I enjoyed watching the moon race past some bright planet a little above the sunrise last week. I guess it was Jupiter -- a bit too far along the ecliptic to be Venus.
Over the weekend, there was a news feature about the Mahdi army in Iraq. At one point the camera zoomed in on the moon to show this conjunction closer than I ever saw it. For me, that dated the report better than any digital means -- no encryption, no secure timestamp -- just very hard to fake.
Every morning lately, when I've been there to see, a train of twenty or so flatcars each with twelve colossal steel billets heads east, to Ashford and I guess the tunnel. This morning they were behind a class 92. In my mind this question: If the country is so prosperous that the government can offer flexible working hours to every employed parent, how can anyone make money exporting raw steel? Am I that detached from the real world?
The shed computer has been on my queue for a very long time. It was running an elderly Kubuntu (6.04?) and I've never found it entirely satisfactory -- Konqueror is not supported in Google Docs, I couldn't get Firefox to install and in fact I couldn't get anything to update or install. Well, I can see which way the world is going, so I wanted to put a current Ubuntu, and I've finally done it. It wasn't easy. The PC is a Dell Latitude PIII. It was classy in its day, but I think it has problems, especially with the CD drive. The steps I've had to take to get it installed are these:
Hurrah! The log files make sense again, and the gods of time have punished the impious humans for pretending that the solar zenith is 13:00....
A frisson walking across the fields on my way home this evening -- that lively sound of bullets wheeling past my head. It wasn't a demented assassin emerging from my ugly past -- the faint red light gave it away as an incompetent lamper with a silenced rifle killing rabbits behind Forstal farm. He carried on firing as I walked out of danger even though I was shining my torch at his likely location. Once I'd got to the safety of the lane I walked along to find out what was going on, and encountered a man claiming to be Shay Harbour(?) He knew about the footpath, he said, and thought his line of fire would be OK.
Any more of that sort of thing, and I'm getting a 50mW green laser and a night vision scope -- after this shone down his bins he'd be hard put to tell up from down, let alone fire his weapon.
This is a little Perl idiom to open a text file and read all the non-comment lines.
Key parts are
my $listfn="linelist.txt";
open LINELIST, "<$listfn" or die "Open $listfn $!";
while (<LINELIST>) {
s/^\s*//; s/\#.*$//; s/\s*$//; chomp; next if /^\s*$/;
print "$_\n"; # Or whatever else you want to do.....
}
Obviously printing is a bit dull -- instead you could drop the lines into an array:
push @linelist, $_;@results = grep((/$mypatt/i), @linelist);use locale;This is a perl script that shows what perl does well. It takes a couple of programs which provide useful output -- nmap and nbtstat -- and combines them into a single daily archive showing what's on your network. Key features are:
# my range.txt
servers 192.168.10.0/24
perimeter 192.168.12.0/24
c:\perl\bin\perl nmap.pl range.txt
# Start of nmap.pl by umacf24
# This program takes a single parameter -- a file containing pairs.
# Example (but leave off the #)
# servers 192.168.10.0/24
# perimeter 192.168.12.0/24
#
use strict;
use warnings;
# NBTSTAT codes from Jim Halfpenny
my %group = ( hex("00"), "00 Dom",
hex("01"), "01 M Browser",
hex("1C"), "1C Domain Controller",
hex("1E"), "1E S Browser", # Browser Elections
);
my %unique = ( hex("00"), "00 WS", # Workstation service
hex("01"), "01 Msgr", # Messenger Service
hex("03"), "03 Msgr", # Messenger Service
hex("06"), "06 RAS Server Service",
hex("1B"), "1B Domain Master Browser",
hex("1D"), "1D Master Browser",
hex("1F"), "1F NetDDE Service",
hex("20"), "20 SVR", # File Server Service
hex("21"), "21 RAS Client Service",
hex("22"), "22 MS EXC Interchange(MSMail Connector)",
hex("23"), "23 MS EXC Store",
hex("24"), "24 MS EXC Directory",
hex("30"), "30 Modem Sharing Server Service",
hex("31"), "31 Modem Sharing Client Service",
hex("43"), "43 SMS Clients Remote Control",
hex("44"), "44 SMS Administrators Remote Control Tool",
hex("45"), "45 SMS Clients Remote Chat",
hex("46"), "46 SMS Clients Remote Transfer",
hex("4C"), "4C DEC Pathworks TCPIP service on Windows NT",
hex("42"), "42 McAfee AV",
hex("52"), "52 DEC Pathworks TCPIP service on Windows NT",
hex("87"), "87 MS EXC MTA",
hex("6A"), "6A MS EXC IMC",
hex("BE"), "BE Netmon Agent",
hex("BF"), "BF Netmon Application",
);
# results stored in an array for re-use
my @nmapout;
my $ofn='hosts.txt';
my $opath='.\\ip\\';
my $header = "Key\t++ Up but unnamed, \n\t** Named but not responding to ping.\n\t?? Improper NBT names\n";
$header .= "Ping scan run between ".localtime(time())." ";
my $ipall; my $ipup; my $ipdown; # Address counters
# Process the file of network names. Run NMAP against the network spec (iprange).
while (<>)
{
next if (/^\s*#/) ;
my @line = split /\s+/;
if (2==@line)
{
my $ipname = sprintf "%-15.15s ", $line[0]; # Fixed width
my $iprange = $line[1];
my $cmd = ".\\bin\\nmap -sP -R -oG - $iprange |"; # local nmap
print STDERR "$cmd\n";
open (NMAP, $cmd);
while ()
{
chomp;
next if /Smurf/;
if (/^Host: /)
{
$ipall++;
my $hostline=$_;
$ipdown++ if ($hostline =~ /Status: Down$/);
$ipup++ if ($hostline =~ /Status: Up$/);
my $flag =' ';
$flag = '++ ' if ($hostline =~ /\(\)\tStatus: Up/) ;# Un-named
$flag = '** ' if ($hostline =~ /\([^)]+\)\tStatus: Down/) ;# Named, but not responding
my $hostip = $1 if ($hostline =~ /^Host: ([0-9\.]+) .+ Up$/);
my $prefix=$ipname . $flag;
my $postfix=nbtstat($hostip) if ($hostip);
$hostline =~ s/^Host: /$prefix/;
$hostline =~ s/Status: Up$/NBT: $postfix/ if ($postfix);
# print STDERR "Host Line $hostline | $postfix | $hostip\n";
push @nmapout, $hostline;
}
}
}
}
$header .= "and ".localtime(time())."\n";
if ($ipall)
{ # Some addresses seen
$header .= "$ipall addressses pinged:- Up: $ipup, Down: $ipdown\n";
}
else
{
$header .= "No addresses scanned. NMAP in path?\n";
}
# Preserve an archive Version
my ($sec, $min, $hr, $day, $mon, $yr, $wday, $yday, $isdst) = localtime(time());
$yr = $yr + 1900;
$mon = $mon + 1;
my $prefix = sprintf "%04d-%02d-%02d.", $yr, $mon, $day ;
my $afn="$opath$prefix$ofn";
my $hfn="$opath$ofn";
#Don't overwrite existing hosts file until we have finished scanning.
open (AHOSTS, ">$afn") or die "could not open $afn $!";
open (HOSTS, ">$hfn") or die "could not open $hfn $!";
print AHOSTS $header; print HOSTS $header;
foreach my $hostline (@nmapout)
{
print HOSTS "$hostline\n";print AHOSTS "$hostline\n";
}
close HOSTS; close AHOSTS;
sub nbtstat
{
my ($hostip) = @_;
my $cmd = "nbtstat -a $hostip |";
my %survey; my $ret;
my $domain; my $server;
# print STDERR "survey $cmd\n";
open (NBTSTAT, $cmd) or die "can't run $cmd $!";
while ()
{
# print STDERR;
# The meat of the NBTNAME command is in this format: name type
if (/^\s+(\S+)\s*<([0-9A-F]{2})>\s+(GROUP|UNIQUE)/i )
{
my $nbtname = $1;
my $nbtclass = $2;
my $nbttype = $3;
if ('00' eq $nbtclass)
{
$domain = $nbtname if ('GROUP' eq $nbttype);
$server = $nbtname if (('UNIQUE' eq $nbttype) && ($nbtname !~ /(\~)|(MSBROWSE)/));
}
my $desc = ('GROUP' eq $nbttype)? $group{hex($nbtclass)} : $unique{hex($nbtclass)};
$desc = "$nbtclass $nbttype Unknown" unless $desc;
# print STDERR "$nbtname $nbtclass $nbttype $desc \n";
push (@{$survey{$nbtname}}, $desc);
}
}
close NBTSTAT;
# We should have a good domain name and a good server if we have anything
if (%survey)
{
$ret = ($domain and $server) ? "$domain\\$server" : '??';
}
foreach my $nbtname (keys %survey)
{
$ret .= " $nbtname: (" . join (', ', @{$survey{$nbtname}} ). ")" unless ($nbtname =~ /(\~)|(MSBROWSE)/) ;
}
return $ret;
}
# End of nmap.pl
Here's the Interpol (rare to see a .int domain) release on operation Vico. That's impressive work by the image experts, but I think the credit lies with the investigator who had the imagination to see that information was still there and the thing was worth trying. That's the leap I would have failed to take, and it's the difference between a proper investigator and the guy who looks at proxy logs.
After red-eye reduction, obscuring faces is probably the second most popular use for home image processing, the home porners generally botch it, and I've often wondered why packages don't include a better tool. Perhaps they can't find a suitably euphemistic name. Anyway, I suppose we'll now see a slew of unswirl tools.
I'm looking at a list of domains groups which control access to removable devices and media through Pointsec Protector (which used to be Reflex Magnetics Disknet Pro). We've had groups for various types of devices and now I'm trying to simplify -- to operate a much cruder level of control.
I'd prefer to leave it as it is, but the membership of the current groups is a mess. The technology is fine, but the control environment stinks. At present we allow or deny access to the groups based on a managers approval: "he has a business need to use a USB key" -- and that makes a good deal of sense. Who else can make that choice?
Who else indeed? Because the managers aren't technical -- so they don't understand what they're approving -- and they don't see any downside from insecure access. Essentially every request gets approved. And in six months time when the the lists have to be recertified, it's probably a different manager, or the original justification is forgotten, and it's easier just to agree. We've got adequate technology, and a process that the auditors think is just fine, and there's no real control at all.
Of course, this isn't just a problem for USB devices. It very easy to fail at this last hurdle by asking approvers to use a discretion that they just can't understand.
I've thought about making these accesses part of the permissions attached to the job description global groups. But that doesn't reduce the problem unless IT security can engage with the role definition approvers, and we don't.
So this is my plan: I'm going to name the groups after the risk, with alarming group names and descriptions:
Risk In -- "Trusted to read data from unknown sources"
Risk Out -- "Trusted to send corporate data to unknown destinations"
Device Risk -- "Trusted to attach untrusted and untested devices"
Let's see whether that gets the message across.
In Arthur C. Clarke's Rendevous With Rama, the world of the 23rd century prepares for a visit by potentially hostile aliens. A minor character, a general, justifies military preparations by claiming that even though humans have complete dominion over a wasps nest, we still leave it alone if we possibly can. So even though the aliens may be vastly more powerful than we are, they would still care enough about nuclear missiles to leave us alone.
I suppose that's comforting. But it's not very comforting. The wasps nest I destroyed on Sunday afternoon had little idea who I was, and no idea why I was attacking. Alas! they didn't know I was afraid of their stings and I would have left them alone if only they weren't so dangerous. Even worse, the means chosen by the superior alien -- me -- was an organophosphorus agent: nerve gas. We might be better off without our stings.
It's been an astonishing year for fruit, but there's a price to pay. In ordinarily heavy years, plum tree branches can easily break with the weight of fruit. This year has had so much water that the damsons were the size of plums and edible straight off the tree while the table plums have needed props, to hold up the masses of disappointing bland fruit. And while the flavours been fine, we've had apple branches broken to create more challenges for the winter pruner. I drove past this old orchard today and saw trees pulled over or split in two -- it'll take more than pruning to fix that.
Of course you want to use a web proxy, but some of your services need web access. Proxy settings are per-user, and if you run services as specific users you can log on and set them. But for the built-in anonymous accounts SYSTEM, SERVICE, how can you tell them where to find the proxies?
The obvious need for this is to get Windows Update working behind a proxy server. It's needed even if you are using the web interface, because WU still depends on the BITS service.
Well there are a number of ways. But what's easy is proxycfg, a command-line program that will create the appropriate entries in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
The program is in the XP build, but it runs fine on W2K -- just copy it over. Running it with the -u option will copy the current user's settings in to the service default and you're done.
Of course, you still need to ensure that the requests will be permitted by the proxy: The service can't authenticate. On our Bluecoats, you make a combined destination object that precedes authentication and is accepted on the first rule.
Last weekend I picked a lot of apples: 50% Bramley, 30% James Grieve, 20% Spartan with oddments of John Downie crabs and Conference pear, and screwed it down to a bit over four gallons of juice. I'd say there was a ratio about three gallons of loose apples to one of juice, but that may be optimistic, They were all fresh off the tree and hard, so I don't think I mashed them as well as I should have. Anyway, after a rather slow start, it's fermenting nicely with whatever Wilkinson sell as wine yeast at this time of year.
It was extremely hard work. The book had been rather lyrical about the benefits of community endeavour with everybody helping to get the work done. Mrs U left me to it, driving off to visit her parents, and I pounded out the whole lot using the boss on a 17lb fence post digger and a six liter screw press myself.
Since I set that lot going, I've learnt that 80% cookers is a bad thing (too acid), that using fresh apples reduces the juice yield (too hard, and too tart), and basically I've done it all wrong. So today I filled the mower trailer with 60% eaters and the balance mostly Bramleys and I've hidden it in the shed. In a fortnight's time I'll see whether they've softened up, and perhaps make myself some less acid cider to blend. For certain the Spartans had the dullest juice so I'm afraid the cider will be bland, but we'll have to see how that goes.
I've just been through my spam, and I'm disgusted. Where are all the Northern Rock "After the difficulties on our website, please re-enter your details to restore your access..." or "The bank has been nationalised. Please provide details to validate access to your deposit...." ?
Don't these people read the news?
And it's a surprise: the best juice comes from crab apples.
Admittedly they were ripe red John Downie, but straight off the tree they were still a lot more like hard red berries than proper apples, and they were the devil to crush. I got three pints from a gallon of mush, and it was sweet and appley with a lot of the puckering richness which I think is malic acid. Drinkable - delicious - running off the press.
