Geek Drivel

Geek Drivel is suddenly ridiculously popular with would-be blog spammers. I’m told that my primary defenses have blocked more than 400 automated spam messages in the last week, and maybe a dozen have gotten past them — all caught by my secondary defenses, I’m happy to say.

I’m not sure what prompted this sudden surge of interest, but the spammers are welcome to give up at any time.

It’s a very long article, so I’ve only skimmed the answers that their chosen experts gave, but it’s very odd to me that the answers were so varied. Market share was brought up several times, as an argument for a Mac (or Linux, though that was barely mentioned), but others said that market share matters a lot less now than it used to. Others mentioned that applications are the important ingredient nowadays, not OSes. And several pointed out that social engineering works the same on any OS.

Probably the most interesting response, to me, was the one from independent researcher Dino Dai Zovi:

Neither. Consumers should see if Apple’s iPad or the forthcoming devices based on Google’s Chrome OS suit their needs because both are significantly more secure than any general-purpose desktop system, Linux, Mac, or PC.

He’s got a point, but I can’t recommend an iPad, at least right now. The same features that make it “significantly more secure” also make it significantly less useful, in my opinion.

Google is taking over the ‘net — in more ways than one. Apparently advertising pays a lot more than we thought.

The title might seem rather yawn-inspiring to anyone who knows about the issue, but I’m not talking metaphorically. They are literally numbered: there was an estimated 625 days of them left on January 7th, representing 10.2% of the possible numbers. Just twelve days later, on the 19th, a second report said that was down to less than 10%.

What does this mean? Well, the Internet isn’t going to immediately stop working once the IPv4 addresses are gone. My take on it is that it will become harder (i.e. more expensive) for ISPs and hosting companies to obtain them, which means fewer new ISPs and hosting companies, which inevitably translates to higher prices (from all providers) for consumers.

Should you care about it? Probably. Is there a solution? Yes, the IPv6 standard (with, I’ve heard, enough address space to cover every square foot of the Earth with several of them) has been around for years. Can you do anything about it? Not much, other than demanding that consumer electronics manufacturers provide IPv6-enabled machines, and that ISPs offer IPv6 service. Any OS that has been updated in the last few years already does, it’s just the hardware (and the ISP willingness to buy and install it) that’s missing at this point.

I like the hosting company that we use for Oak Circle (and this blog). I’ve been a customer for about ten years, with various websites, and in that time, they’ve consistently improved what they offer, without raising their prices. But with my yearly renewal coming up next month, it was time to decide whether I was going to stay with them. Why? It all came down to secure FTP.

As anyone who knows me (or reads this blog) knows, I’m fairly paranoid when it comes to computer security. My hard drives are heavily encrypted, so that if they’re stolen, the thief won’t be able to get to my files. I do my web-browsing on a virtual Linux machine. My wireless network uses the strongest encryption currently available. I employ GPG-encrypted e-mail with anyone who’s willing to use it. All of my e-mail connections are made through an encrypted tunnel so that anyone who might manage to eavesdrop on the connection can’t get anything from them. There’s only one known hole remaining in my defenses: my hosting company only supports unsecure FTP.

Why does that matter? If anyone is watching the connection between me and the server when I’m using it, they’ll get my username and password with zero effort. And don’t try to tell me how unlikely that might be; I’m usually on the road several times a year, and have to use unencrypted wireless connections in hotels and such, prime targets for that kind of thing. And at home I’m using a cable Internet connection, which is easy for anyone on the same cable branch to eavesdrop on.

The owner of the hosting service adamantly refuses to allow SFTP or SCP because, he says, that would require shell access — a security no-no on a shared host. I’ve seen refutations of this, but I don’t know enough about the issue to judge who is right, so I’ll give him the benefit of the doubt.

However, it seems that he has recently bent to the demands from the paranoid, and implemented “FTP over Explicit TLS/SSL” (generally referred to as FTPS). That’s where the problem comes in, because although I can connect through that, I cannot get anything done. Uploads, downloads, even simply listing the contents of a directory — all of them fail.

I spent pretty much all of a sixteen-hour Sunday, and most of Monday, trying to work with the technicians there to isolate the problem. They refused to consider the possibility that it was on the server’s end, repeatedly instructing me to set up my FTP program a different way, or use a different program, or a different version, or a different machine, or that it was my router or firewall. And every few hours there would be a shift change, and I’d get a new technician who would only skim the beginning of the case before firing off a “solution” from the hip — one that (had he read the whole thing) would obviously not solve the problem, or that I’d already tried and documented, or that was completely irrelevant. It was very hard to keep my temper and respond politely a few times, explaining the problem YET AGAIN, when what I really felt like doing was screaming “I TOLD YOU PEOPLE THAT THAT THREE TIMES ALREADY, NOW STOP DROOLING ON YOURSELF AND GO READ THE F’ING CASE, YOU F’ING LAZY-ASS MORON!”

(Especially when I was finally bumped up to level two support, after dealing with four level-one techs, and the first thing the level-two guy did was show me his log proving that SFTP — i.e. FTP through SSH — worked just fine. Great, think I in his direction, but I don’t have access to SFTP and am not talking about it! I’m saying that FTPS is failing!)

Finally, late yesterday evening, I managed to prove that it wasn’t anything on my end that was causing it. It wasn’t easy: I had to use three different machines, two versions of FileZilla, two other FTP programs, and rope Ploni into helping to do it (thanks, Ploni), but there was nothing left on my end that they could blame, not even my ISP, and I could prove it.

So what do I find in my e-mail this morning, but a message that says they’ve tested it, and it works for them. Basically: “you’re screwed, nothing we can do, better luck next time.” Not even a suggestion of any alternatives I could try, not that I think there are any.

Will I stay with them? I don’t know yet. From what I hear, nearly every other hosting company can be even worse, and often is. And the ones with the least negative publicity cost three to four times as much as I’m paying now. So all told, I’d really rather stay with this one, if at all possible. But I simply refuse to do that while there’s no way to securely upload files.

We’ll see how this turns out. I may be able to find (or write) a script that will let me do what I need to. But don’t be shocked if the site has a few days of downtime in the near future, while I move it to a different provider.

ADDENDUM, 11pm: It turns out that there’s an easy way around the problem: I just connect to their CPanel file manager via SSL and use the upload option there. It’s something of a pain when you need to upload multiple files, but the file manager can handle archives, so I can always zip them up, upload the zip file, and unpack it on the server.

As my friend Gene pointed out via e-mail, after I told him about it:

The only downside is that approach probably uses form PUT which has binary data base64 encoded. For small files it won’t make that much of a difference but for large files…

(Base64 encoding, for those not privy to the knowledge already, reads groups of three binary bytes and writes out groups of four text-only bytes for them. It’s a great way to send binary files on a text-only interface, but the files take 33% longer to send than they would over a binary transport mechanism like FTP.)

I rarely find any need to upload large files, so I think I can put up with that, for now. Next January I’ll re-evaluate the situation.

This does look like a problem. Here’s an idea for an easy solution, though.

In the address bar, the browser could display both the address (as it does now) and the script name. Unicode is split up into different well-defined sections for different language scripts, so this shouldn’t be very difficult to implement. In the case of the Russian “raural” text that the article shows, you’d be able to tell that the site wasn’t really PayPal because you’d immediately see that it was from the Cyrillic section of Unicode, not the Latin section (which English uses) that you expected. Or you’d see that it was from mixed scripts, which would be a huge red flag in most cases.

It’s not a perfect solution, but it would allow moderately savvy Internet users protect themselves from this kind of thing.

If no one else attempts this, I might try writing a Firefox extension that does it, once Unicode domain names are possible.

As you can probably see by the fact that I’m posting this, we’ve got Internet access back. Turns out the cable modem had gone bad. So much for blaming it on the snow.

You don’t really realize just how dependent you are on the Internet until it’s gone for a day. I couldn’t pay my bills, do any online banking, continue personal conversations via e-mail, keep an ear on what’s going on in the world, or research a math problem I’d run into on one of my programs. My main sources of entertainment are Internet based too. Every time I turned around, it seemed that I was tripping over the fact that the Internet wasn’t available.

Sure, there are other ways to do all of those things. I still get my bills by mail, so I could always mail in a payment too. A trip to the bank would let me do any kind of banking I want. I could pick up the phone and call the people I was having conversations with. I could turn on the TV and hear about anything big that happened in the world, and the library would have provided everything I needed to figure out the math problem. The library and TV could solve most of my entertainment needs as well. But Internet access means that I don’t have to make a trip to the library or the bank, or wait several days for my payments to be delivered, or spend a lot of money on long distance calls, or waste half an hour or more in front of the TV for the five minutes worth of news that I want.

The Internet is “merely” a convenience, but it also saves both time and money — something that few mere conveniences can boast.

I’ve long thought that Internet access should be a public utility, like electricity or water. It’s the two-way flow of information and communication, and it’s as vital to the modern way of life as any other utility… even more so for information workers like myself. Now I see why some countries — and the United Nations — are calling Internet access a basic human right.