The future ain't what it used to be

As I got older and hopefully somewhat wiser, the feeling of history repeating itself got stronger. I can't say that I know it all or have seen it all. Far from it. But I believe so much is lost when we fail to learn from history or even take it into consideration. I often discuss my hopes and fears for the future as if they have already occurred, hence the name of this journal. Here you'll find my thoughts on politics, IT-security, technology and some personal musings.

Note: This authoring system is homegrown, so not all functions are written yet. Next up: commenting system.

(2013-07-05) Modsecurity_head_ache ? ... Here's how to cure it!

Don't get me wrong, modsecurity is a very competent security “application firewall”. I recently set it up on a server and downloaded the OWASP Core Rule Set (CRS). The base rules are a bit rudimentary, so I recommend that you get the OWASP CRS as well. As soon as it was set up, modsecurity started issuing warnings and blocking access. I pretty soon had to start creating exceptions for some files and directories. From there on I spent hours testing everything, scanning the logs with grep to find the errors, and then deciding on how to handle them.

Modsecurity is not something that you can just “set up” and then let it run. But if you spend time with it, you can add another layer of security to your system.

Here are a few tips, that you can probably find somewhere else as well, on how to set up exceptions. I hope you find them useful.

First, create a file in base_rules and call it modsecurity_00_custom_exclusions.conf. Create a link to this file from activated_rules with ln -s. Then open it for writing in your favorite file editor.

If you want to totally disable modsecurity on a specific path, add this to modsecurity_00_custom_exclusions.conf:

<LocationMatch /folder/file.php>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

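This rule will disable modsecurity for the file /folder/file.php. Keep in mind that LocationMatch takes a regular expression that is matched anywhere in the URL path, so as written it also applies to any other path that contains /folder/file.php.

It also works fine for a folder (and its files and subfolders with their files):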

<LocationMatch /folder/folder-to-omit/>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

You really should avoid totally disabling files or folders. Normally, you can use your logs to pinpoint why the lock down is triggered.

Example from Apache's error log:

[Fri Jul 05 17:36:06 2013] [error] [client xx.xx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "248"] [id "958291"] [rev "2.2.5"] [msg "Range: field exists and begins with 0."] [data "bytes=0-"] [severity "NOTICE"] [tag "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-958291"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"] [hostname "www.test.com"] [uri "/folder/file.php"] [unique_id "xxxxxxxxxxxxxxxx"]

The important thing to note here is that access was denied. The key is the text “ModSecurity: Access denied with code 403(...)”. Now, the perfect solution would be to read up on WHAT this error means, make sure it's not a false positive, and then change the web application script that triggers it. In this case it's “file.php” under /folder/. But you may have no way of rewriting it or have decided the error is in fact … uhm... in error. If so, disabling this exact rule for this exact file is simple. First find the rule number. It's called id and in this case, [id "958291"] is where you find it.

With this knowledge, all you have to do is to add an exception to modsecurity_00_custom_exclusions.conf:

<LocationMatch /folder/file.php>
<IfModule mod_security2.c>
SecRuleRemoveById 958291
</IfModule>
</LocationMatch>

Is this particular file generating more than one error or warning? No problem, just add this instead:

<LocationMatch /folder/file.php>
<IfModule mod_security2.c>
SecRuleRemoveById 958291 958292
</IfModule>
</LocationMatch>
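
The log-to-exception workflow above, as an added example (not code from the original post): it pulls the rule id and uri out of “Access denied” lines and writes the matching SecRuleRemoveById block with the path escaped and anchored, because an unanchored LocationMatch pattern also matches longer paths. The sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the error-log format quoted in the post. The client
# address, unique_id values, the 958292 denial and the 999001 warning are made up.
SAMPLE_LOG = r'''
[Fri Jul 05 17:36:06 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "248"] [id "958291"] [msg "Range: field exists and begins with 0."] [severity "NOTICE"] [hostname "www.test.com"] [uri "/folder/file.php"] [unique_id "AAAAAAAAAAAAAAAA"]
[Fri Jul 05 17:36:09 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "958292"] [msg "constructed sample"] [hostname "www.test.com"] [uri "/folder/file.php"] [unique_id "BBBBBBBBBBBBBBBB"]
[Fri Jul 05 17:36:12 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [id "958291"] [hostname "www.test.com"] [uri "/folder/file.php"] [unique_id "CCCCCCCCCCCCCCCC"]
[Fri Jul 05 17:37:40 2013] [error] [client 192.0.2.11] ModSecurity: Warning. [id "999001"] [msg "constructed sample, not blocked"] [hostname "www.test.com"] [uri "/folder/other.php"] [unique_id "DDDDDDDDDDDDDDDD"]
'''

# [key "value"] pairs as ModSecurity writes them in the Apache error log.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Regex metacharacters that must be escaped before a path goes into LocationMatch.
META = re.compile(r'[.^$*+?()\[\]{}|\\]')
# Only plain printable paths without quotes or spaces are written into config.
SAFE_URI = re.compile(r'/[\x21\x23-\x7e]*')


def parse_denials(log_text):
    """Return {uri: [rule ids]} for every 'Access denied' line."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # warnings are logged but did not block anything
        fields = dict(FIELD.findall(line))
        rule_id, uri = fields.get("id"), fields.get("uri")
        if rule_id and uri and rule_id.isdigit():
            hits[uri].add(rule_id)
    return {uri: sorted(ids, key=int) for uri, ids in hits.items()}


def anchored_pattern(uri):
    """Escape the path and anchor it so only this exact path matches."""
    if not SAFE_URI.fullmatch(uri):
        raise ValueError("refusing to write unusual uri into config: %r" % uri)
    return "^" + META.sub(r"\\\g<0>", uri) + "$"


def render_exclusion(uri, rule_ids):
    """Build the exception block for modsecurity_00_custom_exclusions.conf."""
    return "\n".join([
        '<LocationMatch "%s">' % anchored_pattern(uri),
        "<IfModule mod_security2.c>",
        "SecRuleRemoveById " + " ".join(rule_ids),
        "</IfModule>",
        "</LocationMatch>",
    ])


def covers(pattern, path):
    """Approximate LocationMatch: the regex may match anywhere in the path."""
    return re.search(pattern, path) is not None


if __name__ == "__main__":
    for uri, ids in parse_denials(SAMPLE_LOG).items():
        print(render_exclusion(uri, ids))
    # The unanchored pattern from the post also covers a longer, unrelated path.
    print(covers("/folder/file.php", "/backup/folder/file.php.bak"))
    print(covers(anchored_pattern("/folder/file.php"), "/backup/folder/file.php.bak"))
```

Review the generated block before adding it; each id it lists is a rule that no longer protects that path.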

The official documentation suggests that rule ids can be specified in many different ways:

SecRuleRemoveById 1 2 5 10-20 "400-556" 673

This translates to: remove ids 1, 2, 5, ids between 10 and 20, ids between 400 and 556 and please don't forget 673.
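
A way to review the exclusions file, as an added example (not code from the original post or from ModSecurity): it expands the SecRuleRemoveById id list described above, treating ranges as inclusive, and reports every scope where the whole engine is switched off. The sample file is constructed from the snippets in this post, and the function names are hypothetical.

```python
import re
import shlex

# Constructed exclusions file assembled from the snippets in this post.
SAMPLE_CONF = '''
<LocationMatch /folder/folder-to-omit/>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

<LocationMatch /folder/file.php>
<IfModule mod_security2.c>
SecRuleRemoveById 958291 958292
</IfModule>
</LocationMatch>

# The syntax example from the reference manual, placed at server scope here.
SecRuleRemoveById 1 2 5 10-20 "400-556" 673
'''

OPEN = re.compile(r'<LocationMatch\s+(.+?)\s*>$', re.IGNORECASE)
CLOSE = re.compile(r'</LocationMatch\s*>$', re.IGNORECASE)
ID_TOKEN = re.compile(r'(\d+)(?:-(\d+))?')


def parse_id_ranges(args):
    """Turn SecRuleRemoveById arguments into inclusive (low, high) pairs."""
    ranges = []
    for token in shlex.split(args):  # shlex strips the optional quotes
        m = ID_TOKEN.fullmatch(token)
        if not m:
            raise ValueError("not a rule id or range: %r" % token)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if high < low:
            raise ValueError("reversed range: %r" % token)
        ranges.append((low, high))
    return ranges


def is_removed(rule_id, ranges):
    """True if the given rule id falls inside any removed range."""
    return any(low <= rule_id <= high for low, high in ranges)


def ids_covered(ranges):
    """How many numeric ids the ranges span (not how many rules exist)."""
    return sum(high - low + 1 for low, high in ranges)


def audit(conf_text):
    """Per scope: is the engine off, and which id ranges are removed."""
    scopes = {}
    current = "(server)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = opened.group(1).strip('"')
            continue
        if CLOSE.match(line):
            current = "(server)"
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()  # Apache directive names are case-insensitive
        arg = parts[1] if len(parts) > 1 else ""
        if name not in ("secruleengine", "secruleremovebyid"):
            continue
        entry = scopes.setdefault(current, {"engine_off": False, "ranges": []})
        if name == "secruleengine":
            entry["engine_off"] = arg.strip().lower() == "off"
        else:
            entry["ranges"].extend(parse_id_ranges(arg))
    return scopes


if __name__ == "__main__":
    for scope, entry in audit(SAMPLE_CONF).items():
        state = "ENGINE OFF" if entry["engine_off"] else "engine on"
        print("%-28s %-10s ids spanned: %d"
              % (scope, state, ids_covered(entry["ranges"])))
```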

Links:

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsecurity2-apache-reference.html#N1096A

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsecurity2-apache-reference.html


Tags: Modsecurity, php, security, scripting
Posted 2013-07-05 by Erik Zalitis, changed 2013-07-05 by Erik Zalitis

(2013-07-04) Security lockdown on the ERICADE Network

The ERICADE Network now uses modsecurity to further increase the security of its services. It works well, but may under some circumstances prohibit access that should not be restricted. If something seems to be broken, please send an email to erik (a) zalitis.se, and I will look over the settings.

Tags: Service announcement
Posted 2013-07-04 by Erik Zalitis, changed 2013-07-25 by Erik Zalitis

(2013-03-08) APRS

Here's my latest project, a fill-in digipeater in southern Stockholm, Sweden.

http://sa0btz.ericade.net/aprs/

You can also use aprs.fi to see how well it works in real time:

http://aprs.fi/info/a/SA0BTZ-1

.. Ahh well, it's been online for almost a year, but I haven't blogged about it, so here goes.

Tags: HAM-radio, Amateur radio, APRS
Posted 2013-03-08 by Erik Zalitis, changed 2013-05-16 by Erik Zalitis

(2013-03-04) The thing about encryption

I've just read an interesting article in "The Register". It's an interview with Adi Shamir (the 'S' in RSA, by the way), who says that "I definitely believe cryptography is becoming less important". He says something that I have thought a lot about: the cost of an attack. What follows here is my take on this security problem: If you want to target a specific individual in an organization (this attack is known as a "spear phishing" attack) you try to get a hold of his/her computer. Trying to get the person to download malware or attacking his browser, email software or other "internet enabled" applications running on the computer seems to be better time spent than trying to break the cryptography of his VPN. Once done, you may want to install malware that stays "invisible" (a rootkit could be used for this) and at a preset interval "phones home" with captured documents, passwords and recorded key strokes.

The best way to attack a target depends on the cost. Attacking a well implemented cryptography solution may simply be too "expensive" compared to trying to get the person behind the keyboard to download malware through a web browser. Few hackers choose to attack the well guarded door, when it might just be easier to get in through the open window in the back yard.

There are situations when attacking the encryption may be superior to attacking a computer: remember the improved attack against MS-CHAP version 2? In late July of 2012, Moxie Marlinspike demonstrated an attack which more or less dealt the PPTP VPN (which normally uses MS-CHAP v2 to facilitate the key exchange) a deadly blow. Or even worse: the inherently broken WEP standard.

I think the lesson to be learned is this: you must understand that attackers most likely will choose the open window over the closed door. Understand and attend to the easy attack vectors, the "low hanging fruit" if you will, first!

Read the article here

Tags: Security, cryptography
Posted 2013-03-04 by Erik Zalitis, changed 2013-03-04 by Erik Zalitis

(2013-02-28) When did we all start being afraid of everything?

I probably covered this in earlier posts, but recently I started to wonder why we are so full of fear. When I was young, safety and security were no big concerns. And this was the decade when the United States of America and the Soviet Union pointed nuclear arms towards the other side’s cities.

I, as most other people during that time, rode our bicycles without helmets. Yes, it was a stupid thing to do. We could also hardly be bothered to wear reflex bands and we walked everywhere at any time of the day. Or did we? I was probably more cautious than most as I actually took great care not to be walking out on unknown streets in the middle of the night. I also wore a reflex in the winter time. But still, I don’t remember anyone wearing a reflex in the form of a jacket. Not even the workers did. Today, a modern construction site looks like a beacon of reflected light. Everyone wears helmets when riding a bike. Superficially, this is great news. But, I wonder about the true reason. Is it really sensibility? I suspect a lot of us have acquired a new ”hobby”: fearing everything and everyone. ”Zero tolerance” was a word that came into the collective mind in the 90s. If there was the slightest risk of something being dangerous, it had to be forbidden or, god forbid, someone could get hurt. If you read the headlines of the news here in Sweden, by now you probably ”know” that everything causes cancer. You also have access to ten or twenty methods to lose weight, some of which contradict others. Now you know that your lasagna contains horse meat and I suspect what is actually labelled horse meat nowadays is just papier-mâché. :) Is this dangerous? Is it an indicator that food is a hazard to your health…? Or is it nothing to worry about? Every day we’re informed about the latest risk that could hurt you, your family, your computer and/or pet.

We get new things to worry about every day. What happens the day the newspapers tell us that we risk getting cancer by worrying too much about things? Checkmate?

Tags: Fear
Posted 2013-02-28 by Erik Zalitis, changed 2013-02-28 by Erik Zalitis

(2013-02-26) One year of silence

It's hardly a thing to celebrate, but today it's exactly one year since I wrote anything in this blog. I hope to be back soon with my thoughts on security and other stuff.

Tags: Notice
Posted 2013-02-26 by Erik Zalitis, changed 2013-02-26 by Erik Zalitis

(2012-02-26) Seventeen years ago...

Only a few more minutes left to go before the show was to begin and it had been in the making for years. Not the show itself, but all the preparations and the necessary paperwork had taken almost two years. Sure, it could have started earlier if the community broadcaster we intended to use hadn’t lost its studio just weeks before we were supposed to have started. But on that night, exactly 17 years ago to this date, it didn’t matter. We were home and we were ready to hit the airwaves.

At exactly 6pm on the 26th of February 1995, I had turned the key that unlocked the controls and pushed the button that put us on the air. It’s easy to notice, when you listen to the tapes, how nervous we were. But we pulled it through and started an era that would last for exactly 11 years.

Radio Unga Forskare Stockholm (A rough translation into English: Radio Young Scientists of Stockholm) was the brainchild of me and Magnus A. We met at an event hosted by the federation of young scientists in 1993 and came up with the idea after some brainstorming. The federation couldn’t help us and instead referred us to their Stockholm district board. The district board liked the idea and agreed to back us up financially. In 1995, finally the plans came into fruition and in the years that passed, we slowly “evolved” into the form we had until 2006, when the station was down to just me and I decided that it was time to call it quits.

The most active years were between 1997 and 2003. We published some of our recorded material on the Internet at a time when most radio stations didn’t even have audio-streams available on their sites. From 1997 until 2004, we had a team of volunteers on a monthly basis recording popular science bits and discussions that we broadcast on a regular schedule. We reported from many of the larger Young Scientists conventions and also served as a news-channel for them. I personally wrote a Swedish guide to help rookie sound engineers to get started and published it on our website.

During those years, hundreds of people crossed our path. Some of them contributed with material, helped arranging events with us, worked with us in some of our projects or just visited the studio from time to time. During the most active years, there were 10-15 regular contributors to our show. Those years held everything from wonderful successes to downright painful mistakes. But in the end I’m happy for the time I spent with RadioUFS and I believe we made a difference in some way.

Today is the 17th anniversary of the station’s birth.

A more complete timeline can be found here (in Swedish)

Tags: RadioUFS, Radio Unga Forskare, närradio, community broadcast
Posted 2012-02-26 by Erik Zalitis, changed 2012-02-26 by Erik Zalitis

(2012-02-12) Do something – anything

The feeling of being powerless in a situation must be one of the worst feelings in the world. It’s the feeling you have when something is happening and you have no idea if it will affect you and your family or what to do about it. When you see a direct threat you have the age-old flight or fight response. That’s what we get for being simple beings relying on direct problem-solving. But recession, fear of illness, fear of losing your job or being attacked by terrorists are threats you can’t run away from or attack. When the fear cannot be handled by any direct action, we get anxiety as a result. Nothing is such a relief as someone offering to remove whatever is causing the fear and anxiety. When we feel that someone has an obligation to remove the threat, we feel anger towards them rather than against those that cause the threat itself.

We ask ourselves and everyone we know “Why are the people responsible for fixing those things not doing anything?” Here in Sweden the most common phrase of despair is “varför tar de inte sitt ansvar?” (Translated: “Why won’t they take their responsibilities?”). It’s not uncommon that we have no clear idea if there’s someone that should be responsible to remove the threat or who that should be. So, when crisis, real or imagined, strikes, taking control is the only way we can feel safe. But control must be regained even if we didn’t lose it in the first place or if we have no idea how to regain it. That’s why we have a word like “Security Theater”. Security Theater is what politicians, organizations, corporations or other groups use to make us all feel safe again. It could be installing more cameras because of a terrorist-attack, making data-retention mandatory for Internet Service Providers or disallowing liquids such as toothpaste on flights. The benefits of such actions are doubtful at best, but do provide a way for those in charge to say “look, we did something. You’re safe now!”

It is not Security Theater if it actually is successful in removing or mitigating the threat without causing a larger threat/cost/problem by itself. It’s Security Theater if the core benefit is to stave off hysteria, fear and anxiety. And if you see no problem in this, remember this:

- It has not solved any real problem at all.
- If there’s a real threat, it’s still out there. Only now we don’t think about it.
- We now have a bad habit of applying useless solutions to problems that may or may not be imaginary.
- Most of those solutions are “cover your own ass” rather than “protecting others”.
- We allow ourselves and others to accept easy solutions to unknown threats from unknown people. I think history has something to say about this.

Tags: Fear, politics, Safety
Posted 2012-02-12 by Erik Zalitis, changed 2012-02-12 by Erik Zalitis

(2012-01-29) Confusion in an elevator


The picture is a bit fuzzy, but should give you a hint about the problem.

One day a few months ago I came across this confusing control panel in an elevator. Never mind the cluttered layout of the buttons. The problem is with the three colored buttons on the upper row. The yellow one is not a button at all, but a lamp that goes on if the elevator gets overloaded. It does look like a button, just like the other two.

The green button is indeed a button and it’s the emergency button you’re supposed to push if you’re stuck in the elevator or if you need urgent help. That’s right, it’s green! The red one is actually the emergency stop, which kind of makes sense. The black button in the lower right corner is the door opener. The sign above the real emergency button says “To use the emergency alarm, keep the button depressed for 10 seconds”.

If you needed to open the closing door for another person and had to think fast, which button would you instinctively push?

... Thought so ...

Tags: Bad design, GUI design, humor, funny
Posted 2012-01-29 by Erik Zalitis, changed 2012-01-29 by Erik Zalitis

(2012-01-26) HAM-holiday

HAM-radio is a hobby that can last a lifetime. When I got my license last year, I started out as most newbies do and was content just to talk with nearby amateurs on the 2M and 70CM bands. Those bands are good for the rookie as they require very little in the way of antennas and setup. I frequently used the local repeaters as well. From there most new hams eventually find new bands and modes to explore. Pretty soon I set my eyes on the shortwave bands.



On shortwave you can speak to your own country, nearby countries and if the conditions allow: the whole world. The trick is that shortwave frequencies allow for something called skip. This phenomenon is not just something you find on the shortwave, but shortwave is where most of the interesting HAM-radio traffic is going on, so it’s the natural place to hang around. I won’t get too technical here, but skip is what makes broadcast beyond the horizon possible. Now, the pesky ball we all live on is round, and this puts a limit on how far a radio-transmission may reach before disappearing into the blue yonder. But then there is “skip”. Some atmospheric layers (known as D, E and F-layers) cause radio waves on some frequencies to bounce rather than just disappear into space. To simplify it: Assume that I live in country A and country B is adjacent to country A. Country C is far away on another continent and there’s no way for my transmissions to reach there, because of the horizon-problem. But the transmissions may actually bounce off of the atmospheric layers and skip country B, “landing” in country C. Unless my antenna position and transmission power allow for it, no one can hear me in country B, but I can be heard in country C. And here’s why “shooting skip” is so popular: there’s no easy way to know exactly how well it works or who may be listening. The skip conditions can be monitored thanks to online weather services, but exactly how well it works out at a given moment, you will have to find out by experimenting. There’s something “Forrest Gump” about the whole situation. You never know what you get out of the radio box when you tune in.

This I know: shortwave reception is troublesome in big cities. I live in Stockholm in Sweden and northern Europe is not a bad place to be for a HAM-operator, but the city poses two big challenges for me: RF pollution and antenna placement. RF-pollution can be, but is not limited to: my neighbor’s plasma TV, the nearby underground station, computers, poorly built power supplies and even the ventilation system in the building across the street. It’s bad, but can be handled. The worse problem in my case is the fact that I live in a flat. I can’t set up 40 meters of long wire because I don’t have a yard. Now, there are ways around this as well, but the situation is not as good as one could hope for. However, my family owns a house in the country. A few weeks ago, I packed my HAM-stuff and spent my vacation in northern Sweden, and that’s the story you’re about to hear.

The preparations

The first semi-portable rig I assembled was battery powered and mounted inside a sturdy backpack. It worked well, but was too cumbersome to carry around. I figured that I would probably spend my time inside of or near a building, so I simplified the setup a bit. The antennas I use are two homemade random wires I created by cutting 25 meters of loudspeaker wire into discrete lengths. I created two antennas from the original cable. The first random wire has a radiator length of 20 meters and a ground cable of 12 meters. The second antenna has a radiator of 8 meters and a ground wire of 5 meters. I use the remaining 5 meters for my loudspeakers at home. The longer of the antennas is used for the 80 and 40 meter bands and the shorter one is for the 20 and 10 meter bands. Now, you can’t just connect the antenna-wires to the radio and expect it to work. My HAM-radio comes with a rather standard unbalanced connector, which I have connected to an antenna-tuner. From the antenna tuner I have connected a 10 meter long feed cable that goes into a 4:1 balun. A balun, or balanced to unbalanced transformer, is the box that the loudspeaker cables are attached to in one end and my feed cable is attached to in the other end. The antenna tuner is used to tune the antenna. All normal HAM-radios are built to function with an antenna that has an impedance of 50 Ohms. The problem is that impedance is a function of the frequency you’re transmitting on and the length of the antenna. To be perfectly resonant and thus present the radio with an impedance of 50 Ohms, the antenna length must match the frequency. This is a big oversimplification, I know, but basically that’s what it’s about. Most antennas are compromises of some sort. If you want to broadcast on the 80 meters band, the perfect antenna should be a multiple of 80 meter. A half wavelength dipole for the 80 meter band should thus be 20 x 2 meters long.
The calculations can be very complex for some types of antennas and even in this case, the calculation comes with a twist. The optimal length is (wave length / 2) * 0.96. I have no idea what the reason for removing 4% of the expected length is, but it’s said to be an optimal solution for most radios. My antennas are random wires and not strict dipoles. When I designed them, I didn’t expect to be able to control the environment in which they would be used, so the random wire felt like a simpler and more flexible construction to me.

The radio itself is a Yaesu 857D. It covers all relevant shortwave bands, 2 meter and 70 cm and comes with all the modes you need and then some. The radio features fair filtering capabilities and comes with everything you expect to find in a shortwave radio. In short it’s a well-rounded performer that neither excels nor underperforms in any situation.

Going there

Now you know a little bit about the stuff that went into my backpack before I went away on vacation. The family house in the country is actually close to one of the more popular ski-resorts here in Sweden, but this time I wasn’t there for the skiing. As I came up rather late and it was dark, I didn’t feel like setting up the antenna. I just tossed the radiator and the ground wire on the ground to see if it worked. In spite of this poor setup, the reception on the 80 meter band was great. I didn’t want to try to broadcast with the antenna still on the ground, so I spent the evening listening. As the light of day came back in the morning I installed the antenna between the house and a nearby tree. A dipole or random wire must be mounted at a height of at least ¼ of the wave length you intend to tune into. But I had no way of reaching 20 meters above ground with the equipment I had in my possession. The antenna placement was therefore hardly optimal, but for my purposes it would do.

My intent was mainly to work on the 80 meter band. Spanning the frequencies 3.5 to 3.9 MHz, this band has some interesting skip-properties. At daybreak, the skip conditions deteriorate and confine transmissions to a local area. In my case, this meant Scandinavia and the northernmost parts of Germany. As soon as the sun sets, the rather silent band comes alive as Europe lights up like a Christmas tree. However, for me the day time was the time I was looking forward to. In the morning and until the sun begins to set, there is a lot of “rag chewing” going on. “Rag chewing” is a HAM-term for a general discussion as opposed to competitions or tests. Think of it as a predecessor of today’s internet chat. Only they’re often more technical in nature.

Finally all was set up and tested and it was time to find one of those roundtables. At this time I want to remind you that HAM-radio generally is not full duplex. What I mean is that you can transmit or you can receive but not at the same time. You’ve probably seen or even used a walkie-talkie at some time. Remember how you have to push a button to speak and then release the button to listen to the reply? This button is called PTT or “push to talk”. The legal side of HAM-radio does not put that many technical restrictions on how you may use your radio. So there’s nothing hindering you from using a setup that allows you to simultaneously listen and transmit. But the PTT is still the “least common denominator” and this means that conversations over the HAM-radio work a little bit different than over phone. In HAM-lingo a conversation is called a “QSO” and when more than two stations participate in a “QSO”, it becomes a “roundtable”. Generally the person who started the QSO also owns the frequency for the time being. They often “rotate” who is allowed to speak at a given moment, so that every participant waits until their call sign is called up. The system works, but in the beginning it may feel a bit intimidating when your call comes up even when you have no idea what to say. If the QSO only has two participants, there’s no need for any list, as the conversation just flows back and forward between them.

After a while you find out that many of the roundtables start at a preset time and many of the roundtables have had pretty much the same core participants for the last 20-30 years. The best way to learn is to tune in and listen. A good HAM keeps a log of his/her QSOs. My first QSO was at 07:30 on 3623 MHz as I checked in to the Nomira-roundtable. The first 5-10 minutes you could hear faint communication in Polish in the background, but as the sun rose the conditions changed so fast that they were gone and that just left the Nomira-roundtable on the frequency. Whereas my reception was good to great, I was quickly reminded of the suboptimal antenna-placement when I hit the PTT. Most of the participants could hear me, but not all of them. At full power (100w) the signal reports I got back ranged from fair to good from those that could hear me. I was still satisfied and continued to look for other QSO’s after the Nomira-roundtable had concluded their daily “rag chew”. Nomira is a Christian HAM-radio organization and they’re very nice and helpful people and made me feel right at home on 80 meters. During the few days I was on vacation I participated in a number of roundtables and QSOs and also tuned into a few “pirate radio”-stations. Among them was a station claiming only to broadcast 2 hours per year, calling themselves “Radio Mistletoe”. This and many other interesting things is what makes HAM-radio such a fascinating hobby. Should I ever get tired of “rag chew”, there’s a plethora of other activities out there such as CW (Morse code of radio), RTTY/PSK32(data transfer), SSTV and contests.

The radio amateurs of the world have a long history of inventing new technologies, helping others in distress and generally breaking boundaries. I’m proud to follow in my grandfather’s footsteps and while I’m an agnostic atheist, the idea of him sitting on a cloud and listening in on his grandson’s transmissions while muttering “… Humph!... Back in my time…” really amuses me.

Tags: HAM, HAM-radio
Posted 2012-01-26 by Erik Zalitis, changed 2013-04-17 by Erik Zalitis

(2012-01-15) Looking back at the 2010s

All eras are defined mostly in hindsight. A number of years later people may laugh at it, shake their heads or just get that “dreamy look” in their eyes when they think about it. If you think about the 1950s, you have an era which everyone has an opinion about. Even those that weren’t even born back then (I sure wasn’t). We may laugh at the commie scares and the crazy times when people feared the atom bomb. And it looks even worse when you think about the wars and the segregation. Exactly what it looked like and if it indeed did look the same way depended on where you were in the world.

It’s 2012 now and as always we live in the ultra-now. It will take a number of years until we can look back and think about it. What do you think we’ll love, like, hate or just don’t care for when we look back at the 2010s?

A few years ago I was worried about the surveillance spreading throughout our cities, networks and society. I concluded my blog post by noting that this is something we may have to sit through and hope that we learn something from in the end. That’s still my opinion, and the dark clouds are still gathering. They almost fill up the whole sky by now. The Internet gets more and more regulated. Not a month goes by without new words like SOPA, PIPA, HADOPI and IPRED. The politicians and private sector managers are not the enemies, because they’re us! They’re citizens in the same society we are. Some of them may want to capitalize on our fears, but most of them believe in what they’re doing. The road to where we're heading is paved with the best of intentions. And still, we know it's not going well and it's not going in the right direction.

It doesn’t matter that we’re safer now than ever, the fears are still there. Whatever we don’t feel we fully understand and control, must therefore be tamed. The Internet fits this description, and so do the public streets and the places where we meet. All those must be controlled and any and all risks must be eliminated. Yesteryear’s anger over cameras that go everywhere and having to sacrifice our privacy is now just an irritated mumble. This is where we’re going, and it’s painfully apparent. What isn’t so apparent is where we will end up and how much it’s going to cost us.

But I worry more about how the mentalities change over time. We have not only come to accept things that we couldn’t dream of tolerating 10-20 years ago. But we also demand to know everything about everyone. Dostoyevsky once wrote that “The degree of civilization in a society can be judged by entering its prisons”, and if the fear, paranoia, loss of freedom and decline of justice in our society continue that may one day be something we all get a firsthand experience with. “Innocent” is just a word. Just like “civilization” and “society”.

Tags: Security, society, philosophy
Posted 2012-01-15 by Erik Zalitis, changed 2012-01-21 by Erik Zalitis

(2012-01-08) Comic book review - ”Pogo Possum – through the wild blue yonder”

A review of ”Pogo Possum – through the wild blue yonder”
Book: ”Pogo Possum – through the wild blue yonder”
ISBN: 978-1-56097-869-5
Pages: 290
Author: Walt Kelly, Jimmy Beslin et al.
Publisher: Fantagraphics
Released: December 2011.



What am I reviewing here? Is it Pogo Possum as a comic or the collection album that Fantagraphics finally released in December 2011? The answer is that it will be both, but first let’s take a look at the book. Walt Kelly’s comic strip “Pogo Possum” ran from 1949 until 1975, almost two years after Walt’s death. Beside the daily comic strips that were published in newspapers all over the US there have been over 30 comic albums released and a number of collections as well. After the comic ended, there has been no attempt at publishing all daily and Sunday-strips in one set of volumes. In 2007 that changed as the publisher Fantagraphics announced that they would give the world the whole story from the very first Pogo Possum daily comic strip until the very end including the colored Sunday strips, all in 12 volumes. But time went by and the first volume failed to appear. They claimed to have serious problems finding all the strips in a usable condition and we waited. The first volume would cover the Pogo from 1949 – 1950, so we’re talking about something that’s 60 years old. In the end it took until fall of 2011 until they finally managed get the book released. And it has been worth the wait, I tell you…

The first thing I notice about the book is the good quality, its sturdiness and a binding that seems to be built to last. Only time will tell, of course. The book comes with a foreword, editor’s notice, an index for each week covered of the comic itself, a separate section for the Sunday strips and finally the “predecessor” of Pogo that ran in the New York Star newspaper before it folded. Most of the strips look great and have high contrasts and (for the Sundays) vibrant colors. Sometimes the colors may be a bit too vibrant and there are a small number of the daily strips that lack some sharpness and have an odd contrast range. But those are minor flaws hardly worth mentioning. The overall restoration work is amazing and makes no attempts to improve on the original so that it looks like it was made on a computer. It may come as no surprise as members of Walt Kelly’s own family have been enrolled in the project.



I have a small concession to make: I was born after Mr. Kelly died, so my knowledge of the comic strip is fairly limited and I started reading it just a few years ago. Also, I’m not a native English writer, so please forgive me my sometimes weird grammar.

What about the comic strip itself? As it has ended, we now know how it evolved from the humble beginnings in 1949 until the very end. This collection covers the first two years, 1949 and 1950, and shows how the comic began finding its form. It’s amazing to see that almost all of the important characters were there from the start or at least came into the story early on.
The different story arcs center around a number of characters living in the Okefenokee swamp in Georgia and how they deal with how they always misunderstand themselves, the others and what’s really going on. After a while I get the feeling that the characters are more like concepts and ideas that Walt Kelly plays around with than real characters. He often throws in the events of the day, like in the arc where he lets the incompetent “scientist” of the swamp, Howland Owl, try to create an “Adam Bomb” (Atom bomb) out of a yew and a geranium. Yewranium sounds like Uranium when pronounced and that alone makes up the base of the whole story arc. Unlike many other comic strips that either tell lengthy stories or just resort to being gag-a-day comics, Pogo Possum uses variable length arcs. Those arcs continue until Walt Kelly obviously gets fed up with them and changes the subject. Sometimes the story smoothly transitions over to another one and sometimes it just shifts gears without using the clutch. Various events also frequently “spawn” new characters into the story as they are needed. Some of those characters never reappear, whereas others join the back of the queue until a “Deus ex Machina” is needed. Walt Kelly once jokingly said that the “characters work for another comic” when they’re not in Pogo Possum, and why not? The characters apparently know that they’re actors in a comic story, and sometimes even use the edges of the panels to lean against or to do things like using them to strike a match against.

The main (and thus always recurring) characters are just a handful with literally hundreds of extras filling in whenever they’re needed. But the one lead character of the story is the eponymous Opossum who is known as Pogo by his friends. He has a mostly kind and gentle demeanor. His best pal Albert is an alligator who smokes cigars, tries to intimidate the others but is deadly afraid of alligators and refuses to calm down even when told he is one himself. Then we have the “only sane man” in the swamp, Porky Pine. What counts as sanity in the swamp may be discussed, but in relative terms he fits the bill. Porky, like Eeyore in Winnie the Pooh by AA Milne, is in a permanent state of gloom and depression. This is in stark contrast to the constantly untroubled mind of Churchy La Femme, the turtle whose mind is free of both common sense and any trace of intelligence. Howland Owl considers himself a scientist and a scholar, which he may be the only one in the world to actually believe. He can barely read, has no idea where science ends and urban legends start and will seldom if ever doubt himself for any reason. Some of the other main characters take a little longer to get into the story. Miz Beaver, Deacon Muskrat and Miz Mam’selle Hepzibah make their respective appearances in the story after a while. And last but not least, the “bad guys”, Seminole Sam (salesfox) and Wiley Catt (Wild cat) pop on in. The characters are often drawn like they were in motion. Walt Kelly used to work as an animator for Disney, and it shows! Every character changes their pose and facial expression dynamically between the panels and Kelly is very able to make them look like they’re running, walking or falling even when printed on paper.

In my opinion the best part of the whole comic is the dialog. Walt Kelly’s grasp of mid-west US dialects seems, to say it kindly, to be lacking, but that’s actually a great thing. Pogo Possum sports a non-existent, yet very understandable flavor of American-English. And I’m pretty sure that Walt Kelly knew exactly what he was doing, as the dialog is extremely vibrant with all its playing with words, double meanings and droll jokes. Some characters even have their own word balloons that mirror their way of talking. Okefenokian, as I would like to call it, is its own language that may count as “Engrish” by today’s standard. If you get stuck reading something, just say it aloud and it should become clear what they’re really saying. Walt Kelly is just as much a great writer as he is a great artist.



In this first volume, the direction that Pogo would later on take is not yet clear. While there are some political jokes already from the start, the comic later became politically very active and challenged many of the things Walt Kelly felt were unfair or plain wrong. I look forward to rereading his take on Joseph McCarthy that should be in the next volume if I’m not mistaken. A fair warning though, as Pogo matured it included more and more references to the political stage of the day. When you read future volumes from Fantagraphics you might want to have a reference book or perhaps access to the Internet at hand. I’m not a US-citizen, and so far I have already had to resort to the Internet more than once to understand what some jokes are about.

Many lesser strips use their first panels to “build up” to a punch line in the last panel. Pogo on the other hand may or may not give you a punch line in the last panel, but you won’t notice you had so much fun getting there.

Final verdict: 10/10. A well-executed tribute to a masterful comic.

Tags: Pogo Possum, book review
Posted 2012-01-08 by Erik Zalitis, changed 2012-01-21 by Erik Zalitis

(2012-01-08) What is going on at ERICADE?

It's been very quiet on this site for the last 3-4 months, but a lot has happened in the background. In late October 2011 I decided to take a large portion of the services offline. This did not include any essential services such as the mail-system and the name lookup service (DNS).

During the fall of 2011, I rebuilt most of the services from scratch, which has taken a lot of time. During this time, the radio station has been offline and all news pages have been static.

The radio station came back on the air on the 30th of December. As of now all services have been restored except for a few that have been retired.

The mail service has been kept up to date and is running the latest stable build of Kerio Connect.

I've changed the SSL-certificate for secure.ericade.net, which rendered a few cosmetic error messages until all services were properly changed.

The radio station is now running the new ShoutCast 2.xx streaming-software.

The role playing forums have been retired and will not come back.

A few minor issues still must be addressed, but as of now, we're back on track and back on the air. Enjoy!

Tags: Service announcement
Posted 2012-01-08 by Erik Zalitis, changed 2012-01-08 by Erik Zalitis

(2011-09-14) Ten years of security

A few days ago a milestone flew by: it was ten years since the World Trade Center attack. Much happens in ten years, but in the world of security so much has changed that I can’t help but wonder if a time traveler from 2001 would be able to recognize the world of 2011.

Back in 2001, we had Nimda knocking down our web servers while we were still recovering from the effect of the dot com crash with no end in sight. Enron went under and MCI/WorldCom crashed. Then came the outbreak of worm attacks and the second coming of the Spamocalypse. Internet became so common, that even our grandmothers and grandfathers started using it for everything. When the worm attacks finally subsided, the web browsers became the target and the malicious code went from one trick ponies to multi vector attack-wielding one-man armies. Proving that we had learned nothing, we made more and more of our software reliant on an “always on” Internet connection. Playing a computer game without the proverbial intravenous connection to the big cloud simply wasn’t possible anymore.

The sheer volume of software security patches we had to apply went from scattered showers every now and then to flowing like the Niagara Falls. Music and movies, both legal and illegal, also flowed to our computers through BitTorrent, iTunes and services too many to name.

EverQuest, World of Warcraft and the numerous clones of those games merged the idea of user communities with gaming and forever changed gaming from a solitary pastime to a social thing. Talking about communities; we went from IRC, to forums to blogs, to MySpace, to Facebook to Twitter. Everything could be found with Google and that included your house and maps of your neighborhood. And don’t forget that Internet is for porn! Security wise, porn sites have always been bad news and many careless users got viruses when searching for sex. Like in the real world. YouTube came from nowhere and suddenly you could find all those TV-clips and obscure songs you thought were lost forever. RIAA and MPAA were none too amused.

The governments of the world woke up as from a nightmare of falling helplessly through the space of libertarian Internet-fueled direct democracy and acted in panic. In the name of fighting terrorism and child pornography without any idea on how to actually make any difference in the matter, laws were enacted. Surveillance became ubiquitous and the corporate world followed suit as RIAA declared war on … everyone. Especially grandmothers and young girls who had downloaded the latest crappy boy band songs. Someone calculated that if RIAA were right about the value of pirated songs, a normal iPod full of copyrighted music would be the most valuable object in the entire world.

China grew larger. India became a preferred destination for businesses jumping on the offshoring bandwagon. Many other “low cost” countries followed suit and the global talent pool grew quickly. This and many other changes caused the software market to boom.

People met, fell in love and even “lived together” on the Internet. But Internet also taught us to fear everyone we didn’t know or understand and to stick to places where people always agreed with us. The trend of publishing the identities of condemned criminals gained traction and then went so far as to publish the names of those suspected of something. The gossip and rumor machine had landed on the Internet. How many people that were innocently accused of being criminals, psychopaths or pedophiles and such will probably never be known, but history will judge those spreading such rumors! Mark my words! But people also used their newly found soap box to judge and criticize wars, injustices and other wrongdoings they felt had been done.

Apple reemerged like it was the Phoenix bird complete with new, stylish feathers. Microsoft screwed the pooch and called the offspring Windows Vista. Eventually they saved their faces with Windows 7. The protests against the regulation and secrecy of governments and corporations changed form and suddenly we had entered the era of WikiLeaks. It was the logical next step from governments and corporations spying on people while people were spying on each other. Could authors such as Agatha Christie or Raymond Chandler have dreamed of a society where spy gear would be dirt cheap and everyone could spy on anyone? The Internet allowed people to be as infantile as they felt like and behind the false security of “being anonymous” some of them made ruthless comments on blogs and comment sections. But anonymity also helped those who were hindered from speaking freely and thus started a war between those preferring anonymity and those demanding civility. Terms such as anonymizers, onion- and garlic routing entered the common discussion. Hacking also grew another worrisome skill: targeted attacks. Remember the attacks against Iran’s nuclear program? At least that’s what I believe it was. Half-Life 2 was delayed because hackers were able to get hold of some of the source code and Sony got whipped real hard as hackers broke into their gaming network bringing the PS3 community to a grinding halt. Google in China…. I could go on… But let’s continue.

The media landscape got its own overhaul when the emerging Internet based media outlets forced the traditional media to step into the virtual realm. We saw Internet giving power to everyone who was ready to grab it before anyone else did. Most of this came out rather well in my opinion, but we also had to contend with hackers, shady businesses, scams, criminals, Nazis and nationalists and of course everyone with the audacity of voicing a different opinion than our own. The Internet didn’t collapse and neither did the e-businesses, proving the strength of human adaptability. We simply learned to be careful and to survive when it wasn’t enough. Some of our experiences were hard earned.

If all this caused democracies to shake in their foundations, the dictatorships sometimes even fell. It wasn’t the Internet that brought them down, but empowered people feeling strength through hope. Hope was also in the air when the United States of America got its first black president, who appealed to the younger audience with his Blackberry and his Twitter feeds. Anyone here who wants to write new lyrics to the Billy Joel song “We didn’t start the fire”?

The release of Apple’s iPhone led to the rebirth of the PDA. Suddenly everyone had a portable computer and calendar that also doubled as a … phone… Google competed with their own operating system for mobiles called “Android” while Microsoft tried its best to keep up with them. Bronze is the second loser. Right now it’s all about the “apps”, you know buying simple software commodities for cheap money to extend the usability of your cell phone or just to make it look even sillier. And it all integrates into the fluffy, furry critter known as the “cloud”. And now we have finally come to the present day and our journey ends for now. Ahead lies the future, but that’s a story for another day.

It pains me to realize that I probably forgot half of everything that has changed the world for better or worse since 2001. And I feel sorry for those innocent people that died in the twin towers as well as for the rest of us that had to feel the pain and fear afterwards. But in all, it has been an interesting ten years that have also held a lot of positive changes. And there has never been any shortage of work for us in the IT-security corner of the IT-world.

TTFN, Erik Zalitis

Tags: Politics, IT-Security, philosophy
Posted 2011-09-14 by Erik Zalitis, changed 2011-09-14 by Erik Zalitis

(2011-07-17) The Fawlty Towers Q-code



I readily admit, I didn't check if someone else has already thought of this. I was pretty sure I wasn't the first HAM to suggest this, but it just popped into my head, so I'm posting it here. Sure enough, it even exists as an official code, but my version is funnier.

First off: what is a Q-code?

In short, it is a set of codes originally used in wireless telegraphy to create shortcuts to many of the common things you needed to ask or inform others about. Most of the codes are questions and answers about radio conditions, frequencies and other important stuff. An example:

QSY? means "shall I change the frequency?"
QSY (without the "?") means "change your frequency to ........."

Of course the last statement is followed by a proper frequency.

Sooooo... Here it is:

QUE? - Do you have any idea what you're doing?
QUE - I have .... idea what I'm doing.

The dots should be replaced with a number on a scale from 1-5. The scale values are:

0 - Que?
1 - no
2 - a feeling I may have an
3 - a faint
4 - fair
5 - an illusion that I have an

0 should not be used, but it will be, believe me.
All values below 2 are always honest.
All values above 1 may indicate that the other station is clueless.
Higher values technically mean the other party should have more of an idea or clue what they're doing. If this really is the case is unclear at best.

The "que?" comes from the character Manuel in Fawlty Towers, one of the best TV-shows ever. Please understand that it's not meant as a racist comment. If you have seen the TV-series, you'll understand that it's clearly not the case! He is one of the more sane people in Fawlty Towers, which when compared with John Cleese's character, doesn't say all that much.

Full disclosure
The code actually exists in real life and is at least a bit funny:

QUE? means "Can you speak in ... (language), - with interpreter if necessary; if so, on what frequencies?"

QUE means "I can speak in ... (language) on ... kHz (or MHz).".

http://en.wikipedia.org/wiki/Q_code

Tags: HAM radio, humour
Posted 2011-07-17 by Erik Zalitis, changed 2013-03-19 by Erik Zalitis

(2011-07-13) Mother Nature's view on security

Why won't we ever get rid of vulnerable software and hardware? What does it take to make everything perfectly secure? Most people I ask those questions respond by saying it cannot be done and I think they’re right. But why do we still act as if there was a way to make all security problems go away?

I think there are a lot of different reasons that cause us to push forward to remove all risks by being “proactive”. To be proactive is thus to solve any problem before it appears, right? If so, why do we need early warning systems to be proactive? Just let that sink in for a moment.

If you detect a problem before it gets critical, you're not really proactive. You’re reactive, but reacting in time. The word “proactive” means to “(…) initiate change rather than reacting to events.” 1) In order to be proactive, you cannot ever look at any values or logs, because the moment you detect that something is heading the wrong way, you're reacting to an event. The only true way to be “proactive” is to be Nostradamus. And his track record is … well … almost entirely wrong.

So, what's the point of this discussion? I’m not trying to discourage early detection of problems or forward planning. Those two factors can really increase reliability and uptime for any system. The problem is that we see any problem “getting through” as a total failure.

Good security involves protecting a system in proportion to the loss a compromise would cause. This is in many of the security books you can read. By implication, a sound security plan accepts that enough resources spent by an attacker will give them a good chance to actually succeed. This also means giving up the pipe dream of never getting hacked or having a system failure.

If Mother Nature applied for the position of system administrator, no one would hire her.

- "So, how would you make sure the network can handle an intrusion?"
- "I would let it happen and let the devices that survive remain online afterwards."

Not exactly what you want to hear from your system administrator? Still, that's how it’s done in reality. When an intruder is successful, smart people learn how it was possible for the intruders to get through and then they adapt their infrastructure to cope with the new situation. And sometimes they still get hacked again, until their security is good enough to stand the test of time. But this cannot last either, because any security stance will weaken over time. So the cycle repeats as long as there are enough dangerous risk agents around. There is a reason risk management plans include terms such as “annual rate of occurrence” and “single loss expectancy”. Security planners actually expect attacks to be successful more than once in the lifetime of an organization. With as little exposure of vital systems as possible, smart and fast detection of attacks, forward planning (this is as close to “proactive” as you get in reality) and reduction of complexity of the systems, you can mitigate your risks. But eliminating them? Please! Not even Mother Nature would try to do that! Instead plan ahead and learn how to survive when it happens while still upholding a good security regimen.

Anyone talking about “zero tolerance” or “proactive security” is either blind or not telling you the truth.

1) http://www.thefreedictionary.com/proactive

Tags: IT-security, philosophy
Posted 2011-07-13 by Erik Zalitis, changed 2011-07-13 by Erik Zalitis
