A few days ago “I complained about Internet Explorer”:http://blog.cfrq.net/chk/archives/2004/08/21/argh-msie-and-bandwidth/
Google searching leads me to believe that MSIE doesn’t send If-Modified-Since: headers for images (and possibly other files, like CSS); instead, it expects to see an Expires: header in the HTTP response (It will also apparently listen to Cache-Control: headers). The beauty of standards is that there are so many to choose from…
More Googling led me to the following configuration directives for Apache:
ExpiresActive On
ExpiresByType image/gif "access plus 1 week"
ExpiresByType image/jpeg "access plus 1 week"
ExpiresByType image/png "access plus 1 week"
(It’s possible that image/* will work; I haven’t tried it).
I hope this helps someone else; I hope it helps me remember next time :-)
posted at 10:50 am on Thursday, August 26, 2004 in Site News | Comments Off on Internet Explorer image caching revisited
I’ve visited lots of old fortresses in Canada, and a few in Europe, and I remember learning about defense in depth. This is the idea that your assets should be surrounded by multiple separate layers of defenses to make it harder for the barbarian hordes (or Americans :-) to break in. Ideally the defenses should be _different_, so that if a simple technique of defeating one is discovered, it doesn’t help against the others.
The forts I’ve visited are typically on a hill (so that you can see the enemy coming and prepare). But they’re also sunk into the hill, with sloping outer walls, to defend the inner walls against artillery. They’re surrounded by open fields (no trees or brush). The outer wall has gun emplacements, to mow down anyone trying to cross those fields. There is a deep trench between the inner and outer walls, deep enough that attackers must climb down, slowing them down. The inner walls are full of small, narrow windows to allow the defenders to shoot at anyone trying to cross the trench. The inner walls usually have towers that project into the trench, so that people trying to climb the inner walls aren’t hidden from defenders inside the walls; those attackers can be attacked from the towers. The important buildings inside the inner walls have their own defenses. And so on.
Of course, a few carefully placed shells from a battleship and the fort is history; but that’s progress for you.
Anyway, to make a long story short, here’s Robert Scoble’s “defense in depth strategy for Windows XP”:http://radio.weblogs.com/0001011/2004/08/22.html#a8128 – enjoy!
posted at 7:11 pm on Tuesday, August 24, 2004 in Security | Comments Off on Defense in Depth
I haven’t even gone on vacation yet, and I already have almost 1000 unread items in my RSS reader. This feels just like the early days of the death of Usenet, when there was simply too much to read (and the signal to noise ratio was dropping with every new message, but that’s another rant).
I just dropped about a dozen feeds; mainly mainstream stuff like Engadget and Gizmodo and a few news sources. They were interesting, but ultimately too much work to read. (Since when did reading blogs become _work_, anyway?). The _really_ interesting stuff gets forwarded to me by other people, or referenced in other weblogs, so I usually see it anyway.
That takes me down to 500 unreads… maybe I’ll drop the cesspool that is /. while I’m at it :-)
posted at 9:21 pm on Monday, August 23, 2004 in Personal | Comments (1)
It appears that if you set the Cache settings in IE to “Automatically” or “Every visit to the page”, then every time you visit a page at blog.cfrq.net IE fetches all page objects (page, CSS, favicon, embedded images). For some of them, it is sending the If-Modified-Since: header (I see 304 responses for the blog CSS, for example), but it does not seem to be sending If-Modified-Since: for the banner JPEGs. This means that MSIE visitors download the banners several times in a row as they browse the site. This not only wastes my bandwidth, but it also interferes with their experience, since they have to wait for the banner to download on every page visit.
I’ve noticed IE doing this before on the client side with image intense applications (like MovableType :-), but I hadn’t investigated until recently, when a small increase in visitors to my blog site _doubled_ the bandwidth used…
Is this a known IE bug? Is there anything I can do on the server side to work around it? The investigation continues…
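As an added illustration of the caching question in this post and of the ExpiresByType directives in the post at the top of this page (not code from the original blog): a small Python checker that computes, from a response’s headers, how long a client that never sends If-Modified-Since for images can keep the object before refetching it. The sample header sets are constructed; the precedence of Cache-Control: max-age over Expires follows RFC 2616.

```python
import email.utils
from datetime import datetime, timezone

def freshness_lifetime(headers, now):
    """Seconds the response stays fresh for a client that does not revalidate
    (no If-Modified-Since); None means the response carries no freshness
    information at all, so such a client refetches it on every page view."""
    # Cache-Control: max-age wins over Expires when both are present (RFC 2616 13.2.4)
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    expires = headers.get("Expires")
    if expires is None:
        return None
    try:
        expires_at = email.utils.parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return 0  # unparsable Expires such as "0" means already stale (RFC 2616 14.21)
    if expires_at.tzinfo is None:          # e.g. a "-0000" zone parses as naive
        expires_at = expires_at.replace(tzinfo=timezone.utc)
    return max(0, int((expires_at - now).total_seconds()))

def refetched_every_visit(headers, now):
    """True when a non-revalidating client would download the object again on each visit."""
    life = freshness_lifetime(headers, now)
    return life is None or life == 0

# Constructed sample responses; NOW is the moment of the request.
NOW = datetime(2004, 8, 26, 10, 50, tzinfo=timezone.utc)
BANNER_BEFORE = {                        # banner JPEG served with no Expires/Cache-Control
    "Content-Type": "image/jpeg",
    "Last-Modified": "Sat, 21 Aug 2004 08:44:00 GMT",
}
BANNER_AFTER = {                         # after ExpiresByType image/jpeg "access plus 1 week";
    "Content-Type": "image/jpeg",        # mod_expires emits both Expires and max-age
    "Last-Modified": "Sat, 21 Aug 2004 08:44:00 GMT",
    "Expires": "Thu, 02 Sep 2004 10:50:00 GMT",
    "Cache-Control": "max-age=604800",
}
```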
posted at 8:44 am on Saturday, August 21, 2004 in Rants, Site News | Comments (2)
These days it is stories like these that keep me awake at night.
* “China – An Energy Timebomb?”:http://alt-e.blogspot.com/2004/08/china-energy-timebomb.html
* “Basic Choices and Constraints on Long-Term Energy Supplies”:http://www.aip.org/pt/vol-57/iss-7/p47.html
Basically: We’ll run out of oil in my lifetime; long before that, it will be expensive, and then rationed. Alternative sources simply can’t fill the gap; we do not have the capability to replace just our electricity needs with renewable energy, never mind our other energy needs. Even if North America switched to nuclear power, we’d run out of fuel in 35-58 years, a mere band-aid for the problem.
Meanwhile, SUVs are the fastest growing market segment in China, and GM is actively marketing them.
I haven’t the faintest idea what we’re going to do about this looming crisis; I do know that our current technique (hiding our heads in the sand) isn’t going to cut it.
posted at 6:38 pm on Friday, August 20, 2004 in Current Events, Science and Technology | Comments (5)
So after looking at “the mail I accidentally misfiled”:http://blog.cfrq.net/chk/archives/2004/08/16/oops/ there were, in fact, about 150 spam (almost 50%).
pobox.com has completely revamped their spam filtering service since I last looked; I can now monitor rejections, forward messages to myself, and add whitelist entries, all through a fairly simple interface. I’ve switched it on; so far one spam has gotten through, with no false positives…
posted at 9:11 am on Tuesday, August 17, 2004 in Personal, Security | Comments (3)
Yuck!
Yahoo! News – Kids Plus Rocks Equals 120,000 Angry Bees
Reminds me of watching “The Swarm”:http://www.imdb.com/title/tt0078350/ when I was a kid. Not so amusing is that African “killer” bees are “slowly moving north”:http://www.txtwriter.com/Onscience/Articles/killerbees.html across the USA, and interbreeding with our European honey bees…
posted at 10:02 pm on Monday, August 16, 2004 in Current Events, Science and Technology | Comments Off on Kids Plus Rocks Equals 120,000 Angry Bees
I found the problem.
Due to a typo in my .procmailrc, all of my incoming mail was being saved to the folder
^Return-Path:.*listserv.ntbugtraq.com
Which isn’t terribly useful, is it?
posted at 7:41 am on Monday, August 16, 2004 in General | Comments (1)
Very strange.
I just came back from a weekend of camping to find one new message in my inbox, and zero messages in my spam and spamMaybe boxes.
I’ve checked all the logs, and everything _seems_ to be working properly…
posted at 11:01 pm on Sunday, August 15, 2004 in Personal, Security | Comments Off on SPAM
It is very easy to set up a self-contained network, with a Domain Controller, using Active Directory. Too easy, in fact; I’m on my third attempt :-).
I’m using cloned hard disk images under Microsoft Virtual PC, which caused my latest problem; Active Directory let me register a computer in the domain with the same name as the domain controller. Needless to say, _nothing_ worked after that. The reason this happened was because I tried to rename the image _and_ join the domain at the same time; Windows 2000 apparently joins the domain _first_, then attempts to rename the computer. This surprised me :-)
Fortunately, I had a master disk image, so it was trivial to restart from a fresh install and rebuild the domain controller (which, thanks to Microsoft’s wizards, is easy). But then I had to rebuild the two child domain controllers, since they refused to “demote” themselves when the domain master was unavailable.
Sadly, all of this is _time consuming_, even when the host is a P4 2.8 with 1Gb of memory and oodles of disk bandwidth…
posted at 9:32 pm on Thursday, August 12, 2004 in Personal, Science and Technology, Security | Comments (1)
I derive a certain perverse pleasure from watching the weather forecast for eastern Ontario changing every 12 hours. Apparently nobody can predict where those two hurricanes are going to go next :-)
posted at 9:26 pm on Thursday, August 12, 2004 in Personal | Comments Off on watching the weather
“Denise Anthony”:http://www.dartmouth.edu/~socy/faculty/anthony.html doesn’t mention her security research on her “home page”:http://www.dartmouth.edu/~socy/faculty/anthony.html, but the “slides from her presentation”:http://www.dartmouth.edu/~deploypki/summit04/presentations/PKIUserBehavior.ppt are available on the “Dartmouth PKI Unlocked Summit and Workshop”:http://www.dartmouth.edu/~deploypki/summit04/proceedings.html page, which I found after a bit of Googling led me to the “Dartmouth PKI Lab Outreach Web Home”:http://www.dartmouth.edu/~deploypki/ page. There’s a bunch of good stuff buried in there, especially deployment tips, and the “Dartmouth OpenCA – LiveCD”:http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html looks especially interesting; I’m going to try it out in my testing lab soon.
posted at 9:44 am on Wednesday, August 11, 2004 in Security | Comments (4)
I can’t find it now, but I remember reading recently about another “cross-discipline” team that discovered all sorts of interesting things, because each member of the team had a different way of looking at the data. Now a PKI research group has attached a sociologist to the team, and that is “starting to produce insight”:http://www.dartmouth.edu/~deploypki/summit04/presentations/PKIUserBehavior.ppt:
bq. A recent survey found that 75 percent of Dartmouth students have shared their network passwords. “They like having people who know their password,” explained “Denise Anthony”:http://www.dartmouth.edu/~socy/faculty/anthony.html, a sociologist who spoke at the PKI summit conference I attended earlier this month. “They like having someone who can check their e-mail for them or log them in to places where they’re supposed to be.”
bq. Professor Anthony’s talk was dramatically different and showed why it was a really smart move to attach a sociologist to Dartmouth’s PKI research group. As security technologists, we’re easily dazzled by our shiny cryptographic swords. But while we’re brandishing our swords, our users — like Indiana Jones in that famous scene from Raiders of the Lost Ark — might simply pull out their guns and shoot us. Better security protocols alone can’t thwart such game-changing behavior. We need to understand what motivates the behavior and figure out which carrots and sticks will influence it.
bq. It’s a given that most people take the path of least resistance. So, for example, two-thirds of Dartmouth students never change their passwords during their four years of enrollment. And most reuse their internal passwords for external sites such as The New York Times and Amazon.com. How do they perceive the risk associated with such behavior? According to Anthony, it’s a tragedy of the commons. The network is a collective resource, but people connected to the network feel that they’re consuming a private good. Their subjective view, she says, is this: “I’m in my office. I’m using my computer. It doesn’t feel like I’m part of a group. I don’t recognize how my behavior affects you.”
InfoWorld: Tragedy of the network commons
posted at 9:44 am on Wednesday, August 11, 2004 in Science and Technology, Security | Comments Off on passwords in the news
posted at 10:44 pm on Tuesday, August 10, 2004 in Humour, Links | Comments Off on Fragile
Ok, so it turns out that all (well, 125 of 126 :-) of the spam I’m getting these days is coming through my pobox.com address. The greylisting is working fine, in other words :-)
It’s been great having a portable email address, but now that I pay real money for my own domains, maybe it is time to switch over. I can do more accurate spam filtering on my personal server than they can on their shared servers. Unfortunately, the massive spam volumes floating around these days are forcing us to these drastic measures. I’m beginning to believe the pessimists; e-mail is dying…
posted at 10:57 pm on Sunday, August 08, 2004 in General, Security, Site News | Comments (1)
So maybe I spoke too soon; in “greylist results”:http://blog.cfrq.net/chk/archives/2004/07/14/greylist-results/ I said that my spam volume had gone way down. Well, it has come back up again. I’ll have to write scripts to prove it, but I have a theory.
Machines owned by spammers are being used relatively infrequently, maybe to reduce the chances of getting detected and blacklisted? So the first time a spam host shows up, it gets greylisted. But if they show up again a day or a week later, they get past the greylist filter, because they’re now in the cache (but haven’t been expired yet).
Maybe a fix would be to put two cache timeouts in; the first would be for machines that have not yet successfully delivered a message (i.e. by retrying the original delivery), and would be relatively short, probably less than a day. The second would be the existing long timeout for machines that have already passed the first test.
That would eliminate spam machines that only show up infrequently. I don’t know whether it is worth the effort, though.
On the plus side, greylisting _is_ still keeping out the virus traffic…
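The two-timeout scheme proposed above, as an added simulation that is not code from the original post: a toy greylist keyed on the usual (client IP, sender, recipient) triplet that keeps a short lifetime for entries that never retried and a long one for entries that did, compared against a single long timeout. The timeout values, the minimum retry delay, the triplets and the arrival times are constructed assumptions.

```python
from dataclasses import dataclass

MINUTE, HOUR, DAY = 60, 3600, 86400
MIN_RETRY_DELAY = 5 * MINUTE   # assumed: a retry counts only after this much delay

@dataclass
class Entry:
    first_seen: int            # time of the first (tempfailed) attempt
    last_seen: int             # time of the most recent accepted attempt
    confirmed: bool = False    # True once the sender has passed the retry test

class Greylist:
    """Greylist with separate lifetimes for unconfirmed and confirmed entries."""

    def __init__(self, unconfirmed_ttl, confirmed_ttl):
        self.unconfirmed_ttl = unconfirmed_ttl
        self.confirmed_ttl = confirmed_ttl
        self.cache = {}

    def check(self, triplet, now):
        """Return 'accept' or 'tempfail' for a delivery attempt at time `now` (seconds)."""
        entry = self.cache.get(triplet)
        if entry is not None:
            age = now - (entry.last_seen if entry.confirmed else entry.first_seen)
            if age > (self.confirmed_ttl if entry.confirmed else self.unconfirmed_ttl):
                entry = None                       # expired: forget it and start over
        if entry is None:
            self.cache[triplet] = Entry(first_seen=now, last_seen=now)
            return "tempfail"
        if entry.confirmed or now - entry.first_seen >= MIN_RETRY_DELAY:
            entry.confirmed = True                 # a real MTA retried: let it through
            entry.last_seen = now
            return "accept"
        return "tempfail"                          # retried too quickly

def simulate(unconfirmed_ttl, confirmed_ttl):
    """Constructed scenario: a real MTA retries after 15 minutes and mails again a week
    later; a spam host never retries but reappears a week later with the same triplet."""
    gl = Greylist(unconfirmed_ttl, confirmed_ttl)
    mta = ("192.0.2.10", "list@example.net", "me@example.org")
    spam = ("203.0.113.7", "offer@example.com", "me@example.org")
    return {
        "mta": [gl.check(mta, 0), gl.check(mta, 15 * MINUTE), gl.check(mta, 7 * DAY)],
        "spam": [gl.check(spam, 0), gl.check(spam, 7 * DAY)],
    }

SINGLE_TIMEOUT = simulate(36 * DAY, 36 * DAY)   # today: one long lifetime for everything
TWO_TIMEOUTS = simulate(4 * HOUR, 36 * DAY)     # proposed: short until the first successful retry
```

With a single long timeout the infrequent spam host is accepted on its second appearance; with the short unconfirmed lifetime it is greylisted again, while the legitimate MTA is unaffected.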
posted at 12:18 pm on Sunday, August 08, 2004 in Security, Site News | Comments Off on greylist results revisited
My “New Refrigerator”:http://blog.cfrq.net/chk/archives/2004/08/03/refrigerators/ arrived at about 8:30 on Saturday morning. We took out all of the packing materials, hooked up the water and electricity supplies, and plugged it in. It is a thing of beauty :-)
It took about 3 hours for the freezer temperature to drop to -15°C and a few hours longer for the fridge compartment to cool to about 2.5°C. I went out last night and loaded up on fresh food again; now we have a fridge that looks just like the pictures you see in the advertisements…
posted at 12:09 pm on Sunday, August 08, 2004 in Personal | Comments Off on The fridge arrived!
Baby teeth are weird. They seem to take forever to get slowly looser, looser; then suddenly, wham!
I guess she’s officially a big girl now; two 6-year molars _and_ her first visit from the tooth fairy :-)
posted at 11:24 pm on Tuesday, August 03, 2004 in Personal | Comments Off on Teeth
I don’t understand how the “exact”:http://www1.sears.ca/webapp/commerce/command/ProductDisplay?prmenbr=1&lng=E&cgrpfnbr=140&prrfnbr=154068521 “same”:http://www1.sears.ca/webapp/commerce/command/ProductDisplay?prmenbr=1&lng=E&cgrpfnbr=140&prrfnbr=156769590 fridge can sell for $600 more (almost 40%) with a different _door_. Although I do understand how the same fridge can sell for two different prices, $400 apart, depending on the sticker on the door (Kenmore vs. Whirlpool, in this case :-).
Anyway, we’ve purchased the replacement fridge. I turned the old one off, just in case it decides to catch fire or something useless like that. I took the doors off and cleaned it out, so that it wouldn’t start to smell bad (because the new fridge doesn’t arrive until _Saturday_…).
posted at 4:02 pm on Tuesday, August 03, 2004 in Personal | Comments (2)
Mom brought Google to its knees (via “kuro5hin.org”:http://www.kuro5hin.org/).
bq. Fortunately for the internet, my mom’s on dialup. But unfortunately for the internet, your mom has cable. And your mom is just as obstinately ignorant as my mom. You might as well try to convince them to change their own oil as to keep their computers maintained.
In short: trying to teach Mom about computer security is a lost cause. Which leads to the obvious conclusion; we’re not going to fix the problem until we don’t have to teach Mom about computer security…
posted at 12:00 pm on Monday, August 02, 2004 in Security | Comments Off on Mom brought Google to its knees
Unlike usenet you can have a little more fine-grained control since a good number of your RSS items will be from individual people whose content you trust to be occasionally interesting at least. You could always set up an RSS feed that only gave you /. items matching a given search term (using google alert for example?)