Category Archives: Technology

Am I being scammed?

So today my auction for the tc1100 tablet PC ended. The winning bidder:

  • Is registered to eBay with a Malaysia address
  • Wants me to ship to a Nigeria address (I specifically said in the auction that I do ship internationally, but I ship only to PayPal verified addresses — and I doubt that anybody in Nigeria has one)
  • Uses the name “Strong Buyer” in the e-mail From line. (There was a real-sounding name in the message from eBay, and the person wants me to ship to a “stepson” in Nigeria, also with a real-sounding name)
  • Only registered on eBay today
  • Asked me to send it via DHL, which costs about $250, compared to about $70 with USPS Global Express Mail to Nigeria
  • In the auction, I asked people to “ask the seller a question” to get shipping quotes to their country before placing a bid. This person didn’t (several others did).
  • Has a free throwaway email account (not as well known as hotmail, but the same sort of thing)

I replied to the buyer’s e-mail giving shipping prices to Nigeria and Malaysia, and restating my policy of shipping to only PayPal Verified Addresses.

So what do you all think? Is this a scam?

I was shocked at the amount of scams that sellers on eBay are exposed to these days. I’ve never seen this before, even just a few months ago when I sold my last item on eBay. But with this one, spammers and scammers are using the “ask seller a question” interface. One person tried to get me to use an eBay phishing clone site. Quite a few tried to get me to sell to them off eBay, to people in China, using a non-reputable billpay service. And there was just some generic spam.

So all that, plus the fact that they want me to ship to Nigeria, plus the fact that the person just registered on eBay today, is making me nervous.

So it seems odd, but I can’t quite work out how somebody would actually defraud me here. Also, I’m interested in what I should do if it is a scam.

Multipath is working

Yesterday, we got multipath working with our HP MSA1500cs SAN. We have a fully redundant setup with redundant controllers, fibre channel switches, and two FC controllers per host.

We had been having a lot of trouble getting things to work right with active/passive controllers. We could get failover to work in some cases, but getting everything to communicate correctly in the event of a failure was difficult, since every machine would have to flip over to the passive controller simultaneously.

With a firmware upgrade, the MSA 1500cs can support active/active controllers. With the dual-active setup, both controllers are active simultaneously and both are valid paths.

Despite HP support’s indications to the contrary, HP does have information on using built-in multipathd in Linux instead of their proprietary multipath solution. It’s document c00635587, part AA-RW8RA-TE.

We’ve configured multipathd.conf like this:

      path_grouping_policy    multibus
      path_checker            tur
      failback                immediate
      no_path_retry           60
      path_selector           "round-robin 0"

Just put that in your default block and it should work.
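With both controllers active and every path in one multibus group, a single failed path costs nothing visible, so it is easy not to notice until the second one goes too. The script below is an added example, not from the post or from HP's document: it reads `multipath -ll` output and reports maps that have fewer active paths than expected. The sample output, WWIDs and vendor string are constructed, modelled on the modern multipath-tools layout (older releases print a different format, so adjust the patterns if yours differs).

```shell
#!/bin/sh
# Added example: summarize path health per multipath map from `multipath -ll`
# output, so a silently failed path in a multibus group gets noticed.

# Constructed sample of `multipath -ll` output: two LUNs, mpathb has lost
# one of its two paths. WWIDs and the "HP,MSA VOLUME" string are made up.
sample_multipath_ll() {
    cat <<'EOF'
mpatha (3600508b4000156d700012000000b0000) dm-0 HP,MSA VOLUME
size=100G features='0' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=1 status=active
  |- 0:0:0:1 sda 8:0   active ready running
  `- 1:0:0:1 sdb 8:16  active ready running
mpathb (3600508b4000156d700012000000b0001) dm-1 HP,MSA VOLUME
size=200G features='0' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=1 status=active
  |- 0:0:0:2 sdc 8:32  active ready running
  `- 1:0:0:2 sdd 8:48  failed faulty running
EOF
}

# Read multipath -ll text on stdin; print "<map> <active_paths> <total_paths>"
# per map. A map line starts in column 0 with the alias followed by "(wwid)";
# a path line carries an H:C:T:L address such as 0:0:0:1.
summarize_paths() {
    awk '
        /^[A-Za-z0-9_-]+ \(/ {
            if (map != "") print map, active, total
            map = $1; active = 0; total = 0; next
        }
        /[0-9]+:[0-9]+:[0-9]+:[0-9]+/ {
            total++
            if ($0 ~ /active ready/) active++
        }
        END { if (map != "") print map, active, total }
    '
}

# Print the names of maps with fewer than $1 (default 2) active paths.
degraded_maps() {
    want=${1:-2}
    summarize_paths | awk -v want="$want" '$2 < want { print $1 }'
}

# On a real host you would run:  multipath -ll | degraded_maps 2
# Here the constructed sample stands in for the live command:
sample_multipath_ll | summarize_paths
sample_multipath_ll | degraded_maps 2
```

Run `multipath -ll | degraded_maps 2` from cron or your monitoring agent and alert on any output; with two FC controllers per host and active/active controllers on the SAN, every map should show two active paths.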

Announcing hpodder

Today I’m finally announcing hpodder.

I’ve been trying different podcatchers in Linux, and have been generally unhappy. ipodder looked nice at first, but turned out to be horribly buggy.

bashpodder/podracer looked like a nice idea. However, it didn’t have enough flexibility for me, its XML parser has some well-known failures (it’s not a real XML parser, after all), etc.

So I wrote hpodder. hpodder is a command-line podcast downloader for Linux. It features:

  • Extensive manual (installed as manpage, or you can view the PDF version). Documents all command-line options, the config file, a quick start, plus some basic information about the internal database
  • Database of seen URLs (in Sqlite3) — for use both for downloads and when processing feeds
  • Graceful handling of Ctrl-C, shutdowns, network troubles, etc — including ability to resume downloads later, plus the ability to detect servers that don’t handle download resuming properly (libsyn)
  • Automatic setting of ID3 tags based on the episode title and podcast title from the podcast’s feed (as iTunes does) — dramatically helps with viewing of all sorts of podcasts on the iPod and your PC
  • Support for download rate limits, progress bars, etc. via Curl
  • Seems to be stable for me
  • Command-line tools to: add new podcasts, remove podcasts, update podcast feed URLs, scan podcast feeds, list known podcasts & status, list known episodes & status, alter episode status (mark for downloading or not), “catch up” podcasts, etc.
  • Automatic retry of downloads that failed due to transient errors
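The resume-detection feature above comes down to one question: when the client asks for a byte range, does the server answer with a 206 and a Content-Range, or does it ignore the request and send the whole file again with a 200? The following is an added example, not hpodder's code, that classifies a response from its headers; the header sets are constructed, and the live `curl` invocation in the comment assumes a `$URL` variable.

```shell
#!/bin/sh
# Added example (not hpodder's code): decide from HTTP response headers whether
# a server honoured a Range request, which is what a resumable download needs.
# A server that answers a Range request with 200 and the whole file is treated
# as non-resumable ("restart"); anything else is "unknown" and worth logging.

# Read raw response headers on stdin; print "resumable", "restart", or "unknown".
classify_resume_reply() {
    awk '
        NR == 1 { status = $2 }
        tolower($1) == "content-range:" { has_range = 1 }
        END {
            if (status == "206" && has_range) print "resumable"
            else if (status == "200") print "restart"
            else print "unknown"
        }
    '
}

# Constructed header sets, as a client would receive them after sending
# "Range: bytes=1000-" for a partially downloaded episode.
reply_honours_range() {
    printf 'HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 1000-49999/50000\r\nContent-Length: 49000\r\n\r\n'
}
reply_ignores_range() {
    printf 'HTTP/1.1 200 OK\r\nContent-Length: 50000\r\nAccept-Ranges: none\r\n\r\n'
}

# Against a live server (network required, not run here), assuming $URL is set:
#   curl -sI -r 1000- "$URL" | classify_resume_reply

reply_honours_range | classify_resume_reply   # resumable
reply_ignores_range | classify_resume_reply   # restart
```

A downloader that gets "restart" should discard the partial file rather than append the 200 response to it, which is exactly how a corrupt episode ends up on disk.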

You can download a source tarball, or apt-get install hpodder if you run Debian sid.

hpodder is written in Haskell, and calls the curl and id3v2 binaries. It uses the Sqlite3 library and my HDBC database interface for Haskell.

But you’d never need to know or care about that unless you’re a programmer.

In future hpodder versions, I intend to improve the download status display, add last-seen date tracking, and add multithreaded downloading.

Why Is Expensive Software So Crappy?

Today I was listening to Gary McGraw on Frontline Security talking about software security. One of his points was that a large part of security trouble is poor design.

That reminds me how I’ve been meaning to rant a bit about the really terrible security I’ve seen in proprietary software lately. Some of this is very expensive software that people pay lots of money for.

  • World-writable installations. In one case, the documentation for the software directed users to mark the entire program’s directory tree world-writable, including all files and directories within it. In a whole host of additional cases, consultants or support people tasked with installing the software make everything world-writable as a matter of routine. And some of these are programs specifically designed to be used on Unix shell hosts.
  • Overuse of telnet. There’s telnet use everywhere. One program actually telnets to a server to start their own server-side component and then sends XML to it. So we have to have an account for the server-side component, put the password in plain text on the client side, and maintain *telnet* for the application. Have we never heard of, say, CGI, people???
  • Overuse of root. Again, I’ve seen this even in documentation — “run everything as root” or “if you have trouble, just run this as root.” I’ve seen installers actually check to see if they’re running as root, and fail if they’re not, even though they have no need for root privileges.
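The world-writable install pattern is the easiest of the three to check for after a consultant has left. Here is an added example, not from the post or from any of the products it complains about: a POSIX shell audit that lists world-writable files and directories under an application tree (skipping sticky directories like `/tmp`, which are world-writable by design), strips the other-write bit, and builds a constructed demo tree to show the before and after.

```shell
#!/bin/sh
# Added example (not from the post): find and fix the "make everything
# world-writable" install pattern. Sticky directories (mode 1777, like /tmp)
# are excluded, since those are world-writable by design.

# List world-writable files and directories under $1, one per line.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -print | sort
}

# Number of entries find_world_writable would report.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the other-write bit from everything find_world_writable reports.
remove_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -exec chmod o-w {} +
}

# Build a constructed application tree that mimics the post's complaint:
# the bin directory and the start script were left at mode 777.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc" "$d/var/tmp"
    chmod 755 "$d" "$d/etc" "$d/var"
    printf 'dbpassword=CHANGEME\n' > "$d/etc/app.conf"   # constructed placeholder
    printf '#!/bin/sh\nexec /opt/app/server\n' > "$d/bin/start"
    chmod 777 "$d/bin" "$d/bin/start"   # the "chmod -R 777" habit
    chmod 600 "$d/etc/app.conf"         # correctly restricted
    chmod 1777 "$d/var/tmp"             # sticky scratch dir, not reported
    printf '%s\n' "$d"
}

# Demo: report, fix, re-check, clean up.
demo_dir=$(make_demo_tree)
find_world_writable "$demo_dir"          # .../bin and .../bin/start
remove_world_write "$demo_dir"
count_world_writable "$demo_dir"         # 0
rm -rf "$demo_dir"
```

A world-writable start script is the case to worry about: any local account can edit what the service runs the next time it is restarted, and if the vendor's advice to "run everything as root" was also followed, that edit runs as root.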

Sigh. Although I’ve seen some poor code out there in the Free Software community, I’ve never seen anything that even approaches this level of insanity.

Why is the most expensive software the least secure? And what can we do about it when the vendor doesn’t care?

HDBC 1.0.0

This evening, I released HDBC 1.0.0.

HDBC is a database API for Haskell. I wrote it after being unsatisfied with HSQL. HDBC at a certain level feels similar to Perl’s DBI. But it is both simpler and more powerful, IMHO, thanks in large measure to Haskell language features.

The HDBC homepage is here.

Now I’m a little annoyed at HP

So, a little while ago, I wrote about why I like HP. This week, I’m starting to be annoyed at them.

My employer just bought nearly $100,000 worth of HP hardware. We get a new MSA1500cs Fibre Channel SAN (with redundant controllers, FC switches, disks, etc), a new blade enclosure system, three blades to start with (all of them, at minimum, dual dual-core Opterons with 4GB RAM, and some considerably more), a rack to put all this in, etc.

So we’re starting to set all this stuff up. I’ve got Debian installed on an NFS root for testing the blades and how they interact with the SAN.

The blades have an integrated dual-port QLogic QLA2312 Fibre Channel adapter. The Linux kernel has a built-in driver for this (qla2xxx), which detects it and, so far at least, works fine. We want to run kernel 2.6.17 because it’s the first version where XFS has decent semantics for write ordering to prevent corruption after a power failure. Plus we want at least a 2.6.16.x kernel because we want to run the latest Xen 3.0 on these blades. (Live migration of virtual servers from blade to blade — this will be great.)

But we learn that HP does not support the kernel qla2xxx driver. HP does not say WHY they don’t support it, just that their own driver is the only one that they support.

After plowing through several annoying scripts to get to their driver, I realize why it fails to install: it is OLD. At BEST, 2.6.14 is the most recent kernel it would even compile against (release date: October 2005), and I think the most recent version it supports is more like 2.6.8 (almost TWO YEARS OLD now). They reference a whole bunch of kernel symbols and macros that were removed somewhere between 2.6.8 and 2.6.17.

I sent a ticket to HP support. Their first request was to run their system information gathering tool and send them the results. Fine, that’s reasonable. I did so. Next they say, gee, you’re running Debian, and we don’t support that.

Argh…. If they tried to compile it against 2.6.17.1 on RedHat or SuSE, they’d get the exact same problem. I told them what symbols they were erroneously using, and a simple grep would have showed them that.

Besides, how many customers are going to be pleased with no upgrade path available for 2 years? I wouldn’t want our kernel version to be held hostage to HP’s slow driver development process.

Sigh.

New hosting provider: VPSLink

Thanks to all of the helpful comments people left in response to my last post about hosting. I got some really helpful hints from them — including the one I eventually followed, to VPSLink.

I wound up going with VPSLink. Their prices are amazing and the performance is good, too.

I have to admit — I shot myself in the foot not once, not twice, but three times. The shorewall config I was using on my old VPS (which was hosted under UML) apparently doesn’t work well under OpenVZ (used at VPSLink). By “doesn’t work well”, I mean “blocks all traffic to or from the host on startup”.

So, I had rsynced over everything from my old host to the new, and rebooted the new. But it didn’t come back up. I was pretty sure this was why. I dropped off a ticket to the VPSLink folks asking them to please rm /etc/init.d/shorewall for me.

60 minutes later, they had done it. (And it looks like a bug in their ticket system prevented it from being flagged as “emergency” — they said they would have done it faster otherwise.)

I then tried to fix shorewall, and it looked like it was working, so I put the init script back and rebooted. Same problem! They fixed it again in about 60 minutes. (The ticket still had normal priority)

Finally, I deleted shorewall entirely, then rsynced my old host to the new one. Things looked good, so I rebooted…. and yes, guess what, that rsync brought back shorewall so it got hosed YET AGAIN. ARGH. This was now well into the overnight hours, but they still helped me out.
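Three lockouts in one night is the usual price of restarting a firewall on a box you can only reach over the network. The pattern that avoids the support ticket is a timed rollback: start a watchdog that will undo the change unless you cancel it within a few minutes, then apply the change, then cancel the watchdog once you have confirmed you can still get in. The script below is an added example, not part of the post or of shorewall; the `shorewall restart` / `shorewall clear` pair in the comment is only a suggested pairing, and the test uses a temp file in place of a firewall change.

```shell
#!/bin/sh
# Added example (not from the post): apply a change that could cut you off
# (a firewall restart on a remote VPS) under a watchdog that undoes it unless
# you confirm within a timeout. Suggested use with shorewall (assumption):
#   pid=$(start_guarded_change 180 'shorewall restart' 'shorewall clear')
#   ... open a second ssh session and check it works ...
#   confirm_change "$pid"

# Usage: start_guarded_change <seconds> <apply_cmd> <rollback_cmd>
# Starts a background watchdog, runs apply_cmd, and prints the watchdog pid.
# nohup keeps the watchdog alive even if this ssh session is killed by the
# very change being applied, which is the case it exists for.
start_guarded_change() {
    secs=$1; apply=$2; rollback=$3
    nohup sh -c "sleep $secs && $rollback" >/dev/null 2>&1 &
    pid=$!
    sh -c "$apply"
    printf '%s\n' "$pid"
}

# Cancel the pending rollback (call only after verifying access still works).
confirm_change() {
    kill "$1" 2>/dev/null
}

# Demo with a marker file in place of a firewall change:
marker=$(mktemp)
pid=$(start_guarded_change 1 "printf applied > $marker" ": > $marker")
confirm_change "$pid"   # without this line the marker is emptied after 1s
cat "$marker"           # applied
rm -f "$marker"
```

If the firewall does drop your session, the watchdog's `sleep` runs to completion and the rollback restores access; if it does not, `confirm_change` kills the watchdog before the rollback fires. Keep the timeout long enough to actually test from a second connection, but not so long that a lockout costs more than the sixty-minute ticket would have.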

All in all, I am so far VERY impressed with VPSLink. I heartily recommend them. I’ll be sure to post updates as time goes by.

Regarding Memset, my current provider: Really great company. I heartily recommend them, too. My needs for RAM just wouldn’t be economical under their current plans, but they are usually competitive. I also have experience with JohnCompanies. I used them way back when they only did FreeBSD VPSs, on through the Linux days, and we currently use their services at work. These are also great folks and I would recommend them to anyone. Like Mako’s suggestion of Rimuhost, both memset and JohnCompanies are “quality first” providers — not necessarily cheapest, but their systems work as advertised and are almost never down, and they support you with experienced Unix admins. BTW, Memset’s current plans use Xen and JohnCompanies uses Virtuozzo.

Disappointed with Dreamhost

I’ve been using Memset for many years to host my websites, Darcs repositories, etc. They provide virtual private servers. I’ve been happy with them overall, but as my RAM needs increase, things have been getting slower. As adding RAM to VPS plans is expensive no matter who the provider is, I decided to look for some other options.

I decided to try Dreamhost. They are a web hosting company with a clue. I don’t get root on the box, but they do give me the next best thing. ssh access, a decent suite of preinstalled packages, and clueful admins. I signed up earlier this week and started rsyncing some things over. They have a $10/mo plan which gives 1TB of monthly transfer and 20GB of disk space. Much nicer than the going rate of about $40 for 40GB of monthly transfer and 5GB of disk space for a VPS.

The web side of things worked fairly smoothly, and the system seemed to perform well. Until today, that is. I noticed my site being extremely SLOW this morning. I logged into the system to see if it was some problem with my configuration. It wasn’t, but the system load was — get this — over 100. I watched it for a while and then fired off a support request. The load had been hovering between 20 and 80. It’s now 9.5 hours later, load is hovering between 11 and 30, things are still somewhat slow, and I’ve not heard back from them.

Then, later today, their server started refusing connections on port 80. Turns out this was a sitewide outage, and seems to have lasted for 30-60 minutes. I signed up to receive an e-mail when it was fixed, but I never got it.

Also, their e-mail hosting has never worked for me. At first, it was bouncing my mail. I sent a support request about that, and the next morning they said they fixed it. Well, it was no longer bouncing mail, but it wasn’t actually *delivering* it either. I told them that this morning, and still haven’t heard back from them.

Now, with my memset account, I can’t remember the last time I’ve had downtime. I’ve had slowness — rivaling what dreamhost is having — but actual downtime is exceedingly rare. And they seem to respond to trouble more quickly.

And the scary thing is that from all I’ve read, Dreamhost is really one of the best web hosting companies out there.

So, what do you all think? Should I continue going the “do it myself” route and host my site with a VPS (either with Memset or with JohnCompanies, another clueful host I’ve dealt with)? Or try to stick it out with Dreamhost? Or are there other clueful web hosting companies out there?

Right now, I’m of the “if you want it done right, do it yourself” mindset. Being able to save money, and also time by trusting someone else to keep the host patched and working only saves me angst if I can actually trust them to do that. Right now, I’m not so sure I can trust Dreamhost — or any other web hosting company.

How to solve “The following packages cannot be authenticated”

Users of Debian’s testing or unstable distributions may be noticing messages from apt saying things like:

WARNING: The following packages cannot be authenticated!
  foo bar baz
Install these packages without verification [y/N]?

I noticed today that google doesn’t turn up good hits for the fix. The fix is really simple:

apt-get install debian-archive-keyring
apt-get update

That’s it. You now have secure packages from Debian. Nice, eh?
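The part that matters is never answering "y" to that prompt, whether by hand or from a script. As an added example (not from the post), here is a small shell helper that pulls the package names out of the warning so a build log can be checked for it, plus a check of `apt-config dump` output for `APT::Get::AllowUnauthenticated`, the option that turns the prompt off entirely. Both inputs below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post): extract the package names from an apt
# "cannot be authenticated" warning, and detect whether apt has been told to
# skip verification altogether. Sample inputs are constructed.

# Constructed apt-get output, matching the prompt quoted in the post.
sample_apt_output() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree... Done
WARNING: The following packages cannot be authenticated!
  foo bar baz
Install these packages without verification [y/N]?
EOF
}

# Print the package names listed after the WARNING line, one per line.
# The names follow on indented lines until the next unindented line.
unauthenticated_packages() {
    awk '
        /^WARNING: The following packages cannot be authenticated!/ { grab = 1; next }
        grab && /^  / { n = split($0, a, " "); for (i = 1; i <= n; i++) print a[i]; next }
        grab { grab = 0 }
    '
}

# Read `apt-config dump` text on stdin; succeed if verification is disabled.
# On a real host:  apt-config dump | apt_allows_unauthenticated && echo "fix apt.conf"
apt_allows_unauthenticated() {
    grep -q '^APT::Get::AllowUnauthenticated "true";'
}

sample_apt_output | unauthenticated_packages   # foo, bar, baz on separate lines
```

If `apt_allows_unauthenticated` succeeds, someone has papered over the missing keyring by disabling signature checks; installing `debian-archive-keyring` and removing that setting restores the verification the post is after.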

An iPod under Linux

I finally purchased my first iPod: a black 60GB iPod video model. I had been holding off for years. The iPod sounded nifty, but I just didn’t quite go there.

The thing that finally won me over was the camera connector. It lets you plug your iPod directly in to a digital camera. The iPod can download photos from the camera to its internal disk without the need for a PC. Very slick.

So anyway, we got the iPod and the camera adapter at the Apple store in Cambridge — a quick subway ride from Usenix. They were out of stock on the FM tuner, so I ordered that online.

The next step was to get the iPod working with Linux. I currently have it working with both music and video. Here’s how I did it.