doesn’t it?

When it becomes clear that cyber criminals have the ability and intent to do damage, we work cooperatively to defend networks.”

You work to defend the networks. If it is on the land of the US, of course. But is that really the full truth? I don’t know if I agree. The BBC makes claim that the paper reporting this new information says that you – that is the officials supposedly investigating the crime – believed that North Korea was mapping the network for two months prior to the attack. Considering that one of the very first things an attacker will do, when going after a network, is getting as much information as they can about the organisation (its employees, its hours of work, its network, the hosts, the services, everything means as much as they can possibly gather), this would make sense, wouldn’t it? Yet it took you two months to figure this out? Weren’t you monitoring them? Why would you not alert them? Why would you not help them? (One hopes you don’t do this with your own although seeing as how there are issues at times, it makes me wonder) Is it because there is some other use out of it? I don’t know, maybe making it an excuse to give more power, more control to the government, with regards to what capabilities you are allowed? Something like this:

A senior Democrat on the House Intelligence Committee on Friday will reintroduce a controversial bill that would help the public and private sectors share information about cybersecurity threats.

“The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger (D-Md.), told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea.

Or maybe it was because then more sanctions could hit North Korea? Because a cyber attack is the right reason for that over all other things, yes (and of course, sanctioning an isolated state isn’t provocative – it is actually helping the relationship, that’s what sanctions are for, right? It won’t hurt the citizens and actually it will make them feel better, that other nations care enough to cause them more grief ‘as long as it teaches the nation to do what’s right’)? On the other hand, it is possible the attacks are being abused to do that (some might argue all of the above – they’re probably right). My problem with this, goes further. This is encouraging cyber attacks (yet more recently there is the suggestion that the US and the UK will participate in war games, the irony in it all is too much, when you consider why the two nations want to do this). “I want to keep the momentum going on what’s happening out there in the world” implies that you honestly don’t care why, you just have to have more control, as if it is as I put it – a drug. Nazi Germany did similar and their excuses were similar too; they were protecting others from whatever they didn’t like (even though the claim was a farce). Indeed, that ‘keep the momentum’ remark also implies that you’re fine with the attack, an attack that revealed confidential information about people whose only crime was working for Sony. You’re fine with it because it gives you an excuse to tighten the noose (ironically the law allows more spying on the citizens of the nation you claim to be protecting – again, just like Nazi Germany). (Yes, I’m deliberately comparing it to Nazi Germany even though there are plenty of others.  There are many reasons for it. I won’t elaborate on it aside from that.) And the law you want to introduce isn’t just making it easier to share information about cybersecurity threats. There is not a single thing that prevents you from doing that now! Nothing prevents the corporations from informing you of attacks (as they recently showed you exactly that – because the government refused to warn them even knowing it was imminent, a shameful act indeed). The only thing that prevents the government from sharing that information is they would rather not. But that isn’t a legal issue. No, the law you refer to is CISPA – the law that allows spying on citizens (among other things). Anything else is an absurd lie – a lie designed to manipulate the situation (yet again just like Nazi Germany)! No, it wouldn’t have prevented the attack, either. Ironically, given the claim by the government, it seems the one thing that could have prevented it would be the government themselves; the government that claims they need more power (yes, because having been monitoring North Korea wasn’t enough!). Indeed – people in power can never get enough, no matter what they have already, and the more they get (and they are often so insistent on it that it is expected they will) the more they want in a vicious cycle just like the addictive properties (and effects) of drugs.

The fact of the matter is: the United States is not just a victim of cyber crime; they are perpetrators just as much as other nations (perhaps in some ways more so). It is just the United States has the status to get away with it more easily. The reality is that by participating in cyber wars, you’re actually creating more problems and I do not refer just between nations (but that is what this is about). The end result: each and every nation that adds fuel to the fire rationally has only themselves to blame when they fall prey. In addition, corporations that are attacked because of where they reside also could rationally blame their nation (whether they are allowed to be there or not is frankly an irrelevant point (and keep in mind that Sony is a Japanese corporation, not an American corporation, and this, I fear, makes that argument – of nationality and otherwise location – less relevant)). If nations acted this way in the real world – and let’s be honest: that is already far too extreme – there would be a nuclear holocaust. Much of what is claimed is defence is actually direct provocation. As for North Korea versus the United States, I will remind you again: the two nations are not allies and in fact are more like enemies; consequently, provoking them and then complaining about the response, is hardly helpful. It is actually about as stupid and arrogant as when a human goes in to the ocean, even with warning signs about recent shark activity, gets killed (why go in to its territory?) and what do officials do? They hunt the shark down and viciously slaughter it, as if it was deliberately in the territory of humans (because humans live in the oceans, yes?) to slaughter as many (humans) possible (never mind the fact that many shark attacks are accidental). Yes, that is a great analogy: go in to their territory, run into problems and then it is their fault; they shouldn’t have been where I wanted to be! Indeed.

Source IP Masquerading by Destination Port


2015/01/11:
Fixed previous mixup on ports (that I noted but did not fix). I also cleaned up some less-relevant (if not outright irrelevant) stuff and tried to make some things a bit clearer. In addition, while I haven’t yet, I’m considering going through all my how-tos here and move them (or add them to) http://docs.xexyl.net (which has more documents I’ve not made notice to here). This would be among them. If I do this I’d likely try to clean this up even more and make it more clear. For now, however, there should be fewer inconsistencies and errors.


(Another name might be: Source IP selection based on destination port or service)

Problem: you have a static IP (singular or block) and you also have a dynamic IP. For some hosts (i.e. server) you want static IP always, for other hosts (e.g. workstation or desktop) you might have a static IP and a dynamic IP. As for the latter, it might be – since you have a static IP block – that you have a fully-qualified domain name (FQDN). You might also have a PTR record (reverse the address and add an .in-addr.arpa = 127.0.0.1 (localhost) becomes 1.0.0.127.in-addr.arpa) so that if you claim you are host.example.com then the host you are claiming this to, can verify it by confirming that your IP does indeed resolve to host.example.com and not something else (if anything). This is most common with sending email. What to do when you sometimes want to use a dynamic IP (e.g. for web browsing) but certain services should really use a static IP ?

There’s two approaches, depending on what you need. You can use ip routes (and rules) so that depending on source (and/or destination) IP it should use one IP whereas otherwise it’ll use a  different IP. This is how I had my desktop configured because the hosts I ssh in to do ingress filtering by IP blocks (so I have to use my static IP – they’re declared static for a reason and it is the most reliable IP to allow). But something I did not like made me think of (spur of the moment solution came to mind) a way to not have to add many IPs (to the static routing table) simply to solve this problem. The issue is that if I am sending mail to a host that doesn’t resolve to my IP block (which would then know I am indeed who I claim to be), if I’m connecting via my dynamic IP block, I obviously do not have a PTR record. So the fact I claim to be a certain host that the PTR record does not match means any number of things (and this is another subject entirely). But then, surely I don’t want to maintain a list of IPs that should use one route (therefore one source IP) and otherwise use the default (dynamic) IP. So what can you do? Well if you know that certain services are going to prefer (if not require) you to be who you claim, then you can use iptables to masquerade your connection to be from the static IP.

Yes, this involves NAT and specifically source NAT. (And yes, I generally hate NAT but there are uses for it. This is definitely one of them) Now there are two ways to do this. The usual way (‘usual’ might be ‘more common’) is through the iptables target MASQUERADE (yes, all caps indeed). As the man page shows though, that is more so if you have a dynamic IP (it still works, though). I seem to remember it has similar if not exact options (which means you might replace ‘SNAT’ with ‘MASQUERADE’ and get away with it). Regardless, I’m going to use the SNAT target.

If I send mail through port 465 or 587 (SMTP is 25 and mail servers do use it but if you use the former ports – i.e. for secure authentication for purpose of mailing – then it is what matters (and you can do this for multiple ports (and indeed completely different services))) then the following rules will masquerade any packet sent to port 465 or 587 (to any host that matches the rule) so that the source IP will be that which you specify. A note: originally I included what I have in my set up: only match if the source IP is not in the 10.0.0.0/8 block. I’m removing this, however, because I feel it makes it harder to understand. Therefore I am only including the bare minimum. The IP below, 192.168.1.66 would be YOUR static IP (or whichever IP you want to send and receive packets from).


# iptables -t nat -I POSTROUTING -p tcp –dport 465 -j SNAT –to-source 192.168.1.66
# iptables -t nat -I POSTROUTING -p tcp –dport 587 -j SNAT –to-source 192.168.1.66
# echo “Additional rules can be added for other ports”


# is the prompt in this case so don’t type it (I have to state this because, firstly, if you were to copy it to the shell it would be a comment and therefore not run, and second, you should always be careful at the command line and especially when root). So to break down the rules (will only explain the first – the second is the same as the first except we care about a different port) I’ll explain it in one go. Then I’ll explain certain parts below, in more detail. The -t option specifies which table to add the rule to (in this case nat). We insert this rule at the front of the POSTROUTING chain ( -I POSTROUTING ) (in the nat table as noted), specifying that the protocol must be tcp (-p tcp (yes, lowercase here)) and that the destination port is 465 (–dport 465). If the packet matches this criteria, then we jump to the target SNAT (-j SNAT), passing the option –to-source with the IP we want to masquerade as: 192.168.1.66 would be the IP you want to send the related packets from (and have your host translate the inbound packets related to). The basic form, then, is that what follows –to-source is YOUR IP you want to send and receive packets FROM when communicating TO PORT 465. So in my live setup, the IP after –to-source would be my static IP and the rest would be the same. This way, whenever I send to to port 465 on any host, I will use my static IP; when I send to a different port (not specified in any other rule or manipulated elsewhere), I would use my dynamic IP. You can add additional rules and you can change the ports, you can specify port ranges (in one rule) and you can adapt the rules as you see fit. The idea, however, is hopefully clear. I did try rearranging this several times and I think it is mostly understandable now but if not I’ll hopefully be able to explain it better in the future.

In any case, the above is a much cleaner way to deal with the problems combined: specific services (so ports) regardless of the IP (which there could be many including some you might only have the host names (although using hostnames in firewall rules is definitely not to be suggested, which means you would be better off resolving it to the IP but it is still possible). Compare this to keeping a list of all IPs (and keeping it updated) so that certain services work properly (multiple definitions of work properly, two I described in this write-up). Anything else will be fine per your configuration. I should lastly point out that this obviously won’t be of help if you have IPv6 enabled and default to using it (over IPv4): I specifically force thunderbird and firefox to use IPv4 so this works for me (there are other ways around this, too (but is out of the scope of this article)). At my end this is important because I don’t have authority over my IPv6 block (and it would be different with ip6tables).

The Consequences of the Sony Attack

While this should maybe be under security, I want to highlight some other things, too. It is rather interesting to me, but so many people, every year around this time, talk about resolutions. While I’m going to get to the issue the title refers to, I actually think security (and therefore that issue) is a perfect thing to discuss with resolutions. Indeed, I find this interesting yet also something of a farce. I call New Years Resolution what they are: nonsense.

Why on Earth do people think that a certain time is any better than another, to be better about (or accomplish, or… ) something? Is that not absurd? If the idea is to improve yourself, why not always do so? If you can only improve yourself when you’re ‘supposed’ to, you’re not actually improving yourself: you’re actually sealing your fate in a vicious cycle of only do something (that supposedly is better for you) for a short time in the year and then  wait until next year. What is so special about this time of year, and why does it happen every year? The answer to the rhetorical question is, of course: because (they) only last a few weeks before giving up which really means they only pretend to care – you want to improve or you don’t, it is that simple. The only other part of it is that some people believe they want to change in some way but they actually don’t want to (which conveniently fits in ‘or you don’t’) – they try to convince themselves of it but they don’t really want to. I’m a perfect example, actually, but not in the sense of New Years and not actually bettering myself (but it indeed is cyclical). I often try to tell myself I need to be more social (I am incredibly asocial – I’m essentially a hermit that has Internet access and will go to doctors but aside from that I tend to shy away from gatherings). But it doesn’t last and I then come to the conclusion (in a repeated cycle like I described New Years Resolutions) that no, I was only thinking I wanted to change this. In reality I was lying to myself (something I admit I do probably far more often than I’d like to – wait for it – believe) about it.

Where does this go with security then? Correct: you should always be improving your standards (just like everything else, if you truly do want to improve) and this goes for security in normal cases but it goes double (if not triple or quadruple or…) after an attack. It is most interesting that those in to security (I’m not even going to include myself here simply because I don’t – as I suggested moments ago – generally like to be included in a group) are calling the claim that North Korea is the sole responsibility, nonsense. Yet at the same time, those who should be paying attention to them, are just pointing the finger (perhaps figuratively and literally pointing the finger!). I find it rather sad that even despite two groups admitting their role in the attack, the authorities then decide to re-frame it to… North Korea decided to contract the work out. Why not admit to a lost cause? Not only is it impossible to verify (let’s also remember justice is a farce (and unfair first impressions does not help here) and people actually admit to committing crimes they were wrongly accused of (and then they are serving time for a crime they didn’t commit and in fact someone else is free – justice indeed)), it isn’t as if no other country would do similar. That includes the United States of America. So what does this equate to? Instead of trying to figure out what can be learned from the attack, it is playing the game of victim only – a victim of the same thing in the past (and in the past…) and not changing because of it. While I don’t know Sony’s point of view is now what I do know is there was a leaked email from Sony and if I recall, it was the CEO himself. And what was included but the idea that there was nothing they could have done (and the so-called security experts they called in (as if security is only once in a while!) made the claim to Sony!), it was unprecedented and nothing like it has been seen before (if I had a dollar for every time I’ve heard/read/been told/etc. that, I would be filthy rich…). They’re wrong though. This isn’t the first time Sony has been subjected to serious attacks. I doubt it’ll be the last. The last one was not the first, either, as I recall.

The fact is: attacks happen and more attempts happen. Sony is not the only victim. I see a lot of attempts on my (low profile) server. They’re a huge, international company. Of course they’re going to see attacks. Make the best of old news or repeat history (we already know where much of society fits in this selection). It is expected and here is the brutal truth, folks, and this is something Sony (and others) would do well to understand (because the mentality that there was nothing that could be done is actually exactly what I’m going to describe): if you want a sure fire way to get breached, all you need to do is not care about it, tell yourself there is nothing that can be done and just accept the future. In short, do nothing but admit defeat, even before it happened. Ironically, by doing this you’ve actually already lost (yet if you don’t go this route you haven’t lost). Indeed this is a self-fulfilling prophecy: if you so wish to meet this fate, by all means, don’t learn from it. If that makes you feel better then  who is anyone to judge you over it? Certainly I won’t. But I also won’t feel sympathy (for those who won’t change – the fact others are affected is another issue entirely).

As for the United States, I find this rather amusing. I know I’ve explained this before, that I think (because it is the case) the idea of freedom of expression is often taken too far (“kids will be kids – yes, kids will be kids until, that is, they get revenge on bullies, and then how dare them, how dare their parents for not teaching them right from wrong… “). But then since many in the United States are champions of this idea, that freedom of expression (the problem is taking it to the extreme – the problem is not the idea itself: all good comes with bad and all bad comes with good (the two are subtle but it is different: it means even bad people have some good even if it is hard to see for most people)) is ever important, I have to ask: why can’t other countries, other people, also express things that they find important to them (no matter what it is)? I’m not suggesting any one who sees this is not following this, but nevertheless, some do. So to elaborate on the rhetorical question: If someone (or some country, or…) attacks someone, regardless of the legalities, regardless of the ethics, morals, whatever else (that comes to the mind of the ones judging), they are technically expressing themselves. To express something is to convey a thought or feeling through words, gestures or conduct. If they were responsible for the attack, and for the reasons given, then they are by definition expressing themselves! Call it a paradox if you want (but being a paradox does not mean it isn’t valid, remember that) but the reality is the anger they had (and how they display it) is expressing; you might not like how they do it or in what way but they could say the same about you, couldn’t they? It is a healthy thing to believe strongly in something. I feel strongly about some things (but arguably less than I should). But I would like to believe that those who do feel strongly about something do not let it cloud their judgement and that they don’t let it apply to only them (or someone/something they agree with (I already gave an example of this)). Yes, I’m pointing the meaning of expression out because it is true and something that really should be considered. I do look at things from a lot of angles and if you will excuse me, I feel strongly that it is a good thing to do (and yes, I am conveniently expressing myself on the whole issue (see how I did that?)).

 

The Art of Easter Eggs

This is obviously something that is best classified in the general topic, simply because the software I write about is Unix and its derivatives (primarily Linux). What inspired this is two things in particular:

  • I discovered an easter egg in the editor vim earlier this year (which is to say, late September, early October).
  • Besides fond memories of easter eggs I discovered over the years, I enjoy designing them myself, for programs I write (or at least one that others will see, i.e., a specific MUD).

This is just for fun (which is expected with a topic about easter eggs) and basically a list of easter eggs that are memorable to me, that either I discovered on my own or remember reading about them at some point over the years (I’ll specify which is which). I won’t list any I have implemented any where at all and I never will. These easter eggs, mind you, are all old with perhaps the exception of the vim one (which I suspect has been there for quite some time but it is new to me). Therefore I don’t think this is harmful. If however you enjoy finding them on your own, don’t read this. That is my warning.

  • Colossal Cave Adventure, also known as Advent, is an old text based game, somewhat like a MUD only single player. You interact with objects, open/close doors, you can get lost, you can die, and you gain points, too. While the version I am looking at now (version 4, one I fixed a segfault in, for a friend and therefore have it locally) is not the one I played years ago (it was an earlier version that I played), it is still fun and absolutely has easter eggs. The narrator (I guess you could call it) doesn’t take to swearing kindly. There are many responses to swearing and there are many words it sees as swearing. I’ll leave it to your imagination except for the one I find most amusing (at least, literally it is amusing – it contradicts itself):

    ? screw you

    I trust you know what “you” might be, ’cause I don’t.

    Interestingly, when said friend referred to a crash, and they didn’t know exactly what triggered it (it was for her friend who has a Mac and first it failed to compile to which i fixed that) except that it occurred after a command was typed. What that command in question was, I don’t remember (they didn’t know and in fact it wasn’t a specific command and not only that command – it happened more than once) but I had the idea to play with exactly the above: as I was swearing at the computer, it gave me the information I needed; it was a segfault and I recompiled (with debugging symbols – the source is actually obfuscated and I didn’t think of running it through a beautifier and the programmer in me thought to make it drop a core), removed the limit on core size, caused it to crash (therefore dumping core) and found that there was a dereference on a NULL pointer (which, as I’ve discussed before, is much preferable than a pointer that was never assigned to anything – at all – or otherwise pointing to garbage). Added an if, recompiled and it was all fine.

  • I liked this one a lot although I admit I enjoyed more so figuring out how to defeat the boss (and therefore win the game) more than the easter egg (which I also discovered on my own, if memory serves me correctly). I played the game a lot and I beat it many times. The last area  – Icon of Sin – is one hell – indeed, it is intended – of a toxic dump full of demons and monsters alike… but very well worth playing through (unless you are very easily frustrated). This is one of the few computer games I played – most were console games. The game in question is DOOM 2. The easter egg is the severed head of one of the developers, John Romero’s. If you are curious, check http://doom.wikia.com/wiki/ as they have a picture and (for those wondering how it is found) how to find it. What that Wiki page informed me of, something I did not know, is at the beginning of the last area – Icon of Sin – the voice says something that explains – once you decipher it – how to defeat the last boss. I had (have is a much better word) a knack for figuring out how things work and how to solve things (puzzles, games, …) and so I beat it without the hint (there are quite a few things in the area that can make or break your success but I quite enjoy these things).
  • Mortal Kombat series is another game I really enjoyed for a lot of years. These features are more well known, perhaps, but there are hidden characters in the series. One character, named by the reversing the last name of the two developers (or two of, being Ed Boon and John Tobias) is Noob Saibot. He appeared at some points (don’t remember specifics) and says “Toasty”. While checking the Mortal Kombat Wiki, I saw two other names that ring a bell: Smoke and Jade. Looking further it seems that I did indeed go beyond seeing them in the background (definitely this) and in fact fought against them (whether I figured out how to do this on my own or anything else I really cannot remember – I suspect not by myself in full).

More generally, I know there are many others I discovered (or was told about and enjoyed) over the years. I’ll reflect on a theme, one I did not do at all but I remember reading way back when. Then I’ll get to the vim easter egg.

So if you search Google for ‘Bill Gates is the antichrist’. The entry on http://urbanlegends.about.com is much of what it used to be (if not all). It is unfortunate that it isn’t the original, the one I saw so long ago: the original was lost because it was on Geocities and that is long dead. There is an easter egg in one of Microsoft Office (Excel 95 maybe?) that is listed. There’s also some maths with Bill Gates name (think: decimal values being added up) and what it equates to. Funnily enough, among listed is (not so much related to Bill Gates but is is still relevant to the fact I mention the editor vim – though in this case it is vi more so):

Note that the internet is also commony known as the World Wide Web or WWW... One way to write WWW is V/ (VI):

WWW V/ V/ V/ 666
Something to ponder upon, right?

Why is that amusing? Because of the editor wars between vi and emacs. This is one of those wars that is not hell-bent (can’t help it) on flaming but rather wit and humour. Wikipedia has an entry on it but it is claimed vi is the editor of the devil for the above reason (‘vi’, Roman numeral for 6). (There were more examples in that Wikipedia article but that’s the relevant one).

As for the easter egg in Vim I will give an explanation of why and how I discovered it (because I found that more useful than the easter egg), allowing those who are curious, to try it themselves (tip: you can change it as well!). Of all the programs I use, the one I use the most (perhaps better stated is, of all the utilities), is the shell and in my case ‘konsole’ (at my server I don’t have a GUI and so I just use the console itself). I usually have 5-10 tabs (or more) which means 5-10+ shells open at any time. Since I use vim for my editor of choice (I used to use vi but years ago tried vim and I agree with the name: vim is indeed VI iMproved), and since it allows you to open one file and then switch to another file without exiting (you can also open more than one ‘window’, each with another file and this applies equally), the current task in the tab (of konsole) shows the original invocation. This was annoying for many reasons. Looking in to how to fix this, it would be something like putting this in your runtime file (per-user would be ~/.vimrc but you could also use system-wide but I tend to frown upon enforcing changes on all accounts, even if they can disable it):
:auto BufEnter * let &titlestring = hostname() . ":vim " . expand("%p")
:set title titlestring=%<%F%=%l/%L-%P titlelen=70

Now if you open vim with (example): ‘vim file1′ you would note as it is before (in konsole tab): ‘vim file1′ (it might show other information like the hostname or however you configure it but this is up to you, in the profile settings[1]). However, if you were to be in command mode and then use ‘:e file2′ you would now see the tab has been updated to show ‘vim file2′. Now if you quit vim (command mode): ‘:q’ you will see the tab title has changed again. “Thanks for flying vim!” As for how you can change it, I’ll leave that to you but it is noted in the help file (‘:help title’ and read that entry as well as the entries below it, about titles). As an interesting bit, because I wanted to confirm that indeed the two changes are exactly what is needed, I commented out (prepend with a double quote) the first line, saved and (in another shell) started vim. It then shows as the title the name of the file followed by much whitespace then what is usually in the status (bottom of screen by default): current line/line count % where current line is the line where the cursor is, the line count is how many lines total and % is what percentage of the file the cursor is at.

As a final note: Enjoy easter eggs, whether you find them on your own or not: we put them there for our own enjoyment as well as yours! Although I am obviously biased, I think it really shows how programmers are clever and how easily they are amused. It is a good thing, though, it is a good way to release frustrations and some of the time programmers are not really appreciated (or the amount of effort they can put in is not always respected) so these things just show that they too can have fun and when others find it, they hopefully enjoy it as much if not more than the actual program.

Viewpoint: The Attack on Sony

2014/12/21:
I am redacting my original post because while I strongly believe it is misguided and unhelpful what is being claimed (by the US government), I think also that the way I addressed this was was not helpful, either. Certainly it detracts from my main point. While I often will keep things I’ve written, as I put it in my about section, I also believe in fixing mistakes where necessary. I’ve also noted that some of my writing will come off as a rant or otherwise aggressive and that I fix it where I can (and I always try to get a point across but often fail because of aggressiveness, whether it was intentional or not – yesterday’s aggressiveness was not intentional by any means). It is interesting to note that the other day I actually went to write something about this issue and I decided to delay it because I felt I was not in the right mindset. Apparently I was still not in the right mindset, yesterday. Of course, even though I’m fixing the post, that does not at all mean what was public will not remain public: once on the Internet it is as good as on the Internet (and even if all references were removed it still doesn’t mean there isn’t a single person who saw it and potentially captured it: I’ve done exactly this and I know others have too). But I still believe in taking responsibility and addressing mistakes where possible, and addressing means fixing the issue(s). So with that, my modified view on the attack on Sony. Do note that the title could very well be better worded (and this is how it was yesterday, too). I’m not sure how else to word it so it’ll suffice.


The last time, Sony brought (after the ‘first’ – the quotes are important here – attack) brought in a security professional. Yet, while some might find it ironic (it isn’t) there was another attack. First tip of old: if you consider security after an attack, or after deployment (e.g. in software development), then you’re behind at best and you may very well be too late, too. Second tip of old: in general, notwithstanding certain (rare and still not well advised) cases, if your network was compromised (there is one thing to consider here[1]), the only safe way is to start all over with improved policies, based on what you learned from the attack. There is the reason I quoted ‘first': while it isn’t a guarantee (by all means, given what was claimed, it could have been individual but that makes it even worse, not better!) I wouldn’t be surprised if they had left a backdoor or otherwise hadn’t truly left. This very bit is a common thing, isn’t it? Why would it not be? While some do it for a challenge (and I would argue this is far less common these days) there is this simple fact that they use the breached network for many things. This includes bouncing (and this isn’t counting bouncing off of proxies). This brings me to the first real point about the ‘evidence': IP address.

I could elaborate on why IP address doesn’t mean much, certainly not for proof, but I think I have a better way. If you were to lose your mobile phone, or if someone were to steal it, who is the rightful owner? You? Yes. Okay, so what happens if they then use that phone to pull pranks, make threatening calls, or otherwise abuse the fact it isn’t their phone? Is it your fault, is it your responsibility? No? Then what makes you think IP address is any different? It isn’t. There’s far too many possibilities. Worse is that even if the IPs are from North Korea (which I haven’t seen them nor do I really care – it is irrelevant to the point) it doesn’t mean it is state sponsored. It also doesn’t mean it isn’t. And that is exactly the problem: it is speculation and until it is actually confirmed it may as well be slander. I’m sorry to say that being confident (as at least one US official has stated) doesn’t equate to reality, most certainly not 100% of the time; I know this personally as does anyone who has been delusional but is not currently having said delusion: I was confident that traffic signals were spying on me and me alone as one example. Yes, I’m able to admit this publicly. Why? Why not is better asked. While I am by no means suggesting they are delusional here, my point is that being confident does not equate to reality (and this applies to those who are not delusional). While this is not necessarily any better of an example, this is something that specifically makes my point that many things are not as they seem: Mirror Lake in Yosemite National Park, to name one of several (I seem to remember there is one in Canada, too). This should all be kept in mind when dealing with accusations. I know, I know, there is the addition to IP that the attack ‘looks’ similar to a previous attack: it is still speculation until proven otherwise. Again I’m going to give a non-technical example: some countries purchase aircraft from other countries. But that doesn’t mean the jet flying over a country IS the country that manufactured the jet. Similarly, some countries share flags while others have flags that are similar to another. That doesn’t mean that the countries are the same.

There’s also been the claim that this attack is unprecedented. I don’t think so. Neither was it impossible to prevent. Yes, there is always someone who can best another, but that doesn’t mean there is never room for improvement; there is always room for improvement! Always. Just like some attacks are not prevented, many more are. But to throw blame elsewhere, and to not address the real problem is a problem itself. This is not the first time Sony has come under attack. They also aren’t the only one to be compromised more than once. I know for a fact that Kevin Mitnick, what many would call a notorious hacker (and he calls himself a hacker too, or at least he did) fell prey to some that bested his him and consequently compromised his network. His company after his release from federal prison (2001 comes to mind as his release date but I’d have to check to confirm). In addition, the reason he was caught the second time around (indeed his arrest in the mid 1990s was not his first time being in trouble with the law) was because someone bested him then, as I recall someone he had attacked himself. I certainly do not call him a hacker, not even by the media’s definition of hacker: he is excellent at social engineering, that much is true. Regardless, this was not the first time Sony was compromised. You would think that someone like Mitnick would be able to not fall prey here, given his title. But then it is easier to forgive a company like Sony. The only thing that matters is (and I really hope they do exactly this) they re-evaluate their policies and implement the improvements. This goes for every entity. The only true mistake is not learning from your mistakes. The only failure is not learning from your supposed failures; we all make mistakes and none of us succeed in everything.

I would like to leave with some final thoughts: The group that claimed responsibility for the attack on Sony, GOP – Guardians of Peace – only started to use the film about North Korea’s leader after it was suggested it was related. Because of this, and since North Korea was enraged about the film (I have some thoughts here, which I share below[2]) prior to the attack, it was now North Korea’s fault. This is a fallacy. A fallacy is illogical deduction and even if they are responsible, the logic used as above, is flawed.

In the end, IP address, similarity in attack and other such things are not indicative of anything, not indicative unless you wish to believe only what you want to believe. As a final example: Robert Tappan Morris, indeed the author of the infamous ‘Internet Worm’, aka ‘The Morris Worm’, made his worm appear to come from a different university than his. This was to throw the authorities off his trail. Due to mistakes on his part, however, the worm brought the affected machines to their knees. The effects of it were out and he was tracked down. Combine this with the fact that (for instance) many viruses, worms, trojan horses, backdoors and otherwise malware, are families of malware (which might not be written by the same person and indeed this is the case), this shows too that similarities does not imply equivalence (nor same source).


[1] Does web defacement constitute network being compromised? It could. But it could also not be. File integrity checks would help determine this here (but is not perfect either, if the attacker gets root access).  It is true that with content management systems, a web defacement makes it easier and not requiring compromising the system itself (especially true if there is a configuration in the web files that specifically deny the CMS from modifying those files; i.e. you can only use the interface for the content and nothing else). In the end, the only safe way (but mind the fact that depending on how long ago the attack was (and attack implies original access, not defacement!) backups could also have a backdoor or indeed anything else). On this latter bit, backups: this is one of many reasons that the backup volume should either only be mounted when backing up (or restoring) or made immutable (except during writing to the volume). Another reason is user error (and yes, as I’ve made clear, administrators count as users): if a command you run, a script you write or something else you run (or is affected by a bug) goes badly, what if you wipe out (or damage) your backup? Redundant backup isn’t necessarily the answer any more than redundant storage; the point of backup is having it in multiple locations (e.g. off-site – and no, this does not include the cloud or anything you do not have complete control over! – and on-site, even if off-site is only stored on backup disk that is detached from the system), not having multiple copies: the difference is subtle but something that should be understood.

[2] As for North Korea being enraged. The fact remains that North Korea and the United States are not on good terms. So when you consider the film’s plot, and you consider the different culture, it isn’t all that surprising, is it? And you can see how it can provoke them. The subject of free speech (and more specifically freedom of expression) is usually brought up and indeed it is here too. Unfortunately though, like many things in this world, it is very often taken too far. It is especially taken too far when defending someone or something that (you) agree with (or sympathise with). It is also defended when you disagree or dislike that which is offended or upset by the expressions. As something I am unfortunately familiar with far too well, many people excuse bullies (even minor bullying is wrong but minor bullying develops further in to moderate to extreme to beyond extreme) as “kids will be kids”. The problem is, you can only abuse someone so much, before they snap. So yes, kids will be kids, until, that is, the victims of bullying (also kids, by the way) get revenge on bullies (especially if revenge is seriously harm, maim or kill). Then the kids are now horrible, and the “kids will be kids” is no where to be seen or heard (and the parents of these horrible kids are also horrible; what about the bullies who drove their victims to this extent or their ignorant – if not bad – parents?). I am eternally grateful that there isn’t a violent streak in me, because I would have been another example of the above by far. I did get revenge in ways, but I did it subtly and non-violently. I also enjoyed outsmarting them, making them look like fools without them even knowing just how much so (let alone that I had done this in the first place). The reality is violence doesn’t solve anything, at least not in positive ways, but if you subject someone to abuse, when they get revenge (which indeed includes violence), it is natural and expected (and if I am to be blunt, it is in some ways more acceptable because they were driven to it rather than doing it out of arrogance, hate and cruelty). To explain this, there is a phenomenon called ‘identifying with the aggressor’. This is exactly why domestic abuse runs in families: the victims are not in power, are helpless and suffer because of it. But they also see that in order to gain control, which means to stop the abuse, they can become abusive themselves. So continues a vicious cycle…

George Boole: 150 Years Later

This will be fairly quick as there isn’t much to write and I’m trying to turn off the lights for the day (the wording is… intentional). By chance I saw an entry in my BBC feed called George Boole and the AND OR NOT gates. Being a programmer, I immediately knew what it was referring to (of course programmers aren’t the only ones who would know it but they definitely do). What I did not (yes, I know, I can’t help it) is that it was 150 years ago that Boole himself died.

I find it rather interesting because within the last few months I started (and have not finished it yet) an article on boolean logic, looking at it in a different way than I’ve seen it explained. The reason it isn’t finished is, along with that thing called ‘real life’ (or that’s what I am told, anyway – I’ve yet to confirm it to my satisfaction …), it was a multiple-topic article (and it is more specifically how C handles boolean which is not the same as many other languages, e.g. Java). I just never finished it. I will in time but I could not pass this day up without remarking on the fact that he is indirectly responsible for so many things that many take for granted (even simple things like flashlights – if I am thinking right (and I’m not really putting any thought in to this at all for above noted reason) it is indeed the NOT gate that makes it work). It is simply amazing that such simple things as boolean (which can get complicated, yes, but everything can get complicated and the point remains that boolean gates themselves are simple in design) can give life to so many things. But yet this is something that is common: some of the most crazy, stupid sounding (and stupid simple) ideas are actually brilliant and perhaps much more than the person had in mind, when they thought of it in the first place (and boolean logic is only one example).

As an aside, tomorrow, December 9, as I recall, is Grace Hopper’s birthday. She also played a significant role in computing (and indeed she is the one who made popular the term debugging).

101 Years of Xexyl…

… for those who can count in binary, at least; indeed it was five years ago yesterday that I registered xexyl.net. I would have never suspected I would have what I have here, today. I would never ever imagined having my own RPM repository and yet that is only one of the accomplishments here (for whatever they are each worth).


I fully admit I live in something of a fantasy world (which is something of a paradox: if I admit it does that make it real? If it is real then what is fantasy and how real is it?) and so it seems appropriate that, given the anniversary of xexyl.net, I reflect upon the history of xexyl.net and some of the views I have shared (the namesake is much older, as I have made aware in the about section. It was many years ago that I played the game Xexyz and it clearly made an impact – perhaps not unlike the space rocket that was launched in to the moon, some years back… – in me. But xexyl.net is only five years old and while I have older domains, this is the first one I really feel is part of me).

I have written quite some off the wall, completely bizarre and (pseudo) random articles, but I try to always have some meaning to them (no matter how small or large and no matter how obvious or not) even if the meanings are somewhat ambiguous, cryptic and vague (as hard as it is to imagine that someone who elaborates as much as I do on any one topic, I do in fact abuse ambiguity and vagueness and much of what I write and indeed say, is cryptic). I do know however that I do not succeed in this attempt. To suggest anything else is to believe in perfection in the sense of no room for improvement.

I strongly believe that there is one kind of perfection that people should strive for, something that many might not think of as ‘perfect': constantly improving yourself, eternally evolving as a person. When you learn something new or accomplish something (no matter how small or large), rather than think you are finished (something that one definition of ‘perfect’ suggests) you should think of it as a percentage: every time you reach ‘perfection’ – as 100% – you should strive for 200% of the last mile (200% of 1 is 2, 200% of 2 is 4, 200% of 4 is 8, etc.). This is, interestingly enough, exactly like binary: 1, 2, 4, 8, 16, 32, 64, 128, 256, 512 and so on (each increment is a two times the previous value). In between the powers of 2 you make use of the other bits. For example, 1b + 1b (1 + 1 decimal) is 10b (2 decimal). 10b + 1b (2 + 1 decimal) is 11b (3 decimal). 11b + 1b (3 + 1 decimal) is 100b (4 decimal). This repeats in powers of 2 because binary is base 2. I’ve written about this before but this is what I will call – from this point onward – ‘binary perfection’. It is also the only ideal perfection exactly because it is constantly evolving. This may very well be an eccentric way to look at it but I am incredibly eccentric person. Still, this is the ‘perfect analogy’ and I daresay is a brilliant and accurate analogy.

As always, true to my word, I will continue this when I can. Because as long as I admit my mistakes I am not in denial; as long as I am not in denial, I can learn more, improve myself and those around me. While I do it for myself (this is one of the rare things I consider myself and myself alone), if it betters anyone else, then I will consider it a positive side effect. But indeed there are times where I am inactive for long periods of time and there are other times where I have a couple or more posts in a month (or a fortnight or whatever it is). This is because of what I have pointed out: I do this for me but I also believe in openness with respect to sharing knowledge and experience. This includes but is not limited to programming (and by programming I refer to experience, concepts as well as published works, whether my work alone or my contributions to others’ works). But I am not an open person and I never have been. Perhaps this is best: I am a rather dark, twisted individual, an individual possessed by many demons. These demons are insidious monsters of fire that lash out at me (and at times my surroundings) but they are MY demons and I’ll be damned if anyone tries to take them away from me.

I am Xexyl and this is my manifesto of and for eternal madness…

The Secret: Trust and Privacy

First, as is typical of me, the title is deliberate but beyond the pun it actually is an important thing to consider, which is what I’m going to tackle here. The secret does indeed imply multiple things and that includes the secret to secrets, the relation between privacy and security and how trust is involved in all of this. I was going to write a revision to my post about encryption being important (and I might still to amend one thing, to give credit to the FBI boss about something, something commendable) but I just read an article on the BBC that I feel gives me much more to write about. So let me begin with trust.

Trust is something I refer to a lot, in person and here and pretty much everywhere I write about something that considering trust is a good thing. Indeed, trust is given far too easily. As I have outlined before, even a little bit of trust – seemingly harmless – can be abused. Make no mistake: it is abused. The problem is if you’re too willing to trust how do you know when you’ve been too trusting? While I understand people need to have some established trust with in their social circles, there are some things that do not need to be shared and there are things that really should not be entrusted to anyone except yourself, and that potentially includes your significant other. Computer security is something that fits here. Security in general is. The other problem is: ignorance. Ignorance is not wrong but it does hurt and if you don’t understand the risks of something (which I would argue the fanatical and especially the younger Facebook and other social media users, are) is risky, how do you proceed? For kids it is harder as it is known that kids just do not seem to understand that they are not immortal, not immune to things that really are quite dangerous. However, if you are too trusting with computers, you are opening a – yes, I know – a huge can of worms, and it can cause all sorts of problems (any of taking complete ownership of your computer, monitoring your activities which can lead to identify theft, phishing and many other things, from …). The list of how many issues that granting trust can lead to, is, I fear, unlimited in size. It is that serious. You have to find a balance and it is incredibly hard to do, no matter how experienced you are. I’ve made the general ideas clear before, but I don’t think I’ve actually tackled this issue with privacy and secrecy. I think it is time I do that.

In the wake of the Edward Snowden leaks, many more people are concerned for their privacy. While they should have always been concerned, it doesn’t really change the fact that they are now at least somewhat more cautious (or many are, at least). I have put this thought to words in multiple ways. The most recent is when I made a really stupid mistake (leading to me – perhaps a bit too critical but the point is the same – awarding myself the ID 10 T award), all because I was far more exhausted than I thought. Had I been clear I wouldn’t have had the problem. But I wasn’t clear headed and how could I know it? You only know it once it is too late (this goes for driving too and that makes it even more scary because you could hurt someone else, whether someone you care about or someone you don’t even know). The best way to word this is new on my part: Despite the dismissal people suggest (“what you don’t know cannot hurt you” is 100% wrong), the reality is this: what you don’t know can hurt you, it likely will and worse is it could even kill you! This is not an exaggeration at all. I don’t really need to get in to examples. The point is these people had no idea to what extent spying was taking place. Worse still they didn’t suspect any thing of the sort. (You should actually expect the worst in this type of thing but I suppose that takes some time to learn and come to terms with.) Regardless, they do now. It has been reported – and this is not surprising really, is it? – that a great population of the United States are now very concerned with privacy, have much less trust in the governments (not just the US government, folks – don’t fall for the trap that only some countries do it, you’re only risking harm to yourselves if you do!) in privacy. What some might not think of (although certainly more and more do and will over time), and this is something I somewhat was getting at with the encryption post, is this: If the NSA could not keep secret (and that is ironic itself, isn’t it? Very ironic and to the point of hilarity) their own activities (own is keyword number one) secret (and safe!) then how can you expect them to keep YOUR (keyword number two) information secret and safe? You cannot. There is no excuse for it: they aren’t the only ones, government, corporations, it really doesn’t matter, too many think of security after the fact (and those that do think of it in the beginning are still prone to making a mistake or not thinking of all angles… or a bug in a critical component of their system, leads to the hard work in place, being much less useful or relevant). The fact they are a spying agency and they couldn’t keep that secret is to someone who is easily amused (like myself), hilarious. But it is also serious isn’t it? Yes, and it actually strengthens (or further shows) my point that I will get to in the end (about secrets). To make matters worse (as hard as that is to fathom), you have the increase (and I will tell everyone this, this is not going to go away and it is not going to be contained – no, it will only get worse) in point of sale attacks (e.g. through malware) that has in less than a year led to more corporations having major leaks of confidential information than I would like to see in five or even ten years. This is the number of corporations – the amount of victims is millions (per corporation, even)! This information includes credit card details, email addresses, home addresses, … basically the information that can help phish you even enough to steal your identity (to name one of the more extreme possibilities). Even if they don’t use it for phishing you would be naive to expect them to not use the stolen information.

I know I elaborate a lot and unfortunately I haven’t tied it all together yet. I promise it is short, however (although I do give some examples below, too, that do add up in length). There is only one way to keep something safe, and that is this: don’t share it. The moment you share something with anyone, the moment you write it down, type it (even if you don’t save it to disk), do some activity that is seen by a third party (webcam or video tape, anyone?), it is not a secret. While the latter (being seen by camera) is not always applicable, the rest is. And what good is a secret that is no longer a secret? Exactly: it is no longer secret and therefore cannot be considered a secret. Considering it safe because you trust someone – regardless of what you think they will do to keep it safe and regardless of how much you think you know them – is a dangerous thing (case in point: the phenomenon called, as I seem to remember, revenge porn). In the end, always be careful with what you reveal. No one is immune to these risks (if you are careless someone will be quite pleased to abuse it) and I consider myself just as vulnerable exactly because I AM vulnerable!

On a whole, here is a summary of secrets, trust and security: the secret to staying safe and as secure as possible, is to not give out trust for things that need not be shared with anyone in the first place. If you think you must share something, think twice really hard and consider it again: you might not need to no matter how much the person (or entity) claims it will benefit you. Do you really, honestly, need to turn your thermostat on by your computer or phone? No, you do not and some thermostats have been exposed to have security flaws (in recent times). It isn’t that important. What might seem to be convenient might actually be the opposite in the end.

Bottom line there is this: If someone insists you need something from them or their company, they do not have you in your best interest! Who is anyone else to judge whether you need their service or product?

A classic example and a funny story where the con-artist was exposed: If you go to a specialist to have an antique valued and they offer to buy it you should never do it because if they tell you something is worth X it is one thing. It is however another thing entirely to tell you it is worth X and then offer to buy it from you. The story: years ago, my mother caught a smog-check service in their fraud (and they were consequently shutdown for it, as should be) because despite being female – and therefore what the con-artist thought would be easy prey, nice try loser – she is incredibly smart and he was a complete moron. He was so moronic that despite my mother being there listening to the previous transaction between the customer (“victim”) and himself, he told my mother the same story: you have a certain problem and I’ll charge X to fix it. The moron didn’t even change the story at all – he used it word for word, same problem, same price, right in front of my mother. In short: those telling you the value of something and then telling you they’re willing to buy/fix/whatever, are liars. Some are better liars but they’re still liars.

It is even worse when they are (example) calling you – i.e., you didn’t go to them! Unsolicited tech support calls, anyone? Yes, this happened not long ago. I really pissed off this person by turning the tables on him. While what I did is commendable (As he claimed, I wasting his time which means he lost time he could be cheating someone else) do note that some would have instead fallen victim and the reason he kept up until I decided to play along (and make a fool of him, as you’ll see if you read), is exactly because they are trained: trying to manipulate, trying to keep me on the line as long as possible (which means more time to try to convince me I need their service), and they only wanted to cheat me out of money (or worse: cause a problem with my computer that they were claiming to fix). Even though I got the better of them (as I always have) and to the point of him claiming I was wasting HIS time, they will just continue on and try the next until they find a victim. It is just like spam: as long as it pays they will keep it up. People do respond (directly and indirectly) to spam and it will not end because of this, as annoying as it may be. Again, if some entity is telling you you need their service or product, it is not with your best interest but their interest! That is undeniable even if you initially went to them, if they are insisting you need their product or service, they are only their to gain and not help. This is very different from going to a doctor and them telling you something serious (although certainly there are quacks out there, there is a difference and it isn’t too difficult to discern). Always be thinking!