comment spam

The war on comment-spam has now begun. It appears that Blogger might have some anti-spam measures of which I was unaware. Otherwise it’s a strange coincidence that I get a huge number of comment spams for extremely hard-core porn from the Ukraine so soon after starting a WordPress blog.

About 24 hours before the spam attack there was a strange blog comment that linked to Google (with no offensive or spammy content). It appears that leaving it online was my mistake: when I left it up for a day, the spammer decided that I might also leave porn spam online. I arrived home this evening to find almost 100 spams in the form of comments and track-backs, with more arriving by the minute. So I used iptables to block a /20 related to the spam and things are quiet now.

The moral of the story is to delete anything unusual ASAP in case it encourages the idiots.

I’ve also tightened the anti-spam measures on my blog.

Update:

From now on any short comment that does not add significant meaning will not be accepted on my blog. To the person who submitted many dozens of comments with variants of “nice site” with the idea that the URL listed for the comment author will be visited by readers of my site – nice try. If you genuinely want to send me a message saying “nice blog” then email will work.

In the future I may remove the display of URLs for the comment authors entirely.

Several comments suggested using Akismet to block comment spam. Akismet is free for non-commercial use and charges for commercial use (a suggested threshold being $500 per month in blog revenue).

For the moment I am going to moderate all comments, the number of genuine comments is quite small and this is no great effort for me. I check the moderation list at least twice a day so there shouldn’t be an excessive delay either.

new blog

I am starting to move my blog to my own WordPress server. Here is the new URL for my main blog (feed), and here is the new URL for my Source-Dump blog (feed) which is now named just “dump”.

WordPress gives me the power to change all aspects of my blog’s operation (including adding plug-ins). It also allows me to correctly display greater-than and less-than characters (the Perl script I use for converting them is at this post – it’s short now but will probably grow).

Hopefully the new blog will also solve the date problems that some Planet readers have been complaining about.

I will briefly put the same content on both the old and new blogs, when I’m fully confident in the new blog I’ll stop updating the old one and try to get all Planet installations changed. Anyone who wants to convert their Planet installation to my new blog now is welcome to do so.

more on presentations

Here’s an amusing video about how not to do presentations.

paper about ZCAV

This paper by Rodney Van Meter about ZCAV (Zoned Constant Angular Velocity) in hard drives is very interesting. It predates my work by about four years and includes some interesting methods of collecting data that I never considered.

One interesting thing is that apparently on some SCSI drives you can get the drive to tell you where the zones are. If I get enough spare time I would like to repeat such tests and see how the data returned by disks compares to benchmark results.

It’s also interesting to note that Rodney’s paper shows a fairly linear drop of performance at higher sector numbers (while he notes that it would be expected to fall off more quickly at higher sector numbers). One of my recent tests with a 300G disk showed a greater-than-linear performance drop (see my ZCAV results page for more details). It might require modern large disks to show this performance characteristic.

I also found it very interesting to see that a modified version of Bonnie was used for some of the tests and that it gave consistent results! I assumed that any filesystem based tests of ZCAV performance would introduce unreasonable amounts of variance into my tests and instead wrote my ZCAV test program to directly read the disk and measure performance.

It’s times like this that I wish for a “groundhog day” so that I could spend a year doing nothing but reading technical papers.

moving this blog

I’m going to move this blog. The content is now at http://dump.coker.com.au/ .

The aim is to fix the problems documented here (among other things) by moving to a site that I control.

MySQL security in Debian

Currently there is a problem with the default MySQL install in Debian/Etch (and probably other distributions too): it sets up “root” with full DBA access and no password by default. The following mysql command lists all MySQL accounts with Grant_priv (one of the capabilities that gives great access to the database server) and shows their hashed passwords (as a matter of procedure I truncated the hash for my debian-sys-maint account). As you can see, the “root” and “debian-sys-maint” accounts have such access. The debian-sys-maint account is used by the Debian package management tools and its password is stored in the /etc/mysql/debian.cnf file.

$ echo "select Host,User,Password from user where Grant_priv='y'" | mysql -u root mysql
Host    User    Password
localhost       root
aeon    root
localhost       debian-sys-maint        *882F90515FCEE65506CBFCD7

It seems likely that most people who have installed MySQL won’t realise that this problem exists and will continue to run their machines in that manner. This is a serious issue for multi-user machines, since any local user can connect as the MySQL root account without a password. There is currently Debian bug #418672 about this issue. In my tests this issue affects Etch machines as well as machines running Unstable.
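The query above only shows the problem on one server. The following script is an added example (not from the original post) that turns the same check into something that can be run against a dump of the mysql.user table on every machine you administer: it flags accounts holding Grant_priv or Super_priv whose Password column is empty, and emits the SET PASSWORD statements to fix them so they can be reviewed before being fed back to mysql. The Super_priv column, the MySQL 5.0 SET PASSWORD syntax, the file path /root/users.tsv and the sample rows (which mirror the post’s output, with the same truncated hash) are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: audit a dump of the mysql.user table for
# accounts that hold Grant_priv or Super_priv (Super_priv is assumed present, as in
# MySQL 5.0 which Etch ships) but have an empty Password column, then turn the hits
# into SET PASSWORD statements that can be reviewed before being fed back to mysql.
#
# To audit a real server, dump the table in the same format as the sample below:
#   echo "select Host,User,Password,Grant_priv,Super_priv from user" \
#       | mysql -u root mysql > /root/users.tsv
# then:  find_passwordless_admins /root/users.tsv | gen_fix_sql "$NEWPW" | mysql -u root mysql

# Print "user<TAB>host" for every privileged account whose Password column is empty.
# Reads the named file, or stdin when no file is given. The first line is the header.
find_passwordless_admins() {
    awk 'BEGIN { FS = "\t"; OFS = "\t" }
         NR > 1 && ($4 == "Y" || $5 == "Y") && $3 == "" { print $2, $1 }' "$@"
}

# Convert the audit output into SQL that assigns the password given as $1 to each
# account. SET PASSWORD takes effect immediately, so no FLUSH PRIVILEGES is needed.
# Account names containing a single quote are not escaped here; names that odd
# deserve manual handling anyway.
gen_fix_sql() {
    newpw=$1
    tab=$(printf '\t')
    while IFS="$tab" read -r user host; do
        printf "SET PASSWORD FOR '%s'@'%s' = PASSWORD('%s');\n" "$user" "$host" "$newpw"
    done
}

# Constructed sample mirroring the post's output (hash truncated, as in the post),
# plus an unprivileged passwordless account that the audit must ignore.
sample_dump() {
    printf 'Host\tUser\tPassword\tGrant_priv\tSuper_priv\n'
    printf 'localhost\troot\t\tY\tY\n'
    printf 'aeon\troot\t\tY\tY\n'
    printf 'localhost\tdebian-sys-maint\t*882F90515FCEE65506CBFCD7\tY\tY\n'
    printf 'localhost\twebapp\t\tN\tN\n'
}

# Stand-alone demonstration: list the offenders and the SQL that would fix them.
sample_dump | find_passwordless_admins | gen_fix_sql 'change-me'
```

Two things worth noting: “mysqladmin -u root password” only changes the password of the account you connect as (root@localhost here), so the second root row for the host “aeon” would stay open, which is exactly why an audit over the whole table is needed; and if you read the new password with “read -r” rather than typing it on the command line it stays out of the shell history. The mysql_secure_installation script shipped with the server package covers the common case (all root rows, anonymous accounts, the test database) but does not audit other accounts that were granted Grant_priv.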

booting from USB for security

Sune Vuorela asks about how to secure important data such as GPG keys on laptops.

I believe that the ideal solution involves booting from a USB device with an encrypted root filesystem to make subversion of the machine more difficult (note that physically subverting the machine is still possible, e.g. by monitoring the keyboard hardware).

The idea is that you boot from the USB device which contains the kernel, initrd, and the decryption key for the root filesystem. The advantage of having the key on a USB device is that it can be longer and more random than anything you might memorise.

In my previous posts about a good security design for an office, more about securing an office, and biometrics and passwords I covered some of the details of this.

My latest idea however is to have the root filesystem encrypted with both a password that is entered and by a password stored on the USB device. This means that someone who steals both my laptop and my USB key will still have some difficulty in getting at my data, but also someone who steals just the laptop will find that it is encrypted with a key that can not be brute-forced with any hardware that doesn’t involve quantum-computing.
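One way to implement the “USB key plus typed password” idea above is a cryptsetup keyscript, in the style Debian’s initramfs supports via the keyscript= option in /etc/crypttab: cryptsetup runs the script with the key file as its first argument and reads whatever the script prints on stdout as the LUKS passphrase. The script below is an added example and not the post’s own code. It hashes the contents of the key file on the USB stick together with the passphrase typed at the console, so neither half alone reproduces the key. The path /usbkey/root.key, the crypttab line in the comments, the device /dev/sda2, the CRYPTTAB_NAME variable and the availability of sha256sum in the initramfs are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: a cryptsetup "keyscript" that requires
# BOTH the key file on the USB device AND a typed passphrase. Debian's initramfs runs
# a keyscript as   $keyscript "$keyfile" | cryptsetup luksOpen --key-file=- ...
# Assumed crypttab line (the USB stick must already be mounted at /usbkey by then):
#   cryptroot /dev/sda2 /usbkey/root.key luks,keyscript=/usr/local/sbin/usb-plus-pass
# sha256sum is assumed available (the busybox in an initramfs provides it).

# Combine the USB key material with the passphrase into one LUKS passphrase.
# Hashing the concatenation means neither half alone reproduces the key: the USB
# file supplies entropy that defeats brute force, the typed half covers theft of both
# devices. Output is 64 hex digits; the same bytes must be used when the slot is added.
derive_key() {
    keyfile=$1
    passphrase=$2
    [ -r "$keyfile" ] || { echo "usb-plus-pass: key file $keyfile not readable" >&2; return 1; }
    { cat "$keyfile"; printf '%s' "$passphrase"; } | sha256sum | cut -d' ' -f1
}

# Prompt for the passphrase on the console without echo and emit the derived key.
# CRYPTTAB_NAME is assumed to be exported by cryptsetup; a generic prompt is the fallback.
main() {
    keyfile=$1
    printf 'Passphrase for %s: ' "${CRYPTTAB_NAME:-encrypted root}" >&2
    stty -echo 2>/dev/null
    IFS= read -r pass
    stty echo 2>/dev/null
    echo >&2
    derive_key "$keyfile" "$pass"
}

# Only act as a keyscript when given the key file argument; sourcing the file (as a
# test harness does) just defines the functions without prompting.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To enrol the combined key, run the script once from a normal shell with the stick mounted, write its output to a tmpfs file, add it as a new LUKS key slot, and shred the temporary copy: “usb-plus-pass /usbkey/root.key > /dev/shm/newkey; cryptsetup luksAddKey /dev/sda2 /dev/shm/newkey; shred -u /dev/shm/newkey”. Keep a separate slot with a long passphrase that is stored offline, otherwise a lost or corrupted USB stick means a lost filesystem.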

Also, coincidentally, on Planet Debian on the same day Michael Prokop documents how to solve some of the problems relating to booting from a USB flash device.

free laptop

Jesus Climent writes about donating laptops.

Free Thinkpad

I have a Thinkpad 385xd laptop to give away for free. It has a PentiumMMX-233 CPU, 96M of RAM, a 3.2G IDE disk, and an 800×600 display. As of my last tests it works well and is currently running an old version of Debian.

The power connector on the laptop is a little broken (it takes a bit of work to plug the cable in) and the cable is also broken (I think that some of the wires are broken and it gets hot when used for a while). Probably the best thing to do would be to solder the cable from the PSU onto the motherboard.

If anyone has a good use for such a machine that benefits a free software project and can arrange to collect it from Melbourne Australia then let me know.

Also I can bring it to any conference that I attend.

Update: I recommend not giving things away via blog posts.

I had many responses from people who obviously didn’t read my post properly and none from people who I could meet who wanted to run Linux. So I gave it away at a meeting of my local LUG.

first look at CentOS 5 Xen

I have just installed a machine running CentOS 5 as a Xen server. I installed a full GUI environment on the dom0 so that GUI tools can be used for managing the virtual servers.

The first problem I had was selecting the “Installation source”; when you get it wrong the error message describes it as an “Invalid PV media address”, which caused me a little confusion when installing it at 10PM. Then I had a few problems getting the syntax of an nfs://1.2.3.4:/directory URL correct. But these were trivial annoyances. It was a little annoying that my attempts to use a “file://” URL were rejected; I had hoped that it would just run exportfs to make the NFS export from the local machine (much faster than using an NFS server over the network, which is what the current setup will lead people to do).

The first true deficiency I found with the tools is that they provide no way of creating filesystems on block devices. Allocating a block device or file in the Xen configuration tool merely assigns a virtual block device to the Xen image, and only one such virtual block device is permitted. The CentOS 5 installation instance that runs under Xen then has to partition the disk (it doesn’t support installing directly to an unpartitioned disk), which will make things painful when it comes time to resize the filesystems.

When running Debian Xen servers I do everything manually. A typical Debian Xen instance that I run will have a virtual block device /dev/hda for the root FS, /dev/hdb for swap, and /dev/hdc for /home. Then if I want to resize them I merely stop the Xen instance, run “e2fsck -f” on the filesystem followed by “resize2fs” and the LVM command “lvresize” (in the appropriate order depending on whether I am extending or reducing the filesystem).
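The order of those three commands is the part that bites people, because shrinking the LV before the filesystem cuts the tail off the filesystem. The script below is an added example (not from the original post) that prints the resize commands for one of the domU block devices described above in the correct order for the direction of the change; it prints rather than runs so the plan can be read first. The LV path /dev/lvm/xenhome and the sizes are assumptions taken from the post’s naming, and the 5% margin on shrinks is my own choice.

```sh
#!/bin/sh
# Added example, not from the original post: print the commands for resizing a domU
# filesystem that sits directly on an LV (no partition table) in the order that is safe
# for the direction of the change. The domU must be stopped first ("xm shutdown <name>").
# Sizes are whole MiB, which mean the same thing to lvresize ("M") and resize2fs ("M").
plan_resize() {
    lv=$1
    cur_mib=$2
    new_mib=$3
    if [ "$new_mib" -gt "$cur_mib" ]; then
        # Growing: enlarge the LV first, then let the filesystem expand into it.
        printf 'lvresize -L %sM %s\n' "$new_mib" "$lv"
        printf 'e2fsck -f %s\n' "$lv"
        printf 'resize2fs %s\n' "$lv"
    elif [ "$new_mib" -lt "$cur_mib" ]; then
        # Shrinking: the filesystem must get smaller BEFORE the LV. Shrink it 5% below
        # the target so that rounding differences between resize2fs and LVM cannot
        # truncate it, reduce the LV, then grow the filesystem back out to fill the LV.
        fs_mib=$(( new_mib - new_mib / 20 ))
        printf 'e2fsck -f %s\n' "$lv"
        printf 'resize2fs %s %sM\n' "$lv" "$fs_mib"
        printf 'lvresize -L %sM %s\n' "$new_mib" "$lv"
        printf 'e2fsck -f %s\n' "$lv"
        printf 'resize2fs %s\n' "$lv"
    else
        printf '# %s is already %s MiB, nothing to do\n' "$lv" "$cur_mib"
    fi
}

# Stand-alone demonstration with the post's naming: grow /home from 10 GiB to 20 GiB,
# then the plan for shrinking it back to 10 GiB.
plan_resize /dev/lvm/xenhome 10240 20480
plan_resize /dev/lvm/xenhome 20480 10240
```

Save the output to a file and run it with “sh -e” (or type the commands one at a time) rather than piping it into sh: lvresize asks for confirmation when reducing, and e2fsck asks questions if it finds errors, and both need a terminal on stdin for that.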

Xen also supports creating a virtual partitioned disk. This means I could have /dev/lvm/xenroot, and /dev/lvm/xenswap, and /dev/lvm/xenhome appear in the domU as /dev/hda1, /dev/hda2, and /dev/hda3. This means that I could have a single virtual disk that allows the partitions to be independently resized when the domU in question is not running. I have not tried using this feature as it doesn’t suit my usage patterns. But it’s interesting and unfortunate that the GUI tools which are part of CentOS don’t support it.

When I finally got to run the install process it had a virtual graphics environment (which is good) but unfortunately it suffered badly from the two-mouse-cursor problem, with different accelerations used for the two cursors so that the difference in position between them varied in different parts of the screen. This was rather surprising as the dom0 had a default GNOME install.

lemonup and blog license

I have just updated my previous post about licenses and also explicitly licensed my blog. Previously I had used a Creative-Commons share-alike license for lecture notes to allow commercial use and had not specified what the license is for my blog apart from it being free for feeds (you may add it to a planet without seeking permission first).

Unfortunately the operators of a site named lemonup.com decided to mirror many of my blog posts with Google AdWords. The site provides no benefit to users that I can discover and merely takes away AdWords revenue from my site. It has no listed method of contacting the site owner so it seems that blogging about this and letting them read it on their own site is the only way of doing so. :-#

I’m happy for Technorati to mirror my site as they provide significant benefits to users and to me personally. I am also happy for planet installations that include my blog among others to have a Google advert on the page (in which case it’s a Google advert for the entire planet not for my blog post).

Also at this time I permit sites to mirror extracts of my articles. So for example the porn blogs that post paragraphs of my posts about topics such as “meeting people” with links to my posts don’t bother me. I’m sure that someone who is searching for porn will not be happy to get links to posts about Debian release parties etc – but that’s their QA issue not a license issue. I am aware that in some jurisdictions I can not prevent people from using extracts of my posts – but I permit this even in jurisdictions where such use is not mandated by law.

Lemonup: you may post short extracts (10% or one paragraph) of my posts with links to the original posts, or you may mirror my posts with no advertising at all. If those options are not of interest to you then please remove all content I wrote from your site.