The Life of a Sysadmin

I just love clever network hacks.

Speaking of which, I think I'm going to ask my boss if she'll send me to LISA. I didn't realize I had sysadmin heroes 'til I started looking at the program: Æleen Frisch! Michael Lucas! Tom Limoncelli (who's working at Google now, natch)! W. Curtis Preston! But also Dan Fucking Kaminsky, that's who:

I like big graphs and I can't deny...You other hackers can't deny...when a packet routes in with an itty bitty length and a huge string in your face you get sick...cuz you've fuzzed that trick...

...who's going to be presenting the results of a worldwide SSL scan among lots of other stuff.

I think it'd be great to attend, but it's a long shot. Wish me luck.

Thank you to our sponsors for the title.

Good news: I'm going to LISA! I convinced my employers to heavily subsidize my trip. I've booked a double room at the hotel; I'll be posting to the roomshare mailing list shortly, but feel free to comment or email if you wanna split the cost.

Bad news: I somehow borked X on my desktop at work yesterday. The symptoms are quite strange, and mostly involve not being able to click on a window and have focus move there. It's IceWM, and I haven't changed focus model, and the symptoms persisted over multiple restarts of KDM (ctrl-alt-backspace). I looked for open files, running processes and even removed .gconf* and .gnome* on principle; nothing. The only thing that was different was running, for the first time, the new(ish - 1.5.0.2) version of Firefox after d/l it from the Mozilla site. The machine is running SuSE 10, and for various reasons I can't update it right now. In the end, I got desparate enough to try a reboot, and of course that fixed it...which is NO FUCKING WAY to solve problems, dammit.

(Interesting how this pokes holes in my manly command-line-only stance; yes, I was able to get some work done by going to the console, but frankly I've become very very used to managing terminals and a browser with IceWM and it's hard to switch back. Damn.)

Weird news: A while back I came across a problem with a Solaris 10 machine: lpq just hung, and eventually timed out with an error (that I haven't written down, so I suck). Eventually figured out it was trying to contact the lpd service on the machine's main interface (handwave goes here about BSD-compatibility printing commands), which should've been run by inetd. Okay, but inetd is now taken care of by inetadm and svcs, not /etc/inetd.conf anymore. And while the command is called in.lpd, it's actually called svc:/application/print/rfc1179. Which is in maintenance mode, so start it up only it doesn't and I cannot figure out why: no log files I can see (the scattering of log files in a default Solaris install is really driving me nuts), no reason given, nothing. I ask another sysadmin who admits he's stumped by it but just for fun tries putting in an entry in /etc/inetd.conf and then running inetconv, the way you're not supposed to have to do except for weird legacy stuff that hasn't been moved to svcs yet. And damnitall, it works. Again, no idea why.

And that is it for now. I am tired beyond belief, having moved up my annual snifter of port from Xmas to go out with coworkers last night. I stopped drinking at 7pm and I'm still tired today. Pathetic. Arlo would be so disappointed in me.

Jackie, you yourself said it best when you said

 There's been a break in the continuum 

The United States used to be lots of fun... 

"Jackie", The New Pornographers 

10am CST: Welp, I'm in the air on my way to Chicago, and from thence to Washington for LISA. The laptop is running well (stress-tested by Sloan, The New Pornographers and Yo La Tengo), and I'm using my time to skip watching "Lady in the Water" (not how I want to see this film for the first time) and work on AsciiDoc. I think this is going to work pretty well for my plan: to start having my blog in just plain text for source, and plain HTML for output. I like it a lot, and the less PHP I have to audit the happier I am. (Not that I *do* audit PHP. But I feel guilty when I don't.)

Turned out I was rather stupidly cautious at the airport. The flight left at 6.15am PST, and I was there at 3.45am. What I didn't realize is that the ticket counter didn't open til 4.30am, and customs not til *5am*, thank you. But once they got started, everyone moved along pretty quickly.

I did get pulled over for extra searching, but nothing serious: where was I going, could I open the bag, where do I work. Once that was done, the officer was quite friendly; he urged me to take time to go see the sights, since work was paying for this. I expected worse.

But man, I don't know when I'll have the time. Training starts tomorrow with a full day of Solaris 10, and it just keeps going from there. Plus, of course, there's the free beer and ice cream. The time, she flies, no?

I need to get a haircut. I haven't shaved my head in two weeks, so I've got a damned dirty commie hippie head of hair at the moment.

Wow...over somewhere midwestern now, and the patchwork of land is neat to look at. Not half as beautiful as a city at night from 3000 metres, though...man, that's God's own set of Xmas lights.

12.30pm CST: Later...In O'Hare at Chicago, taking advantage of the free electrical outlets for charging laptops. The wifi access is charged-for, though, same as in Vancouver. And me without OzymanDNS...

10.20pm EST: Now in my hotel room. No wireless from USENIX up here, but it does work in the lobby where there's simply an amazing amount of very dressed-up corporate types. I think it's some sort of Xmas party. The contrast between them and the t-shirts-and-jeans crowd (not to mention me typing away alone on my laptop) is stunning. (Incidentally, my grandmother was both shocked *and* appalled to learn that not only was I not purchasing a new suit for this conference, I would not be wearing a suit at all.)

My luggage, I found out after an hour of waiting, is currently wending its way here from Chicago; I imagine some sort of Die Hard 2-esque leap across the tarmac that failed, but only barely. Allegedly United expected it here at 7pm and will courier it over Real Soon Now. We'll see.

By the time I finally made it to the hotel and checked in, it was 6.30pm . It had been a long time since I'd had anything but Mountain Dew (SPECIAL CAFFEINATED US VERSION!) to eat, so I was just starving enough to go for the -- wait for it -- $13 (US!) cheeseburger in the lobby. That and two Guinesses pretty much blew my budget for the week; at this point, I'm looking into the carb count in a BSSID beacon frame. (Yes, I'm making that term up.) Worth it, though; my roommate and I exchanged war/horror stories with a Sony engineer/sysadmin from San Francisco over the beer. Good times.

I'm pretty sure I saw Aeleen Frisch in the lobby. I think I saw William LeFebvre, the program chair, at the airport picking up baggage from the SAME BAGGAGE CAROUSEL where my stuff was supposed to be. There's this thing called USENIX bingo, where they give you cards with organizers' photos in it and you're supposed to get them to sign it. I think I'm going to tackle LeFebvre and ask him where my underwear is, then get him to sign my card to affirm that he didn't steal it.

I have not yet seem Tom Limoncelli, and I wouldn't recognize Dan Kaminsky if he queried my DNS server via avian carrier, so my plans to see what they've done with my underwear are, as yet, hazy. If my underwear doesn't show up, I may have to go shopping. I think the nearest Wal-Mart is in Tennessee.

As we sift through the bones of an idol

We dig for the bones of an idol

When the will is gone

'Cause something keeps turning us on

"Bones of an Idol", The New Pornographers

Today was Solaris 10 Administration, an all-day course that introduced all the nifty features of Solaris 10. I've only worked with Solaris since July, but I've been reading so much about Solaris 10 that most of the stuff presented (dtrace, SMF, zones) was familiar to me. OTOH, the course was aimed at admins of older versions of Solaris (2.veryearly through 8 and 9), and so the explanation of the differences assumed a lot more familiarity with Solaris than I had. It was a curious sensation.

Still, though, it was worth going to. Good quote: "Oracle DBAs are the most Kool-Aid drinking people I've ever met." And another: "Zones are the most controversial thing we'll be talking about today, and spending the most time on. I saw someone carrying two cups of coffee -- that's the right attitude." Also, Bill Lefebvre, the man I was going to accuse of stealing my underwear, wrote top(1).

Oh, and it's a good thing I brought a second wireless network card; the onboard one in the laptop kept dying, with an entry in syslog that read "fatal firmware error". Now I've got an Orinoco Gold in here, and it's working just fine.

Met a sysadmin today who works in the VOIP department of a phone company; they've moved most of their stuff from racks and racks of old-style Alcatel equipment to one rack of Solaris machines acting as soft switches. I was curious about the difference in reliability and uptime; my understanding is that the demands on telecom equipment are worlds above anything that can be provided by COTS Unix, and asked him how it worked for them.

He said that, yes, you'd get situations where a phone call would be delayed because of a system crash: instead of taking one second to connect, it might take two or even three. And if that was anything beyond a small fraction of their customers, that would be a big problem. However, the soft switches had much better failover ability than the old stuff; the old stuff would be up much longer, but when it failed everything would cascade and the whole system would come tumbling down, at which point a customer would hear "Your call cannot be completed as dialed."

Met another guy who was very excited about ZFS, because of an app at his work that writes 4 TB of data in individual 4 KB files. The best they've heard from their current storage vendor of choice is a block size of 8 KB...which means doubling their storage requirements just to deal with filesystem overhead.

I had alligator jumbalaya. It's official: it tastes like salty chicken.

Two sips from the cup of human kindness, and I'm shit-faced

Just laid to waste

If there's a choice between chance and flight,
Choose it tonight.

"Choose It", The New Pornographers

Just got back from a whirlwind walk from the Lincoln Memorial to the Washington Monument to the White House. Beautiful, all of it...though a) the White House is small and b) there was something being filmed/videotaped in the courtyard, which made me think of Vancouver.

Training again. AFrisch was good, convering Cfengine quite well; would've liked to see more info about expect. (Apparently there are Perl/Python bindings...I had no idea.) Afternoon course was "Interviewing For System Administrators" by Adam Moskowitz and that was great -- lots of things I didn't know, lots of tips on doing it better next time.

Saw Tom Limoncelli in the hall during a break. Managed to restrain myself. I have the reputation for quiet restraint of a nation to uphold.

Very tired now. Time to go get beer.

What the last ten minutes have taught me:

Bet the hand that your money's on

"Letter From An Occupant", The New Pornographers

Attended my first BOF last night on wikis for sysadmin documentation -- amazingly fun and informative. I even managed to contribute to the conversation. And when I told the war story about recovering my wiki from spammers (that's right! because PHPWiki sucks!) I got a gratifying look of sympathy from the audience.

Today's talk was "Habits of Highly Effective Sysadmins". It was aimed at folks like me who've been mostly self-taught, and I thought they hit the mark extremely well. (I've heard lots of people here say that they'll go see anything put on by Lee Damon or Mike Ciavarella just on principal (principle?).) Very, very informative and great teachers, too.

I found out today that Tom Limoncelli's name is pronounced "li-mon-sell-ee", not "li-mon-chell-ee". W/luck, this will save me embarassment later.

Tonight the BOFs start in earnest, including the one that offers free beer and ice cream. Sadly, I will be attending the one on pet counting instead. I will die a little bit inside.

Cities and circles drawn perfect, complete

These are the fables on my street, my street, my street

"My Street", The New Pornographers

Okay, my (lawyers, please note) TOTALLY ACCIDENTAL stalking of Tom Limoncelli continues. I met another sysadmin from Boston (who, BTW, is into LISP. Call that accidental? 'Cos I don't) (alsoplus he's the third guy I've met from a small shop, which is damned reassuring in a conference full o'people from multi-continent corporations/teams) who invited me along to the LOPSA hospitality room. I talked to David Parter from LOPSA about why I should join. He also gave me the sad news that the Burritos-as-big-as-your-head place in Madison, WI is closed. Noooooo!

Nice bunch of people, who'll probably be getting a membership fee from me post-haste. Totally unrelated to the free beer. I met a guy from a Scandinavian hosting company that has, like, 300,000 domains (!). We talked about spam for a while, and PHP's ability to include files remotely (he's a big fan. Oh, wait, no) ("When I meet the guy who put that in..." "You'll punch him in the cock?" "Oh, that's just the start of it."), and Perl vs. C vs. LISP vs. Dvorak keyboards vs. I don't know what all.

And who else is in the room AND stared at my badge trying to figure out who the hell I was? That's right, Tom! Still no chance to lean over casually and say, "So I hear Google's trying to figure out what to about TCP scalability bringdown. 'Cos, like, my enterprise-fu PHP taint mode will totally nebbish your gubbins. Scalable. Solution. Moving forward. Come back!"

Also went to the: Free Beer and Ice Cream BOF, PGP/CACert BOF, and the Bash scripting BOF. Last challenge: using Bash built-ins only, check to see if a given TCP port on a given host is open. Welp, I did know about Bash's built-in /dev/tcp/host/port, but totally foundered on syntax. We were told to email our scripts to polvi.net...which sounded familiar, and it should, 'cos was Alex Polvi, who works at Oregon State University Open Source Lab, they who provide bandwidth to such as Gentoo, Mozilla and Kerneltrap. At one point, a few friends of his came in and sat down close to where I was, and he came over and talked to them during one of the challenges. "I think everyone would get freaked out if they knew a Google recruiter was here," he said, laughing. Worked for me.

And, BTW, I thought I was at least quarter-decent at Bash. Hah! It is to laugh.

To wild homes we go,

To wild homes we return,

To wild homes we go.

"To Wild Homes", The New Pornographers

This morning was the keynote address by Cory Doctorow on "Hollywood's Secret War On Your NOC". Excellent stuff...lots of stuff I was already familiar with, but some specifics that were incredible and/or funny:

• "Nobody puts a rootkit on media you get over eMule. That only happens if you're dumb enough to go into the store and plunk down $15 for it." (Cute quote, but arguable.)
• "Small tip: If you want to improve your Star Wars: Episode 1 experience, switch the language to Italian and pretend it's opera."
• Comcast PVR: apparently, Comcast pushed a patch that deletes already-recorded material two weeks before the DVD is due to come out. Must track that down.
• "Nobody sets the security slider to less."
• Casting the DRM debate in terms of hardware that treats its user/owner as an attacker.
• EULAS: "agreements you've agreed to by moving through time or space" ("by entering this building, you agree...")
• "The WIPO has the same relationship to dump copyright laws that Sauron has to evil in Middle Earth." (The man knows his audience.)
• Turning down an engagement at Disney to speak to their execs about DRM. Why? Because at the last minute, he was given a EULA containing a clause that said "You agree to never use the word 'Disney' in print again." When he asked about this, he was told not to worry, as they'd almost certainly never use it.
• When he and a bunch of other NGO reps got access to WIPO meetings, they naturally published their notes twice a day on websites. This was in sharp contrast to the official WIPO minuts that a) took 6 months to come out, and b) had been vetted by everyone involved, giving them a chance to retract anything they didn't want to have on the record. Very shortly, various government reps started getting calls from their capitals saying, "You agreed to what?" When their replacements showed up, they had read the unofficial notes -- they were more timely, and more useful, than the official minutes.

Must Google:

• Owner-override model for DRM that makes it more user/owner-friendly.must Google.
• World of Warcraft -- URL/content trading in speech bubbles to get around the Great Firewall of China.

Whew! Met up with the Boston sysadmin again, and I pointed him to Windflower -- he's a small enough shop that it may actually be useful for him. Good stuff. Picked up a ribbon that said "Blogger", another that says "Newcomer", and a third that says "Usenix Baby" for Arlo.

After that came technical papers on spam. First up was a paper by Brent Kang et al. on Privilege Messaging (FIXME: Add link). Third-hand, but: allegedly, as of last year, phishing is making more money than drug smuggling. A cite would be really nice for that, but he didn't have one. He also mentioned a recent paper (again, need cite) showing that spam coming from Gmail accounts (not forged, but real accounts) had rised from 1% at the start to 10%...interesting to think of how that might indicate a failure of friend-of-a-friend. OTOH, maybe that's an indication of success of FOAF, since...

...the next paper, on the experience of an Italian research network, showed that their percentage of legit mail (not caught by the spam filters) had, over the last few months, gone as low as 8%. That's fucking incredible. However, he's having excellent results with Bayes and SpamAssassin, so maybe there's some hope.

After that was "A Forensic Analysis of a Distributed Two-Stage Web-Based Spam Attack" by Daniel Klein. Very interesting: showed how regular monitoring of his systems and looking at the graphs it produced let him notice -- the second time it happened -- a very subtle attack that let 5,000 messages go out the door because of a subtle, simple CGI bug. As at least some (and probably most) of the attacks were through web proxies, I asked him (knees knocking; I was very nervous) if he thought it would be worth looking for this sort of traffic, or this sort of traffic on certain pages. He pointed out that actually, this sort of traffic -- distributed, small requests, high in numbers -- was exactly what you wanted from a website, so it was extremely hard to analyze as it happened.

After that, I talked with Noah, a Debian security guy and senior sysadmin at MIT's Artificial Intelligence lab. ! We talked about spam, getting depressed about DRM (him) vs spammers (me), and moving the AI lab to a new building after 40 years (me. no, wait). Very interesting stuff, and a good guy.

The afternoon was taken up with data closet/centre setup training. Very, very good stuff once everyone got talking -- the slides were 'way thin, but my notes filled the rest of the book. Since I've learned what I know about this by making mistakes, it was good to think of maybe shaving a mistake or two off my list from the future.

And then...then the vendor exhibit. Beer (yay!), Budweiser (boo!), and a chance to pick up the cable modem hacking book from No Starch Press' table. I also got a chance to talk with the FSF folks, up/down from Boston, and pick up a t-shirt. No luck convincing a fellow attendee to join, but I'll keep working on him. Splunk had the best booth babes (or so I heard), but Google by far had the most people around their table. Interesting.

Now off to the BOFS. Quite looking forward to the one on life at small shops.

You looked as though I'd picked your name out of a hat

Next thing I know, you're fast asleep in someone's lap...

"The Bleeding Heart Show", The New Pornographers

Small shops BOF is coming up tonight, not last night. Wednesday's BOFs were:

• Should you roll your own config tool? I was actually looking for Tobias Oetiker's (!) (who received an award here for MRTG and RRDTool, and who I nearly tripped over at lunch yesterday) BOF on his tools but wandered into this one by mistake. I left after a few minutes, as a lot of the concepts were over my head. A shame, because apparently I missed a big discussion between Luke (puppet), the bcfg2 devels and (if I remember right) Mark Burgess (cfengine). Mark Burgess lost the fight and committed seppeku, with William Lefebvre as his second. Blood everywhere. USENIX is gonna lose the damage deposit for sure.

• Splunk: Someone directed me here because this was where the beer was. Again, all that was left was Bud (Lite). Splunk isn't really my bag, although the guy I've met who's gotta deal with 50GB of logfiles a day (or some such) was quite interested.

• LOPSA: Interesting, not least because someone else asked the question I was afraid to: What the hell is up with LOPSA and SAGE? Short answer: SAGE is about advancing the profession (research, training); LOPSA is about advancing you (professional development, support, fellowship...). Long answer: politics and tax laws.
• Streaming media at universities: Seven people including me. Everyone else was streaming terabytes of data with multiple servers; I wasn't. That was pretty much it.

Sound of tires, sound of God...

"Electric Version", The New Pornographers.

Thursday morning came far too early. My roommate offered some of his 800mg Ibuprofins, and I accepted. First thing I attended was the presentation "Drowning in the Data Tsunami" by Lee Damon and Evan Marcus. It was interesting, but seemed to be mostly about US data regulations (HIPPA/SOX et al.) and wasn't really relevant to me. I had been expecting more of an outline of, say, how in God's name we're going to preserve information for, say, a hundred years (heroic efforts of the Internet Archive notwithstanding). There was mention of an interesting approach to simply not accumulating cruft as you upgrade storage (because it's easier than sorting through to see what can be discarded; "Why bother weeding out 200MB when the new disk is 800GB?"): a paper by Rhadia Perlman (sp?) (she of OSPF fame) that proposes an encrypted data storage system combined with key escrow that, to expire data, simply deletes the key when the time is up. Still, I moved on before too long.

...Which was good, because I sat in on Alva Couch's presentation on his and Mark Burgess' paper, "Modelling Next-Generation Configuration Management Tools". Some very, very confusing stuff about aspects, promises and closures -- confusing because the bastard didn't preface his talk with "This is what Hugh from Vancouver will need to know to understand this." (May be in the published paper; will check later.) Here's what I could gather:

• System administration could be described as the Pinky and the Brain problem: "What are we going to do tonight, Pinky?" "Same thing we do every night, Brain: try to take over the world!"
• IOW, the problem is too big -- and in the meantime you have all these competing theories (aspects from Luke/Puppet (I think), promise theory from Burgess (which I had heard about) and closures from the bcfg2 people) that need to be integrated, but currently aren't.
• Many tools model/modify configuration, not behaviour -- and implicit in there is the (unproven?) assumption that correct behaviour emerges from correct configuration as if by magic. There is no understanding in cfengine of outside forces.
• A promise, in sysadmin terms, is promise to do something. For example, an NFS server promises to make certain files available over the network. A client mounting a disk from the server promises to access some of those files.
• Closure is the whole of the problem: in the case of the NFS server, it's DNS plus routing plus mountd running plus nfsd running plus proper ACLs (which I only found out at this conference that nearly everyone pronounces "ackles" rather than "ay see ells").
• His model: closures encompass promises encompass aspects. By dividing up the problem this way, you no longer have to take over the whole world.
• His model accounts for site policy by designating it a soft aspect.

I will do the right thing and read his paper, and I may update this later; these are just my notes and impressions, and aren't gospel. Couch is an incredibly enthusiastic speaker, and even though I didn't understand a lot of it I ended up excited anyway. :-) He gave another talk later in the week that Ricky went to, about how system administration will have to become more automatic; as a result, we'd all better learn how to think high-level and to be better communicators, because more and more of our stuff will be management -- and not just in the sense of managing computers. I'm going to seek out more of his stuff and see if it'll fit in my head.

After the break was a talk on "QA and the System Administrator", presented by a Google sysadmin. I went because it was Google, and frankly it wasn't that interesting. One thing that did jump out at me was when he described a Windows tool called Eggplant, a QA/validation tool. It has OCR built-in to recognize a menu, no matter where it is on the screen. This astounded me; when you start needing OCR to script things, that's broken. I don't doubt that it's a good tool, and I can think of lots of ways that would come in handy. But come on. I mean, a system that requires that is just so ugly.

I went out to lunch with Jay, a sysadmin from a shop that's just got permission from the boss to BSD a unit-testing program they've come up with for OpenBSD firewalls: it uses QEMU instances to fully test a firewall with production IP addresses, making sure that you're blocking and allowing everything you want. It sounds incredibly cool, and he's promised to send me a copy when he gets back. I can't wait to have a look at it.

After that was the meet-the-author session. I got to thank Tom Limoncelli for "Time Management for System Administrators", and got an autograph sticker from him and Strata Rose Chalup, his co-author for Ed 2. Sadly, I didn't get a chance to thank Tobias Oetiker (who I nearly ran into at lunch the day before).

Next up was the talk from Tom Limoncelli and Adam Moskovitz (Adam's looking for a job! Somebody hire him!) about how to get your paper accepted at LISA. Probably basic stuff if you've written a paper before, but I haven't so it was good to know. Thing like how to write a good abstract, what kind of paper is good for LISA, and how you shouldn't say things like "...and if our paper is accepted, we'll start work right away on the solution." Jay asked whether a paper on the pf testing tool would be good, and they both nodded enthusiastically.

Must Google:

• When talking about papers that go over the same subject, a paper from a previous LISA was mentioned that surveyed 8 years of papers on data storage and found identifiable cycles from "Oh no, we've got more data than disks!" to "Oh no, we've got more data than tape!" (This made me feel better about skipping out on the 9am talk.)
• Apparently, Sun reimplemented cat(1) and improved performance 10x.

Quotes from the talk:

• Tom: "You're not supposed to publish your paper on your website until it's published at LISA. And if you're cool, you'll do that with a cron job."
• From an audience member at another conference presentation: "At any point, did you step back and look at your work? And if so, were you sufficiently disgusted?"
• Tom again, on how audience criticism is a good thing: "Every theory paper needs someone to go up to the mic and say, 'Okay, Buck Rogers, but I live in reality.'"

At this point I started getting fairly depressed. Part of it was just being tired, but I kept thinking that not only could I not think of something to write a paper about, I could not think of how I'd get to find something to write about. I wandered over to the next talk feeling rather sad and lost.

The next talk was from Andy Seely on being a sysadmin in US Armed Forces Command and Control. Jessica was there, and we chatted a bit about how this talk conflicted with Tom Limoncelli's Time Management Guru session, and maybe ducking over to see that. Then Andy came over and asked Jessica to snap some picture, so she ended up staying. I was prepared to give it five minutes before deciding whether or not to leave.

Well, brother, let me tell you: Andy Seely is one of the best goddamned speakers on the planet. He was funny, engaging, and I could no more leave the room than I could get my jaw to undrop. Not only that, his talk was fascinating, and not just because he's a sysadmin for the US Armed Forces while simultaneously having a ponytail, earrings and tattoos. You can read the article in ;login: (FIXME: Add link) that it was based on, but he expanded on it considerably. Let me see what I can recall:

• One slide, a computer display of a map of the Middle East with lots of dots: "This is a map of people dying." This is what a screw-up or a service outage means in his job: people across the planet die.
• "There are databases where you can search on anyone in Afghanistan named Mohammed. It's an entertaining database optimization problem, let me tell you."
• On deadlines: "The more you work with government, the more you find dates...well, they're filled with humour."
• "We've got headquarters with systems everywhere -- no surprise, where haven't we invaded yet?" (laughter) I yell out "Canada!" "We're thinking about it. But we're looking for some place that'll fight back." (more laughter) "I'm sorry, that came out wrong. But it was funny." This made it to IRC, which prompted Ricky and others to ditch what they were doing and come over to this talk. (I met Andy later on and he apologized profusely, saying that he meant Canada was an ally, so why would the US invade them in the first place? We had a duel, my shot grazed his shoulder, and Canada's honour was regained.)
• Having to support an app where there's strong debate over whether it's written in C, Ada or Java, or whether it uses UDP or TCP.
• Being told that an app that keeps failing is single-threaded, so throwing more CPUs at it won't do anything; it's RAM that it needs. Later investigation confirms that, in fact, it's multi-threaded and needs more CPUs, not RAM...which the vendor eventually confirms.
• He can't install a compiler, or a debugger, or anything that doesn't come with a default install of Solaris 8, or 7, or 2.x. That would be a huge security offence.
• A Sun E4000 mainboard blows up in the Middle East. Getting one through regular channels would take too long, so where do you go? That's right: Ebay. He's a contractor, so he has no budget...but he does have a government credit card with a $2500 limit. So he calls up the guy selling it and cuts a deal to buy the thing for $2500 (shipping was billed separately). Put it on a C130, and off she goes.
• Not being allowed to write a program...but he is allowed to string shell commands together...and sometimes those commands get written down in a file for reference purposes. If he's lucky, Perl's on the machine as well.

Longer story: Because of the nature of his work, he's got boxes that he has to keep working when he knows next to nothing about what they're meant to do. Case in point: a new Sun box arrives ("and it's literally painted black!"), but the person responsible for it wants to send it back because it doesn't work -- which means that when they click the icon to start the app it's meant to run, it doesn't launch and there's no visible sign that it's running. There's no documentation. And yet he's obligated to support this application. What do you do?

Even tracking down the path to the program launched by the icon is a challenge, but he does, tracks down the nested shell scripts and finally finds the jar that is the app ("Aha! It is Java!"). He finds log files which are verbose but useless. He contacts the company that wrote it, and is told he needs a support contract...which the government, when putting together the contract for the thing, did not think to include. So he calls back an hour later, talks to the help desk and tells them he's lost the number -- "Can you help a brother out?" They do, but they're stumped as well, and say they've never seen anything like this.

Time to pull out truss, which produces a huge amount of output. Somewhere in the middle of all that he notices a failing hard read of a file in /bin: it was trying to read 6 bytes and failing. Turns out the damned thing was trying to keep state in /bin, and failing because the file was zero bytes long. He removed the file, and suddenly the app works.

Andy also talked about trying to get a multiple GB dump file from Florida to Qatar. Physical transport was not an option, because arranging it would take too long. So he tries FTPing the file -- which works until he goes home for the day, at which point the network connection goes down and he loses a day. So he writes a Perl script that divides the file into 300MB chunks, then sends those one at a time. It works!

At this point, someone yells out "What about split?" Andy says, "What?" He hadn't known about it. There was a lot of good-natured laughter. He asked, "Is there an unsplit?" "Cat!" came the response from all over the room. He smacked his forehead and laughed. "This is why I come to LISA," he said. "At my job, I've been there 10 years. People come to me 'cos I'm the smart one. Here, I'm the dumb one. I love that."

There are two things I would like to say at this point.

First off, Andy is at least the tenth coolest person on the entire Eastern seaboard. No, he didn't know about cat -- but not only did he reimplement it in Perl rather than give up, he didn't even flinch when being told about it in the middle of giving a talk at LISA. I would probably have self-combusted from embarassment ("foomp!"), and I would have felt awful. Andy's attitude? "I learned something." That's incredibly strong. (Although he told a story later about being in the elevator with some Google people. They recognized him and said, "Hey, it's the 'man cat' guy!")

Second, when he said, "Here, I'm the dumb one. I love that" I sat up straight and thought, "Holy shit, he's right." Here I am at LISA for the first time ever. I've met people who can help me, and people I can help. I've made a crapload of new friends and have learned more in one week than I would've thought possible. And I'm worried 'cos it might be a few years before I can think about presenting a paper? That's messed up. I tend to set unreasonably high goals for myself and then get depressed when I can't reach them. Andy's statement made me feel a whole lot better.

During Q & A I asked what he did for peer support, since his ability to (say) post to a mailing list asking for help must be pretty restricted. He said that he's started a wiki for internal use and it's getting used...but both the culture and the job function mean that it's slow going. He's also started a conference for fellow sysadmins: 100 or so this year, and he's hoping for more next year.

In conclusion: if you ever get the chance to go see him, do so. And then buy him a beer.

Introducing for the first time, Pharoah on the microphone!

Sing: All hail what will be revealed today

From the fear of the great unknown, from the line to the throne.

"The Laws Have Changed", The New Pornographers

Thursday night was the USENIX Carnival Of Fun: lots of carnival games that got you more tickets for the door prizes (which were a huge pile of No Starch Press books plus a Monty Python box set). I wandered around for a while, looking at the huge crowd and fighting the temptation to run to the balcony and shout, "Carousel is a lie! You can LIVE!"

I talked for a while to a woman I'd been running into the whole week, a sysadmin at a defence contractor. She had been to Andy's talk as well. One difference between her job and Andy's is that she's responsible both for classified and unclassified networks. One effect of this is that she's able to contact more people for support...but there are limits.

For example, she had to send off logs from one app that was failing to the vendor for them to pore over. The app was on a classified computer; she was forbidden to copy any data from that machine directly to an unclassified network, so that meant no SSH, no ftp, no USB disk, no burning of CDs, nothing. What did she do? She printed out the logs, verified that nothing in there was classified, then put them through a scanner and used OCR to munge the images back into text.

Later, an engineer from another vendor came to poke at an app running on an unclassified computer, and it was her job not just to supervise him, but to run the big K-Mart Special flashing blue light to let everyone around her know that there was someone without clearance in the room, and to watch their mouths and adjust their monitors appropriately. In other situations, she's had to sit at the keyboard and type what the engineer told her to...because without clearance, you're not allowed to touch the machine.

I wandered on, and picked up a tracking monkey. There was a security consultant with a huge bag of stuffed monkeys that were meant to wrap around your arm or shoulder or something. I couldn't make that work, so I wrapped it around my neck. A little tight, but it was worth it: when people would ask what it was or where I'd got it, I'd fix them with a stern look and ask suspiciously, "Where's your tracking monkey, citizen?"

Eventually I hooked up with Noah (CSAIL) and Deb (FSF). Deb made us smack things (Noah won the strength test) and throw things (she cheated at skeeball, but I managed to win another ticket so that was okay). When the draw came over I dragged over Ricky the Bostonian/iite/aniananan for luck, since at least 8 people who'd been w/in 70 feet of him had won. However, turns out his luck function really peaks at 70 feet, and at 4 feet away it's pretty minimal. Oh well.

We went to check out the Google BOF, but on the way out Deb dared me to play Logan. I dragged her up to the balcony overlooking the ball room and yelled my line, but sadly it got lost in the noise. The lineup for the Google BOF was insane; someone told us that they were giving away a MacBook Pro. <post-hoc rationalization> We decided to form a Bass BOF and headed to the bar.</post-hoc rationalization> (Sorry I couldn't make your scotch BOF, Jessica!)

There was massive talk about salting the cod (which just sounds like the best euphemism anywhere, and I really want everyone to pick up on that, so go!), places to drink in Boston (incl. one place that has 100 beers on tap), and many, many other things. After a while we headed to the LOPSA room, where a lot of people ended up. I talked briefly to Andy, the guy who talked about Command and Control:

I got a lot of pictures with the tracking monkey, including Tom Limoncelli:

and dkap and Melanie Rieback:

And when the night wound down, we went back down to the bar to verify that their supplies were still good. (They were.) Man, it's been a long time since I've closed a bar. :-)

I stole a page from your book, and a line from your page

And flew into a lesbian rage...

"Chump Change", The New Pornographers

Friday morning was Dan Fucking Kaminsky's talk, which I'd really been looking forward to. I dragged Ricky to it, telling him he rilly rilly needed to go, kthxbye.

My notes could not possibly do justice to his presentation, which was both funny and awe-inspiring. Anyway, Dan also makes the best slide shows I've seen; they're a whole textbook on their own. Go read all his stuff. And go see him talk! He's intelligent and friendly on rye bread.

Some random observations/quotes:

• When he takes questions from the audience, he thinks about what they're saying for a minute before replying. One question prompted the reply, "Man, you're gonna put me on an entire research path."
• When he mentioned the (FIXME: include link) auto paper generation tool, he described it as "a fuzzer that exploited a conference."
• On why SSH host keys suck: "You're looking at a bunch of random characters, comparing them, and if you're one character off that's it. One character off!
• On how easy it is to include a bank (say) login form, so that you end up posting to an HTTP form instead of an HTTPS form: "My grandmother could do that. She'll 0wn you." (laughter) "You laugh, but she's been to the last three Black Hat conferences. Have you?" (Note: I had originally conflated this point and the last one (SSH keys), but Wout set me straight. Next time I promise not to take so long to make corrections. :-)
• "Remember, there's nothing a bank wants less than hearing from you or seeing you in person."
• "Humans seem to have hardware acceleration for remembering names."

Ricky allowed as how Dan Fucking Kaminsky might have been worth getting up early for.

Okay, but after that the bitter pill of (FIXME: full name, title) Dmitri. This was a depressing, scary talk about network threats and how they're driven by very, very successful criminals. I'd heard this before, but the facts and stats he brought in were enough to just crush your soul.

The usual list:

• Spammers probably want anti-spam companies to stay in place. That protects the channel they're abusing. Otherwise, like a parasite that goes too far, they'll end up killing the thing they're exploiting.
• Most trojans/bots/whatever just ask the user to click...and it works. You don't need to go looking for a zero-day if you don't want to.
• Trojans that are sent out in small numbers will almost certainly never get sent to an AV company for analysis...which means AV software will almost certainly never detect it.
• Speculation about future uses of zombie networks: distributed computing, or distributed file systems.
• Image spam is already defeating many anti-spam programs. And to get around it, it wouldn't take much more than something like this: (FIXME: Add image)
• Many/most zombie networks will be active (spamming, say) for a few hours...then go silent for another month. Good luck trying to detect that.
• Some zombies will check blacklists before spamming, to see if their IP is listed. If the list supports it, they'll submit a request to get their IP delisted.
• His company is working on a way of filtering traffic, not just email, based on reputation. Push the responsibility to the user: your bank says "We're not accepting traffic from you because your IP address has a bad rep."

Dan Kaminsky asked if maybe the answer was to abandon persistence on the desktop, and just hand out Knoppix disks to everyone. Dmitri replied that would just push the attack to web databases and such that held the user's settings. DK pointed out that would mean a much smaller number of machines to secure, which Dmitri conceded.

Q: I work for a web farm; what can we do? A:: watch your netflows carefully and learn your normal traffic. (cf Dan Klein's presentation).

Q: I use fuzzy OCR plugin for SA and it works fine. A: you might not be seeing adaptation yet, but you will. OCR is bound to fail; too easy to trick.

He closed his talk by saying the obvious: he's very, very pessimistic, he sees no magic bullet, and he can't see any light at the end of the tunnel.

Come on, come out of the rain.

You're not oppressed, you're just too learned...

"Streets of Fire", The New Pornographers

Friday afternoon, a bunch of us were standing in the lobby. Jessica came by and said she was having problems getting into her home machine to get her boarding pass info. She was using the business centre, which only had locked-down Windows machines with no SSH client. The wireless was $87/hr or some such, and the free wireless set up by Usenix was way the hell over on the other side of the hotel. She was just about resigned to get up and go when a guy beside her piped up and said, "Hey, there's this tool that should help you out..."

"So I use it," she said, "and it turns out it tunnels SSH over DNS. It was the slowest connection I've ever used, but it was usable, and I got into my home machine."

I looked at her with wide eyes. "Was that...was that Dan Kaminsky who helped you?"

"I dunno," she said, "I've never meen him before. What does he look like?"

Normally I suck at descriptions, but I had this one down. "He looks like Brendan Frasier," I said confidently.

She shrugged. "I dunno, I don't think that was him...oh wait, there's the guy there."

We all turned to see Dan Kaminsky grinning. "That's one of the few times I've seen that tool actually be useful," he said.

Turns out he's a very friendly and funny guy, and if I heard him right he was roommates with the guy who started Friendster, who Jessica also knew. I foamed at the mouth for a bit in fanboyish wonder, then told him about IPoD and William Shatner's rap of the "Friends, Romans, Countrymen" speech from Free Enterprise. And of course, he wore the tracking monkey:

After that we split up for a bit, then re-united for supper. We hit FIXME, where we found a cute Mongolian waitress ("How many times can you say that?" asked Andy) and Bill Clinton burgers. We hit The Angry Inch in search of Angry Ale, which they no longer sold. Andy bought a t-shirt ("I'm never coming back to this place. And the last time I said I wasn't coming back to a place, I bought the place a round. This is cheaper").

Then we headed back to the the final LISA party. It was in the original hotel building, and it was the biggest goddamned suite I've ever seen. It had to be bigger than any two apartments I've lived in put together. There were lots of people there. I drank toasts with Wout (Cisco IT guy from Belgium; friendly, funny and BEST NAME EVAR) and Noah to Strata Rose Chalup, drinking this godawful Romanian plum moonshine...oh god, it was harsh. I spent a good 15 minutes with one of the board members of LOPSA trying to figure out the purpose of one of the suite's alcoves (we were stumped). And natch, I got more pix of the tracking monkey with William Lefebvre (top, 'member?):

and many, many others.

Eventually it came time to go home, so I said goodbye and collapsed in my suite.

Quotes I missed earlier:

• "I've got one user who considers 7-bit ASCII a luxury compared to what you can get from 5 or 6 bits."
• "'Cooperative collaboration.' Yeah, it's part of our vision statement."
• "90% of being a sysadmin is typing at computers. 10% is typing at users." -- Mark C.
• Pretty sure I saw Theodore T'so grinning (or at least had a confused look on his face) when I did Logan's Run.

One of the great things about going to LISA is that you get the proceedings and/or training for everything on CD or dead tree. (Well, nearly everything...I've heard that some people didn't or couldn't make their training materials available (though I've not been motivated to confirm this yet), and some of the talks didn't do this (Tom, where are your slides?)). There is some wonderful stuff to be found in them...

...like WWW::Mechanize, which is just perfect for testing out this conference registration form I'm working on. Only I've run into a bug that comes when trying to specify which button to click on:

$agent->click_button(value => 'Okay to submit');

That li'l chunk gave me this error:

Can't call method "header" on an undefined value at /home/admin/hugh/perl/lib/perl5/WWW/Mechanize.pm line 2003.

One guy reported the same trouble, but got no response. And the RT queue is fulla spam.

But aha, I found out how to use the Perl debugger in Emacs (M-x perldb. Shhhh!) and was able to track things down. Turns out there are a couple things going on:

1. In the page that I'm parsing, there are actually two forms, not one; one sends you back to correct mistakes, one sends you forward to keep going. Since I was not specifying which one to use, it used the first...and in that one, there is no button labelled "Okay to submit". One I specified the right form ($agent->form_number(2);) everything was good. 2. But of course, this sort of thing shouldn't happen, right? Right.

There are a couple subroutines/methods in this module that aren't testing for the right number of arguments. One of 'em is click_button, which has this loop:

    my $request;
    .
    .
    .
    elsif ( $args{value} ) {
        my $i = 1;
        while ( my $input = $form->find_input(undef, 'submit', $i) ) {
            if ( $args{value} && ($args{value} eq $input->value) ) {
                $request = $input->click( $form, $args{x}, $args{y} );
                last;
            }
            $i++;
        } # while
    } # $args{value}

    return $self->request( $request );

No test/case for not finding a button named whatever, so it just blithely returns $self->request( $request ). But of course, request does the same thing:

sub request {
    my $self = shift;
    my $request = shift;

    $request = $self->_modify_request( $request );

    if ( $request->method eq "GET" || $request->method eq "POST" ) {
        $self->_push_page_stack();
    }

    $self->_update_page($request, $self->_make_request( $request, @_ ));
}

Again, no test for the right number of arguments. And having just read the Test::Tutorial manpage, I'm all about unit testing and such, baby.

Memo to myself: Don't eat the Turkey sashimi.

In other news: I don't usually post links to things just to say "go read this". However, I'll make an exception in these cases.

First, I was recently going to use the word "Manichean" to mean "dualistic, good-vs-evil view of the universe, with an implied inevitable battle between the two". However, when I Googled for it to check the spelling, I came across this article explaining why that wasn't a terribly accurate use of the word. Interesting stuff...I certainly didn't know there were any Buddhist-influenced ascetics hanging around Baghdad in the 3rd century.

Second, there's some interesting and contradictory stuff on the procedures for GPG/PGP keysigning parties here and here. Why does publicizing a public key "slightly reduce the security of a key pair"? I don't know. I've had a quick look through my copy of Applied Cryptography (3rd Ed.), donated by the kind man behind Pangolin Systems, but can't find anything from Saint Bruce about this. Anyone?

Third, there's an excellent set of tools for keysigning parties available here. One of the people who signed my key at LISA had used caff to send it back, which is a nice wrapper around the whole procedure (grab the key, sign the key, encrypt the key with itself, email it back to each of the key's email addresses). The lack of understandable (but see next paragraph's self-ass-kicking) documentation for GPG means that a) this automation is very nice, and b) I'm kicking myself for not buying Michael Lucas' book from the No Starch Press booth at LISA.

Fourth, if'n you've got GPG, it's worth reading the documentation, like the FAQ or the GNU Privacy Handbook. Shame on me for not doing that previously. (And shame on me for taking so long to email people's keys back to them.)

Fifth, you can find some pretty stats here, or the trust path from me to Wietse Venema. Geek Pride!

Sixth and finally, there is this handy little page about how to set up a CPAN library in your home directory. Since it took me a while to track this down, I'm throwing it in here so's I can find it quicker next time.

When I got my first job in IT, a friend of mine bought me a copy of the third edition of Unix in a Nutshell. (Incidentally, why does O'Reilly's search, which in my client returns "Sorry, no matches were found containing ." (sic), suck so much?) Sure, it was help desk on a small ISP, but it was something. I read that book front to back on the bus to and from work, and filled it full of stickers from all the servers or PCs I assembled.

The sysadmin at that first job also had a cordless drill, and that made things so much easier when assembling or racking servers. I wanted one, but I didn't buy one 'cos I figured I hadn't earned it yet. When my Italian millwright father-in-law bought me one, I felt like it was a vote of confidence in a way.

Another thing the sysadmin had was a Leatherman Wave. Again, I wanted one, but I didn't think I'd earned it yet. Last week, I decided to get one; and if I was going to get one, I was going to wear the damn thing. I started wearing the sheath on my belt, and waited for a chance to use it.

Today I had that chance.

I got to work and went to the kitchen to grab a coffee. "There's a bat behind the fridge," I heard.

What?

The cleaning woman pointed. "I moved out the fridge to clean it," she said. "There was a bat behind it. I don't want to touch it."

I looked, and sure enough there was one hanging by the edge of the cupbard. It was small, like a mouse wearing an overcoat. (Goth mouse?)

And then my moment came.

There were no gloves (I was worried about rabies), but there was a towel. I draped the towel over the bat while frightened coworkers watched, and then covered it with a recycling bin.

And then I took out the Leatherman, and flipped out the knife. "I need help cutting cardboard," I said, and the receptionist came to help. She sliced up a cardboard box and gave me a square of it. I slid it between the cupboard and the towel, sandwiching the bat gently between it and the towel, with the recycling bin behind.

I carried it outside to a clump of trees (ah, the advantages of living on a beautiful campus), found a stick, coaxed it onto it and then left it up a tree.

But I couldn't have done it...

...without the Leatherman.

(This writing style brought to you by my third reading of Battlefield Earth. Our motto: Yeah, it's trash...so what?)

In other news, Hunter Matthews is giving a workshop on server room best practices at LISA '07. I met him at LISA last year, when he was another attendee of an otherwise thin tutorial on setting up server rooms/closet. He was also at the documentation BOF, and the one who said "I've got one user who considers 7-bit ASCII a luxury compared to what you can get from 5 or 6 bits." (Oh, and: "Cooperative collaboration. Yeah, its part of our vision statement.") He's a good guy and a good teacher, and if you're going to LISA you could do a lot worse than going to his workshop.

At last: I'm finally coming to the end of working with the verdammnt web registration forms. We're going from our awful hack of a glued-together mess of Mambo and custom PHP, to something that'll mainly be Drupal with no custom code. Allegedly it's six weeks 'til launch date; the registration forms in use right now will limp along 'til they're no longer needed (end of the summer).

The registration form I'm working on now is not complicated in the absolute sense, but it's the most complicated one we've got. Last year I was afraid to touch the (old, legacy, ugly) code, and mostly just changed dates. This year I thought "fuck it" and rewrote nearly all of it, using the tools and skills I'd picked up in the meantime. (I'm still not a great programmer, understand, but I have improved some over last year.)

After a full day banging my head against it, I'm finally coming to the point where I'm pretty confident that the code will do what it's supposed to. And that's a relief. Therefore, in the stylee du Chromatic, I give thanks to:

• Test::More
• Test::Harness
• WWW::Mechanize
• DBI

In other news...just downloaded the second dev preview of Indiana, which I'd managed to not hear about at all (the preview releases, that is). I love university bandwidth; 640MB in about 1 minute. Sweet. I'll give it a try at home and see how it feels.

I've just finished reading the summaries of LISA '07 in the latest issue of ;login:. I feel…incredibly left out. I'm starting to think this profession might not be such a simple thing, you know, man? Sir? The presentations on autonomic computing have left me feeling a bit like a buggy whip maker with his nose to the grindstone.

And yes, it's a way off, and yes, small shops and generalists will probably be around for a while to come. But I'm not sure how much I want to keep being at a small shop. Which means learning the big stuff. Which, natch, is hard to do when you're trying to figure out how to properly test registration forms. Sigh.

But: I just stuck my head out a door at work and saw a chickadee. It chirped for a while, sitting on a tree near our building, then flew off. On a rare sunny day in Vancouver in Frebruary, after a week of messed-up sleep and feeling like I've been spinning my wheels, this is nice.

I've been listening to the presentations from LISA07, and I have a few observations.

Trey Darley's presentation reminded me a lot of my last job, but much more intense: fast growth, no control, and no budget. The difference is that he had the experience and the chops to deal with it well. Also, if he can present at LISA, so can I.

Andrew Hume's presentation, "No Terabyte Left Behind", was interesting, by which I mean frightening. People mostly just trust that hardware does what it says it does/will do when it comes to storage. But that doesn't always work: he tells the story of a prof he worked with who checksummed all his files once a week. When a checksum changed — and it did about every 6 months — he'd retrieve it from backup. His rough guess for undetectable errors: 1 per 10 terabyte-years. And we're getting to the point where that's going to be significant very soon.

Tony Cass' presentation on grid computing for CERN was fascinating. This is the place I wanted to work (though as a particle physicist). UBC/TRIUMF is doing some work for this project as well, which makes me think I should jump over.

David Josephson's presentation was interesting, as much for the Q&A afterward as for his point. Which was? Glad you asked: that focussing on IP-based spam filtering (RBLs, greylisting) provides an incentive to spammers to hijack network prefixes via BGP attacks, and generally do nasty things to the Internet; please switch to content-based filtering post-haste. (To clarify, he was talking in particular about fast naive Bayesian classifiers, not SpamAssassin.) Since IP-based filtering treats IPs as valuable things — tokens that demonstrate your email is worth accepting — spammers steal IP addresses.

I'm not sure how much I buy his argument; he kept promising that the BGP attacks he described were only part of the problem, but he never seemed to get beyond that. But during the Q&A Brad Knowles got up and said (my summary) Content filtering doesn't scale, at least in his experience (as Senior Internet Mail Systems Administrator for AOL). At that point, another guy got up and said (again, my summary) that sort of thing is heard all the time, but with no data to back it up. The responder had co-authored a paper with Josephson that got Best Paper award at LISA '04, and they'd made damn sure to include a ton of footnotes. If their conclusions were wrong, people were free to challenge them; if Knowle's were wrong, they were unchallengeable because there was no data to back it up — it was all just story that got passed along and became myth.

Knowles' response was "I don't have time to write papers; I'm a technician, not an academic." Which is true, in lots of ways. And I don't mean any insult to Knowles; he's done things I will probably never match, we are all flooded with work, and so on. I'm one guy, working at a small shop, with none of his experience, or chops, or rep, or audience.

But there's a reason my .signature says "Because the plural of Anecdote is Myth": it's to remind me that unless you can back something up with facts, preferably written down and logged and repeatable, all you've got is a bunch of stories that become more and more True the more you repeat them.

It's obnoxious to sneer and say, "Cite, please"; it's worse to be ignorant.

Lots more listening to do. If you haven't downloaded them yet, you really should.

USENIX has done a wonderful thing: their conference proceedings are now open to the public, rather than requiring a USENIX membership.

This is very, very good. If you haven't gone through the list of presentations and papers from LISA, FAST, WOOT, or the USENIX conference itself, you really need to.

Come to that, if you haven't picked up a membership yet to USENIX and SAGE, you really need to. A dead-tree copy of ;login: magazine is the most interesting single publication I've found about computing in general, and system administration in particular. You owe it to yourself.

Work...hell, life is busy these days.

At work, our (only) tape drive failed a couple of weeks ago; Bacula asked for a new tape, I put it in, and suddenly the "Drive Error" LED started blinking and the drive would not eject the tape. No combination of power cycling, paperclips or pleading would help. Fortunately, $UNIVERSITY_VENDOR had an external HP Ultrium 960 tape drive + 24 tapes in a local warehouse. Hurray for expedited shipping from Richmond!

Not only that, the Ultrium 3 drive can still read/write our Ultrium 2 media. By this I mean that a) I'd forgotten that the LTO standard calls for R/W for the last generation, not R/O, and b) the few tests I've been able to do with reading random old backups and reading/writing random new backups seem to go just fine.

Question for the peanut gallery: Has anyone had an Ultrium tape written by one drive that couldn't be read by another? I've read about tapes not being readable by drives other than the one that wrote it, but haven't heard any accounts first-hand for modern stuff.

Another question for the peanut gallery: I ended up finding instructions from HP that showed how to take apart a tape drive and manually eject a stuck tape. I did it for the old Ultrium 2. (No, it wasn't an HP drive, but they're all made in Hungary...so how many companies can be making these things, really?) The question is, do I trust this thing or not? My instinct is "not as far as I can throw it", but the instructions didn't mention anything one way or the other.

In other news, $NEW_ASSIGNMENT is looking to build a machine room in the basement of a building across the way, and I'm (natch) involved in that. Unfortunately, I've never been involved in one before. Fortunately, I got training on this when I went to LISA in 2006, and there's also Limoncelli, Hogan and Chalup to help out. (That link sends the author a few pennies, BTW; if you haven't bought it yet, get your boss to buy it for you.)

As part of the movement of servers from one data centre across town to new, temporary space here (in advance of this new machine room), another chunk of $UNIVERSITY has volunteered to help out with backups by sucking data over the ether with Tivoli. Nice, neighbourly think of them to do!

I met with the two sysadmins today and got a tour of their server room. (Not strictly necessary when arranging for backups, but was I gonna turn down the chance to tour a 1500-node cluster? No, I was not.) And oh, it was nice. Proper cable management...I just about cried. :-) Big racks full of blades, batteries, fibre everywhere, and a big-ass robotic Ultrium 2 tape cabinet. (I was surprised that it was 2, and not U3 or U4, but they pointed out that this had all been bought about four or five years ago…and like I've heard about other government-funded efforts, there's millions for capital and little for maintenance or upgrades.)

They told me about assembling most of it from scratch...partly for the experience, partly because they weren't happy with the way the vendor was doing it ("learning as they went along" was how they described it). I urged them to think about presenting at LISA, and was surprised that they hadn't heard of the conference or considered writing up their efforts.

Similarly, I was arranging for MX service for the new place with the university IT department, and the guy I was speaking to mentioned using Postfix. That surprised me, as I'd been under the impression that they used Sendmail, and I said so. He said that they had, but they switched to Postfix a year ago and were quite happy with it: excellent performance as an MTA (I think he said millions of emails per day, which I think is higher than my entire career total :-) and much better Milter performance than Sendmail. I told him he should make a presentation to the university sysadmin group, and he said he'd never considered it.

Oh, and I've completely passed over the A/C leak in my main job's server room…or the buttload of new servers we're gonna be getting at the new job…or adding the Sieve plugin for Dovecot on a CentOS box...or OpenBSD on a Dell R300 (completely fine; the only thing I've got to figure out is how it'll handle the onboard RAID if a drive fails). I've just been busy busy busy: two work places, still a 90-minute commute by transit, and two kids, one of whom is about to wake up right now.

Not that I'm complaining. Things are going great, and they're only getting better.

Last note: I'm seriously considering moving to Steve Kemp's Chronicle engine. Chris Siebenmann's note about the attraction of file-based systems for techies is quite true, as is his note about it being hard to do well. I haven't done it well, and I don't think I've got the time to make it good. Chronicle looks damn nice, even if it does mean opening up comments via the web again…which might mean actually getting comments every now and then. Anyhow, another project for the pile.

The details on LISA '09 are finally up, and it looks good. Let's hope I can convince $WORK to send me there...

Heyo...I've finally migrated to Chronicle and switched the website to ikiwki. Things should be working, aside from a few links I'll be cleaning up as time goes on...however, if you notice anything truly wrong please drop a line. (The comment system is no longer email-based, btw.)

And in the interest of keeping this on-topic...looks like work may be sending me to LISA! Here's hoping...

Just got the approval from the boss...LISA, here I come! w00t!

I've come across a few LISA items today, and it's only 9am...

• Matt Simmons is going, and got one of the blogger gigs too.

• The BOFs are starting to fill up: Matt's got one for bloggers and another for small infrastructure, there's one for lightning talks, and one for uninvited talks.

• OpenDNS is hosting a happy hour at a nice-looking pub, which alleges it was actually "designed and built in Ireland and shipped over in the fall of 2002, where it was then fitted on site." Huh.

Man, I'm looking forward to this.

So this morning, again, I got paged about machines in our server room dropping off the network. And again, it was the bridge that was the problem. This time, though, I think I've figured out what the problem is.

The firewall has two interfaces, em0 (on the outside) and em1 (on the inside) , which are bridged. em1 has an IP address. I was able to SSH to the machine from the outside and poke around a bit. I still didn't find anything in the logs, but I did notice this (edited for brevity):

$ ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 9000
    lladdr 00:15:17:ab:cd:ef
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active
    inet6 fe80::215:17ff:feab:cdef%em0 prefixlen 64 scopeid 0x1
em1: flags=8d43<UP,BROADCAST,RUNNING,PROMISC,OACTIVE,SIMPLEX,MULTICAST> mtu 9000
    lladdr 00:15:17:ab:cd:ee:
    groups: egress
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active
    inet 10.0.0.1 netmask 0xffffff80 broadcast 10.0.0.1
    inet6 fe80::215:17ff:feab:cdee%em1 prefixlen 64 scopeid 0x2

See that? em1 has OACTIVE set. A quick search turned up some interesting hits, so for fun I tried resetting the interface:

$ sudo ifconfig em1 down
$ sudo ifconfig em1 up

and huzzah! it worked.

When I got to work I did some more digging and figured out that this and the earlier outage were almost certainly caused by running a full backup, via Bacula, of the /home partition on the machine. The timing was just about exact. The weird thing, though, is that the partition itself is smaller than var, which was backed up successfully both times:

$ df -hl
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      509M   42.4M    442M     9%    /
/dev/sd0g      106G   11.4G   89.1G    11%    /home
/dev/sd0d      3.9G    6.0K    3.7G     0%    /tmp
/dev/sd0f     15.7G    2.4G   12.5G    16%    /usr
/dev/sd0e     15.7G   13.6G    1.4G    91%    /var

The bacula file daemon logged this on the firewall:

Oct 28 02:46:15 bacula-fd: backup-fd JobId 3761: Fatal error: backup.c:892 Network send error to SD. ERR=Broken pipe
Oct 28 02:46:15 bacula-fd: backup-fd JobId 3761: Error: bsock.c:306 Write error sending 36841 bytes to Storage daemon:backup.example.com:9103: ERR=Broken pipe

With the earlier outage it was 65536 bytes, but otherwise the same error.

Okay, so the firewall's working again...now what? I'm about to head off to LISA in three days, so I can't very well upgrade to the latest OpenBSD right now. I settled for:

• turning off full backups on the firewall (everything important is kept in Subversion anyhow), and
• running a script from cron every 10 minutes that checks for the OACTIVE flag and, if found, resets the interface.

Hopefully that'll keep things going 'til I get back.

Following in Matt's footsteps, I ran into a serious problem just before heading to LISA.

Wednesday afternoon, I'm showing my (sort of) backup how to connect to the console server. Since we're already on the firewall, I get him to SSH to it from there, I show him how to connect to a serial port, and we move on.

About an hour later, I get paged about problems with the database server: SSH and SNMP aren't responding. I try to log in, and sure enough it hangs. I connect to its console and log in as root; it works instantly. Uhoh, I smell LDAP problems...only there's nothing in the logs, and id <uid> works fine. I flip to another terminal and try SSHing to another machine, and that doesn't work either. But already-existing sessions work fine until I try to run sudo or do ls -l. So yeah, that's LDAP.

I try connecting via openssl to the LDAP server (stick alias telnets='openssl s_client -connect' in your .bashrc today!) and get this:

CONNECTED(00000003)

...and that's all. Wha? I tried connecting to it from the other LDAP server and got the usual (certificate, certificate chain, cipher, driver's license, note from mom, etc). Now that's just weird.

After a long and fruitless hour trying to figure out if the LDAP server had suddenly decided that SSL was for suckers and chumps, I finally thought to run tcpdump on the client, the LDAP server and the firewall (which sits between the two). And there it was, plain as day:

• 3-way handshake
• client says "I speak SSL!"
• server says "I speak SSL too! Here you go!"
• but the client never sees that packet
• and neither does the firewall.

Near as I can figure, this was the sequence of events:

• We SSH'd from the firewall, with its two bridged Intel GigE jumbo-enabled NICs
• to the console server, which only does 10/100
• which somehow prompted a renegotiation of the link speed on the firewall's interface
• which settled on 100 MBit, full duplex, but with jumbo frames
• which the switch saw as completely bogus
• which prompted the switch to (silently, natch) drop all jumbo frames directed at the firewall's outside interface
• which, in the context of an LDAP lookup done by a client inside the firewall, meant that the first packet that failed was the "I speak SSL too! Here you go!" packet
• which left the client with an established TCP connection to the LDAP server, waiting for a certificate
• which meant that it never actually failed over to the other LDAP server.

This took me two hours to figure out, and another 90 minutes to fix; setting the link speed manually on the firewall just convinced the nic/driver/kernel that there was no carrier there. In the end the combination that worked was telling the switch it was a gigabit port, but letting it negotiate duplexiciousnessity.

Gah. Just gah.

Hey, everyone -- I'm organizing a BoF at LISA this year on conference organization. For a couple of years, I've wanted to create a local conference on system administration here in Vancouver, but I've been unsure how to start. I figure what better place to brainstorm and seek advice than at LISA?

So if you have questions or knowledge to share on:

• Scheduling talks and getting speakers
• Technical and organizational requirements
• Finding volunteers and sponsors
• Figuring out a budget (or "Just how far does this shoestring have to stretch?")

then drop on by the Dover C room on Thursday, November 5th, between 8:30 and 9:30pm. C'mon, you've gotta kill that hour before Matt's BoFs somehow...

Thanks to this conference's theme band, Soul Coughing!

Saskatoon is in the room
Pyongyang is in the room...
Is Chicago
Is not Chicago

"Is Chicago, Is Not Chicago" -- Soul Coughing

Midway through my flight to Baltimore and I'm in Chicago, listening to periodic announcements that the Threat Advisory Level is Orange. The wifi here isn't working for me (associates fine but no address by DHCP), so I'm sititng at my gate, with two hours 'til I leave, wondering if any of the people around me are going to LISA as well.

The airport here has this amazing tunnel that goes between two concourses. Again, it made me think I was in Logan's Run and it was only the thought of being arrested that kept me from running down the moving sidewalk, shouting "Carousel is a LIE!"

Departure was entirely uneventful; I didn't even get pulled over for extra questions. One odd thing was that (like O'Hare) the customs section of YVR was quite warm, and each of the customs officers had identical clip-on fans placed above them. The cords curled down out of site, and the reflection in the cubicle glass reminded me of spines; I kept thinking they were skeleton decorations for Hallowe'en.

QOTD:

I got the will to drive myself sleepless
I got the will to drive myself sleepless
Sleepless....

"Sleepless", Soul Coughing

That time is how I feel, not the time it really is; not only is it Easter but it's Standard time, not DST, which means that the change caught me off guard this morning. I woke up my roommate thinking it was time for us to shift our asses, but no such luck. Oh well.

(Turns out that alarm clocks these days, at least of the sort that were developed for the DOD and have been provided under NDAs to major hotel chains, have a switch on the bottom for DST adjustments with three settings: On +1, Off, and Auto. That is one of the best ideas ever.)

8:35am and registration is good; I've got a cool IPv6 sticker and a copy of all the training material on a USB stick I'm going to try hard not to lose.

First day's training is an all-day course called "Management Skills, or Don't Panic!". It's not the sort of thing I'd usually sign up for -- soft skills, avoidance thereof -- but I figure it's probably a Good Thing for me to do, like exercise and eating right. It's interesting; there are some good anecdotes and quotes in there:

"How do you deal with a visionary-type manager? How do you get him to support your project?" Audience: "Tell him you read it in a Neal Stephenson book."

At the end of the course I had a question: I'd taken this course defensively, in order to pick up some skills that I lack -- but I enjoy the technical side of my job very much. I enjoy learning new things, but the problems involved in management seem best, to me, enjoyed in the abstract and at a distance. You give up your techie skills and joys; what compensating joys are there?

She had two answers. The first joy was seeing, and helping, people develop skills and at best exceed their teacher. The second was the fun of finding the problems that lay in organizations' way, no matter how many disparate groups or layers they might span (techies, mgt, suppliers, finance, cultural), and talking with those different groups/layers in order to solve those problems.

As I said, it was interesting. I'm still not entirely sold on management...but then there's the example of a friend of mine who's been doing this since '92. In a lot of ways, when it comes to technical problems he's been there and done that...so management is a (possible) way to keep it interesting for him.

On another topic: Lunch time I got into a very interesting discussion with a woman who figures that MS will lose majority market share on June 30, 2011. Her reasons:

First off, it was a two-year prediction made at a conference in June; had to come up with some kind of date. But also, MS only has majority market share in web browsers, PC OS and office suites. Of those, she figures the stats for web browsers are cooked for marketing purpose, and says that there is very little actual independent, large-scale data; however, data from W3 Schools shows increasing FF share. PC OS: less and less important as people move to Google docs and Gmail, which let's face it are plenty good enough for most home use. And the increasing ability of OpenOffice and other tools means that the domination of office suites is on the way down to.

Check out (her own? not sure) website at http://www.whatwillweuse.com.

After the course I met up with Matt and finally got to put a face to the face. He was there on Official Usenix Bizness(tm), as he's blogging for LISA and wanted to interview the instructor. Very friendly guy who's doing a lot to spread his knowledge around. And as it turns out he also got bit by DST, though worse than me. Poor bastard...

QOTD:

Some kind of verb, some kind of moving thing
Something unseen, some hand is motioning to rise, to rise, to rise

Too fat fat, you must cut clean
You gotta take the elevator to the mezzanine
Chump change, and it's on, super bon bon
Super bon bon, super bon bon...

"Super Bon Bon", Soul Coughing

Tonight was a great deal of fun. I met up with Matt, who had invited me out for Turkish food earlier. I found that the group also included Tom Limoncelli and Doug Hughes, who is one of the Invited Talks coordinator and a very fun guy to boot.

We walked maybe 20 minutes across town to Cazbar on North Charles Street, and which I can recommend to anyone wanting good food. I had a lovely lamb and mozarrella Pide (like a pizza but more ethnic :-), did not like the Raki, but enjoyed the Sierra Nevada well enough.

Lovely food and fun conversation...like the guy who needed a Windows box to run Dell monitoring software, but decided to replace Explorer with Blackbox window manager and some kind of Apple Spotlight-like tool for Windows. My jaw dropped. "You've come this close to making Windows enjoyable for me."

After settling up the bill (non-trivial with 20 people, but we made it) we walked back again. I got to talk with Tom, which was neat (see 2006 entries from LISA re: accidental stalking); always fun to indulge in a little bit of hero worship.

Me: Oh, check it out: it's the Barnes and Noble store! Let's go party there!

Tom: What?

Me: Yeah, I've heard all about it! Free tequila shots at the door, cashiers dancing on top of their tills, DJs 'til 10am...

Tom: Oh, you're thinking of Borders.

I got to see the USS Constitution, which since I've been devouring the Master and Commander books over the last year or so I simply must visit. (Don't know when exactly...)

And so back to the bar. And so to bed. (tm Samuel Pepys.)

Monday morning:

I've seen the rains of the real world come forward on the plains
I've seen the Kansas of your sweet little myth...
I'm half-drunk on babble you transmit
Through your true dreams of Wichita.

"True Dreams of Wichita", Soul Coughing

This morning I had the SELinux tutorial, held by Rik Farrow. I took a moment to shake hands with Rik Farrow, who's teaching this class, and tell him that ;login: magazine, like, changed my life, man, you know?. If you haven't picked up copies of that magazine/journal, you owe it to yourself to do so. (And if you have and you agree with me, send him an email -- he usually only gets email as editor when there's a problem.)

Matt was there, as was Jay, who I met back in 2006.

The course was quite interesting. Some choice bits:

• "How many of you are using SELinux?" (Two hands) "How many of you have disabled SELinux?" (a hundred hands and six tentacles; yes, even Cthulhu disables SELinux) "See, that's why I came up with this course; I kept seeing instructions that started with 'Disable SELinux' and I wanted to know why."

• Telling Matt about Jay's firewall testing script.

  Me: So how to the big guys test their firewall changes? Matt: I dunno...probably separate routers, duplicate hardware... Me: Probably golden coffee cup holders, too. Matt: Jerks.

• You don't write SELinux policy. SELinux policy is hard. It's NP-complete and makes baby Knuth cry. Instead, you use what other people have written, and make use of booleans to toggle different bits of policy.

• However, the size of the SELinux policy is big and is only getting bigger. There are something like 85,000 or more rules in recent versions of RHEL/CentOS. This is very close to RF's rule of thumb that a really, really smart and experienced person, who's been intimately involved in its creation, can only comprehend about 100,000 lines of code. This worries him.

• Also, the problem of using SELinux is complicated by a lack of up-to-date documentation; like everything else it's a fast-moving target, and a book published in 2007 is now half out-of-date.

• But this should not stop you from using SELinux now,; it's handy, it's here, get used to it. Example of SELinux stopping ntpd from running /bin/bash; the SELinux audit file was the only sign.

• "In a multi-level secure system, files tend to migrate to higher security levels, and the system becomes less unusable. But that's beyond the scope of this class."

• (On programs with long histories of serious security problems) "Flash is the Sendmail of -- what do we call this decade? the naughts?"

• (On the difficulty of trying to decode SELinux audit logs) "It says the program 'local' had a problem. 'Local'. What the heck is that? Part of Postfix. Oh, good. Thanks for the descriptive name, Wietse."

• Something I hope to quiz him further on: "Most Linux systems have a single filesystem." Really?

During the break I met a guy who works with the Norwegian Meteorologicla service. This was interesting. He's got 250TB in production right now, and increasing CPU power means that their models can increase their spatial resolution, which means increasing (doubling?) their storage requirements. He talked briefly about running into problems with islands of storage, but I got distracted before I could quiz him further...

...by his story of building a new server room where they were capturing the waste heat and using it to heat the building. Interesting; what kind of contribution would it be making to the overall heating budget? Probably not much, but it all just goes on the grid anyhow, like the hot water from the garbage dump. What?

Turns out that there is a city-wide network of hot-water pipes that collects heat from, among other places, water heaters powered by waste methane from rotting garbage. So they don't use the methane to make electricity and dump it in the electrical grid; they use it to heat hot water and dump that in the hot water grid, consisting of insulated water pipes buried in the ground, which places around the city (and beyond!) will use. We've got what you could call a steam grid at UBC and probably other universities, but I'd never thought of doing this city-wide.

Oh, and he signed my LISA card, which was the second time he got asked today; he was wearing a LISA t-shirt and so he was fair game.

At lunch I buttonholed Jay a bit. I asked him about his coworker's firewall unit testing scheme. He said he's no longer working at that place, but it ended up being a lot less useful than they thought it would be. When I asked why, he said that 90% worked but 10% didn't; that 10% was things like network isolation (to avoid problems with using real IP addresses), and the fact that the interface to the three machines was QEMU serial connections...less than ideal.

The conversation shifted to firewalling, and another guy who was there mentioned that he loved OpenBSD's pf, but had to use iptables because of driver problems that prevented getting full performance out of 10GigE NICs with OpenBSD. Jay said they'd looked at the same problem at his place o' work, and in his words "It was cheaper to throw 8 GigE NICs in a box and pay someone to make Linux interface bonding not suck."

Monday afternoon:

Born to be a god among salesmen
Working the skinny tie
Slugging down fruit juice
Extra tall, extra wide

"Blueeyed Devil", Soul Coughing

Lunch time I talked with a gov't contractor who was in on the Hadoop tutorial. She talked about using a filesystem that was forty years old -- yes, that's a four zero -- which had lots of "warm" data (her term; I assume between hot caching and archiving to tape) cached to tape, but done very badly. The directory structure needs to be preserved, perhaps not at all costs but nearly; there are instances of old (maybe not 40 years old but close) documentation that refers to old paths that must not be broken. Interesting problem.

Also heard about this problem, which just gobsmacked me with its fullbore crazy.

Also, from other quarters, heard about a lab that lost its funding, which leaves it in a difficult position as it has a crapload of old G4s or G5s, watercooled, about half of which they discovered are leaking...

(Trying not to turn into Perez Hilton here. Not sure how well I'm doing.)

In the afternoon I took the Packaging for Sysadmins tutorial, which would have been much better (IMHO) handled as a hands-on workshop. I came back for the second half, but honestly it was a close thing...and yet when someone asked him, the instructor dropped gems of info about Func and Cobbler, which I'm going to be looking into as soon as I can.

During the break I talked with Derek, who's a sysadmin at a NYC trading firm. This was an absolutely fascinating talk, and only partly because I wasn't really aware of the whole high-frequency/low-latency trading...um, culture? algorithm? So:

• He has small data centres -- like, racks -- scattered across NYC in order to be rilly rilly close to the exchanges. Also works well for redundancy. The colos that are close to the exchanges are filled with fellow trading firms.

• The idea is that if you get your data from the exchange soon, analyze it soon, then get an order back to the exchange soon, you can make a lot of money. As a result, a 2.5 ms difference, like in swimming or 100-metre dashes, is absolutely huge.

• Improvements in speed are looked for all over the place: RT Linux, not running NTP on machines (partly because of the overhead it introduces, and partly because it doesn't have high enough resolution; better to take timing info from ethernet frames, which'll get you down to 7.03 nanosecond acccuracy), RT Java (which I didn't know existed), and even running apps on switches that run Linux (which, yes, may be slower than big servers, but are that much closer to the exchange and so it makes up for it0

• So his server rooms are small-ish and many (which if I was a better man I could turn into a full-on Dr. Seuss book), but get this: a trader's desk will have four workstations at it, each with four big-ass monitors sitting on top of their desk so that they can monitor the stocks they're trading. His power and cooling issues are at the desktop as well as in the server room. Madness.

After that back to my room, where my roommate (who's British) and I wondered at the madness of looking to the UK Conservatives for relief from a right-wing Labour agenda. Madness upon madness.

Tuesday afternoon:

And I hear a rumbling
I hear transmission grind
I bear witness
I have the clutch now...

"City of Motors", Soul Coughing

Tuesday afternoon was another Tom Limoncelli class for me: "Design Patterns for System Administrators". I think of design patterns as being a step above algorithms in the abstraction scale. (Tom told us that the term was first used in architecture and city planning; I need to add the titles for the books and maybe look them up too.) DP was a way of capturing passive knowledge: the knowledge you only get from experience.

The course was interesting, and I will be keeping the slides handy for future reference. It was also crowded -- there was not a free seat in the house. However, some of the material was already familiar from Tom's books, and some of it just did not apply to me because it was aimed at much bigger departments.

At the break I talked with Ludmilla, who managed to cram into my brain a better understanding of cross-site scripting attacks; this has always been a mysterious subject to me.

Stopped by the LOPSA desk to ask if they'd be interested in helping me at all with my (still vague and nebulous) sysadmin conference for Vancouver. They pinged the IRC channel (horrible mix of metaphors) and said sure, send an email. We talked about some upcoming changes on the LOPSA website, and I suggested sending a feed to planetsysadmin.com

For supper I headed out to a nice Italian restaurant with a few folks. I heard complaints about Red Hat support; an upgrade from RHEL 4 to RHEL 5 produced massive disk corruption on their SAN. Red Hat and the disk vendor pointed their fingers at each other for a year. Finally the disk vendor came out with a beta/testing firmware upgrade, which fixed the problem, but a final release has not come out yet. He's left deeply unimpressed with RHEL support: they were paying buckets of money and were left in the lurch. And I've heard that from a number of people here.

We got back late, so we hung out in the hallways talking to folks. I ended up talking to a sysadmin from the University of Alberta who, it turns out, can practically touch the OpenBSD FTP server from his desk. He talked about a move on the campus to switch to Google Mail for the entire university.

This was controversial a while back, when Lakehead University in Ontario tried it; one of the groups on campus (teacher's union?) sued because they said it violated privacy restrictions to place their email w/in reach of the Patriot Act. So I was surprised to hear that they were giving it another try. THere were two things that made this a not-wasted effort: first, apparently Ontario's privacy commissioner had ruled that email is just not private, so it was okay. The second is that UofA has invited the Alberta privacy commissioner to participate, so they're hoping to avoid any problems from the start.

So why are they doing it? First off it's free; Google gives it away to universities. Second, there are something like thirty separate email systems at UofA and no unified calendaring system. These are good things but it's interesting to hear of a university-wide concern about this; UBC is balkanized/decentralized to the point that implementing a campus-wide system like this would be pretty much a non-starter.

After a while I headed up to the LOPSA suite. One of the members said, "Hey, are you the Vancouver guy interested in starting a convention there? How would one or two speakers work?" Cazart! I made it clear that it's still in my head and I don't know what I'm doing...but OTOH a recent IT re-organization at UBC means that HR there is interested in making a clear career path for IT folks there, both in the central department and the individual faculties, so they may be interested in helping with this. And of course, university == cheap space in the summer. Anyhow, it's all early days and I still need to email them to remind them, but still...woot!

And then there was the guy who drove five hours after a regular workday to get to LISA. He'd come up on his own dime to organize a BOF but more importantly to make contacts; he's unhappy at his current job and wants to jump ship. "Man, I'm gonna stay here as long as it takes and if I gotta drive all night to get back at 9am, I'm doing it."

Well, I'm here to tell you that within THREE MINUTES he had two different guys fighting over him ("What's your specialty?...Damn! Yeah, talk to that guy...dammit, dammit dammit...") It was the feelgood story of the evening, and he was a damn friendly guy to boot. And when I left for the night, he was talking to Bill Lefebvre ("Hey, do you know who this guy is? He wrote top!").

I worked my magic (hot-cha!) throughout the night; persuaded Matt (almost) to join the FSF, and one of the 8 Norwegian sysadmin's I've met to join LOPSA (on sale! $10 off the rest of the week!). I asked Tom Limoncelli about my idea for training on "The n things a sysadmin must know about development"; he thought it was a good idea, suggested I look at the open-source tools that exist to help w/the situations I described, mentioned that Strata Rose-Chalup had pitched a book about this (but sadly the deal fell through), and suggested I get experience doing training, and doing training on this, by volunteering at my local LUG.

Finally, I spent a good bunch of time -- in both senses -- talking to a manager about what the appeal of the job was for him. He confirmed what the tutorial instructor had said: it is really, really neat to help people improve, to make the environment that allows them to do that and keeps them happy, and to see them get better and climb the ladder. It's not always easy and there are not-fun, difficult decisions to make, but the rewards are there.

I asked him if he'd always known he'd want to climb the ladder, or if this was something he found out later on. He thought a bit, and said that when he was younger he'd had a false sense of what was important; that not having a family had allowed him to fucus on tech fun to the exclusion of all else. Now that he was older and had kids, the long nights spent on tech was shifted to family, and his focus had switched to helping his team -- which was much more rewarding.

Wednesday (cont):

 Put the fake goatee on
 And it moves as cool as sugar free jazz.

 "Sugar Free Jazz", Soul Coughing

During the break I got into a conversation with Ali and George about cfengine and Python. I recommended "Dive into Python", and George agreed; "There's no time for yet another 'hello, world!' programming book."

And then I met up with Noah from MIT. w00t! I hadn't known he was coming, but then on Monday he was called by the Rock Star Sysadmin o' the Year' contest guys, who asked if he was coming: "No, not in the budget this year." "Really? Are you sure you're not coming?" "Um..." So here he was. We ducked briefly into the GUru session on Zenoss, but it was not for us and we moved on to the papers session.

The first one was "Pushing Boulders Uphill: The Difficulty of Network Intrusion Recovery". And holy cow, they weren't kidding. The state of the art for intrusion recovery, as the presenter said, is wipe and reinstall from backups. Okay, maybe you can do that with one or two machines -- maybe even a few more than that. But what do you do when your system is massively compromised? When there aren't just some Code Red packets but when every single machine has a rootkit?

Reinstalling from backups is no longer satisfying, and yet no one wants to share solutions they might have come up with: "What, I should put it on my resume? 'Got pantsed in front of Slashdot.' I don't think so." So, without identifying the people involved, he shared the story for the purpose of "adding to the lore" (great term).

In a nutshell, an academic department at an American university had its gold server, from which they pushed updates to one thousand workstations, got compromised. Now the workstations had rootkits in them. They only found this out by accident when various processes were crashing in weird ways. And they found it out in the middle of December, right before exams and Xmas, right before half their IT staff was leaving for unrelated reasons. (You could hear gasps around the room as the story was told. Six of those were mine.)

So what do you do? Do you take everything offline and screw over the students? Do you reset passwords? They didn't know exactly when the compromise had occurred, so backups were out. That left reinstalling -- but with what? Same distro, when you don't know if it's vulnerable, or something else? How do you make sure it's all going to work? The state of the art addresses very little of this, and does nothing to help with the entirely reasonable gut-clenching panic.

(I admit I have not read the paper yet. But once I get some time, it's going to be one of the first.)

The second paper I tuned out of, only to hear Tom Limoncelli get up at the question time and say, "I think this paper is crazy. I think that's good, because LISA needs more crazy papers. But I wonder if you realize how crazy it is." The speaker nodded and said, "Oh, yes."

The third paper was a comparison of two big mail migrations...again, it had the feel of adding to the lore (a good thing). It was an entertaing story, well told, about how all the preparation they'd done had not covered every eventuality. The presenter mentioned that one of the reviewer's comments was "You must not have done enough testing." "And I thought: I know! I'm in the future now, too!" They finished their talk with a video of raised flooring packing foam air hockey...fun times.

During the break I talked to a woman who was attending the conference for free, in return for volunteering at the USENIX desk. She ran her own business, and with the economy tanking she'd had to lay off everyone but herself...which meant that she was the sysadmin, too. She has computer experience but no sysadmin experience, so she came here to learn. I sold her on joining LOPSA by talking about how much the mailing lists had helped me.

The talk on Eucalyptus was next, and man, do I have mixed feelings about this presentation. On the one hand, cool stuff: open-source implementation of the AWS API so that researchers can have an actual cloud (based on the only instance of a cloud that everyone agrees on) to do research. What could be wrong with that?

OTOH, the way this guy talked gave me the same feeling as when I read Marshall McLuhan: it's English, but not as I know it. The one example I wrote down (he spoke at about 300 wpm) was when he described a server as "an aggregated set of state updates." That said, my roommate (who's doing a Ph.D. in this sort of thing) thought he was brilliant, so I'm perfectly willing to admit I may have been out of my depth at times.

He was quite funny at times:

• "At the end of the first week after the release, there was a cadre of users who had root who wanted desperately to remove it from their machines." -- on the sysadmin-vs-researcher fight in grid computing (not the cloud stuff he's doing now.)

• "If you do an open-source project like this, people often want to tell you things. A lot. And they want to tell you at 4 am."

And one last thing: he said he was quite impressed with Amazon's API. He kept seeing cases where people would change the API, as Eucalyptus had implemented it, in an attempt to improve it; the changes would almost invariably lower the amount that Eucalyptus could scale.

The LOPSA meeting was that night, and it was interesting. They're up to about 500 members, but they need more -- partly to keep it growing and partly to get access to things like O'Reilly Safari. (The magic number for stuff like that is 1000 members.) They mentioned the ties they're making with other countries -- Australia, Ireland, a group in India, "and we've just been talking with someone who wants to start a converence in Vancouver."

Lightning talks! In the spirit of the thing, bullet-point summaries:

• mrepo -- update tool for RedHat I must check out
• selinux permissive domains -- not sure if this was the same as the targeted policy that Rik Farrow was talking about
• timestamps for web app -- guy from Yahoo saying that SSL depends on proper timestamps to prevent MITM attacks, and yet we're trusting the client for these...arghh! any ideas?
• openefs -- Trey Harris' project to keep software working by never, ever letting it change; a combination of symlinks and OpenAFS that's due to be open-sourced soon
• Beth's story of crazy
• Alva Couch asking if a Lessons Learned section for LISA would be good for next year; the whole room agreed. More about this later.

(If I've missed any, let me know.)

I talked to the organizer afterward and asked how many people he'd had sign up in advance; the answer was none, and he'd had to go after people in hallways to get them to present. I felt bad for not doing so...I had meant to but I got distracted. Next time, I will Do The Right Thing!(tm)

Rock Star Sysadmin of the Year award...first the good: both Matt and Noah got Finalist and Runner-Up awards (respectively). This is cool and all the winners are to be congratulated. There were cool prizes given out, and the grand prize winner donated his to charity. There was cake. Yay everyone!

Now the bad: my cheeseometer was pinned. As someone pointed out, the presenter looked like Guy Smiley; he had spiky marketer hair and was just smarmy. And the band, for reasons I can only guess at, was the pet band of a guy who's a cake chef/baker in Baltimore and has a TV show about cakes that he makes. I thought the music was awful (but then, Noah liked it a lot and he's the one with the sysadmin prize :-), but more than that it was loud. Fortunately I had earplugs or there would've been blood running out of my ears.

(No, you're old!)

Oh, and there were TV cameras (marketing material? next week's cake episode? memo to myself: must tape cake show) filming the women (who I think were there with the vendor but I could be wrong about that) dancing up at the front of the stage; what the cameras didn't show was that they were pretty much the only dancers up there.

There was an escape to the LOPSA suite. I signed up two more people, then headed off for the hotel bar with Noah and a few other folks. I meant to call it an early night, but that did not happen. Oh well.

Wednesday:

Many miles wandering from room to room
Many trees slain just to write it to you...

"Soundtrack to Mary", Soul Coughing

Wednesday started with a test of the Emergency Viva System. My roommate had to defend a thesis with the University of Manchester, and they'd told him they were going to do it over the phone today at about mid-morning our time. What they didn't tell him was that they were going to call at 5am our time to make sure the phones worked.

So I got an early start to the day. I wrote yesterday's entry, then wandered down to the lobby to get coffee from the coffee shop (which had a sign saying "Now serving...Oatmeal and Grits". Hurl) and a free cinnamon bun from a sweet little old lady (no, really) in a hotel uniform. I met Matt and Bob the Norwegian (#6, I believe), where we discussed:

• Bumblebee tuna (holy crap, that's creepy)
• Free Enterprise
• Gummi Bear theme songs (Bob the Norwegian has 8 different languages on his music player, and more at home)
• And this exchange:

Matt: That's it, I give up. I've got eye cancer. Bob the Norwegian: You've got eye cancer? You're crazy. Me: ...said the guy with the 8 versions of the Gummi Bear theme song on his music player... Bob the Norwegian: 8 languages. I have more versions than that at home. Want to hear the ska version? Me: ...so you're in no position to throw the crazy brick around this room.

And then it was...opening time! As it happened I grabbed a seat right up at the front, and noticed Dr. Werner Vogel, CTO of Amazon.com, standing at the wall a couple feet to my left checking his email and waiting to give the keynote speech. "Oh...hello. I thought you'd be wearing a suit." "Nah." Jeans, Harley-Davidson t-shirt, denim long-sleeved shirt untucked.

Highlights from Adam Moskovitz' speech (he's the organizer):

• David Blank-Edelman got the SAGE Outstanding Achievement Award
• 815 attendees, and probably more what with late registrations
• 35% of papers submitted were accepted

Very quick speech; he knows his stuff.

And then it was the keynote. Dr. Vogel was talking about Amazon Web Services. This was interesting and entertaining and fascinating and all kinds of good gubbins. Highlights:

• Hanging out in the bar (missed this, dammit) w/LISA attendees; when he told them his original speech, they said "No, no, no! Tell us why Amazon is doing cloud stuff. Isn't it a book store?"
• "I sometimes introduced myself as the sysadmin for a large bookstore. But that would be disrespectful here; your job is a lot harder than mine." (Flattery will get you everywhere.)
• "Cloud computing is not my favourite term these days, because it includes almost anything...especially stuff that fails."
• "By now, we've learned that if major business magazines say Jeff Bezos is crazy, we're good."
• "For the first five years, Jeff's motto was 'Get big fast.' That's not a motto you should give to your engineers."
• "For some reason we put data centres near trailer parks. And trailer parks attract tornadoes."

He gave the example of Animoto, which is a startup that figured out how to detect rhythm and melody changes in music. They use it to automatically generate slideshows using slides submitted by users, or grabbed from their Flickr album. They offer a 30-second snippet, and then you can pay $x.95 to get the full version.

He showed one that used photos of him at a conference, and I forget what the music was but it was very disco-y and made the thing jaw-dropping, both because of the cheese and because the thing was utterly, completely addictive.

He showed a graph of their orders; it was climbing slowly from April 16th through the 18th, and then they released a Facebook app on April 19th. The app would grab pictures from a photo album, compose the slideshow, then notify all the user's friends that they had something cool to watch.

The graph went exponential. They had 25,000 customers signing up per hour. Their conversion rate is astonishingly high, because they ensured that the slideshow was available in 5 minutes or less.

And they own no servers at all: it's all done with Amazon virtual machines. They went from using 50 machines to a peak of 3500. "They're just a bunch of guys in New York with laptops; they use Amazon as their server park. Can you imagine going to VCs and saying, 'Give us $5 million 'cos we're going to release a Facebook app'?"

I thought it was really, really well done and interesting -- aside from one pretty noticeable hiccup. However, others disagreed. The USENIX summary is here. When the recordings/slides are up, I'll post a link.

Google has just relased a new firewall generatool called Capirca. I'm in the middle of the presentation right now and it's very exciting. It not only generated firewal ACLs for Cisco, Juniper and iptables but it also will VALIDATE them against netflow info. No support yet for OpenBSD's pf but they say it should be easy to add. And (correction) Apache-licensed to boot!

Ha! Slides here!

(Turns out you need at least three good, verbose albums to come up with that many quotable lyrics.)

Thursday morning (November 5 2009):

While waiting for the room to fill up for the Planck telescope talk, I had a ponies moment and realized that Tobi Oetiker has the coolest Beatles haircut ever. That is all.

The Planck (pronounced almost like "plonk") telescope is going to give the highest resolution maps of the cosmic microwave background, and it's going to be dealing with a metric fuckton (my words) of data -- on the order of 10^12 observations, or 10^8 sky pixels, or 10^4 power spectra (which is where the really interesting data is). To do this, you need a metric fuckton of computing power, and that's NERSC...which, the presenter said, has gone from being a data producer to a data sink, as more stuff comes in to be processed. (Even that has changed; scaling limits and other constraints have changed the math that they use to analyze the data.)

To handle all this data, they use a variety of techniques and hardware:

• They've got 60PB of storage in 10 Sun Ultrium 4tape libraries (but as he said later, that's a made-up number based on maximum capacity; in order to maximize retrieval times, they use a mix of Ultrium 3 and Ultrium 4)

• A 130 TB disk cache (!)

• About 400TB of storage in GPFS

• "One of the tricks to doing large data is: don't use I/O." Fast I/O is great, but avoiding it entirely is better. One byte/s of I/O is about 1000x the cost of one FLOP/s. It's easier to calculate it and keep it in memory than to look it up again.

• Having common data models across the community of users, to avoid duplication/remunging of data; it's a social challenge as much as a technical challenge, but addressing it early pays off.

• And remember: data from observations and experiments tends to increase in value over time (due to new analysis techniques), while data from simulations decreases in value over time (as computing capacity increases).

One question from the audience: Do you use GPU computing? A: No; lack of ECC is the biggest reason. PCI speed also a factor, but we already deal w/different speeds in different subsystems.

After that came the presentation for Anton, which is a specially-built supercomputer for molecular dynamics simulations. It was an interesting talk, and I'll be pointing one of the faculty members I work with at the slides and paper when they're available. Top quote: "Our user community is faster than our monitoring system."

Thursday afternoon:

First up was Elizabeth Zwicky's talk on distinguishing data from non-data, and how to deal with each when solving problems. She warned us that she was not a statistician, and what she was going to say would probably give a real statistician hives, but that it would be useful for dealing with computers -- "nothing with an ethics board."

Her talk was laced with examples from her career...like the time she tried to track down missing truck axles from a major defense contractor; this was complicated by their complete lack of data collection ("How many do you make in a week?" "The schedule calls for 100." "How many of those are completed by Friday?" "We're not collecting that data."). Or the time she broke into her CEO's office ("It has a lock!") by pushing up a ceililng tile, then reaching down with a coat hanger and pulling up the handle. Lesson learned: "If it stops at the ceiling, it's not really a wall."

Funny stories aside (and they were funny; I recommend listening to the talk), the point was the danger of assuming too much from initial observations -- we schedule X, so we must produce X; it looks like a wall, so it must be impervious. Data is observations, numbers with context -- not hearsay, or conclusions, or numbers without context. Again, listen to the talk; it's worth your time.

Hell, download every MP3 on this page and listen to them; that's what I'm going to do, and I've been to some of them.

Okay, after that came the refereed papers. Mostly I was there for the SEEdit paper, which describes the SEEdit tool (available on Sourceforge!) for editing/creating SELinux policy in a high-level language. After what Rik Farrow said about policy approaching his rule-of-thumb for human comprehension, I was interested to see if this could be used to generate/edit the existing policy. I tried asking this, but I don't think I made myself clear...and I meant to follow up with the presenter later, but I didn't. My bad.

The paper on the SSH-based toolkit was interesting, but it seemed complex; from what I could gather, you SSHd to a machine, then forwarded connections to (say) POP or SMTP over the tunnnel to a daemon at the other end, which would then forward it to the right destination. It kept seeming kludgy and complicated to me, especially compared to something like authpf plus the usual sort of encryption that should be on (say) POP or SMTP to start with. I asked him about this, and he wasn't familiar with authpf; he did say it was similar to another sort of tool, which I didn't write down in my notes. I'm guessing that I missed something.

With that the conference was over for the day; my roommate used my CD to install Ubuntu on his laptop (I knew bringing it along would come in handy!).

Thursday night (November 5th...god I'm behind) was NIGHT OF BoFs. (Dramatic music!) First up was my conference organizer's BoF. In a nutshell: I wanna start a conference; what do I need to know?

There were only a handful of people there, but hey, quality not quantity:

• Deb Nicholson from the FSF
• Scott Murphy, ArrowEye consulting, who has helped with BSDCan
• Ski Kacoroski from LOPSA
• Matt from Standalone Sysadmin, who (like me) was there to learn. (or possibly out of pity for me. Either way.)

Easiest part of organizing a conference: getting speakers. This surprised me, but everyone likes to talk about themselves. WIPs (work-in-progress posters/talks) will get everyone engaged.

Hardest part:

• defining the scope/theme of your event. This is important because a) you need your elevator pitch and b) otherwise it's just Saint Aardvark's Conference About Totally Interesting Stuff, and if you don't happen to be SAtC (poor you!) you may not be all that interested.

• the last week: death by a thousand papercuts + dread

Gotta have it:

• Swag bag. Contact local (or not!) sponsors early. For some reason I'm hung up on t-shirts being TOTES ESSENTIAL, but this is not necessarily the case.

• Chance to meet in advance; break the ice, get the newbies (and we're all newbies) to relax and make friends. If your event is on a Saturday, this is why Friday night was invented. Don't forget to have organizers working the floor.

• Everyone in the same room for meals -- either bring it in, or have one place close by designated and ready. You don't want people scattering to the four winds to eat...they'll never come back. And make the vegetarians/vegans happy; if all they get to eat is crackers and soy bologna, you will hear about it.

Random tips:

• Price the event according to what you aim to give people.

• Think about having a fun track beside one or two serious tracks.

• Record the sessions and offer Ogg/MP3 downloads. Don't forget slides and papers, too.

• Lead time: 9 months probably isn't enough time to organize an event with 300-400 attendees...but 6 months should do for 50 attendees. (That's more the scale I'm aiming at.)

• Careful with vendors; being sold at all day is a definite turnoff

• Re: sysadmin conference in particular: Survey local businesses and see what they need, what they'd send people to see.

• Always look for ways to delegate stuff, or you'll run yourself ragged.

Getting people back next year:

• Finish your closing speech with "See you next year!" ie, ask people to come back, and to spread the word.

• Meet within a month of finishing the conference with next year's organizers and start making plans. Put checklists and improvements on a wiki so that the info doesn't get lost.

• Get new blood every year, both attendees and in the organizing committee.

Also got various contacts and other suggestions from people...thanks very much!

After that came Matt's two BoFs: small infrastructure and bloggers. Unfortunately, my notes suck from these two events...but it was good talk at both. I was surprised to see how many people were there because they're professional writers; I keep thinking of this as just my way of scribbling on the walls.