growse.com

It's as if I've been away all summer.

Thu, 15 Jul 2010 10:16:49 GMT

I'm not very good at this. One of my main reasons for owning a blog is to allow me to look into the past and cross-reference my random distorted memories with some inane ramblings that I was making at the time. For example: I can look back on entries like this one and be reminded of how I felt during most of the 3 years I spent at university. Of course, there is a secondary purpose, which is to keep various people (who I know but don't talk to often enough) updated with what's going on with me. It's like one of those annoying family newsletters that some people send out periodically, but more frequent and less about babies.

Recently, I've rather failed to keep up with my, admittedly low, frequency standard. I shall attempt to fix this for the rest of this year. In the meantime, here's a quick summary of what's been going on.

I'm still buying a house. I didn't think this would be a terribly fast process, but I've been rather unprepared for the horror of how long this is taking. I'm currently giving even odds on being in by Christmas.

I passed my bike test. This is a good thing, even if the actual test process was a complete farce. It's a little disconcerting sitting in the DSA office after the test waiting to be told if you've passed or not, and this isn't made any more comfortable by the fact that your instructor chooses that moment to have a series of arguments with the examiner on subjects ranging from what 'Give way to oncoming traffic' means to the legality of pulling over into a cycle lane. I think the examiner hated me. He still passed me though, mostly because I didn't actually do a single thing wrong during the test. I'm pleased with that. I now need to go shopping.

I've been learning more Java, and have had to make some fairly significant changes to this site. Originally, it was just a bunch of JSPs that called some JDBC on the backend. But then I read about JPA and decided I wanted some of that. So I began yet another rewrite, but this time doing the backend bit properly. In theory, this was a simple job, but I ended up lurching between various persistence providers. I started with EclipseLink, which is the reference standard for JPA 2.0. However, after discovering there were some fairly major features still missing from this, I gravitated towards Hibernate. I didn't really get on with Hibernate - I thought it was a bit backward. I'm sure it's wonderful and very good, it just didn't seem that straightforward to me. Finally, I settled on TopLink, which is Oracle's thing. Surprisingly, this is straightforward, easy to configure, feature-complete, extensible and generally works. Good stuff.

I've got a new job. It involves building stuff. I like building stuff. I'm going to see if I can get the word 'Lego' into my objectives.

I'm off to the proms on Friday! This is exciting for many reasons, one of which is that it's Mahler 8. Every year when the proms schedule is published, I look through to see if they're doing Mahler 8, and they never do (not surprising). This year, they are, and it's going to be great. Long-winded, heavy, but great.

And that concludes the news.

Big things. Very big things.

Mon, 26 Apr 2010 14:44:01 GMT

No updates for a while, life is a little hectic right now with lots going on. Most importantly, I'm involved in a very complex process of house-stalking, which usually means wearing dark glasses and hiding in cafes in small sleepy villages scattered across the country.

I'm a little hazy on the details, but I'm led to believe that I should shortly expect to be frustrated by a combination of estate agents, banks and solicitors before finally emerging triumphant into a new chapter of my life which I shall call: DIY.

On security, IPsec and IPv6

Tue, 23 Mar 2010 12:27:37 GMT

As technical problems go, getting IPsec working properly would usually score about a 7 on my imaginary 1-10 scale of 'things that I think are difficult'. However, for some reason, I found myself dabbling with this very issue in order to solve a particular problem.

I've got a couple of development servers at home, where I do a lot of work for both myself and other people. Occasionally, I need to be able to access these remotely, but keep other people out at the same time. Now, there's a number of different solutions for this, most of them slightly clunky. It did occur to me that these servers are IPv6 capable, and through the use of AICCU I can have IPv6 wherever I go. I had a plan.

What I really wanted was to be able to connect to these servers remotely, over any service/port and have that connection authenticated and encrypted. A full-whack VPN would probably do it, but I've had bad experiences with that. On-demand IPsec seemed a better idea, as that's independent of what the traffic above it is (web, SMTP, etc.).

After some tinkering, I'm nearly there. I'm at the point where I can do on-demand ESP IPsec between a mobile, remote Linux client and a development server, authenticated with x509 certificates. Mostly using IPsec tools and Racoon. What I need to test next is other flavours of Linux, Windows and certificate revocation. Then I'll do a proper write-up.

Ironic vandalism

Fri, 12 Feb 2010 11:31:43 GMT

Those of you familiar with the London Underground will no doubt be aware of the variety of adverts that you get to enjoy as you are ferried up and down escalators. I never really pay them that much attention, but I spotted an amusing thing this morning. There are a number of posters advertising cosmetic surgery, which in themselves are fairly harmless. However, some people appear to have taken offense to these and have reacted by sticking various labels over the top of these ads saying things like "Don't buy this sexist shit" and "You are beautiful. You don't need this". I always thought it fairly amusing that a group of people should use the medium of impersonal and social pressure to rile against an industry that appears to profit from other people's susceptibility to impersonal and social pressure. I'm not sure if it's genius or stupid.

I was idly thinking if there was some sort of concise yet witty retort that could also be stuck up alongside the original stickers. Something like "Ignore the stickers! Be yourself!" written on a sticker and stuck to a poster would be suitably contradictory. As I was musing this, I noticed on the next poster up the escalator that someone had been thinking along the same lines. Their sticker? "It worked for Michael Jackson". Tasteless? Almost certainly. Funny? Yes.

On a different note, this site is now fully IPv6'd up! Hurrah. I mean fully in the actual literal sense, in that all the DNS responses from the root server downwards contain AAAA records. The IPv6 DNS glue is in place and working marvellously.

When things work better than expected.

Mon, 01 Feb 2010 10:46:46 GMT

Since my last post, I've been running a slightly experimental spam filter. The idea being to stop most spam before it gets to spamassassin, which is relatively expensive to run (in terms of resources).

It's been far too effective. As can be seen on SpamWatch, processed spam has basically dropped to zero. It's so idle, it's given up reporting altogether.

Don't panic, because I'm currently devising a brand new way of generating pretty graphs out of the vast array of data generated by millions of malware-infested Windows XP desktops which repeatedly attempt to connect to my mailserver in the hope that they might actually put some gibberish in front of my face that may entice me into spending some money on Viagra. I've a plan!

Spammage. More of it. Loads of it! Yay!

Tue, 19 Jan 2010 10:50:36 GMT

For some reason, my ongoing battle against spam isn't yet fully won. Whilst the current combination of MTAs, counter-measures and cluster-bombs are effective, there's still a few problems.

Actually, there's one specific problem: I don't have enough resources (specifically, memory) to run my spamassassin bayesian filter any more. I'm getting a mail from cron pretty much every day detailing the times at which spamassassin fell over the previous day, mostly due to running out of room in which to manoeuvre. Yesterday, it fell over 5 times.

I've always been interested in the idea of greytrapping and tarpitting mail. Simply put, this is a fairly simple way of detecting spam that assumes that most spammers don't obey the SMTP RFC standard. The greytrapping bit works by initially rejecting all unrecognised From/To/IP Address tuples with a "Try again later" message. Proper mailservers obey this and when they reconnect a bit later get allowed through. Spamming botnets have an aim to deliver as much mail as fast as possible, so tend to ignore this and not bother reconnecting.

The tarpitting bit takes a blacklist and slows down the connection of any blacklisted IP address, basically only allowing something silly like one byte every hour. The idea of this is to use up the resources of the evil mailserver by holding the connection open as long as possible.

The obvious way to do this is to use spamd on OpenBSD. Rather than being an MTA in its own right, this basically sits in front of the MTA and does the above cleverness. It's also meant to be quite efficient, because it doesn't care about the mail body.

Now, I hear you ask, what if the spammer does obey the SMTP RFC and delivers a mail later? Won't they get whitelisted? Well, yes. But this is why spamd on its own isn't a good idea. So I'll be keeping my existing content filtering thingie in place. The nice thing is that the expensive process of looking through the mail content won't happen on every single mail that drops into my mailserver, but only those that get past spamd. This should (in theory) stop it from falling over.

The main problem I have now, is that if I implement this, my spamwatch stats will go all screwy, because there's no real way to know how many spams that spamd rejects (you can deliver multiple mails over a single SMTP session). I'll keep it going, and hopefully there'll be a huge dropoff in the number of spams rejected by spamassassin, because they'll be caught by the spamd filter. It'll be interesting finding out.

Down, then up again.

Mon, 04 Jan 2010 12:27:14 GMT

It's weird how the new year has brought lots of broken things. My internet broke at home, the bike wouldn't start this morning, glassfish crashed, the database server ran out of memory, my phone stopped sending texts etc. etc.

Doom and gloom.

Anyway, I've fixed most of these things by kicking them. For the rest, I'll plough on with the niggling thought in my mind that somewhere in my small corner of the world, something isn't working properly.

At least we've not had any earthquakes.

My life is complete(-ish)

Fri, 11 Dec 2009 12:54:37 GMT

Now, Chopin.

P.S. as the piano mover was hauling it into the room, I mentioned that it was of a particular attachment, given that it was the piano I leant on. He casually mentioned that "his mate, Tim Minchin, had been trying to get him to learn for the past 4 years". Seriously? Tim Minchin?! Not sure if I was being had on. If I were, it's a fairly obscure joke to make...

Perfect timing

Thu, 10 Dec 2009 23:51:21 GMT

Just when I go and rewrite the whole of this site to work on Java and Glassfish, Sun goes and releases v3. Oh well.

Gosh, what? Java? Who?

Mon, 30 Nov 2009 15:04:34 GMT

It's been a while coming, but I've finished the Java-version of this site and deployed it onto Glassfish! Hurrah. So far, it's different in that it's better, faster and less broken. It may brake every now and again though, so if that happens, bear with me. It's rather cunning, because all the messy infrastructure bits (databases, email) are all abstracted away from the code and kept in the app server, so I can deploy the same codebase on as many different environments that I want.

The links page is probably the most changed. It now pulls in my Delicious account. So far, there's only two links on there, but I'll add more through time. It's basically my bookmark list, so it's probably only useful to me. Still, at least it's useful to me.

I'll tinker some more. Maybe I could figure out how to get it to email me when it breaks.