Extra Pepperoni

Our original TiVo (hacked with web & FTP servers, 100mbps Ethernet, and 120gb hard drive) started showing a scrambled image; this has happened three times in the past, each time requiring drive replacement. The process is sufficiently awkward that when I put in the current 120gb drive, I decided to replace the TiVo entirely next time, rather than the drive — with a MythTV or something else.

After TiVo’s current promo, a TiVo Series 2 Dual Tuner (80gb) cost $80, which is entirely reasonable. I’ve been watching mostly ripped DVDs on the iPhone lately, so I was less worried about the fact that S2 and later TiVos encrypt the media files on disk, and were significantly harder to hack.

After installing the new TiVo, we discovered the problem is actually our Time Warner Cable signal again. They’re supposed to be here this week, and hopefully will be able to fix our problem, although we don’t have much confidence. They scramble the analog signal, thus breaking the new TiVo’s signature feature (dual tuners — the second one supports unencrypted analog cable, if we had it).

As it turns out, the new TiVo is a bit faster and much easier to download from; and onscreen UI is more capable and prettier. Unfortunately, it’s also crowded with junk (unwanted features) we cannot remove, but they’re easy enough to skip over and don’t impact the normal TV-watching experience. I’ve downloaded and watched a bunch of music videos, which is nice since MTV doesn’t show music videos any more.

Oh, and getting MPEGs out of the TiVo seems easier too — tyc was problematic, but tivodecode works, so long as I watch in VLC instead of QuickTime Player (which only shows the first frame, while playing back all the audio).

Amy and I were walking across the Gowanus Canal to see Miss Pettigrew Lives for a Day, when we came across this amusing Easter residue (on Saturday, so pre-Easter, no less!). I like Peeps, but not that much. Amy dislikes Peeps, but not that much. Her comment, upon hearing I intended to submit this photo to Miss Heather? “It’s not a poop. It’s a peep.”

Despite not being feces or canine, this still seemed right up Heather’s alley.

I got Exceed, and after reassigning my left modifiers to X instead of Windows, kate is quite reasonable. It uses kompare for graphical diff, and comes with some CVS plugins. I prefer BBEdit’s diff display (although BBEdit’s diff has been broken for years). I’m not sure how I managed to view a couple windows in xemacs from kompare, but I can probably avoid that in the future…

kate is clunkier and less featureful, and not as configurable as I expect — the commands I want to assign to the toolbar, for instance, are not available in that context. On the other hand, BBEdit doesn’t use a toolbar at all, and rearranging menus is only supported in limited ways, so I’m not convinced kate is inferior here — it may just feel like that to me as a BBEdit user. Hopefully Subversion support is available for kate, but that doesn’t actually matter to me right now.

I need to get Copy & Paste working between Windows (including PuTTY) and Exceed; hopefully this will be straighforward, but it doesn’t just work.

Per IDM, UltraEdit cannot be installed without admin rights, which I do not expect to get, so that’s out — at least until they offer an alternate installer.

kate icons are a bit fuzzy, but they fit the Linux aesthetic, and the fonts are very nice.

I can write Outlook rules to match on Subject strings, but it lacks “Starts with” instead of “Contains”, so I cannot specify original messages, and distinguish from Re: for replies.

The filter area shows a list of criteria with checkmarks at the top with blue underlines under the keywords. The bottom shows the same labels, with the same blue underlines. But at the bottom they’re “links” to dialog boxes for entering the criteria, while at the top the same “links” aren’t clickable. Way to mis-use a visual cue, and do it in the most confusingly inconsistent way possible!

Oh, and the rules dialogs are all modal, so once I start creating a rule, I cannot open candidate messages to confirm the rule matches.

I’m still aggravated that I cannot match on partial strings, like “The Notification Agent” or “root@” (acrosss multiple machines) in the From: line. Matching on Subject: (especially unanchored) is much less precise.

When I delete multiple messages, why does Outlook select a random message, instead of the next one?

In Conversation mode (which would be a lot more useful if it didn’t waste 2 messages worth of space per “Conversation”), if I use down-arrow to select the next conversation, it expands the conversation instead. Use left/right to collapse/expand converations — they aren’t needed for mailbox navigation! At least Control-KP+ expands all Conversations.

I hit the accursed 32k rules limit. Despite this post, our systems cap rules at 32kb total (client-side + server-side). Apparently this will go to 256kb, once we’re upgraded to Outlook 2007 and Exchange 2007. In the meantime, I’m spending a significant amount of time every day trying to make Outlook 2003 do decent filtering, with very limited success. In particular, Outlook is apparently unable to filter From: “root@*” as a catchall. This would make alerts easier to parse, as distinct from human-originated messages. Yuck!

pctony (congratulations on your Apache httpd PMC membership, Tony!) just informed me that comments here are broken. I knew Preview was broken, and am guessing that it’s a problem with my configuration of Admin-SSL, but hadn’t known it affected anyone other than myself. Admin-SSL in this configuration creates a disruption between the public (reading) side and the SSL-encrypted authenticated side, and preview & user logins for commenting both appear to be falling into that crack.

If I can’t get Admin-SSL working this way, I’ll come up with something else, although at this point I’m hoping Haris can tell me how to sort myself out.

In the meantime, I’m sorry for the inconvenience (especially Tony’s).

His two suggestions were to quote the path in the UltraEdit installer, or to use “dir /x” in CMD.COM to find the DOS-style 8.3 pathname of the destination folder. Unfortunately, I seem to have been wrong about the cause for their installer’s terribly vague “1925″ error message, as I tried another viable path (not containing spaces) today, and UE failed to install there too. Perhaps it’s a registry access issue — I sent email to IDM Software, and hope they have a more useful suggestion than “become an administrator”.

Q: I have several rules to mark bulk messages as read. How stupid is it that Outlook 2003 beeps, shows me the new mail notifier window, shows the new message in my “Unread Mail” filter; and then marks the message read and hides it?

A: Very.

It’s difficult to get a mailbox (”Search Folder”) or View/Filter to update; I’ve hit F5 (Refresh) several times, and watched read messages drop out of my “Unread Mail” search most times (but not reliably), but I haven’t had the patience to keep hitting F5 enough to see if the list of messages would eventually correct itself. I’ve switched to other mailboxes and back, but that doesn’t work most of the time either.

I just got a 1tb Time Capsule — it was a natural accessory for my new MBP, since I finally have a Mac with 802.11n support, and I routinely move large files or folders (500gb-8gb) around our home network; I also like the GE ports.

The Capsule replaced a WRT54G (hacked) and an AirPort Extreme — the APE is now serving as a print server in WDS mode (overkill, but otherwise it would just sit on a shelf, and the print server is handy). It is also providing backup space for all three of our laptops (including Julia’s), and the magic of Time Machine seems like a good security vs. convenience compromise — keeping conventional AFP or SMB shares from reppep.com mounted all the time on all three laptops would be suboptimal. Time Machine seems to handle mounting & unmounting gracefully.

On to the meat of my problem, though: Once I set up the Time Capsule, I noticed my MBP (10.5.2 latest) was getting the TC’s IP as its only DNS server via DHCP. This is annoying, as I configured the TC with 2 upstream DNS servers, and I want it to configure my Macs with at least those two; if the TC inserts itself first that’s fine, but it shouldn’t be my only nameserver.

The problem is aggravated (considerably!) by the fact that the TC is not actually serving names. My dig queries against it all time out.

On a related note, nmap points out that the Capsule is running an FTP server, which I (fortunately) cannot actually log into. I don’t see FTP anywhere in the UI or help (aside from a note about forwarding FTP through NAT). FTP is evil, and I don’t want it on at all! I know why ports 139 & 445 are open — to support SMB/CIFS and WINS, which I could configure but cannot turn off — but why RTSP and RealServer ports, and port 10,000?? I cannot get anything out of 10,000, so it’s not a normal Webmin, but what is Apple doing here??

I filed 3 bugs against Time Capsule, one against AirPort Admin Utility, and one against SP:Network, which I discovered while working around the TC DNS issue.

Meanwhile, I’m not holding my breath for answers & fixes from Apple. Do you all have more information about what’s going on here? Do TC users find a) the TC is the only only nameserver assigned via DHCP, and b) it doesn’t actually work as a nameserver??

This is odd. I have to use View Options to see full headers (in the Message Options window), but while that’s open, the main Outlook program is visible but completely unresponsive. Message Options is apparently a super-modal dialog, which blocks “other applications”, and the Alt-Tab task switcher doesn’t even show the main Outlook icon. I thought Outlook had crashed, until I realized it was accessible again after I dismissed Message Options.

In fairness to Apple, I’ve seen cases in Leopard where Apple’s Command-Tab task switcher only shows some of the currently running applications (it sorts itself out fairly quickly), but Windows’ super-modal behavior is fscked up, and designed into the application (or the OS!).

After DreamHost’s breach 8 months ago, I was aggravated at their poor handling of the situation, but willing to give them the benefit of the doubt, and still happy with their low prices and flexible services.

With the new bad news and worse confirmation (still with poor incident handling), though, it’s time to get out of dodge.

I have moved Extra Pepperoni back onto my own hardware. I started blogging on Apple’s Blojsom install, but gave up on Tiger Server for Blojsom (and Mailman) because the services kept silently shutting down, leaving me to notice they were disabled days or weeks later (no fault of Blojsom or Mailman — Apple didn’t do a good job porting SpamAssassin either). Bringing up a WordPress blog and mailing lists at DreamHost was easy and cheap, but that’s no good if they are unsafe.

I’ll look at moving a couple very light-duty Mailman lists off DH next, but the lists are so lightly used I’m not too concerned. There just isn’t any confidential information on the mailing lists, aside from their tiny subscriber lists.

Ah, well. I now know much more about WordPress and MySQL than I cared too, but the setup wasn’t too bad. I hadn’t realized how many customizations and tweaks I made to WordPress until it came time to recreate them on my own system:

1. Almost Spring theme (included by DreamHost); with minor hack
2. PHP Markdown Extra; with minor hack
3. MySQL admin UI
4. WP-DB-Backup (DH included one, which I’m no longer using)
5. mod_rewrite for permalinks
6. Admin-SSL, with “Shared SSL” tweak, integrated into my existing SSL site (meaning EP is available through two different “sites”, and I have to keep the Apache configurations reconciled)
7. Twitter
8. WP-Cache (DH standard)
9. Akismet anti-spam registration
10. Technorati pinger (came over automatically with the DB).
11. Fix for widget.php to use legal JavaScript tag.

I’ve been using Windows on a daily basis for 9 days now. At Rockefeller, I kept it on a VM (earlier, on a physical PC) which I could easily wipe and reinstall. I kept the few installers I need on a Mac so I could easily reinstall and be back in business. Now I have to do much more in XP/Outlook, and I have many gripes.

Things I Miss

These are mostly lacks in Windows, although not entirely.

• In the Alt-Tab task switcher, I cannot Hide (Command-H), Quit (Command-Q), or click an application’s icon to switch directly to it. This is aggravated by the fact that icons in the switcher often correspond to windows rather than on the Mac, where they correspond to applications (each with one or more windows), so there are many more icons to Tab through, and often several indistinguishable windows (4 Firefox windows generate 4 identical unlabeled icons; so do 4 open messages in Outlook). Considering Windows has had this feature for longer than Apple, it’s shockingly underpowered.
• I cannot hide the current application (window) from the keyboard (Command-H), or Hide Others (Command-Option-H).
• I miss BBEdit — working with notepad and vi for now; UltraEdit’s installer (recommended on TidBITS-Talk) doesn’t work in my environment. This will get worse as I start writing and editing more (code).
• BBEdit (particularly side-by-side diff and interactive reconciliation, which I should be able to find an alternative for, but sdiff isn’t it).
• bbedit (I miss opening files from the shell, including via sftp and from for loops).
• ssh keys for authentication.
• Seeing my personal email throughout the day — the financial/SEC/Sarbanes-Oxley environment requires a lot more separation between personal and work activities.
• Options (program-wide preferences) is not available from message windows — only from the mailbox viewer window. This is true in Thunderbird/Mac too; presumably copied from the MS model.
• Good filtering: Outlook’s filtering is very much wizard-driven, but not very flexible (no booleans & very limited criteria available); two filters that try to file the same message will put 2 “copies” of the message in different mailboxes; some options are handled on the server, while others are only performed on the client.
• BlackBerry filtering: The BlackBerry Curve shows everything in one mailbox; I’d like to see things grouped as I do on Outlook.

Things that bug me

• I can make Outlook sort a mailbox with the newest messages at the bottom (the default is newest-at-top), but then when I click the mailbox, Outlook selects the bottom (newest) message in a mailbox, whereas I want to read oldest first.
• I can make Outlook allow commas as address delimiters (which is what they are in the actual mail messages), but then I cannot type names, because we have autocomplete disabled and Outlook doesn’t recognize a correct “Last, First” recipient when it’s set to allow commas as delimiters (even though Outlook uses them once I click Check Names).
• Keyboard nickname completion (Command-L in Eudora); I can’t find a way to assign a keyboard shortcut to Check Names.
• I try to keep my mailbox “caught up” or “clean” (all messages read). Outlook doesn’t mark a message read until I deselect it. This means that when I’m done, to have it stop showing that last message as unread, I have to select something else.
• When I’m reading a bunch of new messages, and Outlook selects one I don’t want to read (see above about selecting the bottom/newest message), I have to click another message to get the Mark Unread contextual menu command; then I scroll up to the top and click on the first message.
• AutoCorrect absolutely would not let me type “SAs” (System Administrators) until I killed it.
• MS Office Communicator flashes in the Start bar and the Alt-Tab switcher, but it flashes the main window’s icon, instead of the one for the conversation with new activity. That’s just dumb.

Things I like

• Outlook can show me mailing list (group) membership. It’s called “Outlook Properties” in the menu, despite being maintained on the Exchange side, but after I got over thinking that couldn’t be the right place, this is quite handy.
• Outlook checks group memberships automatically when filtering; this cannot be turned off, so I cannot filter messages sent to a list separately from messages sent to a member of the list.

DreamHost wrote back, and the news isn’t good. Someone sent them a list which is apparently circulating, of username/password pairs for “FTP” accounts; one was mine. I had hoped that if a password leaked it was my old password, which I replaced back in June (on my birthday) when DreamHost told me they got hacked. No joy, though — the password they received was active on Extra Pepperoni (and chrispepper.com) until they sent me mail yesterday; I don’t use it elsewhere and changed it last night, but that means someone had access to EP very recently. It looks like nobody ever used the account, but methinks it’s time to install MySQL and WordPress on www.reppep.com, and probably Mailman too.

Crud on a cracker!

http://www.finjan.com/Pressrelease.aspx?id=1868&PressLan=1819&lan=3

And I still have no idea how they got me.

I got a message from DreamHost tonight which both confused and disturbed me.

Telling me there’s evidence that I have been intruded upon is scary — but what was the evidence?? Without more information, this is upsetting but not helpful.

I only access this account from fully patched Macs under my direct control. None of them were running Windows spyware, and I know there hasn’t been a hardware keylogger in operation on my equipment recently (I don’t believe every, but I’ve been doing lots of work on my equipment lately, so I know not recently). It’s certainly possible I got hacked by some brand-new Mac OS X exploit, but (especially given my understanding of DreamHost’s security model, which entails emailing plaintext passwords at the drop of a hat) I consider it considerably more likely this is a false alarm or miscommunication.

Especially given that, despite “we have reset your password”, the affected account’s password was NOT changed. I logged in normally and changed it myself. This makes me very glad that I created a brand-new password only for DreamHost last time they got hacked. On the other hand, I could have been sniffed logging in over the Internet (most of their access is unprotected); I only set up SSL for administration of Extra Pepperoni a month ago…

We’ll see how they respond to my request for clarification.

In the meantime, I am worried and aggravated.

It’s also somewhat suspicious that the timezone is UTC, considering that DreamHost is in Los Angeles. If it wasn’t the right panel.dreamhost.com hostname, I’d think this was an attempt to get me to submit my DH account information to a spammer, but that information isn’t worth much.

To: “Chris Pepper” <—-> From: DreamHost Support <support@—-> Subject: [reppep ----] Account Concerns… Date: Fri, 7 Mar 2008 02:20:34 +0000 (UTC)

Dear DreamHost customer,

We have found evidence indicating that your ‘reppep’ web server account may have been subject to intrusion by a malicious 3rd party. As a precautionary measure, we have reset your password and ask that you change it, here:

https://panel.dreamhost.com/index.cgi?tab=users&subtab=users& current_step=Index&next_step=Edit&usid=1532237

At this time we have found no evidence to suggest that there has been a breach of our internal security. We believe that the passwords in question were likely obtained through the use of spyware/keyloggers/malware, possibly installed on your personal computer.

In order to secure your account, we ask that you immediately follow the recommendations provided in the DreamHost AbuseCenter - particularly those involving the removal of malware. You may visit the AbuseCenter, here:

http://abuse.dreamhost.com/cracking/#exploits

If you have any questions or concerns, please let us know.

• DreamHost Abuse/Security Team

I started at Goldman Sachs Monday, working at their 30 Hudson St office in Jersey City (apparently the tallest building in NJ).
My temporary desk has a Southern exposure, with a great view of the Statue from the 32nd floor; next week I’ll move to my real desk.
The views of the Manhattan skyline at the end of the day are remarkable.

The commute (R subway to PATH) is actually 10-15 minutes shorter than the 65 minutes to or from Rockefeller, which is a pleasant surprise, although lunch options in that part of Jersey City are pretty sparse.