Sat, 20 Dec 2003
Allocating rounding errors fairly
Last Monday, I visited a client in California. Their programmer showed me some code he'd been working on and mentioned that he was having some difficulty with rounding errors accumulating.
I shared a technique with him I've used to solve the same problem.
Having way too much time in airports and on planes to think about it, I realized that the method I shared, while quite good for most cases, fails to allocate rounding errors fairly in extreme cases. I have spent many hours since trying to find an optimal solution.
Consider the problem of distributing money, evenly, across three accounts. If we only have one cent to distribute, which account should get it?
Using the naive rounding method, none of the accounts will get anything and we will be left with one cent undistributed.
Using the technique I shared with Russ, we would consider the first account and attempt to distribute 1/3 of a cent. That rounds to zero. We would then restate the problem as distributing our single cent across the remaining two accounts. So, we would attempt to distribute 1/2 cent to the second account. That rounds to one cent. Finally, having nothing left to distribute, we assign zero cents to the third account.
This works well for any number of accounts, ensuring that the maximum rounding error applied to any given account is less than one cent and that nothing is left undistributed.
But what happens if we distribute one cent to the same three accounts 10,000 times? Ideally, two accounts should end up with $33.33 and one should end up with $33.34.
Using naive rounding, all three accounts would still have zero balances. Using the second method described, the first and third accounts would have zero balances, and the second account would have a balance of $100.00, since it would always get the benefit of the rounding errors.
I spent a lot of time working on a fair method for distributing the rounding errors. I'm certain I spent my time simply reinventing the wheel, but it was a very interesting problem to solve.
Consider the same problem: distributing $0.01 across 3 accounts.
The first account should get 1/3 of a cent. Since we can't divide a cent, we'll give the first account a 1 in 3 chance at rounding up. 2 out of 3 times, we'll move on to the second account and give it a 1 in 2 chance at rounding up. 1 out of 2 times we'll still have our cent to distribute and we'll move to the third account, which will always get the cent if we reach it, because it is the only remaining account.
If you work out the math, you'll see that each account has exactly a 1 in 3 chance at getting the cent: 1/3 for the first, 2/3 × 1/2 = 1/3 for the second, and 2/3 × 1/2 × 1 = 1/3 for the third.
Surprisingly (at least it surprised me), this works out with any amount to be allocated, and with any weighting.
For instance, assume we have 3 accounts with weights 1, 2, and 1 respectively. If we want to allocate 1 cent to these accounts, we would attempt to allocate 1/4 of a cent to the first account, giving it a 1 in 4 chance to round up. 3 out of 4 times, we'll move to the second account and give it a 2 out of 3 chance at rounding up (2 is its weight, and we consider only the remaining 2 accounts, for a total weight of 3).
To allocate a larger number, we simply allocate the integer portion after multiplying the amount to allocate by the account's weight and dividing by the total weight. The odds of rounding up are given by the fractional remainder. At each round we reduce the total amount to be allocated by the amount just allocated and the total weight by that account's weight, then move on. When we reach the last account, the remaining amount times its weight divided by its weight (the only weight left) is exactly the remaining amount, so nothing is ever left undistributed.
The following Perl subroutine demonstrates the algorithm:

    # usage: allocate(amount, weight_1, weight_2, ..., weight_n)
    # returns an array of n allocated amounts that always sum to amount.
    # amount should be an integer (e.g. cents); weights must be positive
    # (a zero weight would divide by zero once the remaining basis hits zero).
    sub allocate {
        my $value = shift;              # amount still to be distributed
        my $basis = 0;                  # total weight of accounts not yet visited
        $basis += $_ for @_;
        die "total weight must be positive" unless $basis > 0;
        map {
            my $allocation = $value * $_ / $basis;   # this account's exact share
            my $allocated  = int($allocation);       # integer portion
            my $remainder  = $allocation - $allocated;
            ++$allocated if rand() < $remainder;     # round up with probability = fraction
            $basis -= $_;
            $value -= $allocated;
            $allocated;
        } @_;
    }
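The same algorithm in Python, as an added example that is not part of the original post. It uses exact rational arithmetic (Fraction) instead of floating point so that no drift can reach the last account, includes the biased "round to nearest" method from earlier in the post for contrast, and runs both many times to show that only the probabilistic version spreads the odd cent evenly. The allocate_nearest and simulate helpers, the seed handling and the validation are mine, not the author's Perl.

```python
import math
import random
from fractions import Fraction


def allocate(value, weights, rng=random):
    """Split the non-negative integer `value` (say, cents) across accounts in
    proportion to `weights`.  Every unit is handed out exactly once, and each
    account's chance of receiving the rounding unit equals its fractional share.
    Fractions keep floating-point drift away from the last account; `rng` may be
    a seeded random.Random for repeatable runs (added for testing)."""
    if value < 0 or any(w < 0 for w in weights) or sum(weights) <= 0:
        raise ValueError("value >= 0 and non-negative weights with positive total required")
    basis = sum(weights)                     # total weight of accounts not yet visited
    out = []
    for w in weights:
        if w == 0:                           # a zero-weight account never gets anything
            out.append(0)
            continue
        share = Fraction(value * w, basis)   # exact share of what is still left
        allocated = math.floor(share)        # integer portion
        remainder = share - allocated        # fractional portion = P(round up)
        if remainder and rng.random() < remainder:
            allocated += 1
        out.append(allocated)
        basis -= w
        value -= allocated                   # the last account gets exactly what remains
    return out


def allocate_nearest(value, weights, rng=None):
    """The post's second method: round each share to the nearest unit (half up)
    and carry the rest forward.  Nothing is lost, but the rounding always
    favours the same account; kept here only to show that bias."""
    basis = sum(weights)
    out = []
    for w in weights:
        if w == 0:
            out.append(0)
            continue
        allocated = math.floor(Fraction(value * w, basis) + Fraction(1, 2))
        out.append(allocated)
        basis -= w
        value -= allocated
    return out


def simulate(allocator, value, weights, trials, seed=0):
    """Repeat an allocation `trials` times with a seeded generator and return
    the per-account totals, e.g. one cent across three accounts 10,000 times."""
    rng = random.Random(seed)
    totals = [0] * len(weights)
    for _ in range(trials):
        for i, amount in enumerate(allocator(value, weights, rng)):
            totals[i] += amount
    return totals


if __name__ == "__main__":
    print("fair:   ", simulate(allocate, 1, [1, 1, 1], 10000))
    print("nearest:", simulate(allocate_nearest, 1, [1, 1, 1], 10000))
    print("weighted 1,2,1:", simulate(allocate, 1, [1, 2, 1], 10000))
```

Note that Python's random (like Perl's rand) is a Mersenne Twister, which is fine for fairness but predictable; if an adversary could benefit from knowing which account will receive the next rounding unit, draw the probability from the secrets module instead.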
Fri, 19 Dec 2003
Broken firewalls refuse ECN enabled connections
I worked through an interesting problem last night at the office.
One of our users was unable to reach the State of California's website. We recently installed a Squid proxy and he assumed the proxy server was blocking his request. He got a connection refused error reported back from Squid.
I tried to reach the site without using the Squid proxy and could do so from the firewall but not from the machine hosting the Squid proxy. Packet sniffing with tcpdump revealed the connection attempt was, indeed, reaching www.ca.gov and was being refused by it. That was confusing, because the firewall provides NAT and the target system should not have been able to distinguish any difference between a request coming directly from the firewall box and one coming from the box hosting the Squid proxy.
Comparing the captured packet headers between the successful and unsuccessful attempts, I did discover a difference. The firewall box was sending a packet with the SYN flag set (as expected), which appears in tcpdump simply as 'S' in the flags field. The failed attempt from the Squid proxy box had flags 'SWE': a SYN with the CWR ('W') and ECE ('E') bits also set, which is how a TCP client announces that it wants to negotiate Explicit Congestion Notification (ECN, RFC 3168).
A Google search turned up a useful hit:
Are you running kernel 2.4.x? If so, _and_ you have TCP ECN enabled, that's the problem. How to check?

    # sysctl net.ipv4.tcp_ecn

1 means on. How to fix? Short term:

    # sysctl -w net.ipv4.tcp_ecn=0
That was indeed the problem. The Linux kernel configuration help file includes the following note:
Note that, on the Internet, there are many broken firewalls which refuse connections from ECN-enabled machines, and it may be a while before these firewalls are fixed. Until then, to access a site behind such a firewall (some of which are major sites, at the time of this writing) you will have to disable this option, either by saying N now or by using the sysctl.
Given the odd symptoms, I was very pleased to have been able to find and fix the problem in just a few minutes. Thanks go to Nathan E Norman, whose post on the debian-user mailing list provided the solution, and to Google's fantastic search engine for making it easy to find.
I'm a Debian user myself. For the time being, I've added the following line to the appropriate interface's stanza in /etc/network/interfaces (the "|| true" keeps ifup from aborting if the sysctl command fails):
up /sbin/sysctl -w net.ipv4.tcp_ecn=0 || true
That seems to do the trick.
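To make the 'S' versus 'SWE' distinction concrete, here is an added example (mine, not from the original post or from the incident's capture) that decodes the flags byte of a raw TCP header, renders it the way the tcpdump of that era did, and tells an ordinary SYN from an ECN-setup SYN. The sample packets are constructed inline with a zero checksum; the letter order S/F/R/P, then U, W, E is an assumption chosen to match the 'SWE' shown on the page.

```python
import struct

# TCP flag bits (RFC 793; ECE and CWR added by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def flags_string(flags):
    """Render flags roughly as 2003-era tcpdump did: S/F/R/P letters, or '.'
    when none of those is set, then U for URG, W for CWR and E for ECE.
    (Assumption: this ordering reproduces the page's 'S' and 'SWE'.)"""
    letters = "".join(ch for bit, ch in ((SYN, "S"), (FIN, "F"), (RST, "R"), (PSH, "P"))
                      if flags & bit) or "."
    if flags & URG:
        letters += "U"
    if flags & CWR:
        letters += "W"
    if flags & ECE:
        letters += "E"
    return letters


def parse_tcp_header(raw):
    """Decode the fixed 20-byte TCP header (options, if any, are ignored)."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": win, "checksum": csum}


def is_ecn_setup_syn(flags):
    """RFC 3168 6.1.1: an ECN-setup SYN carries SYN, ECE and CWR with ACK clear.
    A SYN-ACK that agrees to ECN carries ECE only, so it is not matched here."""
    return flags & (SYN | ACK | ECE | CWR) == SYN | ECE | CWR


def build_syn(sport, dport, seq=0, ecn=False):
    """Constructed sample: a bare 20-byte SYN (no options, checksum left 0) so
    the decoder can be exercised without a capture file."""
    flags = SYN | (ECE | CWR if ecn else 0)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 5840, 0, 0)


if __name__ == "__main__":
    for ecn in (False, True):
        hdr = parse_tcp_header(build_syn(33000, 80, ecn=ecn))
        print(hdr["sport"], ">", hdr["dport"], "flags", flags_string(hdr["flags"]),
              "(ECN-setup SYN)" if is_ecn_setup_syn(hdr["flags"]) else "")
```

Feeding the TCP portion of captured SYNs from a failing host through is_ecn_setup_syn is a quick way to confirm whether a middlebox is rejecting ECN negotiation rather than the connection itself; the fix on the page, turning net.ipv4.tcp_ecn off, simply stops the client from setting those two bits.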
Mon, 08 Dec 2003
Dad’s notes
Mom has been boxing and sending Dad's books to me—hundreds of them. I've been working on a database to store information about Dad's books including a scanned image of each book cover, with a web interface. I'm using MySQL for the back-end database and Mason running under mod_perl for the web front end. More on the application development later.
Yesterday, I pulled one of Dad's books out of a box at random. Tucked inside were several notes, including the following:
I find these notes of Dad's fascinating. I'm not sure what the formula at the top is all about (if you know, please e-mail me). The screwdriver diagram is particularly interesting. Is it an original idea—an invention on paper? Or did Dad draw it to document something he saw or remembered? I'll never know.
Dad would have considered this sketch nothing more than a doodle—something to pass the time. He certainly wouldn't have considered it presentable. I would give my eye-teeth to draw so well.
Wed, 03 Dec 2003
My first Open Source contribution
This morning, Jonathan Lundquist and I found and fixed a bug in the Squid Web Proxy Cache. I'm not sure about Jonathan, but it was my first, direct contribution to Open Source and a rewarding experience.
It took my knowledge of the Linux development environment, tools, and protocol for creating and submitting a patch; and it took Jonathan's excellent analysis and debugging skills to quickly locate the bug and suggest a patch. Individually, it may have taken either of us 2 days to find and fix the problem in totally foreign code. But together, we found it, fixed it, and submitted a report including a patch in under 2 hours.
I think it is rare to find a working relationship that multiplies productivity that way. Several years ago, Jonathan and I wrote the first version of a Windows based application in a single 30+ hour session, passing the keyboard back and forth. That product has gone through many revisions with thousands of man hours invested, but the core of the application still consists of the code we wrote in those 30-some-odd hours.
Sadly, after 12 years working closely together, that working relationship will end soon. Jonathan has accepted a position as CFO for one of our clients. Good luck, Jonathan. I'll miss you most when debugging code on my own!
Wed, 26 Nov 2003
Rocket Fuel
My boss is fond of saying, “It isn’t rocket fuel.” Well, this is rocket fuel.
When I was 13 or 14 years old, my brother and I enjoyed building and launching model rockets. My father, the scientist, made rocket fuel for us. I remember him mixing the ingredients in a large pan on the stove.
“Listen,” he said. “This is dangerous. If I tell you to run, then you run. Run out into the orchard and don’t come back to the house until I call you. Understand?”
We nodded and watched. Not long afterwards, Dad became very excited and shouted, “Run! Run!”
Sat, 22 Nov 2003
Daddy, I’ve just been in a wreck
Nothing in the world can make a father’s heart turn to stone as fast as those words. Fortunately, it wasn’t a very serious accident.
We got our first snow of the season, a record breaker, with 8 inches in Spokane. April drove home from WSU for the Thanksgiving break. Just outside of Spokane, the road narrowed to one lane due to accidents ahead. Traffic stopped in April’s lane. Unfortunately, the Ford F-350 behind her didn’t stop soon enough!
Highway 195 was closed for two hours later in the evening.
We’re certainly glad to have her home. We’ll be extra nervous when Chris makes the same trip Wednesday night or Thursday morning.
Mon, 17 Nov 2003
Dirty weblog referrer robot trick
While browsing my web server logs, I noticed something that appears to be a dirty little trick to drive traffic to other weblogs. I'm getting hits from a handful of sites that get only the default page (no css, images, etc.), have referrer fields that point to other weblogs, and have user agent fields set to MSIE 6.0.
Since many weblogs automatically create links for the referrers they detect, I assume this is just a ploy to get those weblogs to drive a bit of traffic to the offenders' sites.
Time to install a bot trap.
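The pattern described above is easy to pick out of an access log mechanically. The following is an added example, not code from the original post: it parses Apache "combined" format lines and flags clients whose every request is for the default page, with no css or image fetches, and which always arrive with a referrer on some other host. The log lines are constructed for the example (RFC 5737 documentation addresses), and the set of paths treated as "the default page" and the name of our own host are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (combined format); the first client is the referrer
# trick, the second is a real browser, the third a crawler with no referrer.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2003:08:01:12 -0800] "GET / HTTP/1.1" 200 5120 "http://spammy.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [17/Nov/2003:08:41:12 -0800] "GET / HTTP/1.1" 200 5120 "http://other-blog.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.20 - - [17/Nov/2003:09:00:01 -0800] "GET / HTTP/1.1" 200 5120 "http://friend.example/links" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.20 - - [17/Nov/2003:09:00:02 -0800] "GET /style.css HTTP/1.1" 200 900 "http://blog.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.20 - - [17/Nov/2003:09:00:02 -0800] "GET /images/logo.png HTTP/1.1" 200 2200 "http://blog.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [17/Nov/2003:10:15:00 -0800] "GET / HTTP/1.0" 200 5120 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$')

DEFAULT_PAGES = {"/", "/index.html", "/index.php"}   # assumption: what "the default page" means


def parse_log(text):
    """Yield one dict per parsable combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def referrer_spam_suspects(entries, own_host, min_hits=1):
    """Return {ip: sorted external referrers} for clients matching the post's
    pattern: only default-page requests, no assets, and every request carrying
    a referrer whose host is not ours."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    suspects = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_hits:
            continue
        if not all(h["path"] in DEFAULT_PAGES for h in hits):
            continue                    # fetched css/images/other pages: looks like a person
        refs = {h["referrer"] for h in hits}
        hosts = {urlsplit(r).hostname for r in refs}
        if "-" in refs or "" in refs or None in hosts or own_host in hosts:
            continue                    # missing referrer, or came from ourselves
        suspects[ip] = sorted(refs)
    return suspects


if __name__ == "__main__":
    for ip, refs in referrer_spam_suspects(parse_log(SAMPLE_LOG), own_host="blog.example").items():
        print(ip, "->", ", ".join(refs))
```

Whatever a "referrer" list on a weblog does with these, the safe response is the same as for any attacker-controlled input: treat the referrer as untrusted, never auto-link it without review, and feed the flagged addresses to the bot trap rather than the sidebar.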
Sun, 16 Nov 2003
First item of Dad’s listed on eBay
Today, I listed the first of many items that belonged to Dad on eBay. This item had no particular sentimental value. It looked like a good candidate for a start. If you're curious, check it out. It is eBay item 2573916471.
Pictures from our Colorado/Arizona trip
Update: The old clubphoto album expired long ago. I've reposted the pictures from our trip to Colorado and Arizona on Flickr.
Linux season
With winter here, I'm spending more time indoors, now. Linux gets most of my indoor time. After a long summer of neglecting Linux in favor of bicycling, I've refocused on extending my Linux knowledge and skill.
I've been reading The Art of UNIX Programming by Eric S. Raymond. This isn't the kind of book I would normally purchase. It is virtually devoid of any in-depth technical material, source code listings, and detailed explanation of technique. I spent nearly two hours at Barnes and Noble thumbing through a copy before I decided I had to take it home with me.
I've learned a great deal from the book that I wouldn't have gotten from a more technical treatise. I learned, for example, which IPC mechanisms are preferred, and that some, although documented, are deprecated and should not be used. There's a lot of best practices information to be gleaned from Eric's new book.
And there were a few threads to chase, as well. Eric referred to Pic as one of his examples of mini-languages. Pic, it turns out, is a tool I immediately put to use. I generated the images in my Vernier scale post a few days ago using Pic.
Pic was originally written by Brian Kernighan. I used the GNU version, gpic, which is part of the groff package.
That led me on a search for a similar mini-language to use for 3D modeling. I really wanted such a tool when I wrote my Summer Solstice post in June. What I found was POV-Ray. POV-Ray's scene description language does, indeed, allow me to quickly and easily describe simple models like the one I needed for the Solstice post. It goes far beyond, however. A visit to the POV-Ray Hall of Fame (a continuously updated gallery of scenes) is well worth the time.
I bought a used flat bed scanner, an Epson Perfection 1200U, on eBay. When it arrived, I discovered I did not have support compiled into the Linux kernel for USB scanners. Normally, that would be a simple matter of compiling the necessary module and installing it individually. But somewhere along the line, probably with an upgrade to gcc, the 2.4.20 kernel source would no longer compile.
Linux is so stable that there has been no need, whatsoever, for me to keep on top of the kernel releases recently. So, the need to get the new flatbed scanner working resulted in a download and compile of the 2.4.22 kernel. That was, as always, a trouble free experience. And my sound card now has native kernel support, so I was able to drop the ALSA sound drivers I was using previously.
I'll need some time to experiment with the scanner, but so far, the SANE scanner utilities seem to be doing a perfect job.
Linux certainly hasn't lost its appeal for me; I'm looking forward to plenty of time with it this winter.
Tue, 11 Nov 2003
Vernier scale
I've been going through some of the instruments and gadgets that belonged to my father. A common feature on many instruments is a vernier scale.
I can remember Dad teaching me how to read a vernier scale, but I never gave much thought, until now, to how and why it works.
The vernier scale is based on some very simple mathematics that yields a surprisingly powerful and useful result.
Consider the following scale. The base scale is on top, the vernier scale on the bottom.
Notice that the vernier scale divides 9 units on the base scale into 10 equal parts. Therefore, each vernier unit is 0.9 base units.
The 1 on the vernier scale falls on a point that must be 0.9 on the base scale, even though the base scale is not marked at that point. If we slide the vernier scale 0.1 base units to the right, the 1 on both scales will align precisely, and the arrow at the origin of the vernier scale will be positioned precisely at 0.1 base units.
If we slide the vernier scale to the right until the 2 marks on both scales align, the arrow on the vernier scale will be positioned at 0.2 base units. It must be, because each vernier unit is 0.9 base units; 2 vernier units equal 1.8 base units; 2 - 1.8 = 0.2.
So, as we can see, when a mark on the vernier scale aligns with a mark on the base scale, that mark on the vernier scale indicates, in tenths, where the vernier arrow falls on the base scale.
Take the following setting, for example.
The 3 on the vernier scale aligns with a mark on the base scale, so the arrow falls at 2.3 on the base scale.
A common set of vernier calipers allows measurements in thousandths of an inch. The base scale is marked in inches and tenths, with each tenth divided into 4 parts (0.025 inches). The vernier scale divides 24 of the smallest marked units on the base scale into 25 vernier units. Each unit on the vernier scale is, therefore, 0.024 inches long, 0.001 inches shorter than a unit on the base scale. When a measurement is taken, the thousandths indicated on the vernier scale are added to the nearest 0.025 inch mark on the base scale to the left of the vernier origin.
It would be impractical to mark a rule with thousandths of an inch and even more impractical to use, but by employing a vernier scale, measuring that accurately is simple.
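To show the mechanism rather than just the arithmetic, here is a small added simulation (mine, not from the original post). It lays out n vernier marks spaced (n-1)/n base units apart from a given origin, finds the one that lands closest to a base-scale mark, and rebuilds the reading from that mark number, for both the 0.9-unit scale in the figures and the 0.025-inch, 25-division caliper. Rounding to nine decimals is an assumption to keep floating-point noise out of the answers.

```python
import math


def aligned_mark(position, base_unit, n):
    """Return the index k (0..n-1) of the vernier mark that lies closest to a
    base-scale mark when the vernier origin sits at `position`.  The marks are
    spaced base_unit*(n-1)/n apart, so mark k sits at position + k*pitch."""
    pitch = base_unit * (n - 1) / n

    def distance_to_nearest_base_mark(k):
        x = (position + k * pitch) / base_unit
        return abs(x - round(x))

    return min(range(n), key=distance_to_nearest_base_mark)


def read_vernier(position, base_unit, n):
    """Reading = the base mark just left of the origin plus k least counts,
    which is exactly how the page says to read the calipers."""
    k = aligned_mark(position, base_unit, n)
    base_mark = math.floor(position / base_unit + 1e-9) * base_unit
    return round(base_mark + k * base_unit / n, 9)


def least_count(base_unit, n):
    """Smallest resolvable step: one base unit divided by the vernier divisions."""
    return round(base_unit / n, 9)


if __name__ == "__main__":
    print("page example, origin at 2.3:", aligned_mark(2.3, 1, 10), read_vernier(2.3, 1, 10))
    print("calipers, true 1.337 in:    ", aligned_mark(1.337, 0.025, 25), read_vernier(1.337, 0.025, 25))
    print("caliper least count:        ", least_count(0.025, 25))
```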
Wed, 05 Nov 2003
The Long Walk
Jenny and I just finished reading The Long Walk by Slavomir Rawicz, the true story of the author's escape from a Siberian prison camp in 1941 and his and his companions' three-thousand-mile trek, south, through Siberia, the Gobi Desert, Tibet, and over the Himalayas, in winter, to freedom.
The wayfarers suffered days on end without food or water. They pressed on driven only by their sheer will. Slav's story is awe inspiring. I heartily recommend his book.
Jenny and I rarely watch television. Until recently, we spent most of our leisure time cycling. With the loss of Daylight Savings Time, the shorter days, and colder weather, we've been spending more time inside. As an experiment, of sorts, we decided to spend some time reading a book together (which means I read aloud and Jenny listens).
It's been an interesting experiment, and I'm ready to find another book to read. We ran across this book at our local Barnes and Noble store. I had actually read about it in the same Rivendell Bicycle Works catalog that led to the Grandpa's Pine Tar Soap experiment. I guess all things are connected.
Wed, 29 Oct 2003
Coats aren’t cool
We had our first snow, today. Not much, just a brief flurry in a fierce wind that looked eerily like a snow globe scene.
On a brief afternoon walk from the office down the street for a coke, we saw the middle school kids headed home. Many were without coats. Coats aren't cool. I remember that all too well. My boys never wanted to wear their coats.
Here's my sure fire, guaranteed method to get your teenager to wear his or her coat.
Let them go to school without it. Shortly after school starts, show up at the classroom with your teen's coat. Interrupt the teacher.
"Excuse me… Oh, dear. There you are. You forgot your coat!"
NOTE: If your teen still refuses to wear a coat to school, have him tested, immediately. It may be a sign of a severe learning disability.
Blonde Coffee
I'm going to lobby for a name change. I'd like to see white coffee called blonde coffee. That way, Jenny's favorite coffee drink would sound even more like a personal ad than it does already.
Give me a hot, single, tall, skinny, blonde coffee mocha, please.
While we were vacationing, the farther south we travelled, the more difficult it became to find an espresso stand. And nowhere, after leaving Spokane, did we find white coffee.
Jenny made a point of requesting white coffee wherever she went, knowing full well they wouldn't have it. Then she gave them her sales pitch touting the benefits (as she sees them) of white coffee: no coffee flavor and 30% more caffeine.
Thomas Hammer, our local supplier of white coffee, may be getting inquiries from several western states wondering why the sudden interest in white coffee.
Tue, 28 Oct 2003
Final Goodbye to Dad
On October 18, 2003 my father, Powell O. Mims, passed away after a long struggle with heart disease.
Dad was the brightest light in my life. He illuminated a fascinating world for me with his incredible intellect and zeal for life. He shared his fascination for math and science with me, led me on many inward journeys of discovery, and helped shape my character and interests.
Dad achieved much in his life. He was an inventor, with at least two patents to his name. He served in the US Navy as a pilot. He worked for Martin-Marietta on the Titan missile system and other cold war era defense projects. He worked as a surveyor for PG&E in California before returning to Colorado to finish his education at the Colorado School of Mines, receiving his Bachelor's Degree in Mathematics.
In 1971, Dad moved us to Hotchkiss then Paonia, Colorado. He opened a self service gasoline station on Roger's Mesa (near Hotchkiss), then another in Paonia. The station in Paonia was also a fast food restaurant known, then, as the Huskyburger. Mom and Dad ran the businesses together. They became jobbers (distributors) for Husky Oil, then for Chevron Oil. They opened several more self service stations and supplied others. They had gasoline transport trucks and smaller farm delivery trucks. They provided many Western Colorado communities with fast, friendly service and low prices.
In 1977, Dad suffered a major heart attack. His doctors were not optimistic. They prepared us for the worst and performed bypass surgery in an effort to prolong Dad's life and improve its quality. He recovered from that first surgery remarkably fast, but continued to suffer from heart disease and several more heart attacks.
In 1982, Dad underwent another bypass surgery. His recovery from this one was anguishingly difficult. Heart disease continued to progress, and in 1991, he moved in with me and my family in Orem, Utah and was put on the waiting list for a donor heart at the University of Utah Medical Center.
Dad received a heart transplant in 1991. Unfortunately, the donor had Hepatitis C. That fact went unnoticed until 1994 when Dad was diagnosed with the disease and had already begun to suffer from some of the rarest and most brutal conditions associated with it.
Despite the difficulties, Dad spent many happy years with us — many more than his doctors predicted and many more than anyone with less determination, courage, and strength would have.
I am proud to have had not only a father-son relationship with this great man, but a strong, close friendship with him. Dad and I talked frequently on the phone, corresponded on-line, and spent as much time as we could together, even though it was much less time than either of us wished.
For about the last 18 or 20 months of his life, it was a struggle to just make it from one day to the next. Dad lost the ability to pursue many of the interests that had kept him so alive previously. He also lost most of his hearing. During the last weeks of his life, he was unable to converse on the phone, too frustrated with his inability to hear. I missed our normal telephone conversations terribly.
Jenny and I planned a vacation — our first two week vacation, ever. We traveled first to Colorado to visit with Mom and Dad, then to Arizona to spend time with Jenny's family. I spent some precious hours with Dad. He was tired and struggling, but he had not lost his wit, charm, and sense of humor. We parted with a warm hand shake and wave that I will remember forever.
On our return trip home from Arizona, we got word from my brother, Brian, that Dad had passed away. He died at home while Mom was away at work. Apparently, his heart finally failed. As much time as Dad had to endure in hospitals, I'm happy that he spent his last days at home with Mom instead of in a hospital bed.
Dad was absolutely devoted to my mother. Anyone of less courage and strength would not have been able to endure his daily routine. Dad fought through each day for the pleasure of spending one more day with the love of his life. She will miss him profoundly as will everyone that knew and loved him.
The world will be a much different place for me without the bright light that has guided and mentored me all these years. I will cherish his memory and hold dear the knowledge, skills, and love of life he gave me.
Thu, 02 Oct 2003
Grandpa’s Pine Tar Soap
Last week, I received a wonderful surprise in the mail. The Rivendell Bicycle catalog. The catalogue is a better read than most magazines. It's packed with explanations, advice, and anecdotes. These guys clearly love what they do.
And it's not just information about bicycles and accessories — this issue even had a bit of advice on personal hygiene. They plugged a product called Grandpa's Pine Tar Soap, billed as a soap, shampoo and deodorant, all in one.
Now, I love simplicity and efficiency. That's one of the reasons I enjoy cycling so much. What mode of transportation is so simple and efficient? And what could be more efficient than a soap, shampoo, deodorant, shaving cream, all in one bar?
I need to place an order with Rivendell, if for no other reason than to support the fine literary work they call a catalogue. But I didn't want to spend a shipping charge to try a bar of soap. So, before placing a bulk order, I found a local store that carried Grandpa's soap and Jenny picked up a couple bars for me to try.
Unfortunately, the experiment failed. The soap has a fragrance that would be pleasant if not so strong. It was overpoweringly strong. I showered before bed, using the Pine Tar Soap as both soap and shampoo. The soap rinsed clean, and I couldn't smell it on my body so much, but the smell of the soap in the bathroom soon filled the bedroom.
In the middle of the night, Jenny just couldn't take it any longer. So, I got up, put both bars of soap in a zip lock bag and hauled them out to the garage. I opened the bathroom window and shut the door. The odor was still heavy in the bathroom in the morning.
I love the concept, but the product just didn't work out for me. Maybe I'm just plain nuts; even though the experiment ended in failure, I found the experience rewarding.
Two bars of Grandpa's Pine Tar Soap (one slightly used <g>) to a good home.
Sat, 27 Sep 2003
Fed up and Fee-ed Out
I'm so sick of bank fees I could scream. I've been a Wells Fargo customer for over 10 years. It's way past time to switch banks.
NetBank is probably where I'll land. Interest paid on checking, no fees for online bill pay, or any of the other services I typically use. They live on the Internet, like I do. Seems like a good match.
The straw that broke the camel's back was a $30 wire transfer fee. Wells Fargo quoted me $20 over the phone, but would not do the transfer by phone or fax. They insisted I show up in person at the bank. The local branch manager charged me $30.
Thinking (hoping?) she was wrong, I sent an e-mail inquiry requesting an adjustment if the branch was in error. Wells Fargo's reply sounded like some of the television commercials I've seen recently:
I researched the $30.00 wire transfer fee charged to your account…The fee for this type of wire is $20.00. Additionally, there is a $10.00 fee if a store banker assists with sending the wire.
I'll probably be hit with a $30 research fee for being fool enough to question the wire transfer fee.
Suck rocks Wells Fargo, you've sucked your last drop of my blood.
Nancy Lundquist’s Guatemala Pictures
My good friend and coworker, Jonathan Lundquist, and his wife, Nancy, made a trip to Guatemala in April. They are both avid photographers and they came back with some great pictures.
Nancy posted her pictures on their weblog. NOTE: It's one, long page filled with images. Even with my broadband connection, it took several minutes to load the page. Well worth the wait, though.
Lost in Translation
Attempting to build upon our success last week, we ventured out to the movies last night.
Based on a chart in the Friday paper indicating a thumbs up from all reporting reviewers, we picked Lost in Translation.
This movie sucked. If not for three cups of coffee, stretching dinner out long enough to fill time before the 9:40 start, I would have slept through it. If not for the fact that we were blocked into the center of our row, we would have walked out.
Here's my recommendation. Wait until it's playing at the dollar movies, give your dog a buck and send him to the show. That is, unless (a) you like your dog; (b) you value a dollar.
Wed, 24 Sep 2003
Riding in the dark
The sun sets, now, before our evening ride ends. We finish in the soft light of dusk, which, for me, was near complete darkness Monday and Tuesday. I wear my prescription sunglasses when I ride. Removing them is not an option — I might as well close my eyes.
With the sunglasses on, and the sun down over the western horizon, the rabbits begin to look like bushes and the bushes begin to look like rabbits. It's unsettling when the rabbits don't move as you approach and it's downright unnerving when the bushes dart across the trail in front of your wheel.
We're planning a trip to see our families next month. We'll take the bikes with us and do a little daylight riding in the Arizona sun. We'll have the opportunity to see some new wildlife, perhaps including snow-birds, which, they tell us, drive automobiles and eat unsuspecting cyclists for lunch.
Mon, 22 Sep 2003
Safe Comcast HighSpeed Internet Installation
Comcast HighSpeed Internet default installation procedures are not safe. They leave unsuspecting users susceptible to worms and viruses. In addition, there are many accusations that the Comcast install puts spyware on users' computers.
The problem is a Catch-22. If you're running a Windows based system, you need to apply security patches before you expose your computer to the Internet. But the only reasonable way to get the security patches is to download them from the Internet.
There is a simple alternative to Comcast's default installation instructions that has the benefit of an additional layer of security and privacy. You don't need to install any software provided by Comcast.
If you are running Linux, or another unsupported OS, you can get your Comcast HighSpeed Internet connection up and running without access to a Windows based PC by following these instructions.
Set sas.r1.attbi.com, port 8000, as your proxy server, excluding sas.r1.attbi.com.
Browse to http://sas.r1.attbi.com and complete the on-line registration process.
On my Comcast connection, last week, I received over 14,000 Welchia probes from over 700 different hosts. And that's just Welchia. There are dozens of other threats raining down on my firewall all day every day. Barely a minute passes, on average, without some kind of parasite trying to determine whether or not I'm a vulnerable host and infecting me.
A new Comcast user is likely to be vulnerable to recent worms and viruses. Even a brand new system is unlikely to come from the factory with current security patches. Bundled virus scanners likely have out of date virus signatures.
So, my advice to all Windows users is to first obtain a good broadband router with NAT support. There are several broadband routers to choose from. Among them are options from:
In addition to some added security, broadband routers with NAT allow you to share your Internet connection with other computers in your household.
It is understandable that Comcast does not want the added variable of a broadband router or firewall device between the PC and the cable modem; it would complicate installation and troubleshooting. However, exposing vulnerable computers to the kinds of worm and virus attacks we've seen recently probably leads to just as much, if not more, trouble down the road as infected computers chew up bandwidth, frustrated users overload support centers, and systems have to be sanitized.
Sat, 20 Sep 2003
Matchstick Men
Last night, Jenny and I went to the movies for the first time in ages. We saw Matchstick Men and loved it.
We've filled our summer with cycling and haven't turned the television on for weeks, so we hadn't seen any advertisements, reviews or commentaries except for the brief blurb in the newspaper describing the currently playing movies while we made our selection. So, we had the pleasure of seeing the movie without having seen all the highlights in a trailer.
This one gets my recommendation.
Sat, 13 Sep 2003
Inspiring
Jenny and I made the ride to Rockford and back this evening. While we were waiting in the left turn lane for the light on 32nd and Highway 27, a cyclist pulled in behind us.
My plan was to time myself, as usual, on the big climb. So, when we reached the bottom of the hill, I started the stop watch and charged up the hill for all I was worth.
I waited for Jenny at the top. The cyclist that had pulled in behind us at the light came up the hill ahead of Jenny. He pulled to a stop and complimented me on my climb. "You nailed that hill. You really hammered it."
He wasn't far behind me. He was lean – not an ounce of fat on him. He wasn't winded; obviously he had climbed the hill at a comfortable pace. I asked where he was headed. "Freeman, or maybe Rockford if I have time," he said. "I'm just visiting friends here. I haven't ridden this way before."
"Rockford and back is where we're headed," I told him.
"I rode to Coeur d'Alene this morning," he said. "But I needed a few more miles."
At that he pedaled away. Wow, I said to myself, when I'm in my seventies, I want to be just like him – still riding and riding strong. I was inspired.
Stealthing Port 113 on D-Link DI-604 Router
In recent days, the most frequent Google searches leading readers to my site seem to have come from people trying to figure out how to stealth port 113 on their D-Link DI-604 routers.
I wrote an article titled Dropping IDENT requests causes e-mail delays explaining why, in some cases, you may not want to stealth port 113. The article does not explain how to stealth port 113, if that is what you want. This article adds that information.
You may want to review the prior article, first, to determine if that's what you really want to do. If so, the solution is quite simple.
To stealth port 113 on a D-Link DI-604 router, simply forward port 113 to an unused IP address on your network using the technique described in the D-Link TechSupport FAQ.
Some routers, such as the Netgear RP614, automatically stealth port 113. If you experience delayed connections to outbound services like SMTP and IRC, you may want to un-stealth port 113 so packets are refused instead of dropped.
To un-stealth port 113 on Netgear RP614 (or many other routers), forward port 113 to an active IP address on your network that responds with a closed port. In my prior article, I forwarded port 113 to a network connected HP printer. For the RP614, see the port forwarding instructions in the reference guide.
In either case, you can use Steve Gibson's excellent ShieldsUp!! page to test the results of your configuration change.
Wed, 10 Sep 2003
The big crash: 7 years ago, today
On a cold September morning, just like this one, seven years ago, today, I pulled on a cycling jacket, long fingered gloves, and headed to work. I left a few minutes later than usual. My ride took me past Central Valley High School where classes had started just a few days before.
A 16-year-old student, licensed just a few weeks prior, made a left turn in front of me. I steered left and braked for all I was worth, first trying to avoid an impact with the cab of his small Toyota pickup that would have sent me through the glass, then trying to avoid a crash altogether. I didn't make it. I impacted right at the back axle, went airborne and landed on my back in the street on the other side.
The crash fractured both the radius and ulna of my left arm, shearing off the ball joints at the wrist. It left scars on both arms where they impacted the side of the truck and a deep bruise across my right leg that took months to fade away. My arm was repaired with stainless steel plates and screws. The crash destroyed my bicycle.
Seven years later, I'm back on the bike. I'm not riding as many miles as I did then, but I'm enjoying every minute I ride. I'm hoping for a less eventful ride to work this morning.
Thu, 04 Sep 2003
Finally, Googled
I made my first blog entry about 6 weeks ago. The Googlebot finally found me in the early morning hours Tuesday (9/2). Last night, I saw the first hit from a Google search, and a couple more today.
When I checked last night, I wasn't able to find any search results for my own site. Whatever entry point I have into the great Google engine hadn't been updated, yet.
As of today, I can, indeed, search. So, finally, I'm Googled.
The hits I'm getting from searches are encouraging, so far. They are hitting some of the technical articles I've written. Hopefully, my ramblings will prove to be beneficial to someone else.
Wed, 03 Sep 2003
More miles than hours
The days are getting shorter at the same time I'm getting more fit and able to ride longer. I'm finding there are more miles to ride than hours of daylight to ride them.
Jenny continues to get faster and stronger. This past weekend, we rode nearly 100 miles together, much of it hilly. She stayed right with me.
In fact, she scared me. She was about 20 yards behind me as we approached a stop light. The light turned green. I still had 50 or 60 yards to go. Knowing it is a very short light, I sprinted for all I was worth to make it through.
Now, I'm no sprinter, but I cleared the intersection at my top speed. When I was safely through, I turned to see if Jenny was coming through or if she was stopped on the other side. She nearly ran over me! Not only was she through, she was right on my wheel!
Speaking of top speed, we went to Pig Out in the Park this weekend. While we were there we caught Top Speed at the IMAX Theater. Watching Marla Streb handle a mountain bike and Marion Jones do the 100 meter was amazing. If you haven't seen it, do!
Fri, 29 Aug 2003
6:50.3
I rode by myself last night from the office to Freeman then home. I tackled the hill on Highway 27 and shaved a few seconds off my prior record.
I failed to get properly prepared to time the climb, so instead of timing from the first reflector post at the bottom of the hill, I used the 2nd post. To compensate, I went one post farther at the top. The vertical distance should be nearly exactly the same. The over-the-road distance turned out to be slightly farther, 1.36 instead of 1.35 miles.
Jenny started some Pilates classes this week and needed a day off the bike. All the riding plus the workouts at the gym were just too much.
Tue, 26 Aug 2003
Panic
Another ride on the Centennial Trail yesterday evening.
Jenny forgot her cell phone and her water bottles. So, I wasn't able to reach her by phone to tell her I would be 10 minutes late. And when I arrived, hoping for a short easy ride, she said, "We'll have to ride to Post Falls so I can get some Gatorade."
I gave her one of my water bottles, and we would have been okay to just refill them at the state line rest stop, but Jenny doesn't just drink water – she needs her Gatorade.
So, we set off into a slight headwind. (Unusual – we normally have a tail wind going and a head wind on the return trip.)
It was an uneventful but challenging ride to Post Falls and back. We each got a cold sports drink and I refilled the water bottles before we made the trip back. With the tail wind, we made good time coming home.
I had ridden 57 miles the day before. Not only had I made an evening ride to the state line rest stop and back with Jenny; earlier in the day, I made 3 loops up the hill on Highway 27, back down Dishman-Mica road, around the Painted Hills Golf Course and University High School. It took a lot of concentration to keep the effort up and a steady tempo.
We arrived back at the car with just enough time before sunset, it appeared, for me to make the ride up to the office to retrieve my pack, meet Jenny in the parking lot there to let her haul the pack home, and ride the 4 miles from there to home. So, as usual, I left Jenny to change her shoes and load her bike and I headed off to climb the short hill on Pines Road to the office.
Normally, I have enough time to get to the office and retrieve my pack before Jenny arrives. Invariably, she pulls up at the back door while I'm setting the alarm and locking up.
It was a quick ride to the office – I managed to get short red lights and made good time on the road. But retrieving my pack took longer than usual. I dropped my keys in the pack by mistake and went back looking for them thinking I may have left them on my desk. And, I had to make a trip down stairs to retrieve the sweatshirt I had worn on the morning ride to work and would likely need the following morning.
So, I was surprised when Jenny was not at the back door when I was finally ready to go.
I put the pack on my back and decided to meet her at the intersection on Pines Road. She was nowhere in sight. I watched until there was no traffic in either direction between Broadway and Mission and set out to find Jenny.
All sorts of scenarios went through my mind as I raced faster and faster back to where I had last seen her.
I checked each intersection for an accident – my worst fear. I looked closely at each gas station – perhaps she was critically low on fuel. I watched the side of the road – perhaps she had car trouble.
When I was within sight of the last stop light, I knew she must still be at the trail head. Perhaps she locked her keys in the car, I thought. Maybe the car wouldn't start. That's what I hoped for – something simple. But there was panic just under the surface. What if the car is gone? Or, what if the car is there, but Jenny isn't? I was pedaling as fast as I could go, afraid of what I might find.
In the distance I could make out the car (a Honda station wagon). The back hatch was open, and I could see Jenny standing behind it. Car trouble, I thought. Good – at least she's safe.
I nearly skidded to a stop and the sweat immediately began pouring down my face. Jenny was chatting away with another cyclist. He had seen her sitting in the back of the station wagon putting on her cycling shoes when he left on his ride. There she was when he returned, in the same place, doing, it appeared, the same thing. So he struck up a conversation to see why she'd seemingly been right there for the past two hours.
So, no need for panic. It was par for the course. Jenny loves to chat, and it was no different than 10-minute trips to the store that take an hour and a half, or when she's 40 minutes late for lunch because she stopped to talk to the neighbor across the street when she went out to get in the car.
I was just happy to discover she was safe and there was no problem to solve before heading home. It was, finally, getting too late to ride. Jenny followed me home, riding shot gun. And I got an incredible workout: 40 miles instead of the 20 I had expected, two climbs up from the river instead of one.
The reward was a new low weight, 185.5, this morning.
Perhaps I won't be so quick to panic next time.
Wildlife
I've written before about the wildlife we've seen on our bike rides: Canadian Geese, rabbits, chipmunks, quail, hawks, deer, a box turtle, groundhogs, a crane, etc. Last year, I saw a coyote. The year before, on a ride up Dishman-Mica Road, I saw a sad, but incredible sight – a deer, probably hit by a car, running on three legs, the left hind leg broken and flopping, and a coyote in hot pursuit. They crossed the road just ahead of me and the coyote shot me a quick glance but remained undeterred.
Sunday, Jenny added a new creature to the list.
We were making our usual ride on the Centennial Trail to the I-90 rest stop on the Washington/Idaho border and back. About ¼ mile before reaching the rest stop, I passed a couple with a baby stroller. I warned, "On your left," as I approached, but they did not move from the center of the trail. So, I passed on the left with less clearance than I'm comfortable with, but went safely by, nonetheless. As I passed, I turned and shouted, "One more coming!"
We had a great tail wind. I had pulled away from Jenny on a gentle incline a couple miles back and gone on my own to the rest stop at a good clip. Jenny was just less than a minute behind me.
Between the time I passed the couple and Jenny reached them, the guy decided to relieve himself. So, when Jenny came around the corner, much faster than he would ever have expected, I suppose, there he was, exposed to the world.
Jenny was fussing and fuming when she got to the rest stop. Not only was she disgusted, but the couple left her even less room to get by than they left me.
Anyway, it was a first. Add "trouser snake" to the list of wildlife we've spotted.
Wed, 20 Aug 2003
The good, the bad, and the ugly
Although I haven't recorded a blog entry for every ride and every experience, I decided to jot down a few one-liners that summarize many of them.
The good:
The bad:
The ugly:
As the wheel turns…
I've been doing a lot of riding, reading about riding, thinking about riding, but very little writing about riding.
Jenny has been my constant riding companion this year. It's been a lot of fun. The guys at the office surely don't read my weblog. If they do, my admission that I'm still as much in love with my wife as I was the day we were married will shatter the image I've created. But it's true. There's nobody I'd rather ride with.
Last Saturday, Jenny took a spill. Her first – ever – as far as I know. We were leaving the Centennial Trail at the Flora Road access. There is a short but very steep climb from the trail to the road. I charged up the short rise. Behind me, I heard what sounded like a cleat coming out of a pedal, only much louder. Looking back, I didn't see Jenny's green helmet coming into view as I expected, so I spun around and charged back.
There she was, standing on the trail, bike in hand, seat pointing sideways, with fire in her eyes. She was furious with her bike and herself. The chain had jammed then come off at the steepest part of the short rise. She immediately rolled backwards and went down, unable to disengage her feet from the pedals quickly enough.
Back on the bike, she did a Lance Armstrong: she surged ahead so fast I thought I wouldn't see her again until I finally made it home.
Sunday, we discovered the real problem. A pin had worked its way loose and was occasionally getting jammed between the chain rings. We made a 35-mile ride to Rockford and back. Just a few miles into the return trip, Jenny's chain jammed hard. Examining it at the side of the road, I finally realized what had caused her fall on Saturday.
We were stuck. I didn't have a chain tool and we were many long miles from home.
With my head down, I didn't even see the cyclists approaching from the other direction. When the pair of riders was directly across the road from us, one of them shouted, "Do you need any help?" Her unexpected call startled me.
"You wouldn't happen to have a chain tool, would you?" I replied.
"I just bought this neat tool kit," she said. "I don't know what's in it."
They circled around to our side of the road and pulled up behind us. She handed me her tool kit, which did, indeed, have a chain tool. Two minutes later, with barely an interruption in our ride, we were back in business and headed home.
To our fellow cyclists, whose names we failed to ask, THANK YOU!
Sobig.F Worm Attack
Yesterday, I had an extremely frustrating experience with the W32.Sobig.F worm. Even though, as a Linux user, I was not susceptible to an infection, this ugly worm inflicted quite a bit of pain.
Between 7:27 AM and 12:05 PM, I received 125 e-mail messages addressed to my Bigfoot.com forwarding address, each containing the worm.
All the messages came from the same infected machine at a university in Sweden. If the messages had been sent directly to my personal e-mail address, hosted on a system I manage, it would have been trivial to stop the attack – I could have simply blocked all traffic from the offending IP address at the firewall, or added it to the RBL I use to block known spammers and mail abusers.
But this attack was hitting my Bigfoot.com address. Bigfoot.com is a forwarding service, so all the worm-laden messages were coming from Bigfoot.com's mail server. Blocking that address would have blocked all legitimate messages sent to my Bigfoot.com address as well as those containing the worm.
Worse, Bigfoot.com has a daily message limit. I'm a paid subscriber, which entitles me to 150 messages per day. Even with the amount of spam I receive, that limit has always been more than adequate to handle my needs. Had the Sobig.F attack continued much longer, however, I might have had my mail account temporarily suspended due to the volume. I was expecting a very important e-mail message and having it delayed or lost would have been painful.
Bigfoot.com has an emergency help desk address. I fired off a message with attached headers from one of the worm-laden e-mails and asked them to please block the offending address.
I tracked the offending, originating IP address to a Swedish university and sent a message with appropriate details to their abuse address.
I did receive a reply from the university. Bigfoot never responded. At 12:05 PM, 4 hours and 38 minutes after the attack began, 1 hour and 39 minutes after I contacted the university, the worm storm stopped.
In addition to the messages with worm payloads, I received several undeliverable-message bounces. Sobig.F forges its "From" addresses from the same pool of addresses it targets. I also received some automated replies from auto-responder addresses that had been targeted by the worm and where my address had been forged as the source address.
I narrowly escaped exceeding my daily message limit at Bigfoot.com and, thankfully, I got the important e-mail message I was expecting.
Without any feedback from Bigfoot.com, and with only the acknowledgement that my message had been received and was being investigated at the university in Sweden, I don't know where to give credit for stopping the attack. It is, of course, possible that neither was directly responsible. The user of the infected machine may have found and fixed the problem.
In any case, the Sobig.F attack demonstrated that worms can have devastating effects even on systems that are properly protected and not vulnerable to direct infection.
Fri, 15 Aug 2003
My Blaster theory gains strength
This morning, the first HTTP exploit attempt in 5 days showed up in the logs. It confirms that nothing has changed in my ability to detect and log these exploits, confirming that there has indeed been a complete absence of these attacks on my system for days.
I think this adds strength to the theory I proposed yesterday – the Blaster Worm seems to have taken down virtually all of the systems previously infected with Nimda, Code Red, and other worms that propagate through HTTP exploits.
I'm still waiting to see a news article offer the same or similar theory.
Thu, 14 Aug 2003
Two new records
Today I reached a new, low weight since starting my diet in April. I've lost exactly 35 pounds, now.
After work, I tackled the hill on Highway 27. I completed the 1.35 mile climb in 6:56.7. That's more than 2 minutes faster than the first climb I timed this year and an improvement of more than 30 seconds on my prior best time this year.
Is W32/Blaster cleaning up the Internet?
For the past few days, I've been scratching my head trying to figure out why, all of a sudden, I don't see any HTTP exploit attempts in my logs. I usually see 4-10 exploit attempts – a mixture of cmd.exe and default.ida attempts. However, Sunday, 8/10 was the last time I saw any such attempts in the logs.
It seems statistically improbable that this is just a normal lull in activity.
There is a possible explanation. Perhaps the W32/Blaster Worm (aka, LovSan) is responsible.
I assume the vast majority of exploit attempts come from Windows systems that have been compromised by worms like Nimda and Code Red. They are attempting to propagate themselves through HTTP exploits. If these same systems were taken down by W32/Blaster, then they aren't able to spread the other worms they host.
Because Blaster causes infected machines to crash, they will get the attention of their owners. Some will just remove W32/Blaster, leaving other worms intact. However, I expect most infected systems will get a more thorough cleaning, virus detection software installed, etc.
A side effect of W32/Blaster could be a much cleaner Internet.
I haven't verified this or seen this theory posted elsewhere, yet. I'll be hunting for verification.
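To turn the hunch above into something checkable, here is an added example (mine, not the author's) that counts Code Red and Nimda style probe requests per day in an Apache combined-format access log and reports the days on which none appeared. The log lines are constructed for the example rather than taken from the author's server, and the signature fragments (default.ida, cmd.exe, root.exe) are the well-known request paths those two worm families generate; the function and variable names are my own.

```python
"""Count worm-style HTTP probe attempts per day in an Apache access log.

Added illustration for the discussion above; the log lines are constructed
sample data, not a real server log.
"""
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path fragments characteristic of the two worm families. On a
# non-IIS server they are harmless 404 noise, but they are a useful gauge
# of how many infected hosts are still out there scanning.
SIGNATURES = {
    "code-red": ("/default.ida",),
    "nimda": ("/cmd.exe", "/root.exe"),
}

# Constructed sample: probes on 8, 9 and 10 August, only normal traffic after.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2003:02:11:09 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0" 404 283 "-" "-"
198.51.100.23 - - [08/Aug/2003:09:45:31 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
198.51.100.23 - - [08/Aug/2003:09:45:32 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.44 - - [09/Aug/2003:14:02:10 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Aug/2003:22:30:55 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0" 404 283 "-" "-"
198.51.100.80 - - [10/Aug/2003:05:17:43 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.44 - - [11/Aug/2003:08:00:01 -0700] "GET /blog/ HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
192.0.2.51 - - [12/Aug/2003:16:21:37 -0700] "GET /robots.txt HTTP/1.1" 404 190 "-" "Googlebot/2.1"
192.0.2.44 - - [13/Aug/2003:07:59:58 -0700] "GET /blog/ HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we care about, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "day": ts.date().isoformat(),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def classify(path):
    """Name the worm family a request path looks like, or None for ordinary traffic."""
    lowered = path.lower()
    for family, fragments in SIGNATURES.items():
        if any(fragment in lowered for fragment in fragments):
            return family
    return None


def daily_probe_counts(lines):
    """Map each ISO date to a Counter of worm family -> number of attempts."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        counts.setdefault(rec["day"], Counter())[family] += 1
    return counts


def quiet_days(counts, first_day, last_day):
    """ISO dates in [first_day, last_day] on which no probe attempt was logged."""
    day = date.fromisoformat(first_day)
    end = date.fromisoformat(last_day)
    quiet = []
    while day <= end:
        if not counts.get(day.isoformat()):
            quiet.append(day.isoformat())
        day += timedelta(days=1)
    return quiet


if __name__ == "__main__":
    counts = daily_probe_counts(SAMPLE_LOG.splitlines())
    for day in sorted(counts):
        print(day, dict(counts[day]))
    print("days with no probes:", quiet_days(counts, "2003-08-08", "2003-08-13"))
```

Run against a real access log with `daily_probe_counts(open("/var/log/apache/access_log"))`; a run of quiet days after a steady baseline is the observation the post is based on, and the per-family split shows whether one worm's scanners went quiet before the other's.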
Wed, 06 Aug 2003
Domino effect
I could have had lunch with the guys, today. Instead, I'm sitting here waiting for my darling wife to pick me up for lunch – she may never show.
You see, while I was away in Santa Maria last week, I got a call at 11 PM one evening. I startled awake in a strange place, stumbled out of bed searching for my ringing cell phone in the dark running into every piece of furniture in the room. When I finally laid hands on the cell phone, tethered by its charger cord, I pulled the lamp off onto the floor and missed the call.
When I was finally able to focus my eyes, the cell phone display read, "Missed call from Jenny."
So, I called back and got Christopher. He was in Pullman.
"Dad, I borrowed April's car to drive to Pullman," he dove right in, "and on the way out of town I stopped to get a coffee." (This must be significant.) "At the stop light, my foot slipped off the brake and I bumped into the back of a Mercedes.
"Now, their insurance company is calling and they want me or you to call them back."
(This conversation did wonders for my ability to obtain a good night's sleep.)
I told Chris I'd call him the following day. And I did!
At 7:00 AM, sharp, I returned the favor and rolled him out of bed with a cell phone call. I told him not to contact the other driver's insurance agent, but, rather, to call our agent, give him the details, and let him handle it.
What, you ask, does this story have to do with the fact that I'm sitting here waiting for Jenny?
We had a lunch date. She called me shortly before noon to tell me she had to take April's car downtown to have pictures taken and would stop by the office on her way home so we could get some lunch. Three minutes later, I got an invite to go to lunch with the guys.
I called Jenny right back to release myself from our failing lunch date. I got Christopher. In Pullman. Again.
Seems he got himself in some financial difficulties at the end of last semester and hasn't yet earned enough money to pay off his cell phone bill. After months – nay, years – of pleading, "the kids all have cell phones, why can't I have one?" I got Jenny her very own cell phone. And to what end? It goes to whichever baby bear can't make their own payments, and I still can't ever get in touch with my wife.
Just think, if it hadn't been for that damn cup of coffee Chris had to have last week, I'd be having lunch with Jenny or the guys – at least not sitting here writing this – and you wouldn't be wasting time reading it. Talk about a domino effect…
Disclaimer: The facts in this article should not be considered facts. They should be considered hearsay and stirred with poetic license. They should not be considered suitable for admission as evidence, should, say, a claim of injury resulting from the described "bump into Mercedes" be made. Which it has. Apparently. …another domino falls.
Assault Charges
Last night on the way home from work, a car load of punks passed screaming insults and throwing coins or beer caps – something metal bounced off my left hip and went ringing down the pavement.
Jenny was right behind me in the car. She and I had spent the evening riding on the Centennial Trail. I had ridden up the hill to the office to retrieve my pack. She met me there, took my pack, and was headed home.
While in the left turn lane from south-bound Pines to east-bound Broadway, I heard shouts somewhere behind me. The shouts got louder when I turned my head to my right to see if someone in the car to my immediate right was trying to speak to me. I never did hear what they said, but Jenny had her windows down and heard the word "bike." So, she was already in defensive mode.
Just after the turn, the punks passed, threw some projectile, quite accurately, but with no ill effects, and headed down Broadway. Jenny pulled alongside and I told her to get their license plate number.
She caught up with them right away and took down their number. I almost caught them at the next light, McDonald; it turned green just as I arrived.
I did catch them at the following light, Evergreen.
The young punk in the passenger's seat got a bit wide eyed when I pulled alongside. I'm sure he didn't expect to be caught by an old fat guy on a bicycle.
Words were exchanged, the light turned green, and, as they pulled away, another coin or bottle cap was hurled my way – a miss.
Having a license plate number, descriptions of the car and passenger, I called Crime Check as soon as I got home. The operator informed me she would need to send an officer to take the report in person since the incident would be considered an assault.
A report was filed. Now, we'll see what comes of it. The officer who took the report was completely humorless. If I said he was rude, I might be mistaken, but not by much. Perhaps it is the required demeanor of law enforcement – I don't know. His parting words were less than encouraging, though:
"This will go to the detectives. They might follow up on it."
Might?
Santa Maria
I spent last week at a client's site in Santa Maria. The bike went with me. Several years ago, I made a similar trip with the bike and had some great evening rides. It was long enough ago that I couldn't remember the routes I had taken.
Monday, just before closing, I stopped by Main Street Cycles where I found a very friendly and helpful young man tending the store. He provided me with some route advice and one of the best cycling maps I've ever seen. The map is available free of charge. A description and details are available online: Bicycling in Santa Barbara County.
I was able to get in three evening rides:
The weather was great! Spokane was experiencing near record highs while I was away, so highs in the upper seventies were very welcome.
Santa Maria has plenty of bike lanes and I was quite comfortable riding there. The bike lanes were much, much cleaner than here in the Spokane Valley where I reside – not free of debris, by any means, but ridable.
However, I only saw two other cyclists in my 70 miles of riding there. And I was warned by a few non-cyclists that the area isn't very bicycle friendly despite the bike lanes and maps. Fortunately, I didn't have any negative experiences to validate their assertions. I look forward to my next trip to Santa Maria.
The one truly frustrating experience on the trip was getting the bike checked as baggage. First, it cost $100, round trip. The extra charge for transporting a bicycle is outrageous, but that's a dead horse issue I won't beat.
The real problem is the new, heightened security.
I have an Iron Case for packing my bike for travel. I take a lot of care when packing the bike to ensure nothing gets broken, bent, scratched, etc. I pack the bike, tools, grease and chain lube and a few rags.
Coming and going, the TSA had to open and inspect the contents of the bike case. I was allowed to stand by and answer questions, but I was not allowed to touch. So, the contents were shuffled and repacked far less optimally than I liked. Fortunately, no damage resulted, but it was a concern.
In Spokane, on the way out, they confiscated my chain lube, perhaps 1/2 ounce of White Lightning. The bottle says flammable, so it is obviously an inherent danger to the passengers. Of course, I'll bet it is no more flammable than those mini bottles of booze they store in the galley. But why argue. The TSA agents just follow the rules as illogical as they are.
Fri, 18 Jul 2003
Crackers died
Crackers is a silly name for a cockatiel, I suppose, but the kids were young and they helped name him. He was purchased as a gift for Christopher for his 11th birthday. This morning, Chris and Jenny were sitting on the sofa when they heard 3 distressed chirps from Crackers. When they got to his cage, he was feet up.
He was 11 years old. Supposedly cockatiels can live up to 20 years, so Crackers apparently died young.
Several years ago, Crackers gave us one of our lasting, family memories. He escaped and was missing for 2 weeks.
We had a policy of locking all the doors when Crackers was out of his cage to prevent him from escaping if someone unexpectedly opened an outside door. For whatever reason, one of the doors didn't get locked and one of the kids came in while another had him out of his cage. He made his exit.
I got a panicked call at work and came home to find some teary eyed kids trying to coax their bird down from the top of the willow tree in the back yard. To no avail.
He moved from tree to tree, then finally took off, circling higher and higher, and disappeared from sight.
We placed an ad in the newspaper, notified the local pet stores, and spent evenings and weekends on our bikes pedaling around the Spokane Valley calling for our lost bird.
Through a failure on our part, we never called the Animal Shelter. We simply thought of it as a place for dogs and cats. Not birds. It turns out, someone found Crackers, exhausted beside the road, and took him to the Animal Shelter. A worker there saw our ad in the paper, but not before they had adopted Crackers out. She called to tell us so that we wouldn't be worried, but offered little hope of us getting our bird back.
We pleaded our case, and she contacted the new owners. She ended up bringing Crackers to the house to see if she could determine, definitively, whether or not he was our missing bird.
It was obvious from the moment he entered the house. "HEY! Where's everybody been! You wouldn't believe what's happened to me!" he jabbered in bird speak.
The clincher for the lady that brought him by was when one of the kids grabbed a toothbrush and said, "Watch, he brushes his teeth." While April or Chris (I don't recall which) brushed their teeth in front of Crackers, he started bobbing his head up and down doing his best toothbrush noise imitation. There was no doubt in anyone's mind, it was Crackers.
Rest in peace, Crackers.
Wed, 16 Jul 2003
Dropping IDENT requests causes e-mail delays
Some router/firewall boxes silently drop IDENT requests instead of refusing them. Steve Gibson refers to this as "stealth mode." In theory, the advantage is that an attacker can't tell that anything even exists at your IP address if it doesn't respond to any connection attempts, including port 113, the IDENT/AUTH service.
But dropping all IDENT requests leads to long connection delays for many popular services, including outbound e-mail connections to many SMTP servers.
The smart thing to do is drop (or "stealth") IDENT connections from hosts you have no active, outbound connections with. Refuse IDENT connections, which requires sending a reply packet, from hosts to which you have established TCP connections. A stateful firewall should be able to do this, but I haven't done any research to discover whether such firewall/router boxes exist short of configuring a Linux or FreeBSD server for that purpose.
An associate of mine has a Netgear RP614 Broadband Firewall/Router box. He complained that his e-mail connections were intolerably slow and asked me to investigate. The problem was dropped IDENT requests. His system made connections through the Netgear box to an SMTP server on the Internet. Upon establishing each connection, but before sending any data on the connection, the SMTP server attempted an IDENT connection back to my associate's computer. His Netgear box silently dropped the incoming IDENT packets.
SMTP servers typically handle two situations quite well. The first is an accepted IDENT request. If the host making the outgoing SMTP connection has an active IDENT service, the SMTP server connects to it, requests the user ID associated with the outgoing SMTP connection, and adds that bit of information to its logs and/or Received headers. This is quite useful for tracking down the party responsible for e-mail abuse on a multi-user system. Without it, the task would be much more difficult.
The other common, and quite valid, case is to refuse IDENT requests. When this happens, the SMTP server gets an immediate response to its request: "No!" Fine. It simply notes that no user ID is available and proceeds with the SMTP mail transfer.
When the IDENT requests are silently dropped, however, what is the SMTP server to do? It has little choice. It assumes its unanswered packets are traveling on a slow or congested network. It waits. After it has waited long enough, it decides the IDENT packet may have been lost on the Internet before reaching its destination. Another request is sent. This wait/resend cycle continues, usually for 30 seconds, but it is often configurable and can be longer or shorter. In any case, it causes a very noticeable delay before the SMTP mail transfer actually begins.
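The three outcomes just described (an answered request, a refused one, and a silently dropped one), as an added example that is not part of the original article: a small Python querier that speaks the IDENT protocol (RFC 1413) the way an SMTP server does, together with a constructed loopback stand-in for the remote host so all three cases can be exercised offline. The names ident_lookup, start_fake_ident_server and closed_loopback_port are mine. The stand-in for the dropped case accepts the TCP connection and then stays silent, whereas a real stealthed port never even completes the handshake, but the querier's experience is the same in both: nothing comes back, and it sits there until its timeout expires.

```python
"""IDENT (RFC 1413) lookup as an SMTP server performs it, with the three
possible outcomes. Added illustration; the server side here is a constructed
loopback stand-in, not a real IDENT daemon."""
import socket
import threading
import time


def build_ident_request(server_port, client_port):
    # RFC 1413 query line: "<port on the querying server>, <port on the client>" CRLF
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_response(line):
    """Parse one RFC 1413 reply line.

    Returns ("USERID", opsys, user) for a positive reply such as
    "6191, 23 : USERID : UNIX : stjohns", ("ERROR", code) for a negative one
    such as "6193, 23 : ERROR : NO-USER", or None if the line is malformed.
    """
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        return None
    kind = fields[1].upper()
    if kind == "USERID" and len(fields) == 4:
        return ("USERID", fields[2], fields[3])
    if kind == "ERROR" and len(fields) == 3:
        return ("ERROR", fields[2].upper())
    return None


def ident_lookup(host, server_port, client_port, ident_port=113, timeout=30.0):
    """Query the client's IDENT service; timeout plays the role of the
    30-second wait/resend budget mentioned in the text.

    Returns ("user", opsys, name) when the client answers with a user ID,
    ("no-user", code) when it answers with an ERROR line,
    "refused"  when the port is closed (TCP reset, so the answer is immediate),
    "timeout"  when nothing ever comes back (the silently dropped, stealth case),
    "malformed" when the reply cannot be parsed.
    """
    try:
        # create_connection leaves the timeout set on the socket, so both the
        # connect and the later recv give up after `timeout` seconds.
        with socket.create_connection((host, ident_port), timeout=timeout) as sock:
            sock.sendall(build_ident_request(server_port, client_port))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    reply = parse_ident_response(data.decode("ascii", "replace"))
    if reply is None:
        return "malformed"
    if reply[0] == "USERID":
        return ("user", reply[1], reply[2])
    return ("no-user", reply[1])


def start_fake_ident_server(reply):
    """Constructed stand-in for the client host, listening on a loopback port.

    If `reply` is bytes it is sent back to the first connection. If it is None
    the server reads the request and never answers, which from the querier's
    point of view is what a firewall that drops the packets looks like.
    Returns the port number.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn, listener:
            conn.recv(1024)          # consume the "<sport>, <cport>" query
            if reply is None:
                time.sleep(3)        # stay silent; the querier gives up first
            else:
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """A loopback port with nothing listening, so connecting to it gets a reset."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    answered = start_fake_ident_server(b"25, 40001 : USERID : UNIX : marc\r\n")
    print("answered:", ident_lookup("127.0.0.1", 25, 40001, ident_port=answered, timeout=2.0))
    print("refused: ", ident_lookup("127.0.0.1", 25, 40001, ident_port=closed_loopback_port(), timeout=2.0))
    silent = start_fake_ident_server(None)
    print("dropped: ", ident_lookup("127.0.0.1", 25, 40001, ident_port=silent, timeout=0.5))
```

The refused case returns the moment the reset arrives, which is why a router that refuses port 113 costs an outbound SMTP session nothing; the dropped case only returns when `timeout` runs out, which is the delay the associate was seeing, multiplied by however many times the mail server retries before giving up.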
While searching for a solution to this problem from the source of all knowledge, I found only one reference regarding the Netgear RP614 and IDENT requests, a comparative review of the Netgear RP614 and the D-Link DI-604 by Scot Finnie, publisher of the, apparently, very popular Scot's Newsletter.
In his review, Scot preferred the Netgear box's approach to IDENT requests: silently dropping IDENT packets. In fact, even though his bottom-line choice was the D-Link router, he considered its "closed port" (i.e., refused connections) a bug and encouraged the manufacturer to fix it.
I wrote Scot an e-mail explaining that I was trying to solve a problem created by the very security feature he preferred. I assumed that he may not have been aware of the connection delays stealthing port 113 causes.
What did I expect?
I suppose I expected a reply along the lines of, "Yes, I'm aware of the issue. It is a non-issue, and here's why…"
I hoped for a reply along the lines of, "You are correct. I will let my readers know the pros and cons of stealthing port 113. Some, if not all, would be better served by a firewall that refuses IDENT requests than by one that silently drops them."
What I got was:
…RFCs don't matter to me in the least. What matters to me is something that works.
I'm not against the IDENT functionality; just the way it's been implemented.
To which, I replied:
…Surely, you don't mean what you're say[ing] here. The Internet works as well as it does because of compliance with RFCs. Without them, interoperability between platforms, programs, and networks would be virtually impossible. The fact that you and I are exchanging e-mail at all is because RFCs do matter to the people that created the tools we're using to communicate.
In what way is it implemented incorrectly? How would you implement the functionality it provides in a way that wouldn't create problems for firewalls that blindly drop IDENT packets?
Then I got this retort:
Marc, you're not listening. And you just want to b***** about your e-mail problem. As I said before, most people don't have this problem. If you decide to become a subscriber, let me know. I'll have more time to discuss this with you then.
I meant everything I said. And none of your arguments swayed me. I have thousands of readers. Not everyone has the same problems you do. I represent everyone. Not just one.
Wow! I truly was trying to be helpful by pointing out what I thought was an oversight in Scot's review. This exchange was really not what I expected.
Scot may have thousands of loyal subscribers. I think I only have one (Hi Mom!), but I think she's getting better advice.
No, I won't be subscribing to Scot's newsletter. My first encounter didn't leave me feeling like I'd discovered an expert.
Mon, 14 Jul 2003
Like the Nike commercials
Stage 9 of the Tour de France, Bourg d'Oisans to Gap, was perhaps the most thrilling TDF stage I've ever followed. Numerous breakaways were chased down. Lance Armstrong lost his overall lead, at one point over 5 minutes behind the stage leaders, then regained it to finish just 36 seconds behind the stage winner. The winner, Alexandre Vinokourov, of the Telekom team is now only 21 seconds behind Lance in the overall standings.
Lance narrowly avoided a crash that took second place overall, Joseba Beloki, out of the tour. He went down hard on a fast corner just ahead of Lance. Beloki suffered a fractured upper femur, a complex fracture of the right elbow, a simple fracture of a right finger and multiple contusions to the hip.
Beloki's crash cut off Armstrong's path forcing him off the road.
Just like a Nike commercial, Lance went cross country, cutting the corner and rejoining his group on the road. Tyler Hamilton, another incredible story this year, a former teammate of Armstrong, gave him an amazed, congratulatory pat on the back as Lance remounted his bike to finish the last few kilometers of the race.
Hamilton, who broke his collar bone in a crash in stage 1, has continued not only to ride, but to ride at the front. He's fifth overall, less than two minutes behind the yellow jersey.
I generally take a few minutes in the morning to read an article or two about the day's Tour de France coverage. After reading about today's stage I had to arrange to watch the television coverage after work with my bikin' buddy, Tim Maher. I don't get the Outdoor Life Network channel; Tim does, so I invited myself over. (Sorry Michele!)
There are literally hundreds of articles on the Internet about today's Tour de France stage to feast on:
Sat, 12 Jul 2003
Highway 27 Climb
This morning, for the first time this year, I rode up the hill on highway 27.
I made two loops:
I time the climbs from the reflector pole at the base of the hill to the last reflector pole before the climb flattens and the road begins to curve left.
Somewhere (hopefully not on the hard drive from the old Windows system that died) I have times from prior years. It seems to me I had gotten my times down under 6 minutes and was hoping to get down to 5. I was younger, lighter, and in better shape then.
Today's climb times were 9:04.5 and 9:04.9. Consistently slow. <g>
There was a strong headwind to fight or the times would have been slightly better, but I obviously have a long way to go to regain my prior fitness level.
Fri, 11 Jul 2003
Happy Birthday, Christopher!
Wow! The years have gone by way too fast. Our little boy is all grown up. We had been parents for 21 months when Chris was born; we thought we had the game all figured out. Chris quickly taught us how wonderfully wrong we were. Some children need strong discipline, strict guidelines, and constant supervision. Chris, crushed by a harsh word, needed only encouragement, love, advice, and challenge.
Happy 21st, Chris!
Tue, 08 Jul 2003
SMTP Authentication in Exim
At work, we recently took our Microsoft Exchange Server off the front lines. It still handles internal mail, but all external connections are made via Linux servers running Exim.
The motivation for the change was spam. We discovered we could eliminate about 50% of our spam by using the Spamhaus RBL. It is trivial to configure Exim to use an RBL. The same can't be said for Exchange Server. Simply making a Linux server the primary MX wasn't enough. The spammers just backed off to other MX hosts, the Exchange Server being one of them.
So, we configured back-up MX support on three separate domains each on different broadband networks. They each provide backup MX for the other two and they each use the same RBLs. Spam on all three domains dropped dramatically.
We had, however, relied on the Exchange Server to provide our road warriors with SMTP access. We allowed relaying from IP addresses on the internal network and for authenticated connections from the Internet.
I was unable to find a way to allow relaying for authenticated connections while disallowing any mail delivery from unauthenticated connections. So, I simply added SMTP authentication support to one of the Exim servers.
The following configuration was added to a new, 7th section in the exim.conf file:
# End the Rewrite section. It was implicitly ended here before,
# because this was the end of the file.
end

################################################################
#                  AUTHENTICATION CONFIGURATION                #
################################################################

auth_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if eq{$2}{${lookup{$1}lsearch\
                     {/etc/exim/passwd}{$value}fail}}{1}{0}}"
  server_set_id = $1

auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if eq{$3}{${lookup{$2}lsearch\
                     {/etc/exim/passwd}{$value}fail}}{1}{0}}"
  server_set_id = $2

auth_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = "${lookup{$1}lsearch{/etc/exim/passwd}\
                  {$value}fail}"
  server_set_id = $1
I started with CRAM-MD5 hoping, but not expecting, the remote Microsoft Outlook clients would use it to authenticate without sending clear text passwords. Not surprisingly, Outlook did not use it.
Next, I added the PLAIN method. This time, I was surprised when Outlook did not use it. I resorted to sniffing the authentication transactions between an Outlook client and the Exchange Server and discovered that the LOGIN method was being used. So, finally, I added LOGIN support. The other two remain to support any mail clients we may employ in the future that use them.
The password file /etc/exim/passwd is a simple key/value list of user IDs and passwords:
alice: sea-kert
bob: mySecret
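As an added example (not from the post and not Exim's own code), here is the checking that those three authenticators perform, written in Python against a constructed copy of the passwd file above; the comments map each mechanism's fields to the $1/$2/$3 variables the config uses, and the CRAM-MD5 pair shows why it was worth trying first: the password itself never crosses the wire. The challenge string and the helper names are my own.

```python
import base64
import hashlib
import hmac

# Constructed sample in the "key: value" layout Exim's lsearch lookup reads
# (stands in for the real /etc/exim/passwd; not real credentials).
PASSWD_TEXT = """\
alice: sea-kert
bob: mySecret
"""


def load_passwd(text):
    """Parse the lsearch-style file: one 'user: password' pair per line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, secret = line.partition(":")
        users[user.strip()] = secret.strip()
    return users


def _b64decode(text):
    """Decode one base64 SMTP AUTH argument; None if it is malformed."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None


def _same(a, b):
    """Constant-time string comparison (avoids leaking the match length)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def encode_plain(user, password, authzid=""):
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\x00{user}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def check_plain(users, arg):
    """auth_plain: $1=authzid, $2=authcid, $3=password; compare $3 with lookup($2)."""
    decoded = _b64decode(arg)
    if decoded is None or decoded.count("\x00") != 2:
        return None
    _authzid, authcid, password = decoded.split("\x00")
    secret = users.get(authcid)
    return authcid if secret is not None and _same(secret, password) else None


def check_login(users, user_arg, pass_arg):
    """auth_login: replies to 'Username:'/'Password:' are $1/$2; compare $2 with lookup($1)."""
    user, password = _b64decode(user_arg), _b64decode(pass_arg)
    if user is None or password is None or users.get(user) is None:
        return None
    return user if _same(users[user], password) else None


def cram_md5_response(challenge, user, secret):
    """Client side of CRAM-MD5: base64('user ' + hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode("utf-8")).decode("ascii")


def check_cram_md5(users, challenge, arg):
    """auth_cram: $1 is the user; server_secret = lookup($1); recompute and compare."""
    decoded = _b64decode(arg)
    if decoded is None or " " not in decoded:
        return None
    user, _, digest = decoded.partition(" ")
    secret = users.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return user if _same(expected, digest) else None
```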
One step closer to a non-Microsoft network!
Sun, 06 Jul 2003
Getting mail to AOL users
Since finally getting broadband Internet access a few weeks ago, I have very much enjoyed the ability to host my own web server and mail server.
Today, however, I had trouble sending e-mail to a couple of AOL users in my address book. I remembered reading a /. article about AOL blocking e-mail from DSL hosted accounts, so I immediately recognized the problem.
Fortunately, solving it was trivial. I prefer to let my mail server, running Exim, send mail directly, but adding a smarthost router entry for AOL was quick, easy, and solved the problem:
smarthost:
  driver = domainlist
  transport = remote_smtp
  route_list = "aol.com smtp.comcast.net bydns_a"
I just inserted the smarthost entry ahead of my default lookuphost router entry. Now, mail to aol.com users is sent via my ISP's mail server. Everything else is still sent directly.
Sat, 05 Jul 2003
While you were away…
April and I had some fun. Family friends asked her to care for their animals while they were away for the holiday weekend. They told her to feel free to use the pool. So, even before they left town, we hatched a plan for a bit of a prank, Internet style.
Yesterday, we drove over with a grocery sack full of empty beer bottles as props and a digital camera. April took pictures while I modeled my swim wear. (No commercial offers, please — it’s just a hobby. <g>)
Our biggest problem was finding empty beer bottles. Where do you find them the day after trash pickup and a holiday to boot? Sad, but true, I dumped many good bottles of perfectly good beer down the drain. Our little project was more important at the time than our cooler full of beer.
You can see a few more of our favorite shots here.
Wed, 02 Jul 2003
First flat
I left the office at 5:15. At home, we've been working on a house painting/repair project for weeks. Cheaply built in the mid-70s, the house needed poorly sealed windows, weather damaged fascia boards, and a dry rotted false chimney replaced.
Christopher was scheduled to work 6 PM to close at his summer job. If I made it home by 5:30, that would get me 15 minutes to get the heavy panels for the false chimney I assembled yesterday onto the roof before he left for work.
I carried the bike up the outside stairs from the basement before realizing the back tire was flat. Sigh. Oh well. Back inside to fix my first flat of the year.
Halfway through the tube replacement, I was paged. Had to take a support call.
Now, this particular user's initials are TDS. He's my employer. (And if I've exceeded the boundaries of his sense of humor, that last statement may only be true in the past-tense!) By force of authority, TDS reverses the troubleshooting process. Instead of starting with the most likely problem (user error), and working forward (user's desktop computer, …, mail server), we have to work in reverse.
The mail server is down.
I check the server. It's up and running. I can connect from inside. I ssh to an external system and try from there. "The server is up and running and it is accessible from the outside," I report.
We go from there to checking server logs for authentication errors, firewall rules, and eventually, packet sniffing to watch the inbound and outbound packets on port 25. Nothing.
"Perhaps your ISP is now blocking port 25 access," I venture. Testing that hypothesis, I have him check various other mail servers with telnet to port 25. No luck. We seem to be confirming the theory.
I have him try the POP3 port. If his ISP has blocked port 25, we will have to use their SMTP server for outbound mail. He should still be able to retrieve mail directly from the company's mail server, though.
No luck. Then, in the midst of failed attempts to connect to other servers, I see a series of packets exchanged between his IP address and our POP3 server.
"What did you do differently," I query.
"Nothing."
"Hmmm. Go see if Brenda can receive mail." TDS runs a small home network, and Brenda, his better half, has a mail account.
Sure enough, Brenda can send and receive mail, and it was a periodic mail check I had seen with tcpdump.
"Well, obviously, it's your system," I say.
"How can that be?"
"Are you running Windows?" Yes. I blame everything on Windows. It's easy, and usually correct.
"No," he says, "I'm running Linux." An outright lie, of course. If he was running Linux, we wouldn't be having this conversation. First, Linux wouldn't be behaving this way. Second, any user capable of running Linux could troubleshoot this problem without my assistance. No offense to the hand that feeds me. <g>
"Well, then, it's a hardware problem." What's that line? The first liar doesn't have a prayer — I learned it from TDS.
Are you running a virus scanner?
Yes, of course. I updated it today.
Ah-ha!
"Let's see. It's supposed to be scanning incoming and outgoing e-mail, but there's an error icon."
A config change (unadmitted, of course) and reboot, and he's receiving mail, again.
And I make it home by 7. Just enough time left to haul the components for the false chimney up on the roof without Christopher and assemble them before an advancing thunderstorm chases me off the roof.
Damn, that was a pretty sunset behind those lightning bolts from my vantage point on the roof. <g>
Mon, 30 Jun 2003
Weight spike
There is a considerable spike on my weight chart today. It's the result of my first big meal since April 18th. Yesterday was Jenny's birthday, and we celebrated at Red Lobster. Rolls, mozzarella cheese sticks, Caesar Salad, steak and shrimp, and Bananas Foster Cheesecake seriously derailed the trend line.
I'll be back on the bike and back to restricting calories today to see if I can make a quick course correction. So, what's a typical meal plan?
Sat, 28 Jun 2003
Model of efficiency
This week, I saw a superb example of efficiency. A roofer, working alone, and making progress at an astonishing pace.
He was putting a new roof on an office building across the street from Spokane Software Systems where I work. For the three days prior, three men had worked to remove the old roof. At about ten-thirty on this particular morning, however, there was only one worker, and he was already a third done.
I had just looked away from the computer screen for a moment to give my eyes a break when I noticed him. He was opening plastic wrapped bundles of tar shingles. Somehow, he'd pick them up, flip them over, releasing the shingles from the wrapper which he then twirled like a towel. Just at the point where (were it a towel) you'd expect him to snap an unsuspecting victim, he brought his hands together collapsing the wrap into a tight, plastic ball and discarded it in a box.
He repeated the unwrapping process on several packages of shingles in just a few moments. Then, without a pause in the action, he began shuttling stacks of freshly unwrapped shingles down to the edge of the roof, placing stacks diagonally up the roof where the new shingles he had already laid met bare tar paper. Each time he placed a stack of shingles, he would fan each end of it like a deck of cards.
The pace was incredible. He was just short of running from the pallet load of shingles at the peak of the roof to the next pre-staging point, moving up the diagonal on the roof, back-and-forth, back-and-forth.
When the pre-staging was complete, he began nailing new shingles in place with an air powered nail gun. Bam-bam-bam…bam-bam-bam…bam-bam-bam, perhaps one every two seconds. In no time, he had completed a march up the diagonal front to the peak of the roof. Then, he turned, and on his way back to the bottom edge of the roof, flipped each bundle of pre-staged shingles over, marching them toward the advancing front.
You could literally watch the line of new shingles advance across the roof.
I had only watched a few minutes, and in that time had seen him lay three or four new rows of shingles up the roof. Amazed at his efficiency, I turned back to my own work re-motivated.
About a half-hour later, I looked up again, expecting to see significant progress. I was surprised to see virtually none – perhaps only one or two rows of shingles had been laid down since I had stopped watching.
I quickly spotted the problem. There were three workers on the roof, now. One was handing the original roofer shingles, but he was nowhere near fast enough. And instead of pre-staging them so enough were within reach at every point along the way, the helper ran to the peak and grabbed a new stack each time they ran out.
Bringing up the rear was another roofer. He was laying shingles in a second advancing line, but without assistance and without any pre-staging. So he was constantly setting his nail gun down and fetching more shingles. When the first roofer reached the peak and returned to the bottom edge of the roof for another pass, the two roofers had to deal with their tangled air lines. The beautifully efficient work that I had witnessed earlier had collapsed into a chaotic stagger.
The addition of two people to the job slowed progress to a crawl. Seeing it reminded me of The Mythical Man-Month. Apparently the principle holds true in disciplines other than software engineering.
Thu, 26 Jun 2003
Two weeks, two incidents
Tomorrow marks my second full week riding to work and back, this year.
As a cyclist, sharing the road with motorists can be challenging and dangerous, especially when sharing it with the ignorant and the hostile. I’m accustomed to the “Get on the sidewalk!” shouts and other, much more threatening actions from the latter group. So, I wasn’t surprised the other morning when I pulled up to a stop light to make a right-hand turn and encountered a hostile motorist on my tail.
Fri, 20 Jun 2003
Summer Solstice
There was some discussion at work today, on a break, about the Summer Solstice. Tomorrow is the longest day of the year in our neck of the woods.
I thought I had a reasonably good understanding of the earth’s tilted axis and its effects on the Sun’s path through the sky from my observation point here at 47.63 degrees north latitude. But someone asked, “Is it the longest day of the year everywhere in the Northern Hemisphere, or just everywhere north of the Tropic of Cancer? And, if it’s the longest day of the year at some dividing line, how can it be the shortest day of the year just on the other side of that line?”
It wasn’t until I got home and found a few quiet minutes to close my eyes and ponder the question that it all made sense.
Yes. Tomorrow is the longest day of the year everywhere in the Northern Hemisphere, and conversely, the shortest day of the year everywhere in the Southern Hemisphere. And you can stand on the dividing line between the two.
Right on the equator, every day, year-round, is the same length. Twelve hours of light and twelve hours of darkness. A few feet north, the days get just a little (as in infinitesimal fractions of a second) longer as the North Pole tilts toward the Sun, peaking at the Summer Solstice. The farther from the equator you get, the more pronounced the effect, until, at the North Pole, the Sun does not rise or set. It circles the sky, 23 degrees above the horizon.
At the equator, although the Sun makes a northward arc as it travels across the sky, it rises due east and sets due west. At our latitude, this time of year, the Sun rises in the northeast and sets in the northwest, arcing southward as it travels across the sky. It’s the extra time it spends morning and evening, north of us, that gives us the extra hours of daylight.
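As an added example (my own, not from the post), here is the day-length calculation behind that explanation in Python. It assumes the standard sunrise equation and a solstice declination of 23.44 degrees (the post rounds it to 23), and it carries the argument to any latitude on either side of the equator.

```python
import math

# Assumed Sun declination at the June solstice, in degrees.
SOLSTICE_DECLINATION = 23.44


def day_length_hours(latitude_deg, declination_deg=SOLSTICE_DECLINATION):
    """Hours between sunrise and sunset for an observer at the given latitude.

    Sunrise equation: cos(H) = -tan(latitude) * tan(declination), where H is
    the Sun's hour angle at sunrise. Daylight lasts 2H, and 15 degrees of hour
    angle is one hour. Refraction and the Sun's diameter are ignored, so the
    equator gets exactly 12 hours every day, as the post says.
    """
    x = -math.tan(math.radians(latitude_deg)) * math.tan(math.radians(declination_deg))
    if x <= -1.0:      # Sun never sets (polar day)
        return 24.0
    if x >= 1.0:       # Sun never rises (polar night)
        return 0.0
    hour_angle_deg = math.degrees(math.acos(x))
    return 2.0 * hour_angle_deg / 15.0


def daylight_table(latitudes, declination_deg=SOLSTICE_DECLINATION):
    """Map each latitude to its day length as (hours, minutes), rounded to the minute."""
    table = {}
    for lat in latitudes:
        minutes = round(day_length_hours(lat, declination_deg) * 60)
        table[lat] = divmod(minutes, 60)
    return table


if __name__ == "__main__":
    # North Pole, Arctic Circle, the post's latitude, Tropic of Cancer, equator,
    # then the mirror latitudes south of the equator on the same day.
    for lat, (h, m) in daylight_table([90, 66.56, 47.63, 23.44, 0, -47.63, -90]).items():
        print(f"{lat:7.2f} deg: {h:2d}h {m:02d}m")
```

For the post's latitude this gives roughly 15.8 hours of daylight, and the mirror latitude in the south gets the remainder of the 24 hours, which is exactly the symmetry the question was about.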
Now that I’ve resolved my own confusion over the matter, I should be able to get a few hours sleep before the long day begins …unless I start worrying about when North, South, East, and West should be capitalized and when they shouldn’t.
Wed, 18 Jun 2003
This Hacker’s Diet
A few years ago, I went from about 220 pounds to 160 pounds with a low calorie diet and plenty of bicycling.
In the years since, for a variety of reasons (…excuses?…) I put all the weight back on, and more.
Then, referenced in a slashdot article I found John Walker’s on-line book, The Hacker’s Diet.
Reading it gave me just enough motivation to finally start taking the pounds off again. I wrote a couple of simple perl scripts to log my weight and graph it. I try to keep it updated, daily, for my own reference and to thumb my nose at a few friends who are now fatter than me. <g>
About this weblog
This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to: [email protected].
Marc writes here about cycling, programming, Linux, and other items of personal interest.
This site is syndicated with RSS.
Archives
Credits
CSS stolen from Tom Coates who didn't even complain.