…and around it goes

April 15, 2009

I ditched the OQO

Filed under: Personal, Privacy — steve @ 11:46 pm

Well, not completely, but my love affair with it has faded.  It fits my needs for a lightly packed weekend trip and it is something I’ll keep for that and for using as a car computer, but I stopped carrying it daily.  Even given its pocketable size it’s a tad large to be in your pocket all the time.

In spite of this I was still considering upgrading to the new model for more RAM and the better video performance, but their customer support has fallen through the floor.  Given the unreliability of these machines, that is a huge issue, a showstopper for me.  I won’t be upgrading because of it.  Personally, I think OQO is faltering as a company.  I believe they are trying to find an exit with a buyer now.

What do I use daily now?  Well, I’m trying out a Blackberry Curve 8330 (Verizon had a two for $49 deal when I re-upped and that fit perfectly with my tightwad side…although they did soak me an additional $30 a mo for the unlimited net for it).  I’ve never been one for “smart phones”, to me a phone was just to make calls and use as a modem.  I didn’t even use the contacts list in my last phone.   As for Blackberry, in particular, I’d always thought that Blackberries were just glorified phones with a PIM, address book, SMS, and perhaps some limited Internet via their proxy.  I didn’t know they can now do what they do.

So far I am impressed.  I have an SSH client to manage servers with in an emergency (screen is a tad small for any real work on it, but it’s ok for emergency troubleshooting and even managing accounts), I have my e-mail (although I refuse to use Blackberry’s push service and instead use LogicMail, the privacy side of me does not want someone in the middle), I have my real time server monitoring alerts, and I have my web access, in fact I have full net access.  That is all I really need when out daily.

It also has some things that I do not really need, but I like them.  Pandora is something I use a lot.  It’s Internet radio and my first foray into it.  I just plug the phone into the line in jack on my truck then start Pandora and I’m good to go, it even pauses the music if the phone rings.  Slacker is another internet radio app I installed and like.  No need for a Sirius subscription anymore (I think as phone networks and Internet radio progress that it means the death of satellite radio, unless they morph or merge).  I also find myself using Viigo a lot for RSS feeds.

BTW: If you are using a smartphone and Opera Mini, please be aware that everything goes through a proxy in Norway and that it operates as a man in the middle for SSL.  Obviously this is not good from a security or privacy standpoint.  Don’t use Opera Mini for anything like online banking, Paypal, etc. where you really want end to end encryption.

So I have only had the Blackberry for a couple of weeks now which means it is too early to find out if it has staying power, but I do expect it does, at least for a while.  Now I have to WAP enable Cotse somehow as LogicMail, though functional, is very basic. Either that or it’s time to learn to code in Java and write my own mail app for it, which I am considering.

April 14, 2009

What do your e-mail headers give away about you?

Filed under: Privacy — steve @ 3:02 am

We all already know about our IP address and what it can give away about us (I am assuming, perhaps incorrectly, that readers are privacy and security minded).  I want to talk about other perhaps lesser known risks to your privacy and security that you’ll find in your e-mail headers.   These range from giving away personal and local information to providing an attacker with the keys to your computer.

Let’s start with personal information.  Most of you probably use a mail service that hides your IP address, but does it hide/change your message ID?  The message ID is generated by your mail client and may contain information about you, your general location, and/or your machine.   For example, some versions of Microsoft Outlook encode your machine’s IP address into the message ID.  We’ll look at a sample:

Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>

You may notice that the field between the @ and the first $ (moving from right to left) is 0100a8c0.  Read byte by byte from right to left it becomes c0a80001, that is hex: c0 = 192, a8 = 168, 00 = 0, and 01 = 1, or 192.168.0.1.  Also notice it gives the machine name, billsbarn.  Why give out any unnecessary information?

In the above example it is the IP address of the internal LAN, which gives away information on its own, but it could be an externally accessible IP in some situations.  Outlook isn’t alone in this, other clients do it too, be it in hex, octal, decimal, or other base.  It’s not only encoded IP addresses we can find in message IDs, we can often find machine names, ISP names, POP account names, and local dates and times, giving away your timezone (in some cases this may matter).  These are often not even encoded.

Besides the message ID, mail clients have been known to stick all sorts of potentially personal information into the mail headers: the organization you belong to or company you work for, who originally forwarded the message you are quoting, and even your fax and/or phone number.   Mail clients are notorious for strewing personal and potentially damaging information throughout the mail headers.

Perhaps the stupidest idea I have ever seen from a security standpoint: most mail clients stamp into the mail headers the software you are using and its version number.  And every one of them has suffered serious vulnerabilities at one time or another, vulnerabilities that allow an attacker to remotely execute code on your machine, potentially giving him access to your computer and all the personal information about you it contains.  The keys to the castle, game over.

As always, you should keep up on patches, but in the event a vulnerability which you are unaware of exists, you may very well be telling your attacker how to gain access to your machine just by sending him an e-mail, either directly, via a mail list, or in a web mailing list archive (ever search Google for older vulnerable user agent strings?  You find them all the time in current mail lists, for some of them all it would take to compromise the machine is to send the person a properly crafted e-mail).

Unfortunately your options are limited in correcting this as many clients simply do not give you the ability to change or remove these headers.  If you are good with a hex editor you may be able to change or zero out these headers in some clients.  Or you can research clients and what they place in headers and pick one that adds the least or that gives you the most control.  Or you can subscribe to a mail service that gives you the ability to add, remove, or change your mail headers.  Coincidentally, I happen to run one of those and if you are already a subscriber, you’re covered.
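To see what your own client gives away, send yourself a message and run its headers through a check like the following. This is an added example, not code from the original post or from Cotse; the sample message, its addresses and the "ExampleMail" client string are constructed, and the list of headers checked is an assumption rather than a complete inventory.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers in which clients commonly advertise their name and version (assumed list).
SOFTWARE_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE", "X-Newsreader")
# Free-form headers that clients fill with personal details (assumed list).
PERSONAL_HEADERS = ("Organization",)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def decode_outlook_ip(message_id):
    """Decode the IPv4 address held in the last $-separated field before the @.

    This is the layout of the sample in the post: four bytes written in
    reverse order. Returns None when the ID does not have that shape.
    """
    local = message_id.strip().strip("<>").rpartition("@")[0]
    field = local.rpartition("$")[2]
    if "$" not in local or not HEX8.match(field):
        return None
    return ipaddress.IPv4Address(bytes.fromhex(field)[::-1])


def audit_headers(raw_message):
    """Return (header, finding) tuples for details any recipient can read."""
    msg = message_from_string(raw_message)
    findings = []

    mid = msg.get("Message-ID", "")
    if "@" in mid:
        host = mid.strip().strip("<>").rpartition("@")[2]
        if host and "." not in host:
            findings.append(("Message-ID", f"bare machine name: {host}"))
    ip = decode_outlook_ip(mid)
    if ip is not None:
        scope = "internal LAN" if ip.is_private else "externally routable"
        findings.append(("Message-ID", f"encoded IP {ip} ({scope})"))

    for name in SOFTWARE_HEADERS:
        value = msg.get(name)
        if value:
            has_version = re.search(r"\d+(\.\d+)+", value) is not None
            note = "with version" if has_version else "without version"
            findings.append((name, f"client software {note}: {value}"))

    for name in PERSONAL_HEADERS:
        if msg.get(name):
            findings.append((name, f"personal detail: {msg[name]}"))

    date = msg.get("Date")
    if date:
        try:
            offset = parsedate_to_datetime(date).utcoffset()
        except (TypeError, ValueError):
            offset = None
        if offset is not None and offset.total_seconds() != 0:
            minutes = int(offset.total_seconds()) // 60
            sign = "-" if minutes < 0 else "+"
            hh, mm = divmod(abs(minutes), 60)
            findings.append(("Date", f"local UTC offset {sign}{hh:02d}{mm:02d}"))
    return findings


# Constructed sample; only the Message-ID is the one quoted in the post.
SAMPLE = """\
From: bill@example.com
To: list@example.org
Subject: test
Date: Tue, 14 Apr 2009 03:02:00 -0400
Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>
X-Mailer: ExampleMail 1.2.3
Organization: Example Barn Supply

body
"""

if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE):
        print(f"{header}: {finding}")
```

An empty result only means none of these particular patterns matched; other clients encode the same details in other bases and other headers.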

April 12, 2009

Fighting Zombies…and other things

Filed under: Personal, Cotse Related — steve @ 11:07 pm

I’ve been fighting spam zombies most of the winter.  We are currently hosting over 25,000 mail domains.  Some of these domains come from hosts that simply could not handle the volume of zombies and backscatter, or just dumped it all at the end user, some being hit with 30k bounces an hour backscatter.  Others are our own domains, some of which spammers seem to love.  All of which need some protection where turning off the catchall just won’t do, that’s where my milter comes into play.

This milter was started when sendmail first started featuring milters (we’ve been seeing zombies hit us hard for years and without the protection it would be nearly impossible to offer our service).  Since then it has evolved quite a bit.   The idea behind it is to dynamically identify infected end user machines spewing spam and block those while allowing all validly sent mail, including valid mail servers spewing spam, to still get through (the milter, anyway, then it’s user filters that will block).

It accomplishes this by evaluating a number of items: the helo, the host and number of other related hosts that hit and were identified as a zombie (ie. how many other 123-123-123-123.example.coms have attacked), how it hit the server (ie. slamming, number of concurrent attempted deliveries, etc), number of unknown users it attempted to mail, spamtraps of ours it hit, and more.  Using all of these variables it creates a profile and matches against it.

At first it just dynamically managed a blocklist.  This got cumbersome fast as we grew.  The blocklist had to move to a db and I had to learn to be a better and more efficient programmer.  It now utilizes a few databases, incorporates dynamic blocking, backscatter protection per account or domain, and more.  It also creates a profile of valid mail servers and matches against those as well so that they don’t get caught even if they match the rest of the zombie profile (ie. the server got infected).  The target is only zombies.  We’ve slowed on the number of zombies added, but still pump in a fair amount of new ones every day.  I do expect this to slow again, but I’ve zeroed the dynamic db a couple of times both to redesign it and to test its autolearning as I tweaked, so it’s still a rather large amount.

Perhaps one day I’ll write a web interface to the db.  Its contents paint a very interesting map of infected end user machines, or spam zombies.  I’ve also been able to identify individual botnets by things as simple as the way they helo (type server40.welcometelecom.ru into Google and see what I mean, you’ll see it show up as the helo for a lot of spam with hostnames around the globe). Others are slightly more complex, being fed a list of helo values along with the standard list of from addresses to use or using the machine name, but they form a pattern in other ways over time and become identifiable as well.
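The simplest of these fingerprints, one HELO value arriving from unrelated networks, can be pulled out of connection logs as sketched below. This is an added example, not the milter described in this post: the log line format, the two-label domain comparison and the threshold of three networks are assumptions, and the log lines are constructed using documentation address ranges.

```python
import re
from collections import defaultdict

# Hypothetical log format: "<time> client=<reverse-dns>[<ip>] helo=<value>"
LINE = re.compile(r"client=(?P<rdns>\S+)\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>\S+)")


def base_domain(name):
    """Last two labels of a hostname (a simplification; ignores e.g. co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_dynamic(rdns, ip):
    """True when the reverse DNS name embeds the client's own IP octets,
    the 123-123-123-123.example.com style of end-user address pools."""
    numbers = re.findall(r"\d+", rdns)
    return all(octet in numbers for octet in ip.split("."))


def helo_fingerprints(lines, min_networks=3):
    """Map each shared HELO value to the clients that presented it.

    A HELO is reported when clients in at least `min_networks` different
    reverse-DNS domains used it and none of those domains is the HELO's own.
    """
    seen = defaultdict(dict)  # helo -> {ip: rdns}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        helo, rdns = m["helo"].lower(), m["rdns"].lower()
        # A greeting that matches the client's own reverse DNS is how a
        # normally configured mail server behaves, so it is not counted.
        if base_domain(helo) == base_domain(rdns):
            continue
        seen[helo][m["ip"]] = rdns

    report = {}
    for helo, clients in seen.items():
        networks = {base_domain(rdns) for rdns in clients.values()}
        if len(networks) >= min_networks:
            report[helo] = {
                "clients": sorted(clients),
                "networks": len(networks),
                "dynamic_rdns": sum(looks_dynamic(r, ip) for ip, r in clients.items()),
            }
    return report


# Constructed log lines; the HELO value is the one quoted in the post.
SAMPLE_LOG = [
    "2009-04-12T22:01:03 client=192-0-2-17.dsl.example.net[192.0.2.17] helo=server40.welcometelecom.ru",
    "2009-04-12T22:01:09 client=host-198-51-100-44.cable.example.org[198.51.100.44] helo=server40.welcometelecom.ru",
    "2009-04-12T22:02:41 client=203-0-113-9.pool.example.com[203.0.113.9] helo=server40.welcometelecom.ru",
    "2009-04-12T22:03:00 client=mx1.example.edu[203.0.113.80] helo=mx1.example.edu",
    "2009-04-12T22:03:12 client=mx2.example.edu[203.0.113.81] helo=mx2.example.edu",
    "2009-04-12T22:04:55 client=198-51-100-7.dsl.example.net[198.51.100.7] helo=laptop",
]

if __name__ == "__main__":
    for helo, info in helo_fingerprints(SAMPLE_LOG).items():
        print(helo, info)
```

The two mail servers greeting with their own names and the single client saying "laptop" are left out; only the value shared across three networks is reported.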

My mind is already running with ways to query this data and provide live statistics (number of zombies per botnet, domain, etc) that can be drilled down all the way to the list of machines and date last seen.  Unfortunately that is side work, which takes a back seat to the day to day running of the service so I have no idea when, or really even if, it will end up searchable like that.  Right now I have perl scripts that do it and I use the results to further tweak the milter.

BTW: Greylisting is dead.  I declare so now.  Nearly all zombies I have identified return, even after getting 550 returns to their delivery attempts (I’d say all but don’t yet have positive proof of all, but I do have positive proof that those which return within a typical greylist period are well above 90%.  What I don’t know is if they are resending or sending a new blast).  So those 4xx errors you greylisters return will also have the same zombie return.  If you are greylisting you are likely now accomplishing little but delaying your mail.

Other Battles:

Been battling a rather serious (but not fatally serious) health issue this winter (stomach/bowel).  It’s had me bedridden a lot.  This put a delay in some new features that were planned (they are still planned, just delayed).  I did get a chance to improve a number of backbone things.  Added bandwidth and server power to the mail network, further improved automatic failover (finally addressing the issue of “what if Verizon comes and rips out all the copper to the building again?”), redesigned our DNS, and fixed a number of bugs, but nothing that can really be identified by users as “hey, here’s something new”.

December 9, 2008

In my footsteps?

Filed under: Personal — steve @ 2:20 am

My daughter informed me last weekend that she reads my blog.  She is ten.  My first reaction was panic, just what did I write here?  I could not remember.  I knew it had to be somewhat tame because I have always been somewhat cautious with what I post, but not always.  Did I write things here that she should not read?  Fortunately the answer to that is no, but it opens a whole new world of issues and means I will have to be more conscious about self-censure.

I’m a creature of technology.  I am one of the group that got to play/work with early versions of what is now the Internet while in college.  The desktop PC also emerged while I was in college.    Computers and networking became my passion and my career.  I worked and consulted for many of the companies that were instrumental in helping chart the course that technology and the Internet took.

Unfortunately this means that I have left tracks all over the place…for decades.  My Google return is near 50,000 results and that is just when searching my name, other ways to search me yield even more results.   While much of that is regular techie stuff (dev projects I was involved in, interviews I have given, papers I have written, etc.) some of it is forum banter.  I fear she may find some of me in the midst of a flame fest that was not too flattering.  Or more likely stumble across the vile spewed against me by those in the past who have been angry that I would not term an account for legal speech.  I guess we’ll have to cross that bridge as it comes.

I suppose it was inevitable that my daughter would come to find me this way.  In this world of rapidly advancing technology most people will have a rich Internet life.  It just happened earlier than I expected.  Fortunately I stayed fairly tame in my online identity.  The same can’t be said for many of today’s college crowd and their facebook and myspace tell all lives.  What will happen thirty years from now when their ten year old child hits the net and sees some of the things mom and dad did?  Privacy is important for many reasons, manage your online identity properly, the Internet never forgets.

It still remains to be seen how much of me is in my daughter.  I see a lot in her already that reminds me of me at her age.   So perhaps she’ll follow the course I charted.  Maybe even eventually taking over the reins of the business.  Perhaps one day she’ll explain to me a way she’s going to make Packetderm’s services even better from the seat I once sat in…ok, probably not, children rarely follow the parent’s footsteps (and besides, she wants to be a vet-singer-babysitter-medical biller), but we can all dream, can’t we?

November 11, 2008

Winter Again

Filed under: Cotse Related — steve @ 12:08 am

It’s that time of season.  The time my family hates most.  The time I can go days without seeing the outside.  Life is boring for all who surround me as I bury myself in work.  It’s nearly winter.  Those of you who have been Cotse customers for some time have probably seen the pattern, summers we coast with only bug fixes, winters we buckle down for new development.  It’s a pattern that so far has worked well.

So far we have a few ideas for this winter, but no idea if any are the “one” you have been awaiting.  A new release to the webmail interface will happen and clean up some bugs as well as implement a few new features, but most of you use your own mail clients anyway.  There will probably be a redesign and consolidation of some milters, but that will be invisible to you (we hope), with the exception of some better filtering options.

We may offer an OpenVPN solution, perhaps in conjunction with a pptp vpn option for those who cannot get OpenVPN working.   Not yet sure on pricing, but probably $14.95 a mo.  This will oust Socks Plus as our new top service (Socks Plus will still be an available service) and will include all services below it in that price.  There has been some interest expressed in this.

We’ll also upgrade some hardware, both system and network (hopefully this will be invisible to you).  Other than that we’re not set, so if you have any suggestions feel free to offer them to suggestions (at) cotse.net.  Please understand that you will not receive any feedback and we do not guarantee that all suggestions will be implemented.

I do apologize for not providing feedback, but we have found that some people get very upset if we don’t see things their way and do exactly what they told us to do, so we avoid that whole situation by not responding on any, but we do implement many.

August 30, 2008

OQO Additions

Filed under: Personal — steve @ 2:27 am

As long as I am blogging and discussing the OQO here is a quick list of additions for it that I am finding useful:

USB Web Cam - It’s  a tiny cam on a flexible stalk that plugs right into the USB.  Cheap on e-bay.  Works well.  I plan on trying a bike trip video blog of sorts.

ELM 327 Bluetooth - Also off e-bay.  This is a device that allows me to wirelessly read my vehicle’s OBDII (on board diagnostic) data, and also compile real time dyno info and such using ProScan.   Very useful when using the OQO as my car pc.

Two 80 GB 1/8 in ZIF drives in tiny USB ZIF enclosures - also off e-bay (drive and enclosure were separate purchases).  Each about the size of an ipod.  This gives me one drive that I keep fully encrypted for key data I want with me at all times (security keys, personal data and info, etc) and one for DVD/CD storage.  They power perfectly off the OQO’s USB port alone.

ZIPLink cables - retractable cables.  I have USB of all sizes, IPAQ (yes I still use my ipaq for e-books and GPS due to its size and battery life), CAT6, Crossover, and RJ11 (just in case, I also bought a tiny USB Zoom modem (size reference: network pigtail for old PCMCIA NICs are same size as this modem and look similar) in case I have to use a land line).

USB RS232 and parallel cables - The RS232 is great for network devices, the parallel I really haven’t used yet but was on a USB buying spree and didn’t yet have one.

USB Floppy drive - Mainly for FreeBSD network install, but I do occasionally find myself needing a floppy drive.  It makes sense to have a USB one for those times.

I also have a small USB drive reader (sata, IDE, etc), for any drives I may need to image.  Along with two standard batteries and an extended battery for the OQO.  A Sierra bluetooth full size foldable kb and a Think Outside bluetooth mouse.

(I’ve yet to use the kb or mouse, I was thinking of releasing them back to e-bay)

I have the A/C adapter and car/plane adapter (you can cut down to one and carry just the car/plane adapter and use it inside with a 120 v to 12v adapter, but you need one of those that will push at least 1 amp.  (Do not try to use the a/c adapter with a power inverter in the car, it needs a pure sine and the inverters are a modified sine, you’ll burn it out eventually)).

I also have foldable headphones for watching dvds or TV (yes, I bought a slingbox, however Sprint just changed their plan to be like Verizon (capped at 5 gig/mo), which will seriously limit my ability to stream my TV and I am not happy.  That is not what I bought.  Another reason I chose Sprint over Verizon is Sprint said unlimited bandwidth (meaning unmetered) and now are telling me “nope, that changed, so sorry, you no get what you bought, you get new, tanks for shopping Sprint…for engrish please press 1” (ok it didn’t go exactly like that but it felt the same)), a tiny bluetooth gps (holux, and yes, we’re off Sprint and back on the accessories), a USB DVDRW slim, a multicard flash reader, usb hub, and more.

It all fits (including my OQO and IPAQ) into a small camera bag I got at walmart.  This is my current roadwarrior dream pack, it’s easy to carry, it fits nicely into a saddlebag (with room to spare), and I can do everything with it that I need a computer to do.  Far more carried in far less of a package than my thinkpad and its accessories, that is progress.

I know, I need pics.  I’ll get them here sooner or later.

OQO Update

Filed under: Personal — steve @ 1:48 am

I’ve had my OQO about three months now so I figure a quick update:

I am still finding it very useful and love the machine, however it did have to go back and it wasn’t a pleasant experience.  Shortly after I wrote my last blog entry (I know I need to update far more) I noticed the drive was making funky noises.  In reading the OQOTalk forum I read that drive failure was common and the drive should be silent.  So I called support, they agreed, and I sent it back.

I was also reading in the forum about people sending it back for repair on a Monday and getting it back fixed Friday, so I was hoping for quick.  I even worked it so it would be a week I didn’t really need it.  I hit troubled times with OQO.   I got it back a month later.  I was not happy.  They do claim to be resolving the issues I hit, we’ll see.  I hope if it has to go back again that it is a bit faster of a turn around.

(Note: The machine still makes the same noises, it’s either normal noise or they didn’t replace the drive.  This time I am waiting for a complete failure.)

I do still want to emphasize that I love this machine.  It’s one of those devices that you love even with quirks.  If the drive fails and it has to go back I’ll really miss the machine.  In fact, I have even considered buying another so that I will still have one when the other is in the shop (unfortunately that has to wait, too much money to justify a spare).  It’s been a while since a device hooked me like this.

June 3, 2008

My first umpc

Filed under: Personal, Cotse Related — steve @ 3:39 am

Until now I have been working with an ipaq hx4705 when away from my desk. I’ve loved it, but it has had its limitations. It’s ok for GPS, ebooks, music, contacts, a calculator, and basic PIM, but for remote work it’s not much good for anything beyond tethering to my phone for an emergency SSH session, which is doable, but really only for emergency use.

To work comfortably I need a little more than the ipaq can provide. So when traveling for any length of time I’ve carried an old 700 Mhz Celeron Thinkpad that I bought back when I first started Cotse. It’s been long due for an upgrade but it has been enough to do what I need to do, so I have not been able to justify the expense of an upgrade (you save a lot of money not upgrading just because something newer and better is out). To be honest, I don’t know if I can actually justify it now, but when I saw the latest umpcs, it made sense.

I splurged and bought an OQO. The OQO is a umpc, this was a new term for me. It means Ultra Mobile PC, the goal being a pc in your pocket. I have always called my ipaq my pocketpc. After all, Microsoft calls it that. But the OQO really is a pocket pc. The one I bought is 1.6 Ghz, 1 Gig RAM, 120 Gig drive with Sprint EVDO (I got Sprint to have access to both EVDO networks, Verizon via tethering to my cell if needed) with a 5″ LCD that runs at 800×480 and can zoom to 1,200×720 interpolated (which looks surprisingly good for interpolated).

I chose the OQO over the field of umpcs, some faster (read Sony UX), because of a few things. One was the integrated EVDO rev A, having that built in frees me quite a bit. The OQO also had the best fit and feel. It feels solid, it looks sleek, it is in outside design, near perfect. Nice screen, vivid, bright, and clear. It’s also an active digitiser, so inking is far better on it. The keyboard is very nice, far more usable than the others and it also has a few other desirable features, like hardware based crypto that I have yet to dig into.

I tried to take some pictures, but my camera seems to be having some difficulty, so no pictures. So far I love the OQO. I realize I’m taking a slight risk with a young upstart company (a group of Apple techs formed OQO in 2000. Apple Computer apparently wasn’t interested in developing the world’s smallest computer at that time so they struck out with their own company. Full story), but it’s a calculated risk.

OQO is US based, growing well, and seem to be getting rave reviews for their service, at least US based (foreign is a different story, very young and small, not many partnerships yet). I bought the accidental damage 3 year extended coverage because I know full well that being the smallest and so new a design/product means I’ll be using the coverage at some point.

I’ll try to keep this blog updated with my experiences. So far it’s an awesome device that gives me a fully functional, always with me, PC with broadband access (seeing 1 MBit plus speeds in all my tests so far) that I can keep in my pocket and whip out and use wherever I am. This is a first for me and I’m finding it very useful and freeing in using it to manage Packetderm/Cotse.

May 17, 2008

The Trip - it may be a go

Filed under: Personal — steve @ 5:31 pm

After typing out The Trip, a few things happened. First I found out that this blog is not dead. That there are many who get notified in some way that I have updated. Most of you have expressed your displeasure that I have disabled comments. The problem is the spammers abuse it so much I got fed up with it. Comments are more work for me and I like the less work for me concept better.

The Trip spurred e-mail discussion, both from readers and here at home with my girlfriend (well, not by e-mail with her, she’d be a tad ticked if I did that). The general consensus was that I should do it. My girlfriend agrees, not happily (I don’t think she wants me gone that long), but she understands. So a tentative date, summer 2010.

This will give us time to sell the condo and settle into the house. I’m attempting to entice a friend to go with me, but don’t know if he can. It’s one of those trips that is safer with two, but a better journey for one. Either way I will still go. I have to plan an itinerary, it will be a one or two month trip. Lots of stops to visit places, things, and people. I also have to figure out how to fund it.

It won’t be overly expensive, but even $200 a day for gas/tolls/food/lodging/etc. adds up to $12k for sixty days time and 18k for ninety days. Granted some days will be less, but some will be more. I also must have cushion for the unforeseeable, a major bike repair or something. All this while also keeping a household and children going. I have almost two years to save it, but it will be tricky as I put nearly everything Packetderm earns back into the business.

In addition I would like to video blog it. To do this as well as easily work from the road I do need a full pc. I have used my ipaq with a bluetooth kb to ssh back to the servers, but it’s missing some things I need and would be cumbersome for handling the video uploading as well as the servers and e-mail. A small laptop is what is needed, but that takes up lots of space for a bike trip. That has me looking at umpcs.

I’m considering a 1.6 ghz, 120 GB, 1 gig ram, Verizon EVDO oqo umpc. About the size of my ipaq 4705 but a full XP or Vista (hope for XP) machine. That looks like $1700 on e-bay, ouch. I also must find a decent video camera. Something that is small, good picture in most light levels, good battery life, that can be waterproofed somehow.

Anyway, this is going to be a lot of fun if I can get it to work. Not so sure on that now, financial crisis always rears its head at the most inopportune time. However, at least now the only remaining obstacle is financial, that’s a quantifiable target and the service continues to grow daily, lately at an accelerated rate, so we’ll see.

May 16, 2008

The Trip

Filed under: Personal — steve @ 4:16 pm

I have this dream trip in mind where I take two or more months to ride across the country on my Valkyrie. It would be a journey fraught with perils, but rewarded in personal insight and growth. From bike breakdowns, to weather, to the danger of obstacles and other vehicles, it would be perilous. But the reward of having done it, that is an experience that could never be taken away from me.

I don’t have many life changing or soul building experiences. I mean I have the standards: marriage, failed marriage, child, and your other everyday average experiences. I don’t mean to in any way demean these experiences, each was a bit “magical” in its own way, it’s just that I haven’t had one all my own, that millions of others have not also experienced. Some people take off and backpack Europe for a year, climb some unclimbable place, or brave the Amazon rain forest, just to say they did. I didn’t do one of those. But even as a teen I dreamed of owning a motorcycle and riding it cross the country.

Well, I own a motorcycle, a rather nice one, comfortable, I commuted 120 miles a day (60 mi each way) through Boston with it and I regularly put on 300-500 recreational mile days in the summer. The miles put on during a normal summer are less than the miles it would be to zigzag across country and back. So I know I can easily do it. Riding cross country would be almost the same as summer riding, with a destination, or many destinations.

The problem is that I am getting old. Now is actually the prime time to do it. I don’t have an employer with whom I have to build enough vacation time. I can work my business from the road. I am still in decent shape with decent reflexes. At 43 I am old enough to be cautious yet not too old to be overly so (overly cautious is just as dangerous as complete lack of caution on a bike). I need to begin to plan my journey. I need to make it happen. One summer, out and back.

Will I do it? Or will there always be an excuse not to, I’m buying a house this year, kids in school, one needs this, another needs that, girlfriend wants marriage, she wouldn’t be happy with me gone for two months, the excuses of life which squash dreams. The excuses that set them aside for the future and keep setting them aside until there is no more future, will they get this one? Only time will tell, but this trip is my dream.
