So this morning I get an email from the US Department of Defence. Seems one of our computers was being used as a launching pad to exploit some DOD systems. Found the computer, pulled it off the net and proceeded to do a post-mortem. My co-workers were offering all kinds of suggestions about how to go about this, what to look for, etc. All wrong of course. I've done this before. Found the payload in about 3 minutes. Hidden away in "/var/tmp/.. " - note the space at the end. Clever yes, but this is an old trick. I pulled off the payload files to have a look. Lessee, a streaming media server, thirty different denial of service attack generators, and one old root kit from 2001.
My co-workers were instantly preparing to format the disk. Rootkit, bad. Re-format. Nah, these guys weren't after root, and they didn't get it. They got what they were after - another zombie to join their network of DoS slaves. If they really wanted to get root access, they would've used a modern rootkit. The poor kid who uses this box has his entire PhD on it, and the last thing I want to do is erase his life's work. No need to. Just reset the password, get rid of the zombie net and put the machine back in service.
Incidentally, this is just one of a growing number of incidents coming out of Romania. There were Romanian 'fingerprints' all over this particular exploit. FYI. In years past we've seen involvement by Germany, Russia, China and others. This one is Romanian for what it's worth. Somebody there is funding an effort (or being funded) to stage denial of service attacks on a global scale. Interesting.
I've been working on all kinds of different ways to completely stop XSS (and potentially the related CSRF) and provide a much better authentication framework for web applications.
The problem:
The HTTP protocol is completely stateless. On the server side each and every page access starts with zero knowledge of who is at the other end of the connection. In order to provide what were once considered 'sessions' in the pre-web computing days, the client is able to store a 'cookie' which is sent from the server and which is then sent back with every page request within that domain. The server can look at this cookie and use it to identify a particular person who has presumably already passed authentication, so they don't have to re-authenticate.
But cookie storage has some serious flaws. If somebody who isn't the specified logged-in person can read the cookie, they can become that person. IP address checks can help to provide extra verification but in a world containing proxies this information can be spoofed.
Cross Site Scripting is a method whereby a malicious person who is allowed to post HTML on a page can inject javascript code which is then executed on a registered user's session and the cookie is leaked or sent elsewhere - allowing the malicious person to impersonate the registered person.
A possible solution:
I'm still working out the details so please let me know if this is flawed, but I think I've got a way to prevent XSS and still allow registered members to post full HTML, CSS, whatever - including javascript. It relies on the fact that cookies are stored and used per-domain. Different domains are unable to see cookies from another domain.
We'll also assume SSL connections since anything else can leak everything (cookies, passwords, everything) to a port sniffer.
We'll start with a normal website at https://example.com - which we'll assume is a multi-user website where XSS could be a problem. If somebody on this site can inject javascript onto a page, they can steal the cookies of a logged-in user. There are hundreds of ways to do this that are beyond the scope of this discussion.
But we'll also create another domain - say https://private.example.com - which processes logins and does not serve content. This will have a different cookie than example.com. Perhaps we'll let it serve the website banner image just so that it is accessed on every page of the site. Since there is no active content allowed, it is immune to XSS exploits.
It is allowed to process login requests and send cookies, and one image. That's it.
What this means from an attacker's viewpoint is that he/she now needs to steal two cookies to impersonate somebody else. It may be easy to steal the cookie on the main site, but there's no way to get at the cookies for the private.example.com site since it isn't allowed to host active content.
The main site uses out-of-band methods (not involving HTTP) to communicate between the two domains and establish that the session is valid and authenticated. They're both hosted in the same place after all. It can check a file or database to see that the logged-in session was authenticated by the other site. Both keys (cookies) have to match or the authentication is denied.
Anybody see a flaw in this? Granted I still haven't thought it through completely and haven't yet tested it, but I don't see any glaring problems on the surface. Some variation of this concept will probably work and both prevent XSS as well as provide a better way of doing web authentication that is much more resistant to intrusion.
Again assuming https to prevent snooping, the only way I can see to steal both cookies and impersonate a logged-in user is to have access to the target person's desktop and browser.
It also allows a site to completely separate the authentication mechanism from the content server allowing the authentication code to be small, simple, self-contained, and verifiable.
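The whole scheme rests on browsers keeping cookies per host. The following is an added Python model of RFC 6265 cookie scoping (example code written for this page, not from the original post): it shows which cookies a browser would attach to requests for example.com and private.example.com, and what an injected script on the main site could read. The cookie names and values are constructed.

```python
"""Model of browser cookie scoping for the two-domain login design.

Added example; the hosts example.com and private.example.com are the ones
used in the text, the cookie names/values are made up for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host (or parent domain) the cookie applies to
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool = False
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request host is a subdomain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self) -> None:
        self._cookies = {}  # (domain, name) -> Cookie

    def set_cookie(self, response_host: str, header: str) -> Cookie:
        """Store a cookie from a Set-Cookie header sent by response_host."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        domain = attrs.get("domain", "").lstrip(".").lower()
        host_only = domain == ""
        if host_only:
            domain = response_host.lower()
        elif not domain_matches(response_host, domain):
            # A host may only set cookies for itself or a parent domain.
            raise ValueError(f"{response_host} may not set a cookie for {domain}")
        cookie = Cookie(name, value, domain, host_only,
                        secure="secure" in attrs, http_only="httponly" in attrs)
        self._cookies[(domain, name)] = cookie
        return cookie

    def cookies_for(self, request_host: str, https: bool = True) -> dict:
        """Cookies the browser would attach to a request for request_host."""
        sent = {}
        for c in self._cookies.values():
            if c.host_only:
                if request_host.lower() != c.domain:
                    continue
            elif not domain_matches(request_host, c.domain):
                continue
            if c.secure and not https:
                continue
            sent[c.name] = c.value
        return sent

    def script_visible(self, request_host: str) -> dict:
        """What document.cookie on request_host exposes to injected script."""
        sent = self.cookies_for(request_host)
        return {c.name: c.value for c in self._cookies.values()
                if c.name in sent and not c.http_only}


def demo() -> tuple:
    """Constructed responses from the two hosts in the design above."""
    jar = CookieJar()
    # Login host: host-only cookie, HTTPS only, not readable by script.
    jar.set_cookie("private.example.com", "AUTH=a1b2c3; Secure; HttpOnly")
    # Content host: its own host-only session cookie ...
    jar.set_cookie("example.com", "SESS=xyz789; Secure")
    # ... and a domain-wide preference cookie, which subdomains also receive.
    jar.set_cookie("example.com", "PREF=dark; Domain=example.com")
    return (jar.cookies_for("example.com"),
            jar.cookies_for("private.example.com"),
            jar.script_visible("example.com"))
```

The AUTH cookie never travels to example.com, so script injected there cannot read it; the reverse is not symmetric, since a cookie the main site sets with Domain=example.com does reach private.example.com, so the login host should only trust the host-only cookie it issued itself.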
Who'd a thought that a simple query to a Myspace.com page would result in the finding of long lost friends? Within 24 hours no less and from halfway around the world.
I've been looking for some friends in New Zealand, off and on, for the last 6 or 7 years. A couple of years ago I found a cell phone number in the online white pages in New Zealand but no address. Of course I promptly lost the number and never found it listed again.
Yesterday I decided to reactivate my page on Myspace.com (yeah, I know - what's a 50 year old woman doing with a Myspace page.) I did a search on my friends' oldest daughter - she was the only one whose name I could remember. Had to search through a few pages but found one that looked like a good possibility.
Sent a message to the person yesterday, telling them what I was looking for and could they possibly be one of the people I was looking for. This morning I check my e-mail and I've got a message from that person. Turns out I picked the right page - it belongs to the oldest daughter of my friends. Not only that, but she happened to be at her parents' house when she was checking her Myspace page and saw my message.
Turns out the family had left New Zealand, except for 1 daughter, and headed to Australia. Could explain why I couldn't find any trace of them in New Zealand. Didn't think to look in Australia - but then again, Australia is just a wee bit larger than New Zealand. Guess I'll be looking at a trip to Australia when the economy here improves (if it ever does).
You always hear the bad things about Myspace.com and Facebook but here's one that's great. Kinda like how I found my husband. Decided to see if he had joined the 21st Century and was online - found him on Classmates.com and the rest is history. See the Wedding Blogs for more details.
Please visit ericarthurblair.com
George Orwell is the penname of Eric Arthur Blair. Known for writing "1984" and "Animal Farm", his first novel was "Burmese Days". It was based on his experience as an officer of the British Empire in Burma when he was 19 to 24 years old. Reading "Burmese Days", one can see how he acquired his distaste of governments that control their people.
I believe that if he were alive today, he would have many negative things to say about the current state of affairs in Burma. The military dictatorship sets a standard for evil that few can surpass. Millions of its citizens have been displaced, either by government decree or by fleeing for their lives. The government enslaves the population for public projects and in some cases has used villagers to walk through, and thereby clear, minefields at the cost of many lives. Burma, once the breadbasket of Asia and rich in natural resources, is today one of the poorest countries on Earth, unable even to feed itself.
Most of the citizens who have fled the country have gone to Thailand. Burma does not issue exit visas, to leave Burma you must do it illegally. Estimates of the number of exiles in Thailand today (2008) range from 200,000 to over a million. This website contains some pictures of a school for the children of refugees. No mention will be made of the location, as the school exists to benefit this future generation but in violation of Thai law. The children are taught history/culture, Burmese, English, math and science. A local health clinic provides ‘train the trainer’ classes for the teachers in public health issues such as food safety and hand washing, and this information is also provided to the children.
As the schools (and there are dozens in the Thai-Burma border areas) are illegal, they are grossly under-funded. The school cannot provide paper or pencils to the students. The teachers can’t make copies of anything. The books were written for Burma schools decades ago, and only the teachers have a copy. Everything is written on whiteboards for the students to use. The particular school pictured here serves lunch to 101 children each day, a bowl of rice with a spoonful of cooked vegetables on top. There’s no money for meat or milk. And yet, for many of the children, this meal alone makes attending school a great day. They have far less to look forward to at home.
Cyclone Nargis has just made a bad situation unbearable. The refugee flow into Thailand has begun to increase, as the Burmese population realizes no help will be coming from anyone. Large sections of Burma are uninhabitable, contaminated with salt water and completely without food or water. The government has declared the disaster ‘over’ and closed the shelters, leaving thousands without food, water or a roof over their heads during the monsoon season.
I have worked directly with some of these refugees and have learned one lesson above all: they are just like you and me. They want a better world for their children, they love their family, and they want to be healthy. Any differences are minor. I have learned from other work following disasters that the best help for survivors comes from neighbor helping neighbor. I ask that you consider these people your neighbor, on this planet we call Earth, and that you open your heart to help those less fortunate. I vow that any money collected here will go straight to Burmese people, either in the Irrawaddy Delta, recovering from the Cyclone, or to refugees in Thailand, preparing for the day when they may return to their homeland, no longer in fear for their lives. All money will reach a Burmese person. Thank you for your generosity.
At this time, I've managed to pull together a working kernel and prototype of the Reflection CMS. It is not yet ready for public release, but I've been pleased with the progress. Here's a bit of a white paper I've been putting together to explain the rationale and provide a high level overview.
Reflection Content Management System
Purpose:
Web content management systems and frameworks that exist today are clunky, overly-complicated, and often insecure. While many of the open source projects are developer friendly and openly encourage derivation, there is often a group that jealously protects the 'core' from feature creep. This makes it difficult to realise many web designs; as it is often the core that is insufficient to the task at hand. Being developer friendly does not mean that an application provides a workable development environment. Add-on modules often cannot be trusted - as they often reflect the work of novice software designers who have had to overcome the limitations of the core product.
In an effort to appeal to the most people, data abstraction is taken to new levels of absurdity and inefficiency. This is not limited to content management systems, as it is a software problem in general.
What I have attempted in taking on this gargantuan task of creating yet another content management system is to solve many of these problems, and to create a system that is extensible and encourages development at all levels - including the so-called core. To that end, almost every function can be overridden without introducing serious versioning and update issues/incompatibilities. Nothing is sacred.
The more that I mulled this task, the more it became apparent that what I was looking for in a content management framework is no less than an operating system for web pages. This involves user management, security, and the ability to execute arbitrary 'applications'. It also involves a notion of a file system hierarchy which can be represented entirely by URLs.
Many other content systems abstract data types, and this is a good idea; though it often makes for messy designs. At the heart is a generic nucleus of a content - who owns it, what the permissions are, various timestamps, etc. Data fields that are unique to a particular content item are stored elsewhere and joined on demand.
Implementation of this level of abstraction is a challenging problem. Due to design limitations of most database systems, it involves some tradeoffs - primarily in the ability to perform searches on extended data of multiple extensible data types. For a single type, it can be done with one query. However when multiple data types are involved, a second pass needs to be run to return the extended data for each item. For this reason, it is prudent to store as much 'searchable' information as practical within the nucleus.
There is also general agreement over using themes and templates at the presentation end, so that different renderings are possible without hacking code. Here I'd like to take it one step further and modularise the entire presentation layer. As well as a 'theme', one can choose a particular layout or representation of objects, such as a choice between list view and iconic view, and/or XML feed elements. By making this extensible and arbitrary, entirely new renderings can be accomplished without touching the object code or business logic.
Permissions System
Permissions are the core of any multi-user system. This needs to be well defined, and implemented close to the kernel or core and far away from the presentation layer. In a development environment, the developers should mostly be free of managing permissions. I've implemented a permissions concept similar to Unix/Linux - although modified for better adaptability to web applications. It uses the familiar rwx concept, but I've split the 'x' permission into 'x' and 'u'. 'x' is simply a list permission. 'u' is an ability to use or extend an item. For an article, the 'u' bit allows comment rights. For a vocabulary, it allows the ability to tag something using that vocabulary. I've also introduced higher level permissions. There are six levels:
- rwxu admin
- rwxu moderators
- rwxu owner
- rwxu group
- rwxu members
- rwxu other (aka visitors)
Members is for logged in members. Group is a group association to a unique group identifier, moderators are site moderator accounts. Admin privileges are included in the permissions flags for completeness; though it isn't obvious what value this serves and in most cases these will be masked to prevent locking out the system admin from managing the system.
The Directory Object
The directory or folder object is the primary means of implementing complex data structures and representations. It is an object like any other object on the system, but when navigated to, presents a listing of those items which are attached to it as siblings. It implements a general purpose search and list/enumerate operation. It also contains a path/filename to distinguish it in the URL hierarchy and provide file system semantics to database objects. However, the important items that it contains are a umask (permissions mask) which is applied to any child items, and it can also be configured only to hold items of certain types. This is what distinguishes a photo album from a weblog or forum list. One holds photos and the others hold articles. By allowing a directory to hold any type of content, it can be made to resemble a traditional filesystem; and indeed a multi-user website can be implemented which provides member sub-sites that they manage completely.
The directory also has complete control over the presentation layer, via themes, renderings, and menu selection. This implies that directory is not simply a 'list', but the complete embodiment of the controls, settings, and the look of that list. These can be inherited and passed on to sub-directories. A limitless range of site policy and structure can be implemented by controlling the settings of the appropriate directory entries.
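As an added illustration of the rwxu permission levels and the directory umask described in the two sections above (example code written for this page, not Reflection's own): the bit layout (one rwxu nibble per level, admin in the top nibble), the rule that a grant at any level the requester qualifies for suffices, and the always-on admin nibble are assumptions made for the model.

```python
"""Model of the six-level rwxu permission scheme and directory umask.

Added example, not Reflection code. Assumptions: 24-bit mode with one
rwxu nibble per level (admin highest), any qualifying level may grant,
and the admin nibble is forced on so admins cannot be locked out.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LEVELS = ["admin", "moderators", "owner", "group", "members", "other"]
BITS = {"r": 8, "w": 4, "x": 2, "u": 1}   # x = list, u = use/extend (e.g. comment)
ADMIN_MASK = 0xF << (4 * (len(LEVELS) - 1))


def parse_mode(spec: str) -> int:
    """'rwxu rwxu rwxu r-x- r-xu r-x-' (admin..other) -> 24-bit mode."""
    fields = spec.split()
    if len(fields) != len(LEVELS):
        raise ValueError("expected six rwxu fields")
    mode = 0
    for f in fields:
        if len(f) != 4:
            raise ValueError(f"bad field {f!r}")
        nibble = 0
        for ch, expect in zip(f, "rwxu"):
            if ch == expect:
                nibble |= BITS[ch]
            elif ch != "-":
                raise ValueError(f"bad field {f!r}")
        mode = (mode << 4) | nibble
    return mode


def format_mode(mode: int) -> str:
    """Inverse of parse_mode, for display."""
    out = []
    for i in range(len(LEVELS)):
        nibble = (mode >> (4 * (len(LEVELS) - 1 - i))) & 0xF
        out.append("".join(ch if nibble & b else "-" for ch, b in BITS.items()))
    return " ".join(out)


@dataclass
class Item:
    owner: str
    group: str
    mode: int


@dataclass
class User:
    name: str = ""                 # empty name = anonymous visitor
    is_admin: bool = False
    is_moderator: bool = False
    groups: set = field(default_factory=set)


def levels_for(user: User, item: Item) -> list:
    """Every level the requester qualifies for on this item."""
    lv = ["other"]
    if user.name:
        lv.append("members")
    if item.group in user.groups:
        lv.append("group")
    if user.name and user.name == item.owner:
        lv.append("owner")
    if user.is_moderator:
        lv.append("moderators")
    if user.is_admin:
        lv.append("admin")
    return lv


def allowed(user: User, item: Item, perm: str) -> bool:
    """True if any qualifying level grants perm; admin bits are masked on."""
    mode = item.mode | ADMIN_MASK
    for level in levels_for(user, item):
        shift = 4 * (len(LEVELS) - 1 - LEVELS.index(level))
        if (mode >> shift) & BITS[perm]:
            return True
    return False


def apply_umask(requested: int, directory_umask: int) -> int:
    """A directory's umask clears bits on items created inside it."""
    return requested & ~directory_umask & 0xFFFFFF


def demo() -> Item:
    """A forum directory whose umask strips write and comment rights from visitors."""
    forum_umask = parse_mode("---- ---- ---- ---- ---- -w-u")
    wanted = parse_mode("rwxu rwxu rwxu r-x- r-xu r-xu")
    return Item(owner="alice", group="staff", mode=apply_umask(wanted, forum_umask))
```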
Applications
Applications or executable code lives outside the virtual directory tree. In order to address the need for an extensible application space and recognising the confines of URL management, applications are denoted by the first URL path parameter. For instance http://example.com/edit invokes the object edit/post application. Additional URL path components are passed to the application as arguments in a manner similar to Unix/Linux 'argv/argc' mechanisms. Application URLs take precedence over path URLs, such that a directory or document called 'edit' at the root level will be unavailable at that URL if the 'edit' application exists. An external path alias mechanism exists to redirect to another URL in the case of conflict with the application space.
An application framework exists that supplies plugin methods for handling initialisation, form posts, main page content, and menu callbacks. Arguments are parsed and passed in as argv/argc elements, although meta-arguments dealing with pagination (such as 'page=4') are dealt with by the kernel or core to minimise extra argument parsing at the application level. To provide pagination, an application only needs to obtain a count of the total number of items and invoke a 'paginate' function.
Licensing
Reflection will be available under the generic Berkeley license. Free for all uses but with no implied warranty.
Platform
Recent/modern flavours of LAMP. Apache/mod_rewrite is required. PHP5.2+ is required for timezone support. Language: English.
Well, made it through the wedding - nary a hitch to worry about (at least not about the service itself). Had a great time in Vegas and actually stayed within our budget.
The flight to Las Vegas was the flight from hell though - but what did I really expect? US Air cancelled our direct flight, which was booked 3 months in advance, and made us change planes in Phoenix, AZ. That wouldn't have been so bad as the layover was only supposed to be an hour but it actually lasted almost 4 hours. People were not pleased. Especially those of us that had to sit next to an honest to god Tweaker who came very close to losing her life from the time we sat down to the time the plane landed in Las Vegas. You hear about these people but you never think you're going to get stuck sitting next to one on a very small plane for an hour and a half but I did. At least the airline didn't lose any of our luggage - Praise the Powers That Be!
Then, we finally get to the rental car agency - in Las Vegas they have moved all the car rental agencies to one site off site of the airport. At least they have a nice little shuttle to and from the airport. Wouldn't you know it? We get there and there are only 3 people working the counter and a rather long line of people wanting to pick up or rent a car. One poor clerk was having to deal with a woman who was having major problems renting a car (credit cards were being declined). Once she was taken care of, things seem to move rather fluidly. Got our car, got our luggage loaded and got to the Hotel. Of course, we had several messages on our cells from friends and family wondering where the hell we were.
Got checked in, found our room and went and found FOOD. After that point, things went rather well. Even our flight home was uneventful. Probably to make up for the flight down. We definitely won't fly US Air again if we can help it. Although, when we checked in for our flight home, one bag was over the weight limit by 3 pounds and the clerk let it go without hassle or fines. I was very appreciative and let her know that. I have a feeling they don't get too many compliments or kudos. She was very nice and efficient and I did appreciate the fact that she didn't give us any grief. Funny, it didn't weigh that much going down to Vegas.
Gambling sure has changed since the last time I hit any casinos. Used to be there were only nickel, dime, quarter, 50 cent, dollar & $5 slot machines. Now, thanks to electronics there are tons of penny machines to play but none of the slots spit out money anymore. If you win, you get a ticket to take to a machine to get your winnings. The slots still sound off when you hit a jackpot, you just don't get the thrill of seeing your coins drop into the bucket. I did make a little bit of money playing BlackJack down on Fremont Street though. My hubby doesn't play the tables, he likes the slot machines. He didn't do too bad on Fremont Street either.
Excalibur has a restaurant/bar on the casino level called 'Dick's Last Resort' and the faint of heart or easily embarrassed should refrain from entering. The servers have attitude and know how to use it. You have to see it to believe it and believe me, we saw it, participated in it and had an absolute blast. In fact, I have a piece of clothing on display there (at least it should be) unless one of the bartenders is still wearing it. I'll let you wonder about that.
I just have to remember that the next time we decide to go on holiday and rent a Harley to make freaking sure that it's the top of the line touring model. Trying to shift to a more comfortable position without armrests is exceedingly difficult - especially if you don't want to cause an accident. Plus, there's just a little bit more room for two people on the big fancy dancy models.
I can now say that I have ridden across both London Bridges and have the pictures to prove it. As far as I can tell, one of the only things Lake Havasu City, Arizona has going for it is the fact it is the home of the old London Bridge. That and the series 'Party Heat' is filmed there for CourtTv or whatever it's called now.
Just wanted to update y'all on current happenings since I terminated my daily rants a while back...
I've been working under the covers on a new web project; which takes all that I've learned building this here website and social spaces in general and pushes it into a new realm.
The thing about CMS software is that they all suck. Some suck worse than others, but they're all really, really bad. Most of them try to be all things to all people - and as a consequence fail miserably at being anything to anybody. I guess I've been guilty of that myself.
I'll be putting up a serious contender over the next several months to show that the situation doesn't need to be so abysmally abysmal. Oh yeah, and it will be open source, extensible, yada, yada. While basically working securely and outperforming any of the competition - without resorting to caching to make up for the sucky performance; like everybody else does.
In order to accomplish this, I'm not even going to try to create something that is all things to all people. Apache2.x+, php5.x+, mysql5.x+ and English only. I've re-written my existing website engine to be leaner and meaner and am currently adding some core functionality back in, whilst tossing 90% of the code that nobody (but me) ever used.
I've boosted performance by a factor of 4 at least, and will be reducing the number of database queries per page to under 10 on average (from a current average of 20-35); still way under the market leaders which hammer the database several hundred times for each and every page - and hit the file system an equal number of times. That's piss poor engineering and an embarrassment to any serious software developer.
Security on each object has been radically simplified - however is extremely robust and verifiable.
Stay tuned...
Here's a little shell script I cooked up to aid in managing large groups of Windows/Linux dual boot client workstations. It essentially makes the Linux systems 'call home' whenever they boot up so that we can have a series of scripts on the server which will bring them up to date. The alternative is to walk around to each workstation and type some commands. This gets old after you've done several hundred. It was also necessary to do this from a client side process, as there exist tools to push down changes from the server already, but we never know when Linux will be running. The PC might be running Windows for weeks. We just want everything to sync up the next time somebody boots Linux.
Anyway, here it is - I call it 'pcu':
#!/bin/bash
##
## Update client workstations from a
## sequentially ordered set of update scripts
## located on a network drive.
##
## Scripts may be named numerically to be processed
## in order. Only scripts modified (find -newer) since the
## time of last invocation will be processed.
##
## Note: every file found under the update directory is executed
## as root on the client, so the NFS export must only be writable
## by the administrators who maintain the update scripts.
##
## Configuration:
##
## For synchronizing clock
NTP_BINARY='/usr/sbin/ntpdate'
TIMESERVER='ntp.example.com'
##
## Server/path containing scripts. This dir is NFS mounted locally.
PCUSERVER='pcu.example.com'
BASEPATH='/home/pcu'
##
## Where to find the files locally
## Default is $LOCALPATH/$FAMILY/$HOSTNAME
## or $LOCALPATH/$FAMILY/default if no $HOSTNAME dir exists.
##
## $FAMILY is used to group scripts of similar
## machines/architectures/lab configurations
LOCALPATH='/etc/pcu'
FTIMESTAMP='/etc/pcu.time'
FAMILYCONF='/etc/pcu.family'
INSTALLOC='/etc/init.d/pcu'
DEFAULTFAMILY='general'
########################################################
##
## Install: copy this script into init.d and register it to run at boot
##
if [[ ! -x "$INSTALLOC" ]] ; then
    echo "PCU installation commences. $0"
    cp "$0" "$INSTALLOC"
    chmod 755 "$INSTALLOC"
    update-rc.d pcu start 99 2 3 4 5 .
    mkdir -p "$LOCALPATH"
    touch "$FTIMESTAMP"
    echo "PCU installed."
fi
##
########################################################
## Sync the clock first so the timestamp comparison below is meaningful
if [[ -x "$NTP_BINARY" ]] ; then
    "$NTP_BINARY" -su "$TIMESERVER"
fi
## Mount the script repository; give up quietly if the server is unreachable
if ! mount -t nfs "$PCUSERVER:$BASEPATH" "$LOCALPATH" ; then
    exit 0
fi
if [[ ! -x "$LOCALPATH" ]] ; then
    exit 0
fi
if [[ ! -e "$FTIMESTAMP" ]] ; then
    umount "$LOCALPATH"
    exit 0
fi
if [[ -e "$FAMILYCONF" ]] ; then
    FAMILY=$(cat "$FAMILYCONF")
else
    FAMILY="$DEFAULTFAMILY"
fi
echo "Processing Updates for $FAMILY"
if [[ ! -x "$LOCALPATH/$FAMILY" ]] ; then
    echo "$0: Warning: $LOCALPATH/$FAMILY ($PCUSERVER:$BASEPATH/$FAMILY) is not accessible."
    umount "$LOCALPATH"
    exit 0
fi
## Prefer a per-host directory, otherwise fall back to the family default
HOST=$(hostname)
if [[ -x "$LOCALPATH/$FAMILY/$HOST" ]] ; then
    UPDATEPATH="$LOCALPATH/$FAMILY/$HOST"
else
    UPDATEPATH="$LOCALPATH/$FAMILY/default"
fi
if [[ ! -x "$UPDATEPATH" ]] ; then
    echo "$0: Warning: $UPDATEPATH ($PCUSERVER:$BASEPATH/$FAMILY/default) is not accessible."
    umount "$LOCALPATH"
    exit 0
fi
## Run every script newer than the last run, lowest number first
find "$UPDATEPATH" -type f -newer "$FTIMESTAMP" | sort -n | while read -r a ; do
    echo -e "\t$(basename "$a")"
    sh "$a"
done
umount "$LOCALPATH"
date > "$FTIMESTAMP"
Some call it a vacation, these next two months, but I call it adventure and rejuvenation. I'm off to help some Burmese children learn about another world they hardly know exists. This has been planned for months. But recent events, as described in the following article, have overshadowed what I had envisioned as a chance to change a small piece of the world. I may be headed into a refugee tsunami, if the Burmese dictatorship totally fails its population and the only route to survival lies in exodus.
I've found it ironic that the current US President has been critical of the lack of response to the cyclone by the Burmese government. I was in Mississippi following Katrina, and can easily identify a kettle when it calls the pot black. But this article points out not only the lack of governmental response to disaster in Burma, but the fear of government held by not only the Burmese, but also outsiders already in Burma. Would you be willing, or able, to work for the common good under circumstances like these? I can only hope if the opportunity arises, that I can.
Misery in Laputta
By THE ASSOCIATED PRESS / LAPUTTA - Sunday, May 11, 2008
Apart from the sound of children crying, the town of Laputta is strangely silent.
Traumatized by the ordeal of surviving Cyclone Nargis, few people have anything to say. But it is also fear bred by 46 years of repression by military regimes that keeps them quiet.
[Photo: A Cyclone Nargis survivor sits at a damaged school which has been turned into a makeshift refugee centre in Laputta, on May 10. (Photo: Reuters)]
And no one dares to protest. Even aid agencies are cautious.
"There are certainly parameters around whatever we do. It is very sensitive politically, but within those parameters we are getting through," said Tim Costello, CEO of World Vision Australia, one of the few foreign aid workers allowed into Rangoon.
Aid workers said critical supplies were reaching Laputta, a town of 20,000 people whose population swelled with 30,000 refugees streaming in from dozens of surrounding villages devastated in the May 3 cyclone.
Laputta is located near the coast of the Irrawaddy delta some 120 kilometers (75 miles) southwest of Rangoon.
But efforts to rush food and medicine from Laputta to lower-lying parts of the delta that were hardest hit have been slowed by the military's intense micromanaging.
"The government wants total control of the situation although they can't provide much and they have no experience in relief efforts," said a leading aid worker for an international aid organization. "We have to report to them every step of the way, every decision we make."
"Their eyes are everywhere, monitoring what we do, who we talk to, what we bring in and how much," the aid worker said in a soft voice, constantly looking around nervously as his assistant turned off all the lights except one dim lamp.
He agreed to the interview at night after being assured he wouldn't be named or identified in any way.
"Sorry, sorry. We don't want them to see you here. They don't trust us, as it is," he told a foreign reporter in Laputta.
The town, about 200 meters (600 feet) inland, is littered with flattened thatch-roofed homes and fallen trees. But it fared better than most neighboring villages, with several structures withstanding the cyclone's 190-kilometer (120-mile) per hour winds and the tidal surge it whipped up.
Schools, large houses and monasteries have become temporary shelters. Hundreds of survivors crowd the floor of a monastery's open-air hall, which is lit by dim kerosene lamps and candles. Only a few houses, mostly those belonging to people connected with officials, have generators.
People quietly eat whatever food is available while others try to sleep. Most people have to sit up because there is no space to lie down.
Few survivors wanted to speak to an outsider, as military trucks drove constantly through the town. Most cowered in corners.
[Photo: Survivors take shelter while waiting for first aid treatment in Laputta on May 10. (Photo: Reuters)]
"We are family now. We are from the same place. We are together," said U Nyo, one of the survivors, his eyes red from tears and fatigue. "We need food. There isn't enough space in the town so we decided to stay here."
What lies beyond Laputta is the worst of the devastation, an area that remains difficult to access.
Fishing boats along the coast have helped ferry survivors to safety but can't make enough rounds a day to rescue everyone and the trip is a stomach-wrenching journey, said Maung U, the 36-year-old driver of a rescue boat.
"Each trip takes five or six hours through a narrow waterway littered with dead bodies," he said. "Every few meters, you see another dead body, human or animal."
He said every family has at least two or three persons missing or dead, and many people had to leave the bodies of their family members behind in the water or in the fields.
Diesel supplies are running low and rescuers fear that time is running out to help the people stranded in remote delta villages.
"Some have been living on coconuts," he said. "But even those are running out."
Copyright © 2008 Irrawaddy Publishing Group | www.irrawaddy.org

Updating all the timezone stuff one needs on a LAMP environment (necessary in Australia because they changed the daylight savings start date once again). I haven't yet been able to convince my hosting provider to go through all this hassle, and the tables are outdated - so Aussie visitors may see an incorrect time on some of my websites for the next week.
Test:
# zdump -c 2009 -v Australia/Sydney | grep 2008
Australia/Sydney Sat Apr 5 15:59:59 2008 UTC = Sun Apr 6 02:59:59 2008 EST isdst=1 gmtoff=39600
Australia/Sydney Sat Apr 5 16:00:00 2008 UTC = Sun Apr 6 02:00:00 2008 EST isdst=0 gmtoff=36000
Australia/Sydney Sat Oct 4 15:59:59 2008 UTC = Sun Oct 5 01:59:59 2008 EST isdst=0 gmtoff=36000
Australia/Sydney Sat Oct 4 16:00:00 2008 UTC = Sun Oct 5 03:00:00 2008 EST isdst=1 gmtoff=39600
(If the first two lines contain 'Mar' instead of 'Apr', you've got old tables.) For example, this is what an unpatched system reports:
# zdump -c 2009 -v Australia/Sydney | grep 2008
Australia/Sydney Sat Mar 29 15:59:59 2008 UTC = Sun Mar 30 02:59:59 2008 EST isdst=1 gmtoff=39600
Australia/Sydney Sat Mar 29 16:00:00 2008 UTC = Sun Mar 30 02:00:00 2008 EST isdst=0 gmtoff=36000
Australia/Sydney Sat Oct 25 15:59:59 2008 UTC = Sun Oct 26 01:59:59 2008 EST isdst=0 gmtoff=36000
Australia/Sydney Sat Oct 25 16:00:00 2008 UTC = Sun Oct 26 03:00:00 2008 EST isdst=1 gmtoff=39600
Debian:
# apt-get update
# apt-get install tzdata
PHP 5.x:
# apt-get install php5-dev
[fetch and save] http://pecl.php.net/get/timezonedb
# tar zxvf timezonedb-xxxxxxx.tgz
# cd timezonedb-xxxxxxx
# phpize
# ./configure
# make
# make install
# echo "extension=timezonedb.so" > /etc/php5/conf.d/timezonedb.ini
# /etc/init.d/apache2 restart
MySQL:
# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p
(ignore all the errors from Riyadh{NN}, iso3166.tab, and zone.tab)
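The 'Mar' versus 'Apr' check above can be scripted. This is an added example, not part of the original post: it parses the `zdump -v` line format shown above for any year, reports the local dates of the DST transitions, and compares the 2008 dates with the ones a patched Australia/Sydney table shows. The two sample listings are constructed from the post's own output; the live check at the end runs only where `zdump` is installed.

```shell
#!/bin/sh
# Print "<end|start> <Mon> <Day>" for each DST transition in YEAR read on stdin.
# zdump -v prints two lines per transition (the last second of the old offset and
# the first second of the new one); the transition is the line whose isdst flag
# differs from the previous line's. Fields are positional, so the UTC/UT label
# and the zone abbreviation (EST here, AEDT/AEST on newer tables) do not matter.
dst_transitions() {
    awk -v year="$1" '
        $13 == year && $15 ~ /^isdst=/ {
            split($15, kv, "=")
            dst = kv[2]
            if (seen && dst != prev) {
                kind = (dst == "1") ? "start" : "end"
                print kind, $10, $11
            }
            prev = dst
            seen = 1
        }'
}

# Succeed only when the text in $1 shows the 2008 transitions a patched table
# must have: DST ends Sun Apr 6 and starts again Sun Oct 5.
check_sydney_2008() {
    got=$(printf '%s\n' "$1" | dst_transitions 2008 | tr '\n' ';')
    [ "$got" = "end Apr 6;start Oct 5;" ]
}

# Constructed samples, copied from the post's patched and unpatched listings.
PATCHED='Australia/Sydney  Sat Apr  5 15:59:59 2008 UTC = Sun Apr  6 02:59:59 2008 EST isdst=1 gmtoff=39600
Australia/Sydney  Sat Apr  5 16:00:00 2008 UTC = Sun Apr  6 02:00:00 2008 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct  4 15:59:59 2008 UTC = Sun Oct  5 01:59:59 2008 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct  4 16:00:00 2008 UTC = Sun Oct  5 03:00:00 2008 EST isdst=1 gmtoff=39600'
UNPATCHED='Australia/Sydney  Sat Mar 29 15:59:59 2008 UTC = Sun Mar 30 02:59:59 2008 EST isdst=1 gmtoff=39600
Australia/Sydney  Sat Mar 29 16:00:00 2008 UTC = Sun Mar 30 02:00:00 2008 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct 25 15:59:59 2008 UTC = Sun Oct 26 01:59:59 2008 EST isdst=0 gmtoff=36000
Australia/Sydney  Sat Oct 25 16:00:00 2008 UTC = Sun Oct 26 03:00:00 2008 EST isdst=1 gmtoff=39600'

check_sydney_2008 "$PATCHED"   && echo "sample patched table: current"
check_sydney_2008 "$UNPATCHED" || echo "sample unpatched table: old rules"

# Live check of this machine's tables (skipped where zdump is not installed).
if command -v zdump >/dev/null 2>&1; then
    if check_sydney_2008 "$(zdump -c 2009 -v Australia/Sydney)"; then
        echo "system tzdata: current"
    else
        echo "system tzdata: old"
    fi
fi
```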
Those two or three people who actually visit this website may have noticed that I haven't done much with it lately. I think it's time to declare it over and done with - though I'll leave the archives here indefinitely should anybody wish to see the timeline of happenings.
Blogging is so 2002. Social nets are so 2004. I'm tired of it all. Seems the world has tired of my writings as well (or more accurately it's just another channel of stuff amongst the 200+ million channels of stuff to choose from on the web). Thanks to the RSS fiasco and a host of other factors (e.g. search behaviour, PageRank changes, my use of a 'non-standard' community platform, etc.), traffic has plummeted way beyond rock bottom. We're now down to 3 visitors a day on average, down from 100,000 back in October and even the 20-30,000 around Christmas.
There's no point anymore writing into space - as I mentioned a few weeks back. The photo albums for friends and family are largely unseen. Except for two of you, friends and family are too intimidated by online spaces to touch the place.
The community site has been a dismal failure - a lot of hard work wasted.
It's coming up on one year since I arrived in Australia, and so much has changed. Work and family consumes my time, as it should (at least family). Work is what it is. Blogging and social nets are a thing of the past, and tremendous time-wasters at that.
It was fun. Now onto the next chapter - of a book which probably won't be written online.
I'm pretty much ranted out.

17 days and a wake-up until the wedding. So many last minute details to deal with. At least I found shoes to wear under my wedding dress. I'm working on the veil - good thing it's a very basic veil.
Still need to get a small guest book and gifts for the maid of honor and the best man. 2 more details to take care of before heading for Vegas. Looking at the cost to take a shuttle to the Oakland Airport - it works out cheaper to park in one of the park-n-fly lots. At least we'll know where the car is and not have to worry if the shuttle will get us to the airport on time and be there to pick us up. Can't ask anyone in the family to transport us - they're going to Vegas too.
Packing is going to be fun - at least the airline won't start charging for checking a second bag until after we come back. 1 suitcase is going to be for wedding clothes only and I hope it doesn't weigh more than 50 lbs. We'll have to fit everything else in the other bags and my carryon bag. We won't talk about what's in Fred's carryon bag.
Looks like it's going to be a small wedding - 18 people including my better half & myself. Can't complain, last wedding only had 2 guests. Can't remember how many at the first one - way too long ago. My oldest brother, his son and daughter-in-law and their kids aren't going to make it though. The rest of the family is. A few friends are making the trip too so it should be fun for all.
And so here are two posts in one day. And Holy Cow, are you kidding me? This is not on any news agency that most Americans receive...
Indonesia Intensifies Security for Terror Fugitive after Singapore Escape
By GILLIAN WONG | Saturday, March 1, 2008
Security forces continued to comb Singapore on Saturday for a suspected terrorist leader after he escaped last week from a high security prison.
Photo: Singapore Armed Forces military policemen are seen keeping watch under a major highway close to a wooded area. Interpol said Friday it has issued a worldwide security alert following the escape of an alleged Islamic terror leader from a jail in Singapore. (Photo: AP)
Mas Selamat is accused of plotting to hijack a plane and crash it into Singapore's international airport. The Singapore government said he escaped Wednesday because of a "security lapse" at the high security detention center.
Dozens of community leaders, including members of Parliament, fanned out to distribute posters of the fugitive to the public.
Security breaches are virtually unheard of in Singapore. Among its security services' biggest successes were pre-empting alleged plots to bomb the US Embassy, the American Club and government buildings in 2001—schemes in which Mas Selamat allegedly had a hand.
I won’t harangue you now or later during the election year. But I do want to make my opinion known, hence today’s scribbling. Most of my friends who have made their own feelings known, have chosen Hillary Clinton as their candidate. I have chosen Barack Obama, and want to tell you why.
There are many reasons, today I will write about three. I believe his anti-war position is stronger than any candidate other than (perhaps) Ron Paul. Mr. Paul however, has leadership issues in my eyes that make him less attractive. A strong anti-war position is important to me. I don’t believe that war makes anyone safer. In a world where ‘war on terror’ is a buzzword that implies that Americans are in mortal danger every moment from radical extremists, and as such must sacrifice the freedoms and liberties we claim to believe in, those of us who disagree need a standard bearer to lead us into a new way of governing on the world stage. We need to reach out to all, not just our ‘friends’ or allies. The war in Iraq is misguided, and we have yet to see or comprehend the ultimate price we will pay for our folly. It will disrupt our culture, destroy our economy, and undermine any chance we have as a nation of contributing to world solutions to global problems. It has already destroyed our image around the world. We are beginning to see the results in the rising price of gas and the falling value of the dollar in overseas markets. But these effects are just the tip of the iceberg that is in our path. The war must be ended sooner rather than later. I believe it will happen sooner with Mr. Obama than any other candidate.
The second reason I came to support Mr. Obama is his goal of inclusiveness. He, more than any other candidate, espouses the belief that we are all one. His is not a politics of divisiveness, of us v. them, of looking down our collective noses at the rest of the world. First of all, anyone who is awake and has lived outside the US understands one thing: no country is perfect. But likewise, no country is entirely evil, either (neither Burma nor Afghanistan). There is good, and the drive for good, in all people, races and countries. Conflict happens when the door to discussion, to understanding, is closed. Mr. Obama has received criticism from all in the Washington culture, Ms. Clinton included, about his stand on negotiating with anyone. I agree with him, that you cannot shut the door to discussion with even your enemy if you have a hope to resolve conflict through peaceful means. I have loved the quote from John Kennedy that Obama often refers to: “Do not negotiate from fear, but also do not fear to negotiate” from the first time I heard it. Seeing good in even your own enemy is the first step in conflict resolution, and that requires dialogue and an open mind (both appealing qualities in a leader).
And so to the third reason. Please ask yourself what it is that you expect from a President. Myself, I expect someone who will express a vision and inspire all to join the effort to make it real. A President cannot, alone, change the economy, nor balance a budget, nor start a war. A President must be a leader, and having been a leader myself, I understand what it requires: breaking up the project into pieces that each person can lift and carry themselves, and directing those pieces into a coherent whole that makes the future your vision requires. At its most fundamental, leadership is the art of negotiation and communication.
And so I ask myself: do I believe Ms. Clinton has the ability to inspire others? To reach out around the world to all the people, races and cultures that America has wronged in the last few decades? I have to say no. She has spent her whole career trying to fit into the Washington political scene, and now campaigns claiming her ‘experience’ will let her hit the ground running. First of all, what experience? First Lady? As Senator, just like Mr. Obama? Whitewater? As a lawyer, just like Mr. Obama? To my taste, she’s too much like what got us here, when what I want is someone to lead America out of the swamp. I also appreciate that Mr. Obama has more sense of his international roots. Until you’ve spent significant time outside the US, it’s difficult to assess America’s role in the global situation, and leads to faulty (insular) thinking. As the world grows smaller, new leadership must look beyond the borders of America to find what makes everyone safe, safe from others, from environmental degradation, from bad water or disease, from economic ruin. That may require an end to nationalism, and I ask you today: are you prepared to think globally, universally? Or will you continue to think American?
Please join me in voting for a new vision that includes all in dialogue to solve our problems, to let every spirit flourish, to fill every soul with joy.
The school start of session turned out to be a non-event thanks to all the preparatory work we've done in the last few weeks. Yawn. Whew!
Gas prices in San Francisco hit $3.35/gallon. Which implies that peninsula prices are probably closing in on $3.50. Whatever. Don't whine. We pay a bit over $5 here.
The U.S. shoots down its errant Keyhole satellite. Seems that a load of hydrazine fuel may or may not be the hazardous substance they were warning us about - if indeed there was one. Likely this had something to do with posturing vis-a-vis China who shot a satellite to smithereens (actually large chunks) recently. If the thing smashed up over a major city it wouldn't really matter if it had a full tank or not. The death toll would be about the same either way. The real motive is probably that it was headed for a crash somewhere that the US couldn't get to and lock down the site.
Nader jumps into the presidential race. Why now? OK, better question - why at all? The media never took him seriously enough to do their routine mudslinging probes. Let's quickly figure out what skeletons are in his closet and get rid of him before he screws up yet another election.
Yesterday around lunchtime an entire subnet at the school went 'dark'. This is not good. The session ('semester' for my friends in the northern hemisphere) starts on Monday. This is the absolute busiest time of year for faculty and staff because we've got a lot of stuff to prepare for next week when the hammer falls.
The curious thing is that the subnet that went 'dark' was only one subnet, and another subnet which traverses the same wire continues to work fine. So only a random smattering of machines was affected. This made it very difficult to even track down what happened because it appeared as a random cluster of machines that suddenly could not route packets. As it turns out they're all related by having an equal third byte of the IP address. What made it even more difficult to troubleshoot is that two of these machines which went dark are the primary DNS servers, so when they vanished, nobody could see anything 'by name' until we patched a couple of machines over to an alternate.
Trying to get anything done by IP number is a minefield, because even if you don't use any hostnames directly, you might accidentally touch a server or service which does - and you're screwed; waiting for it to time out (if you're lucky). Some services just hang until you get tired of looking at the hourglass icon and then you have to go find another already logged-in session somewhere else to work. Can't start any new sessions because they mount home directories, which touch name servers and will hang.
So I'm chugging the morning coffee and heading off to work an hour early this morning to try and recover from this disaster. Spent half the night awake formulating a plan after spending the entire evening determining for certain where the problem was. The problem is a router that's locked in a closet, and only the main campus IT folks have keys. Coincidentally, they made some configuration changes in that closet yesterday. Around lunchtime.
Gentlemen, get over here right now and unlock that door.
Unfortunately it isn't that easy, as there are layers of bureaucracy to contend with. My backup plan is to move two of our absolutely critical machines out of the darkness and into the light. One of them I can unplug and carry away. The other is a virtual machine living on two networks (which can run elsewhere) but I've got to find a wire in another room/building that can talk to both subnets. Oh and a cooperative host with enough disk and memory, that won't mind being loaded up with an alien machine.
I've got this Minarik Goddess Special Edition guitar that I picked up to sell a few years back, and it never sold. So I kept it. It's really an awesome guitar, but I could never quite figure out why I didn't like it. It's 'meaty' (the best way to describe it). Not a speed demon. Should be great for jazz, rhythm, or chordings like heavy metal or ACDC. Beautiful to look at, exceptional tone quality. But it sounded like shit. I didn't do anything with it until recently because of this, and the fact that it was best left as-is as a collectible to hopefully sell some day. (Serial # 000025).
But finally I figured that it wasn't much good to anybody if it sat in the case year after year. So I put some decent strings on it, changed the neckstrap button to play it backward, and then did a setup (to match the new strings to the scale length). That improved things quite a bit. It no longer sounded horrible. But it was still lacking sustain. Curious because being so meaty you'd think that is where it would shine. The problem was the frets - big meaty badass frets that had been hand shaped. And therein lies the problem. The hand shaping left them a bit rough. It took a few weeks of playing for the strings to 'polish' both the frets and the intricate inlays and smooth them out. Now it sings like a bird. I can add it to the list of 'perfect' guitars that I've acquired over a lifetime of searching. It doesn't matter that it's 'meaty' because that's a quality that makes it suited for particular uses. No guitar is perfect for all uses. They all have their special qualities which makes them best suited for one thing or another.
Looks pretty much like this one, except hers is left-handed. Mine is right-handed but I play it backward (left-handed). Don't ask. The answer will make your brain hurt.
Coincidentally, my Phoenix acoustic (which is currently showing in the main macgirvin.com website banner) also has improved recently - although it was already near perfect. This was from a batch of guitars I bought a few years back that were all awesome except they all cracked and split. I've spoken about this previously. This one didn't actually split, but developed two hairline cracks on the backside (that didn't affect the sound or beauty). Anyway, I'm pleased to report that with relocating to a more humid environment, the hairline cracks completely vanished! It's perfect once again, and as far as I know, the only surviving specimen of this incredible line of guitars.
Getting ready for the start of session next week so my postings have been and may be irregular for a while. Imaging lab machines, importing accounts, installing software for lecturers, that kind of thing. As soon as the students hit it'll be flat out for another few weeks as they all need to know how to set proxies and set up their mail accounts and every other system question that they come up with.
But just so y'all don't feel totally neglected, here's a public service announcement from the anti-fur society.
Remember folks, wearing animal fur is bad and makes you look ugly. See what I mean?

pcu.dist


An obvious flaw which quickly became apparent was using an image/entity on the main page to link to the auth server - as the page would then need to be rendered before authentication can succeed. This is backward because you usually want to know the authentication state before you provide content.
So the best way to work this is to use a redirect out front to ensure both domains are accessed before the page is rendered. This in fact matches what many larger sites do for authentication, a separate auth server which passes through to the request server. Using a second session key in another domain to neutralize any effect of stealing the primary session key I believe is relatively rare in practice, although it may be implemented on these larger sites. The basic concept can be applied to small hosted sites very easily without requiring multiple machines and a data cloud architecture. This is what makes it attractive - it can be easily added into any existing hosted community software.
Also, there are many other reasons why you would want to limit the ability to use javascript on community pages - but these should be to reduce potential annoyance and disruptive behaviour rather than to protect the integrity of your authentication. There are just way too many ways to get javascript into a page to try and protect them all from sessionid theft. But if sessionid theft has no gain, such script restrictions are a matter of choice rather than an absolute necessity.
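As an added sketch of the redirect-plus-second-key design (my own illustration, not the author's code or any existing implementation): a browser holding both cookies gets the page rendered, while one holding only the primary sid, which is all a script injected into a community page can read from its own domain's cookies, is sent back to the login page. The domain names community.example and auth.example, the HMAC-signed proof the auth server hands back, its 30-second lifetime, and the modelling of the redirect pair as a direct function call are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Secret shared by the community server and the auth server (constructed here).
SHARED_KEY = secrets.token_bytes(32)

# community.example: primary sid -> user.  auth.example: the same sid -> the
# second key that lives only in the auth domain's cookie jar.
community_sessions = {}
auth_sessions = {}


def login(user):
    """Issue both cookies; a browser stores each under its own domain."""
    sid = secrets.token_urlsafe(16)
    second = secrets.token_urlsafe(16)
    community_sessions[sid] = user
    auth_sessions[sid] = second
    return {"community.example": {"sid": sid}, "auth.example": {"auth": second}}


def _mac(sid, expiry):
    return hmac.new(SHARED_KEY, f"{sid}:{expiry}".encode(), hashlib.sha256).hexdigest()


def auth_verify(sid, auth_domain_cookies, now):
    """auth.example endpoint that the front redirect lands on: succeeds only
    when the browser also presents the auth-domain cookie, and then returns a
    short-lived signed proof for the redirect back to community.example."""
    expected = auth_sessions.get(sid)
    presented = auth_domain_cookies.get("auth")
    if expected is None or presented is None:
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    expiry = now + 30  # proof lifetime in seconds (assumed value)
    return f"{sid}:{expiry}:{_mac(sid, expiry)}"


def community_request(cookie_jar, now):
    """Front controller on community.example: bounce through the auth domain
    before rendering anything (the redirect pair is modelled as a direct call)
    and render only when a valid proof comes back."""
    sid = cookie_jar.get("community.example", {}).get("sid")
    if sid not in community_sessions:
        return "login page"
    proof = auth_verify(sid, cookie_jar.get("auth.example", {}), now)
    if proof is None:
        return "login page"
    psid, expiry, mac = proof.split(":")
    if psid != sid or int(expiry) < now:
        return "login page"
    if not hmac.compare_digest(mac, _mac(sid, int(expiry))):
        return "login page"
    return f"page for {community_sessions[sid]}"


if __name__ == "__main__":
    jar = login("alice")
    # An injected script sees only community.example's cookies: the sid alone.
    stolen = {"community.example": dict(jar["community.example"])}
    print(community_request(jar, now=1000))     # page for alice
    print(community_request(stolen, now=1000))  # login page
```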