
Udo's Techblog

Outside the U.S.? No Dr. Horrible for you!!!

[this is somewhat explicit]

The good news: Joss Whedon's long-awaited Dr. Horrible's Sing-Along Blog is now online. And I must say, when I saw this reviled Hulu icon in there I was convinced it wouldn't even play (since they don't offer content for un-American people). Well, there's a surprise: turns out, they'll let Dr. Horrible sing in other countries.

But just for the weekend. After that: no more. But, you can buy it on iTunes! There is a big sticker on the site, taking you right to the iTunes Music Store.

This is, of course, where the bad news starts: you see, iTunes has a strong regional commitment policy. This ensures, for example, that us Germans can only consume German content (by the way: we translate every single second of content that comes out of other countries first - a painful and quality-destroying process that often takes years). So I can't give you my money, Joss, because obviously you don't want it. You'd rather I wait for the crappy German version which will never come out since this is a niche product. But at least you, Apple and the fucking MPAA can rest assured that American content gets only to Americans and the rest of the world stays in their own little corners. Well done.



Oh, and by the way, look at that iTunes window telling me politely to fuck off and die: it's in German! My OS X is set to English. Why is my iTunes speaking to me in German then? Or why is every single game I order on Steam in German, even though I specifically set it to deliver everything in English? Why does Google insist on giving me their German site even though my browser and OS are both set to English? Stop prescribing content that you think is "better suited" for me and fucking start giving me what I requested!
Posted on 2008-07-18 15:01:53 | Comments

Mac Neophyte Tips: Clearing the local DNS directory

Can't log on to your favorite website? Google.com went down? Another twitter outage?

There is a bug in the Mac name service cache which sometimes causes the machine to lose track of a domain name. It makes you believe the server has gone offline when, in reality, OS X just can't find its IP address any more. Apparently, at some stage, the local DNS cache tries to fetch a domain's IP address, fails, gets discouraged and subsequently gives up on the whole thing.

Anyway, the fix for pre-Leopard OS X is widely known:

sudo lookupd -flushcache

However, things have changed in 10.5.2, and quite often the command has been misprinted all over the net. Here is the correct format to flush your DNS cache:

dscacheutil -flushcache
Posted on 2008-06-28 02:34:13 | Comments

Oh, and we'd like to link the URL above, but we're not allowed to do that either.



I really, really hope Germany's broken IT law system will self-destruct or at least harm the economy in some unforeseen, unprecedented way before this country completes its transformation into Saudi Arabia or something. :-(
Posted on 2008-06-25 12:33:11 | Comments

Mac Neophyte Tips: Changing the default Java version

OK, this one might also be widely known but it cost me a few minutes to figure it out, so here it goes: Software Update installs Java 1.6 on 64bit-capable Macs running Leopard. However, this doesn't mean they change the default runtime version that gets called when you click on a jar file or call code directly from the command line.

OS X's Java binaries live in a directory called "/System/Library/Frameworks/JavaVM.framework/Versions". On a 64bit Mac this should contain quite a handful of different runtimes:
lrwxr-xr-x  1 root  wheel    5 Apr 30 12:25 1.3 -> 1.3.1
drwxr-xr-x  3 root  wheel  102 Sep 29  2007 1.3.1
lrwxr-xr-x  1 root  wheel    5 Jan 22 14:00 1.4 -> 1.4.2
lrwxr-xr-x  1 root  wheel    3 Apr 30 12:25 1.4.1 -> 1.4
drwxr-xr-x  8 root  wheel  272 Jan 22 14:00 1.4.2
lrwxr-xr-x  1 root  wheel    5 Jan 22 14:00 1.5 -> 1.5.0
drwxr-xr-x  8 root  wheel  272 Jan 22 14:00 1.5.0
lrwxr-xr-x  1 root  wheel    5 Apr 30 12:25 1.6 -> 1.6.0
drwxr-xr-x  8 root  wheel  272 Apr 30 12:25 1.6.0

This directory also houses two symlinks called "Current" and "CurrentJDK". As root in Terminal, remove those and replace them with symlinks to the 1.6 runtime:
cd /System/Library/Frameworks/JavaVM.framework/Versions
rm Current*
ln -s 1.6.0/ Current
ln -s 1.6.0/ CurrentJDK

There, all done! From now on "java -version" should return something like:
java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13-120)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_05-b13-52, mixed mode)
Posted on 2008-06-23 09:57:54 | Comments

OpenID Phishing Demo (sort of)

Fun communications hosts an ID theft demo at http://idtheft.fun.de/. Like any other phishing site it works by presenting a fake login page to the user - in this case you can first choose your OpenID provider and are then presented with a copy of their sign-in page.

Somehow people are throwing nervous fits over this antique exploit. Seriously, I just don't see the point of this exercise. Am I missing something? During the whole spoofing process, idtheft.fun.de's URL is plainly visible and it is very obvious that something is wrong. If you fall for this thing, you're also the type of person to fall for any other fake sign-in attack. This is not a technical problem, it's a classical social engineering attack.

Sadly, there are still many people out there who don't know what that thing in their address bar is. *sigh*
Posted on 2008-05-28 00:32:42 | Comments

Mac Neophyte Tips: FileVault on Removable Drives

I'll admit it: I'm a total Mac noob. Though I've owned Apple computers since 1999, I've only recently started to use the platform for anything but web browsing. Since FileVault was invented I've always been a little irked about the fact that only your home folder is encrypted. At the time, my search might not have been extensive, but all the forums seemed to say about this was: "wait till TrueCrypt comes to the Mac". Now, TrueCrypt might be a moderately handy tool for Windows, but the Mac Version is an absolute nightmare.

I'm sure most people have known about the solution for ages, but I only recently found out: when you create one of those disk image files, OS X lets you create an encrypted filesystem that has pretty much the same properties as a FileVault store. I feel really stupid for having taken so long to find out. But I'm gonna post this in case there are other people like me, still running around and wondering how to 'vault their drives.

1. open Disk Utility
2. click "New Image"
3. enter size and select 256AES encryption from the list
4. choose "sparse disk image" or "sparse bundle disk image"
5. click "Create"
6. Profit! ...erm I mean: done!

In case you're wondering what the "sparse bundle" is: it's a format that has been added with Leopard. The normal sparse image is a single file that grows as the filesystem contained in it gets filled. This means the recovery of unused space is complicated and time consuming. The sparse bundle, however, consists of a collection of fragments that can be handled more efficiently by the OS. The bundle is a directory that contains some meta info and the actual filesystem data in so-called bands. Here's what it looks like:

-rw-r--r--     1 udo  staff     499 May  1 20:31 Info.bckup
-rw-r--r--     1 udo  staff     499 May  1 20:31 Info.plist
drwxr-xr-x  5725 udo  staff  194650 May  1 21:04 bands
-rw-r--r--     1 udo  staff  122880 May  1 20:31 token

Neat, isn't it?
Posted on 2008-05-01 11:42:55 | Comments

Back Again

Hi everyone, I finally found some time to put the blog back up. After the recent experiences with Wordpress I decided to write my own blogging engine. Don't get me wrong, WP is great and the hacks are probably my fault for not performing upgrades recently, but I wanted to have more control this time - even though that means fewer features. My code may have vulnerabilities of its own, but at least I'll know where they are and how to fix them! So let me know if you discover anything odd. Also, I'm thinking of posting a how-to about this little project, what do you think?

Things are going to be different
From now on, I'll be using creativepark.net domain as the main URL. In all these years, I haven't used the domain for anything else, so it only makes sense to shorten the path. I'll keep the old address working indefinitely, though (I'm a firm believer in the permanence of URLs) and I'll work on some redirects that should make the old links to the site work.

It's back to the roots!
I'm going to write again about RPGs, techy geek stuff, software and maybe some science stuff in the middle of it. I know, it's a weird mix, but those are my interests and I've decided against a separate blog for each of these things. If at all possible, I'll try to stop myself from posting worthless comments about the latest Web 2.0 fad as well as mopey crap about my personal life (which sucks badly, if you must know). Among the many, many things I didn't elaborate on any further is the Dynamic World scenario and I hope I'll find some time and inspiration to go more into that one, along with some actual code maybe.

Maybe personal sites are vanishing, but I'm not ready to offload everything to Twitter and Facebook and call it a day, just yet.
Posted on 2008-04-28 01:54:06 | Comments

Invisible

Comment from John Scalzi, via Wil Wheaton's blog:

indeed, as a late-thirties balding man of modest height, weight and physical attractiveness, I am practically invisible to anyone under the age of 30, and visible to anyone over that age only to the extent that they have to walk around me, or have to have some limited amount of social interaction with me as we stand in a line or some such.


Wow, it's like he's my twin! Fiendish though as I am, I sometimes enjoy it when people are forced to interact with me. Over the years I have come to derive some form of perverse pleasure from observing their barely concealed pain while they have to talk (or worse: listen) to me, all the while wondering when they can get back to, you know, real people. Ah, good times!
Posted on 2008-04-02 03:32:51 | Comments

Site Under Attack From Rogue MSN Bot? Well, Tough Luck!

Funny thing happened to my blog recently: not only was it being hacked, there was also a DoS attack going on. The attack originated from 65.55.107.111, which made me revise my initial impression that the two events were somehow connected. See, this IP is owned by Microsoft, and the USER_AGENT string identifies the server (which made well over 1.5 Million HTTP requests in a short time frame) as an MSN search bot.

I'm hosted at MediaTemple, using the Grid Service hosting plan. That means, an attack of this sort cannot likely disable the server, since there is a whole grid that can absorb the load. However, this also means that I have to pay not only for bandwidth used but also for cluster resources such as CPU time. So what's a site owner supposed to do in this case? Now that the episode seems to be over, I still don't have a comprehensive answer - but maybe telling the story will help someone somewhere in some way some day. Here's what happened:

The good thing with MediaTemple is that you get almost realtime reports regarding your resource usage. That's how I saw that something was not right: most of my billable resources were being consumed by pages on my blog that couldn't possibly be valid URLs. And there were already hundreds of thousands of requests targeting these URLs. Well, after downloading the logs for that day it became pretty obvious the originating server was 65.55.107.111, which resolves to

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2004-12-09


So far so good. Could be Microsoft, could be a spoofed attack pretending to come from MSN's IP address. The reason why I thought an MSN server was the genuine source was the nature of the URLs used: they looked highly recursive, like someone made a horrible mistake programming their bot. And now it was stuck in an infinite loop querying my site!
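The log triage described above can be scripted. The following is an added example, not part of the original post and not the author's tooling: it counts requests per client in Apache combined-format logs, flags clients whose traffic is mostly "recursive" URLs, and checks a self-declared msnbot User-Agent against the 65.52.0.0/14 netblock from the whois output. The sample log lines, the repeated-segment heuristic and the thresholds are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Netblock copied from the whois output quoted in the post.
MSN_NET = ipaddress.ip_network("65.52.0.0/14")

# Apache "combined" log format; only client, request path and User-Agent are kept.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (assumption: not taken from the author's real logs).
SAMPLE_LOG = """\
65.55.107.111 - - [20/Mar/2008:10:00:01 +0000] "GET /2008/03/feed/feed/feed/feed/ HTTP/1.1" 200 0 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.107.111 - - [20/Mar/2008:10:00:01 +0000] "GET /2008/03/feed/feed/feed/feed/feed/ HTTP/1.1" 200 0 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.107.111 - - [20/Mar/2008:10:00:02 +0000] "GET /tag/a/tag/a/tag/a/ HTTP/1.1" 200 0 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
203.0.113.9 - - [20/Mar/2008:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
198.51.100.7 - - [20/Mar/2008:10:00:04 +0000] "GET /2008/03/post/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""


def looks_recursive(path, repeats=3):
    """Heuristic (assumption): one path segment occurs `repeats` or more times."""
    segments = [s for s in path.split("?")[0].split("/") if s]
    return any(n >= repeats for n in Counter(segments).values())


def triage(log_text, min_hits=3):
    """Per-client request statistics; `suspect` marks heavy, mostly recursive clients."""
    stats = defaultdict(lambda: {"hits": 0, "recursive": 0, "claims_msnbot": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or malformed entries
        try:
            in_net = ipaddress.ip_address(m["ip"]) in MSN_NET
        except ValueError:
            continue  # client field is a hostname, not an address
        s = stats[m["ip"]]
        s["hits"] += 1
        s["recursive"] += looks_recursive(m["path"])
        s["claims_msnbot"] |= "msnbot" in m["ua"].lower()
        s["in_msn_net"] = in_net
    for s in stats.values():
        # The User-Agent is self-declared: outside the netblock the claim is unsupported.
        s["ua_unsupported"] = s["claims_msnbot"] and not s["in_msn_net"]
        s["suspect"] = s["hits"] >= min_hits and 2 * s["recursive"] >= s["hits"]
    return dict(stats)


if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(ip, s)
```

On real logs, raise `min_hits` to a value that fits the site's normal crawler traffic before acting on the `suspect` flag.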

First measure: block those URLs


The first and easiest thing to do was go into the Wordpress code and hardwire the response to those URLs. Since they would never occur during normal web browsing anyway, this was an easy choice. I made it so WP would return no data upon such calls, so there was no further HTML that could be parsed for more recursive mayhem to be added to the bot's to-do list. So far, so good. Because now execution was canceled as soon as the URL was called, excess CPU cycles had been cut by one-fifteenth. Not bad! But still, at the rate those requests were made, it was clear that by the end of the billing cycle I would still be well above my allotted limit. However, I felt this was all I could do on the technical side of things.

Second: contacting Microsoft


All right, what do you do if there is a company out there, hammering your server? You write them a nice notice, informing them that they have a rogue bot, of course. Oh, how naive I was. I thought it was actually possible to contact someone, they would listen, surely discover their mistake and fix it! Ha, maybe they'd even apologize for causing me costs and workload, I thought. The hubris! There are maybe a handful of email addresses that you can use to contact MS in case of problems. However, half of them return error messages right back at you. The other half, I imagine, are just huge data graves where emails go to die. Of course, there was no help coming. It's just not possible to reach someone who cares. I was at least hoping to get the infamous Condescending Automated Response, but apparently my problem wasn't even worthy of that.

Third: what about MediaTemple?


Well, if MSN wasn't going to do anything at all, maybe I could turn to my provider for help. Of course, the thing you have to keep in mind is, that MT is profiting from such things happening to their customers. Nevertheless, I wrote a diligent message detailing the problem to MediaTemple's support. In the beginning I was even hopeful, because some first-responder sent me a mail right back explaining that my request had been escalated to a sysadmin. However, this state of hopefulness quickly faded away, when the sysadmin finally gave me my Condescending Automated Response. It explained things along the lines of "if you don't want bots spidering your site, you can exclude them by editing the robots.txt". Bloody brilliant, like I hadn't already forbidden MSN to crawl my site. Like these million requests were part of a normal indexing run, sure!

Upon explaining these things again to MT support, I got a semi-useful message back: there just wasn't anything they could do, period. Blocking this IP would mean other customers' sites couldn't be indexed by MSN. And I could always use an .htaccess rule to further cut down on CPU cycles. But otherwise, that's just the risk of running a site.

And then, everything went quiet


I'm not really sure what happened next. The attack suddenly stopped. Maybe MediaTemple had suddenly recognized the fact that this wasn't a normal bot running its index and blocked it, though I doubt it. Maybe MSN finally rebooted their server, though I'm fairly sure they didn't even get the message that anything was wrong. Maybe it will even happen again come next indexing run. Who knows? It's not like you get any courtesy information out of any of those companies. And if it happens again? Well, I'll just have to pay up then, won't I?

What little can be done


I've excluded MSN bots from spidering the site at several levels. It's the least I could do. And it's also not like there is any meaningful traffic coming through MSN search there, too. I would encourage other people to do this as well, because if an MSN bot goes rogue, there is absolutely nothing you can do against that as a lowly site owner. The least you can do to protect yourself is to pull your stuff from Microsoft-related indexes.


All things considered, the attack did turn out to be not so bad, but I certainly didn't enjoy the hacking and the posting of spam in my name. These recent events have added to much of the negativity that is currently in sum making up my life. Things have been going downhill for a long time now, I just don't know where the bottom is, yet. I guess this is also the reason for the shocking lack of original content recently. I haven't decided what to do with the blog, yet. If nothing else, it certainly has allowed unpleasant people in my life another angle of attack. The blog comes up as the first result when someone googles my name and Analytics is telling me lots of people have been doing exactly that, recently. That's nice as long as everything is going great. But if you're bankrupt and overall not doing so well, it becomes another thing entirely.
Posted on 2008-03-25 13:21:01 | Comments

Wordpress Hacked

Looks like my blog is being hacked, I apologize for the stuff some of you might have received in their RSS feeds. I think I know who did this, if it was indeed aimed at me personally (which I do believe, maybe because humans are good at pattern recognition even given random data).


Apparently, there is also a DoS/overload attack going on, which seems to confirm the initial suspicion.
Posted on 2008-03-21 00:37:22 | Comments