Weblog: Aug 2007


XChat, IRC Security, Privoxy Tunnels

I still use Internet Relay Chat occasionally. Sometimes I need to ask a question on IRC using WiFi in a sketchy area (say, cafe near MIT), or I want to disguise my location from random IRCers (say, when I'm at a client site or a friend's house).

Such security and privacy issues were the main motivation for using text-terminal IRC clients on trusted servers for over a decade. Now that I'm using XChat, I needed to reproduce the various encryption and IP address hiding that I had going on before. I didn't want to mess around with IRC bouncers, IRC-specific proxies, nor VPNs.

The other day, I implemented a 5-minute solution to this for XChat on my laptop, by having a hotkey sequence set up an SSH port-forwarding tunnel from my laptop, through my trusted server, to a server of a certain IRC network:

ssh -L 127.0.0.1:6666:irc-server.foo:6667 -N my-server.foo

I had an XChat network item with only one server 127.0.0.1/6666. The XChat network options for proxy server, SSL, etc. are disabled.

However, I soon needed my old Privoxy-based Web traffic forwarding, so that I could buy something on eBay from a cafe without letting someone hijack my account session. Once I had my Privoxy tunnel again, I realized that I could solve my IRC problem by using HTTP CONNECT through the remote Privoxy, and get rid of the IRC-server-specific SSH tunnel.

To do this, I disabled CONNECT-limiting on the remote Privoxy, by adding this default action rule (which is safe to do, because the remote Privoxy listens only on 127.0.0.1):

+limit-connect{-}

Then I configured XChat to use the HTTP proxy, on XChat Preferences -> Network setup -> Proxy Server. Hostname 127.0.0.1, port 8119, type HTTP, use proxy for all connections. I got rid of the tunnel-specific XChat IRC network entry I created before.
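To see what the Privoxy rule above actually changes, here is an added example (not code from the post, and not Privoxy's own code) that models the CONNECT handshake XChat performs when it is pointed at the HTTP proxy. A mock proxy thread answers a single CONNECT either under Privoxy's default policy (tunnels to port 443 only) or under the post's +limit-connect{-} rule (any port); the client side builds the request an IRC client would send and parses the status line. The host name irc-server.foo and the exact 403 reason phrase are assumptions for the mock.

```python
"""Mock of Privoxy's limit-connect behaviour plus a minimal HTTP CONNECT client.
Added example; it does not talk to a real Privoxy or IRC server."""
import socket
import threading


def connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request an IRC client such as XChat sends to an HTTP proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> int:
    """Return the numeric status code from the proxy's reply."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def tunnel_allowed(port: int, allowed_ports) -> bool:
    """Model the limit-connect action: None stands for '-' (CONNECT to any port)."""
    return allowed_ports is None or port in allowed_ports


def run_mock_proxy(allowed_ports, ready: threading.Event, info: dict) -> None:
    """Single-shot mock proxy: accept one CONNECT and answer according to policy."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only, like the post's Privoxy
    srv.listen(1)
    info["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:  # read the request head
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
        req = data.split(b"\r\n", 1)[0].split()  # e.g. [b"CONNECT", b"host:6667", b"HTTP/1.0"]
        if len(req) == 3 and req[0] == b"CONNECT" and b":" in req[1]:
            target_port = int(req[1].rsplit(b":", 1)[1])
            if tunnel_allowed(target_port, allowed_ports):
                conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            else:
                # reason phrase assumed for the mock; a real Privoxy returns its own 403 page
                conn.sendall(b"HTTP/1.0 403 Connection not allowable\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
    srv.close()


def try_connect(allowed_ports, irc_host: str, irc_port: int) -> int:
    """Start a mock proxy with the given policy, send one CONNECT, return the status code."""
    ready = threading.Event()
    info = {}
    t = threading.Thread(target=run_mock_proxy, args=(allowed_ports, ready, info), daemon=True)
    t.start()
    ready.wait(2)
    with socket.create_connection(("127.0.0.1", info["port"]), timeout=2) as s:
        s.sendall(connect_request(irc_host, irc_port))
        reply = s.recv(1024)
    t.join(2)
    return parse_status(reply)


# Privoxy without an explicit limit-connect rule only tunnels to 443;
# the post's "+limit-connect{-}" rule corresponds to None (any port).
PRIVOXY_DEFAULT = {443}
LIMIT_CONNECT_MINUS = None

if __name__ == "__main__":
    print("default policy, IRC port 6667:", try_connect(PRIVOXY_DEFAULT, "irc-server.foo", 6667))
    print("+limit-connect{-}, IRC port 6667:", try_connect(LIMIT_CONNECT_MINUS, "irc-server.foo", 6667))
```

Run stand-alone it prints 403 for the default policy and 200 once the rule is relaxed, which is why XChat's proxy connection fails until the rule is added. The relaxed rule is only reasonable because, as the post notes, the remote Privoxy listens on 127.0.0.1 and is reached through the SSH tunnel; a Privoxy exposed on a public interface with +limit-connect{-} would be an open TCP relay.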

It works fine. The main drawback is that I now need to have my Privoxy tunnel up, even when on my LAN at home. That means a tiny bit of hassle, increased traffic for my remote server, increased latency, and less chance of recovering the IRC connection when a WiFi link is dropped briefly.

Again, the right way to do this would probably be OpenVPN and either a server with a very big pipe (or lots of hassle with routing rules and SPI to VPN only sensitive traffic). I prefer the 5-minute solution for now.

When Wikis Bite Their Owners

Sometimes, your internal-use-only wiki punishes you for being too productive.

MoinMoin "surge protection."

Photo of the Day, NHTSA, Bush Fear of Analysis

Without special permission, officials [at the National Highway Traffic Safety Administration] are no longer allowed to provide information to reporters except on a background basis, which means it cannot be attributed to a spokesman. [...] The administrator is Nicole R. Nason, who took over on May 31, 2006, after she was appointed to the post by President Bush.

—By Christopher Jensen, "What's Off the Record at N.H.T.S.A.? Almost Everything," nytimes.com Wheels blog, 2007-04-22 12:07pm

Someone picked the perfect stock photo for this piece. Who can't face reporters without safety goggles?

It seems like every Federal agency employing scientists, engineers, or analysts of any kind is being gagged by the Bush administration.

Simulating a Web Server Farm Using Linux VServer on a Broken Laptop

I'm working on the architecture for a Web service that scales its dynamic content by clever use of a farm of load-balanced dumb commodity HTTP servers serving static objects. The dumb HTTP servers need only serve via HTTP objects SCP'd or Rsync'd to their local filesystems, and store access logs that can be processed via a program that is copied over and invoked via SSH. A separate host (or three) controls the centralized data and coordinates the farm of fast-and-cheap HTTP pawn servers.

While developing this centralized server, I need a small farm of pawn servers for functional testing purposes. What is important is that each pawn server have its own IP address, filesystem, Apache, and SSH server. Performance testing will not be done at this point, so I can simulate the farm of pawns on a single machine, rather than filling my kitchen with old tower PCs.

Rather than power up a single tower or my spare 1U server for this purpose, I decided to use my old IBM ThinkPad X20 laptop (which is no longer useful as a laptop, after its spine-shattering drop to the floor). The ThinkPad is small, quiet, and uses little power.

For the virtualization software, I first looked briefly at Xen and Linux KVM before deciding that Linux VServer enabled the most expedient solution for my pretty straightforward requirements. I could find no correct documentation on the Web for how to do what I need with VServer on Debian, however. Hence this blog entry, which captures what I found worked, for the benefit of myself or others in the future.

I did essentially the following to create a simulated farm of size three:

  1. Reserve three static IP addresses, one for each VServer guest. For my laptop, named claire (Keim), the three VServers are named claire1 through claire3, and the IP addresses are 192.168.1.201 through 192.168.1.203. claire, the VServer host, is 192.168.1.200.

  2. Install Debian GNU/Linux Etch on the laptop. Just the minimum install, plus packages openssh-server and screen. Get security updates.

  3. Install Debian's packaging of the Linux kernel with VServer patches:

    1. Install the package:

      apt-get install linux-image-vserver-686
      

    2. Edit /boot/grub/menu.lst to make the VServer kernel the first.

    3. Reboot into the VServer kernel. (Note: It seemed necessary to be running a VServer kernel before attempting to install the VServer userspace tools, to get all the Debian install-time behavior.)

  4. Install the VServer userspace tools:

    apt-get install util-vserver vserver-debiantools

  5. For each VServer guest, do as for the following example of claire1, modifying the hostname, IP address, and Ethernet interface as necessary.

    1. Use the Debian-specific newvserver tool to create the guest:

      newvserver --hostname claire1 \
                 --domain neilvandyke.org \
                 --ip 192.168.1.201/24 \
                 --mirror http://http.us.debian.org/debian/
      
      There will be several interactive prompts. Basically:
      • Set time zone to U.S. Eastern.

      • Enable shadow passwords.

      • Set root password.

      • Don't create a normal user account.

      • Don't select any additional software.

    2. Configure the guest to use a virtual Ethernet interface based off eth0, so claire1 would have eth0:1; claire2, eth0:2; etc. (Note: with the newvserver in vserver-debiantools version 0.3.4, you cannot give a virtual interface with the --interface command-line option, since that triggers a bug, which is why we set the interface here.)

      echo eth0:1 > /etc/vservers/claire1/interfaces/0/dev
      

    3. Start the new guest:

      vserver claire1 start
      

    4. Install SSH server and Apache 2:

      vserver claire1 exec apt-get install openssh-server apache2
      

    5. Verify that you can SSH to 192.168.1.201 and that you can access the placeholder page at http://192.168.1.201/.

Now that I know what I'm doing, I'd make a script to automate this. I'd also use my own Debian mirror, grabbed via debmirror.
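As an added example of the automation script mentioned above (mine, not the post's or Debian's code), the following Python derives each guest's name, IP address and interface alias from the host name and host IP using the post's scheme (claire1 is 192.168.1.201 on eth0:1, and so on), and emits the per-guest commands of step 5, including the hand-written interfaces/0/dev file that works around the --interface bug. It assumes the post's tool names newvserver and vserver and the /etc/vservers/<name>/interfaces/0/dev path; by default it only plans the commands, and executes them (as root, on the VServer host) only when dry_run is False.

```python
"""Plan, and optionally run, the per-guest VServer steps for a farm of N guests.
Added example; the tool names and paths are those given in the post."""
import ipaddress
import subprocess
from typing import List


def guest_plan(host: str, host_ip: str, index: int, iface: str = "eth0",
               domain: str = "neilvandyke.org",
               mirror: str = "http://http.us.debian.org/debian/") -> dict:
    """Derive name, address and interface alias for guest number `index` (1-based).
    Guest i gets host_ip + i inside the host's /24 and the alias iface:i."""
    net = ipaddress.ip_interface(f"{host_ip}/24")
    ip = net.ip + index
    if ip not in net.network or ip == net.network.broadcast_address:
        raise ValueError(f"guest {index} would fall outside {net.network}")
    if ip == net.ip:
        raise ValueError("guest IP collides with the host's own address")
    return {"name": f"{host}{index}", "ip": f"{ip}/24", "dev": f"{iface}:{index}",
            "domain": domain, "mirror": mirror}


def guest_commands(plan: dict) -> List[List[str]]:
    """The post's steps 5.1 to 5.4 for one guest, as argv lists."""
    name = plan["name"]
    dev_file = f"/etc/vservers/{name}/interfaces/0/dev"
    return [
        ["newvserver", "--hostname", name, "--domain", plan["domain"],
         "--ip", plan["ip"], "--mirror", plan["mirror"]],
        # write the alias directly rather than via --interface (the bug the post mentions)
        ["sh", "-c", f"echo {plan['dev']} > {dev_file}"],
        ["vserver", name, "start"],
        ["vserver", name, "exec", "apt-get", "install", "openssh-server", "apache2"],
    ]


def build_farm(host: str, host_ip: str, count: int, dry_run: bool = True) -> List[List[str]]:
    """Plan every guest in order; run the commands only when dry_run is False."""
    commands: List[List[str]] = []
    for i in range(1, count + 1):
        commands.extend(guest_commands(guest_plan(host, host_ip, i)))
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)  # newvserver still prompts interactively
    return commands


if __name__ == "__main__":
    for argv in build_farm("claire", "192.168.1.200", 3):
        print(" ".join(argv))
```

The address check refuses guests that would land on the host's own address or outside the /24, which is the kind of mistake that silently breaks step 5.5's SSH and HTTP verification.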

At time of this writing, I've not yet set up vunify.

Mr. Deity

Mr. Deity is funny and well-executed.

Pitfalls of Demos with Live Data

Live demos can be risky, even when operating with a static environment (or data). A live demo in an uncontrolled environment is riskier -- such as when the environment presents a case the system cannot handle well.

In earlier years of the Web, I encountered an additional way that demos with live data are risky.

I believe it was September 5th, 1997. I was a new grad student at MIT. Due to bureaucratic snafu, I didn't have a computer. So I was using an old broken piece of garbage computer with a big old CRT that was effectively in a hallway, to check email and whatnot.

I think I had my first-phase MyPaper prototype on screen when a research scientist came up and wanted to see it. MyPaper implemented a newspaper metaphor for Web software agent reporting, and its main feature was news items scraped from the Web.

I gave him an elevator speech on some of my ideas as I brought up a new MyPaper issue, and it was all exciting. Then, while scrolling through the MyPaper issue, I sensed he was zoning out, and I was probably thinking, "drat, he's reading the news." Then he said in a sad voice, "Mother Teresa died...," which must have been a breaking news item.

Way to buzzkill my demo, Mother Teresa.

Houston, We Have a Fake Operations Center

This photo accompanies a Slate article, with the caption:

A live "ops center" in a country SCL won't identify.

Overlook the dummy graphics on the big displays, and count the laughably bad human-factors flaws that pervade the design.

I don't think one should try to design a convincing -- much less, functional -- operations center by naive borrowing of elements from pirated "24" TV episodes and old NASA command center footage.

Running and Water Bottle Poisons

After a week of running, I can now go 4 kilometers on a soft track pretty easily. I'd stopped running after spraining my knee one winter a few years ago, and am very happy that the knee isn't complaining.

I decided it was time to get a water bottle that was intended to be reused. Earlier this year, I'd read about leaching of nasties from various types of materials used for food containers (which prompted me to invest in Pyrex for my kitchen), so I did a refresher Google.

I know little about materials, chemistry, and biology, so I'm not qualified to evaluate the scientific studies. The popular articles I found were mostly in agreement that the polycarbonate plastic (SPI resin code #7) used in the popular clear and colored Nalgene bottles was bad for you, and PETE #1 was considered bad, at least for reusable bottles, as well. Pretty much everyone agreed that milky-white HDPE #2 or LDPE #4 was the way to go. Some also recommended lined stainless steel bottles, like those by Sigg, as an alternative.

(A colleague who'd done chemistry research as an undergrad thought that a few cycles of boiling would pretty much exhaust the nasty chemicals that could leach from the polycarbonate bottles. But I decided to simply get one considered by experts to be safe, rather than engage in DIY alchemy.)

I went to Eastern Mountain Sports in Harvard Square, and all the plastic water bottles that I and an employee could find in stock were the dreaded #7. A second employee suggested that they might be getting the non-killer version of Nalgene bottles in, in time for September.

Then I stumbled upon the EMS-branded LDPE #4 bicycle water bottles, which are not in the same section of the store as the other water bottles. I don't know the plastic type for the black cap (PP #5, perhaps?). They're lightweight, soft, inexpensive to replace if lost or stolen ($4, as compared to Siggs for $20 to $35), have a wide opening for easy cleaning, and are easy to carry even with sweaty hands, due to the typical bike water bottle groove. The bottle I purchased looks somewhat better than the ugly one shown on ems.com, with the new and more discreetly-printed logo, and a black cap.

Buy a carton of them, and mail them to all your friends! Cultivate an aura of eccentric genius, or at least eccentric.

XKCD Does LISP

"Lisp Cycles"


Site © 1994-2008 Neil Van Dyke   neil@neilvandyke.org