Avoiding DDOS: the PF way

I’ve run a FreeBSD server in my home for six years now. I love the capabilities home servers give you over your bog-standard wireless router – mine, for example, downloads all my POP3 email from various sources, runs it through a Bayesian-enhanced SpamAssassin and filters it through into various IMAP folders (on my boxes, usually Thunderbird or, on the laptop, Mail.app). But you’ve got to be very careful with this, and apart from a front-facing Postfix for email directed at my dynamic DNS domain I have had no regularly open ports. What if I want to access my email from work, for instance?

For this, I’d like to use SSH forwarding; putting the IMAP port through to a local port on the machine I’m using, with the actual data transferred securely over the Internet and where no-one can listen in, even if I’m on some crappy open wireless somewhere. SSH is configured to only accept public key authentication, and to refuse all password access – if you try connecting from a normal SSH client without a relevant key, you get dumped back to your command line with my snidely worded banner, and a “No password access” message. The only public key is in my possession and, of course, is passworded.

Despite this, having open SSH attracts scumbags like paparazzi to Amy Winehouse and the system I use for my firewall (a 733MHz Pentium-III with 256MB RAM) simply can’t cope with thousands of individual connections doing ineffectual dictionary attacks on usernames over Virgin’s 20Mbit connection; it locks up with a massive load average somewhere in the “c”‘s. As an added bonus, this of course eats my “unlimited” download cap during that particular point of the day.

How, therefore, can I balance my security with my convenience? The answer is the same thing I use to do my NAT forwarding, the pf packet filtering firewall.

pf originated with OpenBSD, and was introduced into FreeBSD somewhere around 5.3: I switched from FreeBSD’s own ipfw2 when I upgraded from 4.x to 6.x. As a bonus, pf allows dynamic lists to be built up of IPs that trigger specific rules, allowing for dynamic blocking of SSH offenders.

After my initial “block in” rule in my pf.conf, I define a table:

block in

table <abusive_hosts> persist
block quick from <abusive_hosts>

This defines a list of abusive hosts, traffic from which is blocked without any further discussion (with pf, applicable rules lower down the list take precedence over rules further up unless ‘quick’ is provided, which cuts off further parsing.) You can manually add to this table like so:

pfctl -t abusive_hosts -Tadd <IP address>

Or, more interestingly, you can add to it programmatically. After my catch-all NAT rules, I make a rule to allow access to the local SSH port – with a catch.

pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global)

This allows up to ten simultaneous connections from a particular source address to the SSH port, or up to six new ones from it within thirty seconds. flush kills the states for previously OK connections when it over-runs; global kills all connections from the IP. And the overload rule causes all those things which fail the rule to be pushed into the abusive_hosts table, meaning anything that’s bad and repeatedly connects to my SSH port ends up going straight to null.
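To make the two limits concrete, here is a small simulator of the per-source bookkeeping pf does for that rule. It is an added example, not code from the post or from pf itself: pf’s rate check is a decaying moving-average approximation rather than the exact sliding window used here, so the precise connection on which a source tips over can differ slightly, but the shape of the behaviour (rate trip, simultaneous-connection trip, “flush global” dropping the source’s existing states, the table then blocking it outright) is the same. The addresses and timings are constructed from documentation ranges, and the 24-hour expiry mirrors an assumed cron job running pfctl -t abusive_hosts -T expire 86400, which the post does not use.

```python
"""Toy model of pf's max-src-conn / max-src-conn-rate overload tracking.

Added example; not part of the original post and not pf's own code.
The rate limiter is an exact sliding window for clarity; real pf uses a
decaying moving-average counter, so trigger points are approximate.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 10                # max-src-conn 10
RATE_LIMIT, RATE_WINDOW = 6, 30  # max-src-conn-rate 6/30
TABLE_EXPIRE = 24 * 3600         # assumed: cron runs `pfctl -t abusive_hosts -T expire 86400`


class OverloadTracker:
    def __init__(self):
        self.open_states = defaultdict(set)  # src -> ids of currently open states
        self.recent = defaultdict(deque)     # src -> timestamps of new connections in window
        self.table = {}                      # <abusive_hosts>: src -> time it was added
        self.flushed = []                    # state ids killed by "flush global"

    def _overload(self, src, now):
        # overload <abusive_hosts>: remember the source in the table
        self.table[src] = now
        # flush global: every existing state from this source is killed,
        # not only the ones created by the SSH rule
        self.flushed.extend(sorted(self.open_states.pop(src, ())))
        self.recent.pop(src, None)

    def new_connection(self, src, state_id, now):
        """Outcome for one new SYN: 'blocked', 'overloaded' or 'passed'."""
        if src in self.table:
            return "blocked"  # `block quick from <abusive_hosts>` wins before the pass rule
        window = self.recent[src]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()  # forget connections older than the 30 s window
        window.append(now)
        too_fast = len(window) > RATE_LIMIT                     # 7th within 30 s
        too_many = len(self.open_states[src]) + 1 > MAX_SRC_CONN  # 11th simultaneous
        if too_fast or too_many:
            self._overload(src, now)
            return "overloaded"
        self.open_states[src].add(state_id)
        return "passed"

    def close_connection(self, src, state_id):
        # a state closing lowers the simultaneous count; it does not touch the rate window
        self.open_states[src].discard(state_id)

    def expire(self, now, max_age=TABLE_EXPIRE):
        """Drop table entries older than max_age, like `pfctl -T expire`; returns them."""
        stale = [s for s, t in self.table.items() if now - t >= max_age]
        for s in stale:
            del self.table[s]
        return stale


def run_demo():
    """Constructed scenario; returns the tracker and a list of (src, outcome)."""
    t = OverloadTracker()
    log = []
    # constructed: dictionary attacker fires 8 logins in about 9 seconds
    for i in range(8):
        log.append(("203.0.113.5", t.new_connection("203.0.113.5", f"a{i}", i * 1.25)))
    # constructed: slow scanner opens 11 connections 10 s apart and never closes them
    for i in range(11):
        log.append(("192.0.2.9", t.new_connection("192.0.2.9", f"s{i}", 1000 + i * 10)))
    # constructed: legitimate user from work, one session, then another an hour later
    log.append(("198.51.100.7", t.new_connection("198.51.100.7", "w0", 5000.0)))
    t.close_connection("198.51.100.7", "w0")
    log.append(("198.51.100.7", t.new_connection("198.51.100.7", "w1", 8600.0)))
    return t, log


if __name__ == "__main__":
    tracker, events = run_demo()
    for src, outcome in events:
        print(f"{src:15} {outcome}")
    print("table:", sorted(tracker.table))
```

The point worth taking from the scanner case is that the two limits are independent: a source slow enough never to trip 6/30 is still caught once it holds eleven states open. The other caveat is that the post’s table only empties on reboot, so anyone who trips the limits by mistake (a flaky client reconnecting in a loop, say) stays blocked indefinitely; running pfctl -t abusive_hosts -T expire with an age in seconds from cron, or a manual -T delete, is the usual way to let entries age out.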

And this works, too. Using the pfctl command, you can view the contents of the table. I’ll pass it first through awk to remove the spacing, which helps when piping on to xargs, and then through “wc -l” to get the line count:

orpheus# pfctl -t abusive_hosts -Tshow | awk '{print $1}' | wc -l
      22

Removing ‘| wc -l’ gets you a list of IPs, and putting ‘xargs -n 1 host’ there instead gets you a list of the hostnames associated with each of the IPs which can give you an interesting picture: at least a couple of them right now are IPs on American cable modems who are almost certainly compromised home users.

That’s twenty-two abusive hosts who’ve met my SSH blackhole since I last rebooted my machine, who would otherwise have been a problem: pfctl -sr -v (which is sent to you in your nightly root emails) tells me that right now I’ve blocked 5.3MB of unwanted traffic from these hosts since I last rebooted 18 days ago, and I’m sure I’d have got much more if they hadn’t started getting nothing but silence from my machines since the point of blocking.

I’ve found this immeasurably useful for increasing my box’s uptime and overall reliability, which helps prove that a PIII type machine is still good enough for quite a lot of things. And if you click the link to read further, I’ve posted my complete (and only slightly altered) pf.conf for anyone’s interest.


Pillocks on 606

Whose smart idea was it to put up 606 message boards on the Sol Campbell racism controversy without once, as far as I can see, actually describing what the hell happened anywhere visible? The only people to actually report what was being said are of all people the Daily Mail, and The Guardian has a description of the chant as used in 2006. It’s all way beyond the line – a combination of homophobia (aimed at a straight man!) and lynching references in a song based on “Lord of the Dance” and a jolly chant along the lines that he’s a black guy who likes it up him.

Usual stupidity here, but good to see it called out for once – Croatia only got fined £15,000 for full-on racist chanting at the England team, despite their long history of such things. Message boards on things like this are invariably filled with “anti-PC” bores, idiots and occasionally someone with sense. Sometimes it’s worth deconstructing, so what are the shining wits (sic) on 606 saying?

comment by sandcastlejim (U7681251) / posted Yesterday

it’s just a bit of banter – sticks and stones and all that. the world has gone soft.

Uh-huh. Sticks and stones may break your bones, but threatening a footballer with lynching and AIDS (not necessarily in that order) because he left your team on a Bosman seven years ago after saying he wouldn’t is perfectly A-OK. Got it. Right.

You are a moron, aren’t you?

comment by With Big Phil We Must (U7876572) / posted 8 Hours Ago

does anyone think that the media and football clubs are becoming a bit too Feminized ?

i mean football has always been like this maybe its deemed as racial but if a former club cant give an ex player stick then whats the point goin to a game ..its all about Banter a release from pressure of work/home going to a game its for fun and enjoyment
In this matter i think people are being too politically correct and as hard as it is for me to say i think Sours fans did nothing wrong …and nothing more abusive than most teams fans give to old players who left to join a hated rival

You wont be able to cheer a goal soon

Or at least I hope that you won’t. And it’s “feminised”, at least if you’re not American; it doesn’t have a capital and it doesn’t have a “z”.

And that’s a really poor insult, too. “The worst thing I can say about you… is that you’re like a girl! GIRL!”

comment by Deadly Ledley (U2941764) / posted 3 Hours Ago

the lord of the dance song isnt racist

if the player was prepared to sell out his own fans, he should be prepared to take the backlash. By responding like this, he has shown that he has a fragile mind and can’t handle the boo boys

Oh dear. This one’s a snide reference to the man’s depressive episode in early 2006. How low can you go?

Actually, why should I even bother? They’re really condemning themselves. The real pillocks here are the BBC for opening up a message board where no useful Internet discussion can ever be achieved (see also Have Your Say, scotsman.com and any long thread on Comment Is Free.) The others are just attracted to it.

And you thought they were Communist

When China’s design for the opening ceremony comes straight from the same chauvinist impulse that brought us Paris Hilton, Zoo and Nuts, My Super Sweet 16 and The Swan:

A pretty girl who won national fame after singing at the opening ceremony of the Olympic Games was only miming.

[…]

But the singer was Yang Peiyi, who was not allowed to appear because she is not as “flawless” as nine-year-old Lin.

The show’s musical director said Lin was used because it was in the best interests of the country.

BBC News, “China Olympic ceremony star mimed” (12th August 2008)

Now, if this had happened at an opening ceremony in a less authoritarian country, they’d have said “the best interests of the Games”, but it would otherwise have been an identical reaction. We can’t have anything imperfect, after all; bad for the sponsors. Could be embarrassing.

Wouldn’t it have been so much better if it was imperfect? That’s what we should have for 2012; we shouldn’t try to do an outrageously expensive media spectacle that’s likely to go wrong and fall flat, we should do something from the heart that if it goes wrong it just seems more endearing. The Eddie the Eagle of opening ceremonies, rather than the Terminal 5.

Why not, anyway? It would be better than telling a nine-year-old that she can’t sing for the country because she’s apparently got crooked teeth, and that she’ll have to go without the credit for her own skill while the front gets all the headlines. It is a disgusting attitude, isn’t it?

I’m speechless

The Media Guardian “Media Monkey” section (may need free registration) reports on the ‘Shaftas’, a negative award ceremony for the worst sort of hack…

Heat magazine won worst magazine of the year for their infamous tasteless stickers stunt.

This was a sticker featuring a picture of Katie “Jordan” Price’s profoundly disabled five-year-old son with the insignia “Harvey wants to eat me!”. This was so amazingly dreadfully out of tune – and, what’s more, widely reported – that Heat were forced into apologising. Words cannot describe how uncommon an event that is.

Media Guardian then however report an incident that didn’t make it to the press at large, unless you’re a reader of Loaded “magazine” (a publication that, all else being equal, should have been snuffed out at birth):

But they failed to show up so the award was given to Loaded instead for the magazine’s “110 birds we’d like to bone” feature. Even the hardened Shaftas audience shook their heads at Loaded’s inclusion of Kate McCann in this list, with a caption which read: “Sensitive one this but there’s nothing more erotic than a pained woman in need of some good lovin”. Hmmm.

Hmmm is about right. “Sensitive one this”? Kate McCann? That’s gall. That’s so amazingly tasteless I’m actually mostly speechless. Even most b3tans won’t go down to that level, and those that do at least are usually trying to be funny rather than creepy.

And that is creepy. It’s practically on ‘sick stalker’ level.

Loaded editor Martin Daubney bounced onto the stage to accept the award, saying: “I would love to blame a reporter but I wrote that myself.” After it was pointed out that made him a “truly dreadful human being”, he countered: “And I’m paid for it.” Monkey predicts future Shaftas greatness for this man.

Why do people buy Loaded magazine anyway? It’s not even very good porn, and it’s obviously from this not at all funny, so why bother?

The rest of the awards are interesting, bashing Richard Desmond and the usual suspects; worth a look.

For your convenience

A little frustrated right now: not only have my Radiohead tickets been held by Special Mail Service (the people who posted my passport to the wrong address a few years back) with the reference number I need to arrange redelivery spoken once by an automated voice over my mobile with no pen handy and no physical evidence they’ve been, but I’ve got a parcel from an online vendor sent through Initial Citylink which they failed to deliver.

I didn’t get carded, but a check on the tracking system told me that the parcel had attempted delivery; I call Citylink and they tell me that they don’t card in “secure” doorways (although mine isn’t very secure, and neither FedEx or Royal Mail have a problem carding me at all). This wouldn’t be a problem normally because Citylink open their depots quite late and I expected to be able to quickly go to the one at South Gyle (a number 22 bus away) and pick it up.

But there isn’t a South Gyle depot; it closed two months ago. They’ve moved to Livingston. As if that’s efficient for the Edinburgh area; it makes it inaccessible to anyone without a car or a tolerance for long, roundabout journeys on First Bus. And since I’m at work all day and since Citylink won’t change my address over the phone to my workplace my best hopes of getting the parcel are leaving it with my neighbours, which I’ve gone for as the least worst option.

There was an article in the Guardian business section yesterday about Citylink making large losses and dealing with it by… closing depots. Which will make people hate them more and try even harder to avoid them. I certainly won’t make the mistake of buying computer kit from a Citylink-only vendor again; and that without a bad experience before.

(And Radiohead, why SMS? You know they suck from the discbox experience; mine took way over a week to get here. Why continue with them? Why?)

Rock Band pricing takes ripoff Britain to a new dimension

Rock Band is going to cost £179. £179. It’s $169 in the States for an identical package, that is to say £85. No way that VAT can explain this one.

I was actually considering buying an Xbox 360 and Rock Band was one of the main reasons. Paying £100 to Electronic Arts’ special party fund means that that pretty big reason has now been taken away. They won’t have a good explanation for this either, I’m betting…

When asked why the game will be so much more expensive in the UK than it is in the US, Kay cited VAT and the higher price of consumer electronics generally. “These are definitely not excuses so much as contributing reasons,” he stated.

“I can’t talk to the explicit pricing – how it gets split down between retailers and distributors and the whole chain – because I don’t actually know that much about it.”

In other words, no.

If this actually happens…

Virgin Media can get fucked. I am not having every web site I visit sent to China so some server can send back ‘targeted’ advertising, “anonymous” or no. It’s effectively unavoidable, ISP level spyware with a crap “anti-phishing” (read DNS hijacking) justification. The first thing I will be doing if this happens is getting a BT phone line installed and any non-BT ADSL ISP that doesn’t subscribe to this shit, probably Be.

This is of course assuming that this is even legal, and if it is it shouldn’t be. Who the hell thought this was a good idea, and why the hell haven’t they been fired already?

Edit: See here, here, here and here (the latter two contain a lot of great detective work about how dodgy Phorm actually are.) Let’s hope resistance isn’t futile on this one.

A mainstream attitude

So the nominations for the NME Awards‘ Villain Of The Year category are:

  • George W. Bush
  • Tony Blair
  • Gordon Brown
  • David Cameron
  • Johnny “Razorlight” Borrell
  • Amy Winehouse.

Exactly what has she done to deserve this? All she’s done is have a breakdown while having the indignity to not totally submit to everything the paparazzi want to do to her. Not that it matters, of course, because Bush will win just as he’s done every year since 2003, but it’s the principle of the thing. Of course, the NME love dealing in pap photos of her, so I can guess whose side they’re on…

The Hero Of The Year list features a guy named Ryan Jarman, who in a first for me with current musicians I actually had to Google. He’s the singer in the Cribs, so I think that pretty much decides how hopeless this list is; worse, he said this:

“The mainstream attitude of indie bands today is a bigger problem than global warming”

meaning that indie bands shouldn’t actually try to make, you know, interesting music – an “indie” attitude in NME terms isn’t about how many copies you sell, it’s how many XTC riffs you can rip off in a much less appealing way without any form of originality or tune.

Half the awards are sponsored, too – very indie. The live act award is of course sponsored by Carling, whose brand is on what’s possibly the worst toilets in Glasgow (at least that I’ve had the misfortune to use) and the Best Video award features only one interesting video (Justice’s “D.A.N.C.E.”). Best Album Artwork is abominable. Many of the artists in the Worst Band award could do with being swapped with the Best Band award; they’d look about the same (you can keep the Hoosiers though).

If you want to vote on this tawdry excuse for an awards show you have to give IPC (that is to say Time Warner) your address and navigate a whole bunch of this-is-opt-in, this however is opt-out check boxes. Privacy invasion much? They can go please themselves; I certainly won’t.

Idiots at the BBC

This news article on a recent parenting case is alright in itself, but falls apart in two respects.

The only weblinks it provides in the related links section are to “father’s rights” organisations, one of which is the infamously horrible Fathers 4 Justice, a bunch of people whose favoured tactics for gaining support were dressing up as superheroes and scaling public buildings, performing occasional security breach stunts and committing serious vandalism on family court offices. (As an aside, I don’t link to their Wikipedia article here as I usually would do because it’s very very poor. Even for Wikipedia. You have been warned.) This should at least be balanced by a link to someone who’ll actually tell the truth rather than just ill-informedly rant. They’re also given far too much time in the article itself.

Worse, the “Have Your Say” boxout, giving a sample of the latest drivel from the BBC’s should-have-been-shut-down-years-ago comments section, currently has a quote from a “Jon” interspersed with the actual article:

So I presume the mother will expect the state to be paying for the childs upkeep, instead of the father!

The article itself, however, points out that

[The woman] said she wanted the baby girl, who is now 19 weeks old, adopted at birth without the knowledge of either them or her father.

So no, Jon, she bloody well doesn’t, you presume wrong, you’re a woman-hating berk who believes all that Fathers 4 Illiteracy tell you about the family courts system and whoever picked that entirely wrong quote out from the Have Your Say Fascist Wannabe Comments Pile should really think about what bias actually means the next time they do such a thing; the place where the comment quote is positioned makes it look a lot like an actual quote from the story, which is way wrong.

Besides, it’s worth pointing out the context of the story: the woman is an adult. She lives on her own. Why should a court anywhere in Britain even consider forcing her to tell her parents (which is how it got to the Appeal Court for this ruling), which we can assume from the context to be something that would cause a massive amount of embarrassment or possibly serious repercussions? That they would decide to do so is in itself worrying; this appeals decision, on the other hand, is probably the right one for everyone involved, hence why the F4J crowd think it’s wrong. Still, can’t win ’em all.

Edit 26/11/2007: Also note this much better Guardian article, with the detail that the idiot local authority actually wrote to the woman’s parents by mistake and without half the article taken up by comments from pressure groups.