Secure FTP Headaches

I like the hosting company that we use for Oak Circle (and this blog). I’ve been a customer for about ten years, with various websites, and in that time, they’ve consistently improved what they offer, without raising their prices. But with my yearly renewal coming up next month, it was time to decide whether I was going to stay with them. Why? It all came down to secure FTP.

As anyone who knows me (or reads this blog) knows, I’m fairly paranoid when it comes to computer security. My hard drives are heavily encrypted, so that if they’re stolen, the thief won’t be able to get to my files. I do my web-browsing on a virtual Linux machine. My wireless network uses the strongest encryption currently available. I employ GPG-encrypted e-mail with anyone who’s willing to use it. All of my e-mail connections are made through an encrypted tunnel so that anyone who might manage to eavesdrop on the connection can’t get anything from them. There’s only one known hole remaining in my defenses: my hosting company only supports unsecured FTP.

Why does that matter? If anyone is watching the connection between me and the server when I’m using it, they’ll get my username and password with zero effort. And don’t try to tell me how unlikely that might be; I’m usually on the road several times a year, and have to use unencrypted wireless connections in hotels and such, prime targets for that kind of thing. And at home I’m using a cable Internet connection, which is easy for anyone on the same cable branch to eavesdrop on.

The owner of the hosting service adamantly refuses to allow SFTP or SCP because, he says, that would require shell access — a security no-no on a shared host. I’ve seen refutations of this, but I don’t know enough about the issue to judge who is right, so I’ll give him the benefit of the doubt.

However, it seems that he has recently bent to the demands from the paranoid, and implemented “FTP over Explicit TLS/SSL” (generally referred to as FTPS). That’s where the problem comes in, because although I can connect through that, I cannot get anything done. Uploads, downloads, even simply listing the contents of a directory — all of them fail.
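What the eavesdropping risk in the paragraphs above looks like from a monitoring point of view, as an added example that is not code from the original post: a small check that reads an FTP control-channel transcript (one line per message, prefixed `C:` or `S:`, which is an assumed format) and flags any login whose USER/PASS went over the wire before a successful `AUTH TLS` (reply 234), including the case where the server refuses TLS and the client silently falls back to plain FTP. The transcripts are constructed samples.

```python
# Added example; the three transcripts below are constructed, not real captures.
PLAIN_SESSION = """\
S: 220 FTP server ready
C: USER webmaster
S: 331 Password required
C: PASS hunter2
S: 230 Login successful
"""

# Explicit FTPS: after the 234 reply the control channel is encrypted,
# so a passive monitor sees no further readable commands.
FTPS_SESSION = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

# AUTH TLS refused (5xx), client falls back to sending credentials in the clear.
FALLBACK_SESSION = """\
S: 220 FTP server ready
C: AUTH TLS
S: 502 Command not implemented
C: USER webmaster
S: 331 Password required
C: PASS hunter2
S: 230 Login successful
"""

def cleartext_logins(transcript):
    """Return (username, reason) for each login that was readable on the wire.

    Only the username is reported; the password is deliberately not echoed.
    """
    findings = []
    tls_requested = tls_refused = False
    pending_user = None
    for raw in transcript.splitlines():
        side, _, msg = raw.partition(": ")
        if side == "C":
            verb, _, arg = msg.partition(" ")
            if verb.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb.upper() == "USER":
                pending_user = arg
            elif verb.upper() == "PASS" and pending_user is not None:
                why = ("fallback to plaintext after AUTH TLS refused"
                       if tls_refused else "plain FTP login")
                findings.append((pending_user, why))
                pending_user = None
        elif side == "S" and tls_requested:
            code = msg[:3]
            if code == "234":
                break          # TLS negotiated: nothing after this is plaintext
            if code.startswith("5"):
                tls_refused, tls_requested = True, False
    return findings
```

Run over live traffic, the same logic is what a network monitor uses to alert on credentials crossing an untrusted segment such as hotel Wi-Fi.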

I spent pretty much all of a sixteen-hour Sunday, and most of Monday, trying to work with the technicians there to isolate the problem. They refused to consider the possibility that it was on the server’s end, repeatedly instructing me to set up my FTP program a different way, or use a different program, or a different version, or a different machine, or that it was my router or firewall. And every few hours there would be a shift change, and I’d get a new technician who would only skim the beginning of the case before firing off a “solution” from the hip — one that (had he read the whole thing) would obviously not solve the problem, or that I’d already tried and documented, or that was completely irrelevant. It was very hard to keep my temper and respond politely a few times, explaining the problem YET AGAIN, when what I really felt like doing was screaming “I TOLD YOU PEOPLE THAT THREE TIMES ALREADY, NOW STOP DROOLING ON YOURSELF AND GO READ THE F’ING CASE, YOU F’ING LAZY-ASS MORON!”

(Especially when I was finally bumped up to level two support, after dealing with four level-one techs, and the first thing the level-two guy did was show me his log proving that SFTP — i.e. FTP through SSH — worked just fine. Great, think I in his direction, but I don’t have access to SFTP and am not talking about it! I’m saying that FTPS is failing!)

Finally, late yesterday evening, I managed to prove that it wasn’t anything on my end that was causing it. It wasn’t easy: I had to use three different machines, two versions of FileZilla, two other FTP programs, and rope Ploni into helping to do it (thanks, Ploni), but there was nothing left on my end that they could blame, not even my ISP, and I could prove it.

So what do I find in my e-mail this morning, but a message that says they’ve tested it, and it works for them. Basically: “you’re screwed, nothing we can do, better luck next time.” Not even a suggestion of any alternatives I could try, not that I think there are any.

Will I stay with them? I don’t know yet. From what I hear, nearly every other hosting company can be even worse, and often is. And the ones with the least negative publicity cost three to four times as much as I’m paying now. So all told, I’d really rather stay with this one, if at all possible. But I simply refuse to do that while there’s no way to securely upload files.

We’ll see how this turns out. I may be able to find (or write) a script that will let me do what I need to. But don’t be shocked if the site has a few days of downtime in the near future, while I move it to a different provider.


ADDENDUM, 11pm: It turns out that there’s an easy way around the problem: I just connect to their cPanel file manager via SSL and use the upload option there. It’s something of a pain when you need to upload multiple files, but the file manager can handle archives, so I can always zip them up, upload the zip file, and unpack it on the server.

As my friend Gene pointed out via e-mail, after I told him about it:

The only downside is that approach probably uses form PUT which has binary data base64 encoded. For small files it won’t make that much of a difference but for large files…

(Base64 encoding, for those not privy to the knowledge already, reads groups of three binary bytes and writes out groups of four text-only bytes for them. It’s a great way to send binary files on a text-only interface, but the files take 33% longer to send than they would over a binary transport mechanism like FTP.)
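The three-bytes-in, four-characters-out rule described above, written out as an added example (not code from the original post) so the 33% figure can be checked, including the `=` padding that appears when the file length is not a multiple of three. The sample payloads are constructed.

```python
# Added example: hand-rolled base64 encoder plus the on-the-wire size it implies.
import base64   # only used for the self-check in __main__

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz0123456789+/")

def b64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 bytes (24 bits) into one integer, zero-filling on the
        # right when the final group is short.
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        # Slice the 24 bits into four 6-bit indexes into the alphabet.
        quad = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # A 1- or 2-byte tail only carries 2 or 3 meaningful symbols; the
        # remaining positions become '=' so the decoder knows the real length.
        keep = len(chunk) + 1
        out.append("".join(quad[:keep]) + "=" * (4 - keep))
    return "".join(out)

def encoded_size(n_bytes: int) -> int:
    """Bytes on the wire for an n_bytes payload, padding included."""
    return 4 * ((n_bytes + 2) // 3)

def overhead_percent(n_bytes: int) -> float:
    """Extra bytes sent relative to a binary transfer of the same file."""
    return 100.0 * (encoded_size(n_bytes) - n_bytes) / n_bytes

if __name__ == "__main__":
    sample = b"Oak Circle upload test"   # constructed payload
    assert b64_encode(sample) == base64.b64encode(sample).decode()
    for size in (1, 2, 3, 1500, 10 * 1024 * 1024):
        print(f"{size:>9} bytes -> {encoded_size(size):>9} on the wire "
              f"({overhead_percent(size):.2f}% overhead)")
```

For a one-byte file the overhead is 300% because of padding; for anything beyond a few kilobytes it settles at the 33.3% the paragraph quotes.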

I rarely find any need to upload large files, so I think I can put up with that, for now. Next January I’ll re-evaluate the situation.

“Controversial gym ad warns that aliens will eat overweight people”

There’s nothing controversial about it at all. Sure, it’s tacky and probably insensitive… but it’s also probably true. 🙂 And I say this as a guy who is carrying a little more weight than he probably should be.

This is one case that the market will solve: people who are offended by the sign won’t use that gym. I suspect the numbers are low enough that the gym won’t notice any difference.

“Minnesota levies world’s first carbon tariff…against North Dakota”

It’ll be interesting to see how this fight turns out. And important as well. If North Dakota wins, it’ll put a damper on any attempts to use carbon tariffs.

(Yes, it does “unfairly” give renewable energy an advantage over coal-powered energy — that’s the whole point to it. But if I read the law correctly, there’s nothing preventing that; Minnesota is perfectly within its rights. On the other hand, as everyone should know, strange things happen in courtrooms.)

Triple Monitors!

As a programmer, I’ve always found that the more monitor space you’ve got, the more productive you can be. And multiple monitors are even better than a single huge monitor, in a lot of ways. When you’re referring to online documentation while you’re programming, for example, it’s a lot easier to just glance from one monitor to another than it is to switch between windows, or try to somehow fit all of both windows on a single screen at once.

I’ve been using a dual-monitor setup for years, but earlier this week I ran into a situation where even two monitors simply weren’t enough: coding in a Windows VM while having a Linux VM running a proxy and web browser, and needing to simultaneously monitor a program under Mac OS X. I managed to get by, but it was extremely irritating. And that was only the first part of that project; I’m going to have to revisit it for at least one more extended period in the near future.

I had an extra monitor lying around unused (an early-tech 4:3 17″ LCD one with an annoying flicker problem), but no way to connect it — this MacBook Pro only has one external monitor port in addition to the built-in monitor panel, and it’s already in use. And being a notebook computer, there was no way to add another video card. I’d seen USB video adapters before, but I’d never been able to use them because none of the manufacturers seemed to support Linux. But I suddenly realized a couple days ago that I was running a far more mainstream system now, and that the USB video adapter manufacturers who ignored Linux would almost certainly support Mac OS X.

Sure enough, that was the case. I found a fairly cheap representative of the species at our local Best Buy (for the curious, a Diamond BVU195 “USB Display Adapter Pro”), which claimed that OS X was supported. It turns out that it was, but I had to track down a hard-to-find page on their website to get the drivers; they weren’t included on the driver disk in the box, and whoever wrote the skimpy little manual had apparently never heard of an Apple computer. But they installed with no further hassle… and I had a three-monitor system.

It’s really a beautiful thing.

The third monitor isn’t quite as snappy as the first two — there’s a small but noticeable delay when you try to scroll a window on it, for example — but I expected that. I had some trouble getting it on my desk as well; even though I’d cleaned the desk off recently, and had kept it meticulously neat since, there simply wasn’t any place where it wouldn’t block something I didn’t want to give up. I finally plunked it down on the left side of the desk, in front of the window… it’ll do for now. It still has that annoying flicker too, but as it’s off to the side and I don’t have to stare at it continuously for long periods, I should be able to ignore that.

All in all, I’m happy with the setup. It should make further development work a lot easier. Now if the 8GB memory expansion that I need for this system would just drop to an affordable level, so my virtual machines could run simultaneously without a lot of really slow disk-swapping, I’d be all set.

“Why I Believe Printers Were Sent From Hell to Make Us Miserable”

Very timely, since GoddessJ and I helped her mother set up her new printer over the weekend. She replaced a semi-expensive Canon inkjet printer from around the turn of the century, which never worked particularly well and was extremely slow on top of that, with a really cheap (less than $150) Brother black-and-white laser printer/scanner/copier.

Now, I’d heard bad things about Brother printers, so I wasn’t too keen on it when she asked GoddessJ and me about it. But after looking at comments from customers on the ‘net, the worst thing we could find about it was a complaint that the toner cartridge was saying it was low after only about 500 pages, rather than the 1000 that the manufacturer claimed. If that was the worst thing anyone could legitimately say about it, I figured it was a lot better than I’d expected.

On the minus side, as the comic says, it didn’t include a printer cable — not a problem if you’re updating from a previous USB printer, but her old printer predated USB connectors; it was so old that it used a Centronics parallel interface instead (remember those?). I thought I recalled that she had the right kind of USB cable somewhere, and it turns out she did. It had come with the battery backup she’d bought last year to deal with the power problems that were causing her system to lock up regularly, and was still in the plastic wrapper with the battery backup manual.

And the drivers… don’t talk to me about the drivers. The ones that it came with for Windows were a breeze to set up, but her system is dual-boot Windows and Linux, and the Linux side was a massive pain in the tail to get running. You didn’t have to compile them yourself, but that’s about the only break you got… I guess Brother figures that anyone running Linux is enough of a geek that they don’t need simple installers. Oh well, at least they do offer some support for Linux, unlike Canon.

On the plus side, once it was set up, she was delighted that the new one was so ridiculously much faster than her old one, and produced such beautifully crisp text. Inkjet printers may be “just as crappy and unreliable as they were in 1995,” as the comic claims (and my personal experience backs up), but laser printers are far better than that, and have dropped in price by a huge amount in the last decade.

If you only need black-and-white printing, I’d highly recommend going with a cheap laser printer these days. Even if you do need color printing, it’s probably worth looking at a color laser printer, like the Xerox Phaser 6110MFP I picked up a few years ago. In the long run, it’s a lot cheaper than paying for ink, despite the up-front costs.